PRIVACY POLICY

IJCP PUBLICATIONS PVT. LTD.

Operating Medtalks.in | hcp.medtalks.in | eMediNexus.com

Effective Date: April 28, 2026 | Version 2.0

Compliance Scope: India DPDP Act 2023 & DPDP Rules 2025 | IT Act 2000 | Singapore PDPA | Thailand PDPA | Indonesia PDP Law | Philippines Data Privacy Act | Malaysia PDPA

1. Who We Are

IJCP Publications Pvt. Ltd. ("IJCP", "we", "us", or "our") is a medical communications, publishing, and healthcare media company incorporated under the laws of India. We operate the following digital platforms (collectively, the "Platforms"):

• Medtalks.in — our primary HCP-facing web platform
• hcp.medtalks.in — our verified physician engagement portal
• eMediNexus.com — a secondary medical knowledge and networking platform
• Medtalks TV — our video-first HCP content brand

Registered Office: Hauz Khas Village, New Delhi – 110016, India | Branch Office: Andheri East, Mumbai, Maharashtra, India | Grievance Officer Contact: privacy@medtalks.in | Phone: 011-40587512

Under the Digital Personal Data Protection Act, 2023 ("DPDP Act"), IJCP acts as a Data Fiduciary in respect of personal data collected through our Platforms. Under equivalent legislation in other jurisdictions, IJCP may act as a Data Controller or Data User as defined by local law.

2. Scope and Applicability

This Privacy Policy applies to:

• All visitors to our Platforms, whether registered or not
• Registered Healthcare Professionals (HCPs), including physicians, nurses, pharmacists, and allied health professionals
• Patients or caregivers who voluntarily upload health information to our Platforms
• Pharmaceutical companies, medical organisations, and institutional clients who access our services

This Policy applies to personal data processed in India and, where applicable, to personal data processed in connection with the offering of services to individuals located in Singapore, Thailand, Indonesia, the Philippines, and Malaysia, in accordance with the respective data protection laws of those jurisdictions.

Note for Healthcare Professionals: Our platforms are intended exclusively for verified healthcare professionals. Persons under the age of 18 are not eligible to register. If we discover that a minor has registered, we will delete their data immediately.

3. Personal Data We Collect

3.1 Registration and Identity Data

• Full name, designation, and specialisation
• Medical registration number / physician licence details
• Date of birth (for age verification)
• Official email address and mobile number
• Institutional affiliation and practice address

3.2 Professional and Academic Data

• Qualifications, fellowship details, and academic achievements
• Publications, research interests, and conference participations
• CME credits earned and educational activity records on the Platform

3.3 Health and Clinical Data (where voluntarily provided)

• Patient case data uploaded by HCPs for consultation or educational purposes
• Personal health information voluntarily shared by individuals through the Platform

Important: Health and clinical data is treated as sensitive personal data. It is collected only with your explicit, informed, and separate consent. You may withdraw this consent at any time.

3.4 Platform Usage and Technical Data

• IP address, browser type, operating system, and device identifiers
• Pages visited, time spent, and click patterns
• Search queries and content interactions
• Cookie and tracking technology data (see Section 10)

3.5 Communication Data

• Queries submitted to our support team
• Survey and poll responses
• Webinar or event registrations
• Feedback submitted through the Platform

4. Legal Basis for Processing

We process your personal data only on valid legal grounds. Under the DPDP Act 2023, we rely on one or more of the following:

4.1 Consent

We collect most personal data based on your explicit, free, informed, and specific consent. When you register on our Platform, we will present you with a clear consent notice explaining what data is collected and why. You may withdraw your consent at any time — see Section 8.5.

4.2 Legitimate Uses (Section 7, DPDP Act)

In limited circumstances, we may process data without explicit consent for the following legitimate uses permitted under the Act:

• Compliance with a court order or legal obligation under Indian law
• Medical emergency situations where the health or safety of an individual is at immediate risk
• Processing of employment-related data of our own employees and contractors

4.3 Jurisdiction-Specific Legal Bases

For users in Singapore, Thailand, Indonesia, the Philippines, and Malaysia, we rely on the equivalent consent and legitimate interest provisions under those jurisdictions' laws. Explicit, informed consent remains our primary basis for collecting health data across all jurisdictions.

5. How We Use Your Personal Data

We use personal data only for specified, lawful purposes. We will not use your data for a purpose materially different from what was stated at the time of collection without obtaining fresh consent.

