Legal

Privacy Policy

Last Updated: May 2026 | Effective: May 2026

MedifastCare ("we," "our," "us," or "the Company") operates the MedifastCare mobile application (the "App") and related services. We are committed to protecting the privacy and security of every user — patients, ambulance partners, and hospital partners — who interacts with our platform.

This Privacy Policy explains in detail what information we collect, why we collect it, how we use and protect it, and your rights regarding that information. By downloading, installing, or using the App, you acknowledge that you have read and agree to this policy. If you do not agree, please discontinue use immediately.

⚠️ Important Healthcare Disclaimer

MedifastCare is an ambulance dispatch and coordination platform. It is not a substitute for professional medical advice, diagnosis, or treatment. In a life-threatening emergency, always call your local emergency services first (India: 112 / 108) and then use the App for coordinating ambulance arrival. MedifastCare does not provide medical advice and is not responsible for medical outcomes.

1. Who We Are

MedifastCare is an emergency ambulance booking and hospital coordination service operating in India. We connect patients with verified ambulance partners and empanelled hospitals to reduce response times during medical emergencies.

Registered Entity: MedifastCare (India)
Contact Email: support@medifastcare.com
Website: https://medifastcare.com
Grievance Officer: Available at support@medifastcare.com for privacy-related complaints

2. Information We Collect

We collect the following categories of information:

2.1 Personal Identification Data

Full name (first name, last name)
Mobile phone number — used for OTP-based authentication via Firebase
Email address (optional, for profile and notifications)
Profile details of family members you add (name, relation, date of birth)

2.2 Precise Location Data

Location is the core data that enables our emergency service. We collect:

Patient location (foreground): Collected when you open the App to show nearby hospitals, calculate distances, and identify your pickup point for an ambulance.
Ambulance driver location (foreground and background): When an ambulance partner is marked "online," we continuously collect their GPS coordinates to enable live tracking for the patient and the hospital, and to calculate the estimated time of arrival (ETA). This location data is written to our secure database and visible only to the assigned patient and hospital for that booking.
Why background location is needed: Ambulance drivers must share their real-time position even when the App is minimised, as emergencies require continuous tracking until the patient is safely delivered to the hospital.

2.3 Health & Insurance Information

Medical insurance provider: You may optionally link your insurance provider so the App can identify hospitals that offer cashless treatment for you or your family members.
Emergency type (SOS type): When you raise an SOS, you select the nature of the emergency (e.g., cardiac, accident, stroke). This information is shared with the dispatched ambulance and receiving hospital to enable them to prepare the appropriate care in advance.
Family member health details: Names, relations, and insurance links for family members you register for emergency booking on their behalf.

2.4 Booking & Transaction Data

Booking status, timestamps, pickup and dropoff location coordinates
OTP codes generated for pickup and hospital arrival verification
Ambulance bill amount, user charge, and hospital billing data
Booking history (for both SOS and non-SOS bookings)

2.5 Device & Technical Data

Device type, operating system (Android / iOS)
FCM (Firebase Cloud Messaging) device token — for sending push notifications
App version and crash/error logs (for improving stability)
IP address (collected automatically by Firebase)

2.6 Support & Query Data

Hospital support queries raised through the in-app chatbot (category selection, description text) — linked to your booking ID and admission record.
Help & Suggest submissions (feedback type, description, priority) — used solely for improving the platform.

2.7 Medical Bills & Uploaded Documents

Medical bills, invoices, and billing documents uploaded by authorised hospital or admin staff against a specific booking — stored in Firebase Storage under a booking-scoped path and linked to the booking in our database.
Documents are never uploaded by patients directly. Only verified hospital partners and administrators may upload files.
Uploaded files are associated with a booking ID; access is restricted to authenticated admin and hospital users by Firebase Storage security rules.
File types accepted: PDF, JPEG, PNG (max 10 MB per file). Images exceeding 2 MB are automatically compressed before storage.
A duplicate-prevention hash (MD5) is stored alongside each file to avoid re-uploading identical documents.

