SecondMedic™ is a registered trademark and product of Remote Healthcare Technologies Private Limited. Registered Address: Office No 320, Plot No 17-18, Platinum Techno Park, Palm Beach Road, Vashi, Navi Mumbai, Thane, Maharashtra, India - 400703. Website: www.secondmedic.com

Introduction

SecondMedic™ ("we", "us" or "our") is committed to protecting the privacy of individuals who use our healthcare platform and services. This Privacy Policy explains how SecondMedic™ collects, uses, shares, and safeguards digital personal data of all users, including patients, doctors, internal employees, and third-party vendors, in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and its 2025 implementation rules. We recognize the rights of individuals ("Data Principals") under the DPDP Act and implement measures to meet our obligations as a responsible Data Fiduciary. This Policy is written in clear and plain language, following recognized best practices in India, and is suitable for publication on our website and use in compliance audits.

Please read this Privacy Policy carefully. By using SecondMedic™'s website, mobile app, or services, you consent to the practices described herein. If you do not agree with any part of this Policy, you should refrain from using our services.

 

Scope and Applicability

This Privacy Policy applies to all personal data (in digital form) that we collect and process in India in connection with SecondMedic™'s services. It covers personal data of the following categories of individuals under a unified framework: patients, doctors, SecondMedic™ employees, and third-party vendors/partners. The Policy is intended for Data Principals who are within the territory of India; our services are designed and offered for users in India, and we apply this Policy only to personal data of individuals in India. If you are accessing our services from outside India, please note that our data practices are aligned primarily with Indian law.

 

Children: Our services are generally intended for adults. We do not knowingly collect or process personal data of children under 18 years of age without verifiable parental consent. If you are under 18, you should use SecondMedic™ services only with the involvement and consent of your parent or legal guardian. We also do not engage in any tracking or targeted advertising directed at children. Parents or guardians who become aware that a child has provided us personal data without consent can contact us to have such data deleted.

Personal Data We Collect and How We Use It?

SecondMedic™ collects only that personal data which is necessary for specified lawful purposes. We provide a notice at the time of data collection describing the personal data being collected and the purpose of processing, in compliance with DPDP Act requirements. The types of personal data we collect, and the purposes for which we use them, are outlined below:

 

Patients

Individuals using SecondMedic™ as patients provide personal data needed for healthcare services. This may include:

  • Identity and Contact Data: e.g. your name, email address, phone number, age, gender, and login credentials. We use this information to create your account, verify your identity, communicate with you (for appointments, reminders, support, etc.), and personalize your experience.
  • Health and Medical Information: e.g. health profile details such as medical history, current medications, allergies, and other information you input about your health. We process this sensitive health data only with your explicit consent, and use it solely to provide medical consultations, second opinions, and other healthcare services requested by you. This helps our doctors understand your condition and offer informed medical advice or treatment plans.
  • Medical Records and Documents: e.g. prescriptions or lab reports that you upload to the platform (in formats like PDF or JPG). With your consent, these documents are collected to be reviewed by consulting doctors and to be stored in your health profile for future reference. We may also use them to facilitate services you request (for example, sharing a prescription with a partner pharmacy to fulfill a medicine order, but only with your consent).
  • Consultation Data: e.g. details of your teleconsultations, including chat transcripts, audio/video call records, and any e-prescriptions or notes generated during consultations. We collect this data to enable and document the medical advice provided, to ensure continuity of care, and for quality assurance. Consultation records are accessible to you and the attending doctor, and are kept confidential. This processing is based on your consent at the time of consultation (we obtain your agreement to record or save consultation information as needed).
  • Payment and Transaction Data: e.g. bank name, transaction reference number, or payment method details when you pay for services. We use this data to process your payments for appointments, services or purchases on SecondMedic™. Payment data is processed under deemed consent for contractual necessity – by initiating a payment you are understood to consent to the processing of that data for completing the transaction. Note: we do not directly collect or store sensitive payment instrument details like full credit card numbers; payments are handled through trusted payment gateways.
  • Customer Support Communications: e.g. the content of emails or messages you send to our support team, which may include your name and details of your inquiry. We collect these when you voluntarily contact us for help, and use them to resolve your issues and improve our services. This is considered consent by voluntary action (when you email us, we infer your consent to use that information to assist you).
  • Usage and Device Data: e.g. cookies and analytics data about how you use our website/app – such as your device identifier, IP address, browser type, and pages or features accessed. We collect this with your consent (via our cookie consent banner) to analyze usage patterns, improve our platform's performance, and for marketing analytics. This data helps us understand user engagement and preferences in order to enhance the user experience. (See Cookies and Tracking Technologies below for more details.)

