1. Introduction & Legal Framework

Mediso India ("Mediso", "we", "us", "our") operates the digital healthcare platform accessible at mediso.in (the "Platform"). We are a technology-enabled hyperlocal medicine delivery platform that acts as a LOGISTICS INTERMEDIARY AND DIGITAL AGGREGATOR connecting customers with licensed, verified local pharmacies.

IMPORTANT CLARIFICATION: Mediso is NOT a pharmacy. We do NOT:

• • Store or maintain medicine inventory
• • Directly dispense or sell medicines
• • Hold physical drug stock
• • Make treatment recommendations
• • Act as a licensed pharmacy or chemist

What Mediso DOES:

• • Provide a digital platform for customers to place medicine orders
• • Verify prescription authenticity and completeness
• • Forward orders to partner licensed pharmacies
• • Coordinate delivery logistics with delivery partners
• • Charge service fees, delivery charges, cart fees, and other platform fees
• • Facilitate payment collection and disbursement to pharmacies

Mediso earns revenue through:

• • Delivery/Logistics charges
• • Service charges
• • Cart handling fees
• • Commission from pharmacy partners
• • Platform transaction fees

This Privacy Policy ("Policy") governs how Mediso collects, uses, processes, stores, shares, and protects your personal data and sensitive personal health information ("SPDI"). We comply with all applicable Indian laws and regulations, including:

• 1. Digital Personal Data Protection Act, 2023 (DPDP Act) - India's primary data protection statute
• 2. Digital Personal Data Protection Rules, 2025 (DPDP Rules) - Operational implementation rules
• 3. Information Technology Act, 2000 (IT Act) - Foundational framework for digital regulation
• 4. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) - Requirements for sensitive health data
• 5. Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediary Rules) - Platform conduct obligations
• 6. Drugs and Cosmetics Act, 1940 (D&C Act) - Pharmaceutical product and distribution regulations
• 7. Drugs and Cosmetics Rules, 1945 (D&C Rules) - Detailed pharmaceutical compliance requirements
• 8. Pharmacy Act, 1948 - Pharmacist licensing and confidentiality obligations
• 9. Consumer Protection Act, 2019 (CPA) - E-commerce consumer safeguards
• 10. Consumer Protection (E-Commerce) Rules, 2020 - Online transaction regulations
• 11. Drugs (Prices Control) Order, 2013 (DPCO) - Price display and transparency requirements
• 12. National Pharmaceutical Pricing Authority (NPPA) Guidelines - Medicine pricing and transparency
• 13. Electronic Health Record Standards for India, 2016 - Health data protection standards

Jurisdiction: This Policy is governed by the laws of the India, and disputes shall be subject to the exclusive jurisdiction of courts in Ahmedabad, Gujarat.

2. Definitions

Unless the context clearly indicates otherwise, the following terms have the meanings assigned below:

2.1 Core Definitions Under DPDP Act, 2023 & DPDP Rules, 2025

"Data Principal" means you, any individual to whom personal data relates, whose data we collect and process.

"Personal Data" means any information about an individual who is identifiable by or in relation to such data. Under the DPDP Act, this includes both general personal data (name, phone, email, address, pincode) and sensitive personal data derived from health information.

"Sensitive Personal Data" / "SPDI" (as defined under IT Act SPDI Rules, 2011) means personal data that reveals:

• • Physical, physiological, or mental health condition
• • Medical records and medical history
• • Biometric information used for health purposes
• • Genetic information related to health
• • Lab test results and diagnostic information
• • Prescription details and medication history
• • Health insurance information
• • Disability status
• • Any inferred health information derived from the above

"Data Fiduciary" means Mediso India, as we determine the purposes and means of processing your personal data, including SPDI. Mediso is your Data Fiduciary under the DPDP Act.

"Data Processor" means any individual, entity, or third-party service provider (including delivery partners, payment gateways, analytics vendors) acting on our behalf, processing personal data only according to our documented instructions. Note: Partner pharmacies are NOT data processors for Mediso; they are independent data fiduciaries for prescription data they handle.

"Platform" means the mediso.in website, mobile app and WhatsApp-based ordering system through which customers place medicine orders.

"Order" means a customer's request for medicines placed through Mediso's platform, which Mediso forwards to the appropriate partner pharmacy for fulfillment.

"Processing" means any automated or manual operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, transmission, sharing, erasure, or destruction.

"Consent" means a free, specific, informed, unconditional, and unambiguous agreement given through a clear affirmative action (e.g., ticking a checkbox, clicking "I Agree", providing data voluntarily) to process your personal data for specified purposes.

"Data Breach" means unauthorized or accidental access, disclosure, loss, alteration, or destruction of personal data due to security failures.means unauthorized or accidental access, disclosure, loss, alteration, or destruction of personal data due to security failures.

"Grievance Officer" means the designated person at Mediso responsible for receiving, acknowledging, and resolving data principal complaints and rights requests.

