Privacy Policy
Last Updated: 5th August, 2025
This EarlyFit Privacy Policy (“Privacy Policy”) sets forth how EarlyFit Health Private Limited (“we,” “us,” “our,” or “EarlyFit”) obtains, monitors, and processes Personal Data (as defined below) that we collect in the ordinary course of business. This Privacy Policy is an integral part of our internal control and risk/compliance management system to meet our legitimate needs and is incorporated into our Terms and Conditions.
By creating an account, accessing, or using our Platform (collectively, our mobile application (“App”) and website (“Website”)), and by explicitly agreeing to this Privacy Policy during onboarding, you signify your understanding and agreement to the data practices described herein. If you do not agree with this Privacy Policy, you must immediately cease accessing or using our Platform.
This Privacy Policy complies with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and its associated rules, and applies to all users of the Platform, including registered users and visitors.
Definitions
Throughout this Privacy Policy, we use the following terms with the meanings ascribed below:
- Data Protection Board: The data protection board established by the Central Government pursuant to the DPDP Act.
- Data Protection Officer: An individual appointed by us, based in India, serving as the point of contact for the grievance redressal mechanism.
- DPDP Act: The Digital Personal Data Protection Act, 2023, as amended, read with rules framed pursuant thereto.
- Platform: Collectively refers to our App and Website.
- Processor: A natural or legal person, or any other entity, that processes Personal Data on our behalf and under our control.
- Processing: Any operation or set of operations performed on Personal Data, whether by automatic means or otherwise, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, dissemination, alignment, combination, blocking, erasure, or destruction.
- Third-Party: Any natural or legal person, public authority, agency, or entity other than you, us, the Processor, or persons authorized to process Personal Data under our direct authority.
- User or You/Your: Any user or third person to whom the Personal Data relates, including, where applicable, (i) a child, represented by their parents or lawful guardian; or (ii) a person with a disability, including their lawful guardian acting on their behalf.
- Personal Data: Information related to an identified or identifiable person, including but not limited to:
  - Your full name, age, date of birth, gender, email address, mobile phone number, mailing address (including city, state, and PIN code), username, password (stored in hashed, encrypted format), subscription plan details, and payment history;
  - Payment method details (e.g., credit/debit card type, last four digits, expiry date, or UPI ID), processed by third-party payment gateways;
  - Technical data such as IP address, browser type/version, device type/identifiers, App version, login data, crash reports, and usage patterns;
  - Communications with us (e.g., emails to support@early.fit, chat messages with Care Team, feedback);
  - Referral program data (e.g., names and emails of referred individuals, with their consent);
  - Medical data, including past/current illnesses, surgeries, chronic conditions, family medical history, allergies, medications, diet, exercise, sleep, stress, tobacco/alcohol use, weight management goals, consultation notes, daily side-effect check-ins, diagnostic blood test results, and e-prescriptions;
  - Data from integrated devices/platforms (with your consent), such as Continuous Glucose Monitors (CGMs), Early smart scale, and third-party fitness trackers (via Apple HealthKit, Google Health Connect);
  - Survey responses for “My Metabolic Print” (e.g., weight loss history, eating habits, health conditions);
  - Food and beverage logs (item names, quantities, nutritional information);
  - Personal Data shared orally during unrecorded telephone/video calls;
  - Any other information you choose to share with us.
Any term not defined herein shall have the meaning ascribed in EarlyFit’s Terms and Conditions.
Before disclosing another person’s Personal Data to us, you must obtain their consent for both the disclosure and Processing in accordance with this Privacy Policy.
1. Scope of the Privacy Policy
This Privacy Policy applies to:
- All individuals providing Personal Data to us, including users, associates, job applicants, employees, retirees, contractors, service providers, consultants, advisors, and vendors;
- All methods of contact, including in-person, written, internet, direct mail, telephone, or facsimile;
- All locations where we operate, even where local regulations do not exist.
This Privacy Policy informs all persons of their obligations to protect the privacy of individuals who interact with us and the security of their Personal Data. We will continue to evaluate and adjust our policies to ensure compliance with applicable laws.
