🇪🇺

GDPR Compliance

Data Privacy Policy for EU/EEA Residents

Last Updated: July 3, 2026

For EU/EEA Residents

This page outlines your data protection rights under the General Data Protection Regulation (GDPR) if you are located in the European Union or European Economic Area.

Not in the EU? See regional privacy rights for California (CPRA), India (DPDP), or other locations.

GDPR Applicability

GDPR protections apply to you if:

  • You are a resident of an EU member state or the EEA (European Economic Area)
  • Your personal data is processed by LevoroFit (regardless of where you're currently located)

Data Controller

Kognos Infosystem

Operating as: LevoroFit

Location: Dwarka, New Delhi, India

Email: privacy@levorofit.com

Phone: +91 94755 40427

Data We Collect

1. Account Information

What we collect: Email address, full name, username, business name (for professionals), phone number (optional)

Legal basis: Contract performance (GDPR Art. 6.1.b) - necessary to provide our services

How we use it: Account creation, authentication, communication, service delivery

2. Health & Wellness Data (Sensitive)

Explicit Consent Required

Before collecting any health-related data, we ask for your explicit opt-in consent. You can withdraw consent at any time from your account settings.

What we collect (with your consent):

  • • Weight, height, and body measurements
  • • Sleep patterns and hours
  • • Water and food intake logs
  • • Dietary preferences and restrictions
  • • Exercise habits and activity levels
  • • Age and gender (for calculations)

Legal basis: Explicit consent (GDPR Art. 9.2.a) for special category data

How we use it: Nutrition coaching, meal planning, fitness tracking, personalized wellness recommendations

3. Technical & Usage Data

What we collect automatically: IP address, browser type, device information, login timestamps, API request logs

Legal basis: Legitimate interest (GDPR Art. 6.1.f) - security, fraud prevention, service improvement

How we use it: Security monitoring, fraud detection, troubleshooting, analytics

Who We Share Your Data With

We DO NOT sell your data

LevoroFit does not sell, rent, or share your personal data with third parties for marketing purposes. Your data is yours.

We share your data only with:

1. Your Chosen Wellness Professional

If you're a client, your wellness data is shared with the professional you've been invited by (nutritionist, coach, etc.). This is necessary to provide coaching services.

2. Service Providers (Data Processors)

We use trusted third-party services that process data on our behalf:

  • Google Firebase (Google LLC) - Authentication, data storage (Data Processing Amendment signed)
  • Google Cloud Platform - Database hosting, encryption (EU data centers for EU users)
  • SendGrid (Twilio) - Email delivery
  • Stripe & Razorpay - Payment processing

All processors are bound by data protection agreements (DPAs) and contractual obligations to protect your data.

3. Legal Requirements

We may disclose data when required by law, court order, or government authority, or to protect our legal rights and safety.

Where Your Data Is Stored

EU Users: Your Data Stays in the EU

For users in the European Union, all personal data is stored in EU data centers (europe-west region) and does not leave the EU.

For non-EU users, data is stored in the nearest regional data center (US, Asia, etc.).

Security: All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

Your Data Protection Rights

Under GDPR, CPRA, and other privacy laws, you have the following rights:

1. Right to Access (GDPR Art. 15)

You can request a copy of all personal data we hold about you.

How to exercise: Email privacy@levorofit.com or use the "Export My Data" feature in your account settings.

2. Right to Rectification (GDPR Art. 16)

You can correct inaccurate or incomplete personal data.

How to exercise: Update your information directly in your account settings.

3. Right to Erasure / "Right to be Forgotten" (GDPR Art. 17)

You can request deletion of your personal data.

How to exercise: Use "Delete My Account" in settings, or email privacy@levorofit.com. Data is purged within 180 days.

4. Right to Data Portability (GDPR Art. 20)

You can receive your data in a structured, machine-readable format (JSON).

How to exercise: Use "Export My Data" feature or email privacy@levorofit.com.

5. Right to Object (GDPR Art. 21)

You can object to processing of your data for direct marketing or legitimate interests.

How to exercise: Unsubscribe from emails or contact privacy@levorofit.com.

6. Right to Withdraw Consent (GDPR Art. 7.3)

You can withdraw consent for health data collection at any time.

How to exercise: Go to Settings → Privacy → Manage Consent, or email privacy@levorofit.com.

7. Right to Lodge a Complaint

You can file a complaint with your local data protection authority if you believe we've violated your rights.

EU: Contact your local Data Protection Authority (DPA)
California: California Attorney General's Office

Data Retention

  • Active accounts: Data retained while your account is active and service is in use
  • Deleted accounts: All personal data purged within 180 days of account deletion
  • Backups: Backup data purged within 90 days of deletion
  • Audit logs: Security logs retained for 1 year (legal obligation)
  • Standard logs: Server logs retained for 7 days

Cookies & Tracking

We use minimal cookies for essential functionality:

CookieTypePurposeDuration
refresh_tokenEssentialAuthentication session30 days
csrf_tokenEssentialSecurity (CSRF protection)Session
cookie_consentEssentialStore your consent preferences1 year

Essential cookies are necessary for the platform to function and do not require consent. We do not currently use analytics or marketing cookies.

Security Measures

Encryption

  • • TLS 1.2+ encryption in transit
  • • AES-256 encryption at rest
  • • Secure password hashing (bcrypt)
  • • HTTPS-only connections

Access Controls

  • • Role-based access permissions
  • • Multi-factor authentication available
  • • Audit logging of data access
  • • Regular security assessments

Infrastructure

  • • Google Cloud Platform (SOC 2 certified)
  • • Daily automated backups
  • • Redundant data storage
  • • DDoS protection

Monitoring

  • • 24/7 security monitoring
  • • Intrusion detection systems
  • • Breach notification procedures
  • • Incident response plan

Children's Privacy

Minimum Age: 16 Years

LevoroFit is not intended for children under 16 (or under 13 in the U.S.). We do not knowingly collect personal data from children. If we learn we've collected data from a child, we will delete it immediately.

Contact Us

For any questions about this policy or to exercise your data protection rights:

Privacy & Data Protection Team

Email: privacy@levorofit.com

Phone: +91 94748 32695

Address: Dwarka, New Delhi, India

We will respond to all requests within 30 days (GDPR requirement).

Policy Updates

We may update this policy from time to time. We will notify you of significant changes by:

  • • Updating the "Last Updated" date at the top of this page
  • • Sending an email notification to your registered email address
  • • Displaying a prominent notice on our platform

Your continued use of LevoroFit after changes constitutes acceptance of the updated policy.