1. Data Controller

Medione Healthcare (Partnership Firm), located at 71/6, 1st Floor, Rama Road Industrial Area, New Delhi – 110015, acts as the controller of your personal data provided to, collected by, or processed in connection with its Services.

The data controller is responsible for the collection, use, disclosure, retention, and protection of your personal information in accordance with its privacy standards and applicable national laws. Medione may process and store your personal information on its servers in India, where its data centres are located, and/or on third-party servers (within or outside India) under contractual agreements with Medione.

2. Who This Policy Applies To

• Merchants/Customers (e.g., registered pharmacies, hospitals, institutions).
• Authorised representatives of customers (e.g., purchaser, billing contacts).
• Website and app visitors and prospective customers/suppliers who contact us.

We are a B2B pharmaceutical distributor. We do not sell to end consumers via this website or app. Our Services are intended for business users aged 18 or older.

3. What Personal Data We Collect

We collect the following categories of data (as applicable):

3.1 Personal Information

Personal Information refers to information that can be associated with a specific person and could be used to identify that person, either directly or in combination with other data we have or may have access to. Personal Information does not include data that has been anonymised or aggregated to the point where it cannot be used to identify a specific individual.

3.2 Identification & KYC

• Name, business name, GSTIN, PAN, drug licence details.
• Official email address, phone/WhatsApp number, designation.
• Delivery address and registered business address.

3.3 Account & Transaction Data

• Account credentials (stored in hashed/encrypted form).
• Order history, invoices, payment status, returns.
• Credit facility documentation (e.g., undated cheques/bank guarantees).
• Communications, preferences, and account settings.

3.4 Payment-Related Data

• Mode of payment (bank transfer/UPI/COD).
• Limited payment instrument details as provided to us or our payment partner.
• We do not store full card/UPI credentials; processing occurs via banks and PCI-DSS compliant payment providers.

3.5 Device & Technical Information

When you use our mobile application or website, we may collect:

• IP address, browser type, app version, operating system.
• Device type, device model, and mobile network information.
• Unique device identifiers, including Advertising ID (Android) and IDFA (iOS), used to track preferences, improve user experience, and display relevant content.
• Pages/screens viewed, time spent, referral URLs, clicks, search queries within the app.
• Session durations, error logs, browsing/navigation history within the app.
• App online/offline status.
• Information about other applications installed on your device, to the extent used to personalise your experience (where permitted by applicable law and your consent).
• Cookies and similar tracking technologies (see Section 6).

3.6 Location Data

When you use our location-enabled Services (e.g., delivery tracking, route management from a mobile device), we may collect and process information about your device's GPS location, including latitude, longitude, and the time the location data is recorded. This helps us provide location-based features such as delivery tracking and dispatch management.

We will request your consent before collecting precise location data. You can withdraw your consent at any time by disabling GPS or location services on your device. Please refer to your device manufacturer's instructions for guidance.

3.7 Stored Files & Metadata

Where you grant permission, the app may access metadata and other information related to files stored on your device, such as photos or contact information, for the purpose of uploading delivery confirmations, KYC documents, or other business-related content. We access this data only when you explicitly choose to share it.

3.8 Communications & Support

• Emails, WhatsApp messages, SMS/RCS messages, and phone logs (to the extent recorded per consent/notice).
• Support tickets, feedback, and surveys.

3.9 Supplier/Logistics Contacts

• Names, emails, and phone numbers of supplier or logistics partner points of contact.

We do not intentionally collect sensitive health/patient data through this website or app. If your interaction could include any sensitive data, please share only what is strictly necessary.

4. How We Collect Data

We collect information in the following ways:

4.1 Information You Provide to Us

The types of information we may collect when you directly interact with our Services include:

Account Information

• Your full name, business name, email address, mobile number, designation, and profile details.
• Account credentials (stored in hashed/encrypted form).
• You may also provide this information via third-party sign-in services such as Google. We collect and store any information made available through these platforms.

