Privacy Policy
Kaivo takes your privacy seriously. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and your rights as a Data Principal under the Digital Personal Data Protection Act 2023 (DPDP Act) and the Information Technology Rules 2011.
1. Who we are
This site (getkaivo.in) is operated by Kaivo, which is run by its proprietor ("Kaivo", "we", "us") and based in India. Kaivo is currently operated as a sole proprietorship and is in the process of being incorporated as a private limited company; this Privacy Policy will be updated to reflect the registered entity's CIN and registered office address once available.
For the purposes of the DPDP Act 2023, Kaivo is the Data Fiduciary for your personal data. You ("Data Principal") are the individual whose data we process.
2. What personal data we collect
2.1 Information you give us directly
- Contact information: Name, phone number, email address
- Demographic information: Age, sex assigned at birth, city of residence
- Health information: Height, weight, BMI, medical history, current medications, contraindications (such as pregnancy, pancreatitis history, thyroid conditions). This is "sensitive personal data" under Rule 3 of the IT (Reasonable Security Practices) Rules 2011.
- Consultation data: Information shared with your doctor during video or chat consultations, prescriptions issued, treatment plans
- Payment information: Processed by our payment partners (e.g., Razorpay). We do not store your card numbers or UPI details.
2.2 Information collected automatically
- Usage data: Pages viewed, time on site, clicks, browser type, device type, approximate location (city-level via IP)
- Cookies and similar technologies: See our Cookie Policy
- Analytics: Aggregated, pseudonymous data via Google Analytics 4
2.3 Information from third parties
We may receive information from your doctor (about your consultation outcomes), our pharmacy partners (about prescription fulfilment), and our payment partners (about transaction status).
3. Why we collect your data (purposes)
- To provide you with the Kaivo service — clinical screening, consultations, prescriptions, and ongoing care
- To enable our doctors to make safe medical decisions about your treatment
- To coordinate prescription dispensing and home delivery
- To process payments and issue invoices
- To communicate with you about your treatment (appointment reminders, follow-ups)
- To improve our service via analytics
- To comply with our legal obligations under the Drugs & Cosmetics Act, Telemedicine Practice Guidelines 2020, and tax laws
- To prevent fraud, abuse, or harm
4. Legal basis for processing
Under the DPDP Act 2023, we process your personal data based on:
- Your consent — which you give when signing up, taking the eligibility quiz, and accepting this Privacy Policy. You may withdraw consent at any time (see Section 8).
- Specified legitimate uses — including responding to a medical emergency involving you, or compliance with a judgment or order issued by an Indian court.
5. Who we share your data with
We share your personal data only with the parties below, only as needed, and under strict confidentiality obligations:
- Doctors and clinicians on the Kaivo network — to provide consultations and prescribe treatment
- Licensed pharmacy partners — to dispense medications you've been prescribed
- Logistics and delivery partners — to deliver your medication, limited to name, address, and phone
- Payment processors (e.g., Razorpay) — to handle payments, governed by their own privacy policies
- Technology service providers — including Supabase (database hosting in India), Google Analytics (anonymised analytics), and similar providers — under contractual data protection terms
- Government authorities — only when legally required (e.g., court order, drug regulator inspection, tax authority)
We do not sell, rent, or trade your personal data to advertisers or marketing companies.
6. Where your data is stored
Your data is primarily stored on servers located in India (Mumbai region). Some service providers may temporarily process data outside India for technical functions (e.g., analytics aggregation, content delivery). These transfers are governed by contractual safeguards consistent with the DPDP Act 2023.
7. How long we keep your data
- Active accounts: For as long as you remain a Kaivo user, plus 3 years after your last activity
- Medical records and prescriptions: Minimum 3 years from the date of the consultation, as required under the Telemedicine Practice Guidelines 2020 and Medical Council of India regulations
- Transaction records: 8 years, as required under the Income Tax Act and GST law
- Analytics data: Up to 26 months in Google Analytics (anonymised)
- Marketing communications consent: Until you withdraw consent
After these periods, we delete or anonymise your data unless we are required to retain it longer by law.
8. Your rights as a Data Principal
Under the DPDP Act 2023, you have the right to:
- Access — request a summary of the personal data we hold about you
- Correction — ask us to correct inaccurate or update outdated information
- Erasure — request deletion of your personal data, subject to our legal retention obligations
- Withdraw consent — at any time, without affecting the lawfulness of processing carried out before withdrawal
- Grievance redressal — raise a complaint with our Grievance Officer (see below) and, if unsatisfied, escalate to the Data Protection Board of India
- Nominate — appoint another individual to exercise these rights on your behalf in the event of your death or incapacity
To exercise any of these rights, email our Grievance Officer at the address below. We will respond within 30 days.
9. How we protect your data
We implement reasonable security practices and procedures consistent with Rule 8 of the IT (Reasonable Security Practices) Rules 2011, including:
- Encryption of data in transit (TLS 1.2 or higher)
- Encryption of sensitive data at rest
- Access controls and role-based permissions for our internal team and doctor network
- Regular security reviews and audits
- Confidentiality obligations on all personnel and partners
No system is perfectly secure. If we become aware of a personal data breach, we will notify the Data Protection Board of India and affected individuals as required under the DPDP Act.
10. Children's data
Kaivo's services are intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us so we can delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent version. For material changes, we will notify you via email or a prominent notice on the site at least 14 days before the change takes effect.
Questions or concerns about this document?
Email us at support@getkaivo.in
Or reach our Grievance Officer:
The Kaivo Founders
grievance@getkaivo.in
We respond to grievances within 30 days of receipt, as required under the Digital Personal Data Protection Act 2023 and IT Rules 2011.