Your Privacy Matters

Privacy Policy

Last updated: March 11, 2026

1. Overview

RxDesk ("we", "our", or "us") operates a digital healthcare platform that connects patients with doctors and medical shops across India. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the Digital Personal Data Protection Act, 2023 (DPDPA) and other applicable laws. By using our app or website, you consent to the practices described in this policy. If you do not agree, please discontinue use of our services.

2. Data We Collect

Personal Information

  • Full name, phone number, and address
  • Date of birth and gender (for patient profiles)
  • Medical Registration Number (for doctors)
  • Drug License Number (for medical shops)

Medical & Health Data

  • Appointment records including date, time, and doctor details
  • Digital prescriptions issued by doctors
  • Medical history and notes added by your doctor
  • Billing records for consultations and medicines

Financial Data

  • Subscription plan and billing history (shop owners)
  • Payment references from Razorpay (we do not store card/bank details)

Technical Data

  • Device type, operating system, and app version
  • IP address and approximate location (if permitted)
  • Push notification tokens (Firebase FCM) for reminders
  • Session tokens for authentication

3. How We Use Your Data

  • Connecting patients with nearby doctors and medical shops
  • Booking, managing, and sending reminders for appointments
  • Generating and storing digital prescriptions
  • Processing bills and maintaining billing records
  • Verifying identity via OTP (through MSG91)
  • Sending appointment reminders and health alerts via SMS and push notifications
  • Improving platform performance and fixing technical issues
  • Complying with legal and regulatory obligations

4. Data Sharing & Third Parties

We do not sell your personal data. We share data only as follows:

  • Doctors: see only the data of their own patients (appointments, prescriptions)
  • Medical Shops: see only their own billing and inventory records
  • Razorpay: processes subscription payments — governed by Razorpay's Privacy Policy
  • MSG91: delivers OTP and SMS notifications — your phone number is shared for delivery only
  • Firebase (Google): delivers push notifications — governed by Google's Privacy Policy
  • Legal authorities: if required by law, court order, or to protect rights and safety

5. Data Storage & Security

Your data is stored on secure servers located in India. We implement the following safeguards:

  • All data in transit is encrypted using HTTPS/TLS
  • Passwords are securely hashed and never stored in plain text
  • Access tokens (JWT) expire automatically and are rotated on refresh
  • Session management limits the number of simultaneous active sessions per account
  • Database access is restricted to authorised backend services only
  • Prescription QR codes are HMAC-signed to prevent tampering

6. Data Retention

  • Active accounts: data retained for the duration of the account
  • Deleted accounts: personal data purged within 30 days of deletion request
  • Prescription and medical records: may be retained for up to 7 years to comply with medical record-keeping regulations
  • Financial/billing records: retained for 8 years as required by tax laws
  • Anonymised or aggregated analytics data may be retained indefinitely

7. Your Rights (DPDPA 2023)

Under the Digital Personal Data Protection Act, 2023, you have the following rights:

  • Right to Access: request a summary of personal data we hold about you
  • Right to Correction: request correction of inaccurate or incomplete data
  • Right to Erasure: request deletion of your personal data, subject to legal retention requirements
  • Right to Withdraw Consent: withdraw consent for data processing at any time
  • Right to Grievance Redressal: raise a complaint with our Grievance Officer (see Section 10)
  • Right to Nominate: nominate a person to exercise rights on your behalf in case of death or incapacity

To exercise any right, email us at privacy@rxdesk.in. We will respond within 30 days.

8. Children's Privacy

RxDesk is not intended for use by children under 18 years of age without parental or guardian consent. We do not knowingly collect personal data from children under 18 without verifiable parental consent. If you believe a child's data has been collected without consent, please contact us immediately and we will delete such data promptly.

9. Cookies & Local Storage

Our web application uses browser local storage to maintain your login session. We do not use third-party advertising cookies. The mobile app uses device secure storage (Expo SecureStore) for authentication tokens. You can clear this data by logging out or uninstalling the app.

10. Grievance Officer

In accordance with the Digital Personal Data Protection Act, 2023, and the Information Technology Act, 2000, we have appointed a Grievance Officer to address data-related concerns:

Name: Grievance Officer, RxDesk

Email: privacy@rxdesk.in

Phone: +91 98304 50252 (Mon–Sat, 9 AM – 5 PM IST)

Response time: Within 30 days of receiving your complaint

If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India once it is constituted under the DPDPA, 2023.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via the app or email. Continued use of RxDesk after changes are posted constitutes acceptance of the revised policy. The date at the top of this page always reflects when the policy was last updated.