Business & KYC Details

• GSTIN, PAN, drug licence number, and other regulatory or identity documentation required for onboarding.
• Delivery address, registered business address, and billing contacts.

Preferences & Settings

• Your account settings and preferences, such as language, notification preferences, and time zone.
• Saved addresses, delivery instructions, and ordering preferences.

Transaction Details

• Information related to orders and purchases, including order history, invoices, billing details, payment information, phone numbers, and delivery addresses.
• Payment details are encrypted and processed securely via PCI-DSS compliant gateways. We do not store full card or UPI credentials.
• Credit facility documentation such as undated cheques or bank guarantees.

Communications

• Messages and queries sent to us via email, WhatsApp, phone, or support tickets.
• Your participation in surveys, contests, or promotions, and requests for specific features such as newsletters or updates.
• SMS/RCS is used as a communication channel for transactional and service messages.

Public Posts & Feedback

• Reviews, ratings, photographs, or comments you choose to submit through our Services. While privacy settings may be available, we cannot guarantee absolute security or control over how others may handle publicly shared data.

4.2 Information Collected Automatically

We may automatically gather information about your devices (including mobile devices) and your usage of the Services, even if you are not logged in. This includes:

Usage Information

• Details about your activity on our Services, such as traffic data, location data, logs, and resources accessed.
• Searches you perform within the app, features you use, and advertisements you interact with.

Device Information

• Data about your computer or mobile device, including IP address, operating system, browser type, device type, and mobile network information.

Mobile Device IDs

• Unique device identifiers, including Advertising ID (Android) and IDFA (Apple devices), used for tracking preferences, improving user experience, and displaying relevant content.

Activity Logs

• Search queries, browsing and navigation history within the app, error logs, clicks, pages and screens viewed, session durations, and other similar interaction data.

Mobile Status & Applications

• Online/offline status of our application.
• Information about the presence of other applications on your device, to the extent used to personalise your experience and where permitted by applicable law and your consent.

Stored Files & Metadata

• Where you grant permission, access to metadata and information related to files stored on your device, such as photos, videos, or contacts, for purposes such as uploading delivery confirmations or KYC documents.

4.3 Precise Location Data & How to Opt Out

When you use our location-enabled Services (for example, accessing the app from a mobile device for delivery tracking or dispatch management), we may collect and process information about your mobile device's GPS location, including latitude, longitude, altitude, and the time the location data is recorded. This helps us provide location-based features and Services. We may associate this location data with your device ID and other information we hold about you. We retain this data only for as long as necessary to provide the relevant Services.

You will be asked to provide consent before we collect precise location data. You can withdraw your consent at any time by disabling GPS or other location-tracking functionalities on your device. Please refer to your device manufacturer's instructions for guidance on how to do this.

5. Lawful Bases & How We Use Your Data

We process personal data for the following purposes under the lawful bases of consent, contract performance, legitimate interests, and legal obligation:

• Account creation, verification, and KYC (contract; legal obligation).
• Order processing, delivery, and customer support (contract).
• Billing, payments, and collections (contract; legitimate interests).
• Credit assessment and credit limit management (consent/contract; legitimate interests).
• Compliance with tax, GST, TCS, invoicing, and regulatory requirements (legal obligation).
• Security, fraud detection, and misuse prevention (legitimate interests).
• Service communications — order updates, policy changes, transactional alerts (contract/legal obligation).
• Push notifications — delivery updates, order confirmations, and (with consent) promotional alerts.
• SMS/RCS and WhatsApp communications — OTPs, order updates, and business communications.
• Marketing and business communications to business contacts (consent/legitimate interests, with opt-out).
• Analytics, app improvement, and personalisation (legitimate interests; consent where cookies/device IDs require it).
• Responding to queries, administering contests, surveys, or promotions.
• Generating and analysing reports, data, and usage trends.
• Complying with legal obligations and enforcing contractual rights.

