1 Who We Are
Meduvita operates the Meduvita Q-Bank at prep.meduvita.com (an AI-powered UCAT preparation platform) and Meduvita.com (live UCAT teaching courses), primarily serving students applying to UK medical schools. As data controller, we determine the purposes and means of processing your personal data. Where we engage third parties to process data on our behalf, they act as data processors under written contracts requiring equivalent data protection standards.
Platform: prep.meduvita.com
Grievance Officer: Meduvita Privacy Team — support@meduvita.com
Registered company details: available on request (subject line [LEGAL ENTITY])
Our contact details are set out in Section 19.
2 Legal Framework
We process personal data in compliance with applicable Indian data protection and privacy law, including:
- The Information Technology Act 2000 (IT Act) and the IT (Amendment) Act 2008;
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules 2011) — which govern how we collect, use, store, and transfer sensitive personal data;
- The Digital Personal Data Protection Act 2023 (DPDPA) — India's primary data protection legislation, which we apply in accordance with its provisions as they come into effect;
- The Consumer Protection Act 2019 and the Consumer Protection (E-Commerce) Rules 2020, which apply to our online services.
3 Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account data | Full name, email address, hashed password, date of account creation, account type | Provided by you at registration |
| Profile data | Target exam date, intended medical school(s), UCATSEN status, country of residence | Provided by you (optional) |
| Performance data | Questions attempted, answers given, time per question, accuracy by section, mock exam scores, progress over time | Auto-generated during platform use |
| AI interaction data | Queries to the AI tutor, AI responses, feedback ratings on explanations | Generated during AI tutor sessions |
| Payment data | Billing name, billing address, last 4 card digits, transaction ID, subscription history | Via payment processor; full card data never stored by us |
| Communications data | Support emails, feedback submissions, survey responses | Provided by you when contacting us |
| Technical data | IP address, browser type and version, device type, OS, session duration, pages visited, error logs | Collected automatically via cookies and server logs |
| Live course data | Attendance records, session recordings (where applicable and consented), tutor interaction notes | Generated during live course delivery |
| Consent records | Terms & Privacy Policy acceptance timestamp, document version accepted, sign-up method (email or Google), marketing opt-in/opt-out history | Recorded at registration and when preferences change |
| Marketing data | Email open/click rates, marketing consent records, opt-out history | Generated through marketing communications |
Sensitive Personal Data
Under the IT Rules 2011, certain categories of information are classified as "Sensitive Personal Data or Information" (SPDI). We may process the following SPDI only with your explicit consent and solely for the purpose stated:
- Health-related information — only where you voluntarily disclose a medical or learning need when registering for UCATSEN mode. This is used solely to provide the extended-time feature.
- Financial information — limited to what is necessary to process your subscription payment, handled via Razorpay (PCI-DSS compliant payment processor). We do not store full card numbers.
We do not collect passwords in plain text, full payment card numbers, CVV codes, or national identity numbers.
4 How We Use Your Data
Service Delivery
- Creating and managing your account;
- Delivering Q-Bank content, adaptive questions, and AI explanations;
- Running and scoring timed mock exams and generating AI debriefs;
- Personalising question difficulty and learning pathways based on your performance;
- Providing UCATSEN mode functionality;
- Scheduling and delivering live course sessions;
- Generating performance analytics and progress reports for you.
Subscription & Payment Management
- Processing payments and managing subscription renewals and cancellations;
- Verifying course enrolment eligibility for discounts;
- Sending subscription confirmations, receipts, renewal reminders, and payment failure alerts;
- Processing refund requests.
Communication
- Responding to support queries and complaints;
- Sending service-related notices (e.g. downtime, policy changes, security alerts);
- With your consent, sending marketing emails about new features, UCAT tips, and Meduvita products.
Platform Improvement
- Analysing aggregated, anonymised usage patterns to improve question quality, AI accuracy, and platform performance;
- Conducting internal research to enhance the adaptive algorithm and AI tutor;
- Testing new features and improvements.
Legal, Security & Compliance
- Detecting and preventing fraud, abuse, and security incidents;
- Complying with legal and regulatory obligations under Indian law;
- Enforcing our Terms of Service;
- Maintaining records required by applicable law.
5 Legal Basis for Processing
Under Indian data protection law including the IT Rules 2011 and the Digital Personal Data Protection Act 2023, we process your personal data on the following lawful bases:
| Legal Basis | When We Rely on It |
|---|---|
| Consent | Registration and account creation; processing of SPDI (UCATSEN health data); sending marketing communications; setting non-essential cookies. You may withdraw consent at any time. |
| Contractual necessity | Processing required to deliver the subscription or live course — account management, service delivery, payment processing, and customer support. |
| Legitimate interests | Platform improvement using anonymised data, fraud prevention, security monitoring, and essential service communications to existing customers. |
| Legal obligation | Complying with applicable Indian law, tax regulations, court orders, and regulatory requirements. |
Under the IT Rules 2011, we obtain your written consent (which includes consent via electronic means) before collecting sensitive personal data. You have the right to withdraw this consent at any time, though doing so may affect our ability to provide certain features (such as UCATSEN mode).
7 AI Features & Your Data
The Q-Bank uses AI and machine learning — primarily via OpenAI and Anthropic APIs, proxied through our secure Cloudflare infrastructure — to power question generation, content review, real-time explanations, adaptive difficulty, performance analysis, AI tutors, and post-exam debriefs. Here is how your data interacts with these systems:
- Your question responses and accuracy data are used to personalise your adaptive question feed in real time;
- When you use an AI tutor, your messages, relevant question context, and a summary of your performance profile may be sent to OpenAI to generate a response;
- AI-generated questions may be sent to Anthropic for automated quality review before being shown to you;
- AI tutor interactions may be logged for up to 12 months for quality assurance and safety monitoring;
- We use anonymised and aggregated performance data to improve our platform. Individually identifiable data is not shared with AI providers for their own model training;
- AI-generated explanations are produced automatically and are not individually human-reviewed unless flagged for quality or safety issues;
- All AI provider processing is governed by written data processing terms and is limited to delivering the service to you.
8 Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy and as required by applicable law:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account & profile data | Duration of active account + 2 years after closure | Reactivation, dispute resolution, legal claims |
| Performance & question history | Duration of active account + 2 years after closure | Service delivery, account reactivation |
| Payment & transaction records | 8 years from transaction date | Indian tax law (Income Tax Act 1961) and financial regulations |
| AI interaction logs | Up to 12 months after the interaction | Quality assurance, then anonymised or deleted |
| Support communications | 3 years after issue resolution | Dispute records, service quality |
| Consent records (Terms, Privacy, marketing) | Duration of account + 3 years after closure | Demonstrate lawful basis and compliance |
| Marketing consent records | Until withdrawal of consent + 3 years | Compliance demonstration (PECR / DPDPA) |
| Security & fraud logs | Up to 3 years | Security monitoring and incident investigation |
| Live course recordings | 12 months after course completion | Student revision access; then deleted or anonymised |
| Cookie and analytics data | Up to 13 months | Usage analysis and platform improvement |
Upon expiry of retention periods, data is securely deleted or irreversibly anonymised so it can no longer be attributed to any individual.
9 Security
We implement reasonable security practices and procedures as required under the IT Rules 2011 to protect your personal data, including:
- Encryption of data in transit using TLS/HTTPS and encryption of sensitive data at rest;
- Hashed and salted password storage — we never store plain-text passwords;
- Role-based access controls limiting data access to authorised personnel on a need-to-know basis;
- Regular security reviews and vulnerability assessments;
- Multi-factor authentication for administrative access to systems containing personal data;
- Incident response procedures for detecting, reporting, and responding to data breaches;
- Staff training on data protection and security obligations.
Despite these measures, no system is completely secure. You are responsible for maintaining the security of your own account credentials. If you suspect your account has been compromised, contact us immediately at support@meduvita.com.
11 Children's Privacy
The platform is intended for users aged 13 and over. Users under 18 require parental or guardian consent. We do not knowingly collect personal data from children under 13 without verified parental consent.
Under the Digital Personal Data Protection Act 2023, processing of personal data of children (under 18) requires verifiable parental consent. If we become aware that we hold data from a child under 13 without parental consent, we will take immediate steps to delete that data.
If you believe we hold data relating to a child under 13 without consent, please contact us at support@meduvita.com.
12 Cross-Border Data Transfers
Some of our service providers may store or process data outside India. Where personal data is transferred internationally, we ensure appropriate safeguards are in place consistent with applicable Indian law, including:
- Contractual obligations requiring overseas recipients to maintain equivalent data protection standards;
- Transfer only to countries or entities that provide an adequate level of data protection;
- Your explicit consent for specific transfers where required by applicable law.
