Privacy Policy
Last updated: March 2026
FitNFresh ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains what personal information we collect when you visit our website (fitnfresh.in), create an account, place an order, or interact with our services — and how we use, store, and safeguard that information. By using our website, you consent to the practices described here.
1. Information We Collect
a. Account Information
When you register for an account, we collect your full name, email address, and password (stored as a securely hashed value — we never store your plain-text password).
b. Order & Shipping Information
When you place an order or submit an order request, we collect your shipping name, phone number, complete delivery address (including house/flat number, street, city, state, and PIN code), and any additional delivery notes you provide. For international orders, we collect equivalent address details along with your country and postal code.
c. Payment Information
All online payments are processed securely through Razorpay, a PCI-DSS compliant payment gateway. We do not store your card number, CVV, UPI ID, or net banking credentials on our servers. We only retain the Razorpay Order ID, Payment ID, and payment status for order record-keeping and GST compliance.
d. Usage & Technical Data
We may collect browser type, IP address, referring URL, pages visited, and session duration through server logs and standard web technologies. This data is used in aggregate form to improve website performance and user experience and is not linked to your personal identity.
2. How We Use Your Information
- Order Processing: To create, confirm, dispatch, and track your orders; issue GST-compliant invoices; and handle cancellations or refunds.
- Transactional Emails: To send order confirmation, shipping updates, delivery notifications, cancellation approvals, refund intimations, and password reset emails. These are not marketing emails and cannot be unsubscribed from, as they relate directly to your transactions.
- Customer Support: To respond to your queries, complaints, or cancellation requests submitted through the website or via email.
- Compliance: To maintain tax and financial records as required under the Goods and Services Tax Act, 2017 and other applicable Indian laws.
- Fraud Prevention: To detect and prevent fraudulent transactions, duplicate orders, or misuse of our platform.
3. Cookies & Session Data
We use essential cookies and session storage to operate the website. These include:
- Authentication cookies to keep you logged in across page visits.
- Cart session data to persist your shopping cart between pages.
- Currency preference — your selected display currency (INR, USD, GBP, or CAD) is stored in your session and detected from your IP address region on first visit using a third-party geolocation service (ip-api.com).
- CSRF tokens to protect form submissions from cross-site request forgery attacks.
We do not use advertising, tracking, or third-party analytics cookies. You can disable cookies in your browser settings, though this may affect website functionality (cart, login).
4. Third-Party Services
Razorpay (Payment Gateway)
Razorpay processes all online payments on our platform. When you pay online, you interact directly with Razorpay's secure checkout. Your card or UPI data is governed by Razorpay's Privacy Policy. We receive only a payment reference and status in return.
Email Delivery Service
Transactional emails (order confirmations, shipping updates, password resets) are sent via a third-party email delivery provider. Your email address and order-related data are transmitted to this service solely for the purpose of delivering these emails.
IP Geolocation (Currency Detection)
On your first visit, your IP address is sent to ip-api.com to determine your approximate country for currency display purposes. This data is cached for 24 hours and is not used for tracking or profiling.
5. Data Access & Admin Controls
Our internal admin team can access order data, customer contact details, and shipping information strictly for the purpose of order fulfilment, customer support, and GST compliance. Admin access is role-controlled and limited to authorised personnel. Admins do not have access to your payment instrument details, which are held exclusively by Razorpay.
6. Data Retention
- Order records (including invoices and GST data) are retained for a minimum of 7 years as required under the GST Act, 2017 and Indian accounting standards.
- Account data is retained for as long as your account remains active. Upon account deletion, personal data not required for legal compliance is deleted within 30 days.
- Session data and cookies are temporary and expire when you close your browser or as configured in your browser settings.
7. Data Security
We implement industry-standard security measures to protect your data:
- All data transmission uses HTTPS / TLS encryption.
- Passwords are stored using bcrypt hashing — never in plain text.
- All form submissions are protected with CSRF tokens.
- Payment verification uses HMAC-SHA256 signature validation via Razorpay — no payment is marked as successful without server-side verification.
- Admin panel access is restricted by role-based authentication middleware.
8. Your Rights
As a user, you have the following rights with respect to your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Update your profile information directly from your account settings, or contact us to correct any inaccuracies.
- Deletion: Request deletion of your account and associated personal data. Note that order records may be retained for legal compliance purposes.
- Portability: Request an export of your order history and account data in a readable format.
To exercise any of these rights, email us at privacy@fitnfresh.in.
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we do, we will update the "Last updated" date at the top of this page. Continued use of the website after any changes constitutes your acceptance of the updated policy.
10. Contact Us
For any privacy-related queries, data requests, or concerns, please reach out to us: