Privacy Policy

What We Collect

Depending on how you use our services, we may collect:

• Your name, phone number, email address, and delivery address
• Prescriptions, medical records, and health details you share when placing orders
• Payment information when you make a purchase
• Device and usage data — browser type, pages visited, time on site — when you use our website or app
• Messages you send us through WhatsApp, SMS, email, or our support channels

We only ask for what we actually need. We don't collect data for the sake of it.

How We Use It

Your information is used to:

• Process and deliver your medication orders and service bookings
• Send you order updates, refill reminders, and appointment confirmations
• Respond to your support queries and resolve complaints
• Improve how our platform works and make it more useful for you
• Send marketing messages about our services — but only with your consent, and you can opt out any time

We don't use your health data to show you ads, and we never will.

Who We Share It With

We share your information only when it's necessary to deliver a service to you, or when the law requires it. That includes:

• Pharmacy partners, diagnostic labs, and nursing partners who fulfil your orders
• Logistics providers who handle delivery
• Technology vendors who help us run the platform — such as Google Analytics for website usage insights, WhatsApp Business API for messaging, and cloud infrastructure providers for hosting. These vendors are bound by data processing agreements and cannot use your data for their own purposes
• Law enforcement or regulatory authorities when we're legally required to

We do not sell your personal information. Full stop.

Your Prescriptions

Prescriptions are about as personal as it gets, and we treat them that way:

• Only the licensed pharmacist fulfilling your order can access your prescription — nobody else in the company can see it by default
• Prescription images are stored encrypted and are never fed into any marketing or analytics system
• We don't look at your prescriptions to figure out what ads to show you
• We retain prescription records for a minimum of 2 years from the date of dispensing, as required under the Drugs and Cosmetics Act, 1940 and Rules, 1945

WhatsApp and SMS

We use WhatsApp and SMS to keep you updated on your orders, upcoming nurse visits, test results, and refill reminders. By giving us your phone number, you're okay with receiving these messages.

• To stop WhatsApp messages, send "STOP" to our WhatsApp number or email privacy@evirishealth.com
• To opt out of SMS, reply "STOP" to any message, or register on the national DND registry via the TRAI DND app or by calling 1909
• Opting out of marketing messages won't affect order confirmations and other transactional updates you need

Messages you send us on WhatsApp are also subject to WhatsApp's own privacy policy, so it's worth reviewing that too.

How We Keep Your Data Safe

We take security seriously. The measures we have in place include:

• All data in transit is encrypted using TLS 1.2 or higher
• Health records and sensitive personal data are encrypted at rest
• Access to patient data is restricted — only staff who genuinely need it can see it
• We run regular internal security audits and reviews
• Prescription storage and handling complies with the Drugs and Cosmetics Act, 1940, the Drugs and Cosmetics Rules, 1945, and CDSCO guidelines for digital prescription management

That said, no system is completely immune. We keep improving our security and are working toward alignment with ISO/IEC 27001 information security standards. If you ever notice anything unusual with your account, please contact us straight away.

If Something Goes Wrong

If we ever experience a data breach that could affect your personal information, here's what we'll do:

• We'll report it to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of becoming aware — as required under the CERT-In Directions, 2022
• We'll notify you if your personal or health data was compromised, without unnecessary delay and in line with the Digital Personal Data Protection Act, 2023
• We'll tell you what happened, what data was affected, what it could mean for you, and what we're doing about it
• Every incident is logged and reviewed internally, regardless of how minor it seems

If you think your data with us has been compromised, please email privacy@evirishealth.com straight away and we'll investigate.

How Long We Keep Your Data

We don't hold onto your data longer than we need to:

• Support messages and contact records — up to 24 months
• Order, account, and transaction records — up to 8 years, as required for legal, tax, and audit purposes
• Health and prescription records — as long as applicable law and clinical guidelines require

When we no longer need your data, we delete it, anonymise it, or archive it securely.

Cookies

Our website uses cookies to work properly and to help us understand how people use it. We use:

• Essential cookies that the site needs to function
• Analytics cookies that show us traffic patterns and usage — nothing personally identifiable
• Preference cookies that remember your settings between visits

You can turn cookies off in your browser settings, though some parts of the site may not work as well if you do.

Links to Other Sites

Our platform may link to third-party websites — payment gateways, WhatsApp, partner portals. Once you leave our site, this policy no longer applies. We'd recommend checking the privacy policies of any external sites you visit through us.

Children Under 18

Our services aren't intended for use by children without a parent or guardian involved. If we find that we've collected personal data from a minor without proper authorisation, we'll delete it promptly.

Data Outside India

Some of our technology vendors — such as cloud hosting providers — may process or store data outside India. When this happens, we ensure appropriate contractual safeguards are in place to protect your data to the same standard we apply here.

Why We're Allowed to Process Your Health Data

We process your personal and health data only when we have a valid legal reason — primarily because you've given us consent, or because it's necessary to deliver the service you've asked for, or because we're legally required to.

If we're relying on your consent, you can withdraw it at any time by writing to us. Withdrawing consent won't undo anything already done, but it may mean we can no longer provide certain services that depend on that data.

Your Rights

Under the Digital Personal Data Protection Act, 2023, you have the following rights over your data:

• Access (Section 11): Ask us what personal data we hold about you and why we have it
• Correction and Erasure (Section 12): Ask us to fix incorrect data, or delete data we no longer have a reason to keep — subject to any legal retention requirements
• Withdraw Consent (Section 6): Pull back your consent at any time; it won't affect what we've already done, but it applies going forward
• Grievance Redressal (Section 13): Raise a complaint with our Grievance Officer (details below), and escalate to the Data Protection Board of India if you're not satisfied with our response
• Nomination (Section 14): Nominate someone to exercise your data rights on your behalf if you pass away or become incapacitated

To use any of these rights, just email us at privacy@evirishealth.com.

What You Can Control

You can update or delete your personal information through your account settings at any time. You can also opt out of marketing messages — email, SMS, or WhatsApp — whenever you want. Choosing not to share certain information is always an option, though it may limit some features.

When This Policy Changes

We'll update this page when the policy changes and revise the date at the top. For significant changes, we'll also send you a notification by email or through the app.

Governing Law

This policy is governed by Indian law, including the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000. Any disputes relating to this policy fall under the jurisdiction of the courts in Hyderabad, Telangana.

Grievance Officer

If you have a concern about how we've handled your data, the best place to start is our Grievance Officer. Reach out and we'll acknowledge your complaint within 72 hours and resolve it within 30 days, in line with Rule 5(9) of the IT (SPDI) Rules, 2011. If you're still not satisfied, you can escalate to the Data Protection Board of India once it's constituted under the DPDPA 2023.