## Overview
PharmEasy (API Holdings Private Limited) is a major online pharmacy and healthcare platform in India. They offer medicine delivery, lab tests, and teleconsultations. This means they collect and process a huge amount of highly sensitive personal data, including your medical history, prescriptions, diagnostic reports, and health conditions. With the DPDP Act in force, how they handle this data is super critical, not just for them, but as a benchmark for any company dealing with health info.
## DPDP Readiness: Section-by-Section Analysis

### Section 6 — Consent & Notice 🔴
PharmEasy’s policy suggests a “take it or leave it” consent approach, especially for collecting health data. This doesn’t meet the DPDP Act’s strict requirements for consent, particularly for sensitive personal data.
What the policy says: “By using our services and providing your personal data, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy.”
DPDP requirement: Consent must be free, specific, informed, and unambiguous. For sensitive personal data (like health records), it needs to be even more explicit and granular. Users should be able to consent to core services but decline data sharing for other purposes like research or marketing.
The problem: PharmEasy bundles consent for everything. You can’t say “yes” to ordering medicines but “no” to your health data being used for “improving services” or “research” without withdrawing from the platform entirely. This is a huge risk given the sensitive nature of the data.
### Section 7 — Certain Legitimate Uses ⚠️
The policy broadens “legitimate uses” beyond DPDP’s narrow scope. They mention processing data for “research,” “analytics,” and “service improvement” without always requiring fresh consent.
What the policy says: “We may use your information for internal research, analytics, and service improvement to enhance user experience and develop new features.”
DPDP requirement: The Act defines legitimate uses very strictly – things like medical emergencies, public health, employment, or voluntary provision by the individual. General “service improvement” or “research” for health data usually requires specific consent unless fully anonymized and for specific public health purposes.
The problem: For a healthcare platform, processing sensitive health data for “research” or “analytics” without explicit, specific consent could fall outside DPDP’s legitimate uses, opening them up to non-compliance.
### Section 8 — Obligations of Data Fiduciary ✅
PharmEasy does mention security measures for protecting user data. This is a good step towards meeting the obligations of a Data Fiduciary (the company that decides how and why your data is processed).
What the policy says: “We employ reasonable security measures, including encryption, firewalls, and access controls, to protect your personal information from unauthorized access, disclosure, alteration, or destruction.”
Strength: They reference industry-standard security practices. For health data, this is crucial.
### Section 9 — Data Retention 🔴
This is a major weak point. PharmEasy uses vague language regarding how long they hold onto your sensitive health records.
What the policy says: “We retain your personal data for as long as necessary to provide services, fulfill legal obligations, and for legitimate business purposes.”
DPDP requirement (Section 9): Data Fiduciaries must erase data once its purpose is fulfilled or consent is withdrawn, within a reasonable period. This period must be explicitly defined.
The problem: What is “as long as necessary”? For health records, this could mean decades. Without clear, defined retention periods and automated deletion triggers, users have no control or clarity on when their sensitive medical history will be purged.
### Section 11 — Rights of Data Principal ⚠️
While PharmEasy acknowledges some basic rights, the policy doesn’t fully embrace the expanded rights given to a Data Principal (that’s you!) under DPDP.
What the policy says: “You have the right to access, correct, and update your personal information by logging into your account or contacting our support team.”
DPDP requirement: The Act grants rights like access, correction, erasure (right to be forgotten), data portability, and the right to nominate another person to exercise rights on your behalf (Section 14).
The problem: There’s no clear mention of the right to erase data or the right to nominate someone (crucial for medical data, e.g., if a user becomes incapacitated). The process for exercising rights seems limited to basic account management.
### Section 12 — Right of Grievance Redressal ⚠️
PharmEasy provides contact details for their Grievance Officer, which is a good start. However, it’s missing the crucial escalation path.
What the policy says: “For any privacy-related concerns or grievances, you may contact our Grievance Officer at [email address] or [physical address].”
DPDP requirement: Aside from a Grievance Officer, the law mandates an escalation path to the Data Protection Board of India if the user isn’t satisfied with the company’s resolution within a specified timeframe (usually 30 days).
The problem: The policy doesn’t mention the Data Protection Board as the next step, or a clear timeline for resolving grievances.
### Section 16 — Cross-Border Data Transfer ⚠️
PharmEasy’s policy indicates data might travel outside India, but it’s not specific enough for DPDP.
What the policy says: “Your data may be transferred to and stored at a destination outside India where our affiliates, service providers, or partners operate.”
DPDP requirement: Data transfer outside India is only permitted to countries that have been notified by the Central Government as having adequate data protection standards. This list is yet to be fully published.
The problem: A blanket statement about data possibly going “outside India” doesn’t meet DPDP’s requirement for transparency and adherence to a specific list of approved jurisdictions.
## Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Consent compliance | Critical | Invalid consent for sensitive health data = massive fines |
| Data retention | High | Indefinite holding of medical data = major regulatory and privacy risk |
| Regulatory fine | High | Up to ₹250 Cr for DPDP violations, plus reputational damage |
| Data principal rights | Medium | Incomplete rights framework could lead to user complaints |
| Cross-border transfer | Medium | Pending government notification makes blanket clauses risky |
| Sensitive Personal Data | Critical | Higher standard of care, consent, and security applies |
## Recommendations
- Implement layered, granular consent — Especially for sensitive health data. Allow users to choose specific purposes (e.g., core service, research, marketing) separately.
- Define specific data retention periods — Clearly state how long different types of data (e.g., prescription history, lab reports, marketing preferences) are kept, and when they will be automatically deleted.
- Explicitly reference DPDP Act 2023 — Update the policy to reflect compliance with the new law, not just the older IT Act.
- Add Data Protection Board escalation — Inform users that they can escalate unresolved grievances to the DPB.
- Expand Data Principal rights — Clearly outline the right to erasure and the right to nominate a person (Section 14), with clear, accessible mechanisms to exercise these rights.
- Specify cross-border transfer details — Identify the specific countries data is transferred to and the safeguards in place.
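The first two recommendations (granular, per-purpose consent and defined retention periods with automated deletion triggers) are easy to state and easy to get wrong in an actual data store. The sketch below is an added example written for this post, not PharmEasy's code: it models consent as independent per-purpose decisions, so a user can keep `core_service` while declining `research`, and it computes which stored records are due for erasure because either their retention period has expired or the consent they depend on has been withdrawn. The purpose names, data categories, retention periods and the sample user `alice` are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Purposes a user accepts or declines independently (granular consent).
# Only CORE_SERVICE is needed to use the platform; the others are optional.
# These purpose names are illustrative assumptions.
CORE_SERVICE = "core_service"
RESEARCH = "research"
MARKETING = "marketing"
PURPOSES = (CORE_SERVICE, RESEARCH, MARKETING)

# Retention period per data category, in days from the record's last use.
# Values are illustrative assumptions, not PharmEasy's actual periods.
RETENTION_DAYS = {
    "prescription_history": 365,
    "lab_report": 180,
    "marketing_preference": 90,
}

# Which purpose each data category is processed under.
PURPOSE_OF_CATEGORY = {
    "prescription_history": CORE_SERVICE,
    "lab_report": CORE_SERVICE,
    "marketing_preference": MARKETING,
}


@dataclass
class ConsentState:
    """Per-purpose consent decisions, each with the time it was given or withdrawn."""
    user_id: str
    decisions: dict = field(default_factory=dict)  # purpose -> (granted, when)

    def record(self, purpose, granted, when):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.decisions[purpose] = (granted, when)  # latest decision wins

    def allows(self, purpose):
        granted, _ = self.decisions.get(purpose, (False, None))  # default: no consent
        return granted


@dataclass
class DataRecord:
    record_id: str
    user_id: str
    category: str
    last_used: datetime


def can_process(consent, category):
    """Processing is allowed only while consent for the category's purpose is active."""
    return consent.allows(PURPOSE_OF_CATEGORY[category])


def records_due_for_erasure(records, consents, now):
    """Ids of records to erase: retention expired OR the governing consent was withdrawn."""
    due = []
    for r in records:
        retention_limit = r.last_used + timedelta(days=RETENTION_DAYS[r.category])
        if now > retention_limit or not can_process(consents[r.user_id], r.category):
            due.append(r.record_id)
    return sorted(due)


def build_sample():
    """Constructed sample data: one user, three records, evaluated 60 days after t0."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    alice = ConsentState("alice")
    alice.record(CORE_SERVICE, True, t0)
    alice.record(RESEARCH, False, t0)                        # declined, still a customer
    alice.record(MARKETING, True, t0)
    alice.record(MARKETING, False, t0 + timedelta(days=30))  # withdrawn later
    records = [
        DataRecord("rx-1", "alice", "prescription_history", t0),
        DataRecord("lab-1", "alice", "lab_report", t0 - timedelta(days=200)),        # past 180 days
        DataRecord("mk-1", "alice", "marketing_preference", t0 + timedelta(days=20)),  # consent withdrawn
    ]
    return records, {"alice": alice}, t0 + timedelta(days=60)


if __name__ == "__main__":
    records, consents, now = build_sample()
    print(records_due_for_erasure(records, consents, now))  # ['lab-1', 'mk-1']
```

Running `records_due_for_erasure` on a schedule (nightly, for instance) is what turns a written retention period into an automated deletion trigger; keeping the timestamp alongside each consent decision is what lets you later show when a purpose was granted or withdrawn, which the grievance and rights sections above both depend on.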