Privacy Policy

1.1 Who We Are

MedJourney is an AI-powered health platform operated by Tryzent Technologies Private Limited, a company incorporated under the Companies Act, 2013, with registered office at Lajpat Nagar, New Delhi, India.

Contact Email: info@medjourney.ai

Website: medjourney.ai

1.2 Scope of This Policy

This Privacy Policy applies to all personal data collected through:

• MedJourney website (medjourney.ai)
• MedJourney mobile applications (iOS and Android)
• Interactions with our customer support, emails, and communications
• Third-party integrations (when accessing MedJourney through partner platforms)

1.3 Consent and Acceptance

By using MedJourney, you consent to the collection, use, and disclosure of your personal data as described in this Privacy Policy. If you do not agree, please do not use our services.

For users under 18 years: Verifiable parental or guardian consent is required before we collect or process personal data, as mandated by the Digital Personal Data Protection Act, 2023.

1.4 Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified through email, in-app notifications, or website banners at least 30 days before implementation. Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.

To help you understand this policy better:

• Personal Data means any information relating to an identified or identifiable individual, including name, email, phone number, health records, and device identifiers.
• Health Data means medical reports, prescriptions, diagnostic test results, health records, AI health interview responses, and any health-related information. Under DPDP Act 2023, health data is treated as personal data (not separately categorized as sensitive).
• Data Fiduciary means Tryzent Technologies Private Limited, the entity determining the purpose and means of processing personal data.
• Data Processor means third-party service providers (cloud hosts, AI APIs, payment gateways) who process data on our behalf.
• Data Principal means you, the individual whose personal data we process.
• Consent means freely given, specific, informed, and unambiguous agreement to data processing.

3.1 Information You Provide Directly

3.1.1 Account Registration Information

• Full name
• Email address
• Mobile phone number
• Date of birth
• Gender
• Password (encrypted and never stored in plain text)

3.1.2 Health and Medical Information

• Medical reports (lab tests, diagnostic imaging, pathology reports)
• Prescriptions and medication history
• Medical history, symptoms, and health conditions
• Responses to AI-guided health interviews
• Health metrics (blood pressure, glucose levels, weight, etc.)
• Allergies and adverse reactions
• Family medical history (if provided)
• Vaccination records

3.1.3 Profile Information for Family Members

When you create health profiles for family members, we collect similar information as above for each profile. You confirm that you have obtained necessary consent to provide their information, especially for minors under 18 years.

3.1.4 Payment Information

• Billing name and address
• Payment method details (processed by Razorpay - we do not store complete credit card numbers)
• Transaction history and invoices
• GST number (for business accounts)

3.1.5 Communications and Support

• Messages, queries, and feedback sent through contact forms, email, or in-app chat
• Customer support conversations and help tickets
• Survey responses and product feedback

3.1.6 Professional Information (Doctors and Lab Partners)

• Medical Council registration number and state
• Specialization and qualifications
• Clinic/hospital/lab name and address
• Business license and registration documents
• NABL accreditation (for labs)

3.2 Information Collected Automatically

3.2.1 Device and Usage Information

• Device type, model, operating system, and version
• Browser type and version
• IP address and approximate location (city/state level)
• Pages viewed, features used, and time spent on Platform
• Clicks, navigation paths, and interaction patterns
• App performance data (crashes, errors, loading times)

3.2.2 Cookies and Tracking Technologies

• Essential Cookies: Authentication, security, session management (cannot be disabled)
• Functional Cookies: Language preferences, display settings, personalization
• Analytics Cookies: Usage statistics, feature adoption, performance monitoring (Google Analytics)

We use cookies, web beacons, and similar technologies to:

You can manage cookie preferences through browser settings or our cookie consent banner. Disabling non-essential cookies may affect functionality.

3.2.3 Location Information

We collect approximate location (city/state) from IP address for service delivery, language preferences, and finding nearby healthcare providers. We do not collect precise GPS location unless you explicitly grant permission for features like finding nearby labs.

3.3 Information from Third-Party Sources

3.3.1 Healthcare Provider Data

When you authorize doctors or labs to access your profile, they may add clinical notes, prescriptions, or test results to your health records on the Platform.

3.3.2 Third-Party Authentication

If you sign up using Google or other social login, we receive your name, email address, and profile picture from that service. We do not access other information without your permission.

3.3.3 Future Health Data Integrations

In the future, we may integrate with national or regional health data systems (such as Ayushman Bharat Digital Mission/ABHA) to retrieve health records from other healthcare providers. This functionality is not currently available in our MVP. When implemented, all such data retrieval will require your explicit consent and will be clearly communicated to you.

We process your personal data only for specified, legitimate purposes with your consent or as permitted by law.

