Legal

Privacy Policy

Last updated: May 19, 2026

Effective for all Desha AI applications including MedNote

1. Introduction

Desha AI ("Desha," "we," "our," or "us") operates the MedNote mobile and web application, a healthcare technology platform designed to support personal health management, prescription tracking, and medication adherence. We are committed to protecting your privacy and handling your health information with the utmost care and transparency.

This Privacy Policy describes what data we collect, why we collect it, how we use and protect it, and your rights regarding your personal and health information. It applies to all users of MedNote across iOS (Apple App Store), Android (Google Play Store), and our web platform.

By creating an account or using MedNote, you agree to this Privacy Policy. If you do not agree, please do not use our services.

2. Company Information

Company: Desha AI

Email: privacy@desha.ai

Website: https://desha.ai

Data Controller: Desha AI (for users in the EU/EEA and UK)

Operating Markets: Asia, Europe, and the United States

3. Information We Collect

3.1 Account and Identity Information

  • Full name, date of birth, and gender
  • Email address and mobile phone number
  • Profile photograph (optional)
  • Family member profiles added by the account holder

3.2 Health and Medical Information

This is sensitive data. We collect it only to provide core health features and only with your explicit consent.

  • Prescription documents and medication details (uploaded by you)
  • Medical history and chronic condition records (self-reported)
  • Medication schedules and adherence logs
  • Health Responsibility Score (HRS) data points
  • Vitals and health readings you choose to log (blood pressure, glucose, etc.)
  • Doctor consultations and clinical notes (if connected to DocNote)
  • Healthcare provider information

3.3 Usage and Technical Information

  • App interactions, features accessed, and session duration
  • Device type, operating system version, and unique device identifiers
  • IP address and approximate location (country/city level)
  • Push notification interaction data
  • Crash reports and app performance diagnostics

3.4 Device Permissions We Request

  • Camera / Photo Library: To upload prescription images and profile photos
  • Notifications: To send medication reminders and health alerts
  • Biometrics (Face ID / Fingerprint): To secure your account login (optional)

You can revoke any permission at any time through your device settings. Revoking certain permissions may limit app functionality.

3.5 Payment Information

The MedNote iOS app is completely free and does not offer any In-App Purchases. Protect Plus subscriptions are purchased exclusively through the Desha AI website at desha.ai.

Web-based subscription payments are processed by our third-party payment processor. We do not store your full payment card details on our servers. Billing records are retained for legal and tax compliance purposes.

4. How We Use Your Information

1

Providing and personalising MedNote

To deliver medication reminders, track adherence, compute your HRS, and display your health timeline.

2

Prescription Intelligence Processing

AI-assisted extraction of medication names, dosages, and schedules from uploaded prescription images. Processing occurs on secure servers and extracted data is linked to your profile.

3

Family Health Management

To enable the account holder to manage health profiles for family members (including minors) under a single subscription.

4

Communications and Notifications

Medication reminders, health alerts, appointment notifications, and service updates. Marketing communications only with your explicit consent.

5

Safety, Security, and Legal Compliance

Fraud prevention, platform security, and compliance with applicable healthcare data laws including GDPR, DPDP Act (India), HIPAA (where applicable), and CCPA.

6

Service Improvement and Research

Aggregated and anonymised data may be used to improve platform features. We do not use identifiable health data for research without separate, explicit consent.

5. Third-Party AI Service — Data Sharing Disclosure

Apple App Store & Google Play — Required Disclosure

MedNote uses a third-party AI service to process prescription images. Before any prescription data is sent to this service, you are shown an explicit in-app consent prompt and must actively agree. You can opt out at any time.

5.1 What AI Service We Use

MedNote's Prescription Intelligence Engine is powered by Microsoft Azure AI Services (Azure Cognitive Services / Azure AI Document Intelligence), operated by Microsoft Corporation. Azure AI processes prescription images on our behalf under a Data Processing Agreement that requires equivalent data protection standards to those we apply.

5.2 What Data Is Sent to the AI Service

When you use the Prescription Intelligence feature, the following data is transmitted to Azure AI:

  • The prescription image or document you upload (JPEG, PNG, or PDF)
  • A unique request identifier (not your name, email, or account ID)

What is NOT sent: Your name, email address, date of birth, account credentials, or any other personally identifiable information is never transmitted to the AI service. The image is processed ephemerally — Azure AI does not retain it after the response is returned.

