Us Privacy Policy

2.1 Identifiers and Account Data

Name, email address, postal address, telephone number, login credentials (username and password) for registered users, business or organisational affiliation, job title or role, account preferences, and professional identifiers (such as NPI number for HCPs).

2.2 Professional and Employment-Related Information

Medical specialty and subspecialty, HCP type (physician, nurse, pharmacist, etc.), practice type and setting (hospital, clinic, private practice), employer or affiliated healthcare organisation, professional credentials, licensure status, board certifications, prescribing patterns, clinical behaviour indicators, and academic and publication history.

2.3 Technical Identifiers and Device Information

IP address, device identifiers (including mobile advertising IDs such as IDFA and Android Advertising ID), browser type and version, operating system, cookie identifiers and pixel tags, session identifiers, identifiers provided by identity resolution partners for user-matching purposes, and hashed email addresses or other pseudonymous identifiers used for audience matching and ad delivery.

2.4 Approximate Geolocation

General location derived from IP address (city, state, region). We do not collect precise geolocation (GPS coordinates) through our advertising platform or corporate websites. We do not use geofencing technology to identify or track individuals at healthcare facilities.

2.5 Usage, Analytics, and Interaction Data

Browsing history on Doceree websites and within our platforms, clickstream data, session behaviour events, pages visited, time spent, referring URLs, search queries, campaign interaction data (ad impressions, clicks, conversions), content engagement signals (articles read, content topics, time-on-content), and information about how users interact with Doceree advertising or platform features.

2.6 Advertising and Audience Data

Audience segment memberships derived from browsing behaviour, content engagement, and third-party data, cross-device graph data linking identifiers across devices, campaign performance data (impressions, clicks, conversions, attribution), contextual signals (content category, page URL, keywords), and de-identified or audience-level signals from advertising partners (which may include age range, gender, insurance category, and diagnosis or procedure category codes received in de-identified form).

2.7 Event Registration and Participation Data

For individuals who register for, attend, or participate in Doceree events (such as Health Decode – The Maker’s Summit, conferences, webinars, or other gatherings), we may collect: name, work email address, organisation name, job title, location, phone number, dietary preferences or accessibility requirements (where voluntarily provided), event attendance and participation records, photographs, video recordings, and audio recordings captured during the event (subject to applicable notice and consent), and feedback, survey responses, and communications related to the event.

2.8 Communications and Inquiry Data

Information submitted through contact forms, demo request forms, newsletter sign-ups, whitepaper downloads, or other inquiry mechanisms on Doceree websites, including name, email address, company, job title, and the content of your inquiry or communication.

2.9 Client and Partner Configuration Data

For pharmaceutical customers and publisher partners: campaign configurations, targeting parameters, creative assets and content, knowledge base materials, reporting preferences, integration settings, and other materials provided to configure and operate Doceree services.

2.10 Co-Pay and Patient Affordability Data

In connection with Co-Pay Spark and co-pay.com, Doceree processes data necessary to deliver patient affordability messaging through EHR systems. This may include medication identifiers (NDC codes), de-identified or aggregated patient eligibility indicators, and co-pay programme details. Co-Pay Spark is designed to operate in a HIPAA-compliant manner as required by applicable agreements. Data handling for Co-Pay solutions is governed by this Policy, applicable product-specific terms, and agreements with pharmaceutical and publisher partners.

2.11 Inferences

Inferences drawn from the above categories to understand preferences, characteristics, and professional interests, including inferred interests in specific therapeutic areas, content topics, prescribing propensities, and audience segments used for advertising delivery and campaign optimisation.

2.12 Important Notice Regarding Protected Health Information (PHI)

DOCEREE’S ADVERTISING PLATFORM AND CORPORATE WEBSITES ARE NOT DESIGNED TO COLLECT PROTECTED HEALTH INFORMATION (PHI) AS DEFINED UNDER HIPAA. USERS MUST NOT SUBMIT PATIENT NAMES, MEDICAL RECORD NUMBERS, DIAGNOSES, TREATMENT INFORMATION, OR OTHER INFORMATION THAT COULD IDENTIFY A SPECIFIC PATIENT THROUGH DOCEREE’S ADVERTISING PLATFORM OR WEBSITES.
De-identified health-related signals used in advertising workflows (such as diagnosis category codes or insurance type indicators) are received in de-identified form and are not linked to identified patients. Where Doceree’s Co-Pay solutions operate within HIPAA-regulated environments (such as EHR systems), data handling is governed by applicable Business Associate Agreements and product-specific terms. See Section 12 for additional information.

