top of page

Privacy Policy

Effective date: 17 April 2026

Last updated: 17 April 2026

MedZis operated by GULDAR LABS LLP. This Privacy Policy explains how we collect, use, store, disclose, and protect personal data and health-related information when you use the MedZmobile application, backend services, support channels, and related services.

Publisher details:

1. Important Health Disclaimer

MedZprovides educational health explanations only. It does not provide medical advice, diagnosis, treatment, cure, prevention, clinical monitoring, emergency triage, paediatric assessment, medication safety decisions, or dosage recommendations. It is not a medical device and does not replace a qualified doctor, pharmacist, paediatrician, or other licensed healthcare professional.

Do not use MedZfor emergencies. If you believe you or someone else may need urgent medical help, contact local emergency services or a qualified healthcare professional immediately.

You should consult a qualified healthcare professional before acting on any information shown in the app, especially for symptoms, prescriptions, lab reports, medicines, children, pregnancy, chronic conditions, severe symptoms, allergies, drug interactions, or urgent concerns.

2. Who May Use Health Copilot

MedZis intended for adult account holders. Direct use by children is not intended.

Adult users may create family member profiles, including profiles for minors or dependents, only if they are legally authorized to provide and manage that person's information. By creating a family member profile or uploading a document for another person, you confirm that you have the authority to do so.

When a family member profile is created for a child under 10 years of age, the app displays an additional warning. This warning is intended to remind users that MedZcannot assess paediatric urgency, medicine safety, dosage, or emergencies.

3. Definitions

For this Policy:

  • Personal data means information that identifies or can reasonably identify an individual.

  • Health-related information means information about symptoms, medical history, prescriptions, lab reports, uploaded health documents, extracted health data, or educational explanations linked to a user or family member profile.

  • User means the account holder or person using the Services.

  • Family member profile means a profile created by an adult user for another person, such as a parent, spouse, child, or dependent.

  • Processing means collecting, storing, using, analyzing, sharing, deleting, or otherwise handling data.

Where applicable, terms such as Data Principal, Data Fiduciary, and Data Processor have the meanings given under India's Digital Personal Data Protection Act, 2023.

4. Data We Collect

We collect data that you provide directly, data generated through your use of Health Copilot, and technical data needed to operate and secure the service.

4.1 Account and Login Data

We may collect:

  • Username.

  • Phone number.

  • Recovery email address.

  • Name.

  • Password authentication metadata.

  • PIN session metadata.

  • Access token and refresh token metadata.

  • Login, logout, session, and account security events.

  • Account creation and update timestamps.

We do not store plaintext passwords or plaintext PINs. Passwords and PIN-related secrets should be stored using secure hashing or token mechanisms.

4.2 Profile and Family Member Data

We may collect:

  • Title, first name, last name, and display name.

  • Date of birth or age.

  • Sex.

  • Relationship to the account holder.

  • Marital status, if provided.

  • Active family member profile selection.

  • Family profile creation and update timestamps.

4.3 Health-Related Inputs

To provide the core features, we may collect and process:

  • Symptoms and symptom descriptions.

  • Symptom questionnaire answers.

  • Health questions or chat messages.

  • Medical history or lifestyle information that you choose to enter.

  • Lab report images, PDFs, values, extracted fields, and report text.

  • Prescription images, PDFs, medicine names, instructions, extracted fields, and document text.

  • Family member profile context associated with an explanation.

  • Educational explanations generated by the app.

  • Follow-up questions and responses.

You should not submit information that you are not authorized to provide or that you do not want processed through MedZand its service providers.

4.4 Uploaded Files

When you upload lab reports or prescriptions, we may collect:

  • The uploaded file.

  • File name.

  • File type.

  • File size.

  • Upload timestamp.

  • Storage path or file identifier.

  • OCR or extraction output.

  • Processing status and callback metadata.

The retention period for uploaded files has not yet been finalized. Until a formal retention schedule is adopted, uploaded files and extracted data may be retained as needed to provide the app features, maintain user history, support debugging, comply with legal obligations, and protect the service.

4.5 Feedback and Support Data

When you submit feedback, support messages, or reports about generated content, we may collect:

  • Rating or feedback type.

  • Comment text.

  • Source screen or feature context.

  • Explanation, upload, or session identifier where relevant.

  • Account and family member association where relevant.

  • Submission timestamp.

4.6 Technical, Security, and Usage Data

We may collect:

  • Device type, operating system, and app version.

  • IP address.

  • Approximate location derived from IP address, if processed by infrastructure logs.

  • Request path, response status, and error metadata.

  • Feature usage events needed for reliability and product improvement.

  • Crash logs and performance diagnostics if crash reporting is configured in the future.

  • Security logs needed to detect abuse, unauthorized access, fraud, or service misuse.

Production logs should not intentionally store passwords, PINs, access tokens, refresh tokens, complete uploaded documents, or unnecessary sensitive health content.

5. How We Use Data

We use data to:

  • Create, authenticate, secure, and manage accounts.

  • Provide symptom, lab report, prescription, family profile, and explanation features.

  • Generate educational explanations and plain-language summaries.

  • Associate explanations and uploaded documents with the correct account and family member profile.

  • Process uploaded files and extract relevant information.

  • Maintain explanation history and profile context.

  • Provide support, respond to feedback, and review reports about generated content.

  • Improve safety, reliability, abuse prevention, and performance.

  • Debug technical issues and monitor system health.

  • Comply with applicable law, platform obligations, and lawful requests.

We do not use your data to provide medical diagnosis, treatment, emergency triage, medication dosage advice, or professional medical advice.

6. AI, Model, and Reference-Based Processing

MedZmay use artificial intelligence, document extraction, retrieval systems, and curated medical or public-health references to process user inputs and generate educational explanations.

Inputs sent for AI or document processing may include symptoms, questionnaire answers, uploaded document text, extracted prescription or lab data, and relevant family profile context.

Based on the current compose configuration, the app uses or is configured to use:

  • Main LLM model: gemma-3

  • Embedding model: gemini embedding model.

  • Processor model endpoint configuration: gemma-3

  • Google AI configuration: Google API based model and embedding calls.

  • Reference/RAG index: ICMR-related document index, where configured and seeded.

MedZmay use references such as Indian Council of Medical Research materials, standard public-health references, or other curated documents where available. However, generated explanations may still be incomplete, inaccurate, outdated, or not applicable to your situation. You must consult a qualified healthcare professional before making health decisions.

Current AI/model providers and processors:

  • Google AI services for configured Gemini/Gemma model and embedding calls.

  • AWS-hosted application infrastructure, where deployed in the production AWS environment.

7. Legal Basis and Consent

Where required by applicable law, we process personal data based on your consent, legitimate uses permitted by law, contractual necessity to provide Health Copilot, legal compliance, security needs, or another applicable lawful basis.

By creating an account, using the app, uploading health documents, entering symptoms, or creating family member profiles, you consent to the processing described in this Policy, unless another lawful basis applies.

You may withdraw consent or request deletion as described in this Policy. Withdrawal of consent may limit or prevent use of some or all app features.

8. Children and Family Member Data

MedZis intended for adult account holders. Direct use by children is not intended.

Adult users may create family member profiles for minors or dependents if legally authorized. This may involve processing health-related information about a minor, including symptoms, lab reports, prescriptions, and generated explanations.

For family profiles below 10 years of age, the app displays an additional warning before profile creation. This does not make the app a paediatric medical service and does not replace paediatric medical advice.

If you are a parent, guardian, or authorized representative and want to access, correct, or delete information associated with a minor family profile, use the in-app controls where available or contact care@guldarlabs.com.

If we become aware that a child directly used the app or provided personal data without appropriate adult authorization, we may delete or restrict that data and account access.

