Privacy Policy
1. Who we are
PharmIT Services Private Limited is a private limited company incorporated under the Companies Act, 2013, with its registered office at No. 1362, Sri Bhuvaneshvari Complex, 3rd Floor, East End Main Road, Jayanagar 9th Block, Bengaluru, Karnataka 560069, India. We are the Data Fiduciary in respect of personal data we process about you when you use the Platform directly. Where the Platform is operated by a customer (a "Tenant", typically a distributor, C&F agent, super stockist, retail chain, or pharmacy) and that Tenant uploads data about its own customers, retailers, employees, or patients, the Tenant is the Data Fiduciary and PharmIT is the Data Processor. Our processor obligations are set out in the Data Processing Agreement.
2. What personal data we collect
2.1 Account & tenant administrator data
- Full name, email, mobile number, designation
- Tenant company name, GSTIN, PAN, drug licence numbers (Form 20B / 21B), drug-licence document image
- Postal address of registered office and operational godowns
- Login credentials (passwords are stored as bcrypt one-way hashes; we never see your plain-text password)
- Authentication audit trail (IP address, user agent, timestamps, success / failure outcome)
2.2 Operational data uploaded by Tenants
- Master data: products, suppliers, customers, salesmen, headquarters, divisions, banks, schemes
- Transaction data: invoices, GRNs, vendor bills, sales returns, credit notes, debit notes, receipts, payments, ledgers
- Drug-specific data: batch numbers, expiry dates, schedule classification (H / H1 / X), prescription images for restricted drugs
- Field-force data: medical-representative visits with optional photo proof and GPS coordinates, where the Tenant has enabled location capture
- Communication data: SMS / WhatsApp / email send logs, including recipient phone / email and template variables
2.3 Technical data
- Server logs (timestamp, request URL, IP, user-agent, response status) retained per Section 7
- Cookies — see the Cookie Policy
- Device, browser, and OS metadata
- API access logs for any integration (Razorpay, NIC e-invoice, NIC e-Way Bill, ZeptoMail, etc.)
2.4 Sensitive personal data we do NOT solicit
PharmIT does not require, and discourages Tenants from uploading, the following without an explicit lawful basis: biometric data, financial data beyond what is required for invoicing, sexual orientation, religious beliefs, caste, or political affiliation. Tenants who upload such data do so as Data Fiduciary and bear sole responsibility for it under the DPDP Act 2023 (which defines no separate "sensitive" category; such data is personal data subject to the full obligations of §8) and, to the extent still in force, Rule 3 of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
3. Why we process personal data — lawful basis
The DPDP Act 2023 recognises two grounds for processing (§4(1)): consent (§6) and the "certain legitimate uses" listed in §7. It has no separate "performance of contract" or "legitimate interest" ground; processing that would fall under those headings elsewhere rests here on consent for the specified purpose or on a §7 use, and retention beyond that purpose is permitted only where another law requires it (§8(7)).
| Purpose | Lawful basis (DPDP Act 2023) |
|---|---|
| Provisioning your tenant workspace, authenticating you, billing you | Consent given at signup for this specified purpose (§4(1)(a), §6); data you volunteer for that purpose may also be processed under §7(a) |
| Sending essential service emails (security alerts, password resets, breach notices) | §7(a): operating the service for which you provided your contact details; breach notices are themselves required by §8(6) |
| Generating GST e-invoice IRN via NIC API | §7(d): disclosure to a State instrumentality required by law (CGST Act 2017 and the e-invoicing provisions of the CGST Rules) |
| Maintaining drug-licence / Schedule H register data | §7(a), within the specified purpose; retention required by the Drugs and Cosmetics Act 1940 and Drugs Rules 1945 is permitted by §8(7) |
| Marketing communication (newsletters, product updates) | Separate consent (§6), revocable at any time under §6(4); you can opt out at any time |
| Security monitoring, fraud prevention, abuse detection | §8(5) obliges us to implement reasonable security safeguards; this processing is within the specified purpose (§7(a)), and retention of the logs involved is separately required by the CERT-In Direction of 28 April 2022 |
| Aggregated, de-identified analytics for product improvement | De-identified data is not "personal data" under §2(t); we still apply technical and contractual safeguards against re-identification |
4. With whom we share data
We share personal data only with the following categories of recipients, all bound by written contract and confidentiality terms equivalent to ours:
- Subprocessors — see the live subprocessor list
- Statutory authorities — when required by Indian law (e.g., GST authorities, NIC GSP, CDSCO, state drug-control authorities, CERT-In, courts, and law-enforcement under valid orders, such as a direction under §69 of the IT Act 2000 or a production order under §94 of the BNSS 2023)
- Professional advisors (auditors, lawyers, tax counsel) under non-disclosure obligations
- Business successors in the event of a merger, acquisition, or substantial-asset sale, with continuity of this Privacy Policy
We do not sell personal data. We do not use personal data to train third-party AI models. We do not share personal data for cross-context behavioural advertising.
5. Where personal data is stored
Personal data is stored on infrastructure located in India. Payment-related data is processed and stored in compliance with the RBI Payment Data Storage Direction (RBI/2017-18/153 DPSS.CO.OD.No.2785/06.08.005/2017-2018) — exclusively within India.
If, in future, we use any infrastructure outside India for redundancy or disaster recovery, we will (a) update this policy with at least 30 days' notice, (b) ensure no personal data is transferred to any country or territory that the Central Government has restricted by notification under DPDP §16, and (c) maintain equivalent technical and organisational measures.
