DPDP Compliance Notice
Digital Personal Data Protection Act, 2023 (India) — This notice explains how Curanova complies with the DPDP Act in relation to the GenExcel mobile application.
1. Data Fiduciary Information
Data Fiduciary: Curanova
Registered Address: [Full registered address]
Email: dpo@curanova.ai
Grievance Officer: [Name]
2. Lawful Purpose of Data Processing
2.1 Based on Your Consent (Section 6)
| Data Category | Purpose |
|---|---|
| Personal identity data (name, DOB, gender) | Account creation and profile management |
| Contact data (email, phone, address) | Communication, verification, and account recovery |
| Health measurements (vitals, BMI, growth) | Personalised health tracking and insights |
| Genomic data (genetic test results, traits) | Genetic analysis and trait-based health recommendations |
| Nutrition data (dietary logs, food images) | AI-powered nutritional analysis and dietary tracking |
| Activity and sleep data | Fitness tracking and health monitoring |
| Profile picture | Account personalisation |
| Telemedicine consultation data | Connecting you with healthcare professionals |
| AI chat interactions | Providing AI-powered health and nutrition guidance |
2.2 For Legitimate Uses (Section 7)
Ensuring security and preventing fraud
Compliance with Indian law and regulations
Medical emergencies (if applicable, with appropriate safeguards)
3. Consent Mechanism
3.1 How We Obtain Consent
3.2 Withdrawing Consent
You may withdraw your consent at any time by:
Declining the consent screen (you will be logged out)
Deleting your account: Settings > Delete Account
Revoking device permissions through your device's settings
Disabling notifications: Settings > Notification Preferences
Contacting us: privacy@curanova.ai
Withdrawing consent will not affect the lawfulness of processing carried out before the withdrawal. Some services may become unavailable after consent is withdrawn.
4. Rights of Data Principals
4.1 Right to Access Information (Section 11)
You can view all your personal data within the App (Profile, Health Dashboard, Reports)
You can request a summary of your data processing activities by contacting us
4.2 Right to Correction and Erasure (Section 12)
Correction: Edit your personal information through Settings > Edit Profile
Erasure: Request deletion through Settings > Delete Account
Timeline: Account deletion is processed within 30 days of the grace period ending
Confirmation: You will receive a confirmation email when deletion is scheduled and when it is completed
4.3 Right to Data Portability
Export your data: Settings > Privacy & Data > Download My Data
Format: Your data is compiled into a ZIP file and sent to your registered email address
Contents: All personal data, health records, activity logs, and genomic data associated with your account
Processing time: Export requests are typically processed within 72 hours
4.4 Right to Grievance Redressal (Section 13)
You may raise a grievance with our Grievance Officer (details in Section 1 above)
We will acknowledge your grievance within 48 hours
We will resolve your grievance within 30 days
If unsatisfied, you may approach the Data Protection Board of India
4.5 Right to Nominate (Section 14)
You may nominate another individual to exercise your rights in the event of your death or incapacity
To register a nominee, contact privacy@curanova.ai
5. Data Processing for Children
5.1 Parental/Guardian Consent
GenExcel allows parents and legal guardians to manage health data of their minor children
We process children's personal data only with verifiable parental or guardian consent
Parents/guardians maintain full control over their children's data, including the ability to view, edit, export, and delete it
5.2 Safeguards
We do not perform behavioural tracking or targeted advertising on children's data
We do not process children's data in any manner that is likely to cause harm to them
Children's genomic and health data is subject to the same security measures as adult data (AES-256 encryption, secure storage)
6. Data Processors and Cross-Border Transfers
6.1 Data Processors
| Processor | Country | Purpose | Safeguards |
|---|---|---|---|
| Google Cloud / Firebase | US/India | Push notifications, crash reporting, file storage | Google Cloud DPA, encryption |
| Google Gemini AI (Vertex AI) | US/India | Food image analysis (NutriScan) | Processed via our backend, no direct user access |
| OpenAI | United States | AI chat assistance (Helix Chat) | Processed via our backend, no direct user access |
| Telemedicine Provider | India | Video consultations | Encrypted WebSocket connections |
6.2 Cross-Border Data Transfers
Your data may be transferred to countries where our data processors operate
All transfers comply with the provisions of the DPDP Act regarding data transfer to permissible jurisdictions
We ensure that adequate safeguards (contractual obligations, encryption) are in place before transferring data
7. Data Security Measures
In compliance with Section 8 of the DPDP Act, we implement the following reasonable security safeguards:
Encryption: AES-256 encryption for data at rest; TLS/HTTPS for data in transit
Secure Authentication: JWT tokens stored in device secure storage (iOS Keychain / Android EncryptedSharedPreferences)
Minimal Local Storage: Personal data kept in memory only during active sessions; no PII persisted in unencrypted local storage
Access Controls: Role-based access controls on all backend systems
Token Management: Push notification tokens deactivated on logout and deleted on account deletion
Regular Audits: Periodic security assessments and vulnerability testing
8. Data Breach Notification
In the event of a personal data breach:
We will notify the Data Protection Board of India as required under the DPDP Act
We will notify affected Data Principals without unreasonable delay
Notification will include the nature of the breach, data affected, and remedial measures taken
We maintain an incident response plan for prompt breach detection and response
9. Retention and Deletion
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Account data | Until account deletion + 30-day grace period | Permanent deletion after grace period |
| Health measurements | Until user deletes or account deletion | Permanent deletion |
| Genomic data | Until user deletes or account deletion | Permanent deletion |
| Nutrition & activity logs | Until user deletes or account deletion | Permanent deletion |
| Telemedicine records | As required by healthcare regulations | Per regulatory requirements |
| Push notification tokens | Until logout or account deletion | Automatic deactivation/deletion |
| AI chat history | Until user clears or account deletion | Permanent deletion |
10. Significant Data Fiduciary Obligations
If Curanova is designated as a Significant Data Fiduciary under the DPDP Act, we will:
Appoint a Data Protection Officer (DPO) based in India
Appoint an independent data auditor
Conduct periodic Data Protection Impact Assessments (DPIA)
Publish findings of such audits as required
11. Updates to This Notice
This notice may be updated to reflect changes in law or our data practices
Material changes will be communicated through in-app notifications
The latest version will always be available at genexcel.ai/dpdp
12. Contact and Grievance Redressal
For questions, concerns, or grievances regarding data processing:
| Grievance Officer | [Name] |
| Email | grievance@curanova.ai |
| Phone | [Phone number] |
| Address | [Full address] |
| Response Time | Acknowledgement within 48 hours; resolution within 30 days |
If your grievance is not resolved satisfactorily, you may file a complaint with the Data Protection Board of India as established under the DPDP Act, 2023.