You acknowledge that all Personal Data provided to us is accurate, complete, and not misrepresented. We comply with applicable privacy laws, rules, and regulations in all material respects.
Our designated Data Protection Officer is Sagar Khurana, contactable at sagar@early.fit, for privacy-related matters.
2. Collection of Personal Data
We collect your Personal Data through various methods, based on your interaction with our Platform and the consents you provide, as follows:
2.1 Directly from You (User-Provided Data)
- Account Registration and Onboarding: When you sign up for an Account, purchase a subscription plan, and complete onboarding, including medical history questionnaires (e.g., name, gender, age, height, weight, BMI, comorbidities, medications, allergies) and lifestyle assessments (e.g., eating habits, physical activity, sleep, stress).
- Platform Usage and Data Logging: When you use Platform features to log meals, physical activities, body weight, symptoms, side effects, “My Metabolic Print” survey responses, reminders, and profile updates.
- Communications with Care Team: During interactions with doctors, nutritionists, physical therapists, or psychologists via secure in-App chat, audio, or video consultations.
- Support and Feedback: When you contact customer support (e.g., via support@early.fit or the “Help and Support” feature) or provide feedback, reviews, or testimonials.
- Oral Communication: When you provide information during unrecorded telephone or video calls with Early staff or Care Team members.
- Referral Program: If you participate in the “Invite Friends & Get Rewarded” program, we collect referral information (e.g., names, emails) with their consent.
2.2 From Integrated Devices and Platforms (With Your Authorization)
When you connect and authorize data sharing from:
- Continuous Glucose Monitors (CGMs): Glucose level readings and timestamps.
- Early Smart Scale: Body weight, BMI, body fat percentage, muscle mass, visceral fat, subcutaneous fat, BMR, metabolic age, bone mass, protein mass, and water weight.
- Third-Party Fitness Trackers/Platforms: Via Apple HealthKit, Google Health Connect, or direct integration, including steps, active minutes, calories burned, sleep data, heart rate, blood pressure, blood oxygen levels, and workout details.
2.3 From Your Care Team (Generated During Service Provision)
Care Team members create and record information, including professional notes, consultation observations, assessments, diet/exercise plans, e-prescriptions, and updates to your “Your Journey” record.
2.4 From Laboratory Partners (With Your Authorization)
When you undergo diagnostic blood tests, NABL-accredited (or equivalent) laboratory partners share test results with Early, uploaded to your health record for review by you and your Care Team.
2.5 Automatically Through Technology (Cookies, Analytics)
- Cookies and Similar Technologies: Used to enable essential functionalities, remember preferences, gather analytics, and (if applicable, with explicit consent) deliver personalized content or ads.
- Platform Usage Analytics: Data on features accessed, screens visited, time spent, button clicks, navigation paths, crash reports, and performance data to improve Platform usability.
3. Use of Personal Data
We may use your Personal Data, with your explicit consent where required, to:
- Manage user registration, account creation, identity verification, and ongoing account management;
- Deliver our medically driven weight loss program, including personalized diet plans, exercise recommendations, and lifestyle coaching;
- Facilitate teleconsultations with Care Team members;
- Enable doctors to generate and manage e-prescriptions;
- Track health progress, medication adherence, and provide feedback/support;
- Enable Platform features like reminders, meal logging, activity tracking, “My Metabolic Print,” “My Care Circle,” “My Plan,” “My Progress,” “My Weekly Habits,” and “Your Journey”;
- Coordinate diagnostic blood tests with partner laboratories;
- Facilitate ordering prescribed medications from partner pharmacies;
- Process subscription payments, renewals, cancellations, refunds, and billing inquiries;
- Administer the referral program;
- Send essential transactional/service-related communications (e.g., account activation, appointment reminders, payment receipts);
- Send configured reminders for medication, appointments, and logging activities;
- Respond to queries, feedback, and support requests;
- Send marketing communications (with explicit opt-in consent, withdrawable at any time);
- Analyze usage patterns and technical data to improve user experience and Platform performance;
- Conduct internal research and statistical analysis to enhance program effectiveness;
- Comply with Indian laws, regulations, court orders, or government requests;
- Protect the rights, property, or safety of EarlyFit, users, Care Team, or the public;
- Detect, prevent, investigate, and address fraud, security breaches, or misuse;
- Enforce our Terms and Conditions and other policies.
