MediMan Privacy Policy
1. Introduction
This Privacy Policy governs the MediMan Patient Application and the MediMan Doctor Application (together, the “Services”), available on the Web, the Google Play Store and the iOS App Store. We operate with privacy-by-design and security-by-default principles to deliver compliant, reliable telehealth services at scale.
2. Our Platform Role (Intermediary)
MediMan is an intermediary technology platform that connects patients with independent doctors through our app. We do not practice medicine or make clinical decisions. Doctors provide care directly and may manage clinic bookings within the MediMan Doctor Application. Clinical responsibilities and decisions rest with the doctor and patient. MediMan is not an emergency service. In an emergency, please contact your nearest hospital, clinic, or doctor.
3. Data Controller, Representative & Contacts
- Controller: Mediman Life (PVT) Ltd., #95 KKS Road, Jaffna, Sri Lanka. (Company Registration PV 00319083)
- Data Protection Officer (DPO) & EU/UK Representative: [email protected] – +94 70 167 7488
- Support & Data Requests: [email protected]
Last Updated: November 04, 2025 | Effective Date: November 04, 2025 | Version: 2.0
4. Scope & Audience
This Policy covers how we handle data across our Services, including identity and account management, appointment scheduling, secure video consultations, notifications, file uploads, analytics, payments, and general platform operations on both apps. It applies to patients using the MediMan Patient Application and to authorized doctors and licensed healthcare professionals using the MediMan Doctor Application.
5. Information We Collect
We collect various types of information to provide and improve our Services, including:
- Patient Identity: Personal details such as name, date of birth, gender, nationality, email, phone number, and profile photo.
- Health Data: Medical history and conditions, diagnoses, treatment plans, prescriptions, allergies, lab results, imaging, vaccination records, consultation notes, and clinical observations. (Any mental health data is processed only with explicit consent and with heightened safeguards.)
- Doctor Profile: Professional information for doctors, including name, title, specialties, license numbers and verification documents, education and certifications, professional affiliations, tax identifiers (if required), payout/banking details, clinic schedules, and consultation fees.
- Operational & Device Data: Technical information such as device model, operating system, app version, IP address, approximate location, push notification tokens, session and authentication metadata, as well as crash reports and performance diagnostics, and general interaction logs.
- Financial & Billing: Payment method tokens and transaction details, insurance information (if applicable), and records of payouts to providers. We do not store raw payment card numbers (sensitive payment data is handled by secure, compliant payment processors).
6. Controller / Processor Roles
Our role under data protection law can vary depending on the data and context:
- MediMan as a Data Processor: When you engage in a consultation, the clinical data generated (medical records, consultation notes, prescriptions, etc.) is processed by MediMan on behalf of the treating doctor. The doctor is responsible for that clinical data, and we act only as a processor handling it per the doctor’s instructions (aside from necessary security and compliance logging).
- MediMan as a Data Controller: MediMan is the controller for other types of data necessary for operating the platform – for example, account information, appointment details (metadata like dates and doctor IDs), payment facilitation records, security and fraud logs, and analytics related to service usage. We determine how this information is used in order to run and improve the Services.
- Doctors as Independent Controllers: Each doctor using our platform remains an independent controller for the clinical information they generate or use within the app. This means doctors retain responsibility for maintaining their own clinical records, notes, and prescriptions, and for complying with any regulatory requirements related to their practice.
7. Android Permissions
We request only the minimum necessary permissions in our Android app. You can manage these permissions in your device settings at any time (though revoking certain permissions may affect app functionality). Below is a summary of the permissions and why we need them:
- Core connectivity & stability: INTERNET, ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE, WAKE_LOCK, FOREGROUND_SERVICE, USE_FULL_SCREEN_INTENT – Needed to connect to the internet, check network status, keep the app running during a consultation, and deliver notifications reliably.
- Telehealth media: CAMERA, RECORD_AUDIO, MODIFY_AUDIO_SETTINGS – Needed for video consultations (camera and microphone access) and to adjust audio settings during calls.
- Engagement & alerts: POST_NOTIFICATIONS, VIBRATE – Needed to send you appointment reminders, alerts, and other notifications; vibration is used for notification alerts.
