Effective Date: March 10, 2026

HELTHOFIT PRIVATE LIMITED and its subsidiaries ("Paybycal", "Company", "we", "us", or "our") are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy is an electronic record under the Information Technology Act, 2000, and is designed in alignment with the underlying principles of the Digital Personal Data Protection Act (DPDPA), 2023.

This Privacy Policy must be read in conjunction with our Terms of Use. By downloading, registering, or using the Paybycal mobile application (the "App") or our platform at www.paybycal.com, you provide your explicit, informed, and unconditional consent to the collection, storage, processing, and sharing of your data as described in this document. If you do not agree with these practices, you must immediately cease using the platform.

1. Strategic Definitions and Data Classification

To provide total transparency and ensure the security of your information, Paybycal legally and operationally bifurcates the data we collect into distinct categories:

  • "Personal Data" means any data about an individual who is identifiable by or in relation to such data (e.g., Name, Email, Phone Number, Date of Birth).
  • "Health Data" refers specifically to your sensitive biological and fitness metrics. This includes daily steps, calorie intake, body weight, hydration levels, and diagnostic pathology reports. This data is highly protected and subject to strict purpose limitations.
  • "App Telemetry Data" refers to behavioral, technical, and analytical data generated by your interaction with the App. This includes screen taps, session durations, feature usage, IP addresses, device identifiers (IMEI/MAC), and operating system details. Crucially, App Telemetry Data is strictly independent of Health Data.
  • "Data Fiduciary" refers to Paybycal, the entity determining the purpose and means of processing your personal data.
  • "Co-Data Fiduciary / Data Processor" refers to third-party vendors, e-commerce marketplace sellers, and diagnostic laboratories (e.g., Healthians) who process your data in conjunction with or on behalf of Paybycal to deliver requested services.

2. The Data We Collect

We collect data through three primary channels to power the Calcoin reward ecosystem, facilitate marketplace transactions, and optimize our proprietary algorithms.

2.1 Information You Provide Directly

  • Registration Data: When you create an account, we collect your full name, mobile number, email address, gender, date of birth, and password.
  • Profile & Fitness Data: To set algorithmic targets, you may manually input your height, current weight, target weight, dietary preferences, and water intake.
  • Marketplace Data: If you purchase or redeem products, or book third-party specialized regimens (e.g., Water Fasting) and diagnostic tests, we collect your shipping address, billing details, and transaction history. (Note: Payment card details are processed directly by secure, RBI-compliant payment gateways like Razorpay; Paybycal does not store your raw credit card numbers.)

2.2 Health Data via Device APIs (Explicit Opt-In)

With your explicit device-level permission, Paybycal integrates with Apple HealthKit (iOS) and Google Health Connect / Google Fit (Android).

  • We only request "read" access to specific data points (such as steps taken or active energy burned) necessary to verify your physical activity and award Calcoins.
  • You maintain absolute control over these permissions and can sever the App's access to HealthKit or Health Connect at any time via your device's native settings.

2.3 App Telemetry and Automated Collection

When you use the App, we automatically collect App Telemetry Data. We utilize SDKs, cookies, web beacons, and analytical tools to track how you navigate the platform. This data allows us to detect bugs, monitor server latency, and understand user preferences to enhance the user interface (UI) and user experience (UX).

3. How We Use Your Data

We utilize your data to operate, maintain, and legally protect the Paybycal ecosystem.

3.1 Core Operations and the Calcoin Ecosystem

  • To create and authenticate your account.
  • Health Data Utilization: We use your Health Data (steps, weight, calories) strictly and exclusively to operate the App's core functionality: tracking your progress, feeding our target-generating algorithm, and calculating your earned Calcoins.
  • Absolute Prohibition on Monetizing Health Data: In strict adherence to Apple App Store and Google Play Developer policies, Paybycal expressly warrants that your Health Data (acquired via HealthKit or Health Connect) will NEVER be sold, leased, brokered, or used for targeted advertising or marketing purposes.

3.2 Marketplace and Pathology Integrations

  • To facilitate the fulfillment of e-commerce orders by passing necessary shipping details to third-party vendors.
  • To ingest and analyze diagnostic blood test reports from empaneled laboratories (e.g., Healthians) to provide you with enhanced, personalized wellness targets within the App.

3.3 App Telemetry, Marketing, and Communications (Future-Proofing)

  • Service Notifications: We will use your contact information to send critical transactional updates, OTPs, security alerts, and order confirmations.
  • Promotional Communications: To ensure you receive the maximum benefit from our ecosystem, we reserve the right to use your Personal Data and App Telemetry Data (excluding Health Data) to send you promotional emails, SMS, push notifications, and targeted offers regarding new features, third-party regimens, or marketplace discounts. You may opt out of these marketing communications at any time without losing access to the core App functionalities.
  • Business Analytics: We analyze App Telemetry Data to identify market trends, optimize our algorithms, and conduct internal research.

