Legal Document

Privacy Policy

Effective: 1 June 2025 | Last updated: 1 June 2025 | Governed by Indian law

Meduvita ("we", "our", "us") is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and your rights. We are the data controller for personal data processed through our platform and services. Please read this policy carefully alongside our Terms of Service.

1 Who We Are

Meduvita operates the Meduvita Q-Bank (an AI-powered UCAT preparation platform) and Meduvita.com (live UCAT teaching courses), primarily serving students applying to UK medical schools. As data controller, we determine the purposes and means of processing your personal data. Where we engage third parties to process data on our behalf, they act as data processors under written contracts requiring equivalent data protection standards.

Our contact details are set out in Section 19.

3 Data We Collect

Category | Examples | Source
Account data | Full name, email address, hashed password, date of account creation, account type | Provided by you at registration
Profile data | Target exam date, intended medical school(s), UCATSEN status, country of residence | Provided by you (optional)
Performance data | Questions attempted, answers given, time per question, accuracy by section, mock exam scores, progress over time | Auto-generated during platform use
AI interaction data | Queries to the AI tutor, AI responses, feedback ratings on explanations | Generated during AI tutor sessions
Payment data | Billing name, billing address, last 4 card digits, transaction ID, subscription history | Via payment processor; full card data never stored by us
Communications data | Support emails, feedback submissions, survey responses | Provided by you when contacting us
Technical data | IP address, browser type and version, device type, OS, session duration, pages visited, error logs | Collected automatically via cookies and server logs
Live course data | Attendance records, session recordings (where applicable and consented), tutor interaction notes | Generated during live course delivery
Marketing data | Email open/click rates, marketing consent records, opt-out history | Generated through marketing communications

Sensitive Personal Data

Under the IT Rules 2011, certain categories of information are classified as "Sensitive Personal Data or Information" (SPDI). We may process the following SPDI only with your explicit consent and solely for the purpose stated:

  • Health-related information — only where you voluntarily disclose a medical or learning need when registering for UCATSEN mode. This is used solely to provide the extended-time feature.
  • Financial information — limited to what is necessary to process your subscription payment, handled via our PCI-DSS compliant payment processor.

We do not collect passwords in plain text, full payment card numbers, CVV codes, or national identity numbers.

4 How We Use Your Data

Service Delivery

  • Creating and managing your account;
  • Delivering Q-Bank content, adaptive questions, and AI explanations;
  • Running and scoring timed mock exams and generating AI debriefs;
  • Personalising question difficulty and learning pathways based on your performance;
  • Providing UCATSEN mode functionality;
  • Scheduling and delivering live course sessions;
  • Generating performance analytics and progress reports for you.

Subscription & Payment Management

  • Processing payments and managing subscription renewals and cancellations;
  • Verifying course enrolment eligibility for discounts;
  • Sending subscription confirmations, receipts, renewal reminders, and payment failure alerts;
  • Processing refund requests.

Communication

  • Responding to support queries and complaints;
  • Sending service-related notices (e.g. downtime, policy changes, security alerts);
  • With your consent, sending marketing emails about new features, UCAT tips, and Meduvita products.

Platform Improvement

  • Analysing aggregated, anonymised usage patterns to improve question quality, AI accuracy, and platform performance;
  • Conducting internal research to enhance the adaptive algorithm and AI tutor;
  • Testing new features and improvements.

Legal, Security & Compliance

  • Detecting and preventing fraud, abuse, and security incidents;
  • Complying with legal and regulatory obligations under Indian law;
  • Enforcing our Terms of Service;
  • Maintaining records required by applicable law.

6 Sharing Your Data

We do not sell your personal data. We share data only as follows:

Service Providers (Data Processors)

Trusted third-party providers process data on our behalf under written data processing agreements bound by confidentiality and equivalent security obligations:

  • Supabase — authentication, database hosting, and user management;
  • Payment processor (e.g. Stripe) — secure payment processing;
  • Email service provider — transactional and marketing emails;
  • Analytics provider — anonymised usage analytics;
  • AI infrastructure provider — powering the AI tutor and adaptive engine;
  • Cloud hosting provider — platform infrastructure and data storage;
  • Customer support tool — managing support tickets and communications.

