Privacy Policy
Last updated: May 19, 2026
Effective for all Desha AI applications including MedNote
1. Introduction
Desha AI ("Desha," "we," "our," or "us") operates the MedNote mobile and web application, a healthcare technology platform designed to support personal health management, prescription tracking, and medication adherence. We are committed to protecting your privacy and handling your health information with the utmost care and transparency.
This Privacy Policy describes what data we collect, why we collect it, how we use and protect it, and your rights regarding your personal and health information. It applies to all users of MedNote across iOS (Apple App Store), Android (Google Play Store), and our web platform.
By creating an account or using MedNote, you agree to this Privacy Policy. If you do not agree, please do not use our services.
2. Company Information
Company: Desha AI
Email: privacy@desha.ai
Website: https://desha.ai
Data Controller: Desha AI (for users in the EU/EEA and UK)
Operating Markets: Asia, Europe, and the United States
3. Information We Collect
3.1 Account and Identity Information
- Full name, date of birth, and gender
- Email address and mobile phone number
- Profile photograph (optional)
- Family member profiles added by the account holder
3.2 Health and Medical Information
This is sensitive data. We collect it only to provide core health features and only with your explicit consent.
- Prescription documents and medication details (uploaded by you)
- Medical history and chronic condition records (self-reported)
- Medication schedules and adherence logs
- Health Responsibility Score (HRS) data points
- Vitals and health readings you choose to log (blood pressure, glucose, etc.)
- Doctor consultations and clinical notes (if connected to DocNote)
- Healthcare provider information
3.3 Usage and Technical Information
- App interactions, features accessed, and session duration
- Device type, operating system version, and unique device identifiers
- IP address and approximate location (country/city level)
- Push notification interaction data
- Crash reports and app performance diagnostics
3.4 Device Permissions We Request
- Camera / Photo Library: To upload prescription images and profile photos
- Notifications: To send medication reminders and health alerts
- Biometrics (Face ID / Fingerprint): To secure your account login (optional)
You can revoke any permission at any time through your device settings. Revoking certain permissions may limit app functionality.
3.5 Payment Information
The MedNote iOS app is completely free and does not offer any In-App Purchases. Protect Plus subscriptions are purchased exclusively through the Desha AI website at desha.ai.
Web-based subscription payments are processed by our third-party payment processor. We do not store your full payment card details on our servers. Billing records are retained for legal and tax compliance purposes.
4. How We Use Your Information
Providing and personalising MedNote
To deliver medication reminders, track adherence, compute your HRS, and display your health timeline.
Prescription Intelligence Processing
AI-assisted extraction of medication names, dosages, and schedules from uploaded prescription images. Processing occurs on secure servers and extracted data is linked to your profile.
Family Health Management
To enable the account holder to manage health profiles for family members (including minors) under a single subscription.
Communications and Notifications
Medication reminders, health alerts, appointment notifications, and service updates. Marketing communications only with your explicit consent.
Safety, Security, and Legal Compliance
Fraud prevention, platform security, and compliance with applicable healthcare data laws including GDPR, DPDP Act (India), HIPAA (where applicable), and CCPA.
Service Improvement and Research
Aggregated and anonymised data may be used to improve platform features. We do not use identifiable health data for research without separate, explicit consent.
5. Third-Party AI Service: Data Sharing Disclosure
Apple App Store & Google Play: Required Disclosure
MedNote uses a third-party AI service to process prescription images. Before any prescription data is sent to this service, you are shown an explicit in-app consent prompt and must actively agree. You can opt out at any time.
5.1 What AI Service We Use
MedNote's Prescription Intelligence Engine is powered by Microsoft Azure AI Services (Azure Cognitive Services / Azure AI Document Intelligence), operated by Microsoft Corporation. Azure AI processes prescription images on our behalf under a Data Processing Agreement that requires equivalent data protection standards to those we apply.