5.1 Platform Services

• Creating and managing your verified HCP profile
• Providing access to medical content, CME programmes, and educational resources
• Enabling peer-to-peer networking among healthcare professionals
• Facilitating virtual and in-person medical conferences and events

5.2 Communications

• Sending you relevant medical education alerts, journal digests, and clinical updates
• Notifying you of CME credits, certificates, and activity completions
• Responding to your queries and support requests

5.3 Platform Improvement

• Analysing aggregated and anonymised usage data to improve Platform performance
• Conducting internal research and analytics (using de-identified data only)
• Detecting and preventing fraud, abuse, and security breaches

5.4 Pharma and Healthcare Industry Services

With your explicit consent, we may enable pharmaceutical and healthcare companies to reach verified HCPs with relevant product information, clinical data, or continuing medical education content. We do not sell personal data. Any such engagement is conducted under strict data processing agreements that bind third parties to equivalent data protection standards.

We Do Not Sell Your Data: IJCP does not sell, rent, or commercially transfer your personal data to third parties for their own marketing purposes. This is an absolute commitment.

6. How We Share Your Data

6.1 Third-Party Service Providers (Data Processors)

We engage trusted third-party vendors to support our operations — including cloud hosting, email delivery, analytics, and payment processing. These vendors act as Data Processors and are contractually bound to:

• Process data only on our documented instructions
• Implement equivalent data security safeguards
• Not use the data for their own purposes
• Delete or return data upon termination of our engagement

6.2 Pharma and Institutional Clients

Where you have consented to receive communications from pharmaceutical or healthcare companies through our Platform, we may share your verified HCP profile (name, specialisation, city, and institutional affiliation) with such clients. We share only the minimum data necessary, and only to the extent covered by your consent.

6.3 Legal Disclosure

We may disclose personal data if required to do so by applicable law, court order, or at the direction of a competent regulatory authority, including the Data Protection Board of India or equivalent authorities in other jurisdictions where we operate.

6.4 Business Transfers

In the event of a merger, acquisition, demerger, or restructuring of IJCP, personal data may be transferred to the successor entity, subject to equivalent privacy protections. You will be notified of any such transfer.

6.5 Aggregated and Anonymised Data

We may share aggregated, anonymised, statistical data (which cannot identify any individual) with research institutions, public health bodies, and industry partners for healthcare analytics and research purposes.

7. Cross-Border Data Transfers

IJCP primarily stores and processes your data on servers located within India. Where data is transferred outside India — for example, to cloud infrastructure providers or international technology partners — we ensure that:

• The transfer is to a country not restricted by the Central Government of India under the DPDP Act
• Adequate contractual safeguards are in place, equivalent to those required under the DPDP Act
• Data processors in other jurisdictions are bound by standard contractual clauses or equivalent instruments

7.1 Users in South East Asia

If you are accessing our Platform from Singapore, Thailand, Indonesia, the Philippines, or Malaysia, please note that your data may be transferred to and processed in India. We ensure that such transfers comply with the cross-border transfer requirements of your local data protection law. Specific safeguards available to you are described in Section 11 of this Policy.

8. Your Rights as a Data Principal

Under the DPDP Act 2023 and equivalent laws in other jurisdictions, you have the following rights with respect to your personal data:

8.1 Right to Information

You may request a summary of the personal data we hold about you, the purposes for which it is being processed, and the names of any third parties with whom it has been shared.

8.2 Right to Access

You have the right to access a copy of your personal data that we hold. We will respond to access requests within 30 days of receipt.

8.3 Right to Correction and Erasure

You may request the correction of inaccurate or incomplete personal data. You may also request erasure of your personal data, subject to legal retention obligations. We will act on such requests within 30 days.

8.4 Right to Data Portability

Where technically feasible, you may request your personal data in a structured, machine-readable format so that you can transfer it to another service.

8.5 Right to Withdraw Consent

You may withdraw your consent to any processing activity at any time. Withdrawal does not affect the lawfulness of processing that occurred prior to withdrawal. Upon withdrawal:

• We will cease processing your data for the purpose to which consent was withdrawn
• We will delete or anonymise data that has no other lawful basis for retention
• Certain core Platform functions may become unavailable as a result

8.6 Right to Nominate

Under the DPDP Act, you may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity.

8.7 How to Exercise Your Rights

Submit a written request to our Grievance Officer at: privacy@medtalks.in

We will acknowledge your request within 72 hours and respond substantively within 30 days. If we are unable to fulfill a request, we will explain why.

8.8 Right to Complain

If you are dissatisfied with our response, you may file a complaint with:

• Data Protection Board of India (once fully operational under the DPDP Act)
• Relevant authority in your jurisdiction — see Section 11

9. Data Retention

We retain personal data for no longer than is necessary for the purpose for which it was collected, or as required by applicable law. Our general retention schedule is:

Upon expiry of the applicable retention period, we will securely delete or anonymise your personal data. You may request early deletion by contacting privacy@medtalks.in, subject to any overriding legal obligation to retain the data.

10. Children's Data

Our Platforms are intended solely for verified healthcare professionals. We do not knowingly collect personal data from individuals under 18 years of age (or the applicable age of majority in your jurisdiction). Registration is subject to verification of medical credentials, which inherently limits access to qualified adults.

