Privacy Policy

IMPORTANT — PLEASE READ CAREFULLY

This Privacy Policy is an electronic record in terms of the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). This document is published in accordance with the Consumer Protection (E-Commerce) Rules, 2020 and Rule 3(1) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules 2021). It is generated by a computer system and does not require any physical or digital signatures.

This Privacy Policy describes how Performance Hydration Private Limited ("Company", "We", "Us", or "Our") collects, uses, stores, processes, shares, and protects your personal data when you access or use the website www.hydro365.com (the "Website") or purchase our HydRo 365 products. It applies to all users of the Website, including registered account holders and guest visitors.

By accessing the Website or creating an account, you acknowledge that you have read, understood, and agreed to this Privacy Policy. If you do not agree, please discontinue use of the Website.

1. Data Fiduciary – Company Details

Performance Hydration Private Limited is the Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Data Controller for the purposes of the Information Technology Act, 2000 and applicable rules thereunder. Our details are as follows:

Company Name

Performance Hydration Private Limited

Brand Name

HydRo 365

CIN

U10712MH2025FTC446475

GSTIN

27AANCB4922E1ZP

FSSAI Licence No.

11526997000086

Registered Office

Level 2 & 3, Birla Centurion, Pandurang Budhkar Marg, Worli, Century Mill, Mumbai – 400030, Maharashtra, India

Website

www.hydro365.com

Grievance Officer

Ravi Khatri - ravi@hydro365.com

2. Scope of this Privacy Policy

   This Policy applies to personal data collected:

  • through the Website, including during account registration, product browsing, order placement, and checkout;

  • through customer support interactions (email, chat, and phone);

  • through marketing communications (email, SMS, and WhatsApp); and

  • indirectly through third-party analytics and advertising tools integrated with the Website.

    This Policy does not apply to third-party websites, payment processors, logistics providers, or other external services to which the Website may link. We encourage you to review the privacy policies of those third parties independently.

3. Personal Data We Collect

We collect only the personal data that is reasonably necessary for the purposes described in this Policy. We currently collect the following categories of personal data:

3.1 Account and Registration Data

When you create an account on the Website, you are required to provide:

  • Full name;

  • Email address;

  • Phone number; and

  • At least one delivery address.


You may save multiple delivery addresses to your account for convenience. We do not collect date of birth, gender, government-issued identification numbers, or any information about your physical or biological characteristics.

3.2 Order and Transaction Data

When you place an order, we collect and retain:

  • Order details (products, quantities, flavours, net amount);

  • Delivery address selected for the order;

  • Pricing, discounts, and promotional codes used (retained as part of order history);

  • The last four digits of your payment card, cardholder name, and transaction reference number, for order tracking and refund purposes.


We do not collect or store full card numbers, CVV/CVC codes, net banking credentials, or UPI PINs. All payment processing is handled by EaseBuzz, a PCI-DSS-compliant payment gateway. EaseBuzz may store card details for the purpose of saved cards or recurring mandates, subject to their own privacy policy and applicable RBI guidelines.

3.3 Communications Data

When you contact us through email or chat:

  • We store transcripts of email and chat-based customer support conversations.

  • We intend to record inbound customer service calls for quality and training purposes. Where applicable, you will be informed of call recording at the start of the call.

  • Retention of support communications: 2 years from the date of the interaction (subject to review upon finalisation of our data retention policy).

3.4 Technical and Device Data

When you visit the Website, we automatically collect:

  • Browser type, device type, operating system, and screen resolution (via Shopify and Google Analytics);

  • IP address (collected via Google Analytics and Meta Pixel; approximate location may be inferred from your IP address; IP data retained for up to 90 days, subject to review);

  • Session data (pages visited, duration, referring URLs, cart contents) via session cookies; and

  • Persistent preference data via persistent cookies (proposed retention: 12 months).


We do not collect IMEI numbers, IDFA/AAID mobile advertising identifiers, or precise GPS-based location data. The Website does not have a mobile application at this time.

3.5 Cookies and Tracking Technologies

We use the following types of cookies and tracking technologies on the Website:

  • Session cookies: used to maintain your login session and cart contents; expire automatically when you close your browser;

  • Persistent cookies: used to remember your preferences across sessions; proposed duration of 12 months;

  • Google Analytics cookies: used for anonymised website usage analysis; and

  • Meta Pixel: used for advertising measurement, retargeting, and behavioural analysis.


A cookie consent banner is provided on the Website (implemented via Shopify). Granular opt-in and opt-out functionality for non-essential cookies is being finalised with our development team and will be implemented prior to launch in compliance with the DPDP Act, 2023 and applicable TRAI guidance on electronic privacy.


You may also manage cookies through your browser settings. Disabling cookies may affect the functionality of the Website, including your ability to maintain your session or complete a purchase.

3.6 Marketing Communications Data

Where you have opted in to receive marketing communications, we collect and process:

  • Email address (for email marketing via Brevo and/or the email service provider selected by us);

  • Phone number (for SMS marketing);

  • WhatsApp-registered phone number (for WhatsApp communications via WATI); and

  • Email engagement data: open rates and link clicks (tracked via email service provider).


We do not collect marketing preferences or communication data from users who have not explicitly opted in.

3.7 Data We Do Not Collect

For the avoidance of doubt, we do not collect any of the following:

  • Health, fitness, or wellness data (including weight, height, allergies, medical conditions, medications, or fitness goals);

  • Biological or genetic data;

  • Financial data beyond what is described in Clause 3.2 above;

  • Religious, caste, or political beliefs;

  • Sexual orientation or gender identity;

  • Government-issued identification numbers (Aadhaar, PAN, Passport, etc.); or

  • Children's personal data (our Website and products are intended for users aged 18 and above).


None of the above categories constitutes Sensitive Personal Data or Information (SPDI) as defined under the SPDI Rules, 2011, or a special category of personal data as contemplated under the DPDP Act, 2023. We do not process SPDI 

4. Purposes and Legal Bases for Processing

Under the DPDP Act, 2023, we process your personal data on the following legal bases and for the following purposes:


Contract Performance

Processing your account registration, order placement, payment facilitation, and delivery. Legal basis: performance of a contract to which you are a party (Section 7(b), DPDP Act 2023).

Legitimate Interests

Fraud detection and prevention; website security; customer support; analytics to improve Website performance; retention of support transcripts for quality assurance. Legal basis: legitimate interests of the Company, provided your rights and interests are not overridden (Section 7(d), DPDP Act 2023; Rule 3, SPDI Rules 2011).

Consent

Marketing communications (email, SMS, WhatsApp); use of non-essential cookies (Google Analytics, Meta Pixel); retargeting and advertising. Legal basis: your free, specific, informed, unconditional, and unambiguous consent (Section 6, DPDP Act 2023). You may withdraw consent at any time (see Clause 9 below).

Legal Obligation

Retention of transaction data for GST/tax compliance, regulatory reporting obligations under FSSAI, and compliance with orders from competent courts or law enforcement. Legal basis: compliance with applicable law (Section 7(c), DPDP Act 2023).

Reasonable Expectation

Personalisation of future product recommendations based on your purchase history, where such personalisation is based on your prior purchases and is reasonably expected by you. Legal basis: purposes for which personal data is reasonably expected to be used (Section 7(f), DPDP Act 2023 – to be confirmed once email personalisation tool is selected).

5. Sharing of Personal Data – Third-Party Service Providers

We share your personal data only with the third-party service providers listed below, solely to the extent necessary to fulfil the purposes described in this Policy. All third-party processors are contractually required to handle personal data securely, to process it only for authorised purposes, and not to disclose it to any other party.


