Privacy Policy

Version 1.1 • Effective Date: 25 April 2026 • Jurisdiction: Amaravathi, Andhra Pradesh, India

IMPORTANT: This Privacy Policy governs the collection, use, and protection of your personal data — including sensitive health information — by Medivera. Please read this document carefully before using the Platform. By using Medivera, you acknowledge that you have read, understood, and agreed to the practices described herein.

1. Definitions and Interpretation

In this Privacy Policy, unless the context otherwise requires, the following terms shall have the meanings set out below:

"Data Fiduciary"

An entity that, alone or in conjunction with others, determines the purposes and means of processing personal data. Medivera is the Data Fiduciary in respect of personal data collected through the Platform, as defined under the Digital Personal Data Protection Act, 2023 ("DPDP Act").

"Data Principal"

The individual to whom the personal data relates — i.e., the Patient or User of the Platform.

"Sensitive Personal Data" / "Health Data"

Medical history, diagnoses, prescriptions, consultation notes, blood group, medications, allergies, uploaded medical records, and all other health-related information, as classified under the DPDP Act 2023.

"Data Processor"

A third party that processes personal data on behalf of and under the instruction of Medivera, including Supabase, Daily.co, PostHog, and payment processors.

"Personal Data Breach"

Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed by Medivera or its Data Processors.

"Telemedicine Guidelines"

The Telemedicine Practice Guidelines, 2020, issued by the Board of Governors in supersession of the Medical Council of India, as amended from time to time.

"Platform"

The Medivera mobile application, web application, and website accessible at www.medivera.in, and all associated services and digital infrastructure.

"Minor"

A person below eighteen (18) years of age.

"Applicable Law"

All statutes, regulations, guidelines, and notifications applicable to Medivera's operations in India, including the DPDP Act 2023, the Information Technology Act, 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Telemedicine Practice Guidelines, 2020.

Any reference to the singular includes the plural and vice versa. Headings are for convenience only and do not affect interpretation.

2. About Medivera and This Policy

2.1   Medivera is a technology intermediary platform for telemedicine services, operated from Amaravathi, Andhra Pradesh, India (website: www.medivera.in). Medivera is not a medical service provider and does not employ Doctors on the Platform.

2.2   Medivera is an "intermediary" under the Information Technology Act, 2000 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and acts as a "Data Fiduciary" under the Digital Personal Data Protection Act, 2023 in respect of personal data collected through the Platform.

2.3   This Privacy Policy applies to all personal data collected through the Platform — including the mobile application, web application at www.medivera.in, and all associated services.

2.4   This Privacy Policy must be read alongside the Terms & Conditions. Together, they form the entire agreement governing your use of the Platform.

2.5   Medivera's data practices are governed by: the DPDP Act 2023; the Information Technology Act, 2000; the IT (Intermediary Guidelines) Rules, 2021; and the Telemedicine Practice Guidelines, 2020.

3. Personal Data We Collect

3.1 Identity and Account Data

  • Full name, email address, mobile number, date of birth, gender, and profile photograph.
  • Authentication credentials — stored in hashed form only; plain-text passwords are never retained.
  • Google-verified name and email address if you choose to sign in via Google OAuth.

3.2 Health and Medical Data (Sensitive Personal Data)

  • Chief complaint, symptoms, and medical history as entered during registration or pre-consultation questionnaires.
  • Existing diagnoses, current medications, allergies, and blood group.
  • Consultation notes, clinical summaries, and electronic prescriptions generated by the attending Doctor.
  • Uploaded medical records, laboratory reports, and diagnostic images.

Note: Health data is classified as Sensitive Personal Data under the DPDP Act 2023. It is processed with the highest standard of care and only for the purposes explicitly described in this Policy, on the basis of your explicit informed consent.

3.3 Consultation and Communication Data

  • Video and audio session metadata (session identifiers, timestamps, duration) processed via the Daily.co infrastructure.
  • Medivera does not record video or audio consultations. Session streams are processed by Daily.co in real time only and are not retained by Medivera.
  • In-platform text messages or chat exchanged during a consultation.
  • Appointment history and booking records.

