Data Processing Agreement (DPA) & GDPR Notice

Part A: GDPR Notice (for customers & visitors)

Who is the controller?

For your shopping account, orders, prescription uploads, tele-consult bookings, and support interactions on Pinoymeds, the controller is Pinoymeds. Independent physicians who provide tele-consultations are typically independent controllers of clinical records.

What data does Pinoymeds process

Account & contact: name, email, phone, billing/shipping address, language.
Order & delivery: items, invoices, tracking events, KYC (where required).
Health & prescription (special category): uploaded Rx (images/PDF), prescriber details, diagnosis notes appearing on the Rx, and the tele-consult intake you provide.
Compliance: permit data (e.g., PUC/IC-1), ID last four digits where permitted, and customs documents.
Payments: status and limited identifiers (full card/UPI handled by payment providers).
Support & comms: WhatsApp/Messenger/email/call logs and (with notice) recordings.
Technical: IP, device/browser, language, cookies/SDKs (e.g., WooCommerce cart, WPML, analytics).

Why Pinoymeds processes your data (purposes & legal bases)

To fulfill our contract with you, we will create your account, process orders, deliver items, and handle returns.
With your consent, process health data (Rx/tele-consult), specific cookies/analytics, marketing, and call recordings where required. You can withdraw consent at any time (this won’t affect past processing).
To comply with law: tax/audit records, pharmacovigilance, and responding to regulators.
For our legitimate interests: service security, fraud prevention, basic analytics, and improving Pinoymeds (balanced against your rights).

International transfers

We operate from India and work with providers in several countries. When GDPR/UK-GDPR applies, we use Standard Contractual Clauses (SCCs) (and UK Addendum where needed) plus technical and organizational safeguards for transfers outside the EEA/UK.

How long do we keep data?

We retain data only as long as needed for the purposes above or legal requirements, e.g., invoices/tax up to [5–7] years, safety/complaints per regulation, Rx/health data for [A months/years], or as required by law, call recordings [~180 days] unless needed longer for a dispute. Then we delete or anonymize.

Your GDPR/UK-GDPR rights

You can access, correct, delete, restrict, object, port, and withdraw consent (for consent-based processing). You can also complain to a Supervisory Authority. To make a request, email [Email: info@pinoymeds.com] (we’ll verify identity and respond within statutory deadlines).

Cookies & tracking

Pinoymeds uses necessary cookies (cart, login, language), functional tools (currency, chat), and analytics (e.g., GA4). Manage non-essential cookies via our Cookie Settings banner.

Part B: Pinoymeds Data Processing Agreement (for B2B partners)

Applies only when a Business Customer/Partner (the “Controller”) engages Pinoymeds to process personal data on the Controller’s documented instructions (e.g., white-label order handling, clinical intake routing, helpdesk outsourcing). For regular consumer use, see Part A.

1) Parties & order of precedence

This DPA forms part of the Master Services Agreement (MSA)/Partner Agreement between (Pinoymeds) and [Partner Legal Name]. If there’s conflict, this DPA prevails over the MSA for data protection matters, and the SCCs prevail over this DPA where applicable.

2) Roles

Controller: Partner (and, where applicable, Partner’s customers).
Processor: Pinoymeds.
Sub-processors: Third parties engaged by Pinoymeds to deliver the services (see Annex III).

3) Subject matter, nature, and duration

Pinoymeds processes personal data to provide the contracted services (e.g., order handling, tele-consult scheduling, ticket triage, document preparation), for the term of the MSA and any data return/deletion period.

4) Categories of data & data subjects (summary; see Annex I)

Data subjects: end customers/patients, Partner staff (as contacts), prescribers, courier contacts.
Personal data: identity, contact, order/shipping info, communications metadata.
Special categories (where applicable): health data present in prescriptions or clinical intake supplied by the Controller/end user.

5) Controller instructions

Pinoymeds will process personal data only on documented instructions from the Controller (including transfers), unless required by law. If an instruction is unlawful, Pinoymeds will inform the Controller (where legally allowed).

6) Confidentiality

Pinoymeds ensures persons authorized to process data are bound by confidentiality and receive appropriate data protection training.

7) Security (technical & organizational measures)

Pinoymeds implements appropriate TOMs (see Annex II), including encryption in transit, access control/least-privilege, logging, backups, vulnerability management, secure development practices, and incident response.