Service Provider

Purpose

Personal Data Shared

Country

EaseBuzz

Payment processing

Payment data (masked card details, transaction reference, cardholder name)

India

Emiza

Logistics & fulfilment

Name, phone number, delivery address

India

Unicommerce

Order management

Order data, name, delivery address (integrated with Emiza)

India

Shopify

Website hosting & e-commerce platform

All order data, account data, browsing behaviour

USA

Google Analytics

Website analytics

Anonymised browsing and behaviour data; IP address (anonymised)

USA

Meta Pixel

Advertising & retargeting

Browsing and behaviour data; approximate location from IP

USA

WATI

WhatsApp messaging

Phone number, name, message content

To be confirmed

Brevo

Email CRM & marketing

Name, email address, behavioural data (opens, clicks)

France


We do not sell, rent, or otherwise trade your personal data to any third party for their independent marketing or commercial purposes.


Where we onboard additional third-party service providers in the future (for example, additional marketing or analytics tools), this Policy will be updated and you will be notified in accordance with Clause 14.

6. Disclosure to Government Authorities and Law Enforcement

We may disclose your personal data to government authorities, law enforcement agencies, or courts of competent jurisdiction where:

  • We are legally obligated to do so under applicable Indian law (including the IT Act, DPDP Act, FSSAI Act, Consumer Protection Act, or orders of a competent court or tribunal);

  • Disclosure is necessary to protect the rights, property, or safety of the Company, its customers, or the public; or

  • Disclosure is necessary to detect, prevent, or investigate fraud, cybercrime, or other illegal activity.


We will, to the extent permissible under applicable law, endeavour to notify you of any such disclosure where we are required to make it.

7. Cross-Border Transfer of Personal Data

Several of our third-party service providers (including Shopify, Google Analytics, and Meta Pixel) are based outside India and may process your personal data in the United States or other jurisdictions. Under Section 16 of the DPDP Act, 2023, the transfer of personal data outside India is permissible only to countries or territories notified as permissible by the Central Government.


As the Central Government has not yet notified the list of permissible countries under the DPDP Act, 2023, we are currently operating under the transitional provisions of the IT Act, 2000 and the SPDI Rules, 2011, which permit cross-border transfers where the recipient country ensures a comparable level of data protection or where you have consented to the transfer.


We will update this Policy and our third-party vendor arrangements promptly upon notification by the Central Government of permissible destination countries, to ensure full compliance with Section 16 of the DPDP Act, 2023 and the DPDP Rules, 2025. Where any service provider is located in a non-notified country, we will implement contractual safeguards or obtain your specific consent for such transfers.

8. Data Retention

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:


Account and registration data

Retained for the duration of your account, plus 2 years after account deletion (for compliance and dispute resolution purposes).

Order and transaction data

Retained for 7 years from the date of the transaction, in compliance with GST record-keeping requirements under the CGST Act, 2017.

Delivery address data

Retained for the duration of your account. You may delete saved addresses at any time via your account settings.

Customer support transcripts

Retained for 2 years from the date of the interaction. Subject to formal review upon finalisation of our data retention policy.

Call recordings (if implemented)

Retention period to be confirmed internally; proposed retention period of 90 days.

IP address data

Up to 90 days (via Google Analytics and Meta Pixel settings, subject to finalisation).

Cookie data (persistent)

Up to 12 months from the date the cookie is set (subject to finalisation with our development team).

Marketing preferences and consent records

Retained for 3 years from the date of consent or from the date of last interaction, whichever is later, for compliance demonstration purposes.

Anonymised analytics data

May be retained indefinitely in anonymised, non-identifiable form.


At the end of the applicable retention period, personal data will be securely deleted or anonymised in accordance with our data deletion procedures.

9. Your Rights as a Data Principal

Under the DPDP Act, 2023 (Sections 11 to 14), you have the following rights in respect of your personal data. You may exercise any of these rights by contacting our Grievance Officer at the details set out in Clause 12.

9.1 Right to Access Information

You have the right to obtain from us a summary of the personal data we hold about you and a list of the Data Processors (third-party service providers) to whom your personal data has been or is being disclosed.

