This Privacy Policy is prepared in accordance with: the Digital Personal Data Protection Act, 2023 (DPDPA); the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules); the Information Technology Act, 2000; Telemedicine Practice Guidelines 2020 (Board of Governors in supersession of MCI); Ministry of Health & Family Welfare EHR Standards 2016; the Ayushman Bharat Digital Mission (ABDM) Health Data Management Policy; the Clinical Establishments (Registration and Regulation) Act, 2010; the Drugs and Cosmetics Act, 1940 (for e-Pharmacy operations); and the Consumer Protection Act, 2019.
vcdoc.in ("vcdoc", "we", "our", or "us") is a digital healthcare platform providing online doctor consultations, e-Pharmacy, e-Diagnostics, and Electronic Health Record (EHR) management services. We are operated by the entity registered at the address provided in Section 13 of this policy.
We are deeply committed to protecting the privacy, confidentiality, and security of all personal data, and in particular, Sensitive Personal Data or Information (SPDI) relating to health and medical information, which we collect in the course of delivering healthcare services.
This Privacy Policy explains how we collect, process, store, share, and protect your personal and health data. It applies to all users of the vcdoc.in website and mobile platform, including patients, caregivers, registered healthcare professionals, and partner institutions.
By accessing or using vcdoc.in, you consent to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the platform. For healthcare services involving Sensitive Personal Data, we will additionally seek your free, informed, and specific consent at the point of data collection, as required under applicable law.
Under the Digital Personal Data Protection Act, 2023, vcdoc.in acts as the Data Fiduciary - the entity that determines the purposes and means of processing your personal data.
| Platform Name | vcdoc.in |
| Legal Entity | M J Mediport Private Limited |
| CIN / Registration | U86201TS2025PTC194133 |
| Registered Address | Prashanthi Nivas, H.No: 2-2-22, D D Colony, Bagh Amberpet, Amberpet, Hyderabad, Telangana 500013 |
| Primary Email | harshavardhan@vcdoc.in |
| Website | www.vcdoc.in |
| Services Offered | Online Consultations, e-Pharmacy, e-Diagnostics, EHR Management |
| Jurisdiction | India |
| Grievance Officer | See Section 13 for contact details |
We collect the following categories of data, which include Sensitive Personal Data or Information (SPDI) as defined under the IT (SPDI) Rules, 2011. Health and medical information constitutes SPDI and is afforded the highest level of protection under Indian law.
For online consultations conducted on the vcdoc platform, in compliance with the Telemedicine Practice Guidelines 2020 (issued by the Board of Governors in supersession of the Medical Council of India):
We use collected data solely for the purposes described below. We do not use health or personal data for advertising, profiling for commercial purposes, or any purpose unrelated to healthcare delivery.
| Purpose of Processing | Data Categories Used | Legal Basis (DPDPA / SPDI Rules) |
|---|---|---|
| Facilitate online consultations with licensed Registered Medical Practitioners (RMPs) | Identity, health/medical (SPDI), consultation data | Consent + Contract performance |
| Maintain and update Electronic Health Records (EHR) in line with MoHFW EHR Standards 2016 | All health data (SPDI), identity data | Consent + Legal obligation |
| Process e-Pharmacy prescriptions and coordinate medicine delivery | Identity, address, prescription (SPDI) | Consent + Contract performance |
| Manage diagnostic bookings and deliver test reports | Identity, address, health data (SPDI) | Consent + Contract performance |
| Send appointment reminders, health alerts, and service updates | Contact data, appointment data | Consent |
| Verify identity and prevent unauthorised access or fraud | Identity, technical data | Legitimate use + Legal obligation |
| Comply with healthcare laws, medical regulations, and court orders | All relevant categories | Legal obligation |
| Improve platform performance and user experience | Usage data (anonymised where possible) | Legitimate use |
| Conduct anonymised analytics for service and clinical improvement | Anonymised/aggregated health data | Legitimate use (data de-identified) |
| Integrate with ABDM / National Digital Health Ecosystem (with consent) | Health data, ABHA ID (if linked) | Explicit consent |
| Support medico-legal documentation when required by law | Health, identity, consultation records | Legal obligation |
In accordance with the Digital Personal Data Protection Act, 2023 and the IT (SPDI) Rules, 2011, we rely on consent as the primary lawful basis for collecting and processing your personal data, especially Sensitive Personal Data.
You may withdraw your consent for data processing at any time by writing to harshavardhan@vcdoc.in. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal. Note that withdrawal may affect our ability to continue providing certain services that depend on the use of that data.