2.8 Payment Information

The App integrates Razorpay (Razorpay Software Private Limited) as our payment gateway for ambulance fare collection. When you make a payment:

Your payment is processed directly by Razorpay on their secure servers.
MedifastCare receives only the payment status (success / failure) and a transaction reference ID — we never see or store your card number, UPI ID, net-banking credentials, or CVV.
Razorpay is PCI-DSS compliant. Their data practices are governed by the Razorpay Privacy Policy.

2.9 Data We Do NOT Collect

Biometric data (fingerprints, face ID)
Raw payment card numbers, UPI IDs, or net-banking credentials (handled solely by Razorpay)
Diagnostic or medical records beyond the emergency type you choose
Social media profiles or contacts from your address book

3. How We Use Your Information

Purpose	Data Used	Legal Basis
Verify your identity at login	Phone number, OTP	Consent / Contractual necessity
Dispatch the nearest available ambulance	Your GPS location, emergency type	Vital interests (emergency) / Contract
Real-time ambulance tracking for patient	Ambulance GPS, patient GPS	Consent / Contractual necessity
Notify hospital of incoming patient	Emergency type, ETA, patient insurance	Vital interests / Contract
Cashless insurance matching	Insurance provider ID	Consent
Calculate ambulance fare (distance × rate)	Pickup & dropoff GPS coordinates	Contractual necessity
Push notifications (booking updates, alerts)	FCM token, booking status	Consent
Hospital support queries (chatbot)	Booking ID, query category, description	Consent
App analytics & crash reporting	Device info, error logs	Legitimate interests (improving safety)
Process ambulance fare payment	Booking amount, Razorpay transaction reference	Contractual necessity
Legal compliance & fraud prevention	All applicable data	Legal obligation

4. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. We share data only as described below:

4.1 Ambulance Partners

When a booking is accepted, the assigned ambulance driver receives your name, pickup location, emergency type, and real-time tracking link. This information is deleted from the driver's active view once the booking is completed.

4.2 Hospital Partners

The receiving hospital is shown your name, emergency type, SOS details, estimated arrival time, insurance provider, and cashless eligibility status. This enables the hospital to prepare appropriate care (bed, OT, specialist) before your arrival.

4.3 Firebase (Google LLC)

Our backend runs on Google Firebase (Cloud Firestore, Firebase Authentication, Firebase Cloud Messaging). Google processes data as our data processor under their Data Processing Terms. Data is stored on Google Cloud servers. Firebase Authentication uses phone number verification only — we never see raw SMS content.

4.4 Legal Authorities

We may disclose data to law enforcement, courts, or government bodies when required by applicable law (including the Information Technology Act, 2000), a court order, or to protect the safety of our users or the public.

4.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify users via the App or email before data is subject to a different privacy policy.

5. App Permissions & Why We Need Them

Permission	Why It Is Required
Precise Location (Foreground)	To pinpoint your pickup location for the ambulance and to show the live map with the ambulance's position relative to yours.
Precise Location (Background)	Required for ambulance partners only — their GPS must update continuously even when the App is minimised so that live tracking works throughout the journey. Patients may also grant background location so the App can update their position if they move before the ambulance arrives.
Internet Access	To communicate with Firebase servers in real time — booking updates, OTP verification, live tracking data, and push notifications all require an active connection.
Push Notifications	To alert patients when their ambulance is dispatched, when it arrives nearby, and when the booking status changes. To alert hospital staff when a patient is en route or when an SOS booking is raised.
Microphone (optional)	Only if you choose to watch embedded first-aid guidance videos in the App. We do not record audio.
Vibration	To alert ambulance drivers and hospital staff of incoming emergency SOS notifications with a vibration pattern.
Phone State (READ_PHONE_STATE)	Used by Firebase Authentication for silent phone number verification on supported Android devices, reducing the need for manual OTP entry.
Receive SMS (RECEIVE_SMS)	Requested on Android to automatically read the one-time password (OTP) sent to your phone during login, so you do not have to type it manually. The App reads only OTP messages from our registered sender and never stores, transmits, or shares SMS content.
Payment (via Razorpay)	In-app payment for ambulance fares is processed by Razorpay. The payment sheet opens within the App but runs inside Razorpay's secure SDK — we do not handle raw card or UPI data.

