Privacy Policy

medRudra · Last updated 17 May 2026

1. Who we are

medRudra is a business operations app for service organisations, operated by [YOUR LEGAL ENTITY NAME] ("we", "us", "the Company"), registered at [REGISTERED ADDRESS], India. We provide the back-office platform that this mobile app connects to. Each organisation that uses medRudra is the data controller for its own service records; the Company acts as a data processor on the organisation's behalf.

Contact for any privacy question or request: info@medrudra.com.

2. Who this app is for

medRudra is intended only for authorised staff members of subscribing organisations (owners, managers, front-desk staff, and team members) who already have a login provided by their organisation. End customers do not sign in here.

3. What data we collect

When you use the app we process the following categories of data:

Account data

  • Your work email, name, role, and the organisation / branch you belong to. Used to authenticate you and apply role-based access.

Client data your organisation enters

  • Client name, phone, age, gender, address, service requirement, appointment notes, invoices, payments, attached photos, and free-text notes added by staff.
  • This data belongs to your organisation. We hold it on our servers solely so the organisation's authorised staff can view and update it.

Device permissions you may grant

  • Camera — used only when you tap the Scan button, to read client and service-record QR or barcodes. We do not record video, capture photos in the background, or upload camera frames anywhere.
  • Microphone — used only when you tap the voice-dictation mic on a notes field, to transcribe what you say into text. Recognition happens via the device's built-in speech engine; no audio is stored or sent to us.
  • Internet — required for the app to talk to your organisation's server.

Diagnostic data

  • Standard server access logs (IP, request path, response code, timestamp) for security and reliability. We do not use any third-party analytics or advertising SDK in this app.

4. How data is used

  • To deliver the features of the app (showing bookings, taking service notes, raising invoices, generating QR / barcodes for clients and service records).
  • To authenticate you and prevent unauthorised access.
  • To provide your organisation's administrators with operational visibility into their own data.
  • To comply with legal and regulatory obligations applicable to the organisation's records.

We do not sell, rent, or share client or staff data with advertisers, brokers, or any unrelated third party.

5. Where data is stored and shared

  • Client and operational data is stored on servers operated by us in Bangalore, India (DigitalOcean BLR1 region) and is logically isolated per organisation ("tenant"). Staff from one organisation cannot see data from another.
  • Sub-processors we rely on for hosting and infrastructure: DigitalOcean (compute, block storage), DigitalOcean Spaces (encrypted database backups), Caddy (TLS termination). They process data only as instructed by us and are bound by confidentiality.
  • We will disclose data only when legally required (court order, valid government request) and only to the extent required.

6. Retention

  • Account data is retained while you are an active staff member of the organisation, plus a reasonable archive period thereafter for audit purposes.
  • Client and operational records are retained per the organisation's policy and any applicable record-keeping laws (typically 3+ years for business records under Indian commercial practice). The organisation is the controller for retention decisions on client data.
  • Diagnostic logs are retained for a limited period (typically up to 90 days) and then deleted or anonymised.
  • Database backups are retained for 7 days in encrypted, access-controlled object storage and then rotated.

7. Your rights

Under India's Digital Personal Data Protection Act 2023, you may:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Erase data, subject to retention obligations.
  • Withdraw consent for optional processing.
  • Nominate another person to exercise your rights in case of incapacity.
  • Lodge a grievance with the Data Protection Board of India.

To exercise any right, email info@medrudra.com with your name, organisation, and the specific request. We respond within statutory timelines (typically 30 days). For data about a client, please contact the organisation directly first — the organisation is the controller.

8. Children

The app is not intended for use by children. Where an organisation's end customer is a minor, that relationship is handled by the organisation directly with the customer and their guardian, not via this app's account system.

9. Security

We use industry-standard safeguards: encrypted transport (HTTPS / TLS 1.3), per-tenant data isolation, role-based access control, hashed passwords (bcrypt), short-lived authentication tokens, and encrypted, rotated database backups. No system is perfectly secure; if we discover a breach affecting your data we will notify the organisation and follow the timelines required by Indian law.

10. Changes to this policy

We may update this policy as the platform changes. Material changes will be notified through the app or by email. Continued use after the effective date constitutes acceptance of the updated policy.

11. Grievance officer

Name: [NAME]

Designation: Grievance Officer

Email: [GRIEVANCE EMAIL]

Address: [POSTAL ADDRESS]

We acknowledge grievances within 48 hours and aim to resolve them within 30 days.


This policy is published by Sparsh Physio. If your organisation publishes its own policy that supersedes this one for client data handled within the organisation's tenant, that policy applies; we continue to act as processor under our agreement with the organisation.