- Location experiences (optional): ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION – Optional permissions to enable location-based features such as finding nearby providers or aiding emergency services. These are only used for in-app features like maps or location tagging if you choose to enable them.
- Medical file handling (optional): READ_MEDIA_IMAGES, READ_MEDIA_VIDEOS, READ_MEDIA_AUDIO – Optional permissions that allow you to select medical images, videos, or audio files from your device (for example, uploading a photo of a lab report or sharing an X-ray image during a consultation).
- Device context (optional): READ_PHONE_STATE – Optional permission to detect incoming phone calls or interruptions so we can pause a video consultation if you receive a call.
Note: We do not access background location data, external storage (beyond the new media permissions listed), or use Bluetooth features, and we do not request to ignore battery optimizations. If any of these were to be introduced in the future, we would notify you and update this Policy accordingly.
8. iOS Privacy
Our iOS apps request only essential permissions through system prompts, and we explain the reason for each. The main iOS permissions we use are:
- Camera Access (NSCameraUsageDescription): Allows you to participate in video consultations and to capture images (for example, uploading a photo of a document or injury).
- Microphone Access (NSMicrophoneUsageDescription): Allows audio communication during video consultations.
- Photo Library Access (NSPhotoLibraryUsageDescription and NSPhotoLibraryAddUsageDescription): Lets you upload medical images or save documents (e.g. downloading a prescription or saving a consultation summary).
- Location Access (NSLocationWhenInUseUsageDescription, optional): Enables location-based features like map functionality for finding providers or aiding in emergency context, but only when the app is in use and only if you choose to allow it.
We may also utilize notification permissions (to send appointment reminders and alerts) and performance monitoring frameworks (to improve app stability), which will be requested via the standard iOS prompts when needed. All permission requests on iOS are accompanied by a brief explanation in your local language. We do not reduce any privacy protections with custom wording – the text is clear about why the access is needed, and you remain in control of granting or denying each permission.
9. Lawful Bases for Processing
Depending on the situation, we rely on different legal grounds to process personal data in compliance with global data protection laws (such as GDPR and related regulations):
- Consent: We will ask for your consent in certain cases – for example, processing your health data for telehealth services (in many jurisdictions health data requires explicit consent), enabling app analytics or crash reporting (where not strictly necessary for service), sending marketing communications (which are opt-in), or sharing information with third parties for care coordination beyond our platform. You have the right to withdraw your consent at any time.
- Contract: Much of our data processing is necessary to fulfill our contract with you. This includes enabling you to consult with doctors, managing your account, scheduling appointments, processing payments, and facilitating secure communications between you and your healthcare provider. We cannot provide the core Services without this data.
- Legal Obligation: We may need to process data to comply with our legal obligations. For example, healthcare regulations might require us (or your doctor) to maintain medical records for a certain period; financial laws require us to keep payment transaction records and receipts; and we must comply with lawful requests from authorities when they are valid and binding.
- Vital Interests: In rare cases, we might process personal data to protect someone’s life or well-being. For instance, if a user is in a medical emergency and unable to provide consent, we might share relevant information with emergency responders to the extent allowed by law (this is to protect the vital interests of the user or another person).
- Legitimate Interests: We process data to further our legitimate interests in maintaining and improving our Services, in a way that does not override your rights and freedoms. This can include things like ensuring platform security, preventing fraud and abuse, anonymizing and aggregating data for service improvement and research, and sending important product updates. When we rely on this basis, we carefully consider and balance our interests against your privacy rights.
10. How We Use Data
We use the collected information to provide, maintain, and enhance our Services, as well as to ensure safety and compliance. Key uses include:
- Care Delivery: We use personal and health information to facilitate healthcare services. This includes scheduling appointments and sending reminders, enabling doctors and patients to connect via secure video consultations, maintaining an electronic health record of consultations (notes, prescriptions, treatment plans), issuing e-prescriptions, providing referral letters or medical certificates when needed, and generally supporting the doctor–patient interaction through our platform.