3.4 Consent and Audit Records

  • Timestamp, IP address, device identifier, and the version of this Policy in force at the moment consent is granted or withdrawn.
  • These records are retained as part of our regulatory audit trail — see Section 7 for retention periods.

3.5 Technical and Usage Data

  • IP address, browser type and version, operating system, device type and identifiers.
  • Pages visited, features used, session duration, and interaction patterns — collected via PostHog analytics in pseudonymized form where possible.
  • Cookies and similar tracking technologies — see Section 8 for full details.

3.6 Payment Data

  • Transaction reference numbers, consultation fee amount, and payment status.
  • Medivera does not store full card numbers, CVV codes, or bank account details. All payment card data is handled exclusively by PCI-DSS compliant third-party payment processors.

3.7 What We Do Not Collect

  • Medivera does not collect Aadhaar numbers, PAN cards, or government-issued identity documents from Patients.
  • Medivera does not access your device's contacts, camera, or microphone except during an active video consultation session and only with your knowledge.
  • Medivera does not collect biometric data.

4. How We Collect Personal Data

Medivera collects personal data through the following means:

  • Directly from you: Registration forms, pre-consultation questionnaires, appointment bookings, profile settings, uploaded documents, and communications with our support team.
  • Automatically: Via cookies, analytics SDKs (PostHog), and server logs when you access or interact with the Platform — see Section 8.
  • From third parties: Google LLC provides your name and email address when you choose to sign in with Google OAuth. Daily.co provides session metadata for consultations conducted on its infrastructure.
  • From Doctors: Consultation notes and electronic prescriptions entered by the attending Doctor following your session are associated with your health record on the Platform.

5. Purposes and Legal Basis for Processing

Medivera processes your personal data only for specified, explicit, and lawful purposes. The list below sets out each purpose and the legal basis under the DPDP Act 2023:

  • Creating and managing your account — Legal basis: Consent provided at signup.
  • Facilitating teleconsultations and sharing your health profile with the attending Doctor — Legal basis: Explicit consent provided at each booking, and Contractual Necessity.
  • Generating and storing electronic prescriptions — Legal basis: Consent and Legal Obligation (Telemedicine Guidelines 2020).
  • Processing appointment bookings and payments — Legal basis: Contractual Necessity.
  • Sending appointment reminders and transactional notifications — Legal basis: Contractual Necessity.
  • Product analytics to improve the Platform — Legal basis: Legitimate Interests (pseudonymized data only; no health data used).
  • Compliance with Applicable Law and regulatory obligations — Legal basis: Legal Obligation.
  • Responding to data rights requests and grievances — Legal basis: Legal Obligation under the DPDP Act 2023 and IT Rules 2021.
  • Marketing and promotional communications — Legal basis: Opt-in Consent only — see Section 12.

Sensitive Personal Data: Under the DPDP Act 2023, Medivera processes your health data only on the basis of your explicit, informed, and specific consent. You may withdraw consent at any time — see Section 11 for your rights and Section 16 for how consent is managed.

6. How We Share Your Personal Data

6.1 With the Attending Doctor

Your health data, identity data, and pre-consultation information are shared with the specific Doctor you book a consultation with, strictly for the purpose of that consultation. Doctors are independent Registered Medical Practitioners, not Medivera employees. They are bound by medical confidentiality obligations and contractual data protection requirements. Following the consultation, the Doctor's notes and any prescription issued are stored in your Medivera health record.

6.2 With Data Processors (Third-Party Service Providers)

Medivera uses the following Data Processors who may process your data on our behalf and under our instruction:

Supabase — Cloud database and authentication services. Stores all personal data and health records under a Data Processing Agreement. Implements industry-standard security measures.
Daily.co — Real-time video infrastructure for teleconsultations. Processes audio/video streams during the live session only. Does not retain recordings. No health data is stored by Daily.co.
PostHog — Product analytics. Receives pseudonymized usage data only. Health data and personally identifiable health information are never sent to PostHog.
Google LLC (OAuth) — Authentication service when you sign in with Google. Medivera receives only your Google-verified name and email. No health data is shared with Google.
Payment Processors — PCI-DSS compliant third-party payment gateways. Receive only transaction amounts and booking references. No health data is shared with payment processors.