4.1 Advertising Delivery and Targeting

Delivering targeted, interest-based advertising to HCPs and other audiences on behalf of pharmaceutical advertisers, selecting and optimising advertising placements across publisher properties, building audience segments based on professional characteristics, content engagement, and inferred interests, performing cross-device matching and identity resolution to deliver consistent advertising experiences, frequency capping and ad sequencing, contextual targeting based on page content and clinical context, and measuring advertising effectiveness (impressions, clicks, conversions, attribution).

4.2 Platform Operations and Service Delivery

Operating and maintaining Doceree’s advertising platform, DataIQ, Marketplace, Co-Pay solutions, and other products, processing campaign configurations and delivering advertising pursuant to client instructions, generating analytics, reporting, and performance insights for clients, authenticating users and managing accounts, and providing customer support and responding to inquiries.

4.3 Data Intelligence and Analytics

Building and enriching HCP profiles using multiple data sources, creating audience segments and propensity models for advertising targeting, providing aggregated and de-identified analytics and engagement insights to clients, measuring and reporting on campaign performance and return on investment, and conducting research and analysis to understand advertising effectiveness and HCP engagement patterns.

4.4 Patient Affordability

Delivering patient affordability messaging (co-pay coupons, e-vouchers, assistance programme information) through EHR systems via Co-Pay Spark, maintaining and operating the co-pay.com database of patient affordability programmes, and facilitating connections between pharmaceutical manufacturers’ affordability programmes and eligible patients at the point of prescription.

4.5 Events

Administering event registration and logistics (including shortlisting, invitations, and attendance management), communicating with registrants and attendees before, during, and after events, documenting and promoting events through photographs, video recordings, and related media, and conducting post-event follow-up, surveys, and business development activities.

4.6 Marketing and Business Development

Sending marketing communications about Doceree’s products and services (where permitted by applicable law or with your consent), personalising content and communications based on your professional interests and interactions, conducting outreach to prospective customers and partners, and analysing the effectiveness of Doceree’s own marketing activities.

4.7 Security, Fraud Prevention, and Compliance

Detecting, investigating, and preventing fraudulent, malicious, or invalid ad traffic, protecting the security and integrity of Doceree’s platforms and services, enforcing our Terms of Service, Acceptable Use Policy, and other agreements, monitoring for misuse of Doceree services, and complying with applicable laws, regulations, and legal processes.

4.8 Improvement and Development

Developing new features, products, and capabilities, analysing aggregated and de-identified data for service improvement, testing and improving platform functionality, and conducting internal audits, troubleshooting, and quality assurance.

4.9 Data Minimisation

Doceree collects only personal information that is reasonably necessary and proportionate to the purposes for which it is processed, as described in this Section 4. Processing is limited to those disclosed purposes and is not extended to incompatible secondary uses without further notice or, where required, consent. Personal information is not retained beyond the period necessary for the applicable purpose, in accordance with the retention schedules set out in Section 8. This principle applies across all Doceree products and services, including the advertising platform, and Co-Pay solutions, and is consistent with the data minimisation requirement under Article 5(1)(c) of the UK GDPR and EU GDPR.

Doceree discloses certain personal information to advertising ecosystem partners, pharmaceutical clients, and data partners in connection with its advertising platform and intelligence products. These disclosures involve the exchange of data for valuable consideration, including non-monetary consideration such as advertising services, data enrichment, targeting capabilities, and audience insights, and may therefore constitute a “sale” or “sharing” of personal information under the CCPA/CPRA and similar state privacy laws.
Categories of personal information that may be “sold” in this manner include:

• Identifiers (such as hashed email addresses, cookie IDs, device identifiers, and mobile advertising IDs)
• Professional information (such as HCP specialty, practice type, and NPI data)
• Internet or electronic network activity (such as browsing history, ad engagement data, content interaction signals, and clickstream data)
• Inferences (such as inferred therapeutic area interests, audience segment memberships, and propensity scores)

You have the right to opt out of such disclosures as described in Section 9.

