Privacy Policy

Effective Date: April 1, 2026  ·  Last Updated: April 17, 2026

Version 2.0

Med97 Inc. ("Company", "we", "us", "our") operates SocialMD.ai ("Platform", "Service"). We are deeply committed to protecting your privacy and being transparent about how we collect, use, share, and protect your personal information. This Privacy Policy explains our practices and your rights in accordance with applicable law, including India's Digital Personal Data Protection Act 2023 (DPDP Act), the Information Technology Act 2000, and where applicable, the EU General Data Protection Regulation (GDPR).

By creating an account or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

1. Definitions

  • "Personal Data" — any information relating to an identified or identifiable natural person.
  • "Clinical Input" — de-identified medical information you provide to generate content.
  • "Training Data" — anonymised input-output pairs used to train AI models.
  • "Data Fiduciary" — Med97 Inc., as the entity determining the purpose and means of processing (under DPDP Act 2023).
  • "Data Principal" — you, the individual whose personal data is being processed.
  • "Processing" — any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • "Third-Party Services" — external services we use or integrate with, including Supabase, Groq, Razorpay, Twilio, and social media APIs.

2. Information We Collect

2.1 Information You Provide Directly

During Registration:

  • Full name and professional title.
  • Email address.
  • Mobile phone number (for OTP verification).
  • Password (stored as a one-way bcrypt hash — we never see your plaintext password).
  • Medical specialty and sub-specialty.
  • City and state (for local relevance in AI outputs).
  • Medical Registration Number (optional, for credential verification).

During Use:

  • De-identified clinical case descriptions, diagnoses, symptoms, and treatment information you enter.
  • Your AI content preferences (tone, language, style).
  • Feedback signals on generated content (liked, copied, published).
  • Social media account connection details (OAuth tokens — encrypted).
  • Support and grievance communications.

Payment Information:

  • Billing name and address.
  • GSTIN (optional, for B2B invoicing).
  • Transaction history and subscription records.
  • Full card numbers are never stored by us — handled exclusively by Razorpay.

2.2 Information Collected Automatically

  • IP address and approximate geolocation (city-level).
  • Device type, operating system, and browser.
  • Pages visited, features used, and session duration.
  • Error logs and performance data.
  • Cookies and similar tracking technologies (see Section 9).

2.3 Information We Do NOT Collect

  • Patient names, Aadhaar numbers, PAN numbers, or any identifiable patient information. Our Terms prohibit this and our system does not request it.
  • Full payment card numbers (handled by Razorpay).
  • Sensitive personal data beyond what is necessary for the Service.

3. How We Use Your Information

3.1 Service Delivery

  • Creating and managing your account.
  • Generating AI-powered social media content tailored to your specialty.
  • Processing payments and managing subscriptions.
  • Sending OTPs for account verification and security.
  • Enabling direct publishing to connected social media platforms.

3.2 Communication

  • Sending transactional emails (invoices, receipts, password resets, quota notifications).
  • Product updates, new feature announcements (you may opt out).
  • Responding to support requests and grievances.
  • Security alerts and account activity notifications.

3.3 Platform Improvement

  • Analysing usage patterns to improve features.
  • Debugging errors and fixing performance issues.
  • Conducting A/B testing of features and UI (on aggregated data).

3.4 AI Model Training

AI Training Data — Important Notice

Your anonymised Clinical Input and the AI-generated content produced from it may be used as training data to fine-tune and improve our AI models. "Liked" posts are treated as high-quality training signals. All data is stripped of personal identifiers before training. You cannot opt out of this use. If you do not consent, please discontinue use of the Service.

3.5 Legal and Regulatory Compliance

  • Complying with court orders, legal processes, and regulatory requests.
  • Enforcing our Terms of Service and Acceptable Use Policy.
  • Protecting the rights, property, and safety of the Company and its users.

4. Legal Basis for Processing

Under the DPDP Act 2023 and GDPR, we process your personal data on the following legal bases:

Processing Purpose                      Legal Basis
--------------------------------------  ---------------------------------------
Account creation and service delivery   Contractual necessity
Payment processing                      Contractual necessity
OTP verification and security           Legitimate interest / legal obligation
Service improvement and analytics       Legitimate interest
AI model training (anonymised)          Consent given at account creation
Marketing communications                Consent (opt-in)
Legal compliance                        Legal obligation
Fraud prevention                        Legitimate interest

5. Data Sharing and Disclosure

We do not sell your personal data. We share data only in the following circumstances:

5.1 Service Providers

We work with trusted third-party service providers who process data on our behalf under strict data processing agreements:

Provider                     Purpose                      Data Shared
---------------------------  ---------------------------  --------------------------------
Supabase (USA)               Database and authentication  All user account data
Groq / Mistral / DeepSeek    AI content generation        Anonymised clinical input only
Razorpay (India)             Payment processing           Billing name, amount, email
Twilio (USA)                 SMS OTP delivery             Mobile phone number only
Vercel (USA)                 Web hosting and CDN          Application logs, IP address

5.2 Social Media Platforms

When you use direct publishing, we send your generated content to the connected social media platform's API on your behalf. We share only the content you instruct us to post — no other personal data.

5.3 Legal Requirements

We may disclose personal data if required by applicable law, court order, government authority, or to protect the rights, safety, or property of the Company or its users.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email or in-app notice before your data is transferred and becomes subject to a different privacy policy.

