    Privacy Policy

    Version 2.1 | Last Updated: 4 December 2025

    1. Introduction

    ⚠️ IMPORTANT MEDICAL DISCLAIMER

    Neeyafit provides fitness coaching services, NOT medical advice. Consult a qualified healthcare provider before starting any fitness program. We are not liable for health complications, injuries, or adverse effects arising from exercise participation. Users with pre-existing medical conditions, injuries, or health concerns proceed at their own risk. By using our services, you acknowledge that fitness training involves inherent risks and you assume full responsibility for your safety.

    1.1 About This Policy

    Neeyafit ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our online fitness coaching services at neeyafit.com.

    1.2 Legal Compliance

    This policy complies with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. We are also preparing for compliance with the Digital Personal Data Protection Act, 2023 (pending finalization of rules and enforcement notification).

    1.3 Data Controller

    Neeyafit acts as the Data Controller under IT Rules 2011, determining the purpose and means of personal data processing. We engage third-party Data Processors who operate under Data Processing Agreements compliant with Indian data protection laws.

    1.4 Privacy Notice

    This policy serves as your privacy notice under IT Rules 2011 and in preparation for draft DPDP Rules 2025. It is provided in clear, plain language, itemized by data category, and accessible at all times through our website footer and account dashboard.


    2. Information We Collect

    2.1 Personal Information

    We collect the following personal information when you register or use our services:

    • Full name
    • Email address
    • Phone number
    • Date of birth
    • Physical address (for emergency purposes)
    • Emergency contact information

    2.2 Health Information (Sensitive Personal Data)

    Important: Health and fitness data constitutes Sensitive Personal Data or Information (SPDI) under IT Rules 2011. We collect this information only with your explicit written consent through dedicated consent forms separate from general terms.

    Health Data Collected:

    • Medical history and health conditions
    • Current injuries or physical limitations
    • Fitness level assessments
    • Dietary information and restrictions
    • Body measurements and composition data
    • Progress measurements and photos (if provided)
    • Workout performance data

    Granular Consent Mechanism:

    We obtain separate, explicit consent for:

    1. Basic health information collection (medical history, fitness level)
    2. Video recording of training sessions
    3. Progress photo storage and analysis
    4. Sharing with third-party processors (cloud storage, AI services)

    Consent Collection: Consent is obtained through clear, affirmative action (unchecked boxes that you must actively select). Pre-checked or implied consent is never used for health data processing.

    Consent Records Include: Timestamp, IP address, consent version number, specific items consented to, and withdrawal mechanism explanation.

    Consent Refresh: Consent is refreshed every 12 months for health data processing. You may withdraw consent at any time by contacting privacy@neeyafit.com, though this may affect service delivery.

    2.3 Payment Information

    Payment processing is handled by Razorpay Payments Pvt. Ltd., an RBI-authorized payment aggregator maintaining PCI-DSS Level 1 compliance and following RBI KYC regulations. We do not store your complete credit card or banking information on our servers.

    Razorpay Data Collection: During checkout, Razorpay may collect additional information including billing address, email, phone number, and bank details for transaction authorization. For details on Razorpay's data processing practices, please review their privacy policy at razorpay.com/privacy

    Data Retained by Neeyafit:

    • Razorpay Transaction ID
    • Payment status and timestamp
    • Subscription plan details
    • Amount paid
    • Invoice number (for GST purposes)
    • Last 4 digits of card (for reference only)
    • Billing address
    • GST information (GSTIN, if applicable)

    Data NOT Retained: Full card numbers, CVV/CVC, card expiry dates. All sensitive payment data is handled exclusively by Razorpay.

    Transaction Data Sharing: Transaction information (amount, timestamp, payment method, status) is shared with Razorpay for payment processing and with your bank for authorization. Razorpay may retain this information per RBI regulations.

    Refund Processing: Refund requests are processed through Razorpay. Your bank details used for the original payment will be used for refunds. Refund timelines depend on your financial institution and may take 5-7 business days.