9. How We Share Data

We do not sell, rent, or trade your personal data or health-related information.

We may share data only in limited circumstances.

9.1 Service Providers

We may share data with service providers that help us operate Health Copilot, such as:

  • Cloud hosting providers.

  • Database and storage providers.

  • AI model or document processing providers.

  • SMS or OTP providers if phone-based authentication is enabled.

  • Security, monitoring, analytics, or crash reporting providers if configured in the future.

  • Customer support tools if configured in the future.

These providers may process data only for the purposes we authorize and subject to appropriate confidentiality, security, and data processing obligations.

Current provider list:

  • Hosting provider: AWS.

  • Database/storage provider: AWS-hosted infrastructure and application databases in the production deployment.

  • Application infrastructure region: India, AWS ap-south-1 where deployed according to current compose/environment configuration.

  • AI provider: Google AI services and NVIDIA API endpoint as configured for model calls.

  • Notification provider: Not configured for push notifications.

  • Analytics provider: Not configured.

  • Crash reporting provider: Not configured.

  • Email provider: No app-generated transactional email provider is currently configured. The company mailbox care@guldarlabs.com is used as a support and privacy contact channel.

  • SMS/OTP provider: AWS SNS is configured as the default OTP provider in compose, but phone authentication may be disabled depending on deployment settings.

9.2 Legal and Safety Reasons

We may disclose data if required to comply with applicable law, court orders, legal process, government requests, security investigations, or to protect the rights, safety, and security of users, the public, or Health Copilot.

9.3 User-Directed Sharing

We may share data when you explicitly direct us to do so, such as when you choose to share information with a healthcare professional, family member, or support channel.

10. Data Storage and Processing Location

MedZoriginates from India. Primary application infrastructure and data storage are intended to operate in India using AWS infrastructure, including the ap-south-1 region according to the current compose/environment configuration.

AI/model processing uses Google AI services and NVIDIA API endpoint integrations as configured in the application. These providers may process data according to their own infrastructure and service configurations. We will update this Policy if the production processing location or provider configuration changes materially.

11. Security Measures

We use reasonable technical and organizational safeguards designed to protect personal data and health-related information. These may include:

  • HTTPS/TLS encryption for data in transit.

  • Encryption or equivalent safeguards for sensitive data at rest where supported.

  • Secure password and PIN handling.

  • Authentication and authorization controls.

  • Role-based access controls for administrative systems.

  • Access logging and monitoring.

  • Backup and disaster recovery controls.

  • Vulnerability review and security testing.

  • Limiting staff or contractor access to data based on need.

No method of transmission or storage is completely secure. Users should protect their devices, use strong credentials, and avoid submitting information they do not want processed digitally.

12. Data Retention

We retain data only as long as needed for the purposes described in this Policy, unless a longer period is required or permitted by law, security needs, dispute resolution, backup integrity, or legitimate operational requirements.

The current codebase defines 30-day retention for backend and agent service log files. Formal retention periods for account data, uploaded files, extracted health data, explanations, feedback, support messages, and backups have not yet been finalized.

Until formal retention periods are adopted, the following working approach applies:

  • Account data is retained while the account is active and as needed for legal, security, dispute resolution, and operational purposes.

  • Profile and family member data is retained while the account is active or until removed by the user or through a verified deletion request, subject to legal and operational exceptions.

  • Uploaded files, extracted health data, and explanations may be retained to provide app features, maintain history, support debugging, and protect the service.

  • Feedback and support messages may be retained to respond to requests, improve safety, investigate reports, and maintain records of support interactions.

  • Backend and agent service log files are configured for 30-day file retention in the current codebase.

  • Security logs and backups may be retained as needed for security, fraud prevention, disaster recovery, and legal compliance.

When an account is deleted, we delete or de-identify personal data unless retention is required or permitted by applicable law, security, fraud prevention, dispute resolution, backup integrity, or legitimate operational requirements.