6. How we protect personal data
We follow controls aligned with internationally recognised information-security standards and Rule 8 of the IT (Reasonable Security Practices) Rules, 2011. A high-level summary is published in the Security Statement. Highlights:
- Modern transport-layer encryption for all client and integration traffic; encryption at rest where supported by the underlying platform
- Multi-tenant isolation enforced in code and at the data layer; cross-tenant access is structurally blocked
- One-way salted cryptographic hashing of passwords; plain-text passwords are never stored, logged, or transmitted
- An immutable audit trail on every business-data mutation
- Multi-layer perimeter and host protections, including web-application-layer defences and intrusion detection
- Encrypted backups with appropriate retention and periodic restore drills
- Time-synchronised logging consistent with the CERT-In Direction
For security reasons, specific tools, vendors, software versions, and configuration values are not disclosed publicly.
7. How long we retain personal data
| Data category | Retention period | Basis |
|---|---|---|
| Tenant transaction data (invoices, GRNs, ledgers, GST records) | 8 years from end of relevant financial year | Covers §36 CGST Act 2017 (72 months from the due date of the annual return) and §128(5) Companies Act 2013 (8 financial years) |
| Drug-licence and Schedule H / H1 / X registers | 5 years from last entry | Drugs Rules 1945, Rule 65(7) |
| Personal data of tenant administrators (active accounts) | For the duration of the active subscription | Performance of contract |
| Personal data of tenant administrators (closed accounts) | Up to 90 days for re-activation; then anonymised. Audit trail of administrative actions retained per first row. | Legitimate interest + statutory obligation |
| Server access logs | 180 days | CERT-In Direction No. 20(3)/2022 dated 28 April 2022 |
| Authentication / security event logs | 180 days minimum, up to 12 months | CERT-In direction + reasonable security practices |
| Marketing-consent records | 3 years from withdrawal | Limitation Act 1963 |
| Aggregated, de-identified analytics | Indefinitely (no longer personal data) | Outside DPDP scope |
8. Your rights as a Data Principal
Under the DPDP Act 2023 you have the following rights, exercisable by writing to privacy@pharmit.in:
- Right to access — a summary of personal data we process about you (§11)
- Right to correction & erasure — correct inaccurate data; erase data no longer required for the original purpose (§12)
- Right to grievance redressal — escalate to our Grievance Officer; if unresolved within 30 days, escalate to the Data Protection Board of India (§13; under §13(3) our grievance process must be exhausted first)
- Right to nominate — nominate another individual to exercise your rights in case of death or incapacity (§14)
- Right to withdraw consent — easily revoke consent for any consent-based processing (§6(4))
We will respond within 30 days of a verifiable request. We may charge a reasonable fee for repeat or excessive requests, capped at the prescribed amount under the DPDP Rules.
9. Children's data
The Platform is not directed at, and we do not knowingly process personal data of, individuals under 18. If you become aware that a child has provided personal data, contact privacy@pharmit.in and we will delete it. Tenants warrant that they have a lawful basis (verifiable parental consent under DPDP §9(1)) for any data of minors they upload — for example in pharmacy retail records of paediatric prescriptions.
10. Data breach notification
If we discover a personal-data breach affecting your data, we will:
- Notify the Data Protection Board of India in the form and timeline prescribed under DPDP §8(6) (currently expected within 72 hours of discovery, subject to final Rules)
- Notify CERT-In within 6 hours of noticing the incident, as required by CERT-In Direction No. 20(3)/2022-CERT-In dated 28 April 2022 for the incident types it lists (data breaches and data leaks among them)
- Notify affected Data Principals without undue delay, with details of the nature, scope, likely consequences, and the measures taken
11. Grievance Officer
Per Rule 3(2)(a) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 and §8(9) and §8(10) of the DPDP Act 2023:
Grievance Officer: (name to be appointed and published)
Email: grievance@pharmit.in
Postal address: No. 1362, Sri Bhuvaneshvari Complex, 3rd Floor, East End Main Road, Jayanagar 9th Block, Bengaluru, Karnataka 560069, India
Acknowledgement: within 24 hours of receipt
Resolution: within 15 days, or as required by law for the specific category
12. Use of artificial intelligence
The Platform contains AI-assisted features (rate intelligence, product search, compliance review, smart suggestions). When AI features are used:
- Tenant data is sent to the AI provider (Anthropic / OpenAI / Google Gemini, or a self-hosted model the Tenant has configured) only at the moment of inference
- We do not permit AI providers to train their models on Tenant data; this is enforced contractually and technically (provider zero-retention modes are used wherever available)
- AI outputs are recommendations only. The Tenant remains responsible for verifying outputs before acting on them — particularly for billing, compliance, and clinical contexts
- AI features can be disabled at the Tenant level by the SuperAdmin
13. Changes to this policy
We may update this Privacy Policy. Material changes will be communicated by email and / or by an in-platform notice at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
14. How to contact us
PharmIT Services Private Limited
No. 1362, Sri Bhuvaneshvari Complex, 3rd Floor, East End Main Road, Jayanagar 9th Block, Bengaluru, Karnataka 560069, India
General: info@pharmit.in
Privacy / DPDP requests: privacy@pharmit.in
Grievance Officer: grievance@pharmit.in