Effective Date: 10 March 2026
This Privacy Policy governs the collection, use, storage, processing, disclosure, and protection of personal data and health-related information by Pharmacure (hereinafter referred to as "the Application" or "the App"), developed and maintained by Pharmacure and Team. This document has been drafted in compliance with applicable Indian laws, international healthcare data regulations, and Google Play Store policy requirements.
By downloading, installing, registering, or using Pharmacure, you acknowledge that you have read, understood, and consent to the terms described herein. If you do not agree, please discontinue use of the Application immediately.
1. Legal Framework & Governing Laws
Pharmacure operates in compliance with the following Indian and International legal instruments:
• IT Act, 2000 (Section 43A & 72A): The Information Technology Act governs the collection, storage, and protection of sensitive personal data. Section 43A mandates reasonable security practices for body corporates handling sensitive data. Section 72A prescribes penalties for unauthorized disclosure.
• IT (Amendment) Act, 2008: Amendments expanding cybercrime provisions and data protection responsibilities applicable to mobile application developers.
• SPDI Rules, 2011: The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 classify health records and passwords as Sensitive Personal Data or Information (SPDI) requiring heightened protection.
• Digital Personal Data Protection Act, 2023 (DPDPA): India's landmark data protection legislation establishing rights of Data Principals (users), obligations of Data Fiduciaries (app developers), consent requirements, and data localization mandates.
• Drugs and Cosmetics Act, 1940: Governs drug classifications and information standards relevant to the drug information and prescription analysis features of the App.
• Pharmacy Act, 1948: Regulates the profession of pharmacy and applies to any digital platform facilitating pharmacy services or drug information.
• Medical Council of India (MCI) / National Medical Commission (NMC) Act, 2019: Standards governing medical ethics and patient data confidentiality.
• Consumer Protection Act, 2019: Provides remedies to users against unfair trade practices and deficiency of service in digital platforms.
• Indian Contract Act, 1872: Governs the enforceability of this Privacy Policy as a binding agreement between user and developer.
• GDPR (EU) 2016/679: General Data Protection Regulation - applicable where European users access the App. Establishes lawful basis for processing, data subject rights, and cross-border transfer restrictions.
• HIPAA (USA) - Health Insurance Portability and Accountability Act, 1996: Standards for protection of Protected Health Information (PHI). While primarily a US law, Pharmacure adopts HIPAA-equivalent safeguards for health data globally.
• WHO Global Digital Health Strategy 2020-2025: WHO frameworks for ethical use of digital tools in healthcare, data governance, and patient safety.
• ISO/IEC 27001:2022: International standard for Information Security Management Systems (ISMS) - our security infrastructure aspires to these standards.
• HL7 FHIR (Fast Healthcare Interoperability Resources): International standard for healthcare data exchange, used where applicable in prescription and medical record handling.
The following definitions apply throughout this Privacy Policy:
• Personal Data: Any information relating to an identified or identifiable natural person, including name, email, phone number, location, etc.
• Sensitive Personal Data or Information (SPDI): As defined under SPDI Rules 2011 - includes health records, prescriptions, medical history, and biometric data.
• Protected Health Information (PHI): Any individually identifiable health information including treatment records and prescription history.
• Data Fiduciary: Pharmacure and Team - the entity that determines the purpose and means of processing personal data.
• Data Principal: You - the individual whose personal data is being collected and processed.
• Data Processor: Supabase Inc. - the third-party entity processing data on behalf of the Data Fiduciary.
• Consent: A freely given, specific, informed, and unambiguous indication of agreement to data processing.
• Data Localization: Storing data on servers physically located within Indian territory as mandated by applicable laws.
• Anonymization: The process of altering data so that the Data Principal cannot be identified directly or indirectly.
• Full name and display name
• Email address (used for authentication via Supabase Auth)
• Mobile phone number
• Age, height, and weight (for personalized medication and health reference)
• Profile photograph (optional)
This is the most sensitive category. Pharmacure may collect:
• Prescription images and documents uploaded by users
• Medication names, dosages, and treatment schedules
• Chronic conditions, allergies, and medical history (user-entered)
• Physician names and clinic/hospital details
• Drug interaction preferences and health alerts
Note: Health data is classified as Sensitive Personal Data under SPDI Rules 2011 and as PHI under HIPAA standards. It receives the highest level of protection within our systems.
