Early - Privacy Policy
Last Updated: 4th June, 2025
1. INTRODUCTION AND COMMITMENT TO PRIVACY
● 1.1. About This Policy:
Earlyfit Health Private Limited ("Early," "Company," "we," "us," "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy ("Policy") describes how we collect, use, process, store, share, and protect your Personal Information (as defined below), including Sensitive Personal Data or Information (SPDI), when you access or use the Early mobile application ("App"), any associated website https://early.fit ("Website"), and all related services, features, content, and functionalities offered by Early, including our medically driven scientific weight loss program (collectively, the "Services").
● 1.2. Integral Part of Terms:
This Privacy Policy is an integral part of our Terms and Conditions (available at https://early.fit/termsandconditon). By creating an account, accessing, or using our Services, and by explicitly agreeing to the "Key Consent Points" and these full terms during onboarding, you signify your understanding of and agreement to the data practices described in this Policy. If you do not agree with this Policy, please do not use our Services.
● 1.3. Compliance with Indian Law:
This Policy is framed in compliance with applicable Indian laws, including the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Digital Personal Data Protection Act, 2023 ("DPDP Act, 2023") and its associated rules, as and when they come into full effect.
● 1.4. Scope:
This Policy applies to all users of the Services, including registered users and visitors to our Website or App.
2. INFORMATION WE COLLECT
We collect various types of information in connection with the Services to provide and improve them. This information includes:
● 2.1. Personal Information (PI):
This is information that can be used to identify you, directly or indirectly. We collect the following categories of PI:
○ Identity & Contact Data: This includes your full name, age, date of birth, gender, email address, mobile phone number, and mailing address (including city, state, and PIN code).
○ Account Data: This includes your username, password (which we store in a hashed, encrypted format), subscription plan details, and payment history.
○ Financial Data: When you purchase a subscription, we collect information related to your payment method (such as credit/debit card type, the last four digits of your card number, card expiry date, or UPI ID). This information is processed by our third-party payment gateway providers (e.g., Razorpay, Cashfree Payments). Early does not directly store your full credit/debit card numbers or sensitive payment credentials.
○ Technical Data: This includes your Internet Protocol (IP) address, browser type and version, device type and identifiers (e.g., device model, operating system, unique device ID), App version, login data, crash reports, and usage patterns within the App and Website (such as pages visited, features used, time spent on pages, and interaction data).
○ Communication Data: This includes records of your communications with us, such as emails to our support team (support@early.fit), chat messages with Care Team members that are not part of formal medical records (e.g., general queries with nutritionists/coaches), and feedback you provide.
○ Information from "Invite Friends & Get Rewarded" Program: If you choose to participate in our referral program, we may collect information about the individuals you refer (e.g., their name and email, with their prior consent where required by law) and track referral success.
● 2.2. Sensitive Personal Data or Information (SPDI):
This is a special category of personal information that relates to your health, financial status, biometrics, and other sensitive aspects, requiring a higher level of protection under Indian law. We collect the following categories of SPDI only with your explicit consent, which you provide when you agree to our "Key Consent Points" and these Terms and Privacy Policy during onboarding and by using specific features of the Services:
○ Health and Medical Data:
■ Medical History: Information about your past and current illnesses, surgeries, chronic conditions (e.g., diabetes, hypertension, PCOS, thyroid disorders), family medical history, allergies, and immunizations.
■ Current Health Status: Details of any diagnosed conditions, symptoms you are experiencing, and ongoing treatments.
■ Medications: Information about prescription and over-the-counter medications you are currently taking, including name, dosage, and frequency.
■ Lifestyle Information Relevant to Health: Details about your typical diet, eating habits and patterns, exercise routines, physical activity levels, sleep patterns, stress levels, and consumption of tobacco or alcohol.
■ Health Goals: Your specific objectives related to weight management, fitness, and overall wellness.
■ Consultation Information: Information shared by you and notes recorded by our Care Team members (doctors, nutritionists, physical therapists, psychologists) during your consultations, including assessments, advice provided, and therapy details where applicable. This also includes information from daily side-effect check-ins (e.g., feelings logged, specific side effects reported).
■ Laboratory Test Results: Results of diagnostic blood tests (e.g., HbA1c, lipid profile, thyroid function tests, etc.) and other laboratory investigations conducted as part of the program.
■ E-prescriptions: Digital prescriptions generated by Early-affiliated doctors through the platform, including prescribed medications, dosage, and duration.
