Privacy Policy — Fitvario
Last updated: 26 April 2026
Fitvario ("we", "us", "our") provides a cloud-based gym management software platform (web dashboards and mobile applications) for fitness businesses and their members. This Privacy Policy describes how we collect, use, store, share, and protect personal information when you use our websites, products, or services (collectively, the "Service").
Data Controller / Data Fiduciary. For personal data processed in connection with the Fitvario Service, the data fiduciary (as defined under India's Digital Personal Data Protection Act, 2023) and data controller is Fitvario, registered in Bhopal, Madhya Pradesh, India. Contact: support@fitvario.com. Where a gym or organization uses Fitvario to process data about its own members or staff, that organization may also act as an independent controller or data fiduciary for certain processing; we process such data on their instructions as a data processor where applicable.
Governing law. This policy is governed by and intended to comply with India's Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 (as amended), and other applicable Indian and international privacy laws.
1. Information we collect
Depending on your role (visitor, gym operator, staff, or end-user member), we may collect:
- Identity & contact: name, email address, phone number, OTP verification data, profile photo (if provided).
- Account & business: gym name, branding, address, timings, facilities, subscription or plan selections, billing identifiers, and configuration you provide.
- Members & operations: membership status, attendance (including QR or biometric events where enabled), class bookings, measurements, assigned workout/diet content consumption signals, and CRM or enquiry records you or your team create.
- Health & fitness related (sensitive data): BMI, calorie estimates, progress metrics, and similar data you or members enter—treated as sensitive personal data where required under the DPDP Act 2023 and applicable law. Explicit consent is obtained before processing.
- Commerce & payments: product interest, orders, payment references, and related metadata. Full payment card details are handled exclusively by Razorpay (our payment gateway partner) and are never stored on our servers.
- Communications: messages sent through the platform, support tickets, WhatsApp/SMS delivery logs, email delivery records, and marketing preferences where applicable.
- Technical & usage: IP address, device type, operating system, browser, app version, cookies or similar identifiers (including advertising identifiers), diagnostic logs, and security audit trails.
- Media: images and videos you upload (e.g., gym gallery, workout content), stored in our cloud object storage provider.
- Location (limited): where QR attendance is configured location-aware, we may process signals to validate check-in integrity.
- Advertising data (if marketing enabled): Meta Pixel may collect page-view events, conversion signals, and device identifiers when you interact with our marketing website. See Section 4 and our Cookie Policy for details.
2. How we use information
- To provide, operate, secure, and improve the Fitvario Service (including multi-gym data isolation and access controls).
- To authenticate users, send OTPs, and deliver transactional notifications (SMS, WhatsApp, email, push).
- To process subscriptions, messaging credits, payments via Razorpay, and ecommerce flows.
- To generate analytics, exports, and reports for authorized roles.
- To comply with law, respond to lawful requests, and enforce our Terms of Service.
- To send product updates, promotional messages, or marketing (with appropriate legal basis and opt-out).
- To measure advertising effectiveness via Meta Pixel and similar tools (where you consent).
- To detect and prevent fraud, abuse, and security incidents.
3. Legal bases for processing (DPDP Act 2023 & applicable law)
Under India's Digital Personal Data Protection Act, 2023, and other applicable laws, we process your personal data based on:
- Consent: For health/sensitive data, optional marketing communications, analytics cookies, and Meta Pixel. You may withdraw consent at any time.
- Contractual necessity: To perform our agreement with you (provide subscriptions, attendance, payments, etc.).
- Legal obligation: Where required by Indian law (IT Act, tax/accounting requirements, court orders).
- Legitimate interests: For security, fraud prevention, service improvement, and direct marketing to existing customers, balanced against your rights.
4. Third-party processors & integrations
We use the following subprocessors and third-party services. Specific vendor versions may change; material changes will be disclosed:
- Razorpay Financial Solutions Pvt. Ltd.: Payment gateway for subscriptions, credits, and ecommerce transactions. Razorpay is PCI DSS compliant and RBI-authorised. Card data is processed directly by Razorpay and not stored by us. Razorpay's Privacy Policy governs data it collects during payment flows.
- Meta Platforms, Inc. (Meta Pixel / Meta Business): We use Meta Pixel on our marketing website to measure ad campaign effectiveness and show relevant advertisements on Facebook and Instagram. Meta may receive event data (page views, conversions) and device identifiers. Meta's Data Policy governs their use of this data. You can opt out via our Cookie Policy.
- WhatsApp Business Cloud API (Meta Platforms): We send transactional and operational messages (OTPs, attendance alerts, fee reminders) via WhatsApp's official Business Cloud API. Your phone number is shared with Meta to facilitate message delivery, subject to WhatsApp's Business Policy. Only approved message templates are used.
- Zoho Mail (Zoho Corporation Pvt. Ltd.): Our business email and support communications are handled via Zoho Mail. Support emails you send us are processed and stored on Zoho's infrastructure under their Privacy Policy.