4. Data Sharing and Disclosure
We do not sell your Personal Data. We may share it only in the following circumstances, with appropriate safeguards:
- With Your Care Team: Doctors, nutritionists, therapists, and psychologists access relevant Personal Data for personalized consultations, plan adjustments, and progress monitoring, limited to their role-specific needs.
- With Partner Laboratories: Name, contact details, and test requisitions are shared with NABL-accredited laboratories to conduct diagnostic tests.
- With Partner Pharmacies: E-prescription details, name, contact information, and delivery address are shared with licensed pharmacies to dispense and deliver medications.
- With Payment Gateway Providers: Transaction data is shared with providers like Razorpay or Cashfree Payments for secure payment processing.
- With Technology Service Providers: Cloud hosting, database management, and performance monitoring providers process data under our instructions with Data Processing Agreements (DPAs).
- For Aggregated Analytics: Anonymized/aggregated data may be shared with analytics providers to improve services (with DPAs, if engaged).
- For Legal Obligations and Safety: Disclosure may occur to comply with laws, enforce Terms, address fraud/security, or protect rights, property, or safety.
- In Business Transfers: Personal Data may be shared in mergers, acquisitions, or reorganizations, with notification and recipient agreement to protect data.
- With Explicit Consent: For purposes not covered above, we will seek specific consent, detailing the purpose and data involved.
We ensure DPAs are in place with all Processors to enforce strict data protection obligations.
5. Data Security Practices
We implement reasonable security measures to protect your Personal Data:
- Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest.
- Access Controls: Role-based access, strong password policies, and multi-factor authentication where feasible.
- Technical Safeguards: Firewalls, intrusion detection, regular security assessments, and secure development practices.
- Administrative and Physical Safeguards: Data protection policies, employee training, confidentiality agreements, secure storage, and disposal procedures.
- Data Breach Response: A plan to identify, contain, mitigate, and notify users and the Data Protection Board of breaches, per DPDP Act requirements.
- User Responsibility: You are responsible for maintaining Account password confidentiality and device security.
- Disclaimer: No transmission or storage method is 100% secure; we strive for commercially acceptable protection but cannot guarantee absolute security.
6. Data Retention Policy
- Retention Period:
  - Account data: Retained while your Account is active or until consent is withdrawn.
  - Health/medical data: Retained for at least 3 years post-interaction or program completion, or longer per medical record retention laws.
  - Financial transaction data: Retained for 8 years per tax/company laws.
  - Other data (logs, communications): Retained for 3 years post-interaction, unless required for legal/dispute purposes.
- Post-Account Closure: Data is deleted or anonymized per retention schedules, except for legal obligations, disputes, or fraud prevention.
- Secure Disposal: Data no longer needed is securely disposed of to prevent recovery or misuse.
7. Consent
Your consent is free, specific, informed, unconditional, and unambiguous, provided through clear affirmative action during onboarding. You agree to the Processing of Personal Data for purposes outlined in this Privacy Policy, limited to necessary data.
- Consent requests are presented in clear language, in English or any of the 22 languages listed in the Eighth Schedule to the Constitution of India, with Data Protection Officer contact details.
- You may withdraw consent at any time via support@early.fit, with comparable ease to giving consent.
- Withdrawal consequences are your responsibility; prior Processing remains lawful.
- Invalid consent infringing the DPDP Act or other laws is void to the extent of infringement.
8. Your Rights
You have the right to:
- Access Personal Data we hold about you, subject to identity verification;
- Access our grievance redressal mechanism and Data Protection Officer for complaints;
- Nominate an individual to exercise your rights in case of death or incapacity;
- Manage consent via a consent manager;
- Withdraw consent with ease;
- Request completion, updating, correction, or erasure of Personal Data;
- Receive notice with consent requests about your right to withdraw and complain to the Data Protection Board.