For patients under 18 years of age, consent is obtained from a parent or legal guardian. We do not permit minors to independently register, access medical services, or consent to data processing. Verifiable parental/guardian consent is required. See also Section 10 (Children's Privacy).
We do not sell, rent, or trade your personal or health data to any third party for commercial purposes. Sharing is strictly limited to the purposes described below.
Your health data is shared with the doctors, specialists, hospitals, diagnostic centres, and pharmacies directly involved in your care through the vcdoc platform. This sharing is necessary to deliver connected, coordinated healthcare services and is governed by medical confidentiality obligations under the National Medical Commission (NMC) Code of Ethics.
vcdoc engages third-party vendors for cloud hosting, payment processing, SMS/email communication, and logistics. Such partners:
We may disclose your information when required by:
If you choose to link your vcdoc account with your Ayushman Bharat Health Account (ABHA), your health records may be shared with the National Digital Health Ecosystem in accordance with the ABDM Health Data Management Policy. This integration is entirely optional and requires your separate, explicit consent.
For any sharing not described above, we will obtain your prior, explicit, written consent before disclosing your data.
vcdoc implements industry-standard and healthcare-grade security measures in accordance with the IT (SPDI) Rules, 2011, Rule 8 (Reasonable Security Practices), and ISO/IEC 27001 standards, including:
| Security Measures | Details |
|---|---|
| Encryption in Transit | TLS 1.2+ / TLS 1.3 end-to-end encryption for all health data transmitted to/from the platform. |
| Encryption at Rest | AES-256 encryption for all stored health data, including EHRs, prescriptions, and test reports. |
| Access Control | Role-Based Access Control (RBAC) ensures only authorised clinicians and staff access patient records on a need-to-know basis |
| Authentication | Multi-Factor Authentication (MFA) is required for all doctors, administrators, and platform staff |
| Security Audits | Regular vulnerability assessments, penetration testing, and third-party security audits |
| Data Backup | Secure, geographically redundant backup systems with tested disaster recovery procedures |
| Audit Trails | Full audit logs are maintained for all access to and modifications of patient health records |
| Staff Training | Mandatory data privacy and security training for all staff handling personal or health data |
| Incident Response | Documented data breach response plan with defined escalation procedures and regulatory notification timelines |
We retain personal and health data only as long as necessary for the purposes for which it was collected, and in compliance with applicable Indian healthcare and data protection regulations.
| Data Category | Retention Period | Legal / Regulatory Basis |
|---|---|---|
| Patient health records & EHR | Minimum 3 years from last consultation; typically, 5+ years | MCI / NMC Regulations; MoHFW EHR Standards 2016 |
| Consultation notes & prescriptions | Minimum 3 years; 5 years for surgical or complex cases | Telemedicine Practice Guidelines 2020; Clinical Establishments Act 2010 |
| Diagnostic reports & imaging | Minimum 5 years | NABH standards; Clinical best practice |
| Registered user profile data | Duration of account + 3 years’ post-closure | DPDPA 2023; IT Act 2000 |
| Pharmacy prescription records | Minimum 2 years | Drugs and Cosmetics Act 1940; Pharmacy Practice Regulations |
| Minor patient records | Until the patient reaches 21 years of age + 3 years | Standard medico-legal practice |
| Medico-legal case records | Minimum 10 years or as directed by the court/authority | Evidence Act; court/authority direction |
| Payment transaction metadata | 8 years | Income Tax Act 1961; GST regulations |
| Audit logs and access records | 3 years | IT (SPDI) Rules 2011; DPDPA 2023 |
| Security incident records | 5 years | DPDPA 2023; CERT-In guidelines |
After the applicable retention period, personal and health data will be securely deleted or anonymised in accordance with the DPDPA 2023 and CERT-In data destruction guidelines. Users may request early deletion of their personal data, subject to our legal retention obligations.
vcdoc processes and stores all patient health data (SPDI) within India, consistent with the data localisation considerations under the Digital Personal Data Protection Act, 2023 and the ABDM Health Data Management Policy.
Where any processing involves transfer of personal (non-health) data to service providers located outside India (e.g., cloud infrastructure providers), such transfers are conducted only:
Health data (SPDI) is not transferred outside India without explicit written consent and compliance with applicable Indian healthcare regulations.