 

Doctors

Medical practitioners who register on SecondMedic™'s platform or provide services through it share certain personal and professional data with us. This includes:

  • Professional Identity and Verification Data: e.g. full name, contact information, medical credentials (degrees, specialization), government-issued physician registration or license number, and any verification documents (like scanned license certificates or ID proof) collected during the onboarding process. We use this information to verify the doctor's qualifications and identity, to create their profile on our platform, and to comply with legal or regulatory requirements for healthcare providers. The processing of doctors' professional data is based on deemed consent – it is necessary for entering into a provider agreement and for compliance (doctors voluntarily provide these details to register and practice on SecondMedic™).

 

Patient health information that a doctor accesses or inputs during a consultation is handled with strict confidentiality and in compliance with medical ethics and data protection law.

 

  • Performance and Feedback: e.g. patient ratings or feedback on the doctor's services (if collected), which we use to maintain service quality. Such information, if any, is shared with the doctor in aggregate or as needed for improvement.

 

We may also collect and use doctors' data for legal compliance and employment purposes in certain cases (for example, if a doctor is engaged as an employee or contractor, we may process their data for taxation, statutory reporting, or regulatory audits under deemed consent provisions).

 

Employees

If you are an employee of SecondMedic™, we collect personal data necessary for human resource management and to fulfill our obligations as an employer. This may include:

  • Personal Identification and Contact Details: e.g. full name, address, phone number, email, date of birth, and emergency contact persons.
  • Employment Records: e.g. your resume/CV, educational qualifications, work history, references, job title, department, work location, and performance evaluations.
  • Government Identifiers: e.g. PAN, Aadhaar number or other ID for background verification and payroll compliance, as well as any mandatory employment registrations.
  • Financial Information: e.g. bank account details for salary payments, salary and benefit information, tax deductions, etc.
  • Health and Benefits Data: e.g. health insurance details, medical certificates (if provided for leaves or insurance claims), and any occupational health information if applicable.

This employee data is used strictly for internal purposes: payroll and benefits administration, performance management, statutory compliance (Provident Fund, tax, labor laws), and workplace security.

Processing of employee data is generally based on deemed consent and legal obligation – by accepting employment with SecondMedic™, an individual is understood to consent to the processing of their data for legitimate HR purposes, and we also process certain data to comply with laws (such as maintaining employment records or furnishing returns to government). We ensure employee data is accessed only by authorized HR personnel or management on a need-to-know basis, and it is not disclosed outside SecondMedic™ except as required by law or with the employee's consent.

 

Third-Party Vendors and Partners

If you are a vendor, service provider, or business partner to SecondMedic™ (for example, a laboratory, pharmacy, payment gateway, IT service provider, etc.), we may collect limited personal data about your representatives or personnel as needed for our business engagement. This typically includes:

  • Business Contact Information: e.g. name, work email, phone number, and designation of the vendor's point of contact or authorized signatory. We use this to communicate and coordinate with you regarding contracts, orders, and service delivery.
  • Due Diligence and Credentialing Data: e.g. company registration details, relevant licenses or certifications (for a healthcare partner like a pharmacy or lab), and KYC documents of key individuals if required under law. These are used to verify credibility and fulfill legal obligations such as anti-fraud or anti-bribery checks.
  • Financial and Payment Information: e.g. bank account or UPI details of the vendor (if an individual) or billing contact, used for processing payments to you for services rendered, and for accounting/tax compliance.

We process vendor personal data under deemed consent (as it is provided in the context of contracting and is necessary for our legitimate business interests) and in some cases to comply with legal requirements (e.g., maintaining records for audits or taxation). We do not use vendor personal data for any purpose other than managing our commercial relationship and fulfilling mutual obligations.

 

No Unauthorized Collection

We do not collect any personal data that is not required for the stated purposes. In particular, we do not collect information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, or sexual orientation, as these are not relevant to our services. In any case, we treat all personal data with high standards of security and confidentiality. If we ever need to process any additional categories of personal data, we will do so only with appropriate notice and consent.