○ Data from Integrated Devices and Platforms (with your explicit consent to connect each):
■ Continuous Glucose Monitor (CGM): Blood glucose levels and associated timestamps.
■ Early Smart Scale: Body weight, Body Mass Index (BMI - calculated by the App based on your height and weight), body fat percentage, muscle mass percentage, visceral fat percentage, subcutaneous fat, Basal Metabolic Rate (BMR - calculated), metabolic age (calculated), bone weight/skeletal mass, protein mass, and water weight.
■ Activity Fitness Trackers (via Apple HealthKit, Google Health Connect, or direct integration with other compatible devices): Data points such as steps taken, active minutes/hours, distance covered, calories burned, sleep duration and quality (including sleep stages if available), average heart rate, resting heart rate, blood pressure (if the device measures and you sync this data), blood oxygen levels (SpO2, if the device measures and you sync this data), and details of logged workouts (type, duration, intensity, calories burned).
○ Biometric Data: Certain data points collected from integrated devices, such as heart rate, glucose levels, and detailed body composition metrics derived from the smart scale, are considered biometric data under SPDI Rules.
○ "My Metabolic Print" Survey Data: Your responses to the survey questions (including: how long you've been trying to lose weight, approaches tried, feelings after meals, hunger patterns, snacking habits, feelings of overeating and reasons, responses to stress, comparison to others' eating habits, weight-loss history, suspected health conditions, and 3-month goals) used by our nutritionists to generate your "Metabolic Print" profile, which is a guidance tool.
○ Meal Log Data: Detailed information about the food and beverages you consume, including item names, quantities, portion sizes, meal timings (breakfast, lunch, dinner, snacks), and associated nutritional information (calories, macronutrients – protein, carbohydrates, fats) that you log manually or is estimated through food recognition features in the App.
● 2.3. Information Provided Orally:
Personal Information and SPDI, including health details, discussed by you during unrecorded telephone or video calls with Early staff or Care Team members, as further described in Section 7 of our Terms and Conditions and Section 9 of this Privacy Policy.
3. HOW WE COLLECT YOUR INFORMATION
We collect your Personal Information and SPDI through various methods, based on your interaction with our Services and the consents you provide:
● 3.1. Directly from You (User-Provided Information):
○ Account Registration and Onboarding:
When you sign up for an Account, purchase a subscription plan, and complete the onboarding process. This includes filling out detailed medical history questionnaires (covering your name, gender, age, height, weight, BMI, existing comorbidities, past medical conditions, medications, allergies, etc.), lifestyle assessments (inquiring about your personal details, eating habits, physical activity levels, sleep patterns, stress levels, etc.), and other intake forms necessary to tailor the program.
○ App Usage and Data Logging:
When you actively use the App's features to:
■ Log your meals (including food item, quantity, timing, and nutritional details).
■ Log your physical activities and workouts.
■ Log your body weight and other measurements.
■ Log symptoms, side effects, or how you are feeling through the daily side-effect check-in feature.
■ Complete the "My Metabolic Print" survey.
■ Set up and customize reminders (for water intake, appointments, medication, walking, logging weight/meals).
■ Update your profile information.
○ Communications with Care Team: When you interact with your assigned doctors, nutritionists, physical therapists, or psychologists via the App's secure in-App chat, audio calls, or video consultations. Information shared during these interactions (e.g., about your activity, lifestyle, feelings about the program, coping mechanisms, specific health concerns) is collected.
○ Support and Feedback: When you contact Early customer support (e.g., via support@early.fit or the "Help and Support" feature in the App) with queries, issues, or when you provide feedback, reviews, or testimonials.
○ Oral Communication: When you provide information during telephone or video calls with Early staff or Care Team members (which may not be recorded, as per your consent).
○ Referral Program: If you choose to participate in the "Invite Friends & Get Rewarded" program, we collect information you provide about your referrals.
● 3.2. From Integrated Devices and Platforms (with Your Explicit Authorization):
When you choose to connect your Early account with and explicitly authorize data sharing from:
■ Continuous Glucose Monitors (CGMs): We collect glucose level readings and associated timestamps.
■ Early Smart Scale: We collect measurements such as body weight, BMI, body fat percentage, muscle mass percentage, visceral fat, subcutaneous fat, BMR, metabolic age, bone mass, protein mass, and water weight.