3. Mediso's Role as Intermediary

3.1 What Mediso Is

Mediso is a DIGITAL INTERMEDIARY PLATFORM that:

• 1. Accepts orders from customers via website (mediso.in) or mobile app or WhatsApp
• 2. Verifies prescription authenticity and legitimacy
• 3. Forwards orders to partner pharmacies
• 4. Monitors order status with pharmacies
• 5. Arranges logistics and delivery with own or third-party delivery partners
• 6. Collects payment from customers
• 7. Pays pharmacies for medicine cost (minus Mediso's service charge/commission)
• 8. Provides customer support and grievance redressal

3.2 What Mediso Is NOT

Mediso is NOT:

• • A pharmacy or chemist
• • A licensed drug retailer (licenses held by partner pharmacies, not Mediso)
• • A medicine storage facility
• • A medicine wholesaler or distributor
• • A healthcare provider
• • Responsible for prescribing or recommending medicines (doctors/partner pharmacies do this)
• • Responsible for medicine quality or authenticity (partner pharmacies verify)

3.3 Partner Pharmacy Role

Each partner pharmacy that fulfills your order:

• • Is independently licensed under the Drugs & Cosmetics Act, 1940
• • Has its own premises, staff, and inventory
• • Is responsible for verifying prescription authenticity
• • Is responsible for medicine quality and authenticity
• • Maintains its own patient confidentiality obligations under Pharmacy Act, 1948
• • Holds its own data protection and privacy obligations

IMPORTANT: When Mediso forwards your order to a pharmacy, that pharmacy becomes the primary handler of your prescription and health data. Pharmacy confidentiality obligations apply.

3.4 Revenue Model

Mediso earns money through:

• 1. Delivery/Logistics Charges: Fee charged to customers for delivery coordination and last-mile logistics
• 2. Service Charges: Platform fee for order processing, verification, and customer support
• 3. Cart Handling Fees: Administrative fee for packaging and cart management
• 4. Commission from Pharmacies: Percentage commission on medicine sale value (negotiated with each pharmacy)
• 5. Payment Processing Fees: If applicable, fees from payment gateways (passed through or absorbed by Mediso)

Mediso does NOT earn money by:

• • Selling medicines directly
• • Marking up medicine prices (prices set by pharmacies and NPPA)
• • Storing inventory
• • Stocking medicines

4. Data We Collect

4.1 Categories of Personal Data Collected

We collect the following categories of personal data to provide our intermediary services:

4.1.1 Identification & Contact Information

• • Full name
• • Date of birth / Age
• • Email address
• • Mobile phone number(s)
• • Residential address (with pincode)
• • Delivery address(es)
• • Government-issued ID (Aadhaar, PAN, Voter ID, Driving License, Passport) - if requested for age/address verification or account creation
• • WhatsApp Business account identifier
• • Photograph (if provided for delivery preference)

4.1.2 Health & Medical Information (SPDI) - HANDLED BY MEDISO AS INTERMEDIARY

Important: The prescription and medical data you provide belongs to you and your doctor. Mediso collects this data ONLY as a technical intermediary to:

• • Verify prescription legitimacy
• • Forward the order to the appropriate pharmacy
• • Ensure the correct medicine is delivered to the correct person
• • Maintain audit trail for regulatory compliance

Mediso collects:

• • Prescription image, PDF, or text (uploaded by customer)
• • Prescription date and validity
• • Prescribing doctor's name and registration number
• • Pharmacy license number referenced in prescription (if any)
• • Customer's stated medical conditions (only if mentioned in prescription)
• • Allergy information (if stated in prescription for delivery safety)
• • List of medicines ordered (name, dosage, quantity)

Mediso does NOT collect or store:

• • Detailed patient medical records
• • Doctor's clinical notes or diagnosis
• • Lab reports or test results (unless directly referenced in prescription image)
• • Medication history beyond current order
• • Health insurance details
• • Disease history or chronic condition management plans

4.1.3 Payment & Financial Information

• • Payment method (UPI ID, cash on delivery indicator, card tokenized data)
• • Transaction history and order amounts
• • Billing address
• • GST ID / PAN (for business orders, if any)
• • Payment gateway reference ID and status
• • Refund information
• • Service charge and delivery charge amounts

4.1.4 Device & Technical Information

• • Device type (smartphone model, operating system, OS version)
• • IP address
• • Mobile phone MAC address
• • Browser type and version
• • Unique device ID
• • Cookies and tracking technologies (if website analytics enabled)
• • Login credentials and account security questions
• • Session data and access logs

4.1.5 Order & Transactional Data

• • Order date and time
• • Medicines ordered (names, dosages, quantities)
• • Pharmacy partner assigned to fulfill order
• • Order status and timeline
• • Delivery address and delivery time
• • Customer support interactions related to order
• • Refund or return requests
• • Customer ratings and reviews (if provided)

4.1.6 Communication & Support Data

• • WhatsApp messages sent to/from Mediso
• • Email support communications
• • Feedback and survey responses
• • Grievance complaints and resolutions
• • Call logs (if phone support provided)
• • Chat logs with customer service

4.1.7 Third-Party Data

• • Data from partner pharmacies (order fulfillment confirmation, medicine batch numbers, expiry dates)
• • Data from delivery partners (delivery confirmation, delivery time, driver name)
• • Data from payment gateways (transaction confirmation, fraud detection results)
• • Data from SMS/Email service providers (delivery notifications)

4.1.8 Data From Children (If Applicable)

• • If an adult orders medicines for a child under 18 years using Mediso, we collect the child's name, age, and information about the medication ordered
• • Special Requirement: The adult account holder (parent/guardian) is responsible for providing verifiable consent

4.2 How We Collect Data

We collect your personal data through:

1. Direct provision by you:

• • Account registration on mediso.in
• • WhatsApp messages and order placement
• • Prescription uploads
• • Customer support interactions
• • Feedback forms and surveys

2. Automated collection:

• • Website cookies and tracking pixels
• • Server logs and IP logs
• • Device identifiers and session tokens
• • Analytics tools (Google Analytics, Mixpanel, or similar)
• • Payment gateway data

3. From third parties:

• • Pharmacy partners (order fulfillment confirmation, medicine data)
• • Delivery partners (location, delivery status)
• • Payment processors (transaction data)
• • SMS/Email providers (delivery status)