    Payment Disputes: Payment disputes should be directed to support@neeyafit.com within 60 days of transaction. We work with Razorpay to investigate and resolve disputes per their dispute resolution policy.

    2.4 Technical Information

    • IP address
    • Browser type and version
    • Device information
    • Operating system
    • Usage data and analytics
    • Cookies and similar tracking technologies

    2.5 Video and Audio Data (Sensitive Personal Data)

    Video and audio recordings constitute Sensitive Personal Data as they may capture biometric information (facial features, voice patterns). Explicit written consent is required before the first recording session.

    Recording Purposes:

    • Service delivery and performance improvement
    • Quality assurance and trainer feedback
    • Your personal record and progress tracking

    Technical Safeguards: Video recordings are stored as standard video files without biometric extraction or automated facial analysis. Videos are NOT processed through any facial recognition, biometric authentication, or automated identification systems.

    Your Rights: You may refuse recording for future sessions, request access to recorded content, or request deletion within 30 days of any session. Recordings are retained for 90 days unless you request earlier deletion.

    Prohibited Uses: Recordings will NOT be used for facial recognition, biometric identification, third-party sharing, marketing, or commercial use beyond service delivery without separate explicit consent.


    3. How We Use Your Information

    We use your information for the following purposes:

    • Provide and deliver our fitness coaching services
    • Process payments and send transaction confirmations
    • Communicate with you about your account and services
    • Personalize your fitness program and recommendations
    • Monitor your progress and provide feedback
    • Send important updates, newsletters, and promotional materials (with consent)
    • Improve our services and develop new features
    • Ensure safety during workouts (emergency contact information)
    • Comply with legal obligations and resolve disputes
    • Prevent fraud and maintain security

    4. Information Sharing and Disclosure

    4.1 Third-Party Data Processors

    We engage the following Data Processors who operate under Data Processing Agreements compliant with IT Rules 2011 and ensure equivalent security standards:

    • Razorpay Payments Pvt. Ltd. (India): Payment processing and transaction management - PCI-DSS Level 1 compliant
    • Supabase Inc. (United States): Database hosting and authentication services - SOC 2 Type II certified
    • LiveKit Technologies (United States): Video conferencing and live session delivery
    • Google Cloud Platform (United States): AI services, analytics, and data storage - ISO 27001 certified
    • Sentry Inc. (United States): Error tracking and performance monitoring
    • ZeptoMail by Zoho (India): Transactional email delivery

    Data Processing Agreements Include: Data security obligations, sub-processor restrictions, data breach notification timelines (24-48 hours), audit rights, and data deletion obligations upon contract termination.

    Each processor has contractual obligations to maintain data security, confidentiality, and compliance with Indian data protection laws.

    4.2 Legal Requirements

    We may disclose your information if required by law or in response to:

    • Court orders or legal processes
    • Government or regulatory requests
    • Protection of our rights, property, or safety
    • Emergency situations requiring immediate action

    4.3 Business Transfers

    In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email at least 30 days before any such change in ownership and provide you the opportunity to delete your account.


    5. Data Security

    We implement industry-standard security measures to protect your information:

    • TLS 1.2+ encryption for data transmission
    • AES-256 encryption for data at rest
    • Regular security audits and vulnerability assessments
    • Multi-factor authentication for administrative access
    • Access controls and role-based permissions
    • Secure payment processing through PCI-DSS Level 1 compliant providers
    • Regular backups and disaster recovery procedures
    • Security monitoring and intrusion detection systems
    • Annual penetration testing by third-party security firms

    Privacy by Design: We implement privacy by design principles including data minimization, purpose limitation, storage limitation, and security by default in all system development.

    Security Limitations: However, no method of transmission over the internet is 100% secure. While we implement reasonable security measures and strive to protect your information, we cannot guarantee absolute security against all potential threats.