4. How We Share Your Data

Paybycal is not a data broker. We only share your data under the following strictly defined operational contexts:

4.1 Co-Fiduciaries and Third-Party Vendors

When you interact with the Marketplace or book a diagnostic test, we must share specific data (name, phone number, address, email address, and context-specific health requirements) with the respective third-party vendor, laboratory (e.g., Healthians), or logistics provider to create orders and to provide you with services as may be necessary. These entities act as Co-Data Fiduciaries or Data Processors. Their use of your data is governed by their independent privacy policies once the data is transferred for service fulfillment. Paybycal assumes no liability for the data practices of these independent third parties.

4.2 Instructors for Specialized Programs

If you enroll in specialized, high-risk programs (such as the Water Fasting regimen), relevant fitness profile data may be shared with the independent, third-party instructors guiding those programs to ensure your safety and suitability for the regimen.

4.3 Legal Compliance and Protection

We reserve the absolute right to disclose any category of your data if requested by law enforcement, judicial authorities, or government agencies under a valid legal mandate. We will also disclose data to enforce our Terms of Use, investigate fraud (including Calcoin manipulation), or protect the rights, property, or physical safety of Paybycal, our users, or the public.

4.4 Corporate Restructuring

In the event of a merger, acquisition, restructuring, bankruptcy, or sale of all or a portion of our assets, your data will be securely transferred to the acquiring entity as a core business asset, subject to the continuity of this Privacy Policy.

5. Data Storage, Localization, and Cybersecurity

5.1 Flexible Cloud Infrastructure

Paybycal utilizes state-of-the-art, globally recognized cloud infrastructure to host the platform. While we prioritize the localization of data within the territory of India in compliance with emerging regulations, you explicitly acknowledge and consent that your data may be routed, processed, or stored on secure servers located in other global jurisdictions as required for operational efficiency, redundancy, and disaster recovery.

5.2 Security Posture (Limitation of Liability)

We implement commercially reasonable, industry-standard cryptographic and administrative safeguards to protect your data. However, transmitting data over the internet is inherently risky. Paybycal makes no absolute guarantee of data security. We expressly disclaim liability for any unauthorized access, cyber-attacks, ransomware, or data exfiltration events perpetrated by malicious third parties that are beyond our reasonable, direct control.

6. Data Retention and Your Erasure Rights

6.1 Retention Period

Paybycal retains your Personal Data, Health Data, and App Telemetry Data for as long as your account remains active, or as long as necessary to fulfill the purposes outlined in this Policy. We also retain data indefinitely as required by Indian law to resolve disputes, prevent fraud, enforce our agreements, and comply with tax and audit requirements regarding your e-commerce and Calcoin transactions.

6.2 The Right to be Forgotten (Explicit Deletion Request)

We do not automatically delete your data upon mere app uninstallation or prolonged inactivity. If you wish to exercise your right to erasure, you must submit an explicit data deletion request via the App settings or by contacting our Grievance Officer. Upon verification of your identity, we will sever your access to the platform, instantly void your accrued Calcoins, and securely purge your primary Health Data, retaining only the minimal transaction logs required by law.

7. Your Privacy Rights

Subject to the notification and full enforcement of the respective provisions of the Digital Personal Data Protection Act, 2023, you are entitled to the following rights regarding your data:

  • Right to Access: You may request a summary of the personal data we process about you.
  • Right to Correction: You may update, correct, or complete inaccurate personal data via your profile dashboard.
  • Right to Withdraw Consent: You may withdraw your consent for data processing at any time. Warning: Because the processing of your Health Data is fundamentally tied to the Calcoin algorithm, withdrawing consent for Health Data processing will render the App's core reward ecosystem entirely inoperable for your account.

8. Children's Privacy

The Paybycal ecosystem is strictly age-gated. We do not knowingly collect, solicit, or process personal data from individuals under the age of eighteen (18). If we become aware that a minor has provided us with personal data, we will take immediate steps to terminate the account and purge the information.

9. Modifications to This Policy

Paybycal reserves the unilateral right to update, modify, or amend this Privacy Policy at any time to reflect changes in our operational practices, new API integrations, or evolving legal frameworks (such as the imminent enforcement of the DPDPA 2023 rules). We will notify you of material changes via an App notification or email. Your continued use of the platform after such modifications constitutes your binding acceptance of the updated Policy.

10. Grievance Redressal Mechanism

In strict compliance with the Information Technology Rules, 2021, and the DPDPA, 2023, if you have any questions, concerns, or grievances regarding our data processing practices, please contact our designated Grievance / Data Protection Officer:

Our Grievance Officer is mandated to acknowledge your concern within twenty-four (24) hours and will endeavor to resolve data-related disputes within fifteen (15) working days.