- Operations: We process data necessary for the day-to-day operation of the platform. This includes verifying your identity and credentials (for doctors), managing user accounts and login sessions, preventing unauthorized access (security/fraud monitoring), processing payments for consultations, providing customer support, and sending you essential notifications about your use of the service (for example, booking confirmations, password changes, or policy updates).
- Quality & R&D: We continuously work to improve our user experience and develop new features. Usage data and feedback may be used to troubleshoot issues, optimize app performance, and guide UI/UX improvements. On an aggregated or anonymized basis, data may be used for research and development of new services or for analyzing health outcomes (for example, understanding how effective telehealth is for certain follow-ups, without using identifiable personal information). We also occasionally review interactions (with appropriate authorization) for training and quality assurance to ensure doctors and support staff provide high-quality service.
- Communications: We use contact information (email, phone number) to communicate with you. This includes sending appointment confirmations and reminders via SMS, email, or push notification, notifying you of important health alerts or service updates, sending newsletters or promotional content if you have opted in to marketing, and informing you of changes to our terms or Privacy Policy. We strive to keep communications relevant and will not spam you; you can opt out of non-essential communications at any time.
11. Data Sharing & Processors (Named Only)
We value your privacy and thus limit data sharing to only what is necessary to deliver our Services. We engage only the third parties listed below to process data on our behalf, under strict agreements that bind them to confidentiality, security standards, and specific purposes. We do not sell or share your personal data with anyone else for their own use. If we ever need to add a new data processor or significantly change data sharing, we will update this Policy and, if required, seek your consent before using them. Our current third-party service providers include:
- Hosting & Storage: We securely store and process data. In particular, user files and attachments are stored with encryption at rest to protect their confidentiality.
- Email Delivery: We send out transactional emails (like verification codes, appointment confirmations) and support communications. These emails do not include sensitive health content in plain text.
- Telehealth Video: For real-time video consultations, we integrate a platform that provides secure video and audio streaming. This service allows us to connect patients and doctors with low latency and high quality. All video calls are encrypted.
- Messaging: We use trusted providers to send SMS messages and one-time passcodes (OTPs) to users’ phones (for things like phone number verification or appointment notifications).
- Push Notifications & Monitoring: We send push notifications within the mobile apps so you receive real-time alerts and updates. We also use performance monitoring and crash analytics, which help improve app stability.
- Location Services: We use Maps to support any mapping or location-based features in the app, such as helping patients find the location of a clinic or aiding in verifying addresses. When used, this may involve sending basic location queries to servers (e.g., for geocoding an address or showing a map preview).
- Experience Analytics: We use Microsoft Clarity to gather analytics about how users interact with our app (e.g., which screens are most used, where users might encounter issues). Importantly, Clarity is configured not to record or transmit any sensitive personal or health information. We use it strictly to analyze user experience and improve the app’s usability.
- Payments: For handling payments, we rely on IPG (Internet Payment Gateway) by Trusted Legal Bank. This is a secure, PCI-DSS compliant payment processing service, meaning it meets industry standards for protecting payment information. When you pay for a consultation through our app, the payment processor handles the transaction. We do not store your raw credit or debit card numbers on our servers; any saved payment details are tokenized (stored by the payment gateway and referenced by us via secure tokens).
Each of these partners is bound by data protection agreements, meaning they can only use your data for the specific services they provide to us and must protect it according to applicable privacy laws.
12. International Data Transfers
MediMan is based in Sri Lanka, but we serve patients and doctors globally. This means your data might be accessed or processed in different countries. Whenever personal data is transferred across national borders, we take steps to ensure it remains protected:
- If your data is transferred out of your country (for example, to data centers or service providers in another region), we will implement recognized legal mechanisms to cover the transfer. These might include Standard Contractual Clauses (SCCs) as approved by the European Commission, or similar contractual frameworks approved in other jurisdictions.
- We perform transfer impact assessments to evaluate any risks to your data when it’s moved internationally and apply additional technical and organizational measures as needed (like encryption and access controls) to safeguard it.
- Regardless of where your data is processed, we will handle it in accordance with this Privacy Policy and applicable law. Our primary storage (AWS servers) may be in a region outside your own, but AWS maintains high standards of security and compliance internationally.