6. Cookies & Similar Tracking Technologies

We and our third-party partners use cookies, pixel tags, web beacons, mobile device IDs, and similar technologies to collect and store information about your use of the Services.

6.1 Cookies

A cookie is a small text file stored on your device. We use cookies to:

• Recognise you as a registered user when you visit our website or app.
• Store your preferences and settings.
• Enhance your experience by delivering relevant content.
• Perform analytics and research.
• Track usage of our Services.
• Assist with security and administrative functions.

Cookies can be persistent or session-based. You can manage cookies via your browser settings to block all cookies, block third-party cookies, or remove specific cookies. Disabling cookies may affect some features of our Services. For more information, visit aboutcookies.org.

Where required by applicable law, we will display a cookie consent banner and obtain your consent before placing non-essential cookies.

6.2 Pixel Tags / Web Beacons

A pixel tag (or web beacon) is a tiny graphic embedded on a webpage, advertisement, or email. It helps us track user activity, ad impressions, clicks, and access to cookies stored on your device. We use pixel tags to measure the popularity of various pages and features, and to track email open rates and engagement.

6.3 Third-Party Cookies & Analytics

We may use third-party analytics services such as Google Analytics to understand user behaviour. These providers may collect information as described above. To opt out of Google Analytics tracking, use the Google Analytics Opt-Out Browser Add-on available at tools.google.com/dlpage/gaoptout.

Some third-party services, such as social media platforms, may use their own cookies or similar tools. We encourage you to review their privacy policies, as we do not control their practices.

7. Disclosures & Third-Party Sharing

We may disclose personal information that we collect or that you provide as described in this Privacy Policy in the following ways:

7.1 Subsidiaries & Affiliates

We may share information with our subsidiaries and affiliates, which are entities under common ownership or control of Medione Healthcare. Such sharing is for operational, administrative, and service delivery purposes and is subject to this Policy.

7.2 Contractors, Advertisers & Service Providers

We may engage third-party vendors and service providers for the following purposes:

• Sending communications via email, SMS/RCS, WhatsApp, or calls to inform you about orders, services, or updates.
• Delivering push notifications to your device.
• Providing analytics, voice recognition, payment processing, and hosting services.
• KYC and credit assessment to evaluate credit facility eligibility and limits.
• Logistics and delivery management via our own fleet and third-party courier partners.
• Professional services including legal, tax, and audit advisors.
• Organising surveys, contests, or promotional activities on our behalf.

All such parties are bound by contractual obligations to keep your personal information confidential and to use it solely for the purposes for which we disclose it to them.

7.3 Corporate Transactions

In the event of a merger, divestiture, restructuring, reorganisation, dissolution, or other sale or transfer of some or all of Medione Healthcare's assets — whether as a going concern or as part of bankruptcy, insolvency, or liquidation proceedings — personal information held about users of our Services may be among the assets transferred. You will be notified of any such change via a notice on our website or by email, as applicable.

7.4 Third Parties for Marketing

Where you have provided explicit consent, we may share your information with third parties to market their products or services to you. These third parties are contractually required to keep your personal information confidential and to use it solely for the agreed-upon marketing purposes. You may withdraw this consent at any time by contacting us.

7.5 To Fulfil Your Requests

We may share information with third parties to fulfil the specific purpose for which you provided it, or as disclosed by us at the time the information was collected.

7.6 Payment Card Information

To use certain Services, you may need to provide payment information. By submitting this information, you consent to sharing your payment details with third-party payment processors and fraud detection vendors. Third-party payment providers are validated as PCI-DSS (Payment Card Industry Data Security Standard) compliant and may store your payment details for future transactions through our Services.

7.7 For Legal & Safety Reasons

We may share information if we believe it is necessary to:

• Comply with applicable legal obligations, including responding to subpoenas, court orders, or regulatory requests.
• Investigate or address suspected illegal activities, threats to the safety of any person, or violations of our policies.
• Protect the rights, property, or safety of Medione Healthcare, its employees, users, or the general public.

