Privacy Policy
Last Updated: 24 Nov 2025
This Privacy Policy explains how MyVitalRx Health Inc. (USA) and MyVitalRx Health Private Limited (India) collect, use, store, process, disclose, and protect your information when you use our mobile apps, web portals, telehealth systems, remote patient monitoring (RPM) services, and associated healthcare platforms. This version includes full updates to incorporate Razorpay payment gateway integration.
Table of Contents
- 1. Introduction
- 2. Scope
- 3. Definitions
- 4. Information We Collect
- 5. How We Use Your Information
- 6. Consent
- 7. Data Sharing and Disclosure
- 8. Data Storage and Security
- 9. User Rights
- 10. Children's Privacy
- 11. Cookies & Tracking
- 12. Data Breach Notification
- 13. Marketing Communications
- 14. Changes to This Policy
- 15. Contact Information
- 16. Payments, Refunds & Financial Transactions
1. Introduction
This Privacy Policy (“Policy”) describes how MyVitalRx Health Inc. (a company incorporated in the United States) and MyVitalRx Health Private Limited (a company incorporated in India) (collectively referred to as “MyVitalRx,” “we,” “our,” or “us”) collect, use, store, share, and protect your personal and health information when you use any of our digital products and services.
This Policy applies to:
- The MyVitalRx mobile application (“App”) for patients and caregivers
- The MyVitalRx.com web portal for healthcare professionals, hospitals, laboratories, dieticians, and other authorized entities
- Any other online services, tools, or platforms operated by MyVitalRx (collectively, the “Services”)
We are committed to protecting your privacy and ensuring the security of your personal and health information in compliance with applicable laws, including but not limited to:
- United States: Health Insurance Portability and Accountability Act (HIPAA) and other relevant federal/state privacy laws
- India: Information Technology Act, 2000; Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; Digital Personal Data Protection Act, 2023 (DPDP Act)
- Other applicable data protection laws depending on the user’s location
When you use our Services, the data controller will be:
- MyVitalRx Health Inc. for users located in the United States and other countries (except India)
- MyVitalRx Health Private Limited for users located in India
Your use of the Services is also subject to our Terms of Use, which should be read together with this Privacy Policy.
BY ACCESSING OR USING ANY OF OUR SERVICES, OR BY OTHERWISE PROVIDING US WITH YOUR INFORMATION, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREED TO THIS PRIVACY POLICY, AND YOU AGREE TO BE BOUND BY ITS TERMS. YOU HEREBY CONSENT TO OUR COLLECTION, USE, STORAGE, DISCLOSURE, AND PROCESSING OF YOUR INFORMATION AS DESCRIBED IN THIS PRIVACY POLICY AND, WHERE APPLICABLE, IN OUR TERMS OF USE. IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY AT ANY TIME, PLEASE DO NOT USE ANY OF OUR SERVICES OR PROVIDE US WITH ANY OF YOUR INFORMATION.
IF YOU USE THE SERVICES ON BEHALF OF ANOTHER INDIVIDUAL (SUCH AS A MINOR OR A PATIENT) OR ON BEHALF OF AN ENTITY (SUCH AS A HOSPITAL OR CLINIC), YOU REPRESENT AND WARRANT THAT YOU ARE AUTHORIZED TO (i) ACCEPT THIS PRIVACY POLICY ON THEIR BEHALF, AND (ii) PROVIDE CONSENT ON THEIR BEHALF TO OUR COLLECTION, USE, STORAGE, AND DISCLOSURE OF THEIR INFORMATION AS DESCRIBED IN THIS PRIVACY POLICY.
WE RESERVE THE RIGHT TO MODIFY OR UPDATE THIS PRIVACY POLICY AT OUR SOLE DISCRETION AT ANY TIME. CHANGES WILL BE EFFECTIVE UPON POSTING ON OUR SERVICES UNLESS OTHERWISE REQUIRED BY LAW.
Access to and use of the Services is conditional upon your acceptance of this Privacy Policy. If you do not agree to this Privacy Policy, you must not use the Services.
2. Scope
This Privacy Policy applies to all individuals and entities (“Users”) who access, use, or interact with our Services, regardless of the device or platform used, including but not limited to:
- The MyVitalRx mobile application for patients, caregivers, and authorized individuals
- The MyVitalRx.com web portal for healthcare professionals, hospitals, laboratories, dieticians, pharmacists, and other authorized staff
- Any other websites, mobile sites, applications, tools, or online services operated by MyVitalRx Health Inc. or MyVitalRx Health Private Limited
This Policy applies to Users in all locations, subject to applicable local laws. Depending on your location, either MyVitalRx Health Inc. or MyVitalRx Health Private Limited will act as the data controller for your personal and health information.
The term “User” includes, but is not limited to:
- Patients who use our App or Services for booking appointments, receiving healthcare services, accessing medical records, managing prescriptions, or related activities
- Friends, family members, and other authorized individuals who assist in managing a patient’s care or access the Services on behalf of a patient
- Healthcare providers such as doctors, dieticians, therapists, and specialists who use our web portal or other platforms to deliver healthcare services
- Pharmacists and authorized pharmacy staff who access prescription and medication-related information through our Services
- Hospital, laboratory, and clinic staff who use our Services for scheduling, diagnostics, reporting, or administrative purposes
- Caregivers and authorized representatives acting in a formal or informal capacity on behalf of a patient
- Business partners, vendors, and third-party service providers who interact with our systems for service delivery
This Privacy Policy does not apply to:
- Third-party websites, services, or applications that may be linked from our Services, unless explicitly stated
- Data collected by third parties outside the scope of our contractual relationship with them
- Offline interactions with healthcare providers, pharmacists, or staff outside the use of our Services
We encourage you to review the privacy practices of any third-party services you access through our platforms, as we are not responsible for their privacy policies or practices.
3. Definitions
For the purposes of this Privacy Policy, the following terms shall have the meanings set out below. Words not defined here shall have the meanings assigned to them under applicable laws.
3.1 “Personal Information” (PI)
Information that can identify you directly or indirectly, either alone or in combination with other information. This includes, but is not limited to:
- Basic identifiers such as name, date of birth, gender, address, email, and phone number
- Government-issued identification numbers (e.g., Aadhaar, PAN, passport, driver’s license, or medical registration number)
- Login credentials and account details
- Device identifiers such as IP address, mobile device ID, IMEI, or MAC address
Depending on your jurisdiction, certain categories of Personal Information may also be classified as Sensitive Personal Data or Information (SPDI) under Indian law (see Section 3.2) or as Protected Health Information (PHI) under US law (see Section 3.3).
3.2 “Sensitive Personal Data or Information” (SPDI) — India Only
As defined under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, SPDI is a subset of Personal Information and includes:
- Passwords
- Financial information such as bank account, credit card, or debit card details
- Physical, physiological, and mental health condition
- Medical records and history, including EMR and e-prescriptions
- Biometric information
- Any detail relating to the above categories provided for delivering services
For users located in India, processing of SPDI requires express consent, and is subject to the Digital Personal Data Protection Act, 2023 and other applicable Indian regulations.
3.3 “Personal Health Information” (PHI) — as per US HIPAA
As defined under the Health Insurance Portability and Accountability Act (HIPAA), PHI refers to individually identifiable health information that relates to:
- The individual’s past, present, or future physical or mental health condition
- The provision of healthcare to the individual
- Payment for the provision of healthcare
PHI includes data such as medical history, diagnostic reports, prescriptions, treatment plans, lab results, imaging, RPM device readings, and telehealth records, when linked to an identifiable individual.
3.4 “Electronic Medical Record” (EMR)
A digital record of a patient’s medical history, diagnoses, treatment plans, test results, medications, allergies, and other clinical data created and maintained by healthcare providers using our Services.
3.5 “e-Prescription”
A digital prescription created, transmitted, and stored through our Services by authorized healthcare providers, containing details of prescribed medications, dosage instructions, and related clinical information.
3.6 “Device Information”
Technical and operational data about the devices you use to access our Services, including:
- Mobile devices, tablets, computers, or web-enabled devices
- Unique device identifiers (IMEI, MAC address, serial number)
- Operating system type and version
- Browser type and version
- Network information and IP address
- For connected health devices: device model, serial number, manufacturer, firmware version, and operational status
- Sensor and usage data from medical devices (e.g., blood pressure monitors, glucose meters, pulse oximeters, weight scales, ECG devices, activity trackers, and other RPM devices)
3.7 “Data Controller”
The entity that determines the purposes and means of processing Personal Information.
- For users located in the United States and other countries (except India), the Data Controller is MyVitalRx Health Inc.
- For users located in India, the Data Controller is MyVitalRx Health Private Limited
3.8 “Data Processor”
Any person or entity that processes Personal Information on behalf of the Data Controller, in accordance with the Controller’s instructions.
3.9 “Processing”
Any operation performed on Personal Information, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
3.10 “Services”
All products, platforms, applications, websites, tools, and related services operated by MyVitalRx Health Inc. and MyVitalRx Health Private Limited, including but not limited to the MyVitalRx mobile app, MyVitalRx.com web portal, telehealth platforms, remote patient monitoring systems, EMR systems, e-prescription tools, and any future enhancements or additions.
3.11 “User”
Any individual or entity that accesses or uses the Services, including but not limited to patients, friends/family/authorized individuals, healthcare providers, pharmacists, laboratory staff, hospital/clinic staff, caregivers, business partners, and third-party service providers.
4. Information We Collect
We collect different types of information depending on your role, the Services you use, and the applicable legal requirements. This includes information you provide directly, information we collect automatically, and information received from third parties.
4.1 Information Provided Directly by You
A. For Patients and Authorized Individuals (Friends, Family, Caregivers)
- Personal identifiers: Name, date of birth, gender, address, phone number, email
- Identity verification details: Government-issued ID (Aadhaar, PAN, passport, driver’s license)
- Health-related information:
  - Medical history, current health conditions, allergies
  - Clinical notes and diagnostic details shared during consultations
  - Reports, images, and other diagnostic results uploaded by you
- Insurance details (policy numbers, coverage information)
- Telehealth-specific details:
  - Symptoms and medical concerns submitted for virtual consultation
  - Communication records (chat, voice, video recordings if applicable and permitted by law)
- Remote Patient Monitoring (RPM) details:
  - Health readings from connected devices (blood pressure, glucose levels, oxygen saturation, weight, ECG, activity data)
B. For Healthcare Providers (Doctors, Dieticians, Therapists)
- Professional identifiers: Name, medical registration/license number, specialty, qualifications
- Practice details: Clinic/hospital name, address, contact details, working hours
- Credentials for access to EMR and e-prescription systems
- Consultation notes, diagnosis details, and treatment plans entered into EMR
- E-prescriptions created, transmitted, or updated via our Services
C. For Pharmacists
- Professional identifiers: Name, license/registration number, pharmacy name and address, contact details
- Prescription processing details:
  - E-prescriptions received and fulfilled
  - Dispensing records
  - Medication stock and batch details (if integrated into Services)
D. For Hospital, Laboratory, and Clinic Staff
- Name, role, and contact details
- Scheduling, diagnostic, and reporting data entered or accessed
- Administrative notes and patient workflow management information
4.2 Information Collected Automatically
When you use our Services, we automatically collect:
- Device information: Device model, unique identifiers (IMEI, MAC address, serial number), operating system, browser type, IP address, network type, language settings
- Usage data: Pages viewed, features used, actions performed, date and time of access, session duration, crash reports, and performance diagnostics
- Telehealth interaction metadata: Call duration, connection quality, participant details (but not content of calls unless recorded with consent)
- Location information: If enabled, we may collect location data to connect you with nearby healthcare providers, pharmacies, or laboratories
4.3 Information Received from Third Parties
We may receive information about you from:
- Linked hospitals, clinics, laboratories, and pharmacies
- Health insurance providers (for eligibility, claims, and coverage validation)
- Third-party medical device manufacturers or integrators in RPM programs
- Partner platforms or service providers you interact with through our Services
- Government health programs or registries, where authorized by law
- We may receive health, fitness, and activity data from third-party platforms or devices you choose to connect to our Services, including but not limited to Apple Health, Google Fit, Garmin, and similar applications or wearables. This may include step count, activity type and duration, heart rate, sleep data, weight, body composition, and other health metrics. Such data is accessed only with your explicit permission, and you may revoke access at any time through the settings of the respective platform or our Services.
- If you choose to connect Google Fit or other Google API-enabled services, our use and transfer of information received from those services will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
4.4 EMR and e-Prescription Data
When you use EMR or e-prescription features, we may collect, store, and process:
- Patient demographics, medical history, current health conditions
- Clinical notes, diagnostic results, treatment plans
- Medication names, dosages, frequencies, and administration instructions
- Prescriber information, dispensing status, and related communications
- Attachments such as lab reports, imaging results, or supporting documents
4.5 Optional and Consent-Based Information
Certain features of our Services may request optional information, such as:
- Health and wellness tracking data (diet logs, exercise logs)
- Lifestyle questionnaires and preventive health assessments
This information will be collected and processed only with your explicit consent.
4.6 Special Categories of Data
We treat all Sensitive Personal Data or Information (SPDI) and Personal Health Information (PHI) in accordance with applicable laws, applying heightened safeguards for:
- Medical records and history
- Biometric information
- Data from connected medical devices
- Prescription and diagnostic data
4.7 Permissions and Device Access
To deliver certain features of the Services, we may request access to specific device functions, always with your explicit consent at the time of use:
- Camera: For uploading medical records, capturing profile photos, scanning QR codes for device pairing, or using camera-based health features (e.g., heart rate monitoring).
- Microphone/Audio: For telehealth consultations, voice notes, or other audio interactions within the Services.
- File Storage: For uploading, saving, or sharing medical records and related documents. We do not scan or access any other files without your explicit selection.
- Location: Used only for secure pairing of certain connected health devices and requested only at the time of pairing. Location data is not stored or used for any other purpose.
5. How We Use Your Information
We use the information we collect for purposes directly related to providing and improving our Services, fulfilling our legal obligations, and protecting your safety and privacy. The purposes may vary depending on your role (patient, authorized individual, healthcare provider, pharmacist, or staff).
5.1 For Patients and Authorized Individuals (Friends, Family, Caregivers)
- To create and manage your account on the MyVitalRx mobile app or web portal
- To verify your identity and eligibility for healthcare services
- To schedule, manage, and confirm appointments (in-person or virtual)
- To provide telehealth consultations, including chat, audio, and video interactions
- To store, update, and make available your medical history, diagnostic results, and treatment plans in your Electronic Medical Record (EMR)
- To process and track prescriptions and medication orders
- To receive, store, and display data from Remote Patient Monitoring (RPM) devices, such as blood pressure monitors, glucose meters, ECG devices, pulse oximeters, and other connected health devices
- To send you reminders for medications, upcoming appointments, lab tests, or health check-ins
- To facilitate secure communication with healthcare providers, pharmacists, and laboratory staff
- To import and display health and fitness data from third-party platforms (e.g., Apple Health, Google Fit, Garmin, Fitbit) to enrich your health records, support remote monitoring, and help healthcare providers better understand your health trends.
5.2 For Healthcare Providers (Doctors, Dieticians, Therapists)
- To verify your professional credentials and enable secure access to our Services
- To allow you to create, update, and maintain Electronic Medical Records for patients
- To enable the creation, transmission, and management of e-prescriptions
- To facilitate secure communication with patients, other healthcare professionals, pharmacists, and laboratories
- To integrate your notes, diagnostic orders, and treatment plans into the patient’s EMR
- To provide you with relevant patient history, test results, and device-generated health data during consultations
- To support telehealth services and remote patient monitoring programs
5.3 For Pharmacists
- To receive and process e-prescriptions from authorized healthcare providers
- To verify prescription authenticity and patient details before dispensing
- To record dispensing details and update prescription fulfillment status
- To securely communicate with healthcare providers and patients regarding medication-related queries or substitutions
5.4 For Hospital, Laboratory, and Clinic Staff
- To manage patient appointments, diagnostic orders, and reporting workflows
- To upload, store, and share diagnostic reports and images securely
- To update treatment progress or administrative notes in the EMR
- To coordinate with healthcare providers, pharmacists, and patients as required
5.5 For Operational, Legal, and Administrative Purposes
- To operate, maintain, and improve our Services, including app and portal performance
- To provide customer support and technical assistance
- To conduct audits, quality control, and security reviews
- To comply with applicable legal and regulatory requirements, including data retention laws
- To detect, prevent, and investigate fraud, misuse, unauthorized access, and other harmful activity
- To enforce our Terms of Use and other agreements
5.6 For Research, Analytics, and Service Improvement
- To analyze anonymized and aggregated data to improve our Services, clinical outcomes, and user experience
- To conduct statistical analysis and prepare internal business reports
- To support medical research or public health initiatives, only with required consent and in compliance with applicable laws
5.7 With Your Explicit Consent
We may use your information for additional purposes not listed above, but only after obtaining your explicit, informed consent. You may withdraw your consent at any time, subject to legal and contractual restrictions.
6. Consent
We process your Personal Information, Sensitive Personal Data or Information (SPDI), and Personal Health Information (PHI) only where we have a lawful basis to do so under applicable laws. In most cases, that basis will be your consent, which you provide in one or more of the following ways:
6.1 When You Provide Consent
You provide consent when you:
- Create an account or profile on our mobile app or web portal
- Submit personal or health information during registration or while using our Services
- Book an appointment, initiate a telehealth consultation, or share health readings from RPM devices
- Enter or update information in your Electronic Medical Record (EMR) or create an e-prescription
- Upload diagnostic reports, images, or related documents
- Accept this Privacy Policy and/or our Terms of Use during sign-up or continued use of the Services
6.2 Implied Consent by Use
By accessing or using our Services, or by otherwise providing us with your information, you consent to the collection, use, storage, processing, and disclosure of that information in accordance with this Privacy Policy and applicable laws.
6.3 Consent for Minors
- If you are under 18 years of age (or the legal age of majority in your jurisdiction), you may use our Services only with the involvement of a parent or legal guardian.
- We require that the parent or guardian provide consent on behalf of the minor for the collection, use, and disclosure of the minor’s information.
- The parent or guardian must also consent to the creation and maintenance of the minor’s EMR and any e-prescriptions issued for them.
6.4 Consent When Acting for Another Individual
If you are a friend, family member, caregiver, or authorized representative acting on behalf of a patient:
- You confirm that you have the authority to provide consent on behalf of that individual.
- You agree to provide only accurate and necessary information to manage that individual’s care.
6.5 Withdrawal of Consent
You may withdraw your consent at any time by contacting us at support@myvitalrx.com. Upon withdrawal of consent:
- We will stop processing your information for the purposes for which consent was given.
- Certain services may no longer be available to you.
- We may still retain and process your information as required by applicable laws or contractual obligations (for example, to comply with medical record retention laws).
6.6 Special Consent for Telehealth, EMR, e-Prescriptions, and RPM
By using these specific features, you expressly consent to:
- The collection, storage, and sharing of your medical history, treatment notes, prescriptions, and device readings with authorized healthcare providers, pharmacists, laboratories, and other authorized personnel involved in your care.
- The transmission of your health information through secure electronic channels for consultations, prescriptions, and remote monitoring.
7. Data Sharing and Disclosure
We do not sell your Personal Information, Sensitive Personal Data or Information (SPDI), or Personal Health Information (PHI) to third parties. We share your information only as described below, and always in compliance with applicable laws and with appropriate safeguards in place.
7.1 With Your Healthcare Team
We may share your information with:
- Healthcare providers (e.g., doctors, dieticians, therapists) involved in your care
- Pharmacists and authorized pharmacy staff for prescription fulfillment
- Hospital, laboratory, and clinic staff for diagnostics, reporting, and care coordination
- Caregivers, friends, family, or authorized representatives you have designated to assist in managing your care
This sharing ensures that your healthcare team has the information necessary to provide safe, effective, and coordinated services.
7.2 With Third-Party Health and Fitness Platforms
If you choose to connect your account to third-party platforms such as Apple Health, Google Fit, Garmin, or similar services:
- We may receive health, fitness, and activity data from these platforms (e.g., steps, heart rate, sleep, weight, exercise details)
- We may share relevant health information back to these platforms (e.g., weight records, blood pressure readings), but only if you explicitly enable this option in your account settings
- Your use of these integrations is subject to both this Privacy Policy and the third party’s own privacy policy
- You may revoke access at any time via the settings of the respective platform or our Services
7.3 With Third-Party Service Providers
We may share your information with trusted third-party vendors who help us operate and maintain our Services, including:
- Cloud hosting providers
- Telecommunication service providers for telehealth sessions
- Payment processors for billing and subscription management
- Technical support and analytics providers
These service providers are contractually bound to use your data only as necessary to provide their services to us and in compliance with applicable data protection laws.
7.4 For Legal and Regulatory Compliance
We may disclose your information:
- To comply with applicable laws, regulations, legal processes, or enforceable governmental requests
- To report certain diseases or conditions to public health authorities, as required by law
- To respond to valid legal claims, subpoenas, warrants, or court orders
- To enforce our Terms of Use or protect our rights, safety, and property, or the rights, safety, and property of others
7.5 In Corporate Transactions
In the event of a merger, acquisition, asset sale, or similar corporate transaction, your information may be transferred to the acquiring entity, subject to this Privacy Policy.
7.6 With Your Explicit Consent
We may share your information for purposes not listed above, but only after obtaining your explicit, informed consent.
Confidentiality: We treat all Personal Information, Sensitive Personal Data or Information (SPDI), and Personal Health Information (PHI) as confidential and will not disclose it to any third party except as permitted under this Privacy Policy, required by law, or with your explicit consent.
8. Data Storage and Security
We take appropriate technical, administrative, and organizational measures to protect your Personal Information, Sensitive Personal Data or Information (SPDI), and Personal Health Information (PHI) against unauthorized access, use, alteration, disclosure, or destruction.
8.1 Data Storage Location
All Personal Information, SPDI, and PHI collected through our Services is stored on secure cloud infrastructure provided by Amazon Web Services (AWS), located in the United States of America.
- AWS complies with recognized industry standards such as ISO 27001, SOC 2, and, where applicable, HIPAA security requirements.
- By using our Services, you acknowledge and consent that your data will be transferred to, processed, and stored in the United States, regardless of your country of residence.
- For users located in India, MyVitalRx Health Private Limited remains the Data Controller of your information. However, your data will be transferred to and stored in the United States on secure AWS infrastructure. Such transfers are made in compliance with the Digital Personal Data Protection Act, 2023, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, with contractual and technical safeguards in place to protect your data.
8.2 Security Measures
We use industry-standard security practices to protect your data, including but not limited to:
- Encryption in transit and at rest for all PHI, EMR, e-prescriptions, and device data
- Access controls with role-based permissions for patients, providers, pharmacists, laboratories, and staff
- Multi-factor authentication (MFA) for healthcare provider, pharmacist, and admin accounts
- Audit trails to log all access to EMR, e-prescriptions, and other sensitive data
- Regular security assessments and penetration testing of our platforms
- Firewalls and intrusion detection systems to prevent unauthorized access
8.3 Safeguards for Remote Patient Monitoring (RPM) and Device Data
- All data from connected medical devices, Apple Health, Google Fit, Garmin, or similar integrations is transmitted via secure, encrypted channels.
- Device identifiers and readings are stored separately from unrelated account data wherever possible, to minimize re-identification risk.
- Device integrations can be disabled by you at any time through account settings.
8.4 Data Retention
- We retain your Personal Information, SPDI, and PHI only for as long as necessary to provide the Services, fulfill legal and regulatory obligations, resolve disputes, and enforce agreements.
- Certain medical records may need to be retained for a legally mandated period (e.g., under Indian Clinical Establishments Rules or US state retention laws), even after account closure.
- Once the retention period ends, data will be securely deleted or anonymized.
8.5 Your Role in Security
While we take reasonable steps to protect your data, security also depends on you:
- Keep your account credentials confidential and do not share them with others.
- Use strong passwords and enable multi-factor authentication where available.
- Immediately notify us if you suspect unauthorized access to your account.
9. User Rights
You have certain rights regarding your Personal Information, Sensitive Personal Data or Information (SPDI), and Personal Health Information (PHI) under applicable data protection and healthcare privacy laws. These rights may vary depending on your country of residence.
9.1 Rights Under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and SPDI Rules
If you are located in India, you have the following rights:
- Right to Access: Request details of the Personal Information and SPDI we hold about you.
- Right to Correction: Request correction of inaccurate or incomplete information.
- Right to Erasure: Request deletion of your information, subject to legal or contractual obligations that require us to retain certain data (e.g., medical record retention laws).
- Right to Withdraw Consent: Withdraw your consent to processing your data at any time, subject to applicable laws.
- Right to Nominate: Nominate another individual to exercise your rights in the event of your death or incapacity.
- Right to Grievance Redressal: File a complaint with our designated Grievance Officer if you believe your rights have been violated.
9.2 Rights Under United States HIPAA
If you are located in the United States, you have the following rights with respect to your PHI:
- Right to Access: Receive a copy of your PHI, including electronic copies of your EMR and e-prescriptions.
- Right to Amendment: Request that we amend your PHI if it is inaccurate or incomplete.
- Right to an Accounting of Disclosures: Request a list of certain disclosures of your PHI made in the past six years.
- Right to Request Restrictions: Request restrictions on the use or disclosure of your PHI, though we are not always required to agree to these requests.
- Right to Confidential Communications: Request to receive PHI through alternative means or at alternative locations.
- Right to Complain: File a complaint with us or with the U.S. Department of Health and Human Services (HHS) if you believe your HIPAA privacy rights have been violated.
9.3 How to Exercise Your Rights
You can exercise your rights by contacting us at:
Email: support@myvitalrx.com
Postal Address:
1600 N Milwaukee Ave, #1118
Vernon Hills - 60061-1574
United States (US)
Attention: Data Protection Officer / Privacy Officer
When making a request, please include:
- Your full name and contact details
- A clear description of your request
- Proof of identity (or proof of authority if acting on behalf of someone else)
We will respond to your request within the timeframe required by applicable law.
- In India: As per DPDP Act timelines.
- In the United States: Within the timelines set by HIPAA (generally 30 days).
9.4 Limitations
Your rights may be subject to certain legal limitations. For example, we may not be able to delete your information if retention is required by law (e.g., medical record retention regulations) or if it is necessary to resolve disputes, enforce agreements, or protect our legal rights.
10. Children’s Privacy
We are committed to protecting the privacy of children and complying with applicable laws regarding the collection and processing of minors’ data, including the Digital Personal Data Protection Act, 2023 (India) and the Children’s Online Privacy Protection Act (COPPA) (United States).
10.1 Age Restrictions
- In India, our Services are not intended for children under 18 years of age without the involvement of a parent or legal guardian.
- In the United States, our Services are not intended for children under 13 years of age without verified parental consent, and minors under 18 years must still have parental or guardian oversight for healthcare services.
10.2 Parental/Guardian Consent
If a patient is a minor under applicable law:
- A parent or legal guardian must create and manage the account on behalf of the minor.
- The parent or guardian must provide consent for:
- Collection, storage, and use of the minor’s Personal Information, SPDI, and PHI
- Creation and maintenance of the minor’s Electronic Medical Record (EMR)
- Issuance of e-prescriptions
- Participation in telehealth consultations and remote patient monitoring programs
- We may require verification of parental/guardian identity before enabling the account.
10.3 Information Collected from Minors
With verified parental/guardian consent, we may collect:
- Basic personal identifiers (name, date of birth, gender)
- Health and medical information relevant to the patient’s care
- Data from RPM devices used in pediatric care
- E-prescription details and related clinical notes
We do not knowingly collect more information than is reasonably necessary to provide the healthcare services requested.
10.4 Withdrawal of Consent
A parent or guardian may withdraw their consent at any time by contacting us at support@myvitalrx.com. Upon withdrawal of consent:
- We will stop processing the minor’s information for the purposes for which consent was given.
- Certain healthcare services may no longer be available to the minor.
- We may still retain and process certain information if required by law (e.g., pediatric medical record retention requirements).
10.5 Prohibited Activities
We do not:
- Directly market to minors
- Use minors’ data for targeted advertising
- Disclose minors’ data to third parties for marketing or non-healthcare purposes
11. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to improve your experience, enhance security, and understand how our Services are used. These technologies may operate differently depending on whether you are using our mobile application, web portal, or other connected services.
11.1 What Are Cookies and Tracking Technologies?
- Cookies are small text files stored on your browser or device that help us remember your preferences and settings.
- Local storage and session storage are browser-based storage mechanisms for maintaining information during your visit or across visits.
- Pixel tags, web beacons, and JavaScript are technologies that help us understand how you interact with our Services and whether our communications are effective.
- SDKs (Software Development Kits) are used in our mobile applications for analytics, crash reporting, and integration with third-party services such as Apple Health, Google Fit, or Garmin.
11.2 Types of Cookies and Technologies We Use
- Strictly Necessary Cookies – Required for core functionality, such as authentication, security, and privacy settings. These cannot be disabled.
- Performance and Analytics Cookies – Help us understand usage patterns, measure performance, and improve our Services.
- Functional Cookies – Remember user preferences, such as language and accessibility settings.
- Integration and Device Connectivity – Enable secure data exchange with connected health and fitness platforms (e.g., Apple Health, Google Fit, Garmin, Fitbit).
- Security and Fraud Prevention Tools – Detect suspicious activity and protect against unauthorized access.
11.3 How We Use These Technologies
We use cookies and tracking technologies to:
- Maintain your session and securely authenticate you
- Remember your preferences and settings across visits
- Monitor system performance and detect technical issues
- Analyze aggregate usage trends to improve Services
- Enable device and third-party health platform integrations
- Secure our Services against fraud and misuse
11.4 Third-Party Analytics and Services
We may use third-party analytics tools (e.g., Google Analytics, AWS CloudWatch, or similar) to gather non-identifying usage data.
- These third parties may set their own cookies or tracking technologies in your browser or app.
- Any data shared with these services is either aggregated, anonymized, or de-identified to prevent direct identification of users.
11.5 Your Choices
- Web Users: You can adjust your browser settings to block or delete cookies. However, disabling certain cookies may affect functionality.
- Mobile App Users: You can manage tracking preferences via in-app settings or through your device’s privacy settings.
- Third-Party Integrations: You can enable or disable connections to Apple Health, Google Fit, Garmin, or similar platforms at any time through account settings.
12. Data Breach Notification
We take data breaches very seriously and have procedures in place to detect, investigate, and respond promptly to any actual or suspected unauthorized access, use, or disclosure of Personal Information, Sensitive Personal Data or Information (SPDI), or Personal Health Information (PHI).
12.1 What Constitutes a Data Breach
A “data breach” means any confirmed or reasonably suspected incident that results in:
- Unauthorized access to, or acquisition of, unencrypted or unprotected personal or health data
- Loss, alteration, or destruction of data in a manner that compromises its confidentiality, integrity, or availability
- Unauthorized disclosure of EMR, e-prescription, RPM device data, or other PHI
12.2 Detection and Investigation
- We use monitoring tools, audit logs, and intrusion detection systems to identify potential breaches.
- Once a breach is suspected, it is immediately escalated to our Security and Privacy teams for investigation.
- We assess the scope, cause, and impact of the incident, and take containment measures to prevent further risk.
12.3 Notification to Users
If a breach is likely to result in a risk to your rights and freedoms, we will notify you as soon as practicable and in accordance with applicable laws:
- India: In compliance with the Digital Personal Data Protection Act, 2023 and any applicable CERT-In guidelines.
- United States: In compliance with the HIPAA Breach Notification Rule, affected individuals will be notified without unreasonable delay and no later than 60 days after discovery of the breach.
- Notification will include:
- A description of the incident
- The categories of information involved
- Steps we are taking to address the breach
- Steps you can take to protect yourself
- Our contact details for further information
12.4 Notification to Authorities
We will notify relevant data protection authorities, regulators, or other required government bodies as mandated by law in each jurisdiction.
12.5 Remedial Actions
Following a breach, we may:
- Reset affected account credentials
- Implement additional technical safeguards
- Conduct post-incident reviews and security enhancements
- Provide guidance to affected users on mitigating potential harm
13. Marketing Communications
13.1 Marketing Communications and Opt-Out
We may send you promotional or marketing communications related to new features, services, or offers that we believe may interest you.
- You can opt out of receiving such communications at any time by using the unsubscribe link in the email or by contacting us at support@myvitalrx.com
- Even if you opt out of promotional messages, we may still send you non-promotional communications, such as service notifications, account updates, or legal notices.
14. Changes to This Privacy Policy
We may update or modify this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features of our Services.
14.1 How We Will Notify You
- Minor changes (e.g., clarifications, formatting updates) will be reflected by updating the “Last Updated” date at the top of this Privacy Policy.
- Material changes (e.g., changes to how we collect, use, or share data; new categories of data; significant changes in user rights) will be communicated to you through:
- Email notifications (where we have your email address)
- In-app or portal notifications
- A prominent notice on our website and/or mobile app
14.2 Effective Date of Changes
- Changes will take effect on the date specified in the updated Privacy Policy.
- Continued use of our Services after the effective date constitutes your acceptance of the updated Privacy Policy.
- If you do not agree to the changes, you should discontinue use of our Services and contact us to exercise your data rights.
14.3 Version Control
We will maintain a version history of this Privacy Policy, which can be made available upon request, so you can review past versions.
15. Contact Information
If you have any questions, concerns, or complaints about this Privacy Policy, our data handling practices, or your privacy rights, you may contact our designated Data Protection Officer (DPO) or Privacy Officer.
15.1 For Users in the United States and Other Countries (except India)
Entity: MyVitalRx Health Inc.
Attention: Privacy Officer
Email: support@myvitalrx.com
Postal Address:
1600 N Milwaukee Ave
Vernon Hills - 60061-1574
United States (US)
15.2 For Users in India
Entity: MyVitalRx Health Private Limited
Attention: Data Protection Officer / Grievance Officer (as per DPDP Act and SPDI Rules)
Email: support@myvitalrx.com
Postal Address:
PC1/7 Work Yard, Plot No. 337, Business & Industrial Park, Industrial Area
Chandigarh - 160002
15.3 Additional Contact Options
- In-App Support: You may also contact us via the help/support feature in the MyVitalRx mobile app or web portal.
- Regulatory Complaints: If you are not satisfied with our response, you may lodge a complaint with your local data protection authority or health privacy regulator (such as the U.S. Department of Health and Human Services in the United States or the Data Protection Board of India).
Sections 14 and 15 above have been updated to reflect the payment integration described in Sections 16 to 27 and any new legal requirements; the contact details in Section 15 also apply to payment-related inquiries.
16. Payments, Refunds & Financial Transactions (NEW)
16.1 Payments
All payments are processed securely by Razorpay. By making a payment, you also accept Razorpay’s terms and Privacy Policy.
16.2 Refunds & Chargebacks
- Refund execution follows Razorpay's refund workflows.
- We store only non-sensitive transaction metadata (for example, order and payment identifiers, amounts, and refund status); card numbers and other payment credentials are held by Razorpay, not by us.
- Refund processing times depend on the payment method and on your bank or payment provider.
16.3 Fraud Detection
Razorpay independently performs fraud analysis. We may share transaction metadata as needed to prevent fraud or resolve disputes.
17. Payment Processor Details & Subprocessors (NEW)
Primary Payment Processor: Razorpay Software Pvt. Ltd.
Razorpay may engage subprocessors and partners to provide payment infrastructure, risk and fraud detection, settlement, and related services. We require all subprocessors to apply appropriate security controls and only process payment data in accordance with Razorpay’s and our instructions.
18. Legal Basis for Payment Processing (NEW)
Where applicable (for example, under the GDPR or local data protection laws that require a lawful basis for processing), our legal bases for processing payment data include:
- Performance of a contract: Processing is necessary to perform the contract for the purchase of consultation, packages, or services.
- Legal compliance: Processing is necessary to comply with tax, accounting, or other statutory obligations.
- Legitimate interests: For fraud prevention, security, and dispute resolution, where such interests are not overridden by your rights.
19. Retention of Payment Records
We retain payment transaction metadata (order IDs, transaction IDs, timestamps, masked card digits, amounts, refund records) for as long as required to satisfy legal, accounting, and tax obligations, and to support operational needs such as refunds, disputes, and fraud investigations.
- Where required by law (for example, tax laws), financial records may be retained for up to seven (7) years or as otherwise required by local law.
- If you request deletion of your account, we will delete or anonymize your payment metadata where permitted, but may retain limited records to meet legal obligations or to resolve disputes.
20. How to Update or Remove Payment Methods
If you have saved payment instruments or billing information in your account (for example, a tokenized card or UPI authorization), you can update or remove them via the Payments or Billing section in your account settings. If you need assistance, contact us at support@myvitalrx.com.
21. Invoices, Taxes, and GST (if applicable)
We may generate invoices or receipts for payments and, where applicable, collect taxes (including GST in India) as required by law. If you require a tax invoice with specific details (GSTIN, company name), please provide the necessary information during billing or contact support.
22. Chargebacks and Dispute Resolution
If you dispute a charge on your card or payment instrument, you should first contact our support team at support@myvitalrx.com so we can investigate and try to resolve the issue. For card chargebacks, Razorpay and your issuing bank may initiate processes that require documentation; we may provide transaction records as needed to respond to such disputes.
23. International Data Transfers for Payments
Payment-related data required for processing (including order metadata and identifiers) may be transmitted to and processed in other jurisdictions where Razorpay, our service providers, or processors operate. We and our processors implement contractual, organizational and technical safeguards to protect data during international transfers.
24. Security, Encryption & Tokenization (Payments)
- We rely on Razorpay’s tokenization and PCI DSS-compliant infrastructure: full card numbers, CVVs, and other payment credentials are entered on Razorpay’s checkout and never reach our servers; we receive only tokens, transaction identifiers, and masked card digits.
- All in-transit payment communications use TLS/HTTPS. Transaction records stored within our systems are encrypted at rest.
- Access to payment metadata within our systems is restricted to authorized personnel and logged via audit trails.
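As an added illustration of the controls described in Sections 16.2 and 24 (not code from MyVitalRx or from Razorpay), the following Python shows what a merchant backend in this model actually does with a payment: it verifies the checkout result and webhook using Razorpay's documented HMAC-SHA256 signature scheme (key secret over "order_id|payment_id"; webhook secret over the raw request body, carried in the X-Razorpay-Signature header), rejects anything whose signature does not match, and persists only an allow-listed set of non-sensitive metadata. The secrets, identifiers, and the payment entity below are constructed sample values, and `sign_checkout`/`sign_webhook` stand in for what Razorpay computes on its side.

```python
"""Verify a Razorpay checkout result and webhook, then retain only non-sensitive metadata.

Added example; not MyVitalRx's or Razorpay's own code. Secrets and IDs are constructed.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample secrets. Real values come from the Razorpay dashboard and a secrets manager.
KEY_SECRET = "test_key_secret_do_not_use"
WEBHOOK_SECRET = "test_webhook_secret_do_not_use"

# Fields a merchant keeps for refunds, disputes and accounting. Everything else is dropped.
ALLOWED_FIELDS = ("id", "order_id", "amount", "currency", "status", "method", "created_at")


def sign_checkout(order_id: str, payment_id: str, key_secret: str = KEY_SECRET) -> str:
    """What Razorpay returns as razorpay_signature: HMAC-SHA256(key_secret, "order_id|payment_id")."""
    message = f"{order_id}|{payment_id}".encode()
    return hmac.new(key_secret.encode(), message, hashlib.sha256).hexdigest()


def verify_checkout_signature(order_id: str, payment_id: str, signature: str,
                              key_secret: str = KEY_SECRET) -> bool:
    """True only if the signature posted back from checkout matches; constant-time compare."""
    return hmac.compare_digest(sign_checkout(order_id, payment_id, key_secret), signature)


def sign_webhook(raw_body: bytes, webhook_secret: str = WEBHOOK_SECRET) -> str:
    """What Razorpay places in X-Razorpay-Signature: HMAC-SHA256(webhook_secret, raw body)."""
    return hmac.new(webhook_secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, header_signature: str,
                   webhook_secret: str = WEBHOOK_SECRET) -> bool:
    """Verify over the raw bytes as received, never over a re-serialised JSON object."""
    return hmac.compare_digest(sign_webhook(raw_body, webhook_secret), header_signature)


def extract_payment_metadata(payment_entity: dict) -> dict:
    """Allow-list the transaction metadata we store; card data is reduced to the masked last four."""
    record = {k: payment_entity[k] for k in ALLOWED_FIELDS if k in payment_entity}
    card = payment_entity.get("card") or {}
    if "last4" in card:
        record["card_last4"] = card["last4"]
    return record


def handle_webhook(raw_body: bytes, header_signature: str) -> Optional[dict]:
    """Return the record to persist for a verified payment.captured event, else None (HTTP 400)."""
    if not verify_webhook(raw_body, header_signature):
        return None  # unsigned or tampered body: log the attempt and reject
    event = json.loads(raw_body)
    if event.get("event") != "payment.captured":
        return None  # other event types would be routed to their own handlers
    return extract_payment_metadata(event["payload"]["payment"]["entity"])


# Constructed sample payment entity in the shape of a Razorpay webhook payload.
# Contact details are present to show that the allow-list drops them.
SAMPLE_PAYMENT_ENTITY = {
    "id": "pay_Xyz789",
    "order_id": "order_Abc123",
    "amount": 50000,  # minor units (paise), i.e. INR 500.00
    "currency": "INR",
    "status": "captured",
    "method": "card",
    "created_at": 1732435200,
    "email": "patient@example.com",
    "contact": "+910000000000",
    "card": {"last4": "1111", "network": "Visa"},
}


def sample_webhook() -> Tuple[bytes, str]:
    """Build a constructed, correctly signed payment.captured webhook (what Razorpay would send)."""
    event = {"event": "payment.captured", "payload": {"payment": {"entity": SAMPLE_PAYMENT_ENTITY}}}
    raw = json.dumps(event).encode()
    return raw, sign_webhook(raw)


if __name__ == "__main__":
    body, sig = sample_webhook()
    print(handle_webhook(body, sig))
    print(handle_webhook(body.replace(b'"amount": 50000', b'"amount": 1'), sig))  # None
```

Two points the code makes that the policy text only implies: the webhook signature must be checked over the raw request bytes before any parsing, and an altered amount or identifier is rejected outright rather than stored and flagged later.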
25. Automated Decision-Making & Profiling (Payments)
To detect and prevent fraud we and/or Razorpay may use automated systems that analyze transaction patterns and risk signals. These automated processes may result in the temporary decline or hold of a transaction. If you believe an automated decision adversely affected you, please contact support to request a review.
26. Third-Party Links & Razorpay Privacy
Your use of the Razorpay payment experience is also subject to Razorpay’s Terms of Service and Privacy Policy. For details on how Razorpay handles payment information, please review their policy at https://razorpay.com/privacy/.
27. Audit & Compliance
We and our processors perform regular security assessments, audits, and compliance checks (including periodic PCI-related assessments for payment flows) to ensure continued adherence to security standards.