- SMS gateway provider(s): For OTP delivery and SMS reminders. Your phone number is transmitted to the SMS provider to facilitate delivery.
- Firebase Cloud Messaging (Google LLC): For push notifications to Android member app users. Device tokens are shared with Firebase to enable message delivery. Governed by Google's Privacy Policy.
- Google Play Store (Google LLC): The Fitvario member app is distributed via Google Play. Google processes app installation and usage data per their Privacy Policy. The in-app Data Safety section on Play Store reflects data collected by the app.
- Cloud hosting & object storage: AWS S3-class services for media storage (gym gallery, workout content). Data is stored with encryption at rest.
- Analytics & error monitoring (optional): We may use aggregated analytics or error tracking tools to improve performance.
All processors are engaged under contractual terms requiring appropriate data protection measures.
5. Cookies & similar technologies
We use cookies, pixels (including Meta Pixel), local storage, and mobile SDK identifiers for session management, security, preferences, analytics, and marketing. See our Cookie Policy for details on categories, specific technologies, and your choices.
6. Data retention
We retain personal data only as long as needed for the purposes described, plus legal, tax, accounting, and dispute resolution requirements (typically 7 years for financial records under Indian law). Gym organizations may configure data export or deletion within product limits. Backup copies may persist for a limited period (typically up to 30 days) after deletion requests are processed.
7. Security
We implement administrative, technical, and organizational measures including: encrypted connections across all services; authenticated and access-controlled APIs; staff permission controls (each role accesses only what is permitted); encryption of personal data at rest; private and access-restricted media delivery; daily automated backups; access logging and security audit trails. Payment data security is delegated to Razorpay (PCI DSS compliant). No transmission or storage method is 100% secure; we continuously improve our safeguards.
8. International data transfers
Our primary infrastructure is based in India. Some third-party processors (e.g. Meta, Firebase, cloud storage) operate internationally. Where data is transferred across borders, we ensure appropriate safeguards are in place as required by applicable Indian law, including data processing agreements with Standard Contractual Clauses or equivalent protections where applicable.
9. Your rights as a Data Principal (DPDP Act 2023)
Under India's DPDP Act 2023 and other applicable laws, you have the right to:
- Access: obtain a summary of personal data we hold about you.
- Correction & update: request we correct inaccurate or incomplete data.
- Erasure (right to be forgotten): request deletion of your personal data, subject to legal retention requirements.
- Withdraw consent: at any time, where processing is based on consent, without affecting prior processing.
- Nomination: nominate another person to exercise data rights on your behalf in case of death or incapacity.
- Grievance redressal: raise a complaint with our Grievance Officer (see Section 13 and our Grievance page).
- Data Protection Board: if unsatisfied with our response, lodge a complaint with India's Data Protection Board once constituted.
Members should often contact their gym first; gym administrators should contact us at support@fitvario.com for account-level requests. We will verify your identity before fulfilling requests.
10. Children's data
Our Service is intended for businesses and their adult members. We do not knowingly collect personal data from children below the age of 18 (or the applicable minimum age in your jurisdiction) without verifiable parental consent. In compliance with the DPDP Act 2023, where a user is a child, we will seek verifiable parental consent before processing. If you believe we have inadvertently collected a child's data without consent, contact us for prompt deletion.
11. Data sharing
We do not sell your personal data. We may share data with:
- Service providers and processors listed in Section 4 who assist in operating the platform.
- Your gym organization, as visible within the product permissions you configure.
- Government authorities, courts, or law enforcement when required by Indian law or a lawful order.
- A successor entity in a merger, acquisition, or asset sale, with advance notice where required by law.
- Meta Platforms, for advertising measurement via Meta Pixel (where consent is given).
12. Google Play & app-specific disclosures
The Fitvario Android app (distributed via Google Play Store) collects data as described in this Privacy Policy and our Play Store Data Safety section. The app requests permissions including: Camera (QR scanning), Storage (downloading content/reports), Internet (core functionality), Notifications (push alerts), and Biometrics (optional attendance—where device supports it and user enables it). You can review and manage app permissions in your device settings. To delete your account and associated data, visit our Delete Account page.
13. Grievance Officer
In accordance with the Information Technology Act, 2000 and IT (Intermediary Guidelines) Rules, 2021, and in anticipation of the DPDP Act 2023, we have appointed a Grievance Officer:
Email: support@fitvario.com
Product: Fitvario, India
Acknowledged within 24 hours · Resolved within 15 days
See our Grievance Officer page for full details on how to raise a complaint.
14. Changes to this policy
We may update this Privacy Policy periodically. We will post the updated version with a new "Last updated" date. For material changes, we will provide additional notice (e.g. email or in-app notification) as required under the DPDP Act 2023 and other applicable law.
15. Contact us
Privacy-related questions: support@fitvario.com
Disclaimer. This policy is provided for transparency. It is not a substitute for legal advice. Consult qualified counsel for compliance with all laws applicable to your organization and jurisdiction.