6.2 Sharing for Cross-Context Behavioural Advertising

Doceree uses cookies and similar tracking technologies to enable cross-context behavioural advertising – that is, showing advertisements based on activity across different websites and applications. Under the CCPA/CPRA and certain other state privacy laws, such use may constitute “sharing” of personal information for purposes of cross-context behavioural advertising.
You may opt out of cross-context behavioural advertising by enabling a Global Privacy Control (GPC) signal in your browser, using the opt-out methods described in Section 9, adjusting your cookie preferences through our cookie consent mechanism, or opting out through industry mechanisms described in our Cookie Policy.

6.3 Sensitive Personal Information and Consumer Health Data

We do not sell or share sensitive personal information as defined under CCPA § 1798.140(ae) for purposes of inferring characteristics about consumers. With respect to consumer health data as defined under Washington’s My Health My Data Act and similar state laws: where health-related inferences (such as therapeutic area interest indicators and prescribing propensity scores) constitute consumer health data under applicable law, Doceree processes such data in accordance with the consent and opt-out requirements described in Section 11 of this Policy. We do not sell consumer health data without obtaining consent where required by applicable law.

6.4 Do Not Sell or Share My Personal Information

Where required by the CCPA/CPRA or other applicable state privacy law, Doceree will provide a “Do Not Sell or Share My Personal Information” link on its websites. Doceree is in the process of implementing a dedicated opt-out link and will make it available in accordance with applicable legal requirements and implementation timelines.
Pending full implementation of a dedicated link, you may exercise your right to opt out of the sale or sharing of your personal information through the following currently available mechanisms:

• (a) Global Privacy Control (GPC): Doceree recognises and honours GPC signals as a valid opt-out. See Section 9.3.
• (b) Cookie Settings: Use the “Cookie Settings” link on our websites to withdraw consent for non-essential advertising and tracking cookies.
• (c) Email Request: Submit an opt-out request to privacy@doceree.com with the subject line “Opt-Out Request.”

Doceree will not treat the absence of a dedicated opt-out link as a waiver of any individual’s right to opt out. All opt-out requests submitted through the mechanisms above will be honoured in accordance with applicable law.

Depending on your state of residence, you may have the following rights regarding your personal information:

• Right to Know/Access: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties to whom we have disclosed your information. By default, our disclosure will cover the 12-month period preceding our receipt of your verifiable consumer request. Pursuant to Cal. Civ. Code § 1798.130(a)(2)(B) and CPPA regulations, you may also request disclosure of personal information collected on or after January 1, 2022, beyond the default 12-month period; we will provide such information unless doing so proves impossible or would involve a disproportionate effort, in which case we will provide you with a detailed explanation.
• Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions (such as where retention is necessary to complete a transaction, detect fraud, comply with legal obligations, or exercise legal rights).
• Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
• Right to Data Portability: You may request a copy of your personal information in a portable, machine-readable format.
• Right to Opt Out of Sale/Sharing: You may opt out of the sale of your personal information and the sharing of your personal information for cross-context behavioural advertising. This is a critical right for individuals whose data is processed through Doceree’s advertising platform.
• Right to Opt Out of Targeted Advertising: You may opt out of the display of advertisements based on personal information obtained from your activities over time and across non-affiliated websites or applications.
• Right to Opt Out of Profiling: You may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
• Right to Limit Use of Sensitive Personal Information: Under CCPA, you may limit our use and disclosure of sensitive personal information to uses necessary to perform services or as otherwise permitted by law.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

9.2 How to Exercise Your Rights

You may submit a privacy rights request by:

• Email: privacy@doceree.com
• Mail: Doceree, Inc., Attn: Privacy, 150 John F Kennedy Pkwy, Suite 403, Short Hills, NJ 07078

9.3 Opt-Out of Sale/Sharing and Targeted Advertising

Because Doceree’s advertising platform processes data for targeted advertising at scale, we provide multiple opt-out mechanisms:

• Global Privacy Control (GPC): We recognise and honour GPC signals as a valid opt-out of the sale or sharing of personal information. When we detect a GPC signal, we will apply the opt-out to the browser or device from which the signal is sent. To enable GPC, visit globalprivacycontrol.org.
• Cookie Consent Mechanism: Use the “Cookie Settings” link on our websites to manage your preferences.
• Industry Opt-Out Tools: You may opt out of targeted advertising from Doceree and other participating companies through the Digital Advertising Alliance (DAA) at optout.aboutads.info, the Network Advertising Initiative (NAI) at optout.networkadvertising.org, and individual platform ad settings (Google, Meta, LinkedIn).
• Mobile Device Settings: On iOS, go to Settings > Privacy > Tracking. On Android, go to Settings > Google > Ads > Opt out of Ads Personalisation.
• Email Request: Email privacy@doceree.com with the subject line “Opt-Out Request.”

We will process opt-out requests promptly and apply them to future data processing activities.

9.4 Verification of Requests

To protect your privacy, we must verify your identity before fulfilling access, deletion, or correction requests. Our verification process may include matching information you provide against our records, requesting additional documentation, or using a third-party verification service. For requests to know specific pieces of personal information or requests to delete, we apply a higher standard of verification.

9.5 Authorised Agents

You may designate an authorised agent to submit a privacy request on your behalf by providing the agent with written permission signed by you, verifying your identity directly with us, and having the agent submit proof of authorisation with the request.

9.6 Response Timing

We will acknowledge receipt of your request within 10 business days and provide a substantive response within 45 days. If we need additional time (up to 45 additional days), we will notify you of the extension and the reason. There is no limit on deletion, correction, or opt-out requests.

9.7 Right to Appeal

If we decline to take action on your request, you have the right to appeal our decision. To appeal, contact us at privacy@doceree.com with the subject line “Privacy Appeal” within 45 days of receiving our response. We will respond within the timeframe required by applicable law (typically 45–60 days). If your appeal is denied, you may contact your state’s Attorney General to submit a complaint.

17.1 Event Registration

Information submitted through event registration forms (including name, work email, organisation, job title, location, and phone number) is used for event administration, shortlisting and selection of participants, event communications (confirmations, logistics, reminders), and post-event follow-up and business development.
Event registration forms will include a conspicuous link to this Privacy Policy and, where required, a consent mechanism for processing personal information for the stated purposes.

17.2 Photography, Video, and Recordings

Doceree may photograph, film, or record events for promotional, marketing, and documentation purposes. By attending a Doceree event, and subject to any separate consent obtained at the time of registration or check-in, you acknowledge that your name, image, likeness, and professional affiliation may be captured and used in connection with the promotion and documentation of the event and Doceree’s activities.
If you wish to opt out of specific uses of your image or likeness, please notify Doceree in writing prior to the event at events@doceree.com. To the extent required by applicable law (including UK GDPR), you may withdraw consent at any time by contacting privacy@doceree.com.

17.3 Event Participation Terms

Attendance at certain Doceree events may be subject to separate Event Participation Terms and Waiver Agreements, which will be presented to selected participants prior to or at the event. Such terms govern confidentiality, liability, intellectual property, and related matters specific to the event and are separate from this Privacy Policy.

This entire Policy is intended to comply with the California Consumer Privacy Act and California Privacy Rights Act. The following is a summary of disclosures required by California law:
Categories of personal information collected in the preceding 12 months: Identifiers, professional information, internet or electronic network activity information, geolocation data, inferences, and sensitive personal information (login credentials only). See Section 2 for details.
Categories of sources: Directly from you, customers and partners, public and commercial data sources, advertising ecosystem partners, automatic collection through technology, and EHR/clinical systems. See Section 3 for details.
Business and commercial purposes for collection: Advertising delivery and targeting, platform operations, data intelligence and analytics, patient affordability, events, marketing, security, and improvement. See Section 4 for details.
Categories of third parties to whom personal information is disclosed: Service providers, advertising ecosystem partners, pharmaceutical clients, publishers, data partners, affiliates, event-related third parties, and legal/regulatory entities. See Section 5 for details.
Categories that may be “sold” or “shared”: Identifiers, professional information, internet activity, and inferences. See Section 6 for details.
Your CCPA/CPRA rights are detailed in Section 9. To exercise your rights, use the methods described in Section 9.2.

