Mediman Privacy Policy
Mediman Life (PVT) Ltd.
Company Registration: PV 00319083
Hotline: +94 11 466 8668
Registered Address: #95 KKS Road, Jaffna, Sri Lanka
Last Updated: September 25, 2025
Effective Date: September 25, 2025
Version: 2.0
1. Introduction
This global Privacy Policy governs the MediMan Patient Application and the MediMan Doctor Application (together, the “Services”), available on the Google Play Store and the Apple App Store. We operate on privacy-by-design and security-by-default principles to deliver compliant, reliable telehealth at scale.
We align with GDPR (EU/UK), CCPA/CPRA (California), PIPEDA (Canada), LGPD (Brazil), POPIA (South Africa), and internationally recognized healthcare privacy/security practices (HIPAA-aligned principles where applicable). Where local laws impose higher safeguards, those prevail.
2. Our Platform Role (Intermediary)
MediMan is an intermediary technology platform that connects patients and independent doctors inside our app. We do not practice medicine or make clinical decisions. Doctors provide care and may manage clinic bookings within the MediMan Doctor Application. Clinical responsibilities and decisions rest with the doctor and patient. MediMan is not an emergency service. In the event of an emergency, please contact your nearest hospital, clinic, or doctor.
3. Data Controller, Representative & Contacts
Controller: Mediman Life (PVT) Ltd., #95 KKS Road, Jaffna, Sri Lanka.
Data Protection Officer (DPO) & EU/UK Representative: Jeyakumar Tisankan — [email protected] — +94 70 167 7488
Support & Data Requests: [email protected]
4. Scope & Audience
This Policy covers identity and account management, scheduling, secure video consultations, notifications, file uploads, analytics, payments, and platform operations across both apps. It applies to patients, authorized doctors, and licensed healthcare professionals using the MediMan Doctor Application.
5. Information We Collect
Patient Identity: name, date of birth, gender, nationality, email, phone, profile photo.
Health Data: medical history, symptoms, diagnoses, treatment plans, prescriptions and allergies, lab results and imaging, vaccination records, consultation notes and clinical observations. Mental health data is processed only with explicit consent and heightened safeguards.
Doctor Profile: name, title, specialties, license numbers and verification documents, education/certifications, affiliations, tax identifiers (where required), payout details, clinic schedule and fees.
Operational & Device Data: device model/OS, app version, IP address, approximate location, push tokens, session/auth metadata, crash/performance diagnostics, interaction telemetry.
Financial & Billing: payment method tokens and transaction metadata; insurance information (where applicable); provider payout reports. We do not store raw payment card numbers.
6. Controller / Processor Roles
MediMan as Processor: processes clinical data generated during consultations on behalf of the treating doctor (except required security/compliance logs).
MediMan as Controller: processes account data, booking metadata, payments facilitation records, security/fraud logs, and service analytics for platform operations.
Doctors as Independent Controllers: doctors retain responsibility for clinical records, clinical notes, prescriptions, and regulatory compliance relating to their practice.
7. Android Permissions (Purpose Summary)
We request minimum-necessary permissions. Manage them in device settings; revocation may affect functionality.
- Core connectivity & stability: INTERNET; ACCESS_NETWORK_STATE; ACCESS_WIFI_STATE; WAKE_LOCK; FOREGROUND_SERVICE; USE_FULL_SCREEN_INTENT.
- Telehealth media: CAMERA; RECORD_AUDIO; MODIFY_AUDIO_SETTINGS.
- Engagement & alerts: POST_NOTIFICATIONS; VIBRATE.
- Location experiences: ACCESS_COARSE_LOCATION; ACCESS_FINE_LOCATION (optional, for maps/provider discovery and emergency context).
- Medical file handling: READ_MEDIA_IMAGES; READ_MEDIA_VIDEOS; READ_MEDIA_AUDIO (optional, for clinical attachments).
- Device context: READ_PHONE_STATE (optional, to handle interruptions).
Not used unless reintroduced with notice: ACCESS_BACKGROUND_LOCATION; legacy external storage; BLUETOOTH; REQUEST_IGNORE_BATTERY_OPTIMIZATIONS.
8. iOS Privacy Prompts (Summary)
Our iOS apps request only essential prompts for telehealth: NSCameraUsageDescription (video consults & document capture), NSMicrophoneUsageDescription (audio in consults), NSPhotoLibraryUsageDescription/NSPhotoLibraryAddUsageDescription (upload/export medical images), and NSLocationWhenInUseUsageDescription (optional maps/provider discovery). Notification and performance prompts are used as needed. We localize wording without reducing privacy protections.
9. Lawful Bases for Processing
Consent: telehealth processing of health data; analytics where required; marketing (opt-in); specific third-party sharing for care coordination.
Contract: delivering consultations; managing accounts; processing payments; secure communications.
Legal Obligation: medical recordkeeping; tax/finance compliance; responding to lawful requests.
Vital Interests: emergency scenarios and critical safety notifications.
Legitimate Interests: platform security, fraud prevention, and continuous improvement—balanced against user rights.
10. How We Use Data
Care Delivery: booking and reminders; secure video consults; electronic health record management; e-prescriptions; referrals; secure patient–doctor consultation.
Operations: identity verification; account lifecycle; fraud monitoring; customer support; essential service notifications.
Quality & R&D: UX/performance optimization; feature development; outcomes research using anonymized/aggregated data; training and QA.
