GDPR Compliance
Data Privacy Policy for EU/EEA Residents
Last Updated: July 3, 2026
For EU/EEA Residents
This page outlines your data protection rights under the General Data Protection Regulation (GDPR) if you are located in the European Union or European Economic Area.
Not in the EU? See regional privacy rights for California (CPRA), India (DPDP), or other locations.
GDPR Applicability
GDPR protections apply to you if:
- You are a resident of an EU member state or the EEA (European Economic Area)
- Your personal data is processed by LevoroFit (regardless of where you're currently located)
Data Controller
Kognos Infosystem
Operating as: LevoroFit
Location: Dwarka, New Delhi, India
Email: privacy@levorofit.com
Phone: +91 94755 40427
Data We Collect
1. Account Information
What we collect: Email address, full name, username, business name (for professionals), phone number (optional)
Legal basis: Contract performance (GDPR Art. 6.1.b) - necessary to provide our services
How we use it: Account creation, authentication, communication, service delivery
2. Health & Wellness Data (Sensitive)
Explicit Consent Required
Before collecting any health-related data, we ask for your explicit opt-in consent. You can withdraw consent at any time from your account settings.
What we collect (with your consent):
- • Weight, height, and body measurements
- • Sleep patterns and hours
- • Water and food intake logs
- • Dietary preferences and restrictions
- • Exercise habits and activity levels
- • Age and gender (for calculations)
Legal basis: Explicit consent (GDPR Art. 9.2.a) for special category data
How we use it: Nutrition coaching, meal planning, fitness tracking, personalized wellness recommendations
3. Technical & Usage Data
What we collect automatically: IP address, browser type, device information, login timestamps, API request logs
Legal basis: Legitimate interest (GDPR Art. 6.1.f) - security, fraud prevention, service improvement
How we use it: Security monitoring, fraud detection, troubleshooting, analytics
Who We Share Your Data With
We DO NOT sell your data
LevoroFit does not sell, rent, or share your personal data with third parties for marketing purposes. Your data is yours.
We share your data only with:
1. Your Chosen Wellness Professional
If you're a client, your wellness data is shared with the professional you've been invited by (nutritionist, coach, etc.). This is necessary to provide coaching services.
2. Service Providers (Data Processors)
We use trusted third-party services that process data on our behalf:
- Google Firebase (Google LLC) - Authentication, data storage (Data Processing Amendment signed)
- Google Cloud Platform - Database hosting, encryption (EU data centers for EU users)
- SendGrid (Twilio) - Email delivery
- Stripe & Razorpay - Payment processing
All processors are bound by data protection agreements (DPAs) and contractual obligations to protect your data.
3. Legal Requirements
We may disclose data when required by law, court order, or government authority, or to protect our legal rights and safety.
Where Your Data Is Stored
EU Users: Your Data Stays in the EU
For users in the European Union, all personal data is stored in EU data centers (europe-west region) and does not leave the EU.
For non-EU users, data is stored in the nearest regional data center (US, Asia, etc.).
Security: All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
Your Data Protection Rights
Under GDPR, CPRA, and other privacy laws, you have the following rights:
1. Right to Access (GDPR Art. 15)
You can request a copy of all personal data we hold about you.
How to exercise: Email privacy@levorofit.com or use the "Export My Data" feature in your account settings.
2. Right to Rectification (GDPR Art. 16)
You can correct inaccurate or incomplete personal data.
How to exercise: Update your information directly in your account settings.
3. Right to Erasure / "Right to be Forgotten" (GDPR Art. 17)
You can request deletion of your personal data.
How to exercise: Use "Delete My Account" in settings, or email privacy@levorofit.com. Data is purged within 180 days.
4. Right to Data Portability (GDPR Art. 20)
You can receive your data in a structured, machine-readable format (JSON).
How to exercise: Use "Export My Data" feature or email privacy@levorofit.com.
5. Right to Object (GDPR Art. 21)
You can object to processing of your data for direct marketing or legitimate interests.
How to exercise: Unsubscribe from emails or contact privacy@levorofit.com.
6. Right to Withdraw Consent (GDPR Art. 7.3)
You can withdraw consent for health data collection at any time.
How to exercise: Go to Settings → Privacy → Manage Consent, or email privacy@levorofit.com.
7. Right to Lodge a Complaint
You can file a complaint with your local data protection authority if you believe we've violated your rights.
EU: Contact your local Data Protection Authority (DPA)
California: California Attorney General's Office
Data Retention
- Active accounts: Data retained while your account is active and service is in use
- Deleted accounts: All personal data purged within 180 days of account deletion
- Backups: Backup data purged within 90 days of deletion
- Audit logs: Security logs retained for 1 year (legal obligation)
- Standard logs: Server logs retained for 7 days
Cookies & Tracking
We use minimal cookies for essential functionality:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| refresh_token | Essential | Authentication session | 30 days |
| csrf_token | Essential | Security (CSRF protection) | Session |
| cookie_consent | Essential | Store your consent preferences | 1 year |
Essential cookies are necessary for the platform to function and do not require consent. We do not currently use analytics or marketing cookies.
Security Measures
Encryption
- • TLS 1.2+ encryption in transit
- • AES-256 encryption at rest
- • Secure password hashing (bcrypt)
- • HTTPS-only connections
Access Controls
- • Role-based access permissions
- • Multi-factor authentication available
- • Audit logging of data access
- • Regular security assessments
Infrastructure
- • Google Cloud Platform (SOC 2 certified)
- • Daily automated backups
- • Redundant data storage
- • DDoS protection
Monitoring
- • 24/7 security monitoring
- • Intrusion detection systems
- • Breach notification procedures
- • Incident response plan
Children's Privacy
Minimum Age: 16 Years
LevoroFit is not intended for children under 16 (or under 13 in the U.S.). We do not knowingly collect personal data from children. If we learn we've collected data from a child, we will delete it immediately.
Contact Us
For any questions about this policy or to exercise your data protection rights:
Privacy & Data Protection Team
Email: privacy@levorofit.com
Phone: +91 94748 32695
Address: Dwarka, New Delhi, India
We will respond to all requests within 30 days (GDPR requirement).
Policy Updates
We may update this policy from time to time. We will notify you of significant changes by:
- • Updating the "Last Updated" date at the top of this page
- • Sending an email notification to your registered email address
- • Displaying a prominent notice on our platform
Your continued use of LevoroFit after changes constitutes acceptance of the updated policy.
Not Located in the EU/EEA?
This page covers GDPR rights for EU/EEA residents. If you're located elsewhere, see your regional privacy rights:
🇺🇸 California (US)
California Privacy Rights Act (CPRA)
🇮🇳 India
Digital Personal Data Protection Act 2023
🌍 Other Regions
Global privacy rights and protections