Mederium Logo
Mederium

Privacy Policy

Last Updated: March 28, 2026

Effective Date: March 28, 2026

1. Introduction & Scope

Mederium ("Mederium", "we", "us", or "our") operates a unified digital telehealth platform ("Platform") that connects patients with licensed healthcare providers for appointment scheduling, video and voice consultations, encrypted clinical communications, prescription management, procedure tracking, and AI-assisted symptom checking.

This Privacy Policy describes how we collect, use, disclose, store, protect, and otherwise process personal data — including sensitive personal data relating to health — when you access or use our website, web application, mobile application, and any related services (collectively, the "Services"). It is issued in compliance with the Personal Data Protection Act, 2023 ("PDPA") of the Islamic Republic of Pakistan and all applicable subordinate regulations made thereunder.

This Policy applies to all users of the Platform, including patients, dependent patients, guardians, registered healthcare providers (doctors), clinic staff (assistants), clinic administrators, and visitors. By accessing or using the Services you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree, you must discontinue use of the Services immediately.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person ("data subject"), as defined under the PDPA 2023.
  • Sensitive Personal Data: A special category of personal data under the PDPA 2023 that includes data concerning health, medical history, biometric data, and similar categories requiring heightened protection and explicit consent.
  • Health Data / PHI: Any individually identifiable health information created, received, maintained, or transmitted in connection with the provision of healthcare services, including diagnoses, prescriptions, medical histories, treatment notes, and related data.
  • Patient: A registered individual (or their legal guardian) who uses the Platform to seek or receive healthcare services.
  • Provider: A licensed healthcare professional (doctor) registered on the Platform to deliver care.
  • Assistant: A clinic staff member authorised by a Provider to manage scheduling, patient records, and administrative functions on the Provider's behalf.
  • Dependent: A patient account managed by a guardian (e.g., a minor child or family member).
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • NCPDP: The National Commission for Personal Data Protection, the statutory supervisory authority established under the PDPA 2023.
  • PTA: The Pakistan Telecommunication Authority, which exercises oversight over digital and telecommunications services.

3. Information We Collect

3.1 Information You Provide Directly

Patients & Guardians

  • Identity & Contact: Full name, email address, phone number, date of birth, gender, and residential address.
  • Sensitive Personal Data (Health): Blood type, allergies, medical history, current medications, symptoms described during AI checker sessions, diagnoses recorded by treating physicians, procedure notes, and prescription data (medications, dosages, frequencies, durations). This data is classified as sensitive personal data under the PDPA 2023 and is processed only with your explicit consent or on another lawful basis specified in Section 5.
  • Guardian Relationship Information: Relationship type and identity of the person on whose behalf a guardian account acts.
  • Communications: Messages sent via encrypted in-platform chat with healthcare providers, voice notes attached to prescriptions, and any content submitted through the symptom checker.
  • Uploaded Documents: Medical records, lab results, imaging files, and any other health documents you upload to the Platform.

Healthcare Providers (Doctors)

  • Professional Identity: Full name, Pakistan Medical Commission (PMC) registration number, specialization, qualifications, biography, clinic affiliations, and professional photograph.
  • Contact & Location: Email address, personal phone number, and practice addresses (including multiple locations).
  • Clinical Content: Appointment diagnoses, consultation notes, prescription content, procedure templates, and voice-dictated clinical notes processed through our AI transcription service.
  • Account Credentials: Username, email, and hashed password (passwords are never stored in plaintext).

Assistants & Clinic Administrators

  • Name, email address, CNIC number (for identity verification where required), clinic affiliation, role-based permissions, and activity logs related to patient and appointment management functions.

3.2 Information Collected Automatically

  • Device & Access Data: IP address, browser type and version, operating system, device identifiers, referring URLs, and pages visited within the Platform.
  • Session Data: Authentication tokens (stored in session storage, not persistent local storage), session duration, and feature interaction logs.
  • Communication Metadata: Timestamps of messages, appointment creation and modification events, and video/voice session initiation logs. Message content is encrypted and not accessible in plaintext to Mederium except where required by law.
  • Cookies & Similar Technologies: We use strictly necessary session cookies to maintain authenticated sessions. We do not use advertising or cross-site tracking cookies. See Section 10 for details.