Each Data Processor is subject to a Data Processing Agreement requiring equivalent technical and organisational security measures and prohibiting processing beyond Medivera's instructions.

6.3 Disclosure Required by Law

Medivera may disclose personal data in response to a valid court order, government directive, or regulatory request from competent Indian authorities under the IT Act 2000 or other Applicable Law. Where permitted by law, Medivera will endeavour to notify you before complying with such a request.

6.4 Business Transfers

In the event of a merger, acquisition, corporate restructuring, or sale of substantially all of Medivera's assets, your personal data may be transferred to the successor entity, subject to equivalent data protection obligations. You will be notified of any such transfer in advance.

6.5 What We Do Not Do

  • Medivera does not sell your personal data to advertisers, data brokers, or any third party for commercial gain.
  • Medivera does not share your health data with insurance companies, employers, pharmaceutical companies, or government health databases without your explicit consent or a lawful court or regulatory order.
  • Medivera does not use your health data for targeted advertising or behavioural profiling.

7. Data Retention

Medivera retains your personal data for the periods set out below, after which data is securely deleted or irreversibly anonymized:

  • Medical records, consultation notes, and prescriptions: Minimum 3 years from the date of consultation, as required by the Telemedicine Practice Guidelines, 2020 and Indian medical record-keeping norms.
  • Account and identity data (active account): Duration of your active account plus 30 days following a deletion request.
  • Account data (post-deletion anonymized audit trail): Up to 3 years, as required under the Information Technology Act, 2000.
  • Consent and audit logs: 7 years, for regulatory compliance and audit trail purposes under the DPDP Act 2023.
  • Payment transaction records: 5 years, in accordance with financial record-keeping requirements under Applicable Law.
  • Analytics data (PostHog — pseudonymized): Up to 2 years.
  • Video session metadata (Daily.co): 90 days, for operational support and dispute resolution purposes.
  • Data breach investigation records: 5 years, for DPDP Act 2023 reporting obligations.

Anonymized data (from which all identifying information has been irreversibly removed) is no longer personal data and may be retained for research or product improvement without a defined time limit.

8. Cookies and Tracking Technologies

Medivera uses the following types of cookies and tracking technologies on the Platform:

  • Strictly Necessary Cookies (Session Cookies): Required for authentication, maintaining your login session, and core Platform functionality. These cannot be disabled without breaking the Platform.
  • Analytics Cookies (PostHog SDK): Used to collect pseudonymized usage data — pages visited, feature interactions, session duration — to help improve the Platform. No health data is transmitted via analytics cookies. These can be opted out via Profile > Privacy Settings.

Medivera does not use:

  • Third-party advertising or retargeting cookies.
  • Cross-site tracking pixels.
  • Browser fingerprinting technologies.

Health data and Sensitive Personal Data are never stored in cookies or similar client-side storage.

You may delete or block cookies through your browser settings; note this may affect Platform functionality. Medivera's cookie practices are consistent with the IT Act 2000 and evolving guidance under the DPDP Rules.

9. Cross-Border Data Transfers

9.1   Medivera is an Indian entity. However, certain Data Processors used by Medivera (including Supabase, Daily.co, PostHog, and Google LLC) are headquartered in or operate infrastructure in the United States and other countries outside India.

9.2   Under the DPDP Act 2023, the Central Government is empowered to notify "Restricted Countries" to which personal data transfers are prohibited. Until any such notification is issued and any such processor country is included on the Restricted List, transfers to those countries are permissible under the Act.

9.3   Medivera has entered into Data Processing Agreements with all international Data Processors, requiring them to: (a) process personal data only on Medivera's documented instructions; (b) implement technical and organisational security measures equivalent to those required under Indian law; (c) not engage sub-processors without Medivera's prior authorisation; and (d) assist Medivera in fulfilling Data Principal rights requests.