4. Inferred data:

• • Medicine preferences based on order history
• • Frequency of orders
• • Behavioral patterns on the platform

5. Purpose of data collection & processing

5.1 We Process Your Data For The Following Specified, Lawful Purposes

Core Service Delivery (Mandatory)

• • Receiving and processing medicine orders from customers
• • Verifying prescription authenticity and completeness (preventing fraud, Schedule X drug abuse)
• • Forwarding verified orders to appropriate partner pharmacies
• • Tracking order status and coordinating with pharmacies
• • Arranging logistics and coordinating with delivery partners
• • Managing payment collection and processing
• • Communicating order status updates to customers
• • Handling refunds, cancellations, and returns
• • Providing customer support

Regulatory Compliance (Mandatory)

• • Maintaining audit trail of orders for 3 years (Drugs & Cosmetics Act requirement)
• • Maintaining prescription records for legal retention (minimum 3 years per pharmacy regulations)
• • Reporting to government agencies if required (e.g., CDSCO, NPPA, tax authorities)
• • Complying with law enforcement requests with valid court orders
• • Maintaining financial records for 7 years (Income Tax Act, GST compliance)
• • Responding to data protection authorities and grievance boards

Safety & Quality (Mandatory)

• • Verifying prescription legitimacy to prevent misuse of controlled substances
• • Checking for obvious red flags (bulk Schedule X orders, obviously forged prescriptions)
• • Blocking suspicious orders (e.g., bulk orders of high-addiction drugs)
• • Preventing delivery to minors without adult consent

Note: Detailed pharmacological checks (drug-drug interactions, dosage appropriateness) are responsibility of partner pharmacy pharmacists, not Mediso.

Account Management & Authentication

• • Creating and maintaining customer accounts
• • Authenticating customer identity for security
• • Managing login credentials and account access
• • Preventing unauthorized account access and fraud
• • Account recovery and password reset

Communication (With Your Consent)

• • Sending order confirmations and delivery updates
• • Providing customer support and responding to inquiries
• • Sending transactional notifications (order status, delivery OTP)
• • Sending promotional offers (only with your opt-in consent)
• • SMS/Email notifications (transactional messages mandatory; marketing requires explicit consent)

Quality Improvement & Analytics (With Your Consent)

• • Analyzing order patterns to improve service delivery
• • Understanding customer preferences
• • Optimizing delivery routes and timings
• • Conducting customer satisfaction surveys
• • Improving platform user experience
• • Identifying popular medicines and high-demand areas

Fraud Prevention & Security (Mandatory)

• • Detecting and preventing fraudulent transactions
• • Identifying unusual account activity
• • Blocking suspicious orders (fake prescriptions, bulk controlled substance orders)
• • Investigating complaints of unauthorized access
• • IP/Device blacklisting for known fraudsters

Business Operations (Mandatory)

• • Managing relationships with pharmacy partners
• • Processing invoices and commission payments to pharmacies
• • Managing delivery partner logistics
• • Financial accounting and auditing
• • Legal and compliance operations

5.2 Purposes We Will NOT Use Your Data For

Prohibited Uses:

• • Selling your personal or health data to third parties for profit
• • Unauthorized sharing of prescriptions or medical records
• • Building consumer health profiles for insurance companies without your explicit consent
• • Disclosing your medical conditions to employers without authorization
• • Using your health data for targeted advertising of controlled substances
• • Tracking you for non-delivery purposes
• • Discriminating against you based on health conditions
• • Any purpose not specified in this Policy without your explicit consent

6. Legal Basis for Processing

6.1 Lawful Basis Under DPDP Act, 2023

We process your personal data only on one of these lawful bases:

• Basis 1: Your Free, Specific, Informed Consent
• • We provide a Privacy Notice before processing
• • You provide clear affirmative consent to specific purposes
• • Examples: Marketing emails, analytics, optional features
• • You can withdraw consent anytime

• Basis 2: Voluntary Disclosure Without Objection
• • You voluntarily provide data (uploading prescription) for a specific purpose
• • You don't indicate objection to our processing
• • We process only for that specified purpose
• • Example: You upload prescription; we use it to fulfill your order

• Basis 3: Legal Obligation or Court Orders
• • Mandatory under Drugs & Cosmetics Act (audit trail maintenance)
• • Required for tax compliance (GST, TDS)
• • Court-ordered disclosure
• • Government regulatory investigation

• Basis 4: Performance of Contract
• • Processing is necessary to fulfill the service you requested
• • Example: We need your address to arrange delivery; we need your prescription to forward to pharmacy

• Basis 5: Medical Emergency
• • Sharing critical health data with emergency services if you report medical emergency during order

6.2 SPDI-Specific Legal Requirements Under SPDI Rules, 2011 & DPDP Act

Your Sensitive Personal Data / SPDI (prescriptions, medicine information) requires:

• • Explicit informed consent before collection and processing
• • Purpose limitation - we use SPDI only for intermediary service delivery and regulatory compliance
• • Data minimization - we collect only what is necessary to fulfill orders and verify legitimacy
• • Accuracy obligation - we ensure prescription data is accurately captured/forwarded
• • Security safeguards - encryption, access controls, audit logs
• • Breach notification - we inform you within 72 hours of any breach
• • Retention limits - we delete SPDI within 30 days of order fulfillment (except where legal retention applies for 3 years)
• • Access rights - you can access, correct, or delete your SPDI (subject to legal retention)

7. Data Retention & Deletion

7.1 Retention Schedules

We retain different categories of data for different periods based on legal requirements and operational necessity:

Category 1: Prescription & Order Records (SPDI)