3.3 Information from Third Parties

  • WhatsApp (via Evolution API): If your treating provider has scheduled medication reminders on a prescription issued to you, automated messages are sent to your registered WhatsApp number. We receive your response status (e.g., "Taken", "Missed") and the message identifier for tracking purposes. Reminder scheduling is configured by your provider, not by Mederium.
  • Twilio: For video and voice consultations, Twilio provides session tokens and call routing. Twilio may collect technical call metadata as described in its own privacy policy.
  • Google Gemini AI: Symptom descriptions you submit are processed by Google's Gemini AI model to generate a non-diagnostic health analysis. This constitutes a cross-border transfer of sensitive personal data; see Section 14.

4. How We Use Your Information

We process personal data only for the following purposes and only to the extent necessary ("data minimisation" principle under PDPA 2023):

4.1 Providing the Services

  • Creating and authenticating user accounts (patients, providers, assistants).
  • Facilitating appointment booking, scheduling, rescheduling, cancellation, and walk-in queue management.
  • Enabling encrypted video and voice consultations between patients and providers.
  • Rendering the prescription management system, including creation, storage, and PDF generation of prescriptions.
  • Displaying and tracking patient procedures and clinical protocols.
  • Sending automated medication reminders and prescription notifications via WhatsApp to your registered number, when your treating provider has configured reminders on a prescription issued to you.
  • Delivering AI-powered symptom analysis results — clearly labelled as informational tools only, not clinical diagnoses.
  • Enabling encrypted in-platform chat between patients and providers.
  • Managing dependent/guardian account relationships and profile switching.

4.2 Platform Safety, Security & Integrity

  • Verifying the identity and PMC registration status of healthcare providers during the approval workflow.
  • Detecting and preventing fraudulent access, unauthorised account activity, and offences under the Prevention of Electronic Crimes Act, 2016 (PECA).
  • Maintaining audit trails for regulatory compliance.
  • Enforcing role-based access controls to ensure only authorised parties can access specific patient data.

4.3 Communications

  • Sending transactional communications: appointment confirmations, reminders, and status updates.
  • Sending service announcements, security alerts, and policy update notifications.
  • Responding to support inquiries or reported concerns.

4.4 Legal & Regulatory Obligations

  • Complying with the PDPA 2023, PECA 2016, Electronic Transactions Ordinance 2002, PMC regulations, and any other applicable Pakistani law.
  • Responding to lawful court orders, government requests, or directions from the NCPDP or any competent authority.
  • Asserting or defending against legal claims before courts of competent jurisdiction in Pakistan.

4.5 Analytics & Platform Improvement

  • Analysing aggregated, de-identified usage patterns to improve platform features and performance. We do not use identifiable health data for analytics purposes.

We do not sell your personal data or health data to any third party. We do not use your health information for advertising or marketing profiling.

5. Lawful Basis for Processing

Under the Personal Data Protection Act, 2023, we process your personal data on one or more of the following lawful grounds. For sensitive personal data (including all health data), we additionally require explicit consent unless another specific ground under the PDPA applies.

  • Explicit Consent (Section 4, PDPA 2023): For all health and sensitive personal data — for example, creation of your health profile, sharing your medical history with a provider, enabling WhatsApp medication reminders, or submitting data to the AI symptom checker. Consent is obtained at registration and at each relevant point of data collection. You may withdraw consent at any time without penalty; withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Performance of a Contract (Section 4, PDPA 2023): Processing necessary to deliver the Services you have requested — including scheduling appointments, maintaining consultation records, and transmitting prescriptions.
  • Compliance with a Legal Obligation (Section 4, PDPA 2023): Processing required to comply with applicable Pakistani law, including medical records retention obligations under PMC regulations, and responses to lawful government orders or court directions.
  • Protection of Vital Interests: In exceptional circumstances where processing is necessary to protect the life or physical integrity of the data subject or another person.
  • Legitimate Interests (Section 4, PDPA 2023): For security monitoring, fraud prevention, and platform integrity — only where such interests are not overridden by your rights and freedoms as a data subject.

