Privacy Policy

Last updated: 2026-05-19 · Effective from: 2026-05-19

1. Introduction

This Privacy Policy explains how Omnithrive Technologies Private Limited (“Meditwin,” “we,” “our,” or “us”) collects, uses, stores, shares, and protects personal data — including sensitive personal data such as health and medical information — when you use the Meditwin website, mobile-friendly web application, or any related services (collectively, the “Services”).

We are committed to handling your data in accordance with applicable Indian law, including the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), and other applicable rules and regulations.

2. Who we are (Data Fiduciary)

For the purposes of the DPDP Act, the “Data Fiduciary” is:

Omnithrive Technologies Private Limited
#355, 6th Block, Anjanapura BDA Layout, Anjanapura, Bangalore, Karnataka, India, 560108
CIN: U62099KA2024PTC191540
PAN: AAECO4613L
Email: support@meditwin.ai

3. Personal data we collect

We collect only the data we need to provide the Services. The categories of personal data we process include:

3.1 Account & identity data

  • Full name, date of birth, gender
  • Email address and / or mobile phone number
  • Hashed password (we never store your password in plain text); or OAuth identity (for Google sign-in)
  • Family member profile information you choose to add
  • Record of acceptance of these Terms and Privacy Policy (version + timestamp)

3.2 Health and medical data (sensitive personal data)

  • Medical reports, lab results, prescriptions, discharge summaries, radiology images, and other documents you upload
  • Structured findings extracted from those documents (test values, dates, body zones, severity, AI-generated explanations)
  • Bills, invoices, and payment receipts you upload for expense tracking
  • Self-reported entries you add manually (symptoms, vitals, notes)
  • Optional fitness and lifestyle metrics you choose to provide (e.g. height, weight, activity level)

3.3 Usage & device data

  • IP address, approximate location (country / region only)
  • Browser type, device type, operating system
  • Pages visited, features used, error events (collected via PostHog product analytics; see “Sub-processors” below)

3.4 Payment data

Payments are processed exclusively by Razorpay Software Private Limited. We do not see or store your full card number, CVV, UPI PIN, or net-banking credentials. We retain only payment metadata: amount, currency, payment status, Razorpay order / payment IDs, and timestamps, for accounting and tax purposes.

3.5 Shared-history access data

If you grant a doctor access to your records via a shared link, we log the doctor's identity, the consent you provided, the scope of access, and the timestamps of access events for your audit trail.

4. How we use your data (Purposes)

  • Provide the Services: store your records, render the body-map, generate summaries, allow you to share with clinicians.
  • AI processing: extract structured findings from uploaded documents, generate plain-language explanations in English and Hindi, suggest possible next steps. See Section 6.
  • Account security: authenticate you, detect fraudulent activity, enforce rate limits.
  • Billing & credits: compute the per-use cost of AI features and debit your credit balance; bill via Razorpay when you recharge.
  • Customer support: respond to your queries, investigate issues you report.
  • Service improvement: aggregated and de-identified analytics on which features are used. We never use your raw medical data for product analytics.
  • Legal compliance: comply with applicable laws, respond to lawful requests from authorities, enforce our Terms.

5. Legal basis for processing

We process your personal data on one or more of these grounds:

  • Your consent, which you give explicitly at signup (captured with the version number and timestamp of the Terms / Privacy Policy you accepted) and at the point of uploading specific records. You may withdraw consent at any time (Section 11).
  • Performance of a contract with you (these Terms), including the legitimate purposes of running and improving the Services.
  • Compliance with law, where we are required to process data to meet a legal obligation.

6. How AI processing works

Meditwin uses third-party Large Language Models (LLMs) to analyse your uploaded documents and generate summaries. Specifically:

  • The current AI provider is Anthropic, PBC (United States), via the Claude model family (Claude Haiku and Claude Sonnet).
  • When you upload a document or trigger a summary, the relevant file or text is transmitted to Anthropic over an encrypted connection for processing.
  • Anthropic, as a contracted sub-processor, has committed in its API terms not to train its models on data submitted via the API. We do not authorise any other use of your data by Anthropic.
  • We cache AI-generated summaries in our own database keyed by a content fingerprint, so that re-opening a body-zone or dashboard view does not re-transmit your data to the LLM unnecessarily.
  • You can delete your records at any time, which removes them from our database. Cached summaries derived from those records are also deleted.

Because Anthropic processes data in the United States, your data is transferred internationally. See Section 10.

7. Sub-processors and data sharing

We share personal data only with the sub-processors and recipients listed below, and only to the extent necessary to provide the Services. We do not sell your data, and we do not share it for third-party advertising.