• • Prescription images/PDFs/records: 3 years (Drugs & Cosmetics Act requirements for audit trail and traceability)
• • Order details (medicines, quantities, dates): 3 years (Regulatory requirement; consumer dispute resolution)
• • Pharmacy fulfillment confirmations: 3 years (Traceability; regulatory audit)
• • Delivery proof (OTP, location, time): 1 year (Dispute resolution; logistics audit)
• • Deletion Timeline: After 3 years, we permanently delete encrypted copies; you can request deletion earlier (except where legal hold applies)

Category 2: Payment & Financial Data

• • Transaction records: 7 years (Income Tax Act, 1961; GST compliance)
• • Invoices & receipts: 7 years (Goods & Services Tax Rules, 2017)
• • Refund records: 7 years (Consumer Protection Act, 2019)
• • Payment method tokens: Duration of account or 5 years (PCI DSS security standards)
• • Deletion Timeline: Automated purge after retention period expires

Category 3: Account & Contact Information (Personal Data)

• • Name, phone, email, address: Duration of account + 2 years (Operational necessity + statutory hold period)
• • Account access logs: 1 year (Security investigation; breach forensics)
• • Login credentials & OTPs: Duration of use (Security necessity)
• • Device identifiers: Duration of account (Fraud prevention)
• • Deletion Timeline: Upon account deletion (+ 2-year statutory hold), or at your request

Category 4: Behavioral & Analytics Data

• • Website analytics data: 26 months (Google Analytics default retention)
• • User browsing history: 1 year (Service improvement; analytics)
• • Order history summary: 3 years (For customer service, refunds, disputes)
• • Deletion Timeline: Automatic deletion after retention period; manual deletion on request

Category 5: Customer Support & Grievance Records

• • Support tickets: 3 years (Complaint resolution; dispute history)
• • Chat logs: 1 year (Quality assurance; complaint resolution)
• • Feedback responses: 1 year (Service improvement)
• • Deletion Timeline: After retention period, or at your request (unless ongoing dispute)

Category 6: Device & Technical Data (Cookies, IP Logs)

• • IP address logs: 1 year (Fraud detection; security investigation)
• • Browser cookies: Duration of session + 30 days (Website functionality)
• • Device IDs: 1 year (User identification)
• • Session tokens: Duration of session (Authentication)
• • Deletion Timeline: Automatic deletion after retention period; manual deletion on request

7.2 Right to Erasure (Right to Be Forgotten)

Under DPDP Act Section 11 & DPDP Rules, you have the Right to Erasure.

You can request deletion of your personal data when:

• • Processing purpose is fulfilled and data is no longer necessary
• • You withdraw consent and no other lawful basis exists
• • Data was collected without lawful basis
• • Data is no longer accurate or is incomplete
• • Processing violates DPDP Act requirements
• • Retention period has expired

We will NOT delete data when:

• • Legal retention requirements apply (3-year audit trail for pharmaceuticals; 7-year tax records)
• • Ongoing disputes or legal proceedings
• • Data is anonymized (no longer personal data)
• • Court orders require retention

Deletion Process:

• 1. Your Request: Submit deletion request via support@mediso.in or in writing
• 2. Our Acknowledgment: Within 24-72 hours with ticket reference
• 3. Our Assessment: Verify legal obligations and assess if deletion is possible (5-7 working days)
• 4. Our Response: Confirm deletion or explain in writing why deletion cannot occur
• 5. Implementation: Once approved, delete personal data and permanently destroy encrypted backups within 30 days

8. Data Sharing & Disclosure

8.1 Who We Share Your Data With

We share your personal data only with the following recipients and only to the extent necessary for intermediary service delivery or legal compliance:

8.1.1 Mandatory Internal Sharing (Within Mediso)

• • Operations Team: Order details, customer contact, delivery address (Processing orders, delivery coordination)
• • Compliance & Legal: All data as needed (Regulatory investigations, court orders)
• • Data Protection Officer: All data for audits (Privacy impact assessment, breach investigation)
• • Finance & Accounting: Payment data, transaction history, GST info (Invoicing, tax compliance)
• • Grievance Officer: Data related to complaints (Complaint resolution)

8.1.2 Partner Pharmacies (Licensed & Independent)

CRITICAL POINT: When Mediso forwards your order to a pharmacy, the pharmacy receives:

• • Prescription image/PDF: For pharmacist verification and medicine fulfillment
• • Medicines ordered: Specific names, dosages, quantities
• • Customer name & phone: For order confirmation and delivery coordination
• • Delivery address: For delivery instructions
• • Customer email: For order receipt

Partner pharmacy does NOT receive:

• • Payment details or financial information
• • Account credentials
• • Full medical history (only what's in the prescription)
• • Other order history
• • Analytics or behavioral data

Legal Status: Partner pharmacies are INDEPENDENT DATA FIDUCIARIES (not Mediso's data processors). They have their own privacy policies and data protection obligations under:

• • Pharmacy Act, 1948 (confidentiality obligations)
• • Drugs & Cosmetics Act, 1940
• • DPDP Act, 2023 (as separate data fiduciaries)

Each pharmacy is individually licensed and responsible for protecting your prescription data.

8.1.3 Delivery & Logistics Partners

Delivery Partner Receives:

• • Customer name, phone number
• • Delivery address (full address with pincode)
• • Delivery instructions
• • Order reference ID
• • Expected medicine package (size/weight info only)

Delivery Partner Does NOT Receive:

• • Prescription details or health information
• • Medicine names (they see package only)
• • Payment information
• • Account details
• • Medical history

Data Protection: Data Processing Agreement with encrypted data transmission; delivery data deleted after 90 days of delivery completion.