6. International Data Transfers

Some of our service providers are located outside India. Your data may be transferred to and processed in the United States and other countries. Where required by law, we ensure appropriate safeguards are in place for such transfers, including standard contractual clauses and data processing agreements that provide equivalent protection to Indian and EU data protection laws.

7. Data Security

We implement industry-standard technical and organisational measures to protect your personal data:

  • Encryption at rest: All database data encrypted using AES-256.
  • Encryption in transit: All data transmitted over TLS 1.2 or higher.
  • Access controls: Row-Level Security (RLS) enforced at the database level. Service role keys restricted to server-side operations only.
  • OAuth tokens: Connected social media tokens are stored encrypted and never exposed client-side.
  • Password security: Passwords stored as bcrypt hashes with appropriate cost factor. Plaintext passwords are never stored.
  • OTP security: One-time passwords expire within 10 minutes and can only be used once.
  • Regular security reviews: Periodic audits of access policies and vulnerability scanning.

Despite these measures, no internet transmission is 100% secure. If you discover a security vulnerability, please responsibly disclose it to hello@med97.com.

8. Data Retention

Data Type                      Retention Period           Reason
-----------------------------  -------------------------  ----------------------------------------
Active account data            While account is active    Service delivery
Account data after deletion    30 days (recoverable)      Accidental deletion protection
Account data after 30 days     Permanently deleted        User right to erasure
Payment records & invoices     7 years                    Tax and legal compliance (GST Act)
Security and access logs       90 days                    Security investigation
Anonymised AI training data    Indefinitely               AI model improvement
Phone verification records     90 days                    Fraud prevention

9. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Strictly Necessary Cookies: Required for authentication, session management, and security (e.g., session tokens, CSRF tokens). Cannot be disabled.
  • Functional Cookies: Remember your preferences such as language and display settings.
  • Analytics Cookies: Help us understand how users interact with the Platform (aggregated and anonymised). You may opt out via your browser settings.

We do not use third-party advertising cookies. You can manage cookie preferences through your browser settings, though disabling strictly necessary cookies will impair the Service's functionality.

10. Children's Privacy

The Service is intended for licensed medical professionals who must be at least 18 years of age. We do not knowingly collect personal data from individuals under 18. If we become aware that a minor has provided personal data, we will delete it promptly. If you believe we have inadvertently collected data from a minor, contact us at hello@med97.com.

11. Your Rights

11.1 Rights Under DPDP Act 2023 (India)

  • Right to Access: Request a summary of your personal data we hold and how it is being used.
  • Right to Correction: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Right to Grievance Redressal: Lodge a complaint with our Grievance Officer and escalate to the Data Protection Board of India if unresolved.
  • Right to Nominate: Nominate another individual to exercise rights on your behalf in the event of death or incapacity.

11.2 Additional Rights Under GDPR (EU Users)

  • Right to Data Portability: Receive your data in a machine-readable format.
  • Right to Restriction: Request that we restrict processing in certain circumstances.
  • Right to Object: Object to processing based on legitimate interest.
  • Right to Withdraw Consent: Withdraw consent for processing activities based on consent, without affecting the lawfulness of prior processing.

11.3 Limitations on Rights

The right to erasure does not apply to: (a) anonymised Training Data incorporated into AI models (as re-identification is not possible); (b) payment records required for legal compliance; (c) data needed to resolve outstanding disputes or enforce agreements.

12. How to Exercise Your Rights

To exercise any of your rights, you may:

  • Use the self-service options in Settings → Account (for correction, data export, and account deletion).
  • Email our Grievance Officer at hello@med97.com with the subject line "Privacy Request — [Your Right]".
  • Include your registered email address and a clear description of your request.

We will acknowledge your request within 24 hours and respond substantively within 30 days. We may request identity verification before actioning certain requests. We do not charge for requests unless they are manifestly unfounded or excessive.

13. Marketing Communications

We send product update and feature announcement emails only to users who have opted in. You may opt out of marketing communications at any time by:

  • Clicking "Unsubscribe" in any marketing email.
  • Updating your notification preferences in Settings → Notifications.
  • Emailing hello@med97.com with "Unsubscribe" in the subject line.

Opting out of marketing does not affect transactional communications (invoices, security alerts, service updates) which are necessary for the provision of the Service.

14. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email to your registered address or an in-app notice at least 14 days before the changes take effect. We will also update the "Last Updated" date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

15. Contact and Grievance Redressal

If you have questions about this Privacy Policy, wish to exercise your rights, or wish to lodge a complaint, contact our Grievance Officer:

Grievance Officer: Sathish

Email: hello@med97.com

Phone: +91 7780771768

Response: Acknowledged within 24 hours, resolved within 30 days.

If you are dissatisfied with our response, you may file a complaint with the Data Protection Board of India (once operationalised under the DPDP Act 2023), or with your local data protection authority if you are an EU resident.

16. Company Details

Legal Name: Med97 Inc.

Trade Name: SocialMD.ai

Registered Address: 8-43/5/12, Balaji Hills, Hyderabad, Telangana – 500089, India

Email: hello@med97.com

Phone: +91 7780771768

Data Fiduciary: Med97 Inc.

Grievance Officer: Sathish

By using SocialMD.ai, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and use of your information as described herein.

© 2026 Med97 Inc · 8-43/5/12 Balaji Hills, Hyderabad, Telangana · hello@med97.com