6. Sharing Your Information

We do not sell, rent, or trade your personal data. We share information only in the following limited circumstances:

6.1 With Healthcare Providers & Clinic Staff

Your health data is accessible only to the specific doctors with whom you have booked an appointment or explicitly shared records. Clinic assistants may access your appointment and scheduling information only to the extent authorised by the treating provider and within the permissions granted to that assistant role. Providers cannot share your records with other providers without your consent.

6.2 Data Processors (Sub-processors)

We engage the following third-party service providers as data processors under written agreements that bind them to process your data only for the purpose of providing services to us and in compliance with the PDPA 2023:

  • Google Cloud Platform: Cloud infrastructure, database hosting, and file storage (Google Cloud Storage) for medical records, prescription voice notes, avatars, and clinic assets.
  • Twilio Inc.: Video consultation infrastructure and voice call routing. Twilio processes call metadata and session tokens only; it does not receive clinical content.
  • Google AI (Gemini): AI inference for the symptom checker and prescription voice dictation. Input data is transmitted to Google's API for processing. This constitutes a cross-border transfer; see Section 14.
  • Firebase (Google LLC): Supplemental application services.
  • Evolution API (WhatsApp Gateway): Delivery of medication reminder and appointment notification messages to your registered WhatsApp number when this feature is enabled by your provider.

6.3 Disclosure to Competent Authorities

We may disclose personal data where required by applicable Pakistani law, a court order of competent jurisdiction in Pakistan, or a direction from the NCPDP, PTA, or any other lawful governmental authority. Where legally permitted, we will notify you of such requests before complying.

6.4 Business Transfers

In the event of a merger, acquisition, asset sale, or restructuring involving Mederium, user data may be transferred to the successor entity, subject to the same privacy protections described herein. We will notify you via email and/or a prominent notice on the Platform before your data is subject to a materially different privacy policy.

6.5 With Your Explicit Consent

We may share your information for any other purpose disclosed to you at the time of collection or with your prior written consent.

7. Data Security

We implement technical and organisational security measures consistent with the security obligations under the PDPA 2023 and industry best practice:

  • Encryption at Rest: All health data — including patient demographics, diagnoses, prescriptions, medical records, chat messages, procedure notes, and symptom check results — is encrypted using AES-256-GCM with PBKDF2 key derivation (100,000 iterations). Encryption and decryption occur at the application layer; data is never stored in plaintext.
  • Encryption in Transit: All data transmitted between your browser or device and our servers is protected using TLS 1.2 or higher.
  • Authentication & Access Control: Role-based access controls restrict data visibility strictly to authorised parties. JSON Web Tokens (JWT) are used for session authentication with 60-minute access token expiry and 1-day refresh token expiry. Tokens are stored in session storage (not persistent browser storage) and are invalidated on session end.
  • Credential Security: Passwords are stored using strong one-way hashing. We never store plaintext passwords.
  • File Storage Security: Uploaded files (medical records, voice notes, avatars, prescription backgrounds) are stored in Google Cloud Storage with access controls preventing direct public access.
  • Rate Limiting: API endpoints are rate-limited to mitigate brute-force and automated abuse, consistent with cybersecurity obligations under PECA 2016.

Despite these measures, no electronic system is 100% secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords and to notify us immediately at privacy@mederium.com if you suspect unauthorised access to your account.

8. Data Retention

We retain personal data and health records for as long as necessary to:

  • Maintain your account and provide the Services.
  • Comply with the minimum retention period for medical records required under Pakistan Medical Commission (PMC) regulations and applicable guidelines — currently not less than five (5) years from the date of last treatment, and longer where specific clinical or regulatory circumstances require it.
  • Comply with any applicable retention requirements under the PDPA 2023 or other Pakistani law.
  • Resolve disputes, enforce our agreements, and protect our legal rights before courts of competent jurisdiction in Pakistan.

