Healthcare, Fitness & Wellness

Cult.fit (erstwhile Cure.fit)

Ready Score 45/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 14 Mar 2026

Cult.fit's privacy policy, last updated in September 2021, predates the Digital Personal Data Protection Act 2023 and consequently shows significant compliance gaps. It transparently lists the categories of personal and sensitive data collected (including biometric and health information) and gives a contact for data modification and deletion requests, but its consent framework is bundled with the service terms and so fails the 'free, specific, informed, unconditional and unambiguous' standard of Section 6. Critical omissions include undefined data retention periods (Section 8(7) requires erasure once consent is withdrawn or the purpose is served), no statement of the Data Principal's rights under Sections 11 to 14 (including the right to nominate), and no grievance mechanism with the Data Protection Board of India as the escalation path (Section 13). Its blanket cross-border transfer clause also needs revision to honour any restrictions the Central Government notifies under Section 16 and the stricter sectoral localisation rules that Section 16(2) preserves. Finally, the policy's reliance on the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 for security is a baseline, not a substitute for the security-safeguard, breach-notification and accountability duties of Section 8 of the DPDP Act, especially given the sensitivity of the data Cult.fit processes.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference — still relies on IT Act 2000 framework
  • Consent mechanism bundled with service terms — not 'freely given' or granular per Section 6
  • Data retention period undefined — uses 'reasonable period' or 'as long as law requires' language
  • No mention of Data Protection Board as grievance escalation authority
  • Cross-border transfer clause is a blanket 'within or outside India' consent: no named destinations, no commitment to honour Section 16 restrictions or stricter sectoral localisation rules, and only a 'best efforts' promise of equivalent protection
  • Nomination rights under Section 14 not addressed
  • Limited self-service mechanisms for exercising Data Principal rights

✅ Strengths

  • Comprehensive data collection disclosure — categories including biometric and health data clearly listed
  • Clear policy of not knowingly collecting personal information from individuals under 18 years of age
  • Email contact provided for data modification/deletion requests
  • Compliance with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 for security is mentioned

Overview

Cult.fit (formerly Cure.fit) is a prominent health and fitness platform in India, offering a range of services including physical fitness centers, online classes, nutrition plans, mental wellness programs, and healthcare services. As a platform that collects extensive personal data, including sensitive health and biometric information, its privacy policy is subject to strict scrutiny under India’s Digital Personal Data Protection Act 2023.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent 🔴

Cult.fit’s consent mechanism is bundled with the terms of service and website usage. Beyond the website-visit clause quoted below, the policy states: “By using the Services and Products, you accept the terms hereof and hereby consent to the storage and processing of personal information and SPDI by third parties and in any of location within or outside India. You hereby consent to collection of such information.” This “take it or leave it” approach falls short of Section 6(1), which requires consent to be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, and limited to the personal data necessary for the specified purpose. There are no granular consent options for distinct processing purposes, so a user cannot consent to, say, workout tracking while declining marketing or sharing with partners.

What the policy says: “By visiting or using our website www.cultfit.in… you acknowledge that you accept the practices and policies outlined in this privacy policy. In addition, you hereby render your consent to us so as to enable us to collect, use, and share your information in the following ways as detailed below.”

DPDP requirement (Section 6): Consent must be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, and limited to the personal data necessary for the specified purpose. The request for consent must be accompanied or preceded by a notice under Section 5 stating the data and purpose, how the Data Principal can exercise her rights, and how she can complain to the Board. Consent may be withdrawn at any time, and withdrawal must be as easy as giving it (Section 6(4)).

Gap: Consent is obtained through implied acceptance of terms rather than an explicit, granular, freely given affirmative action per purpose, and the policy describes no withdrawal mechanism at all, let alone one as easy as the original click-through acceptance.

Section 7 — Certain Legitimate Uses ⚠️

The policy lists a wide range of personal information, including what the 2011 SPDI Rules treat as sensitive personal data (“name, user name, email address, gender, birth date, weight, height, location, nutrition data, workouts, physical activity, photographs, biometric information, and sleep habits”), collected for service provision, personalisation and potential marketing. Under Section 4 of the DPDP Act, processing is lawful only with the Data Principal's consent or for one of the “certain legitimate uses” enumerated in Section 7, which are narrow: data the Data Principal voluntarily provided for a specified purpose without objecting to its use, State functions and benefits, legal obligations, medical emergencies, public health, disasters, and employment. (The DPDP Act itself has no separate “sensitive” category; all personal data is governed by the same rules.)

Gap: Cult.fit’s stated uses for general service improvement, personalisation and sharing with partners do not fit any Section 7 legitimate use, so they must rest on valid, purpose-specific consent, which the bundled consent mechanism does not provide.