20.2 Virginia, Colorado, Connecticut, Texas, New Jersey, and Other State Residents

Residents of states with comprehensive privacy laws (including the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Texas Data Privacy and Security Act, New Jersey Data Privacy Act, and others) have similar rights to those described in Section 9. You may exercise your rights using the methods in Section 9.2. You also have the right to appeal our decision (see Section 9.7).
New Jersey Residents: The New Jersey Data Privacy Act (NJDPA) applies to Doceree’s processing of personal data of New Jersey residents. In addition to the rights described in Section 9, New Jersey residents have the right to obtain a list of specific third parties to whom personal data have been disclosed. Doceree recognises and honours Universal Opt-Out Mechanisms (UOOM), including Global Privacy Control (GPC), as required by NJDPA. Doceree has conducted Data Protection Assessments for its targeted advertising, profiling, and data sale activities as required under NJDPA. To exercise your rights or submit an appeal, use the methods described in Sections 9.2 and 9.7.

20.3 Nevada Residents

Nevada residents may opt out of the sale of certain “covered information” under Nevada SB 220. To submit an opt-out request, contact privacy@doceree.com.

21.1 UK/EEA Controller

For users located in the United Kingdom, Doceree UK Limited acts as the controller of personal information processed in connection with Doceree’s services under the UK GDPR and the Data Protection Act 2018. Doceree UK Limited can be contacted at:

Doceree UK Limited
Jubilee Business Centre, 213 Kingsbury Road, Suite 15
First Floor, London NW9 8AQ
Email: privacy@doceree.com

For users in the EEA, Doceree, Inc. is the controller, with Doceree UK Limited acting as a point of contact. Contact details for Doceree, Inc. are provided in Section 19.

21.2 Legal Bases for Processing

We process your personal information under the following legal bases:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide Doceree’s services you have requested, including account creation and authentication, delivering advertising and platform services, and processing inquiries.
• Legitimate Interests (Article 6(1)(f) UK GDPR / Article 6(1)(f) EU GDPR): Processing necessary for Doceree’s legitimate interests, which are: (i) operating, maintaining, and improving our advertising platform, conducting analytics and measurement; (ii) delivering targeted pharmaceutical advertising to healthcare professionals in their professional capacity; (iii) building and activating HCP intelligence profiles for advertising targeting and analytics; (iv) maintaining the security and integrity of Doceree’s platforms and preventing fraud and invalid traffic; and (v) providing campaign performance analytics and reporting to pharmaceutical clients. We have conducted balancing assessments and determined these interests are not overridden by your rights and freedoms, taking into account the professional B2B context, the reasonable expectations of HCPs in a commercial healthcare communications environment, and the safeguards we implement. You have the right to object to processing on this basis at any time (see Section 21.3).
• Legal Obligation (Article 6(1)(c)): Processing necessary for compliance with legal obligations, including responding to lawful requests from authorities and regulatory compliance.
• Consent (Article 6(1)(a)): Where required by applicable law, including for certain marketing communications, non-essential cookies, and processing of consumer health data. You may withdraw consent at any time by contacting privacy@doceree.com. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.
• Recognised Legitimate Interests (Article 6(1)(ea) UK GDPR, introduced by the Data (Use and Access) Act 2025): Where processing falls within a category of recognised legitimate interests specified under the DUAA (such as safeguarding national security, preventing crime, or safeguarding vulnerable individuals), Doceree may rely on this basis without conducting a separate balancing test. This basis is not currently relied upon for Doceree’s core advertising activities but may apply in limited compliance and security contexts.

21.3 Your Additional Rights

In addition to the rights described in Section 9, UK and EEA users have:

• Right to Restrict Processing: You may request restriction of processing in certain circumstances.
• Right to Object: You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.
• Right to Lodge Complaint: You may lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or your local EEA supervisory authority.