Upon account deletion, we will de-identify or securely delete personal data within a reasonable period, except where retention is required by law. Health data forming part of a clinical record will be retained in an anonymised or archived form in compliance with PMC record-keeping obligations. You may submit a data deletion request as described in Section 9.

9. Your Rights as a Data Subject

Under the Personal Data Protection Act, 2023, you have the following rights regarding your personal data. These rights apply subject to limitations set out in the PDPA and other applicable law (for example, clinical records may be subject to mandatory retention obligations):

  • Right of Access: Request a copy of the personal data we hold about you, the purposes for which it is processed, and the categories of third parties with whom it is shared.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data. Note: Clinical records (diagnoses, prescriptions, physician notes) may only be amended by the treating provider in accordance with PMC guidelines.
  • Right to Erasure: Request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to our legal obligations to retain health records under PMC regulations.
  • Right to Restriction of Processing: Request that we restrict processing of your data in certain circumstances, for example while the accuracy of the data is being contested.
  • Right to Data Portability: Request your personal data in a structured, machine-readable format (e.g., CSV or JSON) where technically feasible and to the extent provided for under the PDPA 2023.
  • Right to Object: Object to processing based on legitimate interests or to processing for direct marketing purposes.
  • Right to Withdraw Consent: Withdraw any previously given consent (e.g., opting out of AI-assisted features or WhatsApp reminders) without affecting prior lawful processing.
  • Right Not to Be Subject to Automated Decision-Making: No decision producing legal or similarly significant effects on you is made solely by automated means, including AI.

To exercise any of these rights, submit a written request to privacy@mederium.com. We will respond within 30 days of receipt of the request, as required by the PDPA 2023. For complex requests, we may extend this period by a further 30 days with prior notification. We may require reasonable identity verification before processing sensitive requests.

If you believe your rights under the PDPA 2023 have not been adequately addressed, you have the right to lodge a complaint with the National Commission for Personal Data Protection (NCPDP), the competent supervisory authority in Pakistan.

10. Cookies & Tracking Technologies

We use the following categories of cookies and similar technologies:

  • Strictly Necessary Cookies: Essential for the Platform to function, including session authentication tokens and security tokens. These cannot be disabled without impairing the Services.
  • Functional Cookies: Remember your preferences, such as language settings or role context.

We do not use advertising cookies, behavioural tracking cookies, or cross-site tracking technologies. We do not participate in cross-site data broker arrangements.

You may configure your browser to block or delete cookies, but doing so may impair certain Platform functionality, including the ability to remain authenticated.

11. Minors & Age of Majority

Under the Majority Act, 1875 of Pakistan, the age of majority is 18 years. Independent account registration on the Platform is available only to persons who have attained the age of 18. Where a minor (a person below 18 years of age) receives care through the Platform, their account must be created and managed by a parent or legal guardian who agrees to these policies on the minor's behalf and who takes full legal responsibility for the accuracy of information provided. If you become aware that a minor has independently registered without guardian consent, please notify us immediately at privacy@mederium.com and we will take prompt steps to remove that account.

12. Guardian & Dependent Accounts

The Platform supports guardian accounts that allow an adult to manage one or more dependent patient profiles (e.g., minor children, elderly family members). Guardians may switch between their own profile and dependent profiles within the same authenticated session. Guardians are legally responsible for the accuracy of information submitted on behalf of dependents and must hold lawful authority — whether as parent, legal guardian, or otherwise under Pakistani law — to consent to the collection, processing, and storage of the dependent's health data. All guardian access to a dependent's records is validated server-side at each request.