 

 

Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website and app to enhance user experience, analyze traffic, and support our services. A cookie is a small text file stored on your device that helps remember your preferences and activity. SecondMedic™ uses cookies in the following manner:

 

  • Essential Cookies

These are necessary for our site's core functionality – for example, to keep you logged in during a session, to remember items in your cart, or to enable navigation. Without these cookies, certain services or features may not be available. These cookies do not collect personal data beyond what is needed for service operation, and they are generally session-based (temporary). By using our site, you implicitly consent to essential cookies as they are required for service delivery.

  • Analytics and Performance Cookies

We use third-party analytics tools (such as Google Analytics) to collect information about how users interact with our platform. This includes data like your device type, browser, IP address, pages visited, time spent, and actions taken on our site. We use analytics cookies only with your opt-in consent, as indicated by our cookie consent banner when you first visit. The information gathered helps us understand user behavior and improve our website, features, and marketing strategies. For instance, Google Analytics cookies allow us to gauge which services are most popular, how users navigate our app, and how our marketing campaigns are performing. The data collected via analytics cookies is typically aggregated and pseudonymized. Google Analytics may assign you a unique identifier, but it does not reveal your identity to us. We have configured Google Analytics to respect data minimization and retention limits (user-level data is retained for 14 months by default in GA before automatic deletion).

 

  • Advertising Cookies

Currently, SecondMedic™ does not use any third-party advertising or targeting cookies on our platform. We do not serve targeted advertisements based on user profiling, nor do we share your browsing behavior with advertising networks. If this changes in the future, we will update our Policy and seek any necessary consents. In any case, as noted, we do not engage in targeted advertising towards minors in compliance with the DPDP Act.

 

  • Cookie Consent and Control

When you first access SecondMedic™'s website or app, you will see a cookie notice or banner requesting your consent for non-essential cookies (analytics). You have the choice to accept or reject these. If you opt out, we will not set those cookies and will respect your preference (though our site will still set any essential cookies needed for functionality). You can also control cookies through your browser settings – for example, you can delete existing cookies or block future cookies from being set. However, please note that disabling cookies might affect certain interactive features of our services. For mobile apps, you can typically control tracking via your device settings (such as resetting advertising IDs or limiting ad tracking, though again, we currently do not use ad trackers). By adjusting these settings, you can withdraw consent for cookie-based processing at any time, and we will cease collecting your data through those means.

For more information on how to manage cookies or to change your preferences with us, please refer to our Cookie Notice (if available on the site) or contact us for assistance. We strive to make our use of cookies transparent and in line with user expectations and legal requirements.

 

How We Share Personal Data?

SecondMedic™ does not sell or rent your personal information to any third party. However, in order to operate our services and fulfill the purposes described above, we may share your personal data with third parties in certain situations. Any sharing of data is done in a limited, secure, and responsible manner, only as necessary and with adequate safeguards. The categories of third parties with whom we may share data include:

  1. Service Providers (Processors)

We employ trusted third-party companies to perform services on our behalf, such as:

Hosting and Infrastructure: e.g. cloud storage providers and data center services that host our databases and application on servers (our primary databases are hosted in India). These providers may incidentally have access to stored data for maintenance or backups, but only under strict confidentiality.

Communication Services: e.g. SMS or email gateways for sending OTPs (one-time passwords), notifications, or emails. For instance, when you register or reset a password, an OTP service API is used to send verification codes to your phone. Such providers get access only to the necessary contact information (phone/email) and message content for that transaction.

Payment Processors: e.g. our UPI/payment gateway partners who handle payment transactions. When you make a payment, we share the required transaction details with the payment processor (such as your order ID and payment amount). The processor in turn may interact with banks or UPI networks. These third parties are contractually bound to use the data only for processing the payment and complying with legal requirements (e.g. receipts, audits).

Analytics Providers: e.g. Google Analytics, as mentioned, which processes usage data on our behalf for analytics purposes. Google may process this data on its servers (which could be outside India – see Cross-Border section) but is contractually obligated not to use it for any other purposes without our instructions. We have configured our analytics to not collect more data than necessary and to respect Do-Not-Track signals where possible.

IT Support and Security: e.g. providers of security monitoring, anti-fraud services, or customer support software. If we use a cloud-based customer support ticket system, for example, the personal data you provide in support tickets (name, email, issue details) may be stored on their platform. We ensure any such provider implements industry-standard security measures and privacy controls.

