Privacy Policy

Table of contents

Effective Date: 15/01/2026

Last Updated: 15/01/2026

This Privacy Policy explains how Centenarians Life Sciences Private Limited ("Company", "Decode Age", "we", "us", "our"), a company incorporated in India and operating the brand Decode Age, collects, processes, stores, uses, and protects personal data when any individual ("Customer" "Member" "User", "you", "your") accesses or interacts with our official website www.decodeage.com, our Mobile Application, or any related online services, tools, or interfaces made available by us (collectively, the "Platform"). By accessing or using any part of the Platform, creating an account, making a purchase, or voluntarily submitting information, you acknowledge and consent to the processing of your personal data in accordance with this Privacy Policy.

This Privacy Policy is issued in compliance with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, along with all applicable Indian data-protection requirements. Your continued use of the Platform constitutes acceptance of the terms described herein, and this Privacy Policy shall be read harmoniously with the Company's Terms and Condition and any additional notices or policies governing your interaction with Decode Age.

SCOPE OF THE POLICY

This Privacy Policy governs the collection, use, processing, storage, and disclosure of personal data obtained through the Company's Website and Mobile Application, including information submitted or generated in connection with User accounts, purchases, payment processing, customer communication, support interactions, analytics tools, marketing activities, and any other functionality made available as part of the Platform.

This Policy does not apply to categories of data that are regulated under separate privacy frameworks, including:

Decode biome related data, such as biological samples, genetic or microbiome test results, diagnostic interpretations, or any health-linked insights processed under the distinct decode biome privacy terms; and

Enterprise or business-facing services, including B2B integrations, partner dashboards, or corporate solutions operated by the Company under independent contractual and privacy arrangements.

ELIGIBILITY

Access to and use of the Platform is permitted only to individuals who:

have attained 18 (Eighteen) years of age; and

possess the legal capacity to enter into valid and binding contracts under the laws of India.

By accessing or using the Platform, the User represents and warrants that they meet these eligibility requirements.

The Platform is not intended for use by minors. If the Company becomes aware that personal data belonging to an individual below 18 (Eighteen) years of age has been collected without appropriate parental or guardian consent, the Company shall take prompt steps to delete such information from its systems in accordance with applicable law.

CATEGORIES OF USERS FROM WHOM PERSONAL DATA IS COLLECTED

The Company collects and processes personal data from individuals who interact with the Platform in any of the following capacities:

Visitors, being individuals who browse, access, or interact with the Platform without creating an account or completing a purchase; and

Customers/Members, being individuals who create an account, place an order, subscribe to notifications or marketing communications, or otherwise use the Products or Services offered through the Platform.

The nature and extent of personal data collected may vary depending on the manner in which the User engages with the Platform, including whether the User browses the Platform as a Visitor or transacts as a Customer/Member. Additional information may be collected where required for payment processing, customer support, delivery fulfilment, security safeguards, or compliance obligations.

CATEGORIES OF PERSONAL DATA COLLECTED

Personal Data Voluntarily Provided by the User: The Company collects and processes personal data that You submit directly while creating an account, placing an order, subscribing to communications, requesting support, or otherwise interacting with any functionality of the Platform. Such information may include, without limitation:

Full name and contact details (email address and mobile number);

Residential, billing, and shipping addresses;

Account credentials and login identifiers used for authentication (including sign-ins via Google, Facebook, or other permitted identity providers);

Profile information, communication preferences, and any data shared when contacting customer support or responding to surveys;

Transactional details necessary for order fulfilment, including product selections and delivery-related inputs.

The Platform does not permit guest checkout; therefore, provision of certain details is mandatory for account establishment and order processing. Subscription to newsletters or marketing communications is strictly optional and requires explicit opt-in consent through Platform interfaces.

Data Collected Automatically Through Technology: When You access, browse, or use any component of the Platform, the Company automatically collects certain technical, diagnostic, and behavioural information generated by Your device or browsing activity. This may include:

IP address, device identifiers, browser type, operating system, and network information;

Page requests, navigation paths, search queries, clickstream data, and interaction patterns;

Timestamps, session frequency, duration, and access logs;

Telemetry data collected for performance analysis, security monitoring, and fraud-prevention measures.

Such information is captured through cookies, pixels, tags, SDKs, and server-side logs deployed across the Platform. All automated data collection is undertaken in accordance with the Company's Cookie Policy https://decodeage.com/pages/cookie-policy, which details the specific tracking technologies used and the choices available to Users.

Data Received from Third Parties and Integrated Services: The Company may receive certain categories of personal data about You from authorised third-party sources that support Platform operations or facilitate account creation, payments, logistics, or user authentication. Such information is obtained strictly to the extent required for the relevant transaction or service and may include:

Identity and Contact Information shared by payment service providers (such as GoKwik, Juspay, PayU, or Easebuzz) necessary for payment confirmation, fraud checks, chargeback handling, and transaction reconciliation;

Verified Login Information received from external authentication partners (Google or Facebook) when You choose to log in using single-sign-on credentials, such as verified email address, profile name, or unique account identifier;

Order and Fulfilment Data provided by logistics partners, including delivery status, shipment tracking details, and confirmation of successful or failed delivery attempts;

Review and Feedback Information submitted through external review integrators (such as Judge.me) including ratings, comments, timestamps, and verification tags;

All such information is provided to the Company in accordance with the respective third party's privacy practices and subject to compliance with applicable data-sharing obligations. The Company does not receive, collect, or process any data from third parties unless it is reasonably necessary for the provision of services, fulfilment of contractual obligations, or compliance with law. No data is purchased, rented, or obtained from unauthorised sources.

PURPOSE OF PROCESSING PERSONAL DATA

We process personal data strictly for lawful, explicit, and legitimate purposes in accordance with applicable data protection laws and in a manner that is reasonably expected in the context of your use of the Platform. Each category of Personal Data is used only to the extent necessary for the purposes stated below and for no other incompatible purpose.

Account Creation, Verification and User Management: To create and authenticate User accounts, enable secure login, prevent unauthorized access, maintain account preferences, and administer account-related settings, including integration with third-party login providers.

Order Processing, Fulfilment and Payments: To process orders, facilitate payments, manage invoices, handle cancellations, replacements, refunds, schedule deliveries, and provide shipment tracking updates. This includes sharing necessary information with logistics partners, payment intermediaries, and support vendors involved in fulfilling your transaction.

Customer Assistance and Grievance Handling: To respond to queries, complaints, service requests, warranty claims (if applicable), and general support interactions, including call-back requests, chat records, and issue escalation management