    Force Majeure: We are not liable for data breaches or service interruptions caused by circumstances beyond our reasonable control, including but not limited to: natural disasters, acts of terrorism, government actions, pandemics, cyberattacks on critical infrastructure, or infrastructure failures by third-party service providers.


    6. Data Retention

    Data Retention Principles: We adhere to storage limitation principles - data is retained only as long as necessary for the specific purpose for which it was collected or as required by law (e.g., 7 years for GST compliance).

    General Personal Data:

    • Email, name, phone: 2 years after account closure
    • Login credentials: Until account closure + 6 months

    Health and Fitness Data:

    • Fitness assessments and measurements: 12 months after account closure
    • Medical history and health conditions: 6 months after account closure
    • Session recordings: 90 days (deletable upon request)
    • Progress analytics: 1 year after account closure

    Financial Data:

    • Transaction records, invoices, GST data: 7 years (per GST Act and financial audit requirements)
    • Subscription and payment history: 7 years

    Security Logs:

    • Access logs: 1 year
    • Security audit logs: 2 years
    • Breach investigation records: 5 years

    Post-Deletion: Deleted data may remain in backups for 30 additional days before permanent deletion. Disaster recovery copies are retained for 6 months. Anonymized data (with all personal identifiers removed) may be retained indefinitely for analytics.

    Retention Review: Upon enforcement of Digital Personal Data Protection Rules, retention periods will be reviewed and adjusted within 180 days to ensure compliance with mandated limits as specified in the final rules.


    7. Your Rights Under Indian Law

    Under IT Rules 2011 and in preparation for the Digital Personal Data Protection Act 2023, you have the following rights:

    7.1 Right to Access

    Request a copy of your personal data by emailing privacy@neeyafit.com with "Data Access Request" in the subject line. We will provide within 30 days:

    • Copy of your data in machine-readable format
    • Data categories processed
    • Processing purposes
    • List of third-party recipients
    • Retention periods

    7.2 Right to Correction

    Update or correct inaccurate information through Settings → Profile or email privacy@neeyafit.com. Corrections are completed within 30 days.

    7.3 Right to Deletion (Right to Erasure)

    Request deletion by emailing privacy@neeyafit.com with "Deletion Request" in the subject line. Most data is deleted within 30 days; backup copies are purged within 90 days.

    Legal Exceptions: Transaction records (7 years for GST compliance), dispute records (until resolution), security logs (1 year), and anonymized analytics may be retained.

    7.4 Right to Data Portability

    Receive your data in structured, machine-readable format (JSON/CSV) within 30 days of request to privacy@neeyafit.com.

    Exported Data Includes: User profile, health assessments, workout history, progress measurements, and communication logs. Video recordings can be requested separately in MP4 format.

    7.5 Right to Withdraw Consent

    Withdraw consent for health data processing, video recording, or marketing communications anytime via privacy@neeyafit.com or Settings → Preferences.

    Note: Withdrawal may affect service delivery. We will inform you of the impact before processing your withdrawal request.

    Response Timeline: All requests are responded to within 30 days as per IT Rules 2011 and in preparation for DPDPA 2023 requirements.


    8. Cookies and Tracking Technologies

    We use cookies and similar technologies to:

    • Remember your preferences and settings
    • Authenticate your login sessions
    • Analyze website traffic and usage patterns
    • Improve user experience
    • Deliver personalized content

    Cookie Consent: Upon first visit, users are presented with a cookie consent banner allowing granular acceptance or rejection of non-essential cookies as per draft DPDP Rules 2025. Essential cookies for authentication and security are used regardless of consent.

    Cookie Categories:

    • Essential Cookies: Required for login, security, and basic functionality (cannot be disabled)
    • Analytics Cookies: Help us understand how you use our website (optional)
    • Preference Cookies: Remember your settings and preferences (optional)

    You can control cookies through your browser settings. However, disabling cookies may affect website functionality. For more information on managing cookies, visit your browser's help documentation.


    9. Age Verification and Children's Privacy

    Age Requirement: Neeyafit is intended for users 18 years of age or older. We do not knowingly collect personal information from minors.