All our service providers act on our instructions as data processors. We sign data processing agreements with them to ensure your data remains protected according to our standards and the DPDP Act's requirements. This includes obligations to maintain confidentiality, apply appropriate security measures (encryption, access control, etc.), and not to further share the data without authorization. If a data processor no longer needs the data or if you withdraw consent (in cases of consent-based processing), we ensure they delete or return the personal data as required. SecondMedic™ remains accountable for the protection of your data even when it is processed by third-party service providers.

 

  2. Healthcare Partners

With your consent and direction, we may share relevant personal data with third parties involved in your healthcare or wellness needs. For example:

    • If you request a lab test or a diagnostic service through SecondMedic™, we will share the necessary information with the partner laboratory (e.g. your name, contact, test details) to book your test and have them deliver results. Only the information required to provide the service is shared, and the lab is expected to safeguard it and use it only for fulfilling your tests.
    • If you opt to have a prescription filled via our platform (online pharmacy service), we will forward your prescription details and contact information to our authorized pharmacy partner to facilitate the medicine delivery. This is done with your explicit consent at the time of placing the order (you would, for instance, tick a checkbox or click "Agree" to allow us to share your data with the pharmacy for fulfillment). The pharmacy is bound to use your information only for dispensing the prescribed medicines and for no other purpose.
    • In telemedicine consultations, the consulting doctor (who may be an independent practitioner on our platform) will have access to the personal and health information you have provided for that consultation. This sharing is inherent in providing you the service – by booking a consultation, you consent to your data being shared with the assigned doctor. All doctors using SecondMedic™ are bound by confidentiality and ethics to keep patient information private. They only use your data for the purposes of medical diagnosis and advice, and SecondMedic™ contractually requires them to adhere to data protection obligations.

Similarly, if we have tie-ups with hospitals, insurers, or wellness providers and you choose to engage with them through our platform, we will share your data only as needed and with your knowledge. Each such partner's use of your data will be governed by this Policy as well as any additional consent you give.

  3. Business Partners and Vendors

In some cases, we may share limited personal data of one category of user with another category in a business context. For example:

    • We might share a doctor's professional profile information (name, specialty, qualifications) with patients publicly on our platform so that patients can choose a provider. This is mostly information the doctor has consented to make public. Contact details of doctors are generally not shared directly with patients except through the consultation interface or as required to fulfill the service.
    • If an employer or corporate partner has arranged health services for you (e.g. via an Employee Assistance Program or corporate health plan), we may share usage or aggregate health data with that partner only with appropriate consent and as per agreements. For instance, a corporate client might receive de-identified summary reports about how many of their employees availed certain services, but not any specific medical details without individual consent.
    • We may share vendor contact data internally or with other partners when required for coordination. For example, if a tech vendor is working alongside another consultant on a project, we might connect them using business contact information. This is limited to professional use.

 

  4. Legal and Regulatory Disclosure

We may disclose personal data to government authorities, regulatory bodies, law enforcement or other third parties if required to do so by law or legal process, or if we determine that such disclosure is necessary to:

    • Comply with a legal obligation or request (for example, responding to a court order, law enforcement inquiry or government notice).
    • Enforce our Terms of Service or other agreements, or investigate potential violations thereof.
    • Detect, prevent, or address security or technical issues, fraud, or abuse.
    • Protect the rights, property, or safety of SecondMedic™, our users, or the public, as permitted by law.

When disclosing information for legal reasons, we will ensure the request is legitimate (for instance, we may demand a warrant or official letter where appropriate) and we will only provide the minimum data necessary. We may process the user’s personal data without consent for certain "legitimate uses" such as compliance with laws or court orders and in response to emergencies. We will rely on those provisions when making any such disclosures. Wherever feasible, we may notify the affected users about such disclosures, unless we are legally restrained from doing so.

  5. Corporate Transactions

If SecondMedic™ undergoes a business transaction like a merger, acquisition, restructuring, or sale of assets, personal data might be transferred to the successor or new owner as part of the transaction. In such cases, we will ensure that the new entity continues to be bound by privacy obligations at least as strict as those described in this Policy. A notice will be provided on our website or via email to inform you of any change in data controllership resulting from such a transaction, and your choices regarding your data will be preserved.

  6. No Unauthorized Third-Party Access

We do not share personal data with any third parties other than as described above. Specifically, we do not share your data with advertisers or social media companies for their own marketing purposes without your consent. We also do not allow any third party to have access to your personal data for analytics or processing unless they are under a contract to provide a service for us and to act under our instructions. Your trust is important to us, and we take care to engage only reputed partners who adhere to data protection standards. If you have questions about a particular third party with whom your data may be shared, you may contact us for more information.