Communications: confirmations and reminders (SMS/push/email), health alerts, policy updates, optional marketing (with consent).
11. Data Sharing & Processors (Named Only)
We engage only the third parties named below under binding data processing terms requiring confidentiality, security, and purpose limitation. We explicitly confirm we do not share personal data with any other services, service providers, or persons beyond those listed. If this list changes, we will update this Policy and, where required, obtain consent before activation.
Hosting & Storage: Amazon Web Services (AWS) exclusively for hosting; Amazon S3 encrypted at rest for object storage. (Other AWS components are intentionally not enumerated.)
Email Delivery: AWS-managed email infrastructure for transactional and support emails (no sensitive content in clear text).
Telehealth Video: ZEGOCLOUD for secure, real-time consultations.
Messaging: YV SMS Gateway and Twilio (SMS/OTP); Firebase (push notifications; performance monitoring).
Location: Google Maps API for mapping/geocoding where relevant.
Experience Analytics: Microsoft Clarity (configured to avoid capturing sensitive health content).
Payments: PayHere and IPG Seylan Bank (regulated, PCI-DSS compliant). We do not store raw card data.
12. International Data Transfers
Where cross-border access or processing occurs, we implement recognized safeguards (e.g., Standard Contractual Clauses or analogous mechanisms), maintain transfer impact assessments, and apply supplementary controls as required.
13. Security Posture
Encryption: TLS in transit; Amazon S3 encrypted at rest; strong cryptographic hygiene for keys/tokens.
Access Controls: least-privilege; role-based authorization; MFA options.
Secure SDLC: code review; dependency health; secret management; vulnerability management.
Monitoring & Response: centralized logging; anomaly detection; incident/breach protocols aligned to law.
Resilience: tested backups; disaster recovery; business continuity.
Organizational: staff training; NDAs; periodic audits and penetration testing.
14. Data Retention
Medical records: generally 7–10 years (jurisdiction-dependent).
Booking records (appointment dates, doctor identifiers, visit types, payment references): retained permanently for audit and healthcare regulatory compliance.
Account profile: account lifecycle plus a limited period (generally up to 3 years) for legal defense/compliance.
Communications logs: typically up to 2 years.
Payments/payouts: 7 years (finance/tax).
Analytics: up to 13 months.
Marketing (opt-in): until consent is withdrawn.
15. Account Deletion & Data Rights
Initiate deletion at https://mediman.life/delete-account/. Identity verification and explicit acknowledgment are required. Backups roll off on a defined cycle, except where preservation is legally required.
Deletion Acknowledgment (shown during deletion): Important: In accordance with healthcare regulations and legal requirements, we will retain your booking records (appointment dates, doctor information, visit types, and payment references) for medical audit and legal compliance purposes. All other personal profile data and system data will be permanently deleted or anonymized. I understand the data retention policy stated above and confirm my request to permanently delete my Mediman account. I acknowledge that this action cannot be undone and that booking records will be retained as described for legal compliance.
Your rights (jurisdiction-dependent): access, rectification, portability, restriction, objection (including to direct marketing), and withdrawal of consent. Under CCPA/CPRA: right to know, delete, and correct; right to opt-out of sale/share (we do not sell personal information); non-discrimination. To exercise rights, email [email protected].
16. Children’s Privacy
The Patient App is not intended for users under 13 (or the local age of consent) without verified parental/guardian consent and supervision. The MediMan Doctor Application is restricted to licensed professionals aged 18+. Pediatric health data receives heightened safeguards. We do not market to minors.
17. Cookies, SDKs & Tracking
Mobile apps use session tokens, analytics/performance SDKs, crash reporting, and preference storage. Web interfaces (if used) may set essential cookies and, with consent, analytics/performance cookies and third-party integration cookies. Microsoft Clarity is tuned to avoid capturing sensitive health content. Firebase supports push notifications and performance monitoring. Google Maps API powers location features.
18. Platform & Store Compliance
Google Play: Data Safety disclosures maintained; clear in-app privacy notices; Family Policy where applicable.
Apple App Store: App Privacy details current; App Tracking Transparency honored; any HealthKit use (if introduced) requires explicit, purpose-limited consent.
19. Third-Party Links
External sites or services accessible via our platform operate under their own privacy policies. Review their policies; we are not responsible for their practices.
20. Accessibility
This Policy can be provided in multiple languages for supported regions and in accessible formats upon reasonable request. Plain-language summaries and explainer content may accompany key updates.
21. Changes to This Policy
We update this Policy to reflect regulatory changes, product evolution, and security enhancements. For material updates, we provide advance notice via in-app message, email, website notice, or store release notes, and obtain renewed consent where required.
22. Dispute Resolution & Regulatory Recourse
Please contact us first for resolution: DPO at [email protected] or Support at [email protected]. We target responses within 30 days (or statutory timelines). You may escalate to your local data protection authority. Arbitration or venue terms may apply per our Terms of Service where lawful.
23. Technology & Hosting Statement
We use Amazon Web Services (AWS) exclusively for hosting and end-to-end platform management. For storage, Amazon S3 is encrypted at rest. We intentionally do not list any other AWS components in this Policy.
Acknowledgment
By using the MediMan Patient Application or MediMan Doctor Application, you acknowledge that you have read, understood, and agree to this Privacy Policy.
© 2025 Mediman Life (PVT) Ltd. All rights reserved.