7.8 With Your Consent

We may share your information in any other circumstances where you have given explicit consent. Such consent may be withdrawn at any time, though withdrawal will not affect any sharing already carried out on the basis of that consent.

8. Social Media & Third-Party Accounts

If you use social media features (e.g., the Facebook Like button) or sign in through a social media account (e.g., Google), these features may collect information about your activities on our Services. Such interactions are governed by the social media provider's privacy policies. If you connect a social media account, you consent to our collection, storage, and use of information provided through the social media interface, including your public profile and any data shared during the sign-in process.

9. Anonymous & De-identified Data

We may anonymise or de-identify data collected through the Services, including via third-party analytics tools. Once anonymised or de-identified, such information is no longer personally identifiable and may be used or disclosed without restriction under applicable law.

10. International Data Transfers

Our cloud and service providers may store or process data within or outside India. Where data is transferred cross-border, we take reasonable measures to ensure protection consistent with applicable law, including appropriate contractual safeguards with our service providers.

11. Data Retention & Account Termination

We retain personal data for as long as necessary to fulfil the purposes in this Policy, including to meet legal, accounting, or reporting requirements:

• Orders, invoices, and tax/GST/TCS records: retained as per statutory retention periods under applicable Indian law (including GST, Income Tax, and Drugs & Cosmetics Act requirements).
• Account and contractual records: retained throughout the business relationship plus a reasonable limitation period thereafter.
• Marketing data: retained until you opt-out, or for a reasonable period after your last interaction with us.
• Location and device data: retained only for as long as necessary to provide the relevant Services, after which it is deleted or anonymised.
• Support communications and logs: retained for a reasonable period to assist with dispute resolution and service improvement.

11.1 Account Closure

You may request closure of your account at any time by:

• Visiting the account settings page within the app and selecting the account closure option (where available), or
• Contacting us at info@medionepharma.com or via WhatsApp +91 92899 68999 with your closure request.

Once your account is closed, we will remove your data and/or dissociate it from your account profile on our active systems. Please note:

• We may retain certain information for purposes permitted under this Privacy Policy, such as compliance with legal obligations, resolution of disputes, or to investigate suspected wrongdoing.
• After the applicable retention period has elapsed, we will either permanently and securely delete your personal information or anonymise it so that it is no longer associated with your identity in any way.
• Requests must not be abusive or excessive. We may require verification of your identity before processing a closure or deletion request.

12. Security

We implement appropriate physical, electronic, and organisational measures to protect personal data against unauthorised access, loss, or misuse. These measures include:

• Access controls and role-based least-privilege practices.
• Encryption of data in transit (HTTPS/TLS where applicable).
• Audit logging and monitoring.
• Third-party payment processors validated as PCI-DSS (Payment Card Industry Data Security Standard) compliant.

However, no system is 100% secure. You share data at your own risk. Please keep your credentials confidential and notify us immediately of any suspected compromise. We are not liable for disclosures resulting from transmission errors, unauthorised third-party access, or causes beyond our reasonable control.

13. Your Rights

Subject to conditions and applicable law (including the DPDP Act, 2023), you may have the right to:

• Access your personal data held by us.
• Correction or updation of inaccurate or incomplete data.
• Erasure of personal data when no longer needed or when consent is withdrawn (subject to legal retention obligations).
• Withdraw consent for processing that relies on consent (e.g., marketing communications).
• Grievance redressal and, under the DPDP Act, nomination (appointing a nominee).
• Review, update, or delete your personal information by contacting us through the details below.

Requests must not be abusive or excessive. You can exercise your rights by contacting us at info@medionepharma.com or via WhatsApp +91 92899 68999. We may require verification before actioning your request. If dissatisfied with our response, you may escalate to the Data Protection Board of India (when fully operational and as per prescribed procedure).