Anonymized or aggregated data that does not identify an individual may be retained for research, analytics, safety, and service improvement.

13. Account Deletion and Data Deletion

You may request deletion of your account and associated data by emailing care@guldarlabs.com. A public account deletion URL will be published before Google Play submission.

The app currently includes an in-app account deletion screen. During review of the current codebase, the screen appears to record a deletion request in the user interface, while a fully wired backend deletion implementation still needs to be verified before this is represented as completed self-service deletion.

We may need to verify your identity before processing a deletion request. Deletion requests should describe the account to be deleted, such as username, phone number, or recovery email. If the request concerns a family member profile, please identify the relevant profile.

Some data may remain temporarily in backups, logs, security records, or systems where retention is required or permitted by law or legitimate operational needs. Such data will be deleted or de-identified according to the applicable retention schedule once finalized.

14. Your Rights

Depending on applicable law, including the Digital Personal Data Protection Act, 2023 where applicable, you may have rights to:

  • Access information about personal data processed by us.

  • Request correction or update of inaccurate or incomplete personal data.

  • Request deletion or erasure of personal data that is no longer needed.

  • Withdraw consent where processing is based on consent.

  • Raise a grievance about privacy or data handling.

  • Nominate another individual to exercise rights in the event of death or incapacity, where applicable.

To exercise these rights, contact care@guldarlabs.com or use the in-app controls where available.

We may ask for information needed to verify your identity and protect your account before acting on a request.

15. Privacy and Grievance Contact

We provide a privacy and grievance contact for data protection questions, rights requests, deletion requests, and privacy complaints.

Contact details:

  • Name or team: GULDAR LABS LLP Privacy Team

  • Email: care@guldarlabs.com

  • Phone: Not configured for privacy requests at this time

  • Postal address: A303, Vartika Chowk, Bestech Park, Sector 49, Gurgaon, Gurgaon - 122018, Haryana, India

We will acknowledge and respond to privacy or grievance requests within a reasonable period, subject to applicable law, request complexity, and verification requirements.

If MedZis later classified as a Significant Data Fiduciary or another law requires a formal Data Protection Officer or Grievance Officer, this section should be updated with the required officer details.

16. Cookies, Local Storage, and Similar Technologies

The app may use local storage, secure device storage, cookies, or similar technologies to:

  • Keep users signed in.

  • Store app preferences.

  • Remember onboarding or consent state.

  • Maintain PIN/session state.

  • Improve app performance and security.

We do not use tracking technologies for third-party advertising or cross-app profiling unless this Policy is updated and users are provided required notices and choices.

17. Third-Party Links and References

MedZmay include links or references to third-party websites, medical references, public-health resources, or support services. We are not responsible for the privacy practices, content, security, or accuracy of third-party services. You should review their privacy policies before submitting information to them.

18. Notifications and Communications

Push notifications are not currently configured. If notification features are enabled in the future, we may send service-related notifications such as processing completion, account security alerts, support updates, or feature status updates. Marketing notifications, if any, will be handled separately and subject to applicable consent requirements.

Current notification provider: Not configured.

19. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify users through the app, email, or another reasonable method before or when the changes take effect, as required by applicable law.

The updated Policy will show the latest effective date. Continued use of MedZafter the updated Policy takes effect means you accept the updated Policy, where permitted by law.

20. Governing Law and Jurisdiction

This Policy is governed by the laws of India.

Subject to applicable law, disputes relating to this Policy will be subject to the courts located in Gurgaon, Haryana, India.

21. Contact Us

For privacy questions, support, deletion requests, or data rights requests, contact:

  • Privacy and grievance email: care@guldarlabs.com

  • Support email: care@guldarlabs.com

  • Postal address: A303, Vartika Chowk, Bestech Park, Sector 49, Gurgaon, Gurgaon - 122018, Haryana, India

  • Account deletion URL: To be published before Google Play submission. Until then, email care@guldarlabs.com.

bottom of page