• Precise GPS coordinates (with explicit permission) to locate nearby pharmacies, clinics, and hospitals
• Approximate city/region location for regional pharmacy availability
• Approximate area for nearby pharmacy locator feature
Note: Location is collected only when the app is in use (foreground). We do not track background location.
• Camera access is used to photograph prescriptions and medication labels for OCR-based analysis
• Camera is also used for drug research purposes such as scanning medication packaging, drug labels, and barcodes to retrieve drug information
• Gallery access is available to upload existing prescription images from the device
• Camera is activated only when the user explicitly initiates a scan or photo action within the App
• Captured images are stored securely in Supabase Storage with private bucket policies and are never shared with third parties
Note: Pharmacure does not access the camera in the background. Camera permission can be revoked at any time via device Settings > Apps > Pharmacure > Permissions.
Pharmacure requests microphone (RECORD_AUDIO) permission to support voice-based drug research features. The following terms apply to audio access:
• Microphone access is used solely for voice-based drug name search and research features within the App
• Audio is captured only when the user actively activates the voice input feature; the microphone is never accessed passively or in the background
• Audio input is processed locally or via secure speech-to-text services for query conversion only; no audio recordings are stored permanently on our servers
• Voice input is converted to text (drug name or search term) and the audio data is discarded immediately after processing
• Microphone access is not used for any surveillance, monitoring, or recording of conversations
Note: Microphone permission can be revoked at any time via device Settings > Apps > Pharmacure > Permissions. Revoking microphone access disables voice search but does not affect other App features.
Pharmacure uses push notifications to deliver timely health and medication-related alerts to users. The following apply:
• Medicine reminder notifications based on schedules set by the user
• Drug information alerts and health awareness updates relevant to the user’s saved medications
• App updates and important notices related to Privacy Policy or Terms changes
• On Android 13 and above, notification permission (POST_NOTIFICATIONS) is requested explicitly at runtime with the user’s consent
• Users can manage or disable notifications at any time through device Settings > Apps > Pharmacure > Notifications or within the App under Settings > Notifications
Note: Pharmacure does not send promotional, advertising, or spam notifications. All notifications are strictly health and medication related.
• Device model, OS version, and unique device identifier
• App version and session duration
• IP address and network type
• Crash logs and error reports for debugging
• Push notification tokens for medicine reminders
Pharmacure uses Supabase as its backend database and authentication provider. The following data is stored in Supabase:
• User account records in the auth.users table (managed by Supabase Auth)
• User profile data in custom PostgreSQL tables
• Prescription records and medication schedules
• Order history and pharmacy transaction logs
• App preferences, notification settings, and user configurations
• Uploaded files stored in Supabase Storage (private buckets with signed URL access)
Note: Supabase is SOC 2 Type 2 certified and uses AES-256 encryption at rest. All connections use TLS 1.3 in transit.
Under DPDPA 2023 and GDPR, we process data only under the following lawful bases:
• Consent (Section 6, DPDPA 2023): We obtain your explicit, informed consent before collecting sensitive health data and location information. You may withdraw consent at any time.
• Contractual Necessity: Processing required to provide core App services including account creation, prescription analysis, and health information management.
• Legal Obligation: Compliance with Drugs and Cosmetics Act 1940 and Pharmacy Act 1948 requirements for prescription record-keeping.
• Vital Interests: Emergency scenarios where processing health data is necessary to protect life.
• Legitimate Interests: App improvement, fraud prevention, and security monitoring - balanced against user rights.
We use collected data exclusively for the following purposes:
• Prescription analysis using OCR for user reference and awareness
• Medication reminders and dosage tracking
• Drug interaction alerts and contraindication warnings
• Showing nearby pharmacies for user reference via location-based search
• Providing OCR-based prescription analysis for informational purposes only
• User authentication and account security via Supabase Auth
• Personalized healthcare dashboard and history
• Customer support and grievance resolution
• Providing drug schedule and dosage information for user awareness
• Supporting users in understanding their prescription content through OCR analysis
• Helping users locate nearby pharmacies for their own independent use
• Pharmacovigilance and adverse drug reaction monitoring
• Compliance with regulatory reporting requirements
• Fraud detection and platform abuse prevention
• Aggregated, anonymized usage analytics to improve app features
• Crash reporting and performance optimization
• A/B testing of new healthcare features
Note: Analytics are always based on anonymized or pseudonymized data. Individual user behavior is never sold to advertisers.
