Privacy Policy

Vedcura (“we,” “us,” or “our”) operates the website vedcura.in and associated services, including online consultations, in-clinic appointments, and medicine delivery. We are an AYUSH-licensed cannabis medicine clinic registered and operating in India.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information and sensitive personal data when you use our website, book consultations, purchase medicines, or otherwise interact with our services.

By using our services, you consent to the practices described in this Privacy Policy.

1. Legal Framework

This Privacy Policy is governed by and compliant with:

• Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules 2011)
• Digital Personal Data Protection Act, 2023 (DPDPA 2023)
• Applicable regulations under the AYUSH framework governing patient data in licensed clinics

Where the DPDPA 2023 rules are notified and come into effect, this policy will be updated to reflect any additional obligations.

2. Information We Collect

2.1 Information You Provide Directly

• Registration Data: Name, email address, phone number, date of birth, gender, and residential address when you create an account.
• Health and Medical Information: Medical history, current medications, symptoms, health conditions, lifestyle details, and other information submitted through consultation forms, intake questionnaires, or during doctor consultations. This constitutes Sensitive Personal Data or Information (SPDI) under the IT Rules 2011.
• Prescription Records: Details of prescriptions issued by our AYUSH-registered practitioners, treatment plans, and follow-up notes.
• Payment Information: Billing address and transaction details processed through our payment partner. We do not store your full card or bank account details on our servers.
• Communication Data: Messages, emails, chat transcripts, and call records when you contact our support team or communicate with practitioners.

2.2 Information Collected Automatically

• Device and Browser Information: IP address, browser type and version, operating system, device identifiers, and screen resolution.
• Usage Data: Pages visited, time spent on pages, click patterns, referral URLs, and navigation paths.
• Location Data: Approximate location based on IP address (we do not collect precise GPS location without explicit consent).

2.3 Information from Third Parties

• Payment Processor (Razorpay): Transaction status, payment confirmation, and refund details.
• Analytics Services: Aggregated usage statistics from tools such as Google Analytics.

3. How We Use Your Information

We use the information collected for the following purposes:

• Providing Medical Services: To facilitate consultations, generate prescriptions, manage treatment plans, and deliver medicines.
• Account Management: To create and maintain your account, verify your identity, and communicate service updates.
• Appointment Scheduling: To book, confirm, reschedule, or cancel appointments.
• Order Fulfillment: To process medicine orders, arrange delivery, and handle returns or refunds.
• Treatment Improvement: To review treatment outcomes, adjust plans, and provide follow-up care.
• Communication: To send appointment reminders, treatment updates, order notifications, and respond to your queries.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes, including AYUSH reporting requirements.
• Safety and Security: To detect and prevent fraud, abuse, and unauthorized access to our systems.
• Analytics and Improvement: To analyze usage patterns and improve our website, services, and user experience. All analytics data is aggregated and de-identified.

We do not use your health data for advertising, profiling for marketing purposes, or sale to third parties.

4. How We Share Your Information

We share your information only in the following circumstances:

• With Our Medical Team: Your health data is shared with Vedcura's AYUSH-registered practitioners, pharmacists, and clinical staff directly involved in your care.
• Payment Processing: Transaction data is shared with Razorpay to process payments securely. Razorpay's privacy policy governs their handling of payment data.
• Delivery Partners: Your name, delivery address, and phone number are shared with logistics partners solely for medicine delivery.
• Legal Requirements: We may disclose information when required by law, court order, or government regulation, or to protect the rights, safety, or property of Vedcura, our patients, or the public.
• With Your Consent: We may share information with third parties when you have provided explicit, informed consent.

We do not sell, rent, or trade your personal or health data to any third party.

5. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to:

• Essential Cookies: Maintain your session, remember login state, and ensure the website functions correctly. These cannot be disabled.
• Analytics Cookies: Understand how visitors use our website to improve content and user experience. These cookies collect aggregated, anonymous data.
• Preference Cookies: Remember your language, region, and display preferences.

You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect core website functionality.

We do not use cookies for behavioral advertising or cross-site tracking.

6. Patient Health Data Handling

Health and medical data is classified as Sensitive Personal Data or Information (SPDI) under the IT Rules 2011. We apply the following safeguards:

• Encryption: All health data is encrypted in transit (TLS 1.2 or higher) and at rest using industry-standard encryption protocols.
• Access Controls: Only authorized medical personnel and essential administrative staff can access patient health records, on a need-to-know basis.
• Audit Trails: Access to patient records is logged and audited regularly.
• Data Minimization: We collect only the health data necessary for diagnosis, treatment, and follow-up care.
• Consent: We obtain your explicit consent before collecting sensitive personal data, as required under the IT Rules 2011 and DPDPA 2023.
• No Automated Decision-Making: Treatment decisions are made by qualified AYUSH practitioners. We do not use automated systems or algorithms to make clinical decisions about your care.

7. Data Retention

We retain your data for the following periods:

After the retention period expires, data is securely deleted or irreversibly anonymized.

8. Your Rights

Under applicable Indian data protection laws, including the DPDPA 2023, you have the following rights:

• Right to Access: Request a summary of the personal data we hold about you.
• Right to Correction: Request correction of inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your personal data, subject to legal retention requirements and ongoing medical obligations.
• Right to Withdraw Consent: Withdraw your consent for data processing at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
• Right to Grievance Redressal: File a complaint with our Data Protection Officer or, if unresolved, with the Data Protection Board of India (once constituted under the DPDPA 2023).
• Right to Nominate: Nominate another individual to exercise your data rights in the event of your death or incapacity, as provided under the DPDPA 2023.

To exercise any of these rights, contact us using the details provided in Section 11 below.

9. Data Security

We implement reasonable security practices and procedures as required under the IT Rules 2011, including:

• Encryption of data in transit and at rest
• Regular security assessments and vulnerability testing
• Employee access controls and confidentiality agreements
• Incident response procedures for data breaches
• Secure data backup and disaster recovery systems

In the event of a data breach that poses a risk to your rights, we will notify affected individuals and the relevant authorities as required by law.

10. Children's Data

Our services are intended for individuals aged 18 years and above. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a minor without verifiable parental or guardian consent, we will take steps to delete that data promptly.

For patients under 18 who require consultation, a parent or legal guardian must create the account and provide consent on the minor's behalf.

11. Contact Us

For any questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:

Data Protection Officer
Vedcura Healthcare
Email: privacy@vedcura.in
Phone: [Contact number to be added]
Address: [Registered office address to be added]

We will respond to your request within 30 days.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. When we make material changes:

• The updated policy will be posted on this page with a revised “Last Updated” date.
• For significant changes affecting how we handle health data, we will notify you via email or an in-app notification.

We encourage you to review this page periodically.

13. Grievance Officer

In accordance with the IT Rules 2011, the details of the Grievance Officer are:

Name: [Grievance Officer name to be added]
Email: grievance@vedcura.in
Phone: [Contact number to be added]

The Grievance Officer will acknowledge your complaint within 24 hours and resolve it within 30 days of receipt.