Digital Personal Data Protection Act 2023
Privacy Policy for India Residents
Last Updated: July 3, 2026
For India Residents
This page outlines your data protection rights under India's Digital Personal Data Protection Act 2023 (DPDP Act), which came into force to protect the digital personal data of Indian citizens.
Not in India? See regional privacy rights for EU (GDPR), California (CPRA), or other locations.
What is the DPDP Act?
The Digital Personal Data Protection Act 2023 is India's comprehensive data protection law that regulates the processing of digital personal data. It establishes the rights of individuals (Data Principals) and the obligations of organizations (Data Fiduciaries) that process personal data.
LevoroFit as Data Fiduciary
Under the DPDP Act, LevoroFit acts as a Data Fiduciary - an entity that determines the purpose and means of processing your personal data.
You are the Data Principal - the individual whose personal data is being processed. This policy explains your rights and our obligations.
Does DPDP Act Apply to Me?
DPDP Act protections apply to you if:
- You are a citizen of India or resident of India
- Your personal data is processed in digital form by LevoroFit
Consent-Based Processing
Your Consent is Required
Under the DPDP Act, we can only process your personal data after obtaining your free, specific, informed, unconditional, and unambiguous consent.
You can withdraw your consent at any time through your account settings.
Personal Data We Collect
We collect the following categories of personal data with your consent:
1. Account & Contact Information
What we collect: Name, email address, phone number, username
Purpose: Account creation, authentication, communication
Legal basis: Consent for providing services (Section 6)
2. Health & Wellness Data (Sensitive Personal Data)
Sensitive Data - Explicit Consent Required
Health data is classified as sensitive personal data under DPDP Act. We obtain explicit consent before collection.
What we collect (with explicit consent): Weight, height, body measurements, sleep patterns, dietary preferences, exercise habits, water intake, age, gender
Purpose: Nutrition coaching, meal planning, fitness tracking, wellness recommendations
Shared with: Your chosen wellness professional (nutritionist, coach)
3. Financial Information
What we collect: Subscription plan details, payment transaction records
Purpose: Billing, subscription management
Note: Payment card details are processed directly by Razorpay/Stripe (payment processors)
4. Technical Data
What we collect: IP address, device information, browser type, usage logs
Purpose: Security monitoring, fraud prevention, service improvement
Legal basis: Legitimate purposes (security and fraud prevention)
Your Rights as Data Principal
Under the DPDP Act, you have the following rights:
1. Right to Access (Section 11)
You have the right to obtain confirmation whether we are processing your personal data and access a summary of such processing activities.
How to exercise: Email privacy@levorofit.com or use "Export My Data" in account settings.
2. Right to Correction (Section 12)
You can request correction, completion, or updating of your personal data if it is inaccurate or incomplete.
How to exercise: Update information directly in account settings or email privacy@levorofit.com.
3. Right to Erasure (Section 13)
You can request deletion of your personal data when consent is withdrawn or processing is no longer necessary.
How to exercise: Use "Delete My Account" in settings or email privacy@levorofit.com.
Processing time: We will process deletion requests within 30 days. Data is purged within 180 days after account deletion.
4. Right to Data Portability
You can request your personal data in a structured, commonly used, and machine-readable format (JSON).
How to exercise: Use "Export My Data" feature in account settings.
5. Right to Withdraw Consent
You can withdraw your consent for processing personal data at any time, with the same ease as giving consent.
How to exercise: Go to Settings → Privacy → Manage Consent or email privacy@levorofit.com.
6. Right to Nominate
You can nominate another person to exercise your rights in case of death or incapacity.
How to exercise: Email privacy@levorofit.com with nomination details.
7. Right to Grievance Redressal
You can file a grievance regarding processing of your personal data.
How to exercise: Email privacy@levorofit.com. We will respond within 30 days.
Data Localization & Storage
Your Data Stays in India
In compliance with DPDP Act data localization requirements, personal data of Indian residents is stored within India.
Data Center Location: Google Cloud Platform - asia-south1 (Mumbai, India)
Security: All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
Cross-Border Data Transfer
Under certain circumstances, we may transfer your personal data outside India to service providers:
| Service Provider | Location | Purpose | Safeguards |
|---|---|---|---|
| Google Cloud | India (primary) | Data storage, hosting | DPA signed, ISO 27001 |
| SendGrid (Twilio) | USA | Email delivery | DPA signed, encryption |
| Razorpay | India | Payment processing | PCI-DSS compliant |
All cross-border transfers are conducted with adequate safeguards including Data Processing Agreements (DPAs), standard contractual clauses, and encryption.
Data Retention Period
- Active accounts: Data retained while your account is active and you continue using our services
- Deleted accounts: Personal data purged within 180 days of account deletion request
- Financial records: Retained for 7 years (Indian tax law and accounting standards requirement)
- Audit logs: Retained for 1 year for security and compliance purposes
- Consent records: Retained for 7 years after consent withdrawal (legal obligation)
Security Measures (Section 8)
As a Data Fiduciary, we implement reasonable security safeguards to protect your personal data:
Technical Measures
- • TLS 1.2+ encryption in transit
- • AES-256 encryption at rest
- • Secure password hashing (scrypt)
- • Regular security audits
Organizational Measures
- • Role-based access controls
- • Employee training on data protection
- • Access logging and monitoring
- • Incident response procedures
Data Breach Notification (Section 9)
In Case of Data Breach
If we experience a data breach that affects your personal data, we will:
- • Notify the Data Protection Board of India immediately
- • Notify you (the affected Data Principal) without undue delay
- • Provide details about the nature of the breach, categories of data affected, and remedial measures taken
- • Offer guidance on protective steps you can take
Children's Data (Section 7)
Minimum Age: 18 Years
LevoroFit is not intended for children below 18 years of age. We do not knowingly collect or process personal data of children without verifiable parental consent.
If we learn that we've collected data from a child without proper consent, we will delete it immediately.
Grievance Redressal Officer
In compliance with Section 14 of the DPDP Act, we have appointed a Grievance Redressal Officer to address your complaints regarding processing of your personal data.
Name: Privacy & Data Protection Team
Email: privacy@levorofit.com
Phone: +91 94748 32695
Address: Dwarka, New Delhi, India
Response Time: We will acknowledge your complaint within 7 days and resolve it within 30 days.
Right to Approach Data Protection Board
If you are not satisfied with the resolution of your grievance, you have the right to file a complaint with the Data Protection Board of India.
Data Protection Board of India
The Data Protection Board is the regulatory authority responsible for enforcing the DPDP Act and protecting the rights of Data Principals.
Website: www.dataprotection.gov.in (when operational)
Our Obligations as Data Fiduciary
Under the DPDP Act, we commit to:
✓ Transparency
Provide clear notice about data collection, purpose, and processing activities
✓ Purpose Limitation
Process data only for lawful purposes specified at the time of collection
✓ Data Minimization
Collect only necessary data that is adequate and not excessive
✓ Accuracy
Ensure personal data is accurate, complete, and updated
✓ Storage Limitation
Retain data only as long as necessary for the specified purpose
✓ Reasonable Security
Implement appropriate technical and organizational safeguards
Contact Us
For any questions about this DPDP policy or to exercise your rights as a Data Principal:
Privacy & Data Protection Team
We will respond to all requests within 30 days (DPDP Act requirement).
Not in India?
See your regional privacy rights:
🇪🇺 EU/EEA
GDPR Data Protection
🇺🇸 California (US)
CPRA Privacy Rights
🌍 Other Regions
Global privacy rights