8.1.4 Payment & Financial Service Providers

• • Payment Gateways: Tokenized payment data, transaction amount, order reference (Payment processing, fraud detection)
• • Protection: PCI DSS Level 1 compliance; we never store full card numbers
• • Banks/Financial Institutions: Transaction records for TDS and GST settlement (Tax compliance)
• • Government Tax Authorities: Aggregated transaction data, GST returns (Tax compliance, regulatory reporting)

8.1.5 Communication Service Providers

• • SMS Providers: Phone number, order reference, delivery status (Sending transactional SMS)
• • Email Service Providers: Email address, name, order details (Sending receipts, support responses)
• • WhatsApp Business API Partner: Phone number, messages (Order messages)

8.1.6 Analytics & Improvement Partners (With Consent)

• • Google Analytics: Anonymized event data, page views, session duration (Website performance analysis)
• • Data Minimization: We share ONLY anonymized data that cannot identify you
• • Consent: Optional; you can opt-out in privacy settings

8.1.7 Government & Law Enforcement

• • Central Drugs Standard Control Organization (CDSCO): Prescription audit trail, adverse effects (Medicine safety monitoring) - Only if required
• • National Pharmaceutical Pricing Authority (NPPA): Aggregated sales data, pricing info (Price monitoring)
• • Police/Law Enforcement: Data with valid warrant or court order (Criminal investigation, public safety)
• • Income Tax Department: Financial records (Tax audit, compliance)
• • Data Protection Board of India: Data related to complaints (Investigation of privacy violations)

SAFEGUARD: We will NEVER voluntarily disclose data to law enforcement without valid legal order (warrant, summons, or court directive). We will notify you of requests (unless law prohibits notification).

8.1.8 No Cross-Border Data Transfers

• Current Policy: Mediso stores ALL data in India. NO data transfers outside India except:
• • Cloud infrastructure providers (AWS, Google Cloud, Azure) with India data centers
• • Government bodies (if legally required)

8.2 Data We DO NOT Share (Prohibited Disclosures)

We WILL NEVER share your data with:

• • Insurance companies without your explicit written consent
• • Employers or third-party screening agencies
• • Marketing/advertising companies for health-targeted ads
• • Data brokers or data sellers
• • Loan/credit agencies without legal authorization
• • Public social media
• • Unauthorized healthcare providers
• • Any party for commercial profit from health data

9. Data Security & Technical Safeguards

9.1 Security Standards & Encryption

Mediso implements industry-standard security measures to protect your data against unauthorized access, disclosure, alteration, and destruction:

9.1.1 Encryption Standards

• • Data in Transit: TLS 1.2 / TLS 1.3 (HTTPS) - Website connections, API calls
• • Prescription Images: AES-256 encryption - Storage in cloud database
• • Health Records: AES-256 encryption - Patient medical data storage
• • Payment Data: PCI DSS encryption (tokenization) - Zero-knowledge; tokens only; full card data never stored
• • Passwords: Bcrypt hashing - One-way hash; passwords never decrypted
• • Sensitive fields: Field-level encryption or masking - Aadhaar, account numbers encrypted at rest; masked for display

9.1.2 Access Control Measures

• • Role-Based Access Control: Employees access only minimum necessary data
• • Multi-Factor Authentication: Admin access requires MFA (password + OTP)
• • Audit Logging: Every access to health data logged with timestamp, user ID, purpose
• • IP Whitelisting: Internal access restricted to authorized company IPs
• • VPN Requirement: Remote access requires VPN encryption
• • Session Timeout: Inactive sessions timeout (15-30 minutes)
• • Background Checks: All staff with data access undergo criminal background verification

9.1.3 Database Security

• • Firewalls: Application firewalls block malicious traffic
• • SQL Injection Protection: Parameterized queries prevent injection attacks
• • Data Masking: Development databases use synthetic/masked data only
• • Regular Patching: Systems patched within 30 days of security updates
• • Vulnerability Scanning: Weekly automated vulnerability scans
• • Penetration Testing: Annual authorized security testing
• • Database Backups: Daily encrypted backups in geographically separate locations

9.1.4 Network Security

• • DDoS Protection: Distributed denial-of-service attack mitigation
• • Intrusion Detection: 24/7 monitoring for suspicious activity
• • SSL/TLS Certificates: Valid EV SSL certificates; HTTPS mandatory
• • API Security: OAuth 2.0 token-based authentication
• • Rate Limiting: Protects against brute-force attacks

9.2 Data Breach Notification & Response

In the event of a data breach, we will:

• Immediate Response (0-24 Hours)
• • Isolate affected systems
• • Disable compromised accounts
• • Block IP addresses used in attack
• • Change encryption keys if compromised
• • Document timeline and scope

9.2.1 Notification to Authorities (24-72 Hours)

Under DPDP Act Section 6 & DPDP Rules, we must notify the Data Protection Board of India (DPBI) within 72 hours of discovering a breach involving:

• • Large-scale personal data (e.g., >1000 individuals)
• • Sensitive Personal Data (health information)
• • High-risk data

9.2.3 Notification to You (Without Undue Delay)

Under DPDP Act Section 6, we will notify you if breach is likely to cause harm.

