Medboks


Privacy Policy

Last updated: 15 June 2025

1. Who We Are

This Privacy Policy applies to MEDBOKS SUPPLIES PRIVATE LIMITED ("Medboks", "we", "our", or "us"), a company incorporated under the Companies Act, 2013, operating the website medboks.com and related mobile or web applications (collectively, the "Platform").

We provide medical device rental, purchase, and home-care booking services across select service areas in India. Our current operational coverage is updated on our website.

2. Information We Collect

2.1 Information you provide directly

  • Account & identity — full name, mobile number, email address.
  • KYC & identity verification — may require government-issued document details (such as Aadhaar, processed only via OTP-based e-KYC; we do not store full document numbers after verification), and may include a photograph or liveness check. Specific KYC requirements may vary based on the service and applicable regulations at the time of use.
  • Delivery address — postal address, PIN code, GPS coordinates (latitude/longitude captured from the map picker you use to set your delivery pin).
  • Payment information — we do not store card numbers or CVVs. Payment processing is handled by Razorpay. We store only the Razorpay payment ID, order ID, and payment mode (UPI/card/netbanking) for order records.
  • Care booking details — patient name, age, relationship to patient, preferred dates, medical notes, and prescription files you choose to upload.

2.2 Information collected automatically

  • Device & usage data — IP address, browser type, pages visited, time spent, referral URLs.
  • Analytics — anonymised usage events via Google Analytics 4 (GA4). You can opt out via browser settings or the GA opt-out extension.
  • Cookies & local storage — session tokens, language preference, referral codes, and location cache stored in your browser. No third-party advertising cookies are used.

3. How We Use Your Information

  • Process rental, purchase, and care-booking orders.
  • Verify your identity (KYC) as required for medical device rental.
  • Send OTPs via SMS for authentication.
  • Process payments and issue refunds via Razorpay.
  • Communicate order status, delivery updates, and support responses.
  • Improve our Platform through aggregated analytics.
  • Comply with applicable Indian laws including the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023, and UIDAI guidelines.

4. How We Protect Your Data

All sensitive personal data (mobile number, email, Aadhaar reference) is encrypted at rest using AES-256-GCM before it is stored in our database. Deterministic lookup hashes (HMAC-SHA256) are used to query encrypted fields without exposing plaintext. Data is stored on AWS infrastructure in the ap-south-1 (Mumbai) region with automated daily backups.

Connections to our Platform use TLS 1.2 or higher. Payment data is handled exclusively by Razorpay on their PCI-DSS-compliant infrastructure.

5. Sharing Your Information

We do not sell your personal data. We share data only with:

  • Razorpay — to process payments and issue refunds. Subject to Razorpay's Privacy Policy.
  • Google — Maps API for address search and geocoding. Your search queries are sent to Google's servers.
  • Care service providers — your name, address, and booking details are shared with the assigned care professional to fulfil your booking.
  • Legal authorities — when required by Indian law, court order, or government directive.

6. Data Retention

We retain your account and order data for a minimum of 5 years from your last transaction, as required for financial and tax record-keeping under Indian law. KYC reference data is retained as required by applicable regulations. You may contact us to request deletion of your account for data that is not legally required to be retained.

7. Your Rights

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), you have the right to:

  • Access — request a summary of personal data we hold about you.
  • Correction — update inaccurate or incomplete personal data.
  • Erasure — request deletion of your personal data (subject to legal retention requirements).
  • Grievance redressal — raise a complaint with our Data Protection Officer.

To exercise any of these rights, contact us at support@medboks.com.

8. Children's Privacy

Our Platform is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Platform or sending an email to your registered address. Continued use of the Platform after changes constitutes acceptance of the revised policy.

10. Contact Us

For privacy-related questions or to exercise your rights:

Data Protection Officer

MEDBOKS SUPPLIES PRIVATE LIMITED

Pune, Maharashtra, India

Email: support@medboks.com