Pharmacure's backend infrastructure is built on Supabase, an open-source Firebase alternative. Below are the details of how Supabase handles your data:
• PostgreSQL Database: All user data, health records, prescriptions, and order history are stored in a managed PostgreSQL database hosted on Supabase infrastructure
• Supabase Auth: Handles secure user authentication including email/password login, OTP verification, and JWT token management
• Supabase Storage: Stores prescription images and uploaded documents in private, access-controlled buckets
• Supabase Edge Functions: May be used for serverless processing of health data and notifications
• Realtime: Used for live updates such as reminder notifications and app content updates
• SOC 2 Type 2 Certified infrastructure
• AES-256 encryption for all data at rest
• TLS 1.3 for all data in transit
• Row Level Security (RLS) policies ensure users can only access their own data
• Database access is restricted via API keys - no direct database exposure to clients
• Automated backups with point-in-time recovery
Supabase infrastructure is hosted on AWS. For Indian users, we configure our Supabase project to use the closest available region. We are committed to data localization compliance as DPDPA 2023 regulations are finalized by the Indian government.
Pharmacure enforces Supabase RLS policies so that:
• Each user can only read/write their own records
• Healthcare provider access is scoped to their assigned patients only
• No cross-user data leakage is possible at the database level
• Admin access requires multi-factor authentication and audit logging
Note: Supabase Privacy Policy: https://supabase.com/privacy - Supabase acts as a Data Processor under a Data Processing Agreement with Pharmacure.
Pharmacure uses Optical Character Recognition (OCR) technology to extract and display text from uploaded prescription images. This feature is strictly for the user’s personal reference and knowledge. The following apply:
• Prescription images uploaded by the user are processed using OCR to extract medication names, dosages, and instructions for informational display only
• OCR results may be supplemented by manual review processes to improve accuracy; however, the output remains informational and is not a validated medical interpretation
• Pharmacure does NOT dispense, fulfill, or deliver medications. No pharmacy or pharmacist services are involved in prescription processing within the App
• Prescription data is stored securely in the user’s personal profile for their own reference and is not shared with any third party
Note: Prescription analysis in Pharmacure is purely for the user’s own knowledge and awareness. It does not constitute dispensing, clinical review, or pharmacist consultation under the Pharmacy Act 1948 or Drugs and Cosmetics Act 1940.
Pharmacure provides drug information for educational purposes only. This does not constitute medical advice. Always consult a licensed physician or pharmacist before starting, changing, or stopping any medication.
Although HIPAA is a US regulation, Pharmacure voluntarily adopts equivalent safeguards:
• Minimum Necessary Standard: We collect only the minimum health data required for the service
• Access Controls: Role-based access ensures health data is accessed only by authorized personnel
• Audit Trails: All access to health records is logged with timestamps
• Business Associate Agreements: Any third party accessing PHI signs a data processing agreement
This Privacy Policy complies with Google Play Store Developer Program Policies including:
In the Google Play Data Safety section, Pharmacure discloses:
• Data types collected: Personal info, Health & fitness, Location, Photos, Device info
• All data collection is optional or justified for core functionality
• Data is encrypted in transit using TLS
• Users can request data deletion through in-app settings or by contacting support
• CAMERA: Required to photograph prescriptions, medication labels, and drug packaging for OCR analysis and drug research. Used only when the user initiates a scan action.
• RECORD_AUDIO: Required for voice-based drug name search and research features. Microphone is activated only on explicit user action; no background audio recording occurs.
• READ_EXTERNAL_STORAGE / READ_MEDIA_IMAGES: Required to upload existing prescription photos from device gallery.
• ACCESS_FINE_LOCATION: Required to show nearby pharmacies and enable location-based drug availability.
• INTERNET: Required for all backend communication with Supabase and payment gateways.
• RECEIVE_BOOT_COMPLETED: Required to restart medication reminder alarms after device reboot.
• POST_NOTIFICATIONS: Required for Android 13+ to send medication reminders and order updates.
Any permission classified as "dangerous" by Android is requested only at runtime with clear justification shown to the user. Users may deny permissions; however, certain features will be unavailable without them.
Pharmacure is NOT directed at children under 13. If a user is identified as being under 13, their account will be suspended and data deleted promptly. The app does not collect data from children.
Pharmacure does NOT sell, rent, or trade personal data. Data is shared only under the following strictly controlled circumstances:
• Licensed Pharmacy Partners: Pharmacure does not share prescription data with pharmacies. Prescription uploads are used solely for OCR-based analysis to help users understand their medication information.