4.1 Providing Core Platform Services

• Health Record Management: Store, organize, and retrieve your medical reports and health information
• AI-Powered Analysis: Generate plain-language summaries, explanations of medical terminology, health trend visualizations
• Health Tracking: Monitor vital signs, track health metrics over time, identify patterns
• Doctor Consultation Support: Facilitate pre-consultation interviews, generate visit preparation packs, enable telemedicine sessions
• Lab Services: Connect you with diagnostic labs, display Smart Reports, schedule follow-up tests

4.2 Personalization and Improvement

• Customize content, features, and recommendations based on your health profile and usage patterns
• Improve AI models through machine learning on aggregated, de-identified data
• Analyze Platform performance, identify bugs, and enhance user experience
• Conduct research and analytics on health trends (using anonymized data)

4.3 Communication and Engagement

• Send service notifications (appointment reminders, test result availability, medication schedules)
• Provide customer support and respond to inquiries
• Share product updates, new features, and educational health content
• Send promotional offers, surveys, and feedback requests (you can opt out)

4.4 Security and Fraud Prevention

• Verify identity and authenticate users
• Detect, prevent, and investigate fraudulent activities or security threats
• Monitor for unauthorized access or misuse of the Platform
• Maintain audit logs for security and compliance purposes

4.5 Payment Processing

• Process subscription payments and transactions through our payment partner Razorpay
• Generate invoices and maintain financial records for tax compliance
• Prevent payment fraud and chargebacks

4.6 Legal Compliance

• Comply with legal obligations under DPDP Act 2023, IT Act, healthcare regulations
• Respond to legal requests from courts, law enforcement, or regulatory authorities
• Enforce our Terms and Conditions and protect our legal rights
• Resolve disputes and handle grievances

Under the Digital Personal Data Protection Act, 2023, we process your personal data based on:

5.1 Consent

You provide explicit consent when you:

• Create an account and accept this Privacy Policy
• Upload health records and use AI analysis features
• Share information with specific healthcare providers
• Opt in to marketing communications or non-essential cookies

You can withdraw consent at any time through account settings or by contacting info@medjourney.ai. Withdrawal does not affect the lawfulness of processing before withdrawal.

5.2 Legitimate Purposes (Section 7 of DPDP Act)

We may process personal data without explicit consent for:

• Medical Emergencies: Providing or responding to medical emergencies involving life-threatening situations [Section 7(d)]
• Legal Compliance: Complying with court orders, regulatory requirements, or statutory obligations [Section 7(f)]
• Prevention of Fraud: Detecting and preventing fraud, identity theft, or security threats [Section 7(g)]
• Service Delivery: Performing contractual obligations to provide Platform services

We do not sell your personal data to third parties. We share information only in the following circumstances:

6.1 With Healthcare Providers (Your Consent Required)

• Doctors: When you book consultations, share visit preparation packs, or authorize doctors to access your health records
• Labs: When you order diagnostic tests or consent to labs viewing your historical reports for comparative analysis
• Hospitals/Clinics: When you present at healthcare facilities and authorize data sharing through direct Platform integration

Important: You control who sees your health information. All sharing requires your explicit consent, which can be granted or revoked anytime.

6.2 With Service Providers (Data Processors)

We engage trusted third-party service providers who process data on our behalf under strict contractual obligations:

• Cloud Infrastructure: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform for secure data storage and computing
• AI Services: OpenAI, healthcare-specific LLM providers for AI-powered report analysis and summaries
• Payment Processors: Razorpay for secure payment processing (they do not receive health data)
• Analytics: Google Analytics, Vercel for usage statistics (anonymized data only)
• Communication: Email service providers, SMS gateways for notifications
• Customer Support: Helpdesk software for managing support tickets

All service providers are contractually required to maintain confidentiality, implement appropriate security measures, and use data only for specified purposes.

6.3 Future Health Data Exchanges

In the future, we may integrate with national health data systems (such as ABDM) to enable health data exchange with other healthcare providers. This feature is not currently available. When implemented, all data sharing will be:

• Based on your explicit consent for each sharing request
• Encrypted and logged for your review
• Revocable at any time through your account settings

6.4 Legal and Regulatory Disclosures

We may disclose personal data when required by law or to protect rights and safety:

• In response to valid legal requests from courts, law enforcement, or regulatory authorities
• To comply with subpoenas, court orders, or statutory obligations
• To protect the rights, property, or safety of MedJourney, our users, or the public
• To enforce our Terms and Conditions or investigate violations
• To prevent or address fraud, security issues, or technical problems

6.5 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you via email and provide an opportunity to delete your data before the transfer if you do not consent to the new ownership.