8) Sub-processors

Controller authorizes Pinoymeds to use Sub-processors listed in Annex III and future Sub-processors that are materially similar. Pinoymeds will impose data protection obligations that are no less protective than this DPA and will notify the Controller of material changes (the Controller may object on reasonable, documented grounds).

9) Assistance to Controller

Pinoymeds will assist the Controller, taking into account the nature of processing, with:

Data subject requests (access, deletion, etc.)
Security & breach notifications (see §10)
DPIAs and consultations with Supervisory Authorities, as relevant
Deletion/return at the end of services (see §12)

10) Personal data breach

Pinoymeds will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, and provide available information to support the Controller’s assessment and notification duties.

11) International transfers

Where GDPR/UK-GDPR applies and data is transferred outside the EEA/UK, the parties agree the SCCs (Module 2 Controller→Processor or Module 3 Processor→Processor as applicable), plus the UK Addendum and Swiss addendum (if relevant). Governing law for SCCs: [Choose an EU Member State law, e.g., Ireland].

12) Return or deletion of data

Upon termination or on Controller’s written request, Pinoymeds will return all personal data and then securely delete remaining copies within [X days], unless retention is required by law (in which case data will be restricted and deleted after the retention period).

13) Audits

Pinoymeds will provide relevant documentation to demonstrate compliance and, where required, allow audits once per year (or more after a substantiated incident), subject to reasonable notice, scope, confidentiality, and business continuity safeguards. Third-party certifications or reports (e.g., penetration test summaries) may satisfy audit needs where appropriate.

14) Liability & indemnity

Each party’s liability is as stated in the MSA, subject to applicable law. Nothing in this DPA limits a party’s liability for violations of data protection laws where such limitation is not permitted.

15) Miscellaneous

If any provision is invalid, the remainder remains in effect. This DPA may be updated to reflect changes in law or services; material changes will be notified to the Controller.

Annex I — Details of Processing

Data subjects
End-customers/patients; Partner staff as business contacts; prescribers; courier contacts.
Categories of personal data
Identification; contact; account/order info; delivery and customs data; communication logs/metadata; health data contained in Rx/clinical intake (if provided via services).
Special categories of data
Health data (only where the Controller or end-user supplies it to the services).
Processing operations
Collection, storage, organization, consultation, transmission to Sub-processors/authorities/couriers (as instructed), retrieval, restriction, deletion, and destruction.
Purpose
To provide, secure, support, and improve the contracted services; to meet legal obligations (e.g., tax, safety).
Duration
For the term of the MSA, plus data return/deletion period and any legally required retention.

Annex II — Technical & Organizational Measures (TOMs)

Governance: privacy by design/default, role-based access, need-to-know, employee NDA & training.
Identity & access: SSO/MFA for admins, least privilege, periodic access reviews, immediate revocation on role change.
Encryption: TLS in transit; at-rest encryption for databases and backups where supported.
Application security: secure SDLC, code reviews, dependency scanning, and change management.
Infrastructure: hardened hosts, network segmentation, firewalling, secrets management, clock sync.
Monitoring & logging: centralized logs, anomaly detection, audit trails for privileged actions.
Data integrity & availability: backups with periodic restore testing; DR/BCP; anti-DDoS/rate limits.
Vendor & Sub-processor risk: due diligence, SCCs/UK Addendum where relevant, ongoing monitoring.
Incident response: documented runbooks, breach assessment, timely notification to the Controller, and corrective actions.
Customer controls: configurable retention periods, export tools, consent, and cookie settings.

Annex III — Authorized Sub-Processors (by category)

Replace placeholders with your exact vendors/legal entities and locations.

Hosting & storage: [Cloud provider/region], object storage, CDN.
Payments: [Stripe Payments Europe Ltd. / Razorpay / Cashfree, payment processing & fraud tools.
Comms & support: [WATI/Gupshup (WhatsApp Business), Meta (Messenger), MyOperator (voice)], email/SMS gateways, ticketing (FreeScout self-hosted).
Analytics & ops: [Google Analytics 4], error monitoring, performance logs.
Tele-consult platform: [Zoom/Jitsi] to facilitate patient-doctor calls; doctors remain independent controllers of clinical records.
Logistics: Carriers such as [DHL / FedEx / UPS] and local delivery partners to transport parcels and perform customs clearance.

Pinoymeds will maintain an up-to-date Sub-processor list and notify Controller of material changes in accordance with §8.

Contact & requests

Email: info@pinoymeds.com

Phone: +639667705788