You may revoke any permission through your device settings at any time. Revoking location permission will disable live ambulance tracking and SOS dispatch. Revoking notification permission will prevent you from receiving emergency booking alerts.

6. Data Security

Encryption in transit: All data between the App and our servers is encrypted using TLS 1.2 / 1.3 (HTTPS). Firebase enforces this by default.
Encryption at rest: Data stored in Firebase Cloud Firestore and Firebase Authentication is encrypted at rest by Google Cloud using AES-256.
Access controls: Firestore Security Rules restrict read and write access so that only the authenticated user, their assigned ambulance driver, and the assigned hospital can read a given booking's data. Admins have separate role-based access.
Authentication: We use phone-number OTP (one-time password) via Firebase Authentication. Passwords are not stored.
Firebase App Check: All API requests from the App are verified using Firebase App Check — Android uses Google Play Integrity, iOS uses Apple App Attest, and the web admin panel uses reCAPTCHA Enterprise. This prevents unauthorised third-party scripts or modified APKs from accessing our backend even if they obtain a valid authentication token.
Single-session enforcement: Ambulance partners and regular users are restricted to one active session at a time to prevent unauthorised concurrent access.
No open database rules: Our Firestore is not publicly readable or writable. All access requires a valid authenticated token.

Despite these measures, no system is 100% secure. If you suspect unauthorised access to your account, contact us immediately at support@medifastcare.com.

7. Data Retention & Account Deletion

Data Type	Retention Period
User account & profile data	Until account deletion is requested
Booking records (completed)	3 years (for billing and legal compliance)
Real-time ambulance location data	Deleted within 24 hours after booking completion
SOS emergency data	3 years (medical and legal records)
Hospital support queries	1 year from resolution
Push notification tokens	Refreshed automatically; deleted on account deletion
Crash / error logs	90 days

🗑️ Request Account & Data Deletion

To permanently delete your MedifastCare account and all associated personal data, send an email to:

support@medifastcare.com

Subject line: Data Deletion Request

Include your registered phone number in the email. We will permanently delete your account and all associated data within 30 days and confirm by email.

Note: Booking records required for legal or billing compliance (up to 3 years) may be retained in anonymised form after account deletion.

8. Your Rights

Under the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 (DPDPA) of India, you have the following rights:

Right to Access: Request a copy of the personal data we hold about you.
Right to Correction: Request correction of inaccurate or incomplete data.
Right to Erasure: Request deletion of your personal data, subject to legal retention obligations.
Right to Withdraw Consent: Withdraw consent for non-essential data processing (e.g., insurance linking) at any time without affecting past processing.
Right to Grievance Redressal: Lodge a complaint with our Grievance Officer at support@medifastcare.com. If unresolved, you may escalate to the Data Protection Board of India once operational.
Right to Nominate: Nominate another person to exercise these rights on your behalf in the event of your death or incapacity.

For users in the European Union: MedifastCare does not currently target EU residents. If you access our services from the EU, GDPR rights (Articles 15–21) may apply. Contact us at the email above for GDPR-related requests.

For users in the United States: MedifastCare is not a HIPAA-covered entity and does not currently target US residents. We do not process Protected Health Information (PHI) as defined under HIPAA.

9. Children's Privacy

MedifastCare is not directed at children under the age of 18. We do not knowingly collect personal data from children. If a parent or guardian believes their child has provided us with personal data, they should contact us immediately at support@medifastcare.com and we will delete the data promptly.

Note: Patients may book ambulances on behalf of minor family members. In such cases, the adult patient (the account holder) is the data principal and is responsible for providing consent on behalf of the minor.

