Privacy Policy

1. Data We Collect

• Identity & contact: name, mobile number, and (optionally) email at registration.
• Health data: symptoms, consultation notes, diagnoses, prescriptions, and lab reports shared during or after a visit.
• Consent records: timestamp, consent text, and mode of consent captured at booking.
• Transaction data: payment references, order IDs, and fulfilment metadata for pharmacy and lab orders.
• Usage data: IP address, device type, and page interaction logs collected for security and debugging.

2. Why We Process Your Data

• To provide telemedicine consultations and share records with your treating RMP.
• To fulfil prescription and lab-at-home orders with licensed partner facilities.
• To send appointment confirmations and follow-up reminders via WhatsApp/SMS.
• To meet statutory reporting and audit obligations under Indian law.
• To detect, prevent, and respond to fraud or security incidents.

Health data is never sold, rented, or shared for advertising purposes.

3. Data Sharing

• Treating RMPs: your clinical data is shared with the physician you consult.
• Partner pharmacies & labs: order and prescription data is shared only with the licensed facility fulfilling your order.
• Regulators: data may be disclosed to NMC, MoHFW, CERT-In, or law enforcement when required by law.
• Payment processor: Razorpay receives transaction data necessary to process payments; CalDoc does not receive or store card details.

4. Data Retention

• Medical records (consultation notes, prescriptions, consent records) are retained for a minimum of 3 years from the consultation date, as required under NMC regulations and the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002.
• Transaction records are retained for 7 years for tax and audit compliance.
• Account and usage data is retained until you request deletion, subject to the above mandatory retention periods.

5. Your Rights Under DPDP Act, 2023

• Right of access: request a copy of the personal data we hold about you.
• Right of correction: request correction of inaccurate or incomplete data.
• Right of erasure: request deletion of your data (subject to mandatory retention obligations).
• Right to withdraw consent: withdraw consent to processing at any time; this will affect your ability to use the platform.
• Right to nominate: nominate a representative to exercise these rights on your behalf.

Exercise any of these rights by emailing privacy@telemed.in. Requests will be acknowledged within 48 hours and fulfilled within 30 days.

6. Security & Breach Notification

• All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
• Servers are located in India (AWS ap-south-1). No health data is transferred outside India.
• Access is restricted by role; all privileged actions are audit-logged.
• In the event of a personal data breach that is likely to result in harm to Data Principals, we will notify affected users and CERT-In within 72 hours of becoming aware of the breach, as required by the DPDP Act, 2023.

7. Grievance Officer