5.3 What the AI Returns

The AI service returns structured data extracted from the prescription: medication names, dosages, frequency, and prescribing doctor's name (where visible). This extracted data is then stored in your MedNote profile on our secure Azure servers and linked to your account. It is never shared with other users or third parties beyond the hosting described in Section 7.

5.4 Your Consent and How to Opt Out

You are in control. The AI prescription scan is never triggered automatically.

  1. When you upload a prescription for the first time, MedNote displays a consent prompt explaining that the image will be processed by Azure AI.
  2. You must tap "I Agree" before the scan begins. Tapping "Cancel" uploads the image without AI processing — you can manually enter medication details instead.
  3. You can change your AI processing preference at any time in Settings → Privacy → Prescription AI Scan.
  4. Withdrawing consent stops future AI processing but does not delete previously extracted data. To remove previously extracted data, use Settings → Account → Delete Health Data.

5.5 Azure AI Data Protection

Microsoft Azure AI Services is bound by the following protections, which meet or exceed our own standards:

  • ISO 27001, SOC 2 Type II, and CSA STAR certified
  • HIPAA Business Associate Agreement (BAA) eligible
  • GDPR compliant — Azure processes data as a Data Processor under our instructions
  • Data is not used to train Microsoft's AI models unless you explicitly opt in (we do not enable this)
  • Processed data is deleted from Azure's transient cache immediately after response
Microsoft Privacy Statement →

6. Legal Basis for Processing

Processing ActivityLegal Basis
Account creation and service deliveryContract performance
Health data processing (prescriptions, HRS, adherence)Explicit consent (Art. 9 GDPR / equivalent)
Push notifications — health alertsContract performance + explicit consent
Marketing communicationsExplicit consent (opt-in only)
Analytics and crash reportingLegitimate interests (service improvement)
Legal obligationsLegal obligation

7. Third-Party Services and Data Sharing

We do not sell your personal or health data. We share data only with the following categories of processors under appropriate data processing agreements:

Microsoft Azure (Cloud Infrastructure)

All application data, health records, and prescription files are stored on Microsoft Azure servers. Azure is certified for healthcare data (ISO 27001, SOC 2, HIPAA BAA eligible). Data is encrypted at rest (AES-256) and in transit (TLS 1.3).

Microsoft Privacy Statement →

Google Firebase (Push Notifications & Analytics)

We use Firebase Cloud Messaging for medication and health reminders, and Firebase Analytics for anonymised app usage analytics. Analytics data is aggregated and does not include health records or prescription content.

Firebase Privacy Policy →

Apple / Google (App Distribution)

The MedNote iOS app is distributed through the Apple App Store and the Android app through Google Play. The iOS app does not offer In-App Purchases — no payment data is exchanged with Apple for subscriptions. App-store crash and device data may be shared with Apple/Google per their standard platform policies.

Healthcare Providers (with your consent)

If you connect MedNote to a DocNote-registered clinician, specific adherence data and health records may be shared with that provider. You control and can revoke this connection at any time from your account settings.

Legal and Regulatory Authorities

We may disclose information when required by applicable law, court order, or governmental authority in the EU, India, United States, or other jurisdictions where we operate.

8. Children and Family Accounts

Parental Consent Required

MedNote allows family account holders to add child profiles for dependant health management. Adding a child profile constitutes your explicit consent as a parent or legal guardian to collect and process that child's health information within MedNote.

  • The primary account holder must be 18 years or older
  • Child profiles are accessible only within the family account — children do not have independent login access
  • Health data for child profiles is subject to the same security and retention policies as adult data
  • Parents/guardians may delete a child's profile and all associated data at any time from account settings
  • We do not knowingly allow individuals under 18 to create independent MedNote accounts
  • If you believe we have inadvertently collected information from a minor without parental consent, contact us at privacy@desha.ai to request deletion

9. Data Retention

Data TypeRetention Period
Account and profile informationDuration of account + 30 days after deletion request
Health records and prescriptionsDuration of account + 30 days after deletion request
Medication adherence logsDuration of account + 30 days after deletion request
Anonymised analytics dataUp to 24 months
Transaction/billing records7 years (legal/tax requirement)
Support communications3 years from last interaction

10. Data Security

We apply healthcare-grade security measures to protect your data:

AES-256 Encryption

All data at rest is encrypted using AES-256. All data in transit uses TLS 1.3.

