Privacy Policy

Last updated: November 16, 2025

Policy Version: 2.0 (GDPR Compliant)

1. Introduction

MedsHood Pharmacy Private Limited ("MedsHood," "we," "us," or "our") is committed to protecting your privacy and complying with applicable data protection laws, including:

  • EU General Data Protection Regulation (GDPR) for EU/EEA customers
  • UK GDPR for UK customers
  • Digital Personal Data Protection Act (DPDP), 2023 for Indian customers
  • HIPAA principles for health data protection

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal and health information when you use our online pharmacy and healthcare services.

2. Data Controller Information

Data Controller: MedsHood Pharmacy Private Limited

Registered Office: [Insert Address], India

Company Registration: [Insert CIN]

Email: privacy@medshood.com

Phone: +91 1800 123 456

Data Protection Officer (DPO): dpo@medshood.com

For EU/UK residents: You have the right to contact your local supervisory authority with any concerns about how we process your data.

3. Information We Collect

3.1 Personal Information

  • Identity Data: Full name, date of birth, gender, government ID (for age verification)
  • Contact Data: Email address, phone number, billing/delivery address
  • Financial Data: Payment card details (tokenized), billing information
  • Account Data: Username, password (hashed), account preferences
  • Marketing Data: Communication preferences, marketing consent status

3.2 Special Category Data (Health Information)

⚠️ Sensitive Data - Enhanced Protection

The following health data is classified as "special category data" under GDPR Article 9 and receives enhanced protection:

  • Prescription Records: Medication names, dosages, prescribing physician, prescription images
  • Medical History: Current and past medical conditions, allergies, drug interactions
  • Treatment Information: Current medications, treatment plans, medication adherence
  • Health Metrics: Weight, blood pressure, lab results (if provided)

3.3 Technical Data

  • IP address, browser type, device information
  • Cookies and similar tracking technologies (see Cookie Policy below)
  • Usage data: pages visited, time spent, click patterns
  • Location data (general city/region only, not precise GPS)

3.4 Data We Do NOT Collect

  • Precise geolocation (GPS coordinates)
  • Biometric data (fingerprints, facial recognition)
  • Genetic/DNA information
  • Social media content (unless you choose to connect accounts)

5. How We Use Your Information

5.1 Primary Purposes

  • Order Fulfillment: Process prescriptions, verify eligibility, dispense medications
  • Delivery: Arrange secure delivery of medications to your address
  • Payment Processing: Process transactions and prevent fraud
  • Customer Support: Respond to inquiries, resolve issues, provide assistance
  • Regulatory Compliance: Maintain records as required by pharmaceutical regulations
  • Safety Monitoring: Track adverse drug reactions, drug interactions

5.2 Secondary Purposes (with consent or legitimate interest)

  • Service Improvement: Analyze aggregated, anonymized data to improve services
  • Marketing: Send promotional emails about new products/services (opt-in only)
  • Personalization: Customize website content based on your preferences
  • Research: Conduct anonymized health research (with explicit consent)

5.3 Automated Decision-Making

We do NOT use fully automated decision-making or profiling that produces legal effects or similarly significant effects on you.

All prescription approvals are reviewed by licensed pharmacists. You have the right to request human intervention if you believe an automated system has been used incorrectly.

6. Information Sharing and Third-Party Processors

We do NOT sell your personal or health information to third parties.

We share your information only with trusted processors under strict data protection agreements (DPAs):

6.1 Service Providers (Data Processors)

  • Cloud Hosting: Supabase (database), Vercel (web hosting) - See DPAs
  • Payment Processing: Razorpay, Stripe (PCI-DSS compliant, tokenization)
  • Delivery Partners: Licensed courier services (receive only delivery address + order ID)
  • Email Service: Transactional email provider (for order confirmations, receipts)
  • Analytics: Google Analytics (anonymized IP, cookie consent required)

6.2 Healthcare Providers

  • Licensed pharmacists (to verify prescriptions and dispense medications)
  • Prescribing physicians (to verify prescription authenticity if needed)

6.3 Legal Disclosures

We may disclose your information when legally required:

  • Court orders, subpoenas, or legal processes
  • Regulatory authorities (e.g., drug safety monitoring, inspections)
  • Law enforcement (with valid legal basis)
  • To protect the rights, property, or safety of MedsHood, our customers, or the public

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you via email and prominent website notice 30 days before any such transfer.

7. International Data Transfers (GDPR Chapter V)

Your data is primarily stored in India. For EU/UK customers, some data may be transferred to processors outside the EU/EEA/UK. We ensure adequate protection through:

  • EU Standard Contractual Clauses (SCCs): Approved by the European Commission
  • UK International Data Transfer Agreement (IDTA): For UK transfers
  • Adequacy Decisions: Transfers only to countries with adequate data protection
  • Additional Safeguards: Encryption, access controls, regular audits

You can request a copy of the safeguards in place by contacting dpo@medshood.com.

8. Data Retention (GDPR Article 5)

We retain your data only as long as necessary for the purposes collected and to comply with legal obligations:

Data Type            | Retention Period                           | Legal Basis
Prescription Records | 7 years                                    | Pharmaceutical regulations
Order History        | 5 years                                    | Tax compliance
Account Information  | 30 days after account deletion request     | Grace period for cancellation
Marketing Consent    | Until withdrawn                            | Consent-based processing
Cookie Consent       | 12 months                                  | ePrivacy Directive
Audit Logs           | 7 years                                    | HIPAA compliance

After retention periods expire, data is either securely deleted or anonymized for statistical purposes.

