GDPR

1. Introduction

Medeasy.ai (“Medeasy,” “Company,” “we,” “us,” or “our”), operated by Bizionic Technologies Pvt. Ltd., is committed to protecting the privacy and security of personal data. This GDPR Compliance Policy outlines how we collect, process, store, and protect data in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).


2. Scope

This policy applies to all users, customers, healthcare providers, and employees interacting with our platform, applications, and services. It covers:

  • Data collection and processing practices

  • User rights regarding their personal data

  • Security measures implemented to safeguard data

  • Procedures for handling data breaches

  • Third-party processors involved in data processing

  • Data retention and deletion policies


3. Data Collection & Processing

Types of Data Collected

  • Personal Information: Name, email, phone, address, date of birth, gender, physician details, pharmacy information

  • Usage Data: IP address, device info, activity logs, navigation patterns

  • Technical Data: Cookies, API logs, error reports, session tracking

  • Healthcare Data: Medical history, vitals, remote monitoring data, goals, mood logs, and communications with providers

  • Compliance Data: Physician license details, professional insurance info, education history, patient insurance info

  • Financial Data: Payment transactions, billing details, subscription info

  • Communication Data: Messages exchanged within the platform

Legal Basis for Processing Data

  • Consent (Article 6(1)(a)) – Voluntarily provided data

  • Contractual necessity (Article 6(1)(b)) – Required to provide services

  • Legal obligations (Article 6(1)(c)) – To meet legal/regulatory requirements

  • Legitimate interests (Article 6(1)(f)) – For business operations, fraud prevention, and platform security


4. Data Protection & Security Measures

  • Access Controls: Role-based access, strong authentication, activity logging

  • Encryption: Data encrypted at rest and in transit

  • Network Security: Firewalls, intrusion detection systems, secure VPNs

  • Regular Audits: Security assessments, vulnerability tests, compliance reviews

  • Data Minimization: Only necessary data is collected; anonymization where possible


5. Data Retention & Deletion Policy

Retention Periods

  • User activity logs: 6–12 months

  • Customer data: For the duration of the subscription plus 30–90 days post-termination

  • Backups: 30–90 days

  • Communication records: 24 months (unless legally required longer)

Deletion Process

  • Users can request deletion via UI or support

  • Data is securely erased from live systems within 90 days

  • Backup data purged within the same retention period


6. Data Transfers & International Compliance

  • Data stored in India (Azure Cloud, Central India)

  • For transfers outside the EU, we use Standard Contractual Clauses (SCCs) and ensure ISO 27001 compliance


7. Data Subject Rights

Under GDPR, individuals have the following rights:

  • Right to Access (Article 15): View personal data held

  • Right to Rectification (Article 16): Correct inaccurate data

  • Right to Erasure (Article 17): Request deletion of personal data

  • Right to Restriction (Article 18): Limit processing in certain cases

  • Right to Data Portability (Article 20): Transfer data to another provider

  • Right to Object (Article 21): Object to data processing based on legitimate interest

  • Right to Lodge a Complaint: Contact the relevant Data Protection Authority


8. Third-Party Processors & Sub-Processors

We work with the following processors:

  • AWS S3 – File storage

  • CloudFront – Content distribution

  • Microsoft Azure – Hosting & infrastructure

  • Agora – Video/voice calls

  • Stripe, Razorpay – Payment processing

  • Firebase – Mobile app development

  • Amplitude – User analytics

  • Google Apps – Calendar, Analytics, Tag Manager

  • Facebook Ads, Google Ads – Ad tracking

  • Twilio – SMS, OTPs

  • Zoho Suite – Email, CRM, marketing automation

  • SRFax – Secure faxing

  • ABDM – ABHA validation (if selected)

  • MongoDB Atlas – Database management

  • Make.com – Workflow automation


9. Data Breach Response Plan

  • Detection & Containment: Immediate action upon breach detection

  • Regulatory Reporting: Notify users & regulators within 72 hours

  • Investigation & Remediation: Analyze, resolve, and apply future mitigations


10. Cookie & Tracking Policy

We use cookies for:

  • Essential platform functionality

  • Performance & usage analytics

  • Marketing personalization

Users can manage cookie preferences via browser settings or opt-out tools.


11. Payment & Transaction Processing

  • Payments processed via secure third-party providers

  • Users can view pricing before scheduling

  • All transactions follow PCI-DSS security standards