    Policy Rationale: We have chosen not to offer services to minors (under 18) to avoid verifiable parental consent requirements under upcoming data protection regulations and to ensure appropriate fitness guidance for adult physiology.

    Age Verification: Upon account creation, users must affirm they are 18 years or older through checkbox confirmation. We reserve the right to require government-issued ID for age verification.

    Violations:

    Discovery of underage users will result in:

    • Immediate account suspension
    • Notification to provided email address
    • Deletion of all health data within 30 days
    • Refund of any unused subscription fees

    If you believe we have collected information from a minor, contact us immediately at privacy@neeyafit.com.


    10. International Data Transfers

    Your personal data may be transferred to and processed in countries outside India, including the United States and European Union, where our service providers operate data centers.

    Countries of Transfer:

    • United States: Supabase (database), LiveKit (video infrastructure), Google Cloud (AI/analytics), Sentry (monitoring)
    • India: Razorpay (payments), ZeptoMail (email)

    Safeguards for International Transfers:

    • All data transfers use industry-standard encryption (AES-256 for data at rest, TLS 1.2+ for data in transit)
    • Standard Contractual Clauses (SCCs) in Data Processing Agreements for transfers to countries without adequacy determinations under Indian law
    • Service Provider Agreements include data protection clauses requiring equivalent security standards to Indian regulations
    • Restricted access controls limiting processor access to data on a need-to-know basis
    • Regular security audits and compliance certifications (SOC 2, ISO 27001)
    • For SPDI (health data): Explicit consent obtained before transfer, additional encryption layers, comprehensive access logs maintained

    Your Rights:

    You may request:

    • The specific location where your data is stored
    • A copy of the safeguards we have implemented for international transfers
    • Information about which data categories are transferred to which countries

    We will provide this information within 15 days of your request to privacy@neeyafit.com.

    Data Localization: While we currently use international data processors for technical and cost efficiency, we are prepared to migrate to India-based infrastructure if data localization requirements are mandated by law. We maintain the capability to relocate all SPDI to Indian servers within 90 days of regulatory requirement.


    11. Data Breach Notification

    In the event of a data breach compromising your personal information, we will notify you promptly as required by IT Rules 2011 and in accordance with best practices in preparation for DPDPA 2023 enforcement.

    Notification Timeline:

    • High-risk breaches (SPDI/health data): Within 24 hours of discovery
    • Standard breaches: Within 72 hours of discovery
    • Low-risk breaches: Within 15 days

    Notification Method:

    • Email to registered address (primary)
    • In-app notification
    • SMS alert (if phone number available)
    • Website banner notice for widespread breaches

    Notification Content:

    • Description of the breach and how it occurred
    • Types of data affected
    • Potential impact and risks
    • Steps you should take to protect yourself
    • Our remediation measures
    • Contact details for breach inquiries
    • Timeline of breach discovery and response

    Authority Notification:

    Breaches involving SPDI will be reported to the Ministry of Electronics and Information Technology within 72 hours of discovery, and to other appropriate regulatory authorities (including the Data Protection Board once established) as required by law.

    User Protection:

    • You will not be liable for unauthorized transactions resulting from a breach of our security systems
    • For financial data breaches, we will provide credit monitoring services and identity theft protection resources
    • Dedicated breach response hotline: Available within 12 hours of notification
    • Assistance with password resets and account security measures

    12. Automated Decision-Making and AI Processing

    We use AI-powered tools (Google Cloud AI services) to analyze workout performance data and provide personalized fitness recommendations.

