Your privacy matters

Privacy Policy

Last updated: 14 May 2025

01

Overview

Medaann ("we", "our", or "us") operates a multi-vendor marketplace at medaann.com that connects buyers and sellers across Pakistan. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the choices you have.

By registering an account or using our platform, you agree to the practices described in this policy. If you do not agree, please do not use our services.

02

Information We Collect

Account registration (buyers): When you create a buyer account we collect your full name, email address, and a hashed password. If you sign in with Google we receive your Google account ID, email, display name, and profile picture from Google's OAuth service.

Seller applications: Sellers go through a two-step verification process. In step one we collect your full name, email, password, store name, business type, phone number, city, and an optional description. In step two we collect your CNIC (national identity card) number and a photo of your CNIC, which is uploaded to our secure file storage. These are used solely to verify seller identity and meet platform compliance requirements.

Seller business profile: Once approved, a seller may add their store address, contact details (phone, email, website, WhatsApp), social media handles, bank account details (account name, account number, IBAN, bank name), and store branding images (logo and banner).

Orders and shipping: When you place an order we collect your shipping address (street, city, state, country, postal code) and the items in your order. Medaann does not process or store payment card information. Payments for orders are arranged directly between buyer and seller — typically via bank transfer using the seller's bank details — outside of the Medaann platform.

Buyer queries (leads): When a buyer posts a query they provide a product title, category, budget, description, and contact information (email and/or phone number). This contact information is kept hidden from sellers until a seller chooses to purchase access to that lead.

Chat messages: We store the content of messages sent between users, including text and any files or images shared. We also store metadata such as timestamps, read receipts, and whether a deal has been locked. Messages are automatically deleted on a schedule based on the sender's active plan (see "Message Retention" below).

Profile and preference data: Users may optionally upload a profile picture and set preferences for currency, timezone, language, and notification settings (order updates, new leads, chat messages, promotions, weekly report).

Two-factor authentication: If you enable two-factor authentication we store a secret key used to generate and validate one-time codes. We do not store the codes themselves.

Activity logs (sellers): We maintain internal logs of seller actions — such as creating or updating products, invoices, and expenses — for audit and support purposes.

Communications with support: If you contact our support team, we retain records of those conversations.

03

How We Use Your Information

We use the information we collect to:

  • Create and maintain your account and authenticate your identity.
  • Process orders and send order confirmation and status updates to buyers and sellers.
  • Verify seller identity before approving a store (CNIC verification).
  • Enable communication between buyers and sellers through our chat system.
  • Match buyer queries to relevant sellers and facilitate lead purchases.
  • Send transactional emails such as password resets, seller approval notifications, and order receipts.
  • Display real-time online status to other users you are in conversation with.
  • Enforce plan limits (products, leads, banner ads, message retention).
  • Generate AI-assisted product descriptions using the text you provide (no personal data is sent to the AI service).
  • Provide sellers with analytics on their store performance (sales, leads, reviews).
  • Detect fraud, abuse, and violations of our Terms of Service.
  • Respond to legal requests and comply with applicable law.

04

Message Retention

Chat messages are automatically and permanently deleted according to the active subscription plan of the seller in the conversation:

  • Free plan: messages older than 30 days are deleted.
  • Starter plan: messages older than 90 days are deleted.
  • Growth plan: messages older than 180 days are deleted.
  • Pro plan: messages are retained indefinitely.

Deletion runs automatically every day at 2:00 AM PKT. Files and images attached to deleted messages are also removed from our file storage. You should save any important information from chat conversations before the applicable retention window closes.

05

Information We Share

With sellers — when you unlock a lead: When a seller purchases access to a buyer's lead, the seller receives the buyer's contact information (email and/or phone number) that the buyer provided in the lead posting. No other personal data is shared.

With other users in chat: Your display name, profile picture, and real-time online status are visible to users you have an open conversation with.

With Cloudinary (file storage): Profile pictures, store images, product images, chat attachments, and CNIC photos are stored with Cloudinary. Cloudinary may process request metadata such as IP addresses as part of delivering files.

With Google (OAuth sign-in): If you choose to sign in with Google, your authentication is handled by Google. We receive only the data described in the "Information We Collect" section.

With Groq (AI features): When generating AI-assisted product descriptions we send only the product text you provide — no account identifiers or personal information are included.

With our administrators: Authorised Medaann staff have access to user accounts, orders, conversations, leads, and seller applications for the purpose of operating, moderating, and supporting the platform. This access is restricted to staff who require it.

Legal disclosures: We may disclose personal information if required to do so by law, court order, or government authority, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

We do not sell personal information to third parties.

06

Cookies & Local Storage

Authentication cookie: We set a cookie named `token` that stores your JWT authentication token. This cookie expires after 7 days and is required to keep you signed in.

Local storage: We use your browser's local storage to persist your authentication state (user profile, login status) across sessions via our Zustand state store (key: `auth-storage`). Invoice template preferences are also saved locally under a key tied to your user ID.

Session storage: Temporary data related to in-progress order-to-invoice conversions is stored in session storage and cleared when the browser tab is closed.

We do not use third-party advertising cookies or tracking pixels.

07

Data Security

We take reasonable technical and organisational measures to protect your personal information:

  • Passwords are hashed with bcrypt before storage and are never stored in plain text.
  • Authentication uses signed JWT tokens with a 7-day expiry.
  • All communication between your browser and our servers is encrypted in transit via HTTPS.
  • Medaann does not collect or store payment card information. Payments are settled directly between buyers and sellers.
  • CNIC photos are stored in a restricted Cloudinary folder.
  • Access to sensitive admin endpoints is protected by server-side role verification.
  • Two-factor authentication (TOTP) is available and recommended for all accounts.

Despite these measures, no system is completely secure. We cannot guarantee the absolute security of your information and encourage you to use a strong, unique password and to enable two-factor authentication.

08

Your Rights & Choices

Access and correction: You can view and update your profile information (name, email, avatar, preferences) at any time from your account settings.

Google login: If you linked your account to Google, you can disconnect Google login from your account settings. You will need to set a password before disconnecting.

Account deletion: You can permanently delete your account from your account settings. Deletion requires your current password for confirmation. When your account is deleted, your user record is removed. Please note that certain associated records — such as orders, published reviews, and chat messages — may be retained in anonymised or aggregated form as required for business operations and legal compliance.

Notification preferences: You can control which email and in-app notifications you receive from your account notification settings.

Lead contact information: The contact information you include in a buyer query is shared with sellers who purchase that lead. Please only include information you are comfortable sharing.

Data portability: If you would like a copy of the personal data we hold about you, please contact us at support@medaann.com. We will respond within 30 days.

09

Children's Privacy

Our platform is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us at support@medaann.com and we will delete it promptly.

11

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through an in-app notification. Continued use of the platform after changes are posted constitutes your acceptance of the updated policy.

12

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

Email: support@medaann.com

Address: Karachi, Pakistan

We aim to respond to all privacy enquiries within 7 business days.