Notification Method:

• • Email to registered email address
• • SMS alert to registered phone number
• • In-app notification (if you have app access)
• • WhatsApp message
• • Public notice if >100 individuals affected

Notification Content:

• • Nature of breach
• • Data affected
• • When it occurred
• • Impact on you
• • Steps we took to contain it
• • Steps you should take

Timing:

• • High-risk breaches: Within 24 hours
• • Medium-risk breaches: Within 7 days
• • Low-risk breaches: Within 30 days

9.3 Limitations of Security

IMPORTANT DISCLAIMER: While we implement comprehensive security measures, no system is 100% secure. We cannot guarantee that unauthorized access will never occur. Security risks include:

• • Advanced hacking techniques
• • Insider threats or employee misconduct
• • Third-party vendor security failures
• • Physical theft or natural disasters
• • Cryptographic breakthroughs
• • Zero-day vulnerabilities

Your Responsibility:

• • Keep login credentials confidential
• • Use strong, unique passwords
• • Log out from public computers
• • Report suspicious activity immediately
• • Use only authorized Mediso channels

10. Your Rights Under DPDP Act, 2023 & DPDP Rules, 2025

10.1 Right to Know (Access & Transparency)

You have the RIGHT TO KNOW:

• • Whether we are processing your personal data
• • Categories of personal data we hold
• • Purpose of processing
• • Recipients with whom data is shared
• • Retention period for your data
• • How your data is protected
• • How your data is protected
• • Your rights and how to exercise them
• • Grievance redressal mechanism

How to Exercise:

• 1. Submit Access Request via email: support@mediso.in
• • Subject: "Right to Access Request"
• • Include: Your name, account email, phone, specific data you want to access

• 2. We Respond Within 5-7 Working Days with:
• • Downloadable copy of your personal data in structured format
• • List of third parties with whom data is shared
• • Data security measures in place

• 3. Format: Data provided in CSV, PDF, or JSON for portability

10.2 Right to Correction (Rectification)

You have the RIGHT TO CORRECT:

• • Inaccurate personal data
• • Incomplete personal data
• • Outdated information

Examples:

• • Correcting misspelled name in account
• • Updating phone number
• • Fixing address or delivery instructions
• • Correcting medication information if prescription was misread

How to Exercise:

• 1. Self-Service Correction (basic information):
• • Edit profile on mediso.in (name, phone, email, address)
• • Changes effective immediately

• 2. Formal Correction Request (health/sensitive data):
• • Email: support@mediso.in with details
• • Include: What data is wrong, what it should be, supporting evidence if needed
• • We respond within 5-7 working days and notify third parties if data was shared

10.3 Right to Erasure (Right to Be Forgotten)

You have the RIGHT TO ERASURE when:

• • Processing purpose is fulfilled and data retention is no longer necessary
• • You withdraw consent and no other lawful basis exists
• • Data was collected without lawful basis
• • Data retention violates DPDP Act
• • Retention period has expired
• • You request deletion and no legal obligation requires retention

Limitations - We CANNOT Delete When:

• • Legal retention requirements apply (3-year audit trail; 7-year tax records)
• • Ongoing disputes require data retention
• • Data is necessary for public health or safety
• • Court orders require retention

How to Exercise:

• Submit Deletion Request via: support@mediso.in
• • Subject: "Right to Erasure Request"
• • Include: Your name, account email, phone, specific data you want deleted, reason for deletion

• 2. We Assess Legality Within 5-7 Days:
• • If deletable: We delete and notify you within 30 days
• • If not deletable: We explain in writing why deletion cannot occur

• 3. Cascading Deletion:
• • Once we delete, we instruct pharmacy partners and delivery partners to delete same data
• • We verify deletion with signed attestations

10.4 Right to Data Portability

You have the RIGHT TO DATA PORTABILITY:

• • Download all your personal data in portable, machine-readable format
• • Transfer data to another service provider without hindrance
• • Includes: Account information, order history, communication records, health data

How to Exercise:

• 1. Submit Portability Request via: support@mediso.in
• • Subject: "Right to Data Portability Request"
• • Include: Your name, account email, phone, specific data you want to port

• We Provide Data Within 7-10 Days:
• • Encrypted download link sent to registered email
• • Download expires in 7 days; can request extension
• • Data includes: Orders, prescriptions, communications, account info

10.5 Right to Withdraw Consent

You have the RIGHT TO WITHDRAW CONSENT:

• • For marketing emails/SMS (1-click opt-out)
• • For behavioral analytics
• • For data sharing to specific third parties
• • Future processing stops; past processing remains valid

How to Exercise:

• 1. Marketing/Email Consent Withdrawal:
• • Click "Unsubscribe" link in marketing email
• • Reply to SMS with "STOP"
• • Change preferences in account settings
• • Change preferences in account settings

• 2. Cookie/Analytics Consent Withdrawal:
• • Account settings: "Privacy Preferences" → disable analytics
• • Cookie popup: Click "Reject All"
• • Effective immediately

• 3. General Consent Withdrawal:
• • Email: support@mediso.in with subject "Withdrawal of Consent"
• • Specify which consent (marketing, analytics, data sharing, etc.)
• • We confirm within 24 hours
• • Future processing for that purpose stops immediately

10.6 Right to Grievance Redressal

You have the RIGHT TO FILE A GRIEVANCE about our data handling practices:

• • If we violate your data rights
• • If data security is compromised
• • If we deny your rights requests
• • If we share data without consent
• • If we misuse your data

How to File a Grievance:

• STEP 1: Internal Grievance to Mediso (Mandatory First Step)
• Submit to our Grievance Officer:
• • Email: grievance@mediso.in
• • Phone: 08069328893
• • If we share data without consent

• What to Include:
• • Your name, email, phone, account ID
• • Date of incident
• • Detailed description of grievance
• • Your expected resolution
• • Supporting documents (screenshots, emails, etc.)