    AI/ML Processing Safeguards:

    • Machine learning models trained on your data shall not identify you personally
    • AI systems are used only to improve coaching recommendations and service quality
    • Automated systems do not make decisions that significantly affect your legal rights without human review
    • All AI-generated recommendations are reviewed by certified fitness trainers
    • Separate explicit consent is required before implementing new AI/ML features
    • AI models are regularly audited for bias and accuracy

    Your Rights:

    • You have the right to request human review of any AI-generated fitness recommendations
    • You may opt out of automated decision-making processes by contacting privacy@neeyafit.com
    • You may request an explanation of how AI recommendations were generated

    AI Transparency:

    AI recommendations are clearly labeled within the platform with an "AI-Assisted" badge, and you can access information about the factors considered in generating recommendations.


    13. Purpose Limitation

    Your data will be processed only for the following purposes as required by IT Rules 2011:

    Permitted Uses:

    • Delivery of fitness coaching and personalized training programs
    • Performance tracking and progress analytics
    • Health and safety assessments (to customize coaching)
    • Communication regarding services
    • Technical maintenance and system improvement
    • Security and fraud prevention
    • Legal compliance and regulatory obligations

    Prohibited Uses:

    Your data will NOT be used for:

    • Marketing or selling fitness products/supplements without separate consent
    • Sharing with third-party fitness brands, wellness products, or supplement companies
    • Behavioral profiling for purposes outside fitness coaching
    • Sale to data brokers or marketing agencies
    • Insurance underwriting or health-based discrimination
    • Employment screening or background checks
    • Credit scoring or financial assessments

    AI/ML Processing:

    Machine learning models trained on your data shall not identify you personally, shall be used only to improve coaching recommendations, and require separate explicit consent before implementation of new AI features.


    14. Limitation of Liability

    14.1 Service Limitations

    While we implement reasonable security measures, you acknowledge and agree that:

    • No internet transmission is 100% secure
    • Fitness recommendations are educational and not medical advice
    • You must consult a healthcare provider before starting any fitness program
    • You assume responsibility for following fitness programs safely and within your capabilities
    • We are not liable for injuries resulting from improper exercise execution, overexertion, or failure to follow safety guidelines
    • Emergency contact information is for our internal use; we are not a medical alert service or emergency response provider
    • You must have appropriate medical clearance for physical activity
    • You are responsible for using appropriate equipment and safe exercise environments

    14.2 Indemnification

    You agree to indemnify, defend, and hold Neeyafit harmless from any claims, damages, liabilities, costs, or expenses (including reasonable attorneys' fees) arising from:

    • Your violation of this privacy policy or terms of service
    • Your misuse of our services
    • Your provision of inaccurate, incomplete, or misleading health information
    • Your failure to disclose relevant medical conditions, injuries, or physical limitations
    • Injuries or health complications arising from exercise participation
    • Your unauthorized sharing of account credentials
    • Your violation of any applicable laws or regulations

    14.3 Dispute Resolution

    You agree to resolve disputes individually through binding arbitration as per the Arbitration and Conciliation Act, 1996.

    Arbitration Terms:

    • Disputes shall be resolved in Bangalore, Karnataka, India under Indian law
    • Arbitration shall be conducted by a single arbitrator mutually agreed upon by both parties
    • Each party waives the right to participate in class actions, collective proceedings, or representative actions
    • Disputes shall be resolved on an individual basis only
    • The arbitrator's decision shall be final and binding
    • Each party shall bear their own costs unless the arbitrator determines otherwise

    Exceptions to Arbitration: You may bring claims in small claims court if they qualify, and either party may seek injunctive relief in court for intellectual property or confidentiality violations.

    14.4 Severability

    If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. Invalid provisions shall be replaced with valid provisions that most closely reflect the original intent and economic effect of the invalid provision.


