Privacy Policy
Digital Personal Data Protection (DPDP) Act, 2023 · IT Act, 2000 · Last updated: April 2026 · Version 3.0
Suprameds is committed to protecting your personal and health data under the DPDP Act, 2023. All sensitive personal data (prescriptions, health records) is stored in data centres in India and never exported. You have the right to access, correct, and erase your data at any time.
1. What data we collect
We collect the following categories of personal data with your explicit consent:
- Account data: Name, phone, email, date of birth
- Health data (PHI): Prescription documents, prescribing doctor details, dispensed medicines, family member health information
- Transaction data: Order history, payment method (not card numbers), delivery addresses
- Location data: Approximate and precise location (with your permission) — used solely to check delivery availability for your pincode and pre-fill address fields. Never used for tracking or advertising.
- Camera & photos: Camera access and photo library access are requested only when you upload a prescription. Images are uploaded directly to our encrypted prescription store; we do not access your gallery otherwise.
- Device identifiers: Firebase Cloud Messaging (FCM) push token for notifications, Google advertising ID for ad-conversion measurement, IP address for fraud prevention and security
- Usage data: Pages visited, search queries, product interactions (non-PHI pages only, with your analytics consent)
2. Legal basis for processing
We process your data under the following lawful bases:
- Consent: Health data, analytics, marketing communications
- Contract performance: Processing your orders and prescription dispensing
- Legal obligation: CDSCO prescription retention, GST records retention, H1 register — as required by applicable law
- Legitimate interest: Fraud prevention, security logs, poison control emergency situations
3. Data storage and security
All sensitive personal data (prescriptions, health records) is stored in data centres in the India region, complying with the DPDP Act's data localisation requirement.
- Prescription documents: Encrypted at rest on Cloudflare R2 (India region), TLS in transit
- Account & order databases: Hosted on Supabase (Mumbai, India region)
- Health records: Encrypted, access-logged, accessible only to authorised pharmacists
- Backups: Regular backups with appropriate retention; PHI records retained as required by CDSCO
- Access control: Role-based, with multi-factor authentication for staff access
4. Your rights under DPDP Act, 2023
As a Data Principal, you have the following rights:
- Right to access: Request a copy of all your personal data
- Right to correction: Correct inaccurate personal data
- Right to erasure: Request deletion of your data (subject to legal retention obligations)
- Right to withdraw consent: Withdraw any consent given for non-essential processing
- Right to grievance: Raise complaints with our Grievance Officer (see /grievance)
- Right to nominate: Nominate a person to exercise rights on your behalf
To exercise these rights, email suprameds@gmail.com or call +91 76749 62758. We respond within 15 days as required by DPDP Rules.
5. Data sharing with third-party processors
We never sell your personal data. We share the minimum necessary data only with the following categories of processors, each bound by a data-processing agreement:
- Logistics carriers (via AfterShip): Delivery address, phone number, order contents for last-mile shipment and tracking
- Payment processors (Razorpay, Paytm): Transaction amount and order reference only — card and UPI details are entered directly into the processor's PCI-DSS-certified interface; we never see or store them. Cash-on-delivery transactions do not leave our systems.
- SMS providers (BulkSMSPlans.com primary, MSG91 fallback): Phone number + transactional OTP and order-status templates only. DLT-registered sender IDs (SUPRACYN PRIVATE LIMITED).
- Email provider (Resend): Email address + order-related transactional message content
- Push notifications (Firebase Cloud Messaging, a Google service): Device token + notification payload. FCM may transfer data outside India per Google's standard terms.
- Analytics (Firebase Analytics, Google Analytics 4, Google Tag Manager): Anonymous usage data. Does not include PHI. Requires your analytics consent.
- Google Ads conversion tracking: When you enable marketing consent, we send SHA-256 hashes of your email and phone (Enhanced Conversions) to Google Ads for cross-device attribution. Hashed values cannot be reversed to the original email/phone. Opt out by disabling marketing consent.
- Error monitoring (Sentry): Technical error traces. Sensitive fields are scrubbed before transmission.
- Regulatory authorities (CDSCO, State Drug Controller): Prescription and dispensing records on regulatory inspection
- Law enforcement: When legally required by court order
International transfers: Google and Sentry may process analytics/error data outside India. No sensitive PHI (prescriptions, health records, dispensing details) is ever transferred outside India.
6. Cookies & mobile app permissions
On the web, we use the following categories of cookies:
- Essential: Session, cart, OTP authentication — always active (legitimate interest)
- Functional: Order history, saved addresses, recently viewed — requires consent
- Analytics: Page view analytics on non-PHI pages — requires consent, off by default
- Marketing: Abandoned cart, WhatsApp marketing — requires explicit consent, off by default
In our Android application, we request the following runtime permissions only at the moment they are needed:
- Camera: Prompted when you choose "Take photo" to capture a prescription. Never used in the background.
- Photos & media: Prompted when you choose "Upload from gallery" to attach a prescription image. We only read the specific image you select.
- Location (coarse/precise): Prompted when you tap "Use my location" to auto-detect your pincode. You can always enter your pincode manually instead.
- Notifications (Android 13+): Prompted for order and prescription-review status updates via Firebase Cloud Messaging. You can revoke at any time in Android Settings → Apps.
To manage your preferences or withdraw consent, email suprameds@gmail.com.
7. Data retention
We retain data for the periods required by applicable law:
- Prescription documents: as required by CDSCO regulations
- Supply memos and GST invoices: as required by GST Act
- H1 register entries: as required by Drugs & Cosmetics Rules
- Order history: as required for service and legal obligations
- PHI access logs: as required by applicable regulations
- Account data: until account deletion request (subject to legal holds)
- Analytics events (non-PHI): limited retention period
8. Contact & Grievance Officer
For privacy queries, data-rights requests, or to withdraw consent:
- Data Protection / Grievance Officer: Supracyn Private Limited
- Email: suprameds@gmail.com
- Grievance escalation: suprameds@gmail.com (response within 15 days per DPDP Rules)
- Helpdesk: suprameds@gmail.com
- Phone: +91 76749 62758
- Address: Supracyn Private Limited, 1st Floor, H.No 7-2-544, SRT 323, Sanathnagar, Hyderabad – 500018, Telangana, India
- For unresolved DPDP Act complaints: Data Protection Board of India (once operational)
Licensed Pharmacy
Drugs & Cosmetics Act 1940
Licensed Pharmacist
Mirza Askary Ali, B.Pharm · #031171/A1
Nationwide Delivery
Speed Post · All India Pincodes
Drug License Active
TS/HYD/2021-82149 · Form 20 & 21