Under the Digital Personal Data Protection Act, 2023 (Sections 11–14) and the IT (SPDI) Rules, 2011, you have the following rights as a Data Principal:
| Right | What This Means |
|---|---|
| Right to Access (Sec. 11) | Request a summary of personal data held by us, the purposes of processing, and entities with whom it has been shared. |
| Right to Correction & Erasure (Sec. 12) | Request correction of inaccurate, incomplete, or misleading data; request erasure of data that is no longer necessary for the stated purpose, subject to legal retention obligations. |
| Right to Data Portability | Receive your personal and health data in a structured, commonly used, machine-readable format (e.g. FHIR-compliant EHR export for ABDM-linked records). |
| Right to Grievance Redressal (Sec. 13) | File a complaint with our Grievance Officer (see Section 13). We will respond within 30 days. |
| Right to Nominate (Sec. 14) | Nominate another individual to exercise your data rights in the event of your death or incapacity. |
| Right to Withdraw Consent | Withdraw consent for processing at any time (see Section 5.2). Withdrawal does not affect prior lawful processing. |
| Right to Complain to DPB | If unsatisfied with our response, lodge a complaint with the Data Protection Board of India (once constituted under DPDPA 2023). |
To exercise any of these rights, submit a written request to harshavardhan@vcdoc.in or use the data rights request form available on the platform. We will verify your identity before processing your request and respond within 30 days.
vcdoc may collect and process health information for patients under 18 years of age (minors) when such information is submitted by a verified parent or legal guardian. The following safeguards apply:
If you believe a minor's data has been collected on vcdoc without appropriate guardian consent, please contact our Grievance Officer immediately at harshavardhan@vcdoc.in. We will investigate and take immediate remedial action.
vcdoc uses cookies and similar technologies to support platform functionality and improve user experience. Cookies used on vcdoc.in fall into the following categories:
| Cookie Type | Source | Purpose | Duration |
|---|---|---|---|
| Essential | vcdoc.in | Required for login, session management, and core platform security | Session |
| Functional | vcdoc.in | Remember your preferences, language settings, and platform layout | Up to 1 year |
| Analytics | Third-party | Anonymised usage statistics to improve platform performance (no personally identifiable data) | Up to 13 months |
| Security | vcdoc.in | CSRF protection, rate-limiting, bot detection, and fraud prevention | Session |
You can manage or disable cookies through your browser settings. Disabling essential cookies may affect your ability to use core platform functions, including login and consultation services. Health data is never stored in cookies.
Pages on vcdoc.in may include embedded content such as videos, health information resources, maps, or social media posts. Embedded content from other websites behaves in the same way as if you had visited those websites directly. Third-party embedded content providers may:
We do not embed third-party content on pages containing health data or within clinical/consultation areas of the platform. We encourage you to review the privacy policies of any third-party platforms whose content appears on vcdoc.in. We are not responsible for third-party data practices.
The platform may contain links to external websites, including healthcare information resources, regulatory bodies, and partner institutions. These third-party sites are not governed by this Privacy Policy. We encourage you to review their privacy policies independently. vcdoc assumes no responsibility for the privacy practices of third-party websites.
vcdoc's online consultation services are subject to the Telemedicine Practice Guidelines, 2020. The following specific obligations apply:
All Registered Medical Practitioners (RMPs) on the vcdoc platform are bound by medical confidentiality obligations under the NMC Code of Professional Conduct. Patient information disclosed during consultations may not be shared by the RMP with any third party without patient consent, except as required by law.
Records of all telemedicine consultations, including mode of consultation, patient identity, chief complaints, clinical notes, and any prescriptions issued, are maintained as part of the patient's EHR in accordance with the Telemedicine Practice Guidelines 2020 and MoHFW EHR Standards 2016.
Digital prescriptions generated through the vcdoc platform are stored securely as part of the patient's health record and are shared only with the patient and the dispensing pharmacy. Prescriptions for Schedule H, H1, and X drugs are handled with additional controls in compliance with the Drugs and Cosmetics Act, 1940.
We may update this Privacy Policy periodically to reflect changes in our services, technology, or applicable legal and regulatory requirements. When material changes are made:
We encourage you to review this policy periodically. Continued use of the platform after the effective date of changes constitutes acceptance of those changes.
In accordance with Section 13 of the Digital Personal Data Protection Act, 2023 and Rule 5(9) of the IT (SPDI) Rules, 2011, vcdoc has designated a Grievance Officer to address complaints and queries related to personal data processing.
| Role | Grievance Officer / Data Protection Officer |
| Name | Mr Harshavardhan Reddy |
| harshavardhan@vcdoc.in | |
| Postal Address | Prashanithi Nivas, H.No: 2-2-22, D D Colony, Bagh Amberpet, Amberpet, Hyderabad, Telangana 500013 |
| Website | www.vcdoc.in |
| Response Time | Within 30 days of receipt of complaint |
| Escalation | Data Protection Board of India (www.meity.gov.in) - once constituted under DPDPA 2023 |