By using our Services, you understand that your information may be transferred to and stored on servers in countries other than your own. We will always ensure such transfers comply with privacy laws so that your personal data remains secure.
13. Security Posture
We are committed to protecting your personal data through strong security practices and measures. Some key aspects of our security program include:
- Encryption: All data transmitted between your device and our servers is encrypted using HTTPS/TLS protocols. This means that any information (including video consultations, messages, etc.) is protected in transit from eavesdropping. For data stored on our servers, we use encryption at rest (for example, files and database records stored in AWS are encrypted on disk). We also enforce strong encryption and hashing for passwords, authentication tokens, and other sensitive elements.
- Access Controls: We limit access to personal data strictly on a need-to-know basis. Our team members and service providers only access the minimum data necessary to perform their duties. We employ role-based access control (RBAC) to ensure each user or staff role has appropriate permissions. Administrative access to systems requires strong authentication (including multi-factor authentication where possible), and all access is logged and audited.
- Secure SDLC (Software Development Life Cycle): We follow secure coding standards throughout our product development. Our code is reviewed for security and privacy considerations. We keep our software dependencies updated to patch vulnerabilities, and we manage secrets (like API keys and passwords) securely. We also run regular vulnerability scans and, when possible, penetration tests to identify and fix potential weaknesses in our applications and infrastructure.
- Monitoring & Response: We maintain centralized logging of key activities in our systems (while respecting user privacy in logs). Our security systems monitor for unusual patterns or potential intrusions (for example, repeated failed logins or suspicious network traffic). We have an incident response plan in place. This means if a security incident or data breach is suspected or detected, we have a defined process to investigate, mitigate, notify affected parties and regulators as required, and improve our systems to prevent future incidents.
- Resilience: We regularly back up critical data using secure backup processes, and those backups are encrypted. We have disaster recovery and business continuity plans so that in the event of an outage or disaster, we can restore services and data with minimal disruption. These plans are tested periodically to ensure they work when needed.
- Organizational Measures: All MediMan staff are trained on privacy and security best practices. Employees and contractors with access to personal data sign confidentiality agreements (NDAs) and undergo background checks as permitted by law. We do not permit third-party subcontractors unless they are approved and bound by similar obligations. Additionally, we conduct periodic audits and may bring in independent experts to assess our security posture.
While we do our best to protect your data, it’s also important for users to play a part in security. Keep your account credentials confidential and notify us immediately if you suspect any unauthorized access to your account.
14. Data Retention
We retain personal data only for as long as it is needed for the purposes described in this Policy, or as required by law. Retention periods can vary based on the type of data and applicable regulations:
- Medical records: We generally retain electronic medical records (consultation notes, prescriptions, etc.) for 7 to 10 years, depending on local healthcare regulations. This is to ensure continuity of care and to comply with legal obligations in many jurisdictions that require medical data retention for a minimum period.
- Booking records: Information about appointments (such as appointment dates and times, the doctor you saw, the type of visit, and payment references) is retained permanently. This permanent retention is to satisfy medical audit requirements and healthcare regulatory compliance (for example, to have a log of all consultations provided through the platform).
- Account profile data: Your account information (like your name, contact details, and other profile info) is kept for the lifetime of your account. If you delete your account, we will remove or anonymize your personal profile data, but we may keep limited information after deletion for a defined period (generally up to 3 years) to comply with legal requirements or to protect our legal rights (for instance, keeping records in case of a dispute or to demonstrate compliance with law).
- Communications logs: Records of communications (such as support tickets, chat logs with customer support, or technical logs of notifications sent) are typically kept for up to 2 years. We keep these to monitor service quality, train support staff, and have a history of support interactions in case issues reoccur.
- Payments and payout records: Financial records, including transaction logs, receipts, and payout records to doctors, are retained for about 7 years. This retention aligns with accounting and tax laws, which often require businesses to keep financial records for a number of years.
- Analytics data: Data collected for analytics or performance monitoring is usually retained for a shorter period (for example, up to 13 months) since we mainly look at recent trends to improve the service. Analytics data may include things like usage statistics or crash reports, and when possible, we aggregate or anonymize this data over time.