Legal Requirements

We may disclose your data to law enforcement, regulators, courts, or government authorities where required by applicable Indian law or lawful order, or to protect the rights, property, or safety of Meduvita, our users, or the public.

Business Transfers

If Meduvita is acquired by or merges with another company, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

With Your Consent

We will share your data with any other party only where you have given us specific, informed, and freely given consent.

7 AI Features & Your Data

The Q-Bank uses AI and machine learning to power real-time explanations, adaptive difficulty, performance analysis, the persistent AI tutor, and post-exam debriefs. Here is how your data interacts with these systems:

  • Your question responses and accuracy data are used to personalise your adaptive question feed in real time;
  • AI tutor interactions may be logged for quality assurance and safety monitoring;
  • We use anonymised and aggregated performance data to improve our AI models. Individually identifiable data is not shared with third-party AI providers for their own model training;
  • AI-generated explanations are produced automatically and are not individually human-reviewed unless flagged for quality or safety issues;
  • Where our AI infrastructure is provided by a third party (e.g. an LLM API), that provider processes query data as a data processor under a written agreement only.

Automated processing: The adaptive difficulty engine makes automated decisions about question selection based solely on your performance data to improve your preparation. These decisions do not produce legal or similarly significant effects. See Section 15 for your rights regarding automated processing.

8 Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy and as required by applicable law:

Data Category | Retention Period | Reason
Account & profile data | Duration of active account + 2 years after closure | Reactivation, dispute resolution, legal claims
Performance & question history | Duration of active account + 2 years after closure | Service delivery, account reactivation
Payment & transaction records | 8 years from transaction date | Indian tax law (Income Tax Act 1961) and financial regulations
AI interaction logs | Up to 12 months after the interaction | Quality assurance, then anonymised or deleted
Support communications | 3 years after issue resolution | Dispute records, service quality
Marketing consent records | Until withdrawal of consent + 1 year | Compliance demonstration
Security & fraud logs | Up to 3 years | Security monitoring and incident investigation
Live course recordings | 12 months after course completion | Student revision access; then deleted or anonymised
Cookie and analytics data | Up to 13 months | Usage analysis and platform improvement

Upon expiry of retention periods, data is securely deleted or irreversibly anonymised so it can no longer be attributed to any individual.

9 Security

We implement reasonable security practices and procedures as required under the IT Rules 2011 to protect your personal data, including:

  • Encryption of data in transit using TLS/HTTPS and encryption of sensitive data at rest;
  • Hashed and salted password storage — we never store plain-text passwords;
  • Role-based access controls limiting data access to authorised personnel on a need-to-know basis;
  • Regular security reviews and vulnerability assessments;
  • Multi-factor authentication for administrative access to systems containing personal data;
  • Incident response procedures for detecting, reporting, and responding to data breaches;
  • Staff training on data protection and security obligations.

Despite these measures, no system is completely secure. You are responsible for maintaining the security of your own account credentials. If you suspect your account has been compromised, contact us immediately at support@meduvita.com.

10 Cookies & Tracking Technologies

We use cookies and similar technologies on our platform. A cookie is a small text file stored on your device when you visit a website.

Essential Cookies

Required for the platform to function — including authentication tokens, session management, and security features. These cannot be disabled without breaking platform functionality.

Analytical / Performance Cookies

Used to understand how users navigate the platform. Data is aggregated and anonymised. Set only with your consent.

Functional Cookies

Used to remember your preferences (e.g. display settings). Set with your consent.

Managing Cookies

You can manage or delete cookies through your browser settings at any time. Disabling non-essential cookies will not affect your ability to access core Q-Bank features.

11 Children's Privacy

The platform is intended for users aged 13 and over. Users under 18 require parental or guardian consent. We do not knowingly collect personal data from children under 13 without verified parental consent.

Under the Digital Personal Data Protection Act 2023, processing of personal data of children (under 18) requires verifiable parental consent. If we become aware that we hold data from a child under 13 without parental consent, we will take immediate steps to delete that data.

If you believe we hold data relating to a child under 13 without consent, please contact us at support@meduvita.com.

12 Cross-Border Data Transfers

Some of our service providers may store or process data outside India. Where personal data is transferred internationally, we ensure appropriate safeguards are in place consistent with applicable Indian law, including:

  • Contractual obligations requiring overseas recipients to maintain equivalent data protection standards;
  • Transfer only to countries or entities that provide an adequate level of data protection;
  • Your explicit consent for specific transfers where required by applicable law.

