Privacy Policy

1. Who This Applies To

This Privacy Policy applies to anyone who:

• Visits healthxlab.com
• Creates a customer account
• Places an order with us
• Subscribes to our emails or SMS communications
• Interacts with us via social media, email, phone, or WhatsApp

The data controller responsible for your personal data is Saroj Biotech Private Limited, operating as HealthX Labs, registered in India. For privacy-related matters, contact us at support@healthxlab.com.

2. Information We Collect

We only collect information that is necessary to serve you well. Here's what we collect and why:

Personal Information — Collected when you register, order, or contact us:

• Full name
• Email address
• Phone number
• Delivery address (street, city, state, PIN code)
• Payment method type (e.g., card, UPI) — payment credentials are NOT stored by us and are handled entirely by PCI-DSS compliant payment processors

Usage Data — Collected automatically when you browse our website:

• IP address and approximate location
• Browser type and version
• Pages visited and time spent
• Session duration and click behaviour (via Google Analytics)

Device Data:

• Device type (mobile, desktop, tablet)
• Operating system
• Referring URL (how you arrived at our site)

Order & Purchase Data:

• Order history and product purchases
• Returns and refund interactions
• Product preferences and review submissions

3. How We Use Your Data

Your data is used specifically for the following purposes:

• Fulfil, process, and manage your orders from placement to delivery
• Send order confirmations, shipping updates, and delivery notifications
• Respond to customer service enquiries, complaints, and return requests
• Improve our website, product listings, and customer experience
• Send marketing emails, offers, or product updates — only if you have opted in
• Comply with our legal and tax obligations under Indian law (GST, FSSAI, consumer protection)
• Detect, prevent, and investigate fraud or misuse of our platform

We will never use your data for purposes not listed here without informing you first.

4. Legal Basis for Processing

Under India's Digital Personal Data Protection Act (DPDPA) 2023 and the IT Act 2000, we process your personal data on the following legal grounds:

• Contract fulfilment — Processing your order, managing payments, and arranging delivery
• Legitimate interest — Fraud prevention, website security, and improving our product and service quality
• Consent — Marketing emails, SMS, and WhatsApp communications. You can withdraw consent and unsubscribe at any time
• Legal obligation — Maintaining GST records, complying with FSSAI regulations, and responding to lawful government requests

5. Who We Share Data With

We share your data only with trusted service providers who help us operate our business. Each third party is bound by a data processing agreement and is only permitted to use your data for the specific purpose we engage them for:

• Payment processors (e.g., Razorpay, PayU) — to securely process your transactions
• Courier and logistics partners (e.g., Delhivery, Bluedart, DTDC) — to fulfil and deliver your order
• Analytics providers (Google Analytics) — to understand website usage via anonymised, aggregated data
• Email and SMS service providers — to send transactional and marketing communications
• Legal authorities — only when required to do so by law, court order, or government directive

We do not share your data with any advertising networks, data brokers, or unrelated third parties.

6. Cookies

Our website uses cookies — small text files stored in your browser — to provide a better experience. Here's what we use:

• Essential cookies — Required for the website to function (cart, checkout, login sessions). Cannot be disabled.
• Analytics cookies — Google Analytics tracks page views, session duration, and user journeys in anonymised form to help us improve the site.
• Marketing/retargeting cookies — Used to show relevant ads on third-party platforms. Only set if you have consented.

You can manage or delete cookies at any time through your browser settings. Disabling analytics or marketing cookies will not affect your ability to browse the website or place an order.

7. Data Security

We take the protection of your personal data seriously and implement industry-standard security measures, including:

• SSL/TLS encryption for all data transmitted between your browser and our website
• Strict access controls — only authorised personnel can access customer data
• Secure cloud hosting with regular backups
• Payment data handled exclusively by PCI-DSS certified payment processors

While we take every reasonable precaution, no method of internet transmission or electronic storage is 100% secure. In the unlikely event of a data breach that affects your rights, we will notify you as required under applicable law.

8. Data Retention

We retain your data only for as long as necessary. Here's our retention schedule:

• Order and transaction records — 7 years (required under GST and tax compliance rules)
• Account data — Retained until you delete your account or request erasure
• Marketing preferences and email lists — Until you unsubscribe or withdraw consent
• Analytics data — 26 months (Google Analytics default retention)
• Customer support records — 2 years after case resolution

After the applicable retention period, data is securely deleted or anonymised.

9. Your Rights (DPDPA 2023)

Under India's Digital Personal Data Protection Act 2023, you have the following rights regarding your personal data:

• Right to access — Request a copy of the personal data we hold about you
• Right to correction — Ask us to correct any inaccurate or outdated personal data
• Right to erasure — Request deletion of your personal data where legally permissible (note: some data must be retained for legal compliance)
• Right to withdraw consent — Unsubscribe from marketing communications at any time, without affecting your ability to purchase
• Right of nomination — Nominate another individual to exercise your data rights on your behalf in the event of your incapacity or death

To exercise any of these rights, email us at support@healthxlab.com with your request. We will acknowledge your request within 72 hours and respond fully within 30 days.

10. Children's Privacy

Our products are intended for adults aged 18 years and above. We do not knowingly collect, store, or process personal data from individuals under the age of 18.

If you believe that a child under 18 has provided us with personal information, please contact us immediately at support@healthxlab.com and we will take prompt steps to delete that data.

11. Third-Party Links

Our website may contain links to third-party platforms — including social media profiles, blog references, or partner websites. Clicking these links will take you away from healthxlab.com.

We are not responsible for the privacy practices, content, or data handling of any third-party websites. We encourage you to read their privacy policies before sharing any personal information.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do, we will update the "Last Updated" date at the top of this page.

For significant changes that materially affect your rights, we will notify you via email (if we hold your address) or a prominent notice on our website.

Your continued use of healthxlab.com after changes are posted constitutes your acceptance of the revised policy.

13. Contact Our Privacy Team

For any privacy-related questions, data requests, or concerns, please get in touch:

• Email: support@healthxlab.com
• Postal address:
  Saroj Biotech Private Limited
  28, Mahalaya Bunglows, B/h Kargil Petrolpump
  Sola, Ahmedabad, Gujarat – 380060, India

We will acknowledge your request within 72 hours and aim to resolve it within 30 days.