Overview
HealthifyMe is a major health-tech platform handling some of the most sensitive information a person can share: weight, medical history, heart rate, and dietary habits. Under the DPDP Act, HealthifyMe is a Data Fiduciary, the entity that decides why and how your personal data is processed, and you are the Data Principal, the individual the data relates to.
Because they handle health data, the stakes are incredibly high. If this data leaks or is misused, it’s not just a privacy issue; it’s a personal safety and insurance risk for the user.
DPDP Readiness: Section-by-Section Analysis
Sections 5 & 6 — Notice & Consent 🔴
HealthifyMe uses what is commonly called “bundled consent”: its privacy terms are folded into the general Terms of Use, and merely using the app is treated as agreement to all of them. The DPDP Act does not recognise this as consent.
What the policy says: “By accessing the Website, the App… you agree to be bound by this Agreement and the terms contained in it.”
What the law requires: Under Section 6, consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the stated purpose. Under Section 5, every request for consent must be accompanied or preceded by a notice stating what personal data is collected, for what purpose, how you can exercise your rights, and how to complain to the Data Protection Board of India. You cannot be required to accept data sharing just to use a calorie counter.
The problem: There is no way to unbundle your choices; you either accept everything or you cannot use the app. Agreement implied by “accessing the Website” is not a clear affirmative action, and consent conditioned on unrelated processing is not unconditional, so the consent is invalid under Section 6.
Section 7 — Certain Legitimate Uses 🔴
The law allows a company to process your data without consent only in the specific cases enumerated in Section 7 (for example, a medical emergency, or data you volunteered for a stated purpose). HealthifyMe, however, takes a far broader approach.
What the policy says: “The information provided by you may be shared by us with any third party… for any other purposes.”
What the law requires: Under Section 4, personal data may be processed only with your consent or for one of the legitimate uses listed in Section 7, and in either case only for the purpose that ground covers. “Any other purposes” matches none of those grounds and would not survive scrutiny by the Data Protection Board.
The problem: This clause gives the company a “blank check” to do whatever they want with your health stats.
Section 8 — Obligations of Data Fiduciary ⚠️
HealthifyMe's policy mentions “security procedures” and tells you to keep your login credentials “confidential.”
What the law requires: Under Section 8, a Data Fiduciary must implement reasonable security safeguards to prevent a personal data breach and, if a breach occurs, must notify both the Data Protection Board and each affected Data Principal. It remains responsible for this even where a third-party processor handles the data on its behalf.
The problem: While the policy mentions basic security measures, it is silent on the company's duty to notify you of a breach. It spends more words on your duty to keep your password safe than on their duty to keep the database safe.
Sections 8(7) & 12 — Data Retention & Erasure 🔴
How long does HealthifyMe keep your weight logs and food photos after you delete the app? The policy doesn’t say.
What the policy says: “Your profile may be deleted by us… if we believe that you have violated any of the conditions.”
What the law requires: Under Section 8(7), once the purpose for which the data was collected is no longer being served (for example, you close your account) or you withdraw consent, the company must erase the data and have its processors erase it, unless a specific law requires retention. Section 12 also gives you the right to demand erasure directly.
The problem: The policy gives no retention period and no erasure commitment. Deletion is described only as a sanction the company may apply against you, not as something you can require. Your health data could stay on their servers indefinitely.
Sections 6(4) & 14 — Rights of the Data Principal ⚠️
As the Data Principal (the person the data belongs to), you have new superpowers under the DPDP Act.
The problem:
- Under Section 14, you have the right to nominate someone to exercise your rights if you die or become incapacitated. HealthifyMe's policy does not mention this.
- Under Section 6(4), withdrawing consent must be as easy as giving it. While they allow opting out of emails, withdrawing consent for the core health data is buried and difficult.
Section 13 — Right of Grievance Redressal 🔴
If you’re unhappy with how they treat your data, you need a clear path to complain.
What the policy says: It directs users to help@healthifyme.com for unauthorized use.
What the law requires: Under Section 13, the company must provide a readily available means of grievance redressal and respond within the prescribed period; under Section 8(9) it must publish the contact details of a Data Protection Officer or another person able to answer your questions about the processing; and the Section 5 notice must explain how to complain to the Data Protection Board of India. Only after you have exhausted the company's own process can you approach the Board.
The problem: The policy names no dedicated grievance contact beyond a general support address, sets no response time, and does not tell you that you can escalate to the Board.
Section 16 — Cross-Border Data Transfer ⚠️
HealthifyMe is a global company. Your health data might be sitting on a server in Virginia or Singapore.
What the policy says: They mention “Subsidiaries and Affiliates around the world” providing services.
What the law requires: Section 16 permits transfer of personal data outside India except to countries the Central Government has restricted by notification, and any sectoral law imposing a higher standard continues to apply. The Data Fiduciary remains responsible for the data wherever it is processed.
The problem: The policy is too vague. It doesn’t tell you which countries your data is going to or how it’s protected once it leaves India.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory Fine | High | Up to ₹250 crore for failing to take reasonable security safeguards against a breach, and up to ₹200 crore for failing to notify one. |
| Invalid Consent | High | With bundled consent, the processing has no lawful basis under Section 4. |
| Data Retention | Medium | Keeping sensitive health data indefinitely, with no erasure commitment, is a large and growing liability. |
| User Rights | Medium | No way for users to nominate someone to exercise their rights, and no stated path to the Data Protection Board. |
Recommendations
- Unbundle your consent: Create a pop-up that lets users choose: “Yes to calorie tracking” but “No to sharing my data with third-party advertisers.”
- Add a “Delete My Data” button: Don't make people email support. Give them a clear, one-click way to exercise their Section 12 right to erasure, and make sure the deletion propagates to every processor holding a copy.
- Appoint a Grievance Officer: Clearly list a name and contact for someone whose only job is to handle DPDP privacy complaints.
- Update the Notice: Publish a “Privacy Notice” that is separate from the “Terms of Service” and is shown at or before the point of consent, listing the data collected, the purposes, how to withdraw consent and how to complain to the Board. Make it readable for a 10th grader.
- Add Nomination Rights: Include a simple field in the user profile, “In case of death or incapacity, who should exercise your data rights?”, as required by Section 14.
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.