 

Cross-Border Data Transfers

As a rule, SecondMedic™ stores and processes personal data on servers located in India whenever possible. However, some of our service providers or partners may be located in, or use infrastructure in, other countries. For example: our analytics provider (Google) may process data on servers in the United States or European Union; our email or customer support systems might route communications globally. Therefore, your personal data may be transferred outside of India in certain circumstances.

We will ensure that any international transfer of data is made in compliance with applicable laws. This means: (a) we will not send your personal data to any country that is officially prohibited for data transfers by the Indian government (the government is expected to publish a list of restricted jurisdictions, if any); and (b) we continue to remain responsible for the security of your data even when it is processed outside India.

 

Whenever your data is transferred outside India, we take appropriate safeguards. Our contracts with data processors include clauses to protect your information regardless of where it is processed. We also consider industry best practices such as encryption of data in transit, and selecting vendors with strong security certifications, to protect cross-border data flows. By using our services or by providing your information, you consent to the transfer of such information abroad, subject to the safeguards described in this Policy.

If you would like to know more about where your data may be stored or transferred, or if you have concerns about a particular destination, please contact us. We will be happy to provide information on the cross-border practices relevant to your personal data. Currently, key instances of cross-border transfer in our operations include: Google Analytics data (transferred to Google's servers globally), and possibly email/support data if our email servers are hosted by a global provider. All such transfers are made in line with the applicable rules and with respect for your privacy.

 

Data Security Measures

SecondMedic™ takes data security very seriously. We implement reasonable and appropriate security safeguards to protect personal data from unauthorized access, loss, misuse, alteration, or destruction. Our security program is designed to adhere to industry standards and Indian legal requirements (such as the IT Act's "reasonable security practices" and the DPDP Act's expectations). Key measures we have in place include:

  • Encryption: Personal data is protected by encryption in transit and at rest wherever feasible. For example, our websites use HTTPS (TLS encryption) for all data transmission, ensuring that information exchanged between you and us is secure. Sensitive data in our databases is encrypted or hashed. Documents and records (like medical reports) stored in our cloud are kept in secure, access-controlled storage with encryption.
  • Access Control: We strictly limit who at SecondMedic™ can access personal data. Internal access to patient or user data is restricted to authorized personnel on a need-to-know basis. For instance, only support staff or admins who need to assist you have access to your account information; only medical officers or your consulting doctor can view your health records. Employee and vendor data is accessible only to HR or finance staff requiring it. All accesses are logged and monitored. We enforce strong authentication for our employees and partners (such as strong passwords, 2FA where appropriate) to prevent unauthorized login.

 

  • Organizational Policies: We have internal policies and training in place to ensure our team handles personal data properly. This includes confidentiality agreements with all employees, regular privacy training, and clear procedures for data handling. Any violation of data protection policies by staff can result in disciplinary action. We designate specific roles (e.g. a Privacy Officer or Grievance Officer) who oversee compliance and address security incidents.
  • Vendor Due Diligence: Before onboarding any third-party service provider to handle personal data, we assess their security practices. We choose reputable vendors and ensure they have appropriate certifications or safeguards (for example, many of our providers comply with standards like ISO 27001 or SOC 2). We include data protection and security requirements in our contracts with them. Our vendors are obligated to notify us in case of any security breach on their side.
  • Technical Safeguards: We deploy firewalls, intrusion detection systems, and antivirus/anti-malware tools to protect our IT infrastructure. Regular vulnerability assessments and penetration testing are conducted on our applications to identify and fix potential security weaknesses. We keep our systems and software up to date with security patches. Our application has in-built security features like input validation and encryption to protect data.
  • Anonymization and Pseudonymization: Where possible, we anonymize or pseudonymize personal data to reduce direct identifiability. For example, when generating analytical reports or sharing data with researchers or corporate clients in aggregated form, we remove or mask personal identifiers. If we use production data for testing new features, we sanitize it beforehand.
  • Data Retention and Deletion: As described in the next section, we do not keep personal data longer than needed. We have processes to securely delete or destroy data that is no longer required (using techniques like secure erasure, shredding of physical documents, etc.), preventing any unauthorized recovery of information.