• Our Response Timeline:
• • Acknowledgment: Within 24-72 hours
• • Investigation: 7-14 working days
• • Resolution: Within 30 days (or justified extension)

• STEP 2: Appeal to Data Protection Board of India (If Unsatisfied)
• If unsatisfied with our response, file complaint with Data Protection Board of India (DPBI) under DPDP Act Section 18.

• Where to File:
• • DPBI Website
• • DPBI Office (By Post)

10.7 Right to Non-Discrimination

You have the RIGHT NOT TO BE DISCRIMINATED AGAINST for exercising your data protection rights.

Mediso WILL NOT:

• • Deny service for exercising access, deletion, or portability rights
• • Increase prices for withdrawing marketing consent
• • Downgrade your account for filing grievances
• • Harass or threaten you for complaining about privacy violations

11. Children's Data Protection

11.1 Age Restrictions & Parental Consent

Mediso is intended for individuals 18 years and older.

If you are under 18 years old:

• • Do NOT create an account or provide data to Mediso

Your parent or legal guardian must:

• • Create the account for you
• • Provide verifiable consent before any data processing
• • Authorize all medicine orders

11.2 Verifiable Parental Consent Process

Under DPDP Rules, 2025, for any data processing of children (under 18):

We require verifiable parental/guardian consent via:

• Method 1: Third-Party Consent Verification Service
• • Parent/Guardian receives OTP via registered email or phone
• • Confirms consent by entering OTP
• • System records verified consent with timestamp

• Method 2: Government ID Verification
• • Parent/Guardian provides photocopy/scan of ID (Aadhaar, PAN, Voter ID, Passport)
• • Age verification conducted
• • Digital Locker integration (if available) for instant verification

• Method 3: Digital Signature
• • Parent/Guardian signs consent form using digital signature
• • Legally binding; recorded in system

11.3 Parent/Guardian Rights

Parent/Guardian of a child using Mediso has the right to:

• • Access all of their child's data
• • Request correction of inaccurate data
• • Delete their child's data (except where legal retention required)
• • Withdraw consent for any future processing
• • Object to any inappropriate data practices

Exercise Rights via:

• • Email: support@mediso.in (with proof of guardianship)
• • Written request to Grievance Officer

12. Regulatory Compliance & Pharmacy Operations

12.1 Drugs & Cosmetics Act, 1940 Compliance

As a medicine delivery intermediary platform, Mediso complies with Drugs & Cosmetics Act, 1940:

• • Prescription Verification: Mediso performs preliminary verification to ensure prescription appears legitimate and complete
• • Pharmacist Verification: Final verification is responsibility of partner pharmacy's licensed pharmacist
• • Schedule X Restriction: Mediso system prevents ordering of Schedule X drugs without proper prescription authentication
• • Prescription Retention: Mediso retains prescription audit trail for 3 years as required by law
• • Traceability Records: Every order includes medicine batch number, expiry date, pharmacy details (when fulfilled)
• • Adverse Reaction Reporting: Partner pharmacies report serious adverse effects to Pharmacovigilance Programme
• • Online Pharmacy Registration: Partner pharmacies are registered with State Drug Licensing Authorities

IMPORTANT: Mediso is NOT responsible for final drug safety checks. Each partner pharmacy is independently responsible for:

• • Verifying prescription authenticity
• • Checking drug-drug interactions
• • Ensuring appropriate dosage
• • Ensuring medicine authenticity
• • Monitoring for adverse effects

12.2 NPPA & Drug Price Control Compliance

Mediso facilitates price display as per NPPA requirements under Drugs (Prices Control) Order, 2013:

• • Price Display: All medicine prices clearly displayed on product pages (set by pharmacies)
• • Ceiling Price Compliance: Mediso ensures prices do NOT exceed NPPA-fixed ceiling prices
• • Price Transparency: MRP, discount (if any), and final price clearly stated
• • Price Updates: Prices updated as per pharmacy's updates and NPPA notifications
• • Complaint Mechanism: Users can report price overcharges directly to NPPA

IMPORTANT: Medicine prices are set by partner pharmacies, not Mediso. Mediso charges separate service/delivery fees.

12.3 Pharmacy Act, 1948 - Pharmacist Confidentiality

All partner pharmacies must comply with Pharmacy Act, 1948:

• • Pharmacists are bound by patient confidentiality obligations
• • Prescriptions and medical information cannot be disclosed to unauthorized parties
• • Violation is a criminal offense under Pharmacy Act
• • Each pharmacy maintains confidentiality and security standards

13. Consumer Protection & Rights

13.1 Consumer Protection Act, 2019 Compliance

Mediso recognizes your consumer rights under Consumer Protection Act, 2019:

• • Right to Safety: Partner pharmacies provide genuine, non-counterfeit medicines
• • Right to Information: Clear medicine descriptions, ingredients, precautions, side effects
• • Right to Choose: Freedom to choose from available medicines; no forced upselling
• • Right to Redressal: Grievance mechanism for complaints
• • Right to Consumer Education: Information about medicines, proper usage

13.2 Consumer Protection (E-Commerce) Rules, 2020

As an e-commerce platform, Mediso complies with Consumer Protection (E-Commerce) Rules, 2020:

• • Transparency: Clear terms and conditions, return policy, cancellation policy
• • Platform Information: Mediso's address, contact details, grievance officer information prominently displayed
• • Third-party Pharmacy Information: Partner pharmacy details, license information available on order pages
• • Consumer Data Protection: Personal information NOT shared with third parties without consent
• • Dispute Resolution: 2-tier redressal mechanism (internal + Consumer Commission appeal)

13.3 Return & Refund Policy (Related to Privacy)

• • Return requests require prescription image upload (to verify order legitimacy)
• • Prescription data retained only for return/refund processing (max 30 days post-refund)
• • Deleted thereafter unless required for dispute resolution

14. Analytics, Cookies & Tracking

14.1 Cookies & Tracking Technologies

What are Cookies?