21.4 International Transfers

Your personal data may be transferred to and processed in the United States and other countries outside the UK and EEA. For such transfers, Doceree relies on the following lawful transfer mechanisms- UK transfers: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses, together with a Transfer Risk Assessment (TRA) assessing whether the data protection standard in the destination country is not materially lower than in the UK, as required under the DUAA’s updated “data protection test”; the UK Extension to the EU-US Data Privacy Framework (for certified US recipients); and UK adequacy regulations where applicable. EEA transfers: EU Standard Contractual Clauses (SCCs); the EU-US Data Privacy Framework (where applicable); and adequacy decisions where applicable. The European Commission renewed its adequacy decisions for the UK in December 2025, valid until 27 December 2031, permitting the continued free flow of personal data from the EEA to the UK without additional safeguards. We implement appropriate technical and organisational safeguards to ensure your personal data remains protected during international transfers. Copies of the relevant transfer mechanisms are available on request by contacting privacy@doceree.com.

21.5 Automated Decision-Making and Profiling

Doceree’s advertising platform uses automated systems, including audience segmentation algorithms, propensity scoring, and real-time bidding, to select and deliver targeted advertising to healthcare professional audiences. Under the Data (Use and Access) Act 2025 (DUAA), which amended Article 22 UK GDPR with effect from 5 February 2026, solely automated decision-making that produces legal or similarly significant effects on individuals is permitted under certain conditions, including where Doceree informs you of the decision, allows you to contest it, and provides for human intervention. We have assessed our advertising platform activities and determined that, in the context of professional pharmaceutical communications delivered to HCPs in their professional capacity, they do not produce legal or similarly significant effects on individuals within the meaning of Article 22 UK GDPR as amended by the DUAA. However, we acknowledge that these activities involve profiling of healthcare professionals. You have the right to object to such profiling under Article 21 UK GDPR. You may also opt out of targeted advertising using the methods described in Section 9.3.
For EEA users, the pre-DUAA Article 22 EU GDPR framework continues to apply. Our assessment that these activities do not constitute solely automated decision-making producing legal or similarly significant effects remains the same under the EU GDPR framework.

21.6 Cookies, Tracking Technologies, and PECR (UK Users)

For users in the United Kingdom, Doceree’s use of cookies and similar tracking technologies on its websites and advertising platform is governed by the Privacy and Electronic Communications Regulations 2003 (PECR), as amended by the Data (Use and Access) Act 2025 (DUAA), in addition to the UK GDPR.
Consent requirement: Non-essential cookies – including advertising, behavioural tracking, cross-device matching, and third-party analytics cookies, require your prior, explicit, and informed consent before being placed on your device. This applies to all tracking technologies used for targeted advertising, including pixels, web beacons, device fingerprinting, and similar technologies. The ICO’s final Storage and Access Technologies guidance (April 2026) confirms that advertising and behavioural tracking cookies remain subject to the consent requirement notwithstanding the limited new exemptions introduced by the DUAA.
Exemptions: Strictly necessary cookies (required for authentication, security, and core platform functionality) do not require consent. Under the DUAA, certain analytics cookies used solely by the website operator for its own statistical purposes may also be exempt from consent; however, advertising and third-party tracking cookies used by Doceree’s advertising platform do not fall within this exemption.
How to manage your cookie preferences: You can manage your cookie preferences at any time using the “Cookie Settings” link on our websites, or by using the opt-out mechanisms described in Section 9.3. Withdrawing consent for non-essential cookies will not affect the lawfulness of processing prior to withdrawal.
Penalties: Non-compliance with PECR may result in enforcement action by the ICO.
For full details of the cookies and tracking technologies we use, please see our Cookie Policy.

22.1 Data Fiduciary

Doceree Media India Private Limited (Doceree’s Indian affiliate) acts as the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDPA) for personal data of individuals located in India. For all other matters, Doceree, Inc. remains responsible as described in this Policy. Doceree Media India Private Limited can be contacted at:

Doceree Media India Private Limited
C-53 B/P IIND, Malviya Nagar,
South Delhi, Delhi 110017, India
Email: privacy@doceree.com

22.2 Consent

Before processing personal data of Indian Data Principals, Doceree Media India Private Limited provides a standalone consent notice that includes: (a) an itemised description of the personal data to be collected; (b) the specific purpose(s) for which the personal data will be processed; (c) a link or mechanism to withdraw consent with the same ease as giving consent; (d) a link to the mechanism for exercising Data Principal rights under Section 22.3; and (e) a link to lodge a complaint with the Data Protection Board of India. Consent is obtained through a clear affirmative action and is free, specific, informed, and unambiguous. Consent may be withdrawn at any time by contacting privacy@doceree.com or through the mechanism provided in the consent notice. Withdrawal of consent will not affect the lawfulness of processing conducted prior to withdrawal. Upon withdrawal, personal data will be erased in accordance with Section 8 of this Policy, unless retention is required by applicable law.