9.4   Health data is not transferred internationally except as strictly necessary for real-time service delivery (e.g., video infrastructure during a live teleconsultation via Daily.co).

Note: Medivera actively monitors notifications from the Data Protection Board of India regarding Restricted Countries. This Policy will be updated if any processor country is designated as restricted under the DPDP Act 2023.

10. Data Security

10.1 Technical Measures

  • Encryption at rest: AES-256 for all stored personal data including health records.
  • Encryption in transit: TLS 1.3 (minimum TLS 1.2) for all data transmitted between the Platform, users, and processors.
  • Authentication: OTP-based verification for all consultation bookings; multi-factor authentication available for account access.
  • Database security: Supabase Row Level Security (RLS) policies ensure each User can access only their own data.
  • Video security: Daily.co end-to-end encrypted sessions where technically supported by the platform and device.

10.2 Organisational Measures

  • Principle of least privilege: Only Medivera personnel with a documented operational need are permitted access to production personal data.
  • No Medivera employee has routine or unrestricted access to Patient health data or consultation notes.
  • Regular security assessments, penetration testing, and vulnerability scanning.
  • Staff training on data protection obligations under the DPDP Act 2023 and Applicable Law.

10.3 Limitations

No method of electronic transmission or storage is one hundred percent secure. While Medivera implements commercially reasonable security measures, it cannot guarantee the absolute security of your personal data. You are responsible for maintaining the confidentiality of your account credentials and for notifying Medivera immediately of any suspected unauthorised access at support@medivera.in.

11. Your Rights as a Data Principal

Under the DPDP Act 2023, you have the following rights in respect of your personal data held by Medivera:

11.1 Right to Access

Request a summary of personal data held by Medivera and information about how it has been processed. Medivera will respond within 30 days of a verified request.

11.2 Right to Correction and Erasure

Correct inaccurate or outdated personal data via your Profile settings, or by written request to privacy@medivera.in. Request the deletion of your personal data; note that health records and prescriptions may be retained for the minimum statutory periods even after deletion of other account data.

11.3 Right to Data Portability

Download your consultation history, prescriptions, and health records in a machine-readable format (PDF or JSON) via the Profile page on the Platform.

11.4 Right to Withdraw Consent

Withdraw your consent for any processing at any time via Profile > Privacy Settings or by writing to privacy@medivera.in. Withdrawal does not affect the lawfulness of processing before withdrawal. Withdrawal of consent for core service processing will result in inability to use teleconsultation services on the Platform.

11.5 Right to Grievance Redressal

File a complaint regarding any data processing matter with Medivera's Grievance Officer (Section 19). If you are not satisfied with the response, you may escalate to the Data Protection Board of India once it is constituted under the DPDP Act 2023.

11.6 Right of Nominee

Under the DPDP Act 2023, you may nominate a person to exercise your data rights on your behalf in the event of your death or incapacity. Contact privacy@medivera.in to register a nominee.

11.7 How to Exercise Your Rights

Submit a request via your Profile settings in the app, or in writing to privacy@medivera.in. Medivera will respond within 30 days. For complex requests (e.g., portability involving large health record archives, or erasure requiring legal carve-out analysis), Medivera may extend by a further 30 days with written notice to you.

Note on erasure of health records: Medivera may decline a request to erase prescription records or consultation notes if retention is legally mandated under the Telemedicine Practice Guidelines 2020 or other Applicable Law. In such cases, Medivera will explain the specific legal basis for retention.

12. Marketing Communications

12.1   Transactional communications — appointment confirmations, reminders, prescription delivery notifications, and payment receipts — are sent as a necessary function of the Service and do not require opt-in consent.

12.2   Promotional or marketing communications — new features, health tips, or offers — are sent only if you have explicitly opted in at registration or via Profile > Notifications.

12.3   You may opt out of marketing communications at any time by: (a) clicking the unsubscribe link in any marketing email; (b) toggling off notifications in Profile > Notifications; or (c) writing to privacy@medivera.in.