Section 8 — Obligations of Data Fiduciary ⚠️

The policy cites the pre-DPDP security regime: “This Website and our collection of information through our Services complies with the security formalities and procedures envisaged by Information Technology Rules, 2011 with regard to reasonable security practices and procedures and sensitive personal data or information.” It also states: “We endeavor to protect the privacy of your account and other personal information we hold in our records, but we cannot guarantee complete security.” Compliance with the 2011 SPDI Rules is a baseline only. Section 8(5) of the DPDP Act requires a Data Fiduciary to protect personal data in its possession or control, including data processed on its behalf by a Data Processor, through reasonable security safeguards to prevent a personal data breach, and Section 8(6) requires that any breach be notified to the Data Protection Board and to each affected Data Principal. Note also that Section 44 of the DPDP Act omits Section 43A of the IT Act 2000, the provision under which the 2011 Rules were made, so a policy resting on those Rules alone has no statutory footing once the Act is in force.

Strength: Disclosure of compliance with the IT Rules, 2011. Gap: The policy does not describe the technical and organisational measures actually in place (encryption of data at rest and in transit, pseudonymisation of health and biometric records, access control, periodic security audits) and contains no breach-notification commitment of the kind Section 8(6) mandates.

Section 8(7) — Data Retention and Erasure 🔴

Critical gap. The policy uses vague language regarding data retention: “We will retain Your personal information for a reasonable period or as long as the law requires.”

DPDP requirement (Section 8(7)): Unless retention is necessary to comply with a law in force, the Data Fiduciary must erase personal data when the Data Principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, and must cause its Data Processors to erase it too. This presupposes that each purpose has a defined end point, which in practice means documented retention periods per data category.

Gap: The policy gives no retention period for any category of data, no deletion trigger tied to consent withdrawal or purpose completion, and no account of what a “reasonable period” is, leaving health and biometric data retained indefinitely at Cult.fit's discretion. This ambiguity is a significant compliance risk under DPDP.

Sections 11 to 14 — Rights of Data Principal ⚠️

Cult.fit acknowledges only a right to request deletion or modification by e-mail: “If you’d like us to delete/modify Information that you have provided via the Website or otherwise to us, please contact us at hello@cure.fit and we will respond in a reasonable time.” This falls short of the rights the DPDP Act grants.

DPDP requirement: Section 11 gives the Data Principal the right to obtain a summary of the personal data being processed and the related processing activities, the identities of all other Data Fiduciaries and Data Processors with whom it has been shared, and any other prescribed information; Section 12 gives the right to correction, completion, updating and erasure; Section 13 gives the right to grievance redressal; and Section 14 gives the right to nominate another person to exercise these rights in the event of death or incapacity.

Gap: The policy does not set out the right of access to processing information or the identities of recipients, offers no self-service mechanism for exercising any right, commits to no response timeline beyond “a reasonable time”, and makes no mention of nomination under Section 14.

Section 13 — Right of Grievance Redressal ⚠️

The policy provides only a general e-mail contact for inquiries and data modification/deletion requests: hello@cure.fit.

DPDP requirement (Section 13, read with Sections 8(9) and 8(10)): The Data Fiduciary must establish a readily available grievance redressal mechanism, publish the business contact information of its Data Protection Officer (where it is a Significant Data Fiduciary) or of a person able to answer Data Principals' questions about processing on its behalf, and respond to grievances within the period prescribed under the DPDP Rules. A Data Principal must exhaust this mechanism before approaching the Data Protection Board of India (Section 13(3)).

Gap: The policy names no grievance contact or responsible officer, commits to no response timeline, and does not mention the Data Protection Board of India as the body to which unresolved grievances can be escalated.

Section 16 — Cross-Border Data Transfer ⚠️

The policy states that personal information and sensitive personal data (SPDI) may be transferred and processed “in any of location within or outside India” and that they will “make best efforts to ensure that the third party or the location to which the SPDI is transferred affords same level of data protection as would be afforded under Indian law.”

DPDP requirement (Section 16): The Act takes a negative-list approach. Transfer of personal data outside India is permitted unless the Central Government, by notification, restricts transfer to a particular country or territory (Section 16(1)), and any Indian law that imposes a higher degree of protection or a stricter localisation requirement on specific data or fiduciaries continues to apply (Section 16(2)). The Data Fiduciary also remains responsible under Section 8(1) for compliance in respect of any processing done on its behalf by a Data Processor, wherever that processor is located.

Gap: Cult.fit’s policy extracts a blanket consent to transfer and process data “within or outside India” without naming destination countries, without any commitment to honour restrictions notified under Section 16(1) or the stricter sectoral rules preserved by Section 16(2), and with only a “best efforts” promise, rather than a binding obligation on the recipient, that the overseas recipient will afford Indian-law-level protection. For health and biometric data this is a material gap.

Risk Assessment

Category                                    Risk Level
Consent & Notice                            High
Legitimate Uses                             Medium
Obligations of Data Fiduciary (Security)    Medium
Data Retention                              High
Rights of Data Principal                    High
Grievance Redressal                         High
Cross-Border Data Transfer                  High