9.2 Right to Correction and Erasure

You have the right to request that we correct inaccurate or incomplete personal data we hold about you, and to request erasure of your personal data where it is no longer necessary for the purpose for which it was collected, or where you have withdrawn your consent and there is no other legal basis for processing.


Requests for erasure are subject to our legal retention obligations (see Clause 8 above). Where data must be retained for a legal purpose, we will inform you accordingly.

9.3 Right to Grievance Redressal

You have the right to have grievances relating to the processing of your personal data addressed by our Grievance Officer. For the procedure and timelines applicable to data-related grievances, please refer to Clause 12 of this Policy.

9.4 Right to Nominate

You have the right to nominate an individual who shall, in the event of your death or incapacity, exercise your rights under the DPDP Act, 2023 on your behalf. To register a nominee, please contact the Grievance Officer.

9.5 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal. You may:

  • Opt out of marketing emails by clicking the "Unsubscribe" link in any marketing email;

  • Opt out of promotional SMS by replying "STOP" to any promotional SMS;

  • Opt out of WhatsApp marketing by contacting us at care@hydro365.com with "WhatsApp Opt-Out" in the subject line;

  • Manage cookie preferences via the cookie consent banner on the Website; and

  • Request deletion of your account and associated personal data by contacting the Grievance Officer.


Please note that withdrawal of consent to process data necessary for order fulfilment may affect your ability to place orders or use certain features of the Website.

9.6 Right to Escalate to the Data Protection Board

If you are dissatisfied with our response to a data-related grievance, you will have the right to approach the Data Protection Board of India upon its establishment under the DPDP Act, 2023 (Section 28). We will update this Policy with the Board's contact details and complaint filing procedure once the Board is constituted and operational.

10. Consent, Marketing Communications, and Opt-Out

10.1 Basis of Consent

Where we rely on consent as the legal basis for processing (including for marketing communications and non-essential cookies), we obtain your consent through a separate, explicit, and affirmative opt-in action. We do not rely on pre-ticked boxes, bundled consents, or consent implied from inaction.

10.2 Marketing Consent at Checkout

The following opt-in checkbox is presented at checkout for communications consent:


“I consent to receiving order updates and promotional communications from HydRo 365 via SMS and WhatsApp on the phone number provided, and via email to the email address provided. I understand that I can withdraw this consent at any time by replying STOP to any SMS, by contacting us to opt out of WhatsApp messages, or by clicking Unsubscribe in any marketing email.”


This checkbox is unchecked by default and constitutes a standalone consent distinct from the purchase transaction. Declining to check this box will not affect your ability to place an order.

10.3 Transactional Communications

Transactional communications (including order confirmations, shipping updates, delivery notifications, and refund confirmations) are sent automatically as they are necessary for the performance of your purchase contract and do not require a separate consent.

10.4 DND / NCPR Compliance

SMS and voice call marketing communications will only be sent to mobile numbers in compliance with the Telecom Commercial Communications Customer Preference Regulations, 2018 (as administered under the Telecommunications Act, 2023). Where your number is registered on the DND/NCPR registry, you will not receive unsolicited promotional SMS or voice calls from us, save to the extent expressly permitted under applicable TRAI regulations.

10.5 Email Marketing

Promotional and marketing emails are sent only to users who have explicitly opted in. We track email open rates and link clicks through our email service provider for the purpose of measuring campaign effectiveness. Email personalisation based on your purchase history or browsing behaviour may be implemented in the future, subject to appropriate disclosure and (where required) separate consent.

11. Data Security

We implement reasonable technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, loss, or destruction, in compliance with Rule 8 of the SPDI Rules, 2011 and Section 8(5) of the DPDP Act, 2023. These measures include:

  • SSL/TLS encryption for data in transit over the Website;

  • Secure payment processing through EaseBuzz (PCI-DSS compliant); we do not store full card numbers or CVV/CVC codes on our servers;

  • Role-based access controls to limit access to personal data to authorised personnel only;

  • Shopify's enterprise-grade infrastructure security for e-commerce data storage; and

  • Periodic review of our security measures.