5.2 What Data Is Sent to the AI Service
When you use the Prescription Intelligence feature, the following data is transmitted to Azure AI:
- The prescription image or document you upload (JPEG, PNG, or PDF)
- A unique request identifier (not your name, email, or account ID)
What is NOT sent: Your name, email address, date of birth, account credentials, or any other personally identifiable information is never transmitted to the AI service. The image is processed ephemerally. Azure AI does not retain it after the response is returned.
5.3 What the AI Returns
The AI service returns structured data extracted from the prescription: medication names, dosages, frequency, and prescribing doctor's name (where visible). This extracted data is then stored in your MedNote profile on our secure Azure servers and linked to your account. It is never shared with other users or third parties beyond the hosting described in Section 7.
5.4 Your Consent and How to Opt Out
You are in control. The AI prescription scan is never triggered automatically.
- When you upload a prescription for the first time, MedNote displays a consent prompt explaining that the image will be processed by Azure AI.
- You must tap "I Agree" before the scan begins. Tapping "Cancel" uploads the image without AI processing, and you can manually enter medication details instead.
- You can change your AI processing preference at any time in Settings → Privacy → Prescription AI Scan.
- Withdrawing consent stops future AI processing but does not delete previously extracted data. To remove previously extracted data, use Settings → Account → Delete Health Data.
5.5 Azure AI Data Protection
Microsoft Azure AI Services is bound by the following protections, which meet or exceed our own standards:
- ISO 27001, SOC 2 Type II, and CSA STAR certified
- HIPAA Business Associate Agreement (BAA) eligible
- GDPR compliant. Azure processes data as a Data Processor under our instructions
- Data is not used to train Microsoft's AI models unless you explicitly opt in (we do not enable this)
- Processed data is deleted from Azure's transient cache immediately after response
6. Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Account creation and service delivery | Contract performance |
| Health data processing (prescriptions, HRS, adherence) | Explicit consent (Art. 9 GDPR / equivalent) |
| Push notifications for health alerts | Contract performance + explicit consent |
| Marketing communications | Explicit consent (opt-in only) |
| Analytics and crash reporting | Legitimate interests (service improvement) |
| Legal obligations | Legal obligation |
7. Third-Party Services and Data Sharing
We do not sell your personal or health data. We share data only with the following categories of processors under appropriate data processing agreements:
Microsoft Azure (Cloud Infrastructure)
All application data, health records, and prescription files are stored on Microsoft Azure servers. Azure is certified for healthcare data (ISO 27001, SOC 2, HIPAA BAA eligible). Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
Microsoft Privacy Statement →Google Firebase (Push Notifications & Analytics)
We use Firebase Cloud Messaging for medication and health reminders, and Firebase Analytics for anonymised app usage analytics. Analytics data is aggregated and does not include health records or prescription content.
Firebase Privacy Policy →Apple / Google (App Distribution)
The MedNote iOS app is distributed through the Apple App Store and the Android app through Google Play. The iOS app does not offer In-App Purchases, so no payment data is exchanged with Apple for subscriptions. App-store crash and device data may be shared with Apple/Google per their standard platform policies.
Healthcare Providers (with your consent)
If you connect MedNote to a DocNote-registered clinician, specific adherence data and health records may be shared with that provider. You control and can revoke this connection at any time from your account settings.
Legal and Regulatory Authorities
We may disclose information when required by applicable law, court order, or governmental authority in the EU, India, United States, or other jurisdictions where we operate.
8. Children and Family Accounts
Parental Consent Required
MedNote allows family account holders to add child profiles for dependant health management. Adding a child profile constitutes your explicit consent as a parent or legal guardian to collect and process that child's health information within MedNote.