- Marketing data: If you have consented to receive marketing communications, we will keep the information necessary for that (like your email address or preferences) until you withdraw your consent or opt out of marketing. Once you unsubscribe, we will stop sending you marketing messages, though we may keep a record of the withdrawal to ensure we respect your preference in the future.
When data is no longer needed, we ensure it is deleted or anonymized in a secure manner. Please note that in some cases we may retain certain information for longer if required by law (e.g., if a legal hold or court order is in place, or an investigation is ongoing).
15. Account Deletion & Data Rights
You have the right to delete your account and personal data, as well as other rights regarding how your data is used. This section explains how you can exercise those rights:
Account Deletion: If you wish to delete your MediMan account, you can initiate the process by visiting our account deletion page: https://mediman.life/delete-account/. We will guide you through a verification process to confirm your identity (for your protection, we need to be sure the request is authentic). You will also be asked to acknowledge the consequences of deletion (for example, losing access to your data and history). Once confirmed, we will schedule your data for deletion from our active systems. Backup data will be phased out over our backup retention cycle, except for any information we are required to keep by law (as noted below).
Deletion Acknowledgment (shown during account deletion): “Important: In accordance with healthcare regulations and legal requirements, we will retain your booking records (appointment dates, doctor information, visit types, and payment references) for medical audit and legal compliance purposes. All other personal profile data and system data will be permanently deleted or anonymized. I understand the data retention policy stated above and confirm my request to permanently delete my MediMan account. I acknowledge that this action cannot be undone and that booking records will be retained as described for legal compliance.”
This acknowledgment is shown to ensure you are aware that while most of your data will be deleted, certain minimal information must be kept for regulatory reasons.
Your Data Protection Rights: Depending on the laws that apply to you (for example, GDPR if you are in the EU, or CCPA if you are in California), you may have some or all of the following rights regarding your personal data:
- Right of Access: You can request a copy of the personal data we hold about you, and information about how we process it.
- Right of Rectification: If any of your information is incorrect or incomplete, you have the right to ask us to correct it.
- Right to Erasure: You can request that we delete your personal data. If you request deletion, we will remove the data we are not legally required to keep. (This is also known as the “right to be forgotten,” though there are some exceptions where we may have to retain data.)
- Right to Data Portability: You have the right to request your personal data in a structured, commonly used, and machine-readable format, and you have the right to have that data transmitted to another service provider where technically feasible.
- Right to Restrict Processing: You can ask us to limit the processing of your data in certain circumstances (for instance, if you contest the accuracy of the data or object to us processing it, we will consider requests to restrict usage while we review the issue).
- Right to Object: You have the right to object to certain types of processing. For example, you can object to the use of your data for direct marketing at any time, and we will honor that. You can also object if you believe we have no legitimate grounds to process your data or if you dispute that our legitimate interests override your rights.
- Right to Withdraw Consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. For example, you can opt out of marketing emails by withdrawing consent, or disable certain app analytics if they were consent-based. Withdrawing consent will not affect the lawfulness of any processing we did before your withdrawal.
California Residents (CCPA/CPRA): If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:
- The right to know what personal information is collected, used, disclosed, or sold, and to access that information.
- The right to delete personal information held by us (and by extension, direct service providers), with certain exceptions (such as if the information is needed to complete a transaction or for legal compliance).
- The right to correct inaccurate personal information.
- The right to opt out of the sale or sharing of personal information. (Note: MediMan does not sell personal information to third parties for profit. We also do not share personal information for cross-context behavioral advertising.)
- The right to not receive discriminatory treatment for exercising any of these rights. We will not deny you services, charge you different prices, or provide a different level of service because you exercised your privacy rights.
To exercise any of your rights or make a privacy-related request, please contact us at [email protected]. For security, we may need to verify your identity (and authority, if you are making a request on behalf of someone else) before fulfilling your request. We aim to respond to all valid requests within the timeframe required by law (generally within 30 days, though this can be extended if necessary with notice to you). There is no fee for making a request, but if a request is unfounded or excessive, we may charge a reasonable fee or refuse to act on it.