■ Third-Party Activity Fitness Trackers and Health Platforms (e.g., Apple HealthKit, Google Health Connect): We collect data you authorize us to access, which may include steps taken, active minutes/hours, calories burned, sleep duration and quality, average heart rate, blood pressure, blood oxygen levels, and workout details. Data from these sources is synced to the Early App periodically, based on your device settings and the specific permissions you grant within the Early App and the third-party platform.
● 3.3. From Your Care Team (Generated During Service Provision):
Members of your Care Team (doctors, nutritionists, physical therapists, psychologists) will create and record information as part of providing Services to you. This includes their professional notes, observations from consultations, assessments of your progress, personalized diet and exercise plans, e-prescriptions (by doctors), and updates to the "Your Journey" section of your App record.
● 3.4. From Laboratory Partners (with Your Authorization):
If you undergo diagnostic blood tests facilitated by Early as part of your program, our designated NABL-accredited (or equivalent standard) laboratory partners will conduct the tests based on requisitions from Early-affiliated doctors and will securely share your test results with Early. These results are then uploaded to your health record within the App and made available for you and your Care Team to review.
● 3.5. Automatically Through Technology (Cookies, Analytics - with your consent where legally required):
○ Cookies and Similar Technologies:
When you visit our Website or use our App, we use cookies (small text files placed on your device) and other similar tracking technologies (such as web beacons, pixels, and local storage). These technologies help us to:
■ Enable essential functionalities of the Website and App (e.g., keeping you logged in, remembering your preferences and settings).
■ Understand how you navigate and interact with our Services.
■ Gather analytics and usage data to improve user experience, service performance, and identify technical issues.
■ (If applicable in the future, and only with your explicit opt-in consent) Deliver personalized content or targeted advertising. You can manage your cookie preferences through your browser settings or device permissions. For more details, please see Section 10 ("Cookies and Tracking Technologies").
○ App Usage Analytics:
We automatically collect data about your interaction with the App, such as features accessed, screens visited, time spent on different sections, button clicks, navigation paths, and technical information like crash reports and performance data. This helps us analyze app performance, identify bugs, understand user engagement, and improve the overall usability and effectiveness of our Services. (This may involve the use of third-party analytics service providers in the future, who will process data on our behalf under strict contractual obligations and, where identifiable data is involved, with your consent).
4. HOW AND WHY WE USE YOUR INFORMATION (PURPOSES AND LAWFUL BASIS FOR PROCESSING)
Early collects and uses your Personal Information (including SPDI) only for specified, explicit, and legitimate purposes. We ensure that all processing is based on a lawful ground as required by the DPDP Act, 2023, and other applicable Indian data protection laws. Your primary consent for these uses is obtained when you agree to our "Key Consent Points" and this full Privacy Policy during the sign-up and onboarding process. This comprehensive consent covers all data processing activities integral to the delivery and improvement of the Early program.
We process your data for the following purposes, relying on the specified lawful bases:
A. Providing, Personalizing, and Managing Your Account and the Early Services:
1. Purpose:
User registration, account creation, identity verification, and ongoing account management.
○ Categories of Data Used: Identity & Contact Data, Account Data.
○ Lawful Basis: Performance of Contract (to fulfill our agreement with you); Your Consent (explicitly given at sign-up for the collection and use of this data for account purposes).
2. Purpose:
Delivering the core medically driven weight loss program, including creating and adapting personalized diet plans, exercise recommendations, and lifestyle habit coaching.
○ Categories of Data Used: Identity & Contact Data, SPDI (all categories, including Health & Medical Data, Data from Integrated Devices, "My Metabolic Print" Survey Data, Meal Log Data).
○ Lawful Basis: Your Explicit Consent (for the collection and processing of SPDI for these specific program purposes, given at sign-up); Performance of Contract (to provide the personalized program you subscribed to).
3. Purpose:
Facilitating teleconsultations (audio, video, chat) with your assigned Care Team members (doctors, nutritionists, therapists, psychologists).
○ Categories of Data Used: Identity & Contact Data, SPDI (Health & Medical Data, Data from Integrated Devices, Meal Logs, etc., as relevant for the consultation).
○ Lawful Basis: Your Explicit Consent (for engaging in teleconsultations and for the processing of SPDI shared or discussed during these sessions, given at sign-up); Performance of Contract (to provide consultation services).
4. Purpose:
Enabling affiliated doctors to generate and manage e-prescriptions for medications (e.g., GLP-1 agonists, metformin) if deemed medically appropriate.