- The primary account holder must be 18 years or older
- Child profiles are accessible only within the family account. Children do not have independent login access
- Health data for child profiles is subject to the same security and retention policies as adult data
- Parents/guardians may delete a child's profile and all associated data at any time from account settings
- We do not knowingly allow individuals under 18 to create independent MedNote accounts
- If you believe we have inadvertently collected information from a minor without parental consent, contact us at privacy@desha.ai to request deletion
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile information | Duration of account + 30 days after deletion request |
| Health records and prescriptions | Duration of account + 30 days after deletion request |
| Medication adherence logs | Duration of account + 30 days after deletion request |
| Anonymised analytics data | Up to 24 months |
| Transaction/billing records | 7 years (legal/tax requirement) |
| Support communications | 3 years from last interaction |
10. Data Security
We apply healthcare-grade security measures to protect your data:
AES-256 Encryption
All data at rest is encrypted using AES-256. All data in transit uses TLS 1.3.
Role-Based Access Control
Strict RBAC ensures only authorised personnel access specific data categories.
Zero-Log Policy
We do not log or track your health data beyond what is necessary for care delivery.
DPIA Conducted
A Data Protection Impact Assessment has been conducted for all high-risk health data processing activities.
No method of electronic transmission or storage is 100% secure. In the event of a data breach that affects your rights and freedoms, we will notify you and relevant authorities as required by applicable law.
11. Your Privacy Rights
Depending on your country of residence, you have the following rights. To exercise any of these rights, contact us at privacy@desha.ai. We will respond within 30 days.
How to Delete Your Account
- Open MedNote app → go to Settings
- Tap Account → Delete Account
- Confirm deletion. Your data will be permanently erased within 30 days
- Alternatively, email privacy@desha.ai with the subject "Account Deletion Request"
12. Jurisdiction-Specific Rights
European Union & UK (GDPR / UK GDPR)
You have the rights described in Section 11 above under the General Data Protection Regulation. You also have the right to lodge a complaint with your national data protection authority (e.g., ICO in the UK, CNIL in France).
India (Digital Personal Data Protection Act, 2023)
We comply with the DPDP Act 2023. You have the right to access, correct, and erase your personal data. You may nominate another person to exercise your rights on your behalf. Grievances can be raised by emailing privacy@desha.ai.
United States (CCPA / State Laws)
California residents have the right to know what personal information we collect, request deletion, and opt out of any sale of personal information (we do not sell personal data). We honour opt-out requests within 15 business days.
Healthcare Data (HIPAA, US Users)
For users in the United States where HIPAA may apply, MedNote operates as a personal health record application under individual user control. Where we partner with covered healthcare entities, appropriate Business Associate Agreements are in place.
13. International Data Transfers
Your data may be processed in data centres in Europe, Asia, and the United States (via Microsoft Azure infrastructure). Where data is transferred outside your country, we ensure appropriate safeguards are in place including EU Standard Contractual Clauses, adequacy decisions, or other approved transfer mechanisms under applicable data protection laws.
14. Cookies and Tracking Technologies
Our web platform uses cookies and similar technologies for authentication, security, and analytics. The MedNote mobile app uses Firebase SDK for anonymised analytics and crash reporting.
You can control cookie preferences via our cookie banner or your browser settings. For detailed information, see our Cookie Policy.
15. Medical Information Disclaimer
MedNote is a health management tool designed to help you organise and track your medications and health information. It is not a medical device and does not provide medical diagnoses, treatment recommendations, or clinical advice. Always consult a qualified healthcare professional for medical decisions. In a medical emergency, contact your local emergency services immediately.
16. Contact and Complaints
For any privacy-related questions, data requests, or complaints, contact our Privacy team:
Privacy Email: privacy@desha.ai
Response Time: Within 30 days of receipt
Subject line for requests: "Privacy Request, [Your Name]"
If you are not satisfied with our response, you may lodge a complaint with the relevant data protection authority in your jurisdiction.
17. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or applicable laws. When we make material changes, we will notify you via in-app notification and update the "Last updated" date above. For significant changes affecting health data processing, we will seek fresh consent where required by law. Continued use of MedNote after the effective date constitutes acceptance of the updated policy.