9. Data Security (GDPR Article 32)

We implement state-of-the-art technical and organizational measures to protect your data:

9.1 Technical Measures

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Controls: Role-based access (RBAC), least privilege principle
  • Authentication: Multi-factor authentication (MFA) for staff
  • Database Security: Row-Level Security (RLS) policies in Supabase
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Monitoring: 24/7 security monitoring, automated threat detection
  • Backups: Daily encrypted backups with 30-day retention

9.2 Organizational Measures

  • Staff training on data protection and GDPR compliance
  • Confidentiality agreements for all employees
  • Regular security audits and penetration testing
  • Incident response plan with 72-hour breach notification
  • Data Protection Impact Assessments (DPIAs) for high-risk processing

⚠️ Data Breach Notification

In the unlikely event of a data breach, we will notify affected individuals and supervisory authorities within 72 hours, as required by GDPR Articles 33 and 34.

10. Your Data Protection Rights

Under GDPR, UK GDPR, and DPDP Act 2023, you have the following rights:

1. Right to Access (Article 15)

Request a copy of all personal data we hold about you in machine-readable format (JSON).

→ Export Your Data

2. Right to Rectification (Article 16)

Request correction of inaccurate or incomplete data.

→ Request Correction

3. Right to Erasure / "Right to be Forgotten" (Article 17)

Request deletion of your data (subject to legal retention requirements). 30-day grace period applies.

→ Delete Your Account

4. Right to Restriction of Processing (Article 18)

Request temporary suspension of data processing in certain circumstances.

→ Request Restriction

5. Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format and transfer it to another service.

→ Export Your Data (JSON)

6. Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing purposes.

→ Manage Preferences

7. Right to Withdraw Consent (Article 7)

Withdraw consent for marketing, analytics, or other consent-based processing at any time.

→ Manage Cookie Consent

8. Right to Lodge a Complaint (Article 77)

Lodge a complaint with your local supervisory authority if you believe we've violated your rights.

→ Find Your Supervisory Authority (EU)
→ UK Information Commissioner's Office

How to Exercise Your Rights

  1. Visit your Privacy Settings Dashboard for self-service options
  2. Email our Data Protection Officer: dpo@medshood.com
  3. We will respond within 30 days (extendable to 60 days for complex requests)
  4. We may request identity verification to prevent unauthorized access
  5. All requests are free of charge (unless manifestly unfounded or excessive)

11. Cookie Policy (ePrivacy Directive)

We use cookies and similar technologies to improve your experience. You can control your cookie preferences at any time.

11.1 Cookie Categories

✅ Necessary Cookies (Always Active)

Essential for website functionality. Cannot be disabled.

Examples: Session management, authentication, shopping cart, security

📊 Analytics Cookies (Opt-In Required)

Help us understand how visitors use our website (anonymized data).

Provider: Google Analytics (IP anonymization enabled)

🎯 Marketing Cookies (Opt-In Required)

Track your activity across websites to deliver personalized ads.

Providers: Google Ads, Facebook Pixel (if you consent)

⚙️ Preference Cookies (Opt-In Required)

Remember your settings and preferences (language, region, theme).

11.2 Manage Your Cookie Preferences

You can manage your cookie preferences through:

  • Our cookie consent banner (appears on first visit)
  • Privacy Settings Dashboard (under "Cookies" tab)
  • Your browser settings (will disable all cookies, including necessary ones)

Note: Disabling necessary cookies may prevent the website from functioning correctly.

11.3 Cookie Retention

Your cookie consent is stored for 12 months. After this period, we will ask for your consent again.

12. Children's Privacy

Our services are NOT intended for individuals under 18 years of age.

We do not knowingly collect personal data from children. If you are a parent/guardian and believe your child has provided us with personal data, please contact us immediately at privacy@medshood.com, and we will delete it within 72 hours.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

  • Minor Changes: We will update the "Last Updated" date at the top of this page
  • Material Changes: We will notify you via email (30 days' notice) and a prominent website banner
  • Version History: Previous versions are available upon request to dpo@medshood.com

Continued use of our services after changes indicates acceptance of the updated policy.

14. Contact Us

For questions, concerns, or to exercise your data protection rights, contact us:

MedsHood Pharmacy - Privacy Team

General Privacy Inquiries:

📧 privacy@medshood.com

📞 +91 1800 123 456

Data Protection Officer (DPO):

📧 dpo@medshood.com

📞 +91 1800 123 457

Mailing Address:

MedsHood Pharmacy Private Limited
[Insert Complete Address]
City, State, PIN Code
India

Response Times:

  • ✅ General inquiries: 5 business days
  • ✅ Data subject access requests: 30 days (extendable to 60 days)
  • ✅ Urgent security concerns: 24 hours

15. Supervisory Authorities

You have the right to lodge a complaint with your local data protection authority:

🇪🇺 EU/EEA Residents

Find your local Data Protection Authority:

→ European Data Protection Board - Member List

🇬🇧 UK Residents

Information Commissioner's Office (ICO)

📧 casework@ico.org.uk

📞 0303 123 1113

→ File a Complaint

🇮🇳 Indian Residents

Data Protection Board of India (DPDP Act 2023)

Note: The Data Protection Board is being established. In the interim, contact us directly.