12.4   Opting out of marketing communications does not affect the transactional communications described in clause 12.1.

12.5   Medivera does not use your health data or Sensitive Personal Data for marketing purposes. Any marketing is based only on general account information (e.g., that you are a registered user).

13. Minor and Dependent Patient Data

13.1   Persons below eighteen (18) years of age (Minors) may not register an independent account on the Platform. A parent or legal guardian must create an account and may manage a Minor's consultations through their own registered account.

13.2   The parent or guardian provides all consent on behalf of the Minor for data collection, processing, and storage. The guardian bears full legal responsibility for the accuracy of information provided about the Minor.

13.3   Health data of Minors is treated with additional care. It is not used for analytics, product improvement, or any purpose beyond direct service delivery, even in pseudonymized form.

13.4   For Minor Patients under the age of sixteen (16) years, the parent or guardian must be physically present with the Minor throughout the teleconsultation, consistent with the Telemedicine Practice Guidelines 2020 and the Terms & Conditions (Section 6.4).

13.5   If Medivera discovers that a Minor has independently registered an account without guardian consent, that account will be suspended immediately and the identified guardian notified.

13.6   Medivera will implement verifiable parental consent mechanisms for Minor data as required by Section 9 of the DPDP Act 2023 and associated Rules, upon their notification by the Central Government.

14. Personal Data Breach Notification

14.1   A Personal Data Breach means any unauthorised access, disclosure, destruction, alteration, or loss of personal data held by or on behalf of Medivera.

14.2   Medivera maintains monitoring systems and incident response procedures to detect and contain security incidents. Upon discovering a suspected breach, Medivera will investigate and initiate containment within 24 hours of internal detection.

14.3   Notification to the Data Protection Board of India: Medivera will notify the Data Protection Board of India of a reportable breach within the timelines prescribed under the DPDP Act 2023 and associated Rules (expected to be within 72 hours of becoming aware of a reportable breach, or as otherwise prescribed).

14.4   Notification to affected Data Principals: Where a breach is likely to result in a high risk to the rights of affected individuals, Medivera will notify all affected Data Principals via email and/or in-app notification as soon as reasonably practicable, and in any event within 72 hours of confirming the breach, unless law enforcement requests a delay.

14.5   A breach notification to Data Principals will include: the nature of the breach; categories of data affected; likely consequences; measures taken or proposed by Medivera; and Grievance Officer contact details.

14.6   Where a breach occurs at a Data Processor (e.g., Supabase), Medivera will be notified under the applicable Data Processing Agreement and will follow the same notification procedure as above.

15. Telemedicine Compliance and Health Data Obligations

15.1   Medivera operates in compliance with the Telemedicine Practice Guidelines, 2020. This includes: maintaining consultation records for the prescribed minimum period; ensuring prescriptions are labelled "Teleconsultation" and contain all required fields; and supporting Doctors in verifying Patient identity at the commencement of each consultation.

15.2   As an intermediary under the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Medivera maintains a designated Grievance Officer, publishes this Privacy Policy, preserves records as required by law, and cooperates with lawful requests from government authorities.

15.3   Under the DPDP Act 2023, Medivera treats health data with enhanced obligations: (a) it is processed only on explicit consent; (b) it is not used for advertising, profiling, or resale; (c) enhanced security measures apply (see Section 10); and (d) Medivera conducts Data Protection Impact Assessments before introducing any new processing activity involving health data.

Medivera's Doctors are individually responsible for compliance with the Telemedicine Practice Guidelines, 2020 in their clinical practice. Medivera's data obligations relate to Platform-level data processing only and do not extend to a Doctor's independent clinical decisions.

16. Consent Management

16.1   Registration consent: At account creation, you provide consent for identity data processing, account management, transactional communications, and pseudonymized analytics. This consent is recorded with a timestamp, device identifier, IP address, and the version of this Policy in force.