    15. Grievance Redressal Officer

    As required by IT Rules 2011, we have designated a Grievance Officer to address data privacy concerns:

    Grievance Officer:

    • Name: Nithya Shree Ananda
    • Contact: support@neeyafit.com (Subject: Privacy Grievance)
    • Address: 213-1, NEAR ANJANEYA TEMPLE, BYRAMANGALA VILLAGE BIDADI HOBLI, BYRAMANGALA, Bidadi Industrial Area, Ramanagara, Karnataka, 562109

    Response Timeline: 30 days from receipt of complaint

    How to File a Complaint:

    1. Email support@neeyafit.com with "Privacy Grievance" in subject line
    2. Include: Your name, contact information, description of issue, desired resolution
    3. Attach any supporting documentation
    4. You will receive acknowledgment within 3 business days
    5. Resolution provided within 30 days

    Escalation: For complaints regarding privacy violations, you may also lodge a complaint with:

    • Ministry of Electronics and Information Technology (MeitY)
    • Data Protection Board (once established under DPDPA 2023)
    • Other applicable regulatory authorities

    16. Regulatory Monitoring and Future Compliance

    16.1 Active Monitoring

    We actively monitor developments in Indian data protection law and will update our practices within 180 days of any new law or regulation coming into force. Material changes will be communicated with 30 days' advance notice via email and website banner.

    16.2 Phased Compliance

    Upon finalization of DPDP Rules 2025, we will comply with:

    • Data Protection Board establishment provisions: Immediately
    • Substantive data processing requirements: Within the timeline specified by the government (likely 6-12 months from notification)
    • Technical and organizational measures: Within 12 months of rule notification

    16.3 Consent Management Platform

    We are evaluating implementation of a registered Consent Manager platform to streamline consent collection and withdrawal processes in compliance with draft DPDP Rules 2025. This will provide centralized consent management across all digital services you use.

    16.4 Significant Data Fiduciary Status

    Risk Assessment: Given that we process sensitive health data and may serve a large user base, we anticipate potential designation as a Significant Data Fiduciary upon enforcement of DPDPA 2023.

    Enhanced Obligations Preparation:

    • Appointment of a Data Protection Officer (separate from Grievance Officer)
    • Independent third-party security audits (annual)
    • Data Protection Impact Assessments (DPIAs) for new processing activities
    • Periodic audits as may be required by the Data Protection Board once established
    • Enhanced breach notification and reporting requirements
    • Additional safeguards for international data transfers

    We are proactively implementing these enhanced protections to ensure seamless compliance.


    17. Contact Us

    For questions about this Privacy Policy or to exercise your rights:

    General Inquiries: support@neeyafit.com

    Privacy Inquiries: privacy@neeyafit.com

    Website: neeyafit.com

    Address: Bangalore, Karnataka, India

    Business Hours: Monday - Saturday, 9:00 AM - 6:00 PM IST

    Response Times:

    • General inquiries: 15 days
    • Data access/correction/deletion requests: 30 days per IT Rules 2011
    • Grievances: 30 days per IT Rules 2011
    • Urgent security matters: 24-48 hours

    18. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time to reflect:

    • Changes in our practices or services
    • Legal or regulatory requirements
    • Industry best practices
    • User feedback and concerns

    Notification of Changes:

    • Material changes: Email notification + prominent website banner 30 days before effective date
    • Minor changes: Website notification + in-app notice 7 days before effective date
    • Emergency changes (legal compliance): Immediate notification with explanation

    Your continued use of our services after changes take effect constitutes acceptance of the updated policy. If you do not agree with changes, you may delete your account before the effective date.

    Version Control:

    This is Version 2.1 of our Privacy Policy, effective December 4, 2025.

    A complete changelog of policy updates is maintained and accessible upon request to privacy@neeyafit.com. Previous versions are archived and available for review.


    Changelog:

    • Version 2.1 (December 4, 2025): Enhanced DPDPA compliance language, added cookie consent banner details, strengthened arbitration clauses, added severability provision, clarified age verification policy, enhanced AI transparency
    • Version 2.0 (November 2, 2025): Added medical disclaimer, Razorpay integration details, international transfer safeguards, AI processing disclosure, indemnification clause
    • Version 1.0 (Initial): Original privacy policy

    Last Review Date: December 4, 2025

    Next Scheduled Review: June 4, 2026 (or sooner upon DPDP Rules enforcement)


    © 2025 Neeyafit. All rights reserved.