6.6 Aggregated and De-Identified Data

We may share aggregated, de-identified, or anonymized data that cannot be used to identify you individually for:

• Research and public health insights (e.g., disease prevalence trends)
• Industry benchmarking and analytics reports
• Marketing and business development purposes

We take the security of your health information extremely seriously. We implement comprehensive technical, organizational, and physical safeguards:

7.1 Technical Security Controls

• Encryption: End-to-end encryption for data transmission (TLS 1.3), AES-256 encryption for data at rest
• Access Controls: Role-based access, multi-factor authentication, principle of least privilege
• Network Security: Firewalls, intrusion detection/prevention systems, DDoS protection
• Secure Infrastructure: Data stored in India-based, ISO 27001 certified data centers with redundancy and backup
• Authentication: Strong password requirements, session management, automatic logout

7.2 Organizational Security Measures

• Employee Training: Regular security awareness training, HIPAA-equivalent privacy training
• Access Limitations: Only authorized personnel can access personal data, with audit trails of all access
• Confidentiality Agreements: All employees and contractors sign NDAs and data protection agreements
• Incident Response: Established procedures for detecting, reporting, and responding to security incidents

7.3 Ongoing Security Monitoring

• Regular Security Audits: Quarterly internal audits, annual third-party security assessments
• Vulnerability Management: Continuous scanning for vulnerabilities, prompt patching of security issues
• Penetration Testing: Annual penetration testing by certified ethical hackers
• Compliance Monitoring: Regular reviews to ensure DPDP Act, ISO 27001, and ABDM compliance

7.4 Data Breach Response

In the unlikely event of a data breach affecting your personal data:

• We will notify the Data Protection Board as required by DPDP Act 2023
• We will notify affected users via email within 72 hours of discovering the breach
• The notification will include nature of the breach, data affected, measures being taken, and recommended actions
• We will provide credit monitoring or identity theft protection services if financial data is compromised

7.5 Your Security Responsibilities

While we implement robust security, you also play a crucial role:

• Use strong, unique passwords and enable two-factor authentication
• Log out from shared or public devices
• Keep your contact information current for security alerts
• Report suspicious activity immediately to info@medjourney.ai
• Beware of phishing attempts - we will never ask for your password via email

8.1 Retention Periods

We retain your personal data only as long as necessary for the purposes stated in this Privacy Policy or as required by law:

• Active Accounts: Health data and account information retained while your account is active
• After Account Deletion: Most data deleted within 90 days, with some exceptions below
• Financial Records: Transaction data retained for 7 years for tax and accounting compliance
• Legal/Compliance: Data retained longer if required by law, court order, or ongoing legal proceedings
• Backup Systems: Deleted data may persist in backup systems for up to 90 days before permanent removal
• Aggregated Data: De-identified, aggregated data may be retained indefinitely for research and analytics

8.2 Account Deletion Process

When you delete your account:

• Immediate: Account disabled, access terminated, data no longer visible in Platform
• Within 30 days: All health records, personal information, and uploaded files permanently deleted from production systems
• Within 90 days: Complete removal from all backup systems and archives

Important: Data shared with healthcare providers through direct sharing is not automatically deleted from their systems. Contact them separately if needed.

8.3 Data Export Before Deletion

Before deleting your account, you can export all your data in machine-readable formats (PDF for reports, JSON for structured data) using the data export feature in account settings. We recommend exporting your data before deletion as recovery is not possible afterward.

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

9.1 Right to Access (Section 11(1))

You can request a summary of your personal data being processed, including:

• Categories of personal data collected
• Purposes of processing
• Identity of Data Processors and third parties with whom data is shared

How to Exercise: Submit a data access request to info@medjourney.ai. We will respond within 30 days with the requested information.

9.2 Right to Correction (Section 11(2))

You can request correction of inaccurate, incomplete, or outdated personal data. You can also update most information directly through account settings.

How to Exercise: Update via account settings or email info@medjourney.ai with specific corrections needed. We will process within 7 days.

9.3 Right to Erasure (Section 11(3))

You can request deletion of your personal data when:

• Processing purpose has been fulfilled
• You withdraw consent and we have no other legal basis to process
• Data is no longer necessary for stated purposes

Limitations: We may retain data if required by law (e.g., financial records for tax purposes, data needed for ongoing legal proceedings, or legitimate business purposes like fraud prevention).

How to Exercise: Use account deletion option in settings or email info@medjourney.ai. Deletion completes within 90 days.

9.4 Right to Grievance Redressal (Section 11(4))

If you have complaints about data processing:

• Step 1 - Internal Grievance: Contact our Grievance Officer at info@medjourney.ai. We will acknowledge within 24 hours and resolve within 30 days as per IT Rules 2021.
• Step 2 - Data Protection Board: If unsatisfied with our response, you can escalate to the Data Protection Board of India established under DPDP Act 2023.

9.5 Right to Nominate (Section 11(5))

You can nominate another individual to exercise your rights in case of death or incapacity.

How to Exercise: Submit nomination details through account settings or email info@medjourney.ai with nominee's name, contact information, and relationship. Nominees must verify identity before accessing data.