16. Children’s Privacy
Protecting children’s privacy is extremely important to us. The MediMan Patient Application is not intended for children under the age of 18 (or the minimum age of digital consent in your region) unless a parent or legal guardian has provided verifiable consent and is supervising the child’s use of the service. We do not knowingly allow children under 18 to create accounts or use the Patient app without the required consent.
The MediMan Doctor Application is only for licensed medical professionals aged 24 or older; we do not allow minors to register as doctors on our platform.
For any pediatric medical services facilitated through MediMan (i.e., where a parent/guardian is arranging a consultation for a minor), we treat the child’s health data with heightened safeguards and only collect what is necessary for the service. Any personal data about a child is only provided to us by the parent or guardian or by a healthcare professional with proper consent.
We do not market our Services to minors, nor do we knowingly use any personal data of minors for marketing purposes. If we become aware that we have collected personal data from a child under the relevant age without proper consent, we will take steps to delete that information. Parents or guardians who believe we might have information about a child under 13 (in an unauthorized way) can contact us to request deletion.
17. Cookies, SDKs & Tracking
Our Services utilize a minimal amount of tracking technology, primarily for the operation of the app and to improve your experience:
- In the Mobile Apps: We do not use traditional “cookies” in mobile applications, but we use similar mechanisms:
  - We maintain session tokens after you log in, so you remain authenticated during your session.
  - We use analytics and performance SDKs (Software Development Kits) like Firebase and Microsoft Clarity to understand app performance and usage. These help us identify crashes or UI issues. These tools are configured not to capture sensitive personal data (for example, Clarity will blur or ignore any potential health information on screen).
  - We use crash reporting tools to automatically report app errors to our developers, so we can fix them quickly. Crash reports include technical info like device model and error logs, not your personal content.
  - We store certain preferences on the device (for example, if you disable a tutorial or set a language preference, that might be stored locally or in-app memory).
- In Web Interfaces (if applicable): If you use a web portal or our website, we may use cookies:
  - Essential cookies: to maintain your login session, security, or preferences (like language). These cookies are required for the site to function and cannot be disabled in our system.
  - Analytics cookies (with consent): if we use any web analytics, we would do so with notice and consent where required. These help us understand website traffic and improve the site.
  - Third-party integration cookies: if we embed content or integrate with a third party (for example, a payment gateway on the web might set its own cookies), those would be governed by the third party’s policies, but we would endeavor to notify you when such cookies are in use.
We do not use any tracking for advertising purposes, and we do not allow third-party advertisers to track you through our platform.
For more details on our use of cookies and similar technologies, you may refer to our Cookie Policy (if available) or reach out to us with questions. You can control cookies through your browser settings (for web) and control analytics/telemetry in the app settings or by contacting support.
18. Platform & App Store Compliance
We adhere to app store policies and privacy requirements set by platform providers:
- Google Play (Android): We maintain accurate Data Safety information on our Google Play Store listing, disclosing what data is collected and how it’s used, in line with Google’s requirements. Our app also complies with Google Play’s Developer Policies, including those on user data, permissions, and (if ever applicable) the Families Policy for apps that might be used by children (though our app is generally not for young children, we still ensure compliance where relevant). We provide in-app privacy notices and prompts in clear language.
- Apple App Store (iOS): On our Apple App Store listing, we include an App Privacy section that details what data is collected and for what purposes, as required by Apple. We honor Apple’s App Tracking Transparency (ATT) framework – currently, we do not perform any ad tracking across apps, but if that changes, we will use the ATT prompt to seek permission. We do not integrate with HealthKit or CareKit at this time; if we ever introduce HealthKit functionality (for instance, to import health data from your device), we will only do so with your explicit consent and in strict accordance with Apple’s guidelines (HealthKit data cannot be used for marketing or stored in iCloud without permission, etc.).
In summary, we make sure that our apps meet the privacy expectations of the platforms they run on, and we keep those disclosures up to date as our app evolves.
19. Third-Party Links
The MediMan platform and communications may occasionally contain links to external websites or services that we do not operate. For example, a doctor might share a link to an external resource, or our website might link to a medical article or a regulatory authority’s site for informational purposes. Please be aware that once you leave our platform or are redirected to a third-party site/app, this Privacy Policy no longer applies.
