Archived analysis

This page is old. MediBuddy was reviewed on 2026-04-17.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Healthcare

MediBuddy

Ready Score 42/100
Sushant Pasumarty
Analysis supervised by Sushant Pasumarty
📅 17 Apr 2026


MediBuddy's privacy policy is comprehensive under older regulations but lacks explicit alignment with the DPDP Act 2023. Given its handling of sensitive health data, the absence of granular consent, specific data retention periods, and clear cross-border transfer rules poses significant compliance challenges and potential liabilities.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.


We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-04-17
  • Company: MediBuddy
  • Readiness score: 42/100
  • Policies and product behavior may have changed since review
  • Readers should verify whether the current source policy still matches this archived policy-only review
  • Readers should verify whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.


⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference
  • Bundled consent for all data processing purposes
  • Vague data retention period: 'as long as necessary'
  • No mention of Data Protection Board as grievance escalation
  • Cross-border transfers lack specific countries or safeguards
  • Nomination rights under Section 14 not addressed
  • Absence of explicit right to data portability

✅ Strengths

  • Comprehensive list of data collected
  • Detailed security measures including encryption, firewalls
  • Grievance Officer contact published with 30-day response
  • Commitment to breach notification to authorities and users
  • Right to access, correct, delete data acknowledged

Overview

MediBuddy is a prominent Indian digital healthcare platform offering online doctor consultations, medicine delivery, lab tests, and health check-ups. As a Data Fiduciary (the entity determining why and how your data is processed), MediBuddy handles highly sensitive personal data, including medical history, health records, biometric data, and financial information. For you, the Data Principal (the individual whose data is being processed), understanding how they manage this critical information under India’s new privacy law, the DPDP Act, is crucial.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent

MediBuddy’s policy relies on a bundled consent model. When you sign up or use their services, you agree to their privacy policy and all terms. This is a “take it or leave it” approach that does not meet the “freely given” standard required by Section 6 of the DPDP Act.

What the policy says: “By visiting the Website and/or using the App/Services and/or registering on the Website/App, you signify your assent to this Privacy Policy.”

DPDP requirement: Consent must be free, specific, informed, and unconditional. It must be given for a specific purpose, not for a bundle of unrelated activities, and must be easily withdrawn.

The problem: You can’t, for example, agree to medical consultations but decline the use of your health data for “product improvement” or “research” without opting out of the entire service.

Section 7 — Certain Legitimate Uses ⚠️

The policy lists various purposes for processing data, including “improving our services,” “research and analytics,” and “marketing purposes.” Some of these uses might fit the DPDP Act’s narrow definition of “legitimate uses” (such as providing the service you explicitly requested). Others, especially marketing and broader “product improvement,” would typically require specific, separate consent under the DPDP Act; they cannot be claimed as legitimate uses without an explicit opt-in.

DPDP requirement: Section 7 limits “legitimate uses” to specific scenarios like voluntary sharing by the Data Principal, state functions, medical emergencies, or employment-related purposes.

The problem: MediBuddy’s broad interpretation for purposes like personalization and marketing without granular consent could be challenged.

Section 8 — Obligations of Data Fiduciary ✅

MediBuddy outlines several security safeguards, including data encryption, firewalls, and secure socket layer technology. They also mention a commitment to notify “applicable regulatory authorities and affected Users” in case of a data breach. This generally aligns well with the DPDP Act’s requirement for reasonable security safeguards and data breach notification.

Strength: The policy details various technical and organizational measures to protect personal data.

Section 9 — Data Retention 🔴

This is a critical gap. The policy uses vague language regarding how long your sensitive health data is kept.

What the policy says: “We retain your personal information for as long as your account is active or as needed to provide you services… We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.”

DPDP requirement (Section 9): Data Fiduciaries must erase data when the purpose for which it was collected is fulfilled, or consent is withdrawn. There must be a clear, specific retention period.

The problem: You have no clear idea when your medical history, consultation records, or test results will be purged after you stop using MediBuddy. This exposes users to long-term data risks.

Section 11 — Rights of Data Principal ⚠️

MediBuddy acknowledges the right to access, correct, update, and delete personal information, which is a good start. However, the mechanism is limited (via logging into the account or contacting the Grievance Officer), and it lacks several DPDP-specific rights.

DPDP requirement: Section 11 grants Data Principals rights like access, correction, erasure, and the right to nominate another person to exercise these rights (Section 14). There’s also the implicit right to data portability.

The problem: There’s no mention of the right to nominate another person (e.g., in case of incapacitation) or an explicit right to data portability.

Section 12 — Right of Grievance Redressal ⚠️

MediBuddy provides details of a Grievance Officer (name, email, address) and commits to responding within 30 days. This is a positive step. However, it fails to mention the Data Protection Board of India as an escalation path.

DPDP requirement: The Act mandates that the Grievance Redressal Officer is the first point of contact, but if the Data Principal isn’t satisfied, they have the right to escalate their complaint to the Data Protection Board.

The problem: Without mentioning the DPB, users might not know their ultimate recourse if their grievance isn’t resolved internally.

Section 16 — Cross-Border Data Transfer 🔴

MediBuddy states they may transfer data outside India, but the details are alarmingly vague, especially for sensitive health data.

What the policy says: “We may transfer your Personal Information to third-party service providers located outside India… These countries may not have the same data protection laws as India.”

DPDP requirement (Section 16): Cross-border data transfer is only permitted to countries or territories notified by the Central Government. Specific safeguards for such transfers must also be clearly stated.

The problem: This blanket statement about transferring data to countries potentially without adequate data protection is a major red flag under the DPDP Act. It doesn’t specify which countries or what specific contractual/technical safeguards are in place.

Risk Assessment

| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr per instance for serious breaches |
| Consent compliance | High | Bundled consent invalidation affects all users |
| Data retention | Critical | Indefinite retention of sensitive health data = massive exposure |
| Cross-border transfer | Critical | Transfer to unapproved jurisdictions risks penalties & data misuse |
| Data principal rights | Medium | Incomplete rights framework leads to user dissatisfaction & non-compliance |
| DPDP Act alignment | High | Policy not updated to India’s new privacy law |

Recommendations

  1. Implement layered, granular consent: Provide clear, separate checkboxes for different purposes (e.g., service delivery, marketing, research). Let users choose.
  2. Define specific data retention periods: State clear timelines for different types of data (e.g., “consultation records: 8 years as per medical retention guidelines; marketing data: deleted on consent withdrawal within 30 days”).
  3. Update DPDP Act 2023 references: Explicitly mention compliance with the DPDP Act 2023 throughout the policy.
  4. Add Data Protection Board escalation: Clearly state that users can escalate unresolved grievances to the Data Protection Board.
  5. Specify cross-border transfers: Name the specific countries data is transferred to and detail the safeguards used (e.g., standard contractual clauses). If unknown, state data is only processed within India.
  6. Include nomination rights: Allow users to nominate a person to act on their behalf as per Section 14 of the DPDP Act.