13. AI-Powered Features

Mederium uses artificial intelligence in two features:

  • Symptom Checker (Genkit + Google Gemini): You may submit a free-text description of symptoms. This text is transmitted to Google's Gemini AI model for analysis. The output is a non-diagnostic informational tool — it is not a medical diagnosis and must not be relied upon as such. Results are stored encrypted on your patient profile together with a confidence score. Your explicit consent is obtained before each submission. This feature constitutes a cross-border transfer of sensitive personal data; see Section 14.
  • Voice Dictation for Prescriptions (OpenAI Whisper + Language Model): Providers may dictate clinical notes by voice. The audio is transcribed and structured by AI. The resulting content is attributed to the prescribing doctor and stored encrypted in the prescription record. Audio recordings are processed transiently and are not retained by the AI service after transcription. All AI-generated clinical content must be independently reviewed and approved by the treating provider before it is used.

No automated decision-making with legal or similarly significant effects on you is made solely by AI. All clinical decisions remain the exclusive responsibility of the treating healthcare provider.

14. Cross-Border Data Transfers

The PDPA 2023 restricts the transfer of personal data outside Pakistan unless the receiving country or territory provides an adequate level of data protection as determined by the NCPDP, or appropriate safeguards are in place (such as binding contractual clauses or equivalent measures approved by the NCPDP).

Our use of Google Cloud Platform, Google Gemini AI, Twilio, and Firebase involves the processing of personal data on infrastructure located outside Pakistan. We rely on contractual safeguards with these providers and, where required, seek NCPDP-compliant transfer mechanisms to ensure your data is protected to a standard equivalent to Pakistani law. By using the Platform and consenting to these Terms, you acknowledge that certain personal data — including health data submitted to the AI symptom checker — will be processed in jurisdictions outside Pakistan as described in this Section.

We do not transfer data internationally beyond what is strictly necessary to provide the Services.

15. Applicable Laws & Regulatory Framework

Our data processing practices are governed by and comply with the following primary Pakistani legislation and regulations:

  • Personal Data Protection Act, 2023 (PDPA): The primary data protection statute, governing collection, processing, storage, and transfer of personal and sensitive personal data. Establishes the NCPDP as the supervisory authority.
  • Prevention of Electronic Crimes Act, 2016 (PECA): Governs cybercrime and data security obligations, including unauthorised access and data breach offences.
  • Electronic Transactions Ordinance, 2002 (ETO): Recognises the legal validity of electronic records and transactions, including this Policy and any consent given electronically.
  • Pakistan Medical Commission Act, 2020 & PMC Regulations: Govern provider registration, medical record-keeping, and the practice of telemedicine in Pakistan.
  • Constitution of Pakistan, 1973 (Article 14): Guarantees the inviolability of dignity and privacy of every person.

Where regulations impose specific requirements (such as minimum retention periods, breach notification timelines, or data subject rights), those requirements are incorporated into our operating procedures and take precedence over any conflicting provision in this Policy.

16. Data Breach Notification

In the event of a personal data breach, we will comply with the notification obligations under the PDPA 2023:

  • We will notify the NCPDP as soon as reasonably practicable, and in any event within the timeframe prescribed by the PDPA 2023 and any applicable regulations, from the moment we become aware of the breach.
  • Where the breach is likely to result in a high risk to the rights and interests of affected data subjects, we will also notify those individuals directly without undue delay, describing: the nature of the breach; the categories and approximate number of data subjects affected; the likely consequences; and the measures we are taking or propose to take to address the breach.
  • We maintain an internal breach register and have designated staff responsible for breach response consistent with our obligations under PECA 2016 and the PDPA 2023.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this page and notify you via email and/or a prominent notice on the Platform at least 14 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the revised Policy. If you do not agree to the changes, you must discontinue use and may request deletion of your account subject to applicable retention obligations.

18. Contact Us

For questions, concerns, or to exercise your rights under the PDPA 2023, please contact us:

Email: mederium.pk@gmail.com

We aim to respond to all legitimate requests within 30 days. For complex requests, we may extend this by a further 30 days with prior notification and reasons.

If you are not satisfied with our response, you have the right to escalate your complaint to the National Commission for Personal Data Protection (NCPDP), the statutory supervisory authority under the PDPA 2023.