Lowpill

Privacy Policy

Your data matters to us.

Last updated: 13 May 2026

1. Introduction & Commitment

  • Lowpill is committed to protecting your privacy.
  • This policy explains our data practices.
  • We comply with the DPDP Act 2023.
  • We comply with the Consumer Protection Act.
  • We respect your data rights.
  • Questions? Email help@lowpill.com.

2. Data We Collect

What we collect

  • Account info: name, email, phone, age.
  • Health info: medicine searches, preferences (optional).
  • Usage data: pages visited, features used, timestamps.
  • Technical data: IP address, device info, browser info.
  • Location data: approximate location (for nearby pharmacies).

How we collect

  • Forms (registration, search, profile).
  • Cookies and analytics.
  • Server logs.
  • Third-party analytics.

Why we collect

  • Personalization for better recommendations.
  • Analytics to improve our service.
  • Security to prevent fraud and attacks.
  • Affiliate tracking for commission attribution.
  • Customer support.
  • Legal compliance.

Required vs optional

  • Required: email and phone (for account).
  • Optional: age and health history (for better recommendations).

You must consent before we collect data.

3. Data Usage

  • Price comparison improvement.
  • User experience personalization.
  • Analytics and reporting.
  • Affiliate tracking (hashed, anonymized).
  • Marketing communications (with opt-out).
  • Security monitoring and fraud detection.
  • Customer support and troubleshooting.
  • Legal compliance and regulatory requirements.
  • Business analytics and improvement.
  • Service optimization.
  • Personalized medicine recommendations.
  • Search history personalization.

4. Data Sharing

What we never do

  • We DON'T sell personal data — ever.
  • We DON'T share with marketers.
  • We DON'T share with brokers.

Limited sharing with processors

  • Razorpay (payment processor — payment info only, not health).
  • Cloudflare (security provider — IP info only, not health).
  • Google Analytics (usage analytics — anonymized, not health).
  • Pharmacy affiliate data: hashed, no personal health info.
  • Legal requirement: may share with authorities if required by court.
  • Data Processing Agreements in place with all partners.
  • Data processors only use data as authorized.
  • No sharing with third-party pharmacies (except referral cookies).
  • No health data shared outside our control.

5. Data Security

  • HTTPS / TLS encryption (256-bit, industry standard).
  • Password hashing with bcrypt (one-way, never plaintext).
  • Cloudflare DDoS protection.
  • Quarterly third-party security audits.
  • Database encryption (AES-256).
  • Rate limiting (100 requests / minute per IP).
  • CAPTCHA to prevent automated bot attacks.
  • Account lockout after 5 failed login attempts.
  • Session timeout after 30 minutes of inactivity.
  • No storage of credit card numbers (PCI-DSS compliance via Razorpay).
  • Breach response: notification within 72 hours.
  • Security headers: HSTS, X-Frame-Options, CSP and more.

6. Data Retention

  • Active accounts: data retained until deletion.
  • Deleted accounts: 30-day grace period, then deletion.
  • Legal compliance: retained per law (7 years for tax / compliance).
  • Affiliate tracking: 90 days maximum.
  • Analytics: 14 months default.
  • Backups: retained for 90 days.
  • Support tickets: 1 year after closure.
  • Legal holds: may exceed normal retention.

7. Your Rights under the DPDP Act 2023

To exercise any right, email help@lowpill.com. Include your name, registered email, request type and reason. We respond within 7 days.

Right to access

Response within 3 days. Machine-readable copy provided.

Right to correct

Fix inaccurate or incomplete data. Verification may be required.

Right to delete (right to be forgotten)

30-day notice period; deletion within 7 days of the period ending. Exception: legal compliance data retained for 7 years.

Right to data portability

Get a copy in machine-readable format (CSV, JSON or equivalent) and transfer it to another service provider.

Right to restrict processing

Request that we stop processing your data. We will stop, except where legal requirements force retention.

Right to object

Object to specific processing. We will stop if possible.

Right to lodge a complaint

You can lodge a complaint with the Data Protection Authority if you believe we have violated your rights.

8. Cookies & Tracking

For full details, see our Cookie Policy. Summary below.

Why we use cookies

  • Session management.
  • User preferences (language, theme, settings).
  • Affiliate tracking.
  • Analytics.

First-party cookies

  • Session ID — expires after logout.
  • Language preference — persistent (30 days).
  • Theme preference — persistent (30 days).
  • User ID — expires after logout.

Third-party cookies

  • Google Analytics — usage tracking.
  • Pharmacy affiliate cookies — referral tracking.
  • Cloudflare — security (minimal).

You can disable cookies in your browser settings. This may affect functionality. We respect Do Not Track requests.

9. Third-Party Services & Partners

10. Children & Minors Protection

  • We do not knowingly collect data from anyone under 18.
  • If we find such data, it is immediately deleted.
  • Parental consent is required for any minor.
  • If you are a parent and believe we hold a minor's data, contact help@lowpill.com.
  • Parents can access, correct, or delete a child's data.
  • No marketing is sent to minors.
  • Age verification may be required.

11. Data Breach Notification

  • Notification within 72 hours of discovery (DPDP requirement).
  • Notification via email and SMS.
  • We tell you: what data was breached, when, how we discovered it, steps to protect yourself, our remediation plan and a contact for questions.
  • We report to authorities when required by law.
  • Public disclosure if the breach affects many people.

12. Data Localization (India)

  • Data is stored in India.
  • No cross-border transfer without consent.
  • We comply with RBI data localization guidelines.
  • EU data: GDPR compliant where applicable.
  • Server and backup location: India.
  • Transfer restrictions honored.

See Data Localization for the full statement.

13. International Transfers

  • EU users: GDPR applies.
  • Standard contractual clauses in place.
  • Adequacy decision relied on where available.
  • Your rights are protected.
  • Consent is required.

14. Contact for Privacy Issues

  • Email: help@lowpill.com.
  • Subject: "Privacy request" (include: data access / correction / deletion).
  • Response time: acknowledgment within 24 hours; detailed response within 7 days.

What to include:

  • Your name and registered email.
  • Type of request.
  • Relevant details.
  • Any supporting documents.

If unsatisfied, you can file with the Data Protection Authority. The DPA process is free and government-run.

15. Policy Changes & Updates

  • We can update this policy at any time.
  • Email notification to all users for material changes.
  • Continued use means acceptance.
  • Check regularly for updates.
  • Major changes: 30-day notice.