Cookies are small text files stored on your device to:

• Cookies are small text files stored on your device to:
• • Remember your login status
• • Track your browsing behavior (with your consent)
• • Personalize your experience
• • Measure website performance

14.2 Types of Cookies We Use

• • Essential/Functional: Login, cart, preferences, security - No (always enabled) - Session + 1 year
• • Analytics: Understanding user behavior (Google Analytics) - Yes - opt-in - 26 months
• • Marketing: Retargeting ads (if enabled) - Yes - opt-in - 1 year
• • Third-party: Tracking across websites (if enabled) - Yes - opt-in - Varies

14.3 Cookie Consent Management

First-Time Visitors see Cookie Banner:

Mediso uses cookies to improve your experience. Some are essential; others help us understand how you use our site.

You can:

• • Accept all cookies
• • Reject non-essential cookies
• • Customize which cookies to allow
• • Change preferences anytime in Privacy Settings

Disable Cookies:

• • Chrome: Settings → Privacy and Security → Cookies → Block all
• • Firefox: Options → Privacy & Security → Cookies → Block all
• • Safari: Preferences → Privacy → Cookies → Never

15. Policy Updates & Changes

15.1 When We Update This Policy

We may update this Privacy Policy to:

• • Reflect legal/regulatory changes
• • Improve clarity and transparency
• • Add new services or data processing activities
• • Respond to user feedback

15.2 How We Notify You

For Material Changes (affecting your rights):

• • Email Notification: To your registered email address
• • In-App Banner: Notification on mediso.in homepage
• • Website Notice: Policy change published on footer
• • 30-Day Notice Period: Changes effective after 30 days

15.3 Your Consent for Policy Changes

If we make material changes, you must:

• • Review the updated Policy
• • Provide fresh consent within 30 days
• • OR delete your account and data

If you don't consent to new terms:

• • Stop using Mediso
• • Request data deletion
• • Your account will be deactivated

16. Contact Information & Grievance Officer

16.1 Data Protection Officer (DPO)

For privacy-related questions, data requests, or regulatory compliance issues:

• Data Protection Officer
• Email: support@mediso.in
• Phone: 08069328893
• Available: Monday-Friday, 10 AM - 5 PM IST

16.2 Grievance Officer

For filing grievances about data handling, privacy violations, or rights requests:

• Grievance Officer
• Email: grievance@mediso.in
• Phone: 08069328893
• Office Hours: 9 AM - 6 PM, Monday to Friday (Excluding National Holidays)
• Response SLA: 24-hour acknowledgment; 30-day resolution

16.3 General Inquiries

For general questions about Mediso (not privacy-related):

• Email: hello@mediso.in
• Raise Ticket: Click to Raise Ticket

17. Legal Disclaimers & Acknowledgments

17.1 Mediso's Limited Responsibility

Mediso is a TECHNOLOGY INTERMEDIARY, not a pharmacy. Therefore:

• • Mediso is NOT responsible for medicine authenticity (partner pharmacies verify)
• • Mediso is NOT responsible for prescription verification accuracy (partner pharmacies verify)
• • Mediso is NOT responsible for drug-drug interactions (partner pharmacy pharmacists responsible)
• • Mediso is NOT responsible for dosage appropriateness (partner pharmacy pharmacists responsible)
• • Mediso is NOT responsible for medicine side effects (disclosed by manufacturer/pharmacy)
• • Mediso is NOT responsible for medicine efficacy or outcomes

Partner pharmacies are INDEPENDENT businesses with their own responsibilities, liabilities, and data protection obligations.

17.2 Limitation of Liability

Mediso's liability for data breaches, privacy violations, or mishandling is limited to:

• • Direct damages (not indirect, consequential, or punitive damages)
• • Maximum amount: Refund of amounts paid to Mediso in past 12 months
• • Exclusion: Damages for loss of health, injury, or death (covered by separate liability frameworks)

17.3 Governing Law & Jurisdiction

This Privacy Policy is governed by:

• • Privacy & Data Protection: Digital Personal Data Protection Act, 2023 & DPDP Rules, 2025
• • Health Data: Information Technology Act, 2000 & SPDI Rules, 2011
• • Pharmaceutical Operations: Drugs & Cosmetics Act, 1940 & D&C Rules, 1945
• • Consumer Rights: Consumer Protection Act, 2019
• • E-Commerce Operations: Consumer Protection (E-Commerce) Rules, 2020
• • Disputes & Jurisdiction: Courts of Ahmedabad, Gujarat, India

17.4 Entire Agreement

This Privacy Policy, together with our Terms & Conditions and Return Policy, constitutes the entire agreement regarding privacy and data handling between you and Mediso. No prior agreements or representations apply.

18. Closing Statement

Your privacy and the security of your health information are paramount to Mediso. We are committed to transparent data practices, regulatory compliance, and respecting your rights under Indian law.

By using Mediso, you acknowledge that:

• • You have read and understood this Privacy Policy
• • You consent to the collection and processing of your personal data as described
• • You have the right to contact us with questions or concerns
• • You can exercise your rights anytime (access, correction, deletion, portability, grievance)
• • You understand that Mediso is an intermediary platform, not a pharmacy

We welcome your questions and feedback on our privacy practices.

Last Updated: 14th March 2026

Next Review Date: July 2, 2026 (or upon regulatory changes)