Key cross-border processors include: Supabase (data may be hosted in the US or EU); Stripe (US); email and analytics providers (US or EU). All are bound by written data processing agreements.

13 Your Rights

Under Indian data protection law (including the IT Rules 2011 and the Digital Personal Data Protection Act 2023), you have the following rights regarding your personal data:

Right of Access

Request a copy of the personal data we hold about you and information about how it is processed.

Right to Rectification

Request correction of inaccurate or incomplete personal data we hold about you.

Right to Erasure

Request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where you withdraw consent.

Right to Data Portability

Request your data in a structured, commonly used format to transfer to another service provider.

Right to Withdraw Consent

Withdraw consent at any time where processing is consent-based. Withdrawal does not affect prior lawful processing.

Right to Grievance Redressal

Raise a complaint about how your data is handled. We will acknowledge and address grievances within 30 days as required by Indian law.

Rights re: Automated Processing

Request an explanation of the logic used in automated decisions that affect you (see Section 15).

Right to Nominate

Under the DPDPA 2023, you may nominate another person to exercise your data rights on your behalf in the event of your death or incapacity.

To exercise any right, email support@meduvita.com with your account email and the right you wish to exercise. We will respond within 30 days. We may verify your identity before acting on a request. There is no charge for reasonable requests.

UK users: You additionally retain the right to contact the UK Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113 regarding our processing of your personal data.

14 Marketing Communications

We send marketing communications only with your consent or, for existing customers, on the basis of legitimate interests where you have not opted out. Marketing may include emails about new features, UCAT preparation tips, live course availability, and promotional offers.

Opting Out

You can unsubscribe at any time by clicking "Unsubscribe" in any marketing email, updating your preferences in Account Settings, or emailing support@meduvita.com. Opting out does not affect essential service communications such as receipts and account security alerts.

15 Automated Decision-Making & Profiling

We use automated systems to personalise your learning experience:

  • Adaptive difficulty engine: Automatically selects questions and adjusts difficulty based on your answer accuracy;
  • Performance profiling: Identifies relative strengths and weaknesses across UCAT sections;
  • AI tutor personalisation: Tailors explanations based on your question history and error patterns.

These automated processes do not produce legal or similarly significant effects — they are solely intended to improve your UCAT preparation. We do not use automated processing to make decisions about credit, employment, or other high-stakes outcomes.

You have the right to request an explanation of the logic applied in any automated process that affects your use of the platform. Contact us at support@meduvita.com to exercise this right.

16 Data Breach Response

In the event of a personal data breach, we will:

  • Assess the nature, scope, and likely consequences of the breach immediately;
  • Take steps to contain the breach and mitigate harm;
  • Notify the relevant data protection authority as required by applicable Indian law;
  • Notify affected users directly where the breach is likely to result in a significant risk to your rights and interests;
  • Maintain an internal record of all data breaches.

If you believe you have identified a security vulnerability or data breach, please report it immediately to support@meduvita.com with the subject line [SECURITY REPORT].

17 Complaints & Grievances

Under the IT Rules 2011, we have appointed a Grievance Officer to address complaints about the use of your personal data. If you are unhappy with how we have handled your personal data, please contact us first at support@meduvita.com with the subject line [PRIVACY GRIEVANCE]. We will acknowledge your complaint within 24 hours and resolve it within 30 days.

If you remain unsatisfied, you may escalate to the relevant supervisory authority:

India — Data Protection Board of India
(Established under the Digital Personal Data Protection Act 2023)
Website: meity.gov.in

UK users — Information Commissioner's Office (ICO)
Website: ico.org.uk | Helpline: 0303 123 1113

18 Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 14 days before changes take effect and display a prominent notice on the platform. Continued use after the effective date constitutes acknowledgement. If you do not agree, you may delete your account before the effective date.

19 Contact Us

For privacy-related queries, data access requests, or grievances:

Meduvita — Grievance Officer & Data Controller
India
Email: support@meduvita.com
Subject line for privacy matters: [PRIVACY GRIEVANCE]
Website: meduvita.com
Response time: Within 30 days (grievances acknowledged within 24 hours)