If you believe a minor has registered on our Platform, please notify us immediately at privacy@medtalks.in and we will delete the relevant data without delay. We do not conduct any behavioural monitoring, targeted advertising, or tracking of minors.

Thailand: Under Thailand's PDPA, a minor is defined as a person under 20 years of age. For users in Thailand, we apply the same prohibition on registration and processing of data of individuals under 20.

11. Data Security and Breach Notification

11.1 Security Measures

We implement reasonable technical and organisational safeguards to protect personal data against unauthorised access, loss, destruction, or alteration. These include:

• Encryption of personal data in transit (TLS/SSL) and at rest
• Access controls limiting data access to authorised personnel only
• Regular security audits and vulnerability assessments
• Data processor due diligence and contractual security requirements
• Employee training on data protection and information security

11.2 Breach Notification

In the event of a personal data breach, we will:

• Notify the Data Protection Board of India (or equivalent authority in relevant jurisdictions) as required by applicable law
• Notify affected Data Principals without undue delay where the breach is likely to result in high risk to their rights
• Document the nature, scope, and remedial actions taken in respect of all breaches

Jurisdiction-Specific Timelines: India DPDP Act: as soon as practicable | Indonesia PDP Law: within 14 days of discovery | Singapore PDPA: within 3 days of determining the breach is notifiable | Philippines DPA: within 72 hours of discovery

12. Jurisdiction-Specific Rights (South East Asia)

If you are accessing our Platform from the following countries, you have additional rights under your local data protection law, exercisable by contacting privacy@medtalks.in:

Singapore (PDPA)

• Right to access and correction of personal data
• Right to withdraw consent with reasonable notice
• Right to data portability (where applicable under the PDPA)
• Complaints to: Personal Data Protection Commission (PDPC), Singapore — www.pdpc.gov.sg

Thailand (PDPA)

• Right to be informed, access, rectify, erase, restrict, and object to processing
• Right to data portability
• Right to withdraw consent at any time
• Complaints to: Office of the Personal Data Protection Committee (PDPC), Thailand

Indonesia (PDP Law)

• Right to obtain information, access, and correct personal data
• Right to request deletion of personal data
• Right to object to automated processing
• Breach notification within 14 days of discovery
• Complaints to: Ministry of Communications and Digital Affairs (MOCI), Indonesia

Philippines (Data Privacy Act 2012)

• Right to be informed, access, object, erasure, damages, and data portability
• Complaints to: National Privacy Commission (NPC), Philippines — www.privacy.gov.ph

Malaysia (PDPA, as amended 2024)

• Right to access and correct personal data
• Right to withdraw consent
• Right to prevent processing for direct marketing
• Complaints to: Personal Data Protection Commissioner, Malaysia — www.pdp.gov.my

13. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our Platforms to enhance your experience and for analytics purposes. The types of cookies we use are:

• Essential Cookies: Required for the Platform to function (e.g., session management, login). Cannot be disabled.
• Analytics Cookies: Help us understand how users interact with the Platform. We use anonymised or aggregated data only.
• Preference Cookies: Remember your settings and personalisation choices.
• Marketing Cookies: Only deployed with your explicit consent, to enable relevant healthcare content from our pharmaceutical clients.

You can manage your cookie preferences through our Cookie Preference Centre (accessible in the Platform footer) or through your browser settings. Disabling non-essential cookies will not affect your ability to use the core Platform.

14. Third-Party Links

Our Platforms may contain links to third-party websites, publications, or services. We are not responsible for the privacy practices of such third-party sites. We encourage you to read the privacy policy of any third-party site you visit. Access to third-party sites is at your own risk.

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or regulatory guidance. When we make material changes, we will:

• Display a prominent notice on the Platform
• Send an email notification to registered users
• Update the Effective Date at the top of this Policy

Your continued use of the Platform after a change has been notified will constitute your acceptance of the updated Policy. If you do not agree to the changes, you may deactivate your account by contacting privacy@medtalks.in.

16. Grievance Officer

In accordance with the Information Technology Act, 2000, and the DPDP Act 2023, the following officer has been appointed to address grievances related to your personal data:

Grievance Officer: Nilesh Aggarwal, CEO | IJCP Publications Pvt. Ltd. | Hauz Khas Village, New Delhi – 110016, India | Email: nilesh@medtalks.net | Phone: 011-40587512 | Response Time: Acknowledgement within 72 hours, resolution within 30 days

If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India (once fully constituted) or the appropriate judicial forum.

For South East Asian users, please also refer to the relevant national authority listed in Section 12.

IJCP Publications Pvt. Ltd. | privacy@medtalks.in | Version 2.0 | April 2026

This policy should be reviewed by qualified legal counsel before formal adoption.