Your pharmacy does not just sell medicines. It stores prescription and medicine-history data every day.
From prescription images and WhatsApp orders to medicine history, refill reminders, delivery partners, billing software, staff phones and old customer records — pharmacies handle health-linked personal data at every step. This 3-minute scan shows where DPDPA exposure may arise. It never asks for any patient name, prescription or medicine order — only your answers about your business processes.
Most pharmacies don't have a medicine-delivery problem — they have a prescription-data control problem.
Your prescription & medicine-data risk map
The free scan scores your firm across these five areas. Here is what each one looks at.
Customer & prescription data risk
Customer name, phone and delivery address; prescription images; doctor and clinic details; medicine order history; family/caregiver orders; billing and profile data.
First move: Map prescription and customer data across in-store, WhatsApp, app and delivery, and define who can access it.
Health indicator & medicine-history risk
Chronic-care, mental-health, fertility, sexual-health, oncology, HIV and controlled medicine categories that can reveal high-impact health indicators even without a diagnosis field.
First move: Treat medicine-history as high-impact; don't use it for targeting without clear, separate consent.
Order, delivery & vendor-sharing risk
Data shared with delivery partners, payment gateways, marketplaces and aggregators, telemedicine platforms, hospital/clinic partners, insurers, CRM/marketing and IT vendors.
First move: Keep a vendor-sharing register and limit delivery/vendor access to only what fulfilment needs.
System, staff & access risk
Prescriptions and orders across billing/POS software, WhatsApp, staff phones, sheets, cloud folders and branch systems; access for pharmacists, counter staff, delivery staff and vendors.
First move: Consolidate storage, move to role-based access, and remove ex-staff and old vendor access.
Retention, refill & incident readiness risk
Old prescriptions, medicine order history, WhatsApp orders and delivery records kept for years; refill reminders based on medicine history; no clear plan for a wrong-prescription share.
First move: Set retention + refill-message rules and a simple wrong-recipient/breach response.
How the 3-minute scan works
Answer 10 quick questions
About your pharmacy type, customer and prescription data, medicine categories, intake, storage, vendor sharing, refill messaging, access and retention. ~3 minutes.
See your readiness score + risk map
A 0–100 DPDPA readiness score, your risk band, and five pharmacy-specific risk areas.
Get your priority fixes + checklist
The five controls to start with, plus the Pharmacy DPDPA Starter Checklist.
What the scan checks
Ten plain-English questions across your real prescription and medicine-data workflows. The scan collects no prescriptions or patient records.
Pharmacy DPDPA questions
Does the DPDPA apply to pharmacies and online pharmacies?
Yes. Retail pharmacies, chemist shops, online pharmacies and chains collect and store prescriptions, medicine history, doctor details, delivery addresses and payment records — health-linked personal data that makes them Data Fiduciaries under the Digital Personal Data Protection Act, 2023. Obligations apply regardless of size, and increase as you share data with delivery partners, aggregators and telemedicine platforms.
Can customers send prescription images over WhatsApp?
It is common, but prescription images on WhatsApp and staff phones are easy to forward and hard to delete consistently. Prefer a secure app or website upload, keep prescriptions in your billing/POS system rather than personal devices, restrict who can access them, and set a deletion rule once the order and any refill cycle are complete.
Is medicine history really sensitive if we don't record a diagnosis?
Yes. Medicine categories can reveal high-impact health indicators — diabetes, cardiac, mental-health, fertility, sexual-health, oncology or HIV conditions — even when no diagnosis field is stored. Treat medicine-history data as high-impact, limit who can see it, and avoid using it for promotional targeting without clear, separate consent.
What should we control when sharing data with delivery partners and aggregators?
Delivery partners, marketplaces, aggregators and telemedicine platforms should receive only what they need to fulfil the order — not full prescription or medicine-history details. Keep a vendor-sharing register, define the purpose for each, limit delivery-staff access, and review it periodically.
How long can we keep old prescriptions and order history?
The DPDPA expects data to be kept only as long as the purpose requires. Pharmacies often retain prescriptions, medicine history and WhatsApp orders indefinitely for convenience or refills — that's the main exposure. Define a retention period, archive or delete past it, and offer customers a way to request correction or deletion of old phone numbers, addresses and prescription images.
Take the free scan
10 questions · 3 minutes · free · no login. Get your firm's DPDPA readiness score.
Start Pharmacy Risk Scan →
Need advice?
Request Consultation →
Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal advice.