Privacy Policy

Last updated · May 2026

In short: we store your email, name, role and learning progress so the platform works. We do not sell your data, do not run ad trackers, and you can delete your account or download your data at any time from your profile page.

1. Who is the data fiduciary?

emwithdrsumit.com (“the Platform”) is operated by Dr Sumit Kumar Mandal (MBBS · DipEM · MRCEM), an Indian medical practitioner. For the purposes of the Digital Personal Data Protection Act 2023 (“DPDP Act”) Dr Mandal is the Data Fiduciary for personal data processed through the Platform.

2. What personal data we collect

We collect only what we need to run the Platform:

  • Account basics — your email address, name, and the role you selected at signup (nurse, EM physician, consultant or EMT).
  • Clinician profile (optional) — date of birth, job title, current hospital / institution, and either your medical council registration number (doctors) or hospital employee ID (nurses, EMTs, techs). Used to issue CME-style certificates that are verifiable by state medical councils.
  • Medico-legal attestation — when you sign the clinical-profile declaration we record the timestamp and the IP address you signed from. This is your consent receipt.
  • Usage data — which chapters, algorithms, procedures and tools you opened, your quiz progress, and the last page you visited (so we can show a “continue where you left off” card).
  • Payment data — if you subscribe, Razorpay handles your card or UPI details directly and we only receive a subscription ID and status. We do not see or store your payment instrument.
  • Feedback you send us — any message you post through the feedback form, plus the email you attach to it (if any).

No patient data. The Platform is read-only educational guidance. We do not ask for, store, or process any patient names, demographics or clinical details. Please do not paste patient-identifiable information into any AI feature, the feedback form, or any other field.

3. Why we use your data (purposes)

  • To authenticate you (email + one-time code login).
  • To save your learning progress, bookmarks and certificates.
  • To run your subscription and trial.
  • To attribute referral rewards if you signed up via a colleague’s link.
  • To send you transactional emails (login codes, payment receipts, certificate issuance).
  • To diagnose bugs and improve the Platform from aggregated, non-identifying usage data.

We do not use your data for advertising profiling, do not run third-party ad trackers on the site, and do not sell your data to anyone.

4. Who we share data with (processors)

We rely on a small set of vendors to operate the Platform:

  • Supabase (Postgres database + authentication) — stores your account, progress and subscription rows. Hosted in AWS Mumbai. Data encrypted at rest (AES-256) and in transit (TLS).
  • Vercel (web hosting and CDN) — serves the site itself. Sees request logs (IP, user-agent, path) for the standard 24-hour retention window.
  • Razorpay (payments) — receives your name, email and payment instrument when you subscribe. Razorpay is a PCI DSS compliant Indian payment gateway regulated by the RBI.
  • Anthropic / OpenAI (AI features) — when you use an “Ask Dr Sumit” chat or other AI feature, your query is sent to a third-party large language model for inference. Do not include patient-identifiable information.
  • Transactional email (Supabase Auth’s default mail provider) — sends your one-time login codes and certificate notifications.

We do not transfer your personal data to any other party. If that changes we will update this page and notify registered users by email.

5. How long we keep your data

  • Account data — for as long as your account exists. When you delete your account (Profile → Delete Account) all rows are hard-deleted within 30 days, except where a longer retention is legally required.
  • Payment records — kept for 8 years as required by the Indian Income Tax Act and GST law, even after account deletion.
  • CME certificates — the certificate file remains valid for the credit-holder’s records, but is removed from your profile when you delete your account. You should download a copy first.
  • Server logs — Vercel request logs roll off after 24 hours; Supabase database backups are retained for 7 days.

6. Your rights under the DPDP Act

As a Data Principal, you have the right to:

  • Access — download everything we store about you (Profile → Export My Data).
  • Correction — edit your name, role, institution and other profile fields from your profile page; for anything you cannot edit yourself, email the address below.
  • Erasure — delete your account and all associated personal data (Profile → Delete Account). Hard deletion completes within 30 days.
  • Grievance redressal — raise any complaint about how we handle your data with the Grievance Officer below. If unresolved within 30 days you may escalate to the Data Protection Board of India.
  • Nominate — designate another person to exercise your rights in the event of your death or incapacity, by email to the Grievance Officer.
  • Withdraw consent — at any time, with the same ease as you gave it. Withdrawing consent has the effect of deleting your account.

7. Security

All traffic to and from the Platform is encrypted with TLS. Your data is stored in Supabase Postgres (AWS Mumbai) with AES-256 disk encryption at rest. Passwords are not stored — we use passwordless login with a 6-digit one-time code emailed to you. Administrative access to the database is limited to Dr Mandal and audited through Supabase’s logs.

No system is 100% secure. If we discover a personal-data breach we will notify the Data Protection Board of India within 72 hours and email all affected users.

8. Children

The Platform is for qualified healthcare professionals only and is not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe a child has signed up, please notify the Grievance Officer and we will delete the account.

9. Cookies and tracking

We use only the cookies the Platform needs to function: a Supabase auth-session cookie (so you stay signed in), a language preference cookie, and a referral attribution cookie that expires after 30 days. We do not run Google Analytics, Meta Pixel, or any third-party advertising trackers.

10. Changes to this policy

If we make material changes to how we handle your data we will update the “Last updated” date at the top of this page and email registered users at least 14 days before the change takes effect.

Grievance Officer

Dr Sumit Kumar Mandal
Data Fiduciary · emwithdrsumit.com
Email: privacy@emwithdrsumit.com

We acknowledge complaints within 7 days and resolve them within 30 days. If you are not satisfied with our response you may complain to the Data Protection Board of India.