Last Updated: April 1, 2026 · Effective: April 1, 2026
Data Controller
This policy describes what data Med97 Inc collects through SocialMD.ai ("Platform"), where and how long it is stored, and how you can request its deletion. It supplements our Privacy Policy and complies with India's Digital Personal Data Protection (DPDP) Act 2023, GDPR, and applicable health-data regulations.
| Category | Examples | Where Stored |
|---|---|---|
| Account & Profile | Name, email, specialty, medical registration number | Supabase (encrypted at rest) |
| Clinical Case Inputs | De-identified case descriptions, outcomes, key learnings | Supabase (AES-256) |
| Generated Content | AI-generated social posts, calendars, thread outputs | Supabase |
| Training Feedback | Liked posts saved for AI model improvement (anonymised) | Supabase |
| Usage Logs | API call timestamps, feature usage, error logs | Vercel / server logs |
| Payment Records | Invoice amounts, subscription tier, dates (not card data) | Razorpay + our records |
| OAuth Tokens | Social media access tokens (encrypted) | Supabase (encrypted) |
| Cookies / Sessions | Auth session tokens | Browser + Supabase Auth |
We never store: complete payment card numbers (handled exclusively by Razorpay, which is PCI-DSS L1), patient names, or any re-identifiable Protected Health Information.
| Data Type | Retention Period | Reason |
|---|---|---|
| Active account data | While account is active | Service delivery |
| Account data after deletion request | 30 days (grace period) | Accidental deletion recovery |
| Hard-deleted account data | Permanently removed after 30 days | Your right to erasure |
| Anonymised training data | Indefinitely | AI model improvement (no PII) |
| Payment & invoice records | 7 years | Indian GST / tax law requirement |
| Server / access logs | 90 days | Security monitoring |
| Backup snapshots | 30 days rolling | Disaster recovery |
| OAuth access tokens | Until revoked or account deleted | Platform integrations |
Data transfers outside India (to Vercel/AI providers) are covered by Standard Contractual Clauses and are necessary for service delivery.
You may delete individual generated posts, case inputs, or connected social accounts at any time from your account dashboard. Deletion takes effect immediately in the interface; data is purged from our database within 24 hours.
To permanently delete your account and all associated personal data:
Option A — Self-Service
Option B — Email Request
⚠️ What Cannot Be Deleted
| Step | Timeframe | What Happens |
|---|---|---|
| Request received | Immediately | Account access suspended, confirmation email sent |
| Grace period | Days 1–30 | Data retained for accidental deletion recovery |
| Primary database | Day 30 | All personal data hard-deleted from Supabase |
| Backups | Day 30–60 | Data purged from rolling backup snapshots |
| Logs | Day 90 | Access logs purged after 90-day retention cycle |
| Confirmation | Day 30 | Deletion confirmation email sent to you |
You may request a full export of your personal data before deletion. We will provide a machine-readable JSON export within 7 business days of your request. Email hello@med97.com with subject "DATA EXPORT REQUEST".
If you have concerns about how your data is stored or have not received a deletion confirmation, contact our Grievance Officer:
We may update this policy. We will notify you of material changes via email and a notice on the Platform at least 14 days in advance. Continued use after the effective date constitutes acceptance.
By using SocialMD.ai, you acknowledge that you have read and understood this Data Storage & Deletion Policy.