This Privacy Policy explains how Vyapitus ("Vyapitus", "we", "us", "our") collects, uses, shares and protects the personal data of visitors to www.vyapitus.com and all sub-domains and digital channels we operate. It is issued by Vyapitus in its capacity as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act").
1. Definitions
- Personal Data - any data about an individual who is identifiable by or in relation to such data.
- Data Principal - the individual to whom the Personal Data relates.
- Data Fiduciary - Vyapitus, who determines the purpose and means of processing.
- Data Processor - any person or entity processing Personal Data on our behalf.
- Sensitive Personal Data - includes financial, health and medical data, and any data whose unauthorised disclosure could cause significant harm.
- Adverse Event Data - information related to any untoward medical occurrence in a patient using a Vyapitus product, collected under our product-safety obligations.
2. Identity of the Data Fiduciary
| Name | Vyapitus [Insert full legal entity name] |
|---|---|
| CIN | [Insert CIN] |
| Registered office | [Insert address] |
| Email | info@vyapitus.com |
| Website | https://www.vyapitus.com |
3. Categories of Personal Data we collect
3.1 Data you provide directly
- Contact data: name, email, phone, address, organisation, designation.
- HCP verification data: medical council registration, council, specialty, institution.
- Job applicant data: CV, education, employment history, references.
- Adverse event reporter data: name, contact details, role.
- Patient data within Adverse Event Reports: initials, age, sex, weight, history, the event description.
- Medical Information enquiry data: the contents of your clinical question and your contact details.
- Investor / grievance redressal data.
3.2 Data we collect automatically
- Technical data: IP address, device, browser, OS, referring URL, pages viewed, clickstream, approximate location.
- Cookies (see Section 12).
3.3 Children's data
The site is not directed at children under 18. Under the DPDP Act, processing children's data requires verifiable parental/guardian consent; we do not knowingly collect it without such consent.
4. Purposes of processing
| Purpose | Legal basis |
|---|---|
| Responding to enquiries | Consent |
| Providing medical information to HCPs | Consent + statutory obligation |
| Product safety - adverse event handling | Statutory obligation under the Drugs and Cosmetics Rules, 1945 |
| Recruitment | Consent + legitimate interest |
| Corporate updates / newsletter | Consent (opt-in only) |
| Website analytics, performance | Legitimate interest + consent for non-essential cookies |
| Security, fraud prevention, legal defence | Legitimate interest + legal obligation |
| Compliance with regulatory obligations | Legal obligation |
We do not engage in automated decision-making producing legal or similarly significant effects on you.
5. With whom we share Personal Data
We do not sell your Personal Data. We share it only with:
- Service providers / Data Processors (hosting, cloud, email, analytics, CRM, IT support).
- Our Product Safety partner.
- Regulatory authorities (CDSCO and state drug controllers) where required.
- Marketing-authorisation partners (for AE data, where law requires).
- Professional advisers - auditors, lawyers, bankers, insurers.
- Counterparties in corporate transactions, under confidentiality.
- Law enforcement and courts, under valid legal process.
6. Cross-border transfers
We primarily store Personal Data on infrastructure in India. Where we transfer data outside India, we do so only to jurisdictions not restricted by the Central Government under Section 16 of the DPDP Act, and under contractual safeguards.
7. Retention
| Category | Retention |
|---|---|
| General enquiries | 24 months from last interaction |
| HCP Medical Information enquiries | 5 years |
| Adverse Event Data | Lifetime of product authorisation + at least 10 years (statutory) |
| Unsuccessful job applicants | 12 months (longer with consent) |
| Newsletter subscribers | Until unsubscribe + 12 months |
| Website logs / technical data | 12 months unless required longer |
8. Your rights as a Data Principal
- Right to access - summary of data held and processing.
- Right to correction and erasure (subject to legal retention).
- Right to grievance redressal.
- Right to nominate someone to exercise rights on your behalf.
- Right to withdraw consent (where consent is the basis).
To exercise these rights, contact our Grievance Officer (Section 9). We respond within 30 days. Please note that Adverse Event Data cannot be erased on request because we are legally required to retain it.
9. Grievance Officer
| Name | [Insert] |
|---|---|
| Designation | [Insert] |
| Address | [Registered office] |
| Email | grievance@vyapitus.com |
| Phone | [Insert] |
| Hours | Mon–Fri, 10:00–18:00 IST |
Grievances are acknowledged within 7 working days. If you are not satisfied, you may escalate to the Data Protection Board of India.
10. Security
We implement TLS 1.3, encryption at rest, role-based access control with MFA, WAF and DDoS protection, vulnerability scanning, vendor due diligence and employee training. In the unlikely event of a personal-data breach, we will notify the Data Protection Board and affected Data Principals as required.
11. Cookies and similar technologies
We use strictly-necessary cookies (always), and performance/analytics, preference and (potentially) marketing cookies with your consent. Use the cookie banner on first visit or the "Cookie Settings" link in the footer to manage preferences.
12. Third-party links
We are not responsible for the privacy practices of third-party websites linked from this site.
13. Changes to this Policy
We may update this Policy from time to time. The "Last Updated" date above reflects the latest revision. For material changes, we will provide additional notice.
14. Contact
- Grievance Officer - grievance@vyapitus.com
- Product Safety - info@vyapitus.com
- Medical Information - medinfo@vyapitus.com
- General - info@vyapitus.com