Legal

DPDP Compliance

How MedPilot AI is designed around India's Digital Personal Data Protection Act, 2023 — and how it helps your clinic meet its obligations.

Last updated: 14 April 2026

Who plays which role

  • Your clinic is the Data Fiduciary for your patients' personal data. You decide what's collected and why.
  • MedPilot AI is your Data Processor. We handle data on your instructions, per our service agreement.
  • Patients are Data Principals. They have rights under the DPDP Act that both you and we help them exercise.

How we help your clinic stay compliant

1. Lawful purpose and consent

Every patient record in MedPilot has a linked consent state. Booking flows capture explicit consent for appointment communication; marketing messages require a separate opt-in. Patients can withdraw consent via WhatsApp ("STOP"), which is automatically reflected in your dashboard.

2. Notice

We provide an editable notice template you can share with patients (available in English, Tamil, Hindi, Kannada, Telugu) that meets DPDP notice requirements — purpose, categories of data, rights, and grievance contact.

3. Data minimisation

Forms default to collecting the minimum needed. Optional fields are clearly marked. You can turn off fields you don't need per clinic.

4. Storage limitation

Configurable retention policies per data category (appointments, clinical notes, WhatsApp logs). Expired records are archived or deleted automatically according to your policy.

5. Data Principal rights

Built-in workflows for access, correction, erasure, and portability requests. Patient requests received via WhatsApp or email are routed to your assigned staff with a response-time timer.

6. Security safeguards

  • Encryption at rest (AES-256) and in transit (TLS 1.2+).
  • Role-based access; principle of least privilege enforced per staff role.
  • Mandatory 2FA for clinic-admin accounts.
  • Audit log of every access to patient records.
  • Data stored in AWS Mumbai (ap-south-1); no cross-border transfer by default.

7. Breach notification

If we detect a personal-data breach affecting your clinic, we notify you within 72 hours with incident details, affected records, and remediation steps — supporting your obligation to report to the Data Protection Board of India.

8. Sub-processors

A current list of sub-processors (cloud, WhatsApp BSP, payment gateway, email/SMS) is available on request. We notify clinics at least 14 days before adding or changing a sub-processor.

9. Children's data

When a patient is flagged as a minor, additional guardian-consent controls activate, and behavioural/marketing workflows are disabled for that record.

AI and automated decision-making

Our AI features (summaries, draft replies) are assistive. No patient record is subjected to solely automated decision-making that produces legal or similarly significant effects.

Grievance Officer

Name: Saranraj
Email: grievance@cyberfreezedev.com
Response timeline: within 7 working days.

Ongoing work

DPDP rules and sector-specific notifications continue to evolve. This page reflects our current posture; we update it materially when our practices change, and email clinic admins at least 14 days before material changes take effect.

Related reading: Privacy PolicyTerms of Service.