○ Categories of Data Used: Identity & Contact Data, SPDI (Health & Medical Data necessary for diagnosis and prescription, details of the prescribed medication).
○ Lawful Basis: Your Explicit Consent (for the generation of e-prescriptions and processing of related SPDI, given at sign-up); Performance of Contract (as part of the doctor-patient relationship established for medical treatment).
5. Purpose:
Tracking your health progress, medication adherence (through reminders and logs), and providing feedback and support based on this data.
○ Categories of Data Used: SPDI (all categories, particularly Health & Medical Data, Data from Integrated Devices, Meal Log Data, Side Effect Logs, Medication Logs).
○ Lawful Basis: Your Explicit Consent (for processing SPDI for progress tracking and support, given at sign-up); Performance of Contract.
6. Purpose:
Enabling various App features such as reminders (for water, appointments, medication, walking, logging weight/meals), meal logging, activity tracking, "My Metabolic Print," "My Care Circle," "My Plan," "My Progress," "My Weekly Habits," "Your Journey," and daily side-effect check-ins.
○ Categories of Data Used: Identity & Contact Data, Account Data, SPDI (as relevant to each specific feature, e.g., medication details for medication reminders).
○ Lawful Basis: Your Consent (implied by your use of these features after initial explicit consent for the overall program and data processing); Performance of Contract.
B. Facilitating Third-Party Services (Based on Your Program Enrollment and Explicit Authorization):
7. Purpose:
Booking and coordinating diagnostic blood tests with our designated partner laboratories on your behalf.
○ Categories of Data Used: Identity & Contact Data, SPDI (Health & Medical Data required for test requisitions, e.g., doctor's order, relevant health conditions).
○ Lawful Basis: Your Explicit Consent (for Early to facilitate these tests and share necessary data with labs, given as part of your overall program consent and authorization in the "Key Consent Points").
8. Purpose:
Ordering prescribed medications from licensed partner e-pharmacies or local pharmacies on your behalf.
○ Categories of Data Used: Identity & Contact Data, SPDI (E-prescription details, delivery address).
○ Lawful Basis: Your Explicit Consent (for Early to facilitate medication orders and share necessary data with pharmacies, given as part of your overall program consent and authorization in the "Key Consent Points").
C. Managing Payments and Commercial Activities:
9. Purpose:
Processing your subscription payments, managing renewals, and handling other financial transactions related to the Services.
○ Categories of Data Used: Identity & Contact Data, Financial Data, Account Data.
○ Lawful Basis: Performance of Contract (to process payments for services); Legitimate Interest (for maintaining financial records and business operations).
10. Purpose:
Managing cancellations, processing eligible refunds, and addressing billing inquiries.
○ Categories of Data Used: Identity & Contact Data, Financial Data, Account Data.
○ Lawful Basis: Performance of Contract; Legal Obligation (e.g., consumer protection laws).
11. Purpose:
Administering the "Invite Friends & Get Rewarded" referral program, if you participate.
○ Categories of Data Used: Identity & Contact Data (of referrer and, with consent, the referred individual).
○ Lawful Basis: Your Consent (by choosing to participate in the program); Legitimate Interest (to promote our services).
D. Communication with You:
12. Purpose:
Sending essential transactional and service-related communications, such as Account activation emails, service updates, appointment confirmations and reminders, payment receipts, changes to our Terms or Policies, and security alerts.
○ Categories of Data Used: Identity & Contact Data, Account Data.
○ Lawful Basis: Performance of Contract; Legitimate Interest (to keep you informed about essential service aspects).
13. Purpose:
Sending reminders for medication, appointments, logging activities (weight, meals, water, walking), as configured by you or recommended by your Care Team.
○ Categories of Data Used: Identity & Contact Data, SPDI (as relevant to the specific reminder, e.g., medication name for medication reminder).
○ Lawful Basis: Your Consent (you can manage reminder preferences in the App); Performance of Contract (as part of program support).
14. Purpose:
Responding to your queries, feedback, and support requests submitted through the "Help and Support" feature or via support@early.fit.
○ Categories of Data Used: Identity & Contact Data, Account Data, Communication Data, (SPDI if your query relates to your health or program data).
○ Lawful Basis: Performance of Contract (to provide customer support); Legitimate Interest (to address user concerns and improve service).
15. Purpose:
Sending you marketing and promotional communications about Early's new features, services, or special offers (only if you have separately and explicitly opted-in to receive such communications).