9. Information Provided Orally
- Consent for Collection: Your agreement to the Terms and this Privacy Policy at sign-up constitutes consent for collecting orally provided Personal Data during unrecorded calls.
- User Responsibility: You are responsible for the accuracy, completeness, and truthfulness of orally provided information.
- Disclaimer: EarlyFit relies on your oral information. We disclaim liability for issues arising from incorrect, incomplete, or misleading oral data. Without recordings, verifying oral information is challenging, and you hold EarlyFit harmless for discrepancies where we acted in good faith.
10. Disclosures
We may disclose Personal Data as necessary for purposes outlined in this Privacy Policy, including:
- Government functions related to sovereignty, security, or integrity of India;
- Legal obligations to disclose information;
- Compliance with court orders or judgments;
- Medical emergencies threatening life or health;
- Public health measures during epidemics or threats;
- Safety measures during disasters or public order breakdowns;
- Disclosure to courts/authorities likely to order such disclosure.
11. Access to Personal Data
We ensure Personal Data accuracy and provide reasonable access during normal working hours to update, complete, or correct inaccurate/misleading information upon request, subject to identity verification.
12. Grievance Redressal
- Data Protection Officer: Sagar Khurana, sagar@early.fit, G80, Lajpat Nagar-1, Delhi -110024.
- We acknowledge grievances within 48 hours and aim to resolve them within 30 days, or as prescribed by the DPDP Act.
13. Cookies and Tracking Technologies
- Use of Cookies: Cookies, web beacons, pixels, and device identifiers enable core functionalities, remember preferences, gather analytics, and (with explicit consent) deliver personalized content/ads.
- Types of Cookies: Session (expire on browser close) and persistent (remain until deleted or expired) cookies for operations, analytics, and functionality.
- Your Choices: Modify browser settings to decline cookies or receive alerts. Disabling cookies may affect Platform functionality. Refer to browser help documentation for management.
14. Transfer of Personal Data
Currently, all user data is stored and processed on servers in India. If future transfers outside India are contemplated, we will comply with DPDP Act provisions, ensuring adequate protection, contractual safeguards, or your explicit consent.
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first- and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
15. Updates to this Privacy Policy
We may update this Privacy Policy to reflect changes in data practices or legal requirements. We will notify you via:
- Posting the updated Policy on our Platform with a revised “Last Updated” date;
- Email to your registered address;
- In-App notification.
Your continued use after changes, or affirmative acceptance where required, constitutes agreement to the revised Policy.
16. Children's Privacy
Our services are for individuals 18 years or older. We do not knowingly collect Personal Data from children under 18 without verifiable parental consent. If such data is inadvertently collected, we will delete it promptly. Future services for teenagers will include age verification and parental consent mechanisms per the DPDP Act.
17. Data Breach Notification
In case of a Personal Data breach likely to cause harm, we will:
- Notify affected users promptly via registered communication channels, detailing the breach, data involved, consequences, and mitigation measures;
- Notify the Data Protection Board about the breach’s nature, extent, timing, location, and impact;
- Within 72 hours, provide the Data Protection Board a report with breach details, reasons, mitigation measures, responsible parties, and preventive actions.
18. Accountability
We expect employees, suppliers, service providers, consultants, contractors, advisors, and vendors to follow this Privacy Policy. We may periodically audit their compliance.
19. Enforcement
We use a self-assessment approach to ensure compliance, verifying that this Privacy Policy is accurate, comprehensive, prominently displayed, implemented, and accessible. Concerns can be raised via contact information provided, and we will investigate and resolve complaints.
20. Disciplinary Actions
We adopt a zero-tolerance policy for data breaches. Improper or unauthorized access, use, disclosure, alteration, destruction, or loss of Personal Data will result in disciplinary actions, including contract termination.
21. Procedure for Enquiries and Complaints
For corrections, updates, complaints, or questions about this Privacy Policy or our treatment of your Personal Data, contact us at:
EarlyFit Health Private Limited
G80, Lajpat Nagar-1, Delhi -110024
Email: support@early.fit