Any information you provide to those third-party sites is governed by their own privacy policies. We strongly encourage you to read the privacy policies of any external sites or services before providing your personal data to them. MediMan is not responsible for the content, privacy practices, or handling of information by any third parties that are not under our control.
20. Accessibility
We are committed to ensuring our Privacy Policy is accessible and understandable to all users:
- We can provide this Privacy Policy in different languages to serve our global user base. If the app is offered in a certain language, we aim to have the Privacy Policy available in that language as well.
- If you have a disability or require the Privacy Policy in an alternative format (such as large print, audio, or braille), please contact us at [email protected], and we will do our best to accommodate you.
- We strive to write our policies in plain language. We may also offer plain-language summaries or FAQ documents that explain key points of the Privacy Policy in simpler terms, especially when we roll out significant updates.
Your understanding of your privacy rights and our practices is important. If anything in this Policy is unclear, feel free to reach out to us with questions.
21. Changes to This Policy
We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will change the “Last Updated” date at the top of this Policy.
If there are material changes (significantly new practices or rights we want to introduce, or changes that affect how your data is handled), we will provide you with prominent notice. This may include notifications through the MediMan apps, sending you an email, posting a notice on our website, or highlighting the update in app store release notes. In certain cases, especially if required by law, we may ask for your consent to changes.
We encourage you to review this Privacy Policy periodically. Continuing to use the MediMan services after a Policy update means you acknowledge and agree to the revised terms (unless further action is required, such as explicit consent). If you do not agree with the changes to the Policy, you should stop using the Services and may delete your account as described above.
22. Dispute Resolution & Regulatory Recourse
If you have questions, concerns, or complaints about how we handle your privacy or personal data, we’re here to help:
- Contact Us First: We encourage you to contact us so we can address your concern directly. You can reach out to our Data Protection Officer or our support team at [email protected]. We will acknowledge your complaint and work with you to find a solution. We aim to respond within 30 days or sooner, in line with applicable laws.
- Local Data Protection Authorities: If you are in a jurisdiction with a data protection or privacy authority (for example, the Information Commissioner’s Office in the UK, a Data Protection Authority in the EU, or the Privacy Commissioner in certain other countries), you have the right to contact them regarding any concerns. You can lodge a complaint with the supervisory authority in the country where you live or work, or where you believe a violation may have occurred. We will cooperate fully with any official inquiries and follow the directives of regulatory authorities.
- Legal Dispute Resolution: Any disputes that cannot be resolved amicably may be subject to the dispute resolution procedures outlined in our Terms of Service. This could include arbitration or a specific venue/jurisdiction for legal claims, to the extent such requirements are enforceable and do not contradict applicable law granting you rights. We will abide by all lawful processes in resolving disputes and will not retaliate against anyone for exercising their rights.
Your trust is of utmost importance to us. We will do our best to resolve any privacy-related issues in a fair and transparent manner.
23. Technology & Hosting Statement
We host MediMan’s applications and data exclusively on one technology platform. This means all your personal data and all operational data of our service reside on that platform’s secure servers. The provider is a leading cloud provider with robust security certifications and compliance with international standards, which helps us maintain a high level of security and reliability.
For data storage, we specifically utilize Simple Storage Service for storing files and backups, and all stored data is encrypted at rest. We also employ managed databases and other services to ensure uptime and scalability. By leveraging this provider’s infrastructure, we inherit strong physical security and network protections.
We intentionally do not list every server component or service we use in this Policy, to keep it concise. However, no external hosting providers are used outside this platform. We continuously monitor and manage our cloud environment to promptly apply security patches and follow best practices in cloud security architecture.
By using our Services, you benefit from a secure environment as well as our own security measures described above. If you have specific questions about our technology stack or hosting, feel free to contact us.
Acknowledgment
By using the MediMan Services, whether the MediMan Patient Application or the MediMan Doctor Application, you confirm that you have read and understood this Privacy Policy and agree to its terms. If you do not agree with any part of this Policy, please refrain from using our Services or contact us to discuss any concerns.
© 2025 Mediman Life (PVT) Ltd. All rights reserved.