○ Categories of Data Used: Identity & Contact Data.
○ Lawful Basis: Your Explicit Consent (which must be opt-in and easily withdrawable).
E. Service Improvement, Analytics, and Research:
16. Purpose:
Analyzing App and Website usage patterns, technical data, and user interactions to understand user behavior, identify areas for improvement, enhance features, ensure stability, and optimize user experience.
○ Categories of Data Used: Technical Data, (Anonymized and/or Aggregated PI & SPDI where feasible and appropriate).
○ Lawful Basis: Legitimate Interest (to maintain and improve the quality and effectiveness of our Services); Your Consent (if identifiable data is used for purposes beyond direct service provision or basic operational analytics).
17. Purpose:
Conducting internal research and statistical analysis to evaluate and enhance program effectiveness, develop new services, or contribute to general wellness knowledge (primarily using anonymized or aggregated data to protect your privacy).
○ Categories of Data Used: Anonymized and/or Aggregated PI & SPDI.
○ Lawful Basis: Legitimate Interest (for service development and improvement); Your Explicit Consent (if your identifiable data is proposed to be used for specific research projects not covered by program delivery, and you will be informed).
F. Ensuring Legal Compliance, Safety, and Security:
18. Purpose:
Complying with applicable Indian laws, regulations, court orders, summons, or other legal processes and government requests.
○ Categories of Data Used: All relevant categories of PI & SPDI as may be lawfully required.
○ Lawful Basis: Legal Obligation.
19. Purpose:
Protecting the rights, property, or safety of Early, our users, our Care Team, or the public, as required or permitted by law.
○ Categories of Data Used: All relevant categories of PI & SPDI as may be necessary.
○ Lawful Basis: Legitimate Interest (to protect our legal rights and the safety of others); Vital Interests (in rare cases, to protect someone's life); Legal Obligation.
20. Purpose:
Detecting, preventing, investigating, and addressing fraud, security breaches, unauthorized access, or misuse of the Services.
○ Categories of Data Used: Technical Data, Account Data, Communication Data, (PI & SPDI if relevant to a specific investigation).
○ Lawful Basis: Legitimate Interest (to maintain the security and integrity of our Services); Legal Obligation.
21. Purpose:
Enforcing our Terms and Conditions and other policies.
○ Categories of Data Used: Account Data, Communication Data, (PI & SPDI if relevant to a dispute or enforcement action).
○ Lawful Basis: Legitimate Interest (to ensure compliance with our contractual terms).
5. DATA SHARING AND DISCLOSURE
Early is committed to protecting your privacy. We do not sell your Personal Information or SPDI to third parties. We may share your Personal Information (including SPDI) with third parties only in the following circumstances, strictly on a "need-to-know" basis, and with appropriate contractual and security safeguards in place:
● 5.1. With Your Assigned Care Team:
Your designated doctors, nutritionists/coaches, physical therapists, and psychologists who are part of your Care Team will have access to your relevant Personal Information and SPDI. This access is necessary for them to provide you with personalized consultations, create and adjust your plans, monitor your progress, offer support, and fulfill their professional responsibilities as part of the Early program. Access for Care Team members is role-based and limited to the information required for their specific function in your care.
● 5.2. With Partner Laboratories:
If you undergo diagnostic blood tests as part of the Early program (your consent for which is part of your overall program consent and authorization in the "Key Consent Points"), we will share your necessary Personal Information (name, contact details, age, gender) and health information (test requisitions prepared by doctors) with our designated NABL-accredited (or equivalent standard) laboratory partners to enable them to conduct the tests and provide results.
● 5.3. With Partner Pharmacies (E-pharmacies or Local Pharmacies):
If your Early-affiliated doctor prescribes medications for you as part of the program and you have authorized Early (via the "Key Consent Points" and program agreement) to facilitate the ordering of these medications on your behalf, we will share your e-prescription details (as issued by the doctor), name, contact information, and delivery address with licensed third-party e-pharmacies or local pharmacies to enable them to dispense and deliver your medication.
● 5.4. With Third-Party Payment Gateway Providers:
We use third-party payment gateway providers (e.g., Razorpay, Cashfree Payments) to securely process your subscription payments. When you make a payment, you provide your payment information directly to these providers. We only receive transaction confirmation and limited details (like transaction ID, payment status). These providers have their own robust security and privacy policies. We will ensure Data Processing Agreements (DPAs) are in place with them.
● 5.5. With Technology Service Providers (Data Processors):
We may use third-party service providers for essential technology infrastructure, such as cloud hosting (servers located in India), database management, and app performance monitoring. These providers will only process your data on our behalf and under our instructions, and we will ensure they have appropriate data protection agreements (DPAs) and security measures in place.
● 5.6. For Aggregated Analytics and Service Improvement (Anonymized/Aggregated Data):
We may share anonymized or aggregated data (from which individuals cannot be identified) with third-party analytics providers (in the future, if engaged) to help us understand usage trends and improve our Services. DPAs will be established if such providers are engaged. We will not share your identifiable SPDI with such providers for these purposes without your separate explicit consent.
● 5.7. For Legal Obligations and Safety:
We may disclose your Personal Information (including SPDI) if we believe in good faith that such disclosure is necessary to:
■ Comply with any applicable Indian law, regulation, legal process (such as a court order, summons, or warrant), or a binding governmental or law enforcement request.
■ Enforce our Terms and Conditions, including investigation of potential violations.
■ Detect, prevent, investigate, or otherwise address fraud, security vulnerabilities, or technical issues.
■ Protect against harm to the rights, property, or safety of Early, our users, our Care Team, or the public, as required or permitted by law. We will assess such requests carefully and disclose only the minimum information necessary.
● 5.8. In Connection with Business Transfers:
If Early is involved in a merger, acquisition, amalgamation, sale of assets, financing, bankruptcy, or reorganization of all or a portion of our business, your Personal Information may be shared, sold, or transferred as part of that transaction to the acquiring or successor entity. We will notify you before your Personal Information is transferred and becomes subject to a different privacy policy, and we will ensure that the recipient agrees to protect your information in a manner consistent with this Policy or seeks your consent for any material changes.
● 5.9. With Your Explicit Consent (Other than above):
We will explicitly ask for your specific consent before sharing your Personal Information with any third parties for purposes not covered above (e.g., for specific research projects using identifiable data not directly related to program delivery). We will inform you about the purpose of such sharing and the specific data involved before seeking your consent.
6. DATA SECURITY PRACTICES
We are committed to implementing and maintaining "reasonable security practices and procedures" as mandated by the SPDI Rules and the DPDP Act, 2023 to protect your Personal Information from unauthorized access, use, alteration, disclosure, or destruction. These measures include:
● 6.1. Encryption:
We will use industry-standard encryption protocols for data in transit (e.g., Transport Layer Security - TLS 1.2 or higher) and for data at rest (e.g., AES-256 encryption for databases and stored files).
● 6.2. Access Controls:
○ Role-based access controls to limit access to Personal Information (especially SPDI) to authorized personnel (e.g., your specific Care Team members, limited Early administrative staff including the CEO and co-founder as indicated) on a "need-to-know" basis.
○ Strong password policies and multi-factor authentication (MFA) for internal systems where feasible.
● 6.3. Technical Safeguards:
○ Firewalls, intrusion detection/prevention systems.
○ Regular security assessments, vulnerability scanning, and penetration testing (planned as best practice).
○ Secure software development practices.
● 6.4. Administrative and Physical Safeguards:
○ Internal data protection policies and training for employees and contractors who handle Personal Information.
○ Confidentiality agreements with employees and contractors.
○ Secure physical storage for any hard-copy documents (though primary storage is electronic).
○ Procedures for secure data disposal.
● 6.5. Data Breach Response:
Early is developing an internal data breach response plan to promptly identify, contain, mitigate, and notify relevant authorities (Data Protection Board of India) and affected users in the event of a personal data breach, as required by the DPDP Act, 2023.
● 6.6. User Responsibility:
While we take significant steps to protect your data, the security of your Account also depends on you. You are responsible for keeping your Account password confidential and for securing the devices you use to access our Services.
7. DATA RETENTION POLICY
● 7.1. Retention Period:
We will retain your Personal Information (including SPDI) only for as long as it is necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Policy, and to comply with our legal and regulatory obligations.
○ Account Data: Retained for as long as your Account is active.
○ Health and Medical Data (SPDI): Retained for as long as your Account is active and for a subsequent period of at least three (3) years after your last interaction or program completion, or for such longer periods as may be required or permitted by applicable Indian laws and regulations concerning medical records. We will align with relevant medical record retention guidelines.
○ Financial Transaction Data: Retained for the period required by tax and company laws (typically 7-8 years).
○ Other Data (Logs, Communications, etc.): Generally, retained for a period of three (3) years from the date of your last interaction with the Services or the closure of your Account, unless a longer period is required for legal, dispute resolution, or regulatory purposes.
● 7.2. Post-Account Closure/Termination:
○ Upon closure or termination of your Account, or upon your valid request for erasure (see Section 8), we will securely delete or effectively anonymize your Personal Information in accordance with our retention schedules and applicable law. The process for deletion will involve secure removal from relevant database tables.
○ Some data may be retained in an aggregated and anonymized form for research, analytics, and service improvement purposes, where it can no longer be used to identify you.
○ We may also retain certain information if necessary to comply with our legal obligations, resolve disputes, prevent fraud, or enforce our agreements.
● 7.3. Secure Disposal:
When Personal Information is no longer needed, it will be securely disposed of using methods that prevent its recovery or misuse.
8. YOUR RIGHTS REGARDING YOUR DATA (AS PER INDIAN LAW)
Under the DPDP Act, 2023, and other applicable Indian data protection laws, you have certain rights concerning your Personal Information. We are committed to upholding these rights.
● 8.1. Right to Access Information:
You have the right to obtain confirmation from us as to whether or not your Personal Information is being processed, and where that is the case, access to the Personal Information and a summary of the processing activities.
● 8.2. Right to Correction and Erasure:
○ Correction: You have the right to request the correction of inaccurate or incomplete Personal Information.
○ Erasure (Right to be Forgotten): You have the right to request the erasure of your Personal Information if it is no longer necessary for the purpose for which it was collected, you withdraw consent (where consent is the sole basis for processing), or if the processing is unlawful, subject to legal or regulatory retention requirements.
● 8.3. Right to Withdraw Consent:
Where we rely on your consent to process your Personal Information (especially SPDI, which is obtained at sign-up for the program's purposes), you have the right to withdraw that consent at any time by contacting support@early.fit. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. If you withdraw consent for processing essential to the program, we may not be able to continue providing certain Services to you, potentially leading to the termination of your program. We will advise you if this is the case at the time you withdraw your consent.
● 8.4. Right of Grievance Redressal:
You have the right to lodge a grievance with our designated Grievance Officer (details in Section 13) if you have any concerns about the processing of your Personal Information. You also have the right to complain to the Data Protection Board of India (once established) if you are not satisfied with our response.
● 8.5. Right to Nominate:
You have the right to nominate another individual who, in the event of your death or incapacity, shall exercise your rights under the DPDP Act, 2023 on your behalf.
● 8.6. (Future Right to Data Portability):
The DPDP Act, 2023 mentions data portability, but specifics may be detailed in subsequent rules. Once clarified, we will facilitate this right.
● 8.7. How to Exercise Your Rights:
To exercise any of these rights, please contact us at support@early.fit or directly contact our Grievance Officer (details in Section 13). We will respond to your request in accordance with applicable law and within the prescribed timelines (e.g., acknowledgment within 48 hours, resolution within 30 days, extendable with justification). We may need to verify your identity before processing your request.
9. INFORMATION PROVIDED ORALLY (E.G., OVER CALLS)
● 9.1. Consent for Collection:
When you provide Personal Information (including SPDI) to Early staff or Care Team members over telephone or video calls, which may not be recorded, your agreement to the Terms and Conditions and this Privacy Policy at sign-up constitutes your consent to our collection and use of this information for the purposes of providing the Services and as outlined in this Privacy Policy.
● 9.2. User Responsibility for Accuracy:
You are responsible for ensuring that any information you provide orally is accurate, complete, and truthful. Early relies on this information.
● 9.3. Confirmation and Disclaimer:
While Early staff will make reasonable efforts to accurately capture information provided orally, the ultimate responsibility for its correctness lies with you. Early disclaims liability for any issues, errors in service, or adverse health outcomes arising from incorrect, incomplete, or misleading information provided by you orally. You acknowledge that without call recordings, verifying the exact information shared can be challenging, and you agree to hold Early harmless for discrepancies arising from orally communicated information where Early has acted in good faith based on its understanding of that communication.
10. COOKIES AND TRACKING TECHNOLOGIES
● 10.1. Use of Cookies:
We use cookies and similar tracking technologies (e.g., web beacons, pixels, device identifiers) on our Website and App to:
○ Enable core functionalities (e.g., keeping you logged in).