Role-Based Access Control

Strict RBAC ensures only authorised personnel access specific data categories.

Zero-Log Policy

We do not log or track your health data beyond what is necessary for care delivery.

DPIA Conducted

A Data Protection Impact Assessment has been conducted for all high-risk health data processing activities.

No method of electronic transmission or storage is 100% secure. In the event of a data breach that affects your rights and freedoms, we will notify you and relevant authorities as required by applicable law.

11. Your Privacy Rights

Depending on your country of residence, you have the following rights. To exercise any of these rights, contact us at privacy@desha.ai. We will respond within 30 days.

Access
Request a copy of all personal and health data we hold about you.
Correction
Request correction of inaccurate or incomplete personal information.
Deletion
Request deletion of your account and all associated data. You may also delete your account directly in the MedNote app under Settings → Account → Delete Account.
Portability
Request a structured, machine-readable export of your health data (FHIR R4 format where applicable).
Objection
Object to processing based on legitimate interests. Opt out of analytics or marketing at any time.
Withdraw
Withdraw consent for health data processing at any time. This will limit certain features but will not affect lawfulness of prior processing.

How to Delete Your Account

  1. Open MedNote app → go to Settings
  2. Tap AccountDelete Account
  3. Confirm deletion — your data will be permanently erased within 30 days
  4. Alternatively, email privacy@desha.ai with the subject "Account Deletion Request"

12. Jurisdiction-Specific Rights

European Union & UK (GDPR / UK GDPR)

You have the rights described in Section 11 above under the General Data Protection Regulation. You also have the right to lodge a complaint with your national data protection authority (e.g., ICO in the UK, CNIL in France).

India (Digital Personal Data Protection Act, 2023)

We comply with the DPDP Act 2023. You have the right to access, correct, and erase your personal data. You may nominate another person to exercise your rights on your behalf. Grievances can be raised by emailing privacy@desha.ai.

United States (CCPA / State Laws)

California residents have the right to know what personal information we collect, request deletion, and opt out of any sale of personal information (we do not sell personal data). We honour opt-out requests within 15 business days.

Healthcare Data (HIPAA — US Users)

For users in the United States where HIPAA may apply, MedNote operates as a personal health record application under individual user control. Where we partner with covered healthcare entities, appropriate Business Associate Agreements are in place.

13. International Data Transfers

Your data may be processed in data centres in Europe, Asia, and the United States (via Microsoft Azure infrastructure). Where data is transferred outside your country, we ensure appropriate safeguards are in place including EU Standard Contractual Clauses, adequacy decisions, or other approved transfer mechanisms under applicable data protection laws.

14. Cookies and Tracking Technologies

Our web platform uses cookies and similar technologies for authentication, security, and analytics. The MedNote mobile app uses Firebase SDK for anonymised analytics and crash reporting.

You can control cookie preferences via our cookie banner or your browser settings. For detailed information, see our Cookie Policy.

15. Medical Information Disclaimer

MedNote is a health management tool designed to help you organise and track your medications and health information. It is not a medical device and does not provide medical diagnoses, treatment recommendations, or clinical advice. Always consult a qualified healthcare professional for medical decisions. In a medical emergency, contact your local emergency services immediately.

16. Contact and Complaints

For any privacy-related questions, data requests, or complaints, contact our Privacy team:

Privacy Email: privacy@desha.ai

Response Time: Within 30 days of receipt

Subject line for requests: "Privacy Request — [Your Name]"

If you are not satisfied with our response, you may lodge a complaint with the relevant data protection authority in your jurisdiction.

17. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or applicable laws. When we make material changes, we will notify you via in-app notification and update the "Last updated" date above. For significant changes affecting health data processing, we will seek fresh consent where required by law. Continued use of MedNote after the effective date constitutes acceptance of the updated policy.