Key cross-border processors include: Supabase (US/EU); Razorpay (India); OpenAI (US); Anthropic (US); Cloudflare (US/EU); Google (US/EU, if you use Google sign-in); and email/analytics providers (US or EU, where enabled). All are bound by written data processing agreements or equivalent contractual safeguards including Standard Contractual Clauses where applicable.
13 Your Rights
Under Indian data protection law (including the IT Rules 2011 and the Digital Personal Data Protection Act 2023), you have the following rights regarding your personal data:
Request a copy of the personal data we hold about you and information about how it is processed.
Request correction of inaccurate or incomplete personal data we hold about you.
Request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where you withdraw consent.
Request your data in a structured, commonly used format to transfer to another service provider.
Withdraw consent at any time where processing is consent-based. Withdrawal does not affect prior lawful processing.
Raise a complaint about how your data is handled. We will acknowledge and address grievances within 30 days as required by Indian law.
Request an explanation of the logic used in automated decisions that affect you (see Section 15).
Under the DPDPA 2023, you may nominate another person to exercise your data rights on your behalf in the event of your death or incapacity.
14 Marketing Communications
We send marketing communications only with your explicit opt-in consent, collected at registration via checkbox (email or Google sign-up) or when you enable marketing in Account Settings. We do not send promotional emails to users who have not opted in. Marketing may include emails about new features, UCAT preparation tips, live course availability, and promotional offers.
Under the UK Privacy and Electronic Communications Regulations 2003 (PECR), we require consent before sending marketing emails to individuals in the UK. Transactional emails (receipts, password resets, security alerts, service notices) are sent on the basis of contractual necessity and do not require separate marketing consent.
Opting Out
You can unsubscribe at any time by clicking "Unsubscribe" in any marketing email, updating your preferences in Account Settings, or emailing support@meduvita.com. Opting out does not affect essential service communications such as receipts and account security alerts.
15 Automated Decision-Making & Profiling
We use automated systems to personalise your learning experience:
- Adaptive difficulty engine: Automatically selects questions and adjusts difficulty based on your answer accuracy;
- Performance profiling: Identifies relative strengths and weaknesses across UCAT sections;
- AI tutor personalisation: Tailors explanations based on your question history and error patterns.
These automated processes do not produce legal or similarly significant effects — they are solely intended to improve your UCAT preparation. We do not use automated processing to make decisions about credit, employment, or other high-stakes outcomes.
You have the right to request an explanation of the logic applied in any automated process that affects your use of the platform. Contact us at support@meduvita.com to exercise this right.
16 Data Breach Response
In the event of a personal data breach, we will:
- Assess the nature, scope, and likely consequences of the breach immediately;
- Take steps to contain the breach and mitigate harm;
- Notify the relevant data protection authority as required by applicable Indian law;
- Notify affected users directly where the breach is likely to result in a significant risk to your rights and interests;
- Maintain an internal record of all data breaches.
If you believe you have identified a security vulnerability or data breach, please report it immediately to support@meduvita.com with the subject line [SECURITY REPORT].
17 Complaints & Grievances
Under the IT Rules 2011, we have appointed a Grievance Officer to address complaints about the use of your personal data:
Email: support@meduvita.com
Subject line: [PRIVACY GRIEVANCE]
If you are unhappy with how we have handled your personal data, please contact us first using the details above. We will acknowledge your complaint within 24 hours and resolve it within 30 days.
If you remain unsatisfied, you may escalate to the relevant supervisory authority:
(Established under the Digital Personal Data Protection Act 2023)
Website: meity.gov.in
UK users — Information Commissioner's Office (ICO)
Website: ico.org.uk | Helpline: 0303 123 1113
18 Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 14 days before changes take effect and display a prominent notice on the platform. Continued use after the effective date constitutes acknowledgement. If you do not agree, you may delete your account before the effective date.
19 Contact Us
For privacy-related queries, data access requests, or grievances:
Trading name: Meduvita
Country of operation: India
Platform: prep.meduvita.com
Email: support@meduvita.com
Grievance Officer: Meduvita Privacy Team (same email)
Subject line for privacy matters: [PRIVACY GRIEVANCE]
Subject line for company/regulatory enquiries: [LEGAL ENTITY]
Website: meduvita.com
Response time: Within 30 days (grievances acknowledged within 24 hours)