22.3 Your Rights

Under the DPDPA, Indian Data Principals have the following rights:

• Right to Access Information: to obtain a summary of personal data being processed, the purposes of processing, and the identities of Data Processors and other recipients with whom personal data has been shared;
• Right to Correction and Erasure: to correct inaccurate or incomplete personal data, and to request erasure of personal data where the purpose of processing is no longer served or consent has been withdrawn, subject to any legal retention obligations;
• Right to Withdraw Consent: to withdraw consent for processing at any time, with the same ease as giving consent, by contacting privacy@doceree.com or using the mechanism provided in the consent notice;
• Right to Grievance Redressal: to have grievances addressed by Doceree Media India Private Limited and, if unresolved, to escalate to the Data Protection Board of India; and
• Right to Nominate: to nominate another individual to exercise these rights on your behalf in the event of your death or incapacity. To exercise any of these rights, contact privacy@doceree.com.

22.4 Grievance Redressal

Doceree Media India Private Limited has established a grievance redressal mechanism as required under Section 8(7) and Section 13 of the DPDPA. Complaints or queries regarding the processing of your personal data may be directed to the designated Grievance Officer at: Email: privacy@doceree.com. We will acknowledge receipt of your complaint promptly and respond within a reasonable period not exceeding ninety (90) days of receipt, as prescribed under Rule 14(3) of the DPDP Rules 2025. Indian Data Principals must exhaust this grievance redressal mechanism before approaching the Data Protection Board of India. If your complaint is not resolved to your satisfaction within the prescribed period, you may escalate to the Data Protection Board of India.

22.5 Cross-Border Transfers

Under Section 16 of the DPDPA, personal data may be transferred outside India to any country or territory, except those that the Central Government of India restricts by notification (the “negative list” model). As of the date of this Policy, the Central Government has not notified any restricted countries. Doceree will monitor and comply with any future notifications restricting transfers to specific countries or territories. Sector-specific data localisation requirements (such as those imposed by the Reserve Bank of India or other regulators) may apply to certain categories of data and will be complied with separately.

22.6 Data Breach Notification

In the event of a personal data breach affecting Indian Data Principals, Doceree Media India Private Limited will, in accordance with Section 8(6) of the DPDPA and Rule 7 of the DPDP Rules 2025: (a) notify each affected Indian Data Principal promptly, providing a description of the breach, its likely impact, and the safety measures they may adopt to protect their interests; (b) submit an initial notification to the Data Protection Board of India without undue delay, describing the nature, extent, timing, and likely impact of the breach; and (c) submit a detailed report to the Data Protection Board of India within 72 hours of becoming aware of the breach (or within such extended period as the Board may permit), including the circumstances leading to the breach, remedial measures taken, and a report on notifications given to affected Data Principals. General information about Doceree’s security safeguards and incident response procedures is set out in Section 13 of this Policy.

22.7 Data Processors and Significant Data Fiduciary

Doceree Media India Private Limited engages Data Processors to process personal data on its behalf only under valid written contracts that restrict the processor’s use of personal data to the purposes specified by Doceree, in accordance with Section 8(2) of the DPDPA. If Doceree Media India Private Limited is designated as a Significant Data Fiduciary by the Central Government of India under Section 10 of the DPDPA (based on factors such as the volume and sensitivity of personal data processed and the risk to Data Principals), it will comply with the additional obligations applicable to Significant Data Fiduciaries, including appointing an India-based Data Protection Officer, conducting periodic Data Protection Impact Assessments, and undergoing independent data audits. This Policy will be updated to reflect any such designation.