9.6 Right to Withdraw Consent

You can withdraw consent at any time with the same ease as giving consent. Withdrawal does not affect lawfulness of processing before withdrawal but may limit Platform functionality.

How to Exercise: Manage consent preferences in account settings or email info@medjourney.ai.

10.1 Age Requirements

MedJourney services are available for all ages, but with specific protections for children:

• 18+ years: Can independently create accounts and use services
• Under 18 years: Require verifiable parental or guardian consent before we process their personal data

10.2 Verifiable Parental Consent (DPDP Act Section 9)

For users under 18, we obtain verifiable parental consent through:

• Parent/guardian creating master account and adding child profiles
• Email verification sent to parent's email address
• OTP verification to parent's registered mobile number
• Digital consent acknowledgment confirming parental authority

10.3 Parental Control and Management

Parents/guardians can:

• Access and review their child's health information and Platform activity
• Request correction or deletion of their child's data
• Control consent settings and data sharing permissions
• Revoke consent and request account deletion at any time

10.4 Special Protections for Children

• We do not use children's data for targeted advertising or profiling
• Enhanced security measures for accounts with minor profiles
• Age-appropriate content and communications
• Regular parental notifications about data processing activities

11.1 Primary Data Location

Your personal and health data is primarily stored and processed in India-based secure data centers operated by certified cloud service providers (AWS Mumbai, Azure India, etc.). This ensures compliance with Indian data localization requirements.

11.2 Cross-Border Transfers

For certain service delivery purposes, your data may be transferred to and processed in other countries:

• AI Processing: OpenAI (USA) for AI-powered report summarization and health interview analysis
• Customer Support: Support ticket systems that may have servers in USA/Europe
• Analytics: Aggregated usage data processed by analytics providers (anonymized only)

11.3 Transfer Safeguards

When data is transferred internationally, we ensure:

• Compliance: Transfers comply with DPDP Act 2023 requirements (currently no countries are blacklisted)
• Contractual Protection: Standard Contractual Clauses with third-party processors ensuring equivalent data protection
• Encryption: All international data transfers encrypted in transit
• Minimization: Only necessary data transferred, never entire medical records

11.4 Future Expansion

As we expand to serve users in other countries, we will establish data centers or partner with local providers to comply with regional data protection laws. Users will be notified of any changes to data processing locations.

12.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website or use our app. We use cookies and similar technologies (web beacons, pixels, local storage) to enhance your experience and understand Platform usage.

12.2 Types of Cookies We Use

12.2.1 Strictly Necessary Cookies (Cannot Be Disabled)

• Authentication and login session management
• Security features (CSRF protection, secure connections)
• Load balancing and infrastructure routing

12.2.2 Functional Cookies (Can Be Disabled)

• Language preferences and localization settings
• Display preferences (theme, font size, accessibility options)
• Recently viewed reports or saved filters

12.2.3 Analytics Cookies (Can Be Disabled)

• Google Analytics: Page views, user journeys, feature usage
• Performance monitoring: Load times, error rates, crash reports

Note: Analytics cookies use anonymized or pseudonymized data only. No personal health information is shared with analytics providers.

12.3 Managing Cookie Preferences

You can control cookies through:

• Cookie Consent Banner: Accept or reject non-essential cookies when first visiting
• Privacy Settings: Manage cookie preferences anytime in account settings
• Browser Controls: Configure browser to block or delete cookies (may affect functionality)

12.4 Third-Party Cookies

Some third-party services we use may set their own cookies:

• Payment processors (Razorpay) for transaction processing
• Google Analytics for website analytics

These third parties have their own privacy policies governing cookie use. We recommend reviewing their policies.

13.1 Data Protection Officer

For privacy questions, data access requests, or exercising your rights under DPDP Act 2023:

Email: info@medjourney.ai

Response Time: Within 30 days of request submission

13.2 Grievance Officer (IT Rules 2021)

For complaints about content, data processing, or Platform misuse:

Email: info@medjourney.ai

Address: Lajpat Nagar, New Delhi, India

Response Time: Acknowledgment within 24 hours, resolution within 30 days as mandated by IT Rules 2021

13.3 Data Protection Board

If unsatisfied with our grievance resolution, you can escalate to the Data Protection Board of India established under Section 18 of DPDP Act 2023.

13.4 General Inquiries

Company: Tryzent Technologies Private Limited

Registered Address: Lajpat Nagar, New Delhi, India

Customer Support: info@medjourney.ai

Website: medjourney.ai

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service offerings. Material changes will be communicated as follows:

• Advance Notice: At least 30 days before implementation of material changes
• Notification Methods: Email to registered address, in-app notifications, website banner
• Opt-Out Option: If you disagree with changes, you can delete your account before effective date

Continued use of the Platform after changes take effect constitutes acceptance of the updated Privacy Policy.