Privacy Policy

1. Identity of the data fiduciary

This Privacy Policy is issued under the Digital Personal Data Protection Act, 2023 (DPDPA 2023), read with the Information Technology Act, 2000 and the Consumer Protection Act, 2019, as applicable. The data fiduciary for personal data collected on this website is Vynza Pharmaceuticals Pvt. Ltd., a company incorporated under the laws of India. Registered office: Plot No. 115, Phase 1, Industrial Area Phase 1, Panchkula, Haryana 134113. EX1 (Exact Nutrition) is a brand of Vynza Pharmaceuticals Pvt. Ltd.

2. Purpose of processing and lawful basis

Each processing activity below is tagged with its lawful basis under DPDPA 2023 (consent under Section 6, or legitimate use under Section 7).

• Newsletter signup, to send periodic updates about EX1 products, science articles, and brand announcements. Lawful basis: explicit consent at the point of signup (Section 6).
• Customer support, to respond to enquiries sent to care@ex1nutrition.com. Lawful basis: legitimate use, to respond to a service request you initiated (Section 7).
• Site analytics, to understand aggregate traffic patterns and improve site usability. Lawful basis: legitimate use for service improvement, on a cookieless, non-identifying basis (Section 7).
• Legal and regulatory compliance, where retention or disclosure is required by Indian law. Lawful basis: legal obligation under DPDPA Section 7(d).

3. Categories of personal data collected

• Email address, when you subscribe to The EX1 Journal newsletter.
• Email body content, name, and any details you voluntarily share when you email care@ex1nutrition.com.
• IP address and browser metadata, collected via Cloudflare Web Analytics in a privacy-respecting, cookieless manner.

We do not collect financial data, government identifiers, or health condition data on this website. Purchases happen on Amazon India under Amazon's own privacy terms; we do not receive customer transaction data beyond aggregate sales reports.

Children's data: EX1 products are formulated for adults and our marketing is directed at adults. We do not knowingly collect personal data from individuals under 18 years of age. If you believe a minor has provided us personal data, email care@ex1nutrition.com and we will delete it. Where DPDPA 2023 requires verifiable parental consent for any future processing of a minor's data, we will obtain that consent before processing.

4. Recipients and third-party processors

Personal data may be processed by the following third-party services that EX1 relies on for site infrastructure and communications:

• Cloudflare: content delivery network and Web Analytics. Data may transit through Cloudflare's global edge, including the Singapore region for traffic from the Indian subcontinent.
• Google Workspace: email handling for the care@ inbox.
• Amazon India: for product purchases. Amazon's own privacy policy governs transactions on their platform. EX1 does not receive your name, address, or payment data through Amazon beyond aggregate sales reports.
• Resend: email delivery for EX1 Updates (welcome email on signup and bulk newsletter sends). Data processed in the United States. See Resend's privacy policy.
• Anthropic: used at content-generation time only to draft EX1 Updates newsletter copy. Subscriber personal data is not sent to Anthropic; only product and blog content from the site is included in prompts. See Anthropic's privacy policy.
• Cloudflare D1: subscriber email and consent metadata (timestamp, IP address, and user agent captured at signup) are stored in a D1 database in the Asia-Pacific region, separate from the CDN-only Cloudflare relationship described above.
• Cloudflare Turnstile: CAPTCHA challenge on the newsletter signup form to mitigate automated abuse. Processes IP and challenge-interaction signals at the moment of signup. See Cloudflare's privacy policy.

5. Retention periods

• Newsletter email addresses: retained until you unsubscribe via the link in every email or by emailing care@ex1nutrition.com. Unsubscribed records are retained for 30 days for audit purposes before deletion.
• Newsletter consent metadata (consent timestamp, IP address, and user agent recorded at signup): retained alongside the subscriber record for the same period as above. This is the DPDPA Section 6 audit trail evidencing your explicit consent.
• Email correspondence with care@: retained for 24 months from the date of last interaction.
• Cloudflare Web Analytics data: 90 days (Cloudflare default).

6. Your rights as a data principal under DPDPA 2023

Under the Digital Personal Data Protection Act, 2023 (DPDPA 2023), you have the following rights as a Data Principal:

• Right to access information about personal data (Section 11 of DPDPA 2023): obtain a summary of personal data being processed, the processing activities, and the identities of data fiduciaries and processors with whom your data is shared.
• Right to correction and erasure (Section 12): request correction of inaccurate or incomplete personal data, or erasure of personal data that is no longer necessary for the purpose for which it was processed, subject to legal retention requirements.
• Right of grievance redressal (Section 13): file a complaint with the Grievance Officer named in Section 7 below. The Grievance Officer is required to respond within the period prescribed by DPDPA 2023.
• Right to nominate (Section 14): nominate any other individual who shall, in the event of your death or incapacity, exercise these rights on your behalf.
• Right to withdraw consent: where processing is based on your consent, you may withdraw that consent at any time by emailing care@ex1nutrition.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Right to port your data to another service, where technically feasible.

To exercise any of these rights, email care@ex1nutrition.com with the subject line "DPDPA Request" and a description of the right you wish to exercise. We respond within 30 days of receipt.

7. Grievance Officer

As required under Section 13 of DPDPA 2023, EX1 has designated a Grievance Officer for the resolution of any complaint relating to personal data processing.

• Name: Ayush Goyal
• Designation: Grievance Officer
• Email: care@ex1nutrition.com (subject line: "Grievance")
• Response SLA: 30 days from receipt of grievance, per the timeline prescribed by DPDPA 2023

If your grievance is not resolved within the SLA, you may escalate to the Data Protection Board of India, which is the appellate authority constituted under Chapter V of DPDPA 2023.

8. Cross-border data transfer

Because Cloudflare operates a global edge network, IP address and request metadata may transit through Cloudflare data centres outside India, including but not limited to Singapore. This transfer is incidental to content delivery, not a deliberate export of personal data. We do not store personal data outside India.

9. Cookies and similar technologies

This website does not use third-party tracking cookies. The Cloudflare Web Analytics beacon is first-party and collects no personally identifiable data beyond what is needed to compute aggregate traffic statistics. No advertising, social-media, or behavioural-tracking cookies are placed on your device by EX1.

10. Policy updates

We review this Privacy Policy at least once every six months and update it when our data practices materially change. The Last reviewed date at the top of this page reflects the most recent review. Material changes are communicated to newsletter subscribers ahead of taking effect.

11. Data breach notification

In the event of a personal data breach, EX1 will notify the Data Protection Board of India and each affected Data Principal in the manner and within the timelines prescribed under Section 8(6) of DPDPA 2023. We will provide a description of the breach, the categories and approximate number of Data Principals affected, the likely consequences, and the measures taken or proposed to mitigate the effect.

12. Security

We implement reasonable security safeguards proportionate to the volume and sensitivity of personal data we process, including transport-layer encryption (HTTPS) for all data in transit, access controls on internal systems, and vendor selection that prioritises providers with established security certifications. No system is fully secure, and we make no warranty that breaches cannot occur.