Pre-launch preview — not live yet. See the build log

Privacy Policy

India · Effective 28 April 2026

Last updated: 28 April 2026

MediSero takes your health data seriously. This Privacy Policy explains what personal data we collect when you use the MediSero patient application, why we collect it, how we use and protect it, and the rights you have as a Data Principal under Indian law.

1. About MediSero and this Policy

The MediSero patient application (the "App") is operated by MediSero Technologies Private Limited ("MediSero", "we", "our", "us"), a company incorporated in India. This Privacy Policy is published in accordance with Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and Rule 3(1) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, read with Section 5 and Chapter II of the Digital Personal Data Protection Act, 2023.

By installing, accessing or using the App, you confirm that you have read, understood and consented to the processing of your personal data as described in this Policy. If you do not agree, please do not use the App.

2. Definitions

  • "Personal Data" means any data about an individual who is identifiable by or in relation to such data.
  • "Sensitive Personal Data or Information" ("SPDI") has the meaning given in Rule 3 of the SPDI Rules and includes health, physical, physiological and mental health condition, medical records and history, biometric information and passwords.
  • "Data Principal" means the natural person to whom the personal data relates — in the App, that is you, the patient.
  • "Data Fiduciary" means the person who determines the purpose and means of processing — MediSero is the Data Fiduciary for your data processed through the App.
  • "Processing" means any operation performed on personal data, including collection, storage, use, sharing, disclosure and deletion.

3. Data we collect

We only collect data that is necessary to deliver the MediSero service and provide you with health information you can act on. Specifically, we collect the following categories:

  • Identity and contact information — name, date of birth, gender, mobile number, email, address, profile photo and the MediSero ID auto-generated for your account.
  • Health and medical information (SPDI) — prescriptions, medication logs, allergies, diagnoses, lab reports, imaging, vitals, symptoms, visit notes, doctor-dictated SOAP notes and adherence history.
  • Wearable and device data — with your permission, heart rate, heart-rate variability, resting heart rate, steps, distance, active energy, SpO₂, sleep, respiration rate, body mass, blood pressure, blood glucose, temperature and workouts from Apple Health, Apple Watch, Google Health Connect, Samsung Health and any third-party apps that write to those platforms.
  • Visit recordings and transcripts — audio captured during your doctor visits only when you explicitly start a recording, together with AI-generated transcripts, summaries and TScore™ quality scores.
  • Account and authentication data — phone OTP, device identifiers, push notification tokens and authentication state stored securely on your device via Expo SecureStore / Keychain.
  • Usage and diagnostic data — in-app actions, screen views, crash logs and performance telemetry, used in aggregated form to improve the App.
  • Payment data — where applicable, billing name, GSTIN (if any) and transaction identifiers. Card numbers and bank credentials are handled exclusively by RBI-regulated payment gateways and are never stored on MediSero servers.

We never collect bank account numbers, debit/credit card numbers, CVV, net-banking passwords or Aadhaar/PAN numbers through the App. If any screen appears to ask you for these, stop and contact our Grievance Officer immediately.

4. How we collect your data

  • Directly from you when you create an account, fill a form, upload a report, record a visit or enter a reading manually.
  • From your treating doctor when they share a visit record, prescription or lab report with you through the MediSero doctor application.
  • From your wearable or health platform — only after you grant explicit OS-level permission (HealthKit on iOS, Health Connect on Android).
  • Automatically from the App for security, fraud prevention and service performance (crash logs, network telemetry).

5. Purposes and lawful basis for processing

We process your personal data on the basis of your consent (Section 6 of the DPDP Act) and, where applicable, for the "legitimate uses" listed in Section 7 of the DPDP Act, such as responding to a medical emergency involving a threat to life or providing medical treatment during an epidemic or other public health event. Specifically, we use your data to:

  • Create and maintain your MediSero account and longitudinal health record.
  • Show you prescriptions, lab reports, visit history, vitals trends and medication reminders.
  • Generate AI-assisted insights through Clio — including visit summaries, medication safety checks, drug-interaction alerts and daily health briefs.
  • Enable doctor-patient sharing, consultation booking, queue/token tracking and, where available, telemedicine follow-ups under the Telemedicine Practice Guidelines, 2020.
  • Send push notifications for alarms, refills, appointment reminders and health trend alerts — only for the categories you have enabled in Settings.
  • Protect the App against fraud, abuse and unauthorised access.
  • Comply with legal and regulatory obligations and respond to lawful requests from courts, government authorities and regulators.
  • Improve the App, including training and fine-tuning Clio — using de-identified and aggregated data only, and never identifiable visit audio or prescriptions.

6. Consent and how you can withdraw it

Before we process your personal data, we seek your free, specific, informed, unconditional and unambiguous consent through clear in-app prompts. Where we process Sensitive Personal Data or Information (such as health data), we obtain your explicit consent as required by Rule 5(1) of the SPDI Rules.

You can withdraw your consent at any time from the App: Profile → Privacy & Security → Consent Log, or by writing to the Grievance Officer at the address in Section 14. Withdrawing consent does not affect the lawfulness of processing done before the withdrawal. If you withdraw consent for core processing we need to run the service, we may no longer be able to provide the App to you.

7. How we share your data

We do not sell your personal data. We share your data only in the limited circumstances below, and only to the extent strictly necessary:

  • With your treating doctor, clinic, pharmacy or diagnostic lab — only when you explicitly initiate a share (for example, by booking a visit, accepting a prescription, or sharing a report via QR/link).
  • With service providers we engage to run the App, including cloud hosting, push notification delivery, OTP and SMS providers, payment gateways and crash-log providers. These providers are contractually bound to keep your data confidential and to process it only on our instructions.
  • With AI sub-processors strictly for the purpose of generating the insights you request. Visit audio is transmitted only when you start a recording, processed in-memory for transcription and summarisation, and is not retained for model training.
  • With regulators, courts and government authorities where required by law, including under Section 91 of the Code of Criminal Procedure or a lawful order under the IT Act.
  • As part of a merger, acquisition or corporate restructuring, in which case the acquirer will be bound to honour this Privacy Policy.

