Privacy Policy
How K.R. Medicines House handles the personal information you share with us through this website, our contact form, WhatsApp, or in person at our store.
Effective: 12 May 2026
1. Introduction
K.R. Medicines House (“we,” “us,” or “the pharmacy”) is a licensed neighborhood pharmacy operating in Dilshad Garden, Delhi since 2001. We are committed to handling your personal information with the same care we apply to your medicines: only what is necessary, stored securely, and used solely to serve you.
This policy explains what personal data we collect, why we collect it, how long we keep it, who we share it with, and the rights you have over it. It applies to everyone who visits this website, sends us a message through our contact form or WhatsApp, calls us, or visits our store.
We process personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable provisions of the Drugs and Cosmetics Act, 1940 and Drugs and Cosmetics Rules, 1945. Under the DPDP Act, K.R. Medicines House is the Data Fiduciary for the personal data described in this policy.
2. Information we collect
We collect only what we need to respond to your inquiry, dispense your medicines, or run the website. We do not buy personal data from third parties, and we do not sell or rent your information to anyone.
Information you provide directly:
- Contact form — full name (up to 80 characters), email address (up to 254 characters), phone number (up to 30 characters), and your message (up to 2000 characters).
- WhatsApp orders — whatever you choose to send us when you message +91-9868085045, including prescriptions, product photos, medicine names, your delivery address, and any preferences. WhatsApp messages may also include health-related information; we treat this as sensitive and confidential.
- Phone calls — details you share when you call our pharmacy desk, including names, addresses, medicine requests, and prescription details that may be relayed verbally.
- In-store visits — prescription documents you hand over for dispensing, plus any details required by the Drugs and Cosmetics Rules to be entered in our prescription register (Schedule H, H1, and X medicines).
Information collected automatically when you use the website:
- Technical and usage data — browser type, device type, approximate region (derived from IP), pages viewed, links clicked, time on page, and similar telemetry, collected by the analytics vendors listed in Section 5.
- Rate-limit identifier — when you submit the contact form we compute a one-way SHA-256 hash of your IP address and store it for one hour to enforce a limit of 5 submissions per hour. Your raw IP is never written to durable storage.
- Bot-verification token — a short-lived token issued by Cloudflare Turnstile when you complete the contact-form verification challenge.
3. How we use your information
We use the information we collect for the following purposes, each tied to a lawful basis under the DPDP Act and applicable pharmacy regulations:
- To respond to your inquiries — when you send us a message, we use your contact details to reply with availability, pricing, or guidance. Lawful basis: consent (you submitted the form / sent the message).
- To process and fulfill orders — we use your delivery address, phone, prescription details, and medicine preferences to dispense and deliver your order. Lawful basis: performance of the requested service.
- To meet regulatory obligations — we maintain prescription registers, retain copies of prescriptions for scheduled medicines, and provide records to inspectors or law enforcement when required by law. Lawful basis: legal obligation under the Drugs and Cosmetics Act, 1940 and Rules, 1945.
- To protect against fraud and abuse — we use Cloudflare Turnstile to detect automated form submissions, and we rate-limit submissions per IP to prevent spam and abuse. Lawful basis: legitimate interest in protecting the service.
- To understand and improve the website — anonymized analytics tell us which pages are useful, where users get stuck, and whether the site loads quickly. We do not use this data to identify individual visitors. Lawful basis: consent (where required) and legitimate interest.
We do not use your information for behavioral advertising, profiling, or automated decision-making that produces legal or similarly significant effects on you. We do not send marketing emails or SMS without your explicit consent.
4. Cookies and similar technologies
We use a small number of cookies and similar storage mechanisms (such as localStorage and sessionStorage) to make the site work and to understand how it is used. These fall into two groups:
- Strictly necessary — set by our own server and by Cloudflare Turnstile to run the contact form and verify that submissions come from real visitors. The site does not function correctly without these.
- Analytics (set only with your consent) — once you accept analytics tracking via our cookie banner, Google Tag Manager (which loads Google Analytics 4) and Microsoft Clarity set pseudonymous identifier cookies to measure traffic and engagement. Before you accept, these scripts load in a ‘denied’ consent state and do not set cookies on your device. Vercel Analytics is cookieless and runs without setting cookies on your device.
You can change your decision at any time through the “Cookie preferences” link in the footer. You can also block or delete cookies through your browser settings. Blocking analytics cookies will not affect your ability to use the site, but it may prevent us from detecting and fixing issues that affect your visit.
5. Third-party services we use
We rely on a small set of vendors to operate the site and the contact channel. Each receives only the data needed for its specific role, is bound by its own data-processing terms, and is contractually prohibited from using your data for any other purpose.
- Cloudflare Turnstile — bot verification on the contact form. Cloudflare receives a short-lived token and your IP at the moment you complete the verification challenge. See Cloudflare’s privacy policy.
- Resend — transactional-email provider that delivers your contact-form submission to our pharmacy inbox. Receives the form fields listed in Section 2. See Resend’s privacy policy.
- Upstash Redis / Vercel KV — managed key-value store used solely to enforce the contact-form rate limit. Stores the SHA-256 hash of your IP for one hour. See Upstash’s privacy policy.