In the event of a personal data breach that is likely to result in a risk to your rights or interests, we will notify you and the Data Protection Board of India in a timely manner in accordance with the requirements of the DPDP Act, 2023 and the DPDP Rules, 2025.


You are responsible for maintaining the confidentiality of your account credentials. Please notify us immediately at care@hydro365.com if you suspect any unauthorised access to your account.

12. Grievance Redressal

In accordance with the IT Act, 2000 (Rule 5(9), SPDI Rules 2011), the IT Rules, 2021, the DPDP Act, 2023, and the Consumer Protection (E-Commerce) Rules, 2020, we have designated the following Grievance Officer:


Grievance Officer

Ravi Khatri

Company

Performance Hydration Private Limited

Address

Level 2 & 3, Birla Centurion, Pandurang Budhkar Marg, Worli, Century Mill, Mumbai – 400030, Maharashtra, India

Email

care@hydro365.com

Phone

+91 8097416642

Support Hours

Monday – Saturday, 10:00 AM – 6:00 PM (IST)


Grievances will be handled as follows:

  • Grievances relating to content published on the Website (including reviews, UGC, or third-party material): acknowledged within 24 (twenty-four) hours, resolved or actioned within 15 (fifteen) days of receipt, in accordance with Rule 3(2)(a) of the IT Rules, 2021.

  • Grievances relating to personal data processing or exercise of rights under the DPDP Act, 2023: acknowledged promptly, resolved within the timelines prescribed under the DPDP Rules, 2025.

  • All other consumer grievances: acknowledged within 24 (twenty-four) hours, resolved within 30 (thirty) days of receipt, in accordance with the Consumer Protection (E-Commerce) Rules, 2020.


If you are dissatisfied with our resolution, you may approach:

  • The National Consumer Disputes Redressal Commission (NCDRC) or the relevant State/District Consumer Disputes Redressal Commission under the Consumer Protection Act, 2019;

  • The National Consumer Helpline (NCH) at www.consumerhelpline.gov.in or call 1800-11-4000; and

  • The Data Protection Board of India (upon its constitution) for data-related grievances, under Section 28 of the DPDP Act, 2023.

13. Children's Personal Data

The Website, products, and services of HydRo 365 are intended exclusively for individuals aged 18 years and above. We do not knowingly collect, process, or store personal data of children below the age of 18 years.


In compliance with Section 9 of the DPDP Act, 2023, if we become aware that personal data of a minor has been inadvertently collected through the Website, we will take immediate steps to delete such data. If you believe that a minor has submitted personal data through the Website, please notify our Grievance Officer immediately at the contact details in Clause 12.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, business operations, or applicable law. Where any change is material (for example, a new category of data collected, a new purpose of processing, or a new category of third-party processor), we will:

  • notify you by email to your registered email address; and/or

  • display a prominent notice on the Website prior to the change taking effect.


For non-material changes, the updated Policy will be effective upon posting on the Website. The "Last Updated" date at the top of this Policy will reflect the date of the most recent revision. We encourage you to review this Policy periodically.


Your continued use of the Website following notification of material changes constitutes your acknowledgment of the updated Policy. Where any change requires fresh consent under the DPDP Act, 2023, we will seek that consent separately before resuming the relevant processing.

15. Language

This Privacy Policy is currently available in English. In compliance with the phased rollout requirements of the Digital Personal Data Protection Rules, 2025, we will progressively make this Policy available in additional languages listed in the Eighth Schedule of the Constitution of India, in accordance with the compliance timeline notified by the Central Government.

16. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of India. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts in Mumbai, Maharashtra, India.


© 2026 PERFORMANCE HYDRATION PRIVATE LIMITED. All rights reserved. | www.hydro365.com