• Supabase (Data Processor): Backend infrastructure provider. Processes data under a Data Processing Agreement. Does not use data for its own purposes.
• Payment Gateways: Pharmacure does not process direct payments. No financial data is collected or stored on Pharmacure servers.
• Healthcare Providers: With your explicit consent, your medical data may be shared with a treating physician or specialist.
• Legal & Regulatory Authorities: Disclosure to courts, law enforcement, or regulators when legally required under Indian law (e.g., NDPS Act, court orders).
• Emergency Situations: Health data may be disclosed to emergency services when there is an immediate risk to life.
• Business Transfers: In case of merger, acquisition, or sale, users will be notified 30 days in advance and their data will remain protected.
Under DPDPA 2023 (India) and GDPR (for EU users), you have the following rights:
• Right to Access (Section 11, DPDPA): Request a copy of all personal data we hold about you.
• Right to Correction & Erasure (Section 12 & 13, DPDPA): Request correction of inaccurate data or complete deletion of your account and data.
• Right to Grievance Redressal (Section 13, DPDPA): Lodge complaints with our Grievance Officer. Unresolved complaints may be escalated to the Data Protection Board of India.
• Right to Nominate (Section 14, DPDPA): Nominate another individual to exercise your data rights in case of death or incapacity.
• Right to Withdraw Consent: Withdraw consent for any optional data processing at any time via app settings.
• Right to Data Portability (GDPR Art. 20): Request your data in a machine-readable format (applicable to EU users and as adopted voluntarily for all users).
• Right to Object to Automated Decisions: Object to any purely automated decision-making that significantly affects you.
To exercise any right, contact us at: curecoders25@gmail.com or via in-app Settings > Privacy > Data Request. We will respond within 30 days as required by law.
Pharmacure implements comprehensive technical and organizational security measures:
• TLS 1.3 encryption for all API communications between app and Supabase
• AES-256 encryption for all data stored in Supabase database and storage
• JWT-based authentication with short-lived access tokens and refresh token rotation
• Row Level Security (RLS) at the PostgreSQL database level
• Supabase Storage private buckets with signed URL access (time-limited)
• API rate limiting and DDoS protection
• Regular automated security vulnerability scanning
• Access to production data is restricted to authorized personnel only
• All third-party integrations are reviewed for security compliance
• Incident response plan for data breaches
• Regular security audits and penetration testing
In the event of a data breach, Pharmacure will:
• Notify affected users within 72 hours of discovery (per GDPR Article 33 and DPDPA 2023 requirements)
• Report significant breaches to the Data Protection Board of India
• Provide details of what data was affected and remediation steps taken
We retain data only as long as necessary for the stated purpose or as required by law:
• Account Data: Retained for the duration of account existence + 1 year after deletion (for legal compliance)
• Prescription Records: Minimum 2 years as required under Drugs and Cosmetics Act, 1940
• Health Data: Retained per user consent; deleted within 30 days of deletion request
• Crash Logs & Technical Data: Maximum 90 days
• Anonymized Analytics: May be retained indefinitely as no personal data is involved
As a mobile application, Pharmacure does not use browser cookies. However, the following tracking technologies are used:
• Firebase Analytics / Supabase telemetry for crash reporting and performance metrics
• Device identifiers for push notification delivery
• Session tokens stored securely in device keychain/secure storage
You may opt out of analytics in Settings > Privacy > Analytics. This does not affect core functionality.
Pharmacure is intended for adults aged 18 and above. Users aged 13 to 17 may use the app only with verifiable parental consent as per DPDPA 2023 provisions for minors. The App does not knowingly collect data from children under 13 years of age. If discovered, such data will be deleted immediately and the account will be suspended.
We reserve the right to modify this Privacy Policy to reflect changes in law, technology, or our services. When material changes are made:
• The revised policy will be posted within the App with the updated Effective Date
• Users will be notified via in-app notification and email
• For significant changes affecting rights, 30 days' advance notice will be provided
• Continued use of the App after the effective date constitutes acceptance of the revised policy
As required under IT Act 2000 (Section 5(9), SPDI Rules) and DPDPA 2023, Pharmacure designates the following Grievance Officer:
Grievance Officer & Developer: Pharmacure and Team
Application: Pharmacure
Email: curecoders25@gmail.com
Response Time: Within 30 days of receipt of complaint
Escalation: Unresolved complaints may be escalated to the Data Protection Board of India (once constituted under DPDPA 2023)