16.2   Per-consultation consent: At each booking, you provide explicit, specific consent for: sharing your health profile with the specific Doctor you are booking with; processing of consultation data and prescription records; and storage of the resulting notes and prescription in your Medivera health record.

16.3   Granular controls: Via Profile > Privacy Settings you can: withdraw analytics consent; opt out of marketing communications; download your personal data; and submit an account deletion request.

16.4   Consent records: All consent events (grant and withdrawal) are logged with timestamp, IP address, and the exact version of this Policy active at the time. These records are retained for 7 years as part of the regulatory audit trail.

16.5   Withdrawal of consent: Withdrawal can be effected in-app (Profile > Privacy Settings) or by writing to privacy@medivera.in. Medivera will process the withdrawal within 7 business days.

16.6   Effect of withdrawal: Withdrawing core service consent means Medivera is unable to provide teleconsultation services to you. Health records generated prior to withdrawal will be retained for the statutory minimum period as set out in Section 7.

16.7   No bundled consent: Medivera does not bundle consent for core services with consent for marketing or optional analytics. Consent for each purpose is sought and recorded separately.

17. Changes to This Privacy Policy

17.1   Medivera may update this Privacy Policy from time to time to reflect changes in the Platform, applicable law, or regulatory guidance.

17.2   Material changes — such as new purposes for processing health data, new third-party processors handling health data, or changes to data retention periods — will be notified to you at least fourteen (14) days in advance via in-app notification and email to your registered email address. You may withdraw consent or delete your account before the change takes effect.

17.3   Non-material changes — such as typographic corrections, clarifications that do not alter rights or obligations, updated contact details, or the addition of minor technical service processors — will be reflected by updating the version number and effective date without advance notice.

17.4   The version number and effective date at the top of this Policy always reflect the currently operative version. Previous versions are available on request from privacy@medivera.in.

17.5   Your continued use of the Platform after the effective date of any change constitutes your acceptance of the updated Privacy Policy.

18. Governing Law

18.1   This Privacy Policy is governed by and construed in accordance with the laws of the Republic of India, including the DPDP Act 2023, the Information Technology Act, 2000, the IT (Intermediary Guidelines) Rules, 2021, and the Telemedicine Practice Guidelines, 2020.

18.2   Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts at Amaravathi, Andhra Pradesh, India, consistent with the Terms & Conditions. Please refer to Terms & Conditions (Section 15) for the full dispute resolution and arbitration clause.

19. Grievance Officer and Data Protection Contact

19.1   In accordance with the IT (Intermediary Guidelines) Rules, 2021 and the DPDP Act 2023, Medivera has designated a Grievance Officer to address all data protection complaints and Data Principal rights requests:

Designation: Grievance Officer — Authorised Representative, Medivera
Grievance Email: grievance@medivera.in
Privacy & Data Rights Email: privacy@medivera.in
Website: www.medivera.in
Jurisdiction: Amaravathi, Andhra Pradesh, India
Acknowledgement: Within 48 hours of receipt of complaint.
Resolution: Within 30 days of receipt (as required under the IT Rules 2021). Complex data rights requests (portability or erasure with legal carve-outs) may take up to 60 days with written notice to you.

19.2   All complaints must be submitted in writing by email or through the support portal on the Platform, and must include: your registered email address, a description of the nature of the grievance, and the specific relief sought.

19.3   If you are not satisfied with Medivera's response, you may file a complaint with the Data Protection Board of India, to be constituted under the DPDP Act 2023.

For general account support (not privacy or data rights matters), contact support@medivera.in. For formal legal notices, contact legal@medivera.in.

20. Contact Information

For any questions, concerns, or feedback relating to this Privacy Policy or the Services, please contact Medivera through any of the following channels:

Platform: www.medivera.in
General Support: support@medivera.in
Privacy & Data Rights: privacy@medivera.in
Grievance: grievance@medivera.in
Legal Notices: legal@medivera.in
Registered Office: Amaravathi, Andhra Pradesh, India

© 2026 Medivera. All Rights Reserved. Governed by the Laws of India.

This Privacy Policy was last reviewed and updated on 25 April 2026.