- Google Tag Manager & Google Analytics 4 — anonymized traffic analytics. May set cookies and collect pseudonymous identifiers, page views, and interaction events. IP addresses are truncated by Google before storage. We use Google Consent Mode v2 to declare a default ‘denied’ state for analytics and advertising cookies until you accept the banner. Before consent, GTM and GA4 may still send non-identifying beacon pings used by Google to generate aggregated modeled-traffic estimates — but no identifiers or cookies are stored on your device. We have Google’s Signals feature enabled in our GA4 admin: for visitors whose Google account has ad personalization turned on, GA4 also links pseudonymous behavioral data to that Google account for cross-device tracking, demographics, and interests. You can disable this for your own account at My Ad Center. See Google’s privacy policy.
- Microsoft Clarity — session replay and heatmaps used to understand how visitors interact with the site. Clarity records mouse movement, clicks, and scrolls, but masks the contents of input fields, including form fields that contain personal data. See Microsoft’s privacy statement.
- Vercel Analytics & Speed Insights — first-party anonymized traffic and performance telemetry collected by our hosting provider. See Vercel’s privacy policy.
These vendors may process data on servers located outside India. Where personal data is transferred outside India, transfers are made only to jurisdictions not restricted by the Central Government under Section 16 of the DPDP Act, and only under each vendor’s contractual safeguards.
Separately, when you tap one of our WhatsApp links, your conversation is carried by WhatsApp LLC (Meta). WhatsApp messages are end-to-end encrypted between you and us, but metadata about the conversation is handled under WhatsApp’s own privacy policy.
6. How long we keep your information
We keep personal data only for as long as we need it for the purpose it was collected, or for as long as the law requires — whichever is longer.
- Contact form submissions — kept in our pharmacy email inbox until your inquiry is resolved and for a reasonable period afterward to allow follow-up, then deleted on request or during periodic inbox review.
- Rate-limit IP hash — automatically deleted after 1 hour by the Upstash Redis / Vercel KV time-to-live.
- WhatsApp conversations — retained on the pharmacy device for our reference until manually deleted. WhatsApp’s own retention applies separately.
- Prescription records — retained for at least 3 years from the date of sale. This meets the strictest floor that applies to our dispensing activity: Schedule H1 drugs require a 3-year sale register (introduced by GSR 588(E), 2013), while Schedule H and Schedule X drugs require a 2-year register under Rule 65(11) of the Drugs and Cosmetics Rules, 1945. Schedule X prescriptions also remain subject to the additional preservation requirements set out in the Rules.
- Website analytics — retained according to each vendor’s default settings (typically up to 14 months for Google Analytics 4, 1 year for Microsoft Clarity, and shorter for Vercel Analytics).
7. Your rights
Under the DPDP Act, you have the following rights with respect to your personal data:
- Right to access — request a summary of the personal data we hold about you and how we have processed it.
- Right to correction and erasure — ask us to correct inaccurate information, complete incomplete information, or delete data we no longer need to retain (subject to our legal obligations).
- Right to withdraw consent — where our processing relies on your consent, you may withdraw it at any time. Withdrawal does not affect processing done before withdrawal or processing we are required to continue by law.
- Right of grievance redressal — raise a concern with our Grievance Officer (see Section 10) and, if not resolved, with the Data Protection Board of India under Section 27 of the DPDP Act.
- Right to nominate — nominate another person to exercise these rights on your behalf in the event of death or incapacity.
To exercise any of these rights, write to us using the contact details in Section 12. We aim to respond within 30 days of receiving your request. We may need to verify your identity before acting on a request that involves personal data.
8. How we protect your information
We take reasonable technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or loss:
- All traffic to this website is encrypted in transit with HTTPS, enforced by HTTP Strict Transport Security (HSTS).
- The contact form is protected by Cloudflare Turnstile bot verification, server-side input validation, length limits on every field, and a rate limit of 5 submissions per hour per visitor.
- Vendors (Section 5) are reputable infrastructure and analytics providers with their own published security programs and data-processing agreements.
- Access to the pharmacy email inbox and devices that hold WhatsApp conversations is restricted to staff who need it for their work.
No system can guarantee absolute security. If we become aware of a personal-data breach that is likely to result in significant harm, we will notify affected individuals and the Data Protection Board of India as required by the DPDP Act.
9. Children
This website is not directed at children, and we do not knowingly collect personal data from anyone under the age of 18 without the verifiable consent of a parent or lawful guardian, as required by Section 9 of the DPDP Act.
If you believe we have collected personal data of a minor without proper consent, please contact us using the details in Section 12 and we will take prompt steps to delete it.
10. Grievance Officer
In accordance with Section 8(9) of the DPDP Act, the Grievance Officer for K.R. Medicines House is responsible for addressing any questions, concerns, or complaints relating to this policy or your personal data.
Name: Mansvini Aggarwal
Email: care@krmedicines.com
Phone: +91-9868085045
Address: Shop no. 18, Pocket-F, D.D.A market, GTB Enclave, Dilshad Garden, Delhi 110093
If you are not satisfied with our response, you may approach the Data Protection Board of India under Section 27 of the DPDP Act.
11. Changes to this policy
We may update this policy from time to time to reflect changes in our practices, our technology, or the law. When we do, we will update the “Effective” date at the top of this page.
If a change is material — for example, a new category of data we collect, a new processor we share data with, or a change in retention periods — we will take reasonable steps to notify you in advance, including by posting a prominent notice on the website or contacting you directly.
12. Contact us
Questions about this policy or your personal data? Reach the pharmacy directly:
- Phone: +91-9868085045
- Email: care@krmedicines.com
- WhatsApp: +91-9868085045
- In person: Shop no. 18, Pocket-F, D.D.A market, GTB Enclave, Dilshad Garden, Delhi 110093