○ Remember your preferences and settings (e.g., for reminders).
○ Understand how you use our Services and improve user experience.
○ Gather analytics and usage data.
○ (If applicable in the future, and only with your explicit opt-in consent) Deliver personalized content or targeted advertising.
● 10.2. Types of Cookies:
We may use session cookies (which expire when you close your browser) and persistent cookies (which remain on your device for a set period or until you delete them). The specific cookies used will be for essential operations, performance analytics, and functionality.
● 10.3. Your Choices:
Most web browsers are set to accept cookies by default. You can usually modify your browser settings to decline cookies or to alert you when cookies are being sent. If you disable cookies, some parts of our Services may not function properly (e.g., staying logged in, remembering preferences). For more information on managing cookies, please refer to your browser's help documentation or device settings. We will also provide clear information and choices regarding non-essential cookies if they are introduced.
11. CHILDREN'S PRIVACY
Our Services are intended for individuals who are at least eighteen (18) years of age. We do not knowingly collect Personal Information from children under 18. If we become aware that we have inadvertently collected Personal Information from a child under 18 without verifiable parental consent (where required by law for specific services, though our current program is for adults), we will take steps to delete such information from our records promptly.
If Early plans to extend services to teenagers (e.g., for PCOS management or other conditions) in the future, this Policy will be updated. Appropriate age verification and parental/guardian consent mechanisms compliant with the DPDP Act, 2023, and other applicable laws (such as specific rules for processing children's data) will be implemented before any such data collection from minors occurs.
12. DATA BREACH NOTIFICATION
In the event of a personal data breach that is likely to cause harm to you, Early is committed to:
● Taking immediate steps to contain, assess, and mitigate the breach.
● Conducting a thorough investigation to understand the scope, nature, and impact of the breach.
● Notifying the Data Protection Board of India (DPBI) and affected users of the breach in accordance with the timelines and procedures prescribed under the DPDP Act, 2023, and its associated rules. The notification to users will include details about the nature of the breach, the type of data involved, potential consequences, and measures being taken by Early to address the breach and mitigate potential harm.
Early is in the process of formalizing its internal Data Breach Response Plan to ensure timely, effective, and compliant management of any such incidents.
13. GRIEVANCE OFFICER (FOR DATA PRIVACY)
In accordance with the Information Technology Act, 2000, the SPDI Rules, 2011, and the DPDP Act, 2023, we have appointed a Grievance Officer to address your concerns and grievances regarding the processing of your Personal Information.
● Name of Grievance Officer: Sagar Khurana
● Email Address: sagar@early.fit
● Mailing Address: G80, Lajpat Nagar-1, Delhi -110024
We will endeavor to acknowledge your grievance promptly (e.g., within 48 hours of receipt) and resolve it within a reasonable period, aiming for resolution within thirty (30) days from the date of receipt, or such other period as may be prescribed by applicable law (e.g., the DPDP Act may specify shorter timelines for certain actions).
14. INTERNATIONAL DATA TRANSFERS
Currently, Early stores and processes all user data on servers located within India. We do not transfer your Personal Information outside of India. If, in the future, Early contemplates transferring Personal Information outside of India (e.g., for using specialized global service providers for specific processing activities not available in India, or for disaster recovery purposes), we will do so only in strict compliance with the provisions of the DPDP Act, 2023, and other applicable Indian laws. This would involve:
● Ensuring that the recipient country or entity provides an adequate level of data protection as determined or restricted by the Central Government of India.
● Implementing appropriate safeguards such as Standard Contractual Clauses (or equivalent mechanisms approved by the Indian government).
● Or, where applicable and permissible, obtaining your explicit, informed consent for such restricted transfers after fully informing you of the associated risks and the specific purpose of the transfer.
15. UPDATES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our data practices, service offerings, or legal and regulatory requirements. We will notify you of any material changes by:
● Posting the updated Policy on our Website and App with a revised "Last Updated" date.
● Sending an email to the address associated with your Account.
● Or, providing an in-App notification. We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Your continued use of the Services after any changes to this Policy are posted and, where required, your affirmative acceptance of such changes, will constitute your agreement to the revised Policy. For significant changes, we may seek your fresh consent.
16. CONTACT US
If you have any general questions, comments, or concerns about this Privacy Policy or our data practices (not related to lodging a formal grievance, for which please see Section 13), please contact our general support at: Email: support@early.fit Address: G80, Lajpat Nagar-1, Delhi -110024