10. Consent & How It Is Obtained

At registration: By completing OTP verification and creating an account, you consent to this Privacy Policy and our Terms of Service.
Location permission: Android and iOS prompt you explicitly before the App accesses your location. You must grant this to use the core booking service.
Notification permission: You are prompted to grant notification access on first launch (required on iOS; requested on Android 13+).
Emergency SOS: By tapping the SOS button, you consent to immediate broadcast of your location and emergency type to the nearest available ambulance and the best-matched hospital.
Insurance data: Linking an insurance provider is optional and can be removed from your profile at any time.

11. Third-Party Services

Service	Provider	Purpose	Privacy Policy
Cloud Database	Google Firebase (Firestore)	Store all app data	Google Privacy Policy
Authentication	Firebase Authentication	Phone OTP login	Google Privacy Policy
Push Notifications	Firebase Cloud Messaging	Booking alerts, SOS alerts	Google Privacy Policy
Maps & Navigation	Google Maps Platform	Live tracking, location search, route display	Google Privacy Policy
File Storage	Firebase Storage (Google Cloud)	Secure storage of medical bills and uploaded booking documents	Google Privacy Policy
First-Aid Videos	YouTube (Google LLC)	In-app first-aid guidance during emergencies	Google Privacy Policy
App Integrity Verification	reCAPTCHA Enterprise (Google LLC)	Silent background check on the web admin panel to confirm requests originate from a genuine browser — no user challenge or visible CAPTCHA is shown	Google Privacy Policy
Payment Processing	Razorpay Software Pvt. Ltd.	Secure in-app collection of ambulance fares via card, UPI, net-banking, or wallets. MedifastCare receives only payment status and a transaction reference — no raw financial credentials are shared with us.	Razorpay Privacy Policy

We encourage you to review the privacy policies of these third-party services. MedifastCare is not responsible for data practices of third-party services beyond our control.

12. Data Safety Summary (Google Play Store)

The following is a summary of our data practices for the Google Play Data Safety form:

Data collected: Name, phone number, precise location, emergency type, insurance provider, device ID, medical bills / invoices (uploaded by hospital/admin only); payment status & transaction reference ID (via Razorpay)
Data shared: Location and emergency type shared with ambulance and hospital partners during active bookings only; payment data processed by Razorpay (PCI-DSS compliant)
Data encryption: All data encrypted in transit (TLS) and at rest (AES-256 via Firebase)
Data deletion: Users can request deletion — contact support@medifastcare.com
Independent security review: Not independently audited (we rely on Firebase/Google Cloud's certifications)
Committed to Play Families Policy: App is not designed for children

13. Legal & Regulatory Compliance

Information Technology Act, 2000 (India): We handle Sensitive Personal Data or Information (SPDI) — including health data and precise location — in accordance with the IT (Reasonable Security Practices) Rules, 2011.
Digital Personal Data Protection Act, 2023 (India): We act as the "Data Fiduciary" for personal data processed through MedifastCare. We maintain a Grievance Officer and honour user rights as defined under the Act.
Consumer Protection Act, 2019 (India): Our terms of service align with consumer protection obligations for digital service providers.
Telecom Regulatory Authority of India (TRAI): SMS OTP messages are sent through registered telecoms in compliance with TRAI's commercial communication regulations.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data practices. When we do:

We will update the "Last Updated" date at the top of this page.
For material changes (e.g., new categories of data collection, new sharing partners), we will notify users via a push notification or in-app banner at least 7 days before the change takes effect.
Continued use of the App after the effective date constitutes acceptance of the updated policy.

15. Contact Us & Grievance Redressal

For any privacy-related questions, requests, or complaints:

Email: support@medifastcare.com
Subject line for requests: "Privacy Request – [Your Name]"
Response time: We aim to respond within 72 hours and resolve within 30 days.
Website: https://medifastcare.com

If you are not satisfied with our response, you may approach the Data Protection Board of India (once operational under the DPDPA 2023) or the relevant consumer court in your jurisdiction.

This Privacy Policy was last reviewed by MedifastCare on May 2026. Previous versions are available on request.