14. Marketing & Communications

14.1 Transactional Communications (Mandatory)

We will send essential service communications that are necessary for the operation of the Services and cannot be opted out of. These include:

• Order confirmations, dispatch updates, and delivery notifications.
• Payment confirmations, invoices, and credit-related notices.
• Account security alerts and verification OTPs.
• Policy updates, changes to Terms of Service, and legal notices.

These communications will be sent via email, WhatsApp, SMS/RCS, and/or push notifications as appropriate.

14.2 Marketing & Promotional Communications

We may use your information to contact you about products, services, or offers from us or from third parties that may interest you. This includes:

• Business communications sent to corporate contacts by email, WhatsApp, SMS/RCS, or push notification.
• Promotional offers, scheme updates, new product announcements, and loyalty programme communications.
• Sharing your preferences or Services availed with your network for marketing purposes, where applicable.

If you prefer not to receive such communications, you may opt out at any time by:

• Using the unsubscribe or opt-out link in any marketing communication.
• Adjusting your notification preferences in your account settings within the app.
• Contacting us directly at info@medionepharma.com or via WhatsApp +91 92899 68999.

Please note that opting out of marketing communications will not affect your receipt of mandatory transactional communications described in Section 14.1 above.

14.3 Targeted Advertising & Recommendations

We may display targeted content, advertisements, and recommendations to you based on the information we collect, including device identifiers, usage data, and interaction history. While we do not share your personal information with advertisers without your consent, advertisers may infer targeting criteria if you interact with their advertisements on our platform.

You may opt out of interest-based advertising by adjusting your device privacy settings (e.g., resetting your Advertising ID on Android, or enabling Limit Ad Tracking on iOS). Note that even if you opt out, you may still see generic advertisements that are not tailored to your interests.

14.4 Choices & Preferences

You have the following controls over how we communicate with you:

• Cookies: Adjust your browser or device settings to block cookies or receive alerts when cookies are being used. Disabling cookies may affect certain features of our Services.
• Push Notifications: Disable push notifications at any time through your device settings or within the app.
• Email & SMS: Manage preferences or unsubscribe from promotional messages via the link in any such communication.

Administrative, legal, security, and policy-related communications are mandatory and cannot be unsubscribed from, as they are necessary for the safe and lawful operation of your account.

15. Children's Data (Permissible Age)

Our Services are intended for users aged 18 or older (or such other age as is the permissible age under applicable local law). We do not knowingly collect personal information from users below the permissible age or market to them. If we discover that a user below the permissible age has submitted personal information, we will delete their account and associated data promptly. If you believe a minor has provided us with their data, please contact us immediately at info@medionepharma.com.

16. Third-Party Links & Services

Our website and app may contain links to third-party websites or services. Interacting with these features may result in the collection, processing, or sharing of your information by those third parties. We are not responsible for the content, security, or privacy practices of third-party websites or services. Our Privacy Policy does not cover information you provide to or that is collected by third parties. We encourage you to review the privacy policies of these third parties before interacting with their services.

17. Grievance Officer / Data Protection Contact

Grievance Officer: Jaswinder Singh Oberoi

Email: info@medionepharma.com

Phone/WhatsApp: +91 92899 68999

Address: 71/6, 1st Floor, Rama Road Industrial Area, New Delhi – 110015

Response Time: We will acknowledge your grievance within 48 hours and endeavour to resolve it within 30 days.

If you are dissatisfied with the resolution provided by the Grievance Officer, you may escalate the matter to the Data Protection Board of India, once fully operational, as per the procedure prescribed under the DPDP Act, 2023.

18. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy periodically to reflect changes in the law, updates to our data collection and usage practices, new features of our Services, or advances in technology.

• Please review this page regularly for updates.
• The use of information we collect will be subject to the Privacy Policy in effect at the time the information is used.
• If we make material changes to this Privacy Policy, we will post them at medionepharma.com with a revised Effective Date. Significant changes may also be notified by email or in-app banner.
• Your continued use of the Services after any changes are posted constitutes your acceptance of the revised Privacy Policy.