 

 

Despite our best efforts, please note that no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. However, we continuously review and update our security practices to react to new threats and vulnerabilities. You also play a role in keeping your data secure: please use a strong, unique password for your SecondMedic™ account, do not share your login credentials, and notify us immediately if you suspect any unauthorized access to your account or any security issue. We will support and guide you on additional steps to secure your account in such cases.

In the unfortunate event of a personal data breach (such as unauthorized access, theft, or leak of personal data), SecondMedic™ has a breach response plan in place. We will promptly contain and investigate the incident, mitigate any harm, and notify the affected Data Principals and the Data Protection Board of India as required. Our breach notices (if ever needed) will outline the nature of the breach, the data involved, steps we are taking to address it, and guidance on what you can do to protect yourself. We will endeavor to send such notice to you in a clear and concise manner and within the timeline prescribed by law. Protecting your data is our priority, and we will take all necessary measures to prevent and respond to security incidents.

 

Data Retention and Disposal

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. Once personal data has fulfilled its purpose and is no longer required, or upon your valid request for deletion, we will either delete it or anonymize it so that it can no longer be associated with you. Our retention practices are as follows:

  • General Retention Principle: By default, we review personal data periodically to determine if it is still needed. If not, we safely dispose of it. For data collected on the basis of your consent, we will erase the data if you withdraw that consent and there is no other lawful basis to continue retaining it. For data collected under deemed consent or legal obligation, we retain it as long as needed for that purpose and/or as mandated by law.
  • Specific Retention Periods: Different categories of data may have different retention timelines, based on legal requirements and our business needs. For transparency, here are some key retention periods we follow (these are subject to change if laws change, but we will update accordingly):
    • Account Information (Patients & Doctors): We retain your basic account data (name, contact, etc.) for as long as your account is active. If you delete your account or it remains inactive for an extended period, we may archive or delete the data after a grace period. Currently, we treat 24 months of inactivity as a threshold for deletion of patient accounts (unless there is a reason to retain, like an ongoing treatment or legal obligation). We will notify you (via email or SMS) before terminating an inactive account. Account deletion will involve removing personal identifiers, but some minimal data may be kept in backups or logs for a short period or as required for our legitimate purposes (e.g. fraud prevention).
    • Health and Consultation Records: We retain medical consultation data and health records for a period that ensures continuity of care and meets medical record-keeping standards. Typically, consultation chat transcripts are retained for 1 year and e-prescriptions or consultation summaries for up to 3 years. Uploaded health documents (like lab reports) and health profile information are retained for about 5 years from the date of collection. These periods align with recommended practices in healthcare for retaining patient records. After these periods, data may be archived in anonymized form for research or statistical purposes, or deleted securely. If you wish to have a particular record deleted sooner, you can request erasure (see Your Rights below), and we will accommodate if there is no legal need to keep it.
    • Payment and Financial Records: We retain transaction records (payment histories, invoices, receipts) for at least 7 years, as this is required to comply with tax and accounting regulations in India. Even if you delete your account, we may need to keep payment records for the legally mandated period. However, these records will not be used for any other purpose beyond compliance and audits.
    • Customer Support Communications: Support emails or messages are generally retained for about 2 years for training and quality assurance purposes. This helps us refer back to previous issues and improve our support. Older support threads beyond this period are securely archived or deleted as appropriate.
    • Analytics Data: Google Analytics and similar tools automatically delete or anonymize user-level data after a set period. We currently adhere to Google's default, which is 14 months for retention of analytics data. Aggregate reports may be kept longer, but they contain no personally identifiable information.
    • Employees' Data: We retain employee records during the tenure of employment and for at least 5 years after separation (or longer if required by specific laws, e.g. labor laws, PF records). This retention is needed for any post-employment obligations (like employment verification requests, pension/benefit references, or legal disputes). After that, we archive or delete what is not needed. Some information, like payroll details, may be kept longer if mandated by tax laws.

    • Vendor Data: Vendor contracts and related personal data are typically retained for the duration of the contract and for a reasonable period (e.g. 5 years) thereafter. This covers any warranty or dispute periods and accounting record requirements.
    • Secure Disposal: When data is due for deletion, we follow secure disposal methods. Digital records are deleted from active systems and then overwritten or wiped from storage media. We also ensure deletion from backup systems in the next backup cycle (backups have limited retention themselves). Physical records (if any) containing personal data are shredded or incinerated. Prior to deletion, we may anonymize data so that it can be retained in a form that no longer identifies individuals (for example, we might keep anonymized health statistics for research). Anonymization is irreversible.
    • Legal Holds: If we are subject to a legal obligation to retain data (such as a government order, litigation hold, or an investigation), or if the data is required to resolve a dispute, we will securely retain the specific data as needed beyond the normal retention period and only for the duration required. During such a period, we will not use the data for any other purpose. Once the retention period expires (and no legal hold applies), we ensure the data is expunged. Our goal is to minimize storage of personal data and reduce risk. If you have any questions about our retention policy for a specific type of data, feel free to reach out to us.

 

Your Rights as a Data Principal

SecondMedic™ is committed to honoring all applicable policies and users' data rights, and to providing you with control over your information. Subject to verification of your identity and applicable laws, you have the following rights with respect to your personal data that we hold:

 

  • Right to Access and Confirmation: You have the right to get confirmation whether we are processing your personal data, and to access basic information about that processing. This includes the right to know what personal data of yours we have, and to obtain a summary of such data in an understandable format. For example, you can request: "Please confirm if you have my data, and provide me with a summary of my health records and account information on file." We will provide you with the data or details of data as required by law.
  • Right to Correction: If any of your information with us is wrong or has changed (for example, you updated your phone number or need to correct a misspelling in your name), you can ask us to rectify it. Where feasible, we also provide self-service tools for you to edit certain profile details. We may ask for documentation where needed (e.g., proof of correct name) before making significant changes, to prevent fraud. We will correct the data within a reasonable time and confirm to you that we have done so.
  • Right to Erasure: You may request that we delete certain data we hold about you. For instance, if you no longer want us to have your data, you can request account deletion. We will evaluate such requests in line with legal requirements – if the data is no longer needed or was processed based on your consent which you now withdraw, we will delete it. If we must keep some data (for example, due to a legal retention obligation or an ongoing contract), we will inform you of that and isolate the data from active use. We will also delete data that is excessive or not required. Do note that deletion of some data (like health records) might limit our ability to provide you services in the future (for example, if you delete your consultation history, we cannot retrieve it later). Once we process an erasure request, the data will be removed from our active databases and we will also instruct our processors to delete the data. Residual copies might persist in backups for a short duration but will be removed as those backups cycle out.

  • Right to Withdraw Consent: For processing activities that rely on your consent, you have the right to withdraw that consent at any time. For example, if you consented to us using your health data for a research project, you can change your mind; or if you consented to marketing emails or analytics cookies, you can opt out. Withdrawal of consent will not affect the lawfulness of processing already done based on the consent before its withdrawal, but we will stop the processing going forward. If consent is withdrawn and there is no other legal basis for us to process that data, we will cease processing and delete or anonymize the data. Some consents can be managed directly: e.g., you can unsubscribe from marketing emails using the "unsubscribe" link in those emails, or you can revoke analytics cookie consent via our Cookie settings. For other cases, you may contact us to ensure your consent preference is updated. We will confirm to you when we have acted on your withdrawal. Note: If a certain service is possible only with your consent to process certain data, withdrawing consent might mean we can no longer provide that service to you. We'll let you know if that's the case.
  • Right to Grievance Redressal: You have the right to complain about any issue or grievance regarding our processing of your personal data, and to have that grievance addressed in a timely manner. We have a dedicated grievance redressal mechanism (see Contact & Grievance Officer section below). You can reach out with your concerns – whether it's about a suspected misuse of data, a security incident, or an unresolved request regarding your rights. We will acknowledge your complaint and work to resolve it within the period prescribed by law. If you are not satisfied with our resolution, or if we fail to address your grievance within the prescribed time, you have the right to escalate the matter to the Data Protection Board. That said, we are confident we will be able to resolve most issues amicably before you need to approach the Board.

  • Right to Nominate (Posthumous Rights): You have the right to nominate a representative to exercise your data rights in the event of your death or incapacity. This means you can designate (in writing, as per applicable form/procedure) another individual who will have the authority to request access, correction, or deletion of your data on your behalf if you are no longer able to. This is a new right aimed at ensuring your data is handled according to your wishes even after your lifetime or if you become incapacitated. If you wish to set up such a nomination, please contact us for the procedure. We will likely require an official nomination letter/email from you naming the nominee and their contact details. In the unfortunate event that a Data Principal has passed away or is unable to act, the nominee can approach us with proof of their identity and authorization, and we will honor valid requests in line with the law.
  • Right to Data Portability: Where feasible, we will assist you in porting your data. For instance, you may request a copy of your medical records to share with another provider – we will provide you data in a common format that you can forward. We are working on interoperable systems to make such transfers smoother where possible. If future regulations mandate a formal portability right, we will incorporate that.
  • Right to be Informed: You have the right to be informed about the collection and use of your personal data (fulfilled by this Privacy Policy and any just-in-time notices we give). We endeavor to keep you informed whenever we collect new data or use it for a new purpose. If we make any significant changes in how we process your data, we will notify you (via an updated policy and/or direct communication).

 

Automated Decision Making

SecondMedic™ currently does not make any legally significant decisions about you purely by automated means. If in future we use automated algorithms for something that materially affects you, you will have rights related to such processing (like the right to seek human intervention or an explanation). We will update our Policy accordingly in that case.

 

Exercising Your Rights

You can exercise the above rights by contacting us through the channels provided in the Contact & Grievance Redressal section. To protect your privacy, we will need to verify your identity before fulfilling any requests (so we don't give your data to an imposter). For example, we may ask you to confirm some account details or use an OTP verification. For certain requests, if we have a self-service option (like an account settings page to download your data or update info), we will guide you to use that for faster resolution. Otherwise, upon receiving your request, we will respond as soon as possible and at most within the timeframe required by law. If we cannot fulfill your request (due to legal reasons or other specific grounds under law), we will provide an explanation. We will not discriminate against you for exercising your rights.

 

Fees

In general, we will handle your reasonable requests free of charge. However, if a request is manifestly unfounded or excessive (for example, repetitive requests without basis), the law allows us to either charge a reasonable fee (to cover administrative costs) or refuse the request. We will communicate any such decision clearly to you.

Your rights are very important and form the core of our consumer protection ethos. SecondMedic™ has established processes internally to ensure these rights are respected. If you need any assistance in understanding or exercising your rights, please let us know – we are here to help.

 

Updates to this Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, to incorporate new services, to align with legal or regulatory developments, or for other legitimate purposes. When we do so, we will change the "Last Updated" date at the bottom of this Policy. If there are substantial changes to the Policy, we will provide a more prominent notice (such as a banner on our website or an email notification) so that you are made aware of the updates.

Significant changes might include (for example) adding new categories of personal data we collect, changing how we use data, or updating your rights or our obligations under new laws. We encourage you to review this Policy periodically to stay informed about how we are protecting your information.

Your continued use of SecondMedic™'s services after any changes to this Privacy Policy constitutes acceptance of the updated terms (to the extent permitted by law). If required, we will seek fresh consent for new purposes of processing that are not covered by the original consent. We will also archive previous versions of this Policy and make them available for review, so you can see how our privacy commitments have evolved.

 

Contact & Grievance Redressal

SecondMedic™ has appointed a Grievance Officer to address any questions, concerns, or complaints you may have regarding your personal data or this Privacy Policy. If you have any queries about how we handle your data, or if you wish to exercise your rights, or if you have a grievance to report, please do not hesitate to contact us:

 

Grievance Officer – SecondMedic™

Name: Sanjay Adtani

Email: dpo@secondmedic.com

Postal Address: Office No 320, Plot No 17-18, Platinum Techno Park, Palm Beach Road, Vashi, Navi Mumbai, Thane, Maharashtra 400703, India.

Phone: +91-8447748545 (Customer Support Helpline)

 

Note: The above contact information is provided for privacy-related concerns. For general customer service queries, you may also use customer.support@secondmedic.com or the support number. However, for any formal grievances under the DPDP Act, please direct them to the Grievance Officer contact.

The Grievance Officer is responsible for redressing your complaints in a timely manner, as mandated by law. When you contact us, please provide sufficient details of your issue, and any relevant information that would help us address it (for example, the email or phone associated with your account, specific interaction details, etc.). We will acknowledge your complaint and attempt to resolve it expeditiously. Our goal is to settle all grievances within 30 days or the period prescribed by Govt. regulations. If we need more time (for instance, if a thorough investigation is required), we will inform you of the delay and the reason.

If you are not satisfied with our response, or if your grievance is not resolved within the prescribed time, you have the right to file a complaint with the Data Protection Board (DPB). However, we are committed to resolving issues directly and fairly, and we value the opportunity to fix any problems and improve our processes.

---

Last Updated: May 27, 2025. This Privacy Policy is effective as of this date and supersedes any prior privacy policy of SecondMedic™.