8. Cross-border transfers

Our primary data centres are located in India. Certain sub-processors (for example, cloud backup or AI inference providers) may process data outside India. We transfer data outside India only to countries not restricted by the Central Government under Section 16 of the DPDP Act, and under contractual safeguards ensuring protection equivalent to that under Indian law.

9. Data retention

We retain your health record for as long as your MediSero account is active, so that your longitudinal history is available to you and your doctors over time. When you delete your account, we will erase your personal data within 30 days, except where a longer retention period is required by law (for example, tax and financial records under the Income Tax Act, 1961, or records the Ministry of Health and Family Welfare requires a clinical establishment to retain).

Visit audio recordings are retained on your device until you delete them. If you enable cloud backup, audio is stored encrypted in our servers and is deleted when you delete the visit or your account.

10. Your rights as a Data Principal

Subject to the conditions and exemptions in Chapter III of the DPDP Act and Rule 5(6) of the SPDI Rules, you have the following rights in relation to your personal data:

  • Right to access — you can view the personal data we hold about you and a summary of processing activities.
  • Right to correction and erasure — you can ask us to correct inaccurate data or to erase data that is no longer needed.
  • Right to withdraw consent — you can withdraw any consent you have given at any time.
  • Right to grievance redressal — you can raise a complaint with our Grievance Officer and, if unsatisfied, escalate to the Data Protection Board of India.
  • Right to nominate — you can nominate another individual who will exercise these rights on your behalf in the event of your death or incapacity.

You can exercise most of these rights directly from Profile → Privacy & Security or by writing to our Grievance Officer. We will respond within the timelines prescribed by law.

11. Security safeguards

We implement "reasonable security practices and procedures" as required by Section 43A of the IT Act and Rule 8 of the SPDI Rules. In plain terms, this is what that means in MediSero today:

  • Encryption in transit — all traffic between the App and our servers uses TLS 1.2 or higher (targeting TLS 1.3). No request or response travels in plain text.
  • Encryption at rest — sensitive medical fields (such as SOAP notes, prescriptions, lab report contents and diagnoses) are encrypted in our database using AES-256-GCM with a unique 96-bit nonce per record, before they are written. A stolen database backup yields unreadable ciphertext.
  • Hardware-backed credential storage — authentication tokens and session data are held on your device in the iOS Keychain or Android Keystore, which is backed by the Secure Enclave / StrongBox on supported devices.
  • Least-privilege access — only a small number of authorised MediSero engineers can access production systems, and all access to health data is logged and audited. We do not permit browsing of user records outside of specific support or incident response tasks that you initiate.
  • Purpose-limited use — we access the contents of your records only to deliver features you have explicitly asked for, such as generating a Clio AI summary of your recording, sharing a prescription with a pharmacy, or preparing a backup you have requested.
  • No advertising, no data sales — we do not sell, rent or license your data to any third party, and we do not use it to target you with advertising.
  • Operational security — penetration testing, vulnerability scanning, dependency monitoring and an incident response plan aligned with CERT-In reporting timelines.

Honesty about encryption. Today, encryption keys used for at-rest encryption are held by MediSero servers so that features like Clio AI analysis, visit sharing with your doctor and lab-report parsing can work. This is encryption at rest and in transit — it is NOT the same as "true end-to-end encryption", where only your device holds the key. We are working on a true end-to-end encrypted mode for MediSero, and when we ship it we will update this Policy, notify you in the App, and let you opt in.

No system is perfectly secure. If you suspect that your account has been compromised, please contact our Grievance Officer immediately so we can take remedial action and, where required, notify the Indian Computer Emergency Response Team (CERT-In).

12. Children

The App is intended for use by individuals 18 years of age or older. For children below 18, processing may be carried out only with the verifiable consent of a parent or lawful guardian, as required by Section 9 of the DPDP Act. We do not engage in tracking, behavioural monitoring or targeted advertising directed at children.

13. Cookies and analytics

The App uses a minimal set of device-level identifiers for authentication, crash analytics and performance monitoring. We do not use advertising cookies or sell data to advertising networks. Analytics data is pseudonymised wherever possible.

14. Grievance Officer

In accordance with Rule 5(9) of the SPDI Rules and Rule 3(2) of the IT Rules 2021, you can contact our Grievance Officer with any question, complaint or request relating to this Policy:

  • Name: [To be appointed] — Grievance Officer, MediSero Technologies Private Limited
  • Email: support@medisero.in
  • Postal address: MediSero Technologies Private Limited, [Registered office address], India
  • Hours: Monday to Friday, 10:00–18:00 IST (excluding public holidays)

We will acknowledge your complaint within 24 hours and resolve it within 15 days of receipt, consistent with the IT Rules 2021. If you are not satisfied with our response, you may approach the Data Protection Board of India once it becomes operational under the DPDP Act.

15. Changes to this Policy

We may update this Policy from time to time to reflect changes in law, technology or our business. We will notify you of material changes through the App, and, where required by law, seek fresh consent. The "Effective" date at the top of this Policy reflects the current version.

16. Governing law and jurisdiction

This Policy is governed by the laws of India. Subject to Section 24 below in our Terms & Conditions, the courts at , Karnataka shall have exclusive jurisdiction over any disputes arising out of or relating to this Policy.