Recipient | Purpose | Region
Supabase, Inc. | Database, authentication, file storage hosting | India / Singapore region
Anthropic, PBC | AI summarisation of documents | United States
Razorpay Software Pvt. Ltd. | Payment processing | India
Twilio, Inc. | SMS / phone OTP delivery | United States
PostHog, Inc. | Product analytics (no health data sent) | European Union / United States
Resend (or equivalent) | Transactional email delivery | United States / EU
Vercel, Inc. | Application hosting / CDN | India edge / United States

Each sub-processor is bound by contractual obligations to maintain confidentiality and to process data only on our documented instructions.

We may also share data: (a) with clinicians you explicitly grant access to via the shared-history feature; (b) with family members on profiles you share; (c) when required by law, court order, or government authority; (d) in connection with a corporate transaction (merger, acquisition, sale of assets), subject to your rights being preserved.

8. Security measures

We implement “reasonable security practices and procedures” as required by the SPDI Rules and the DPDP Act. Our current measures include:

  • Encryption in transit: all traffic between your device, our servers, and our sub-processors is encrypted using TLS 1.2 or higher (HTTPS).
  • Encryption at rest: our managed Postgres database and object storage encrypt all data at rest using AES-256, managed by our infrastructure provider.
  • Row-level security: every table containing personal data is protected by row-level security policies that ensure each user can only read or modify their own data.
  • Content addressing: uploaded files are fingerprinted using SHA-256 to detect and prevent duplicate processing.
  • Authentication: passwords are stored using a modern adaptive hashing algorithm; phone-based OTP uses a time-limited, single-use code via Twilio Verify; Google sign-in uses OAuth 2.0.
  • Access control: employee access to production data is restricted, logged, and subject to least-privilege principles.
  • Audit trails: sensitive actions, including grants of access to clinicians and acceptance of these Terms, are logged with timestamps.
  • Breach notification: in the event of a personal-data breach with significant risk to you, we will notify you and the Data Protection Board of India in accordance with the DPDP Act timelines.

No system is perfectly secure. While we apply industry-standard safeguards, we cannot guarantee absolute security.

9. Data retention

We retain your personal data for as long as your account is active and for a reasonable period thereafter to comply with legal obligations (e.g., tax records under the Income-tax Act). Specifically:

  • Account data: retained while your account is open; deleted within 30 days of account deletion, except where retention is required by law.
  • Medical records you upload: retained until you delete them or your account, whichever is earlier.
  • Payment records: retained for at least 8 years from the end of the relevant financial year, to comply with Indian tax and accounting laws.
  • Anonymised analytics: may be retained indefinitely as it does not identify you.

10. International data transfers

Some of our sub-processors (notably Anthropic and Twilio) process data in the United States. By using the Services, you consent to the transfer of your personal data — including sensitive personal data — to jurisdictions outside India, subject to contractual safeguards we put in place with those sub-processors. The Central Government may from time to time notify countries to which transfers are restricted; we will update our practices accordingly.

11. Your rights as a Data Principal

Under the DPDP Act, you (the “Data Principal”) have the following rights:

  • Right to access a summary of the personal data we hold about you and the identities of recipients with whom we have shared it.
  • Right to correction of inaccurate or misleading data, and completion of incomplete data. You can update most data directly from your Profile page.
  • Right to erasure of personal data no longer necessary for the purpose for which it was collected. You can delete individual records or your entire account from the Profile page.
  • Right to grievance redressal through our Grievance Officer (Section 14).
  • Right to nominate another person to exercise these rights on your behalf in the event of your death or incapacity.
  • Right to withdraw consent at any time. Note that withdrawal does not affect the lawfulness of processing carried out before withdrawal, and may limit your ability to use parts of the Services.

To exercise these rights, email support@meditwin.ai or use the controls in your Profile. We will respond within the timelines set by applicable law.

12. Children

The Services are not directed at children under 18. If a parent or legal guardian creates a family profile for a minor in their care, the guardian represents that they have authority to do so under Section 9 of the DPDP Act and consents to our processing of the minor's data on the same terms as their own.

13. Cookies and similar technologies

We use strictly necessary cookies to maintain your authenticated session and to remember your language preference. We use PostHog for product analytics, which sets a first-party cookie to recognise return visits. We do not use third-party advertising cookies. You can clear cookies via your browser at any time; doing so will log you out.

14. Grievance Officer

In accordance with Rule 5(9) of the SPDI Rules and Section 8(10) of the DPDP Act, the name and contact details of our Grievance Officer are:

Shivakumar C
Grievance Officer, Omnithrive Technologies Private Limited
#355, 6th Block, Anjanapura BDA Layout, Anjanapura, Bangalore, Karnataka, India, 560108
Email: admin@omnithrivetech.com
Phone: +91 98802 83664

We acknowledge complaints within 24 hours of receipt and resolve them within 15 days. If you are not satisfied with the resolution, you may approach the Data Protection Board of India.

15. Changes to this Policy

We may revise this Privacy Policy from time to time. The version number you accepted at signup is stored on your profile; if a new version is published, we will prompt you to re-confirm acceptance. The current version is 2026-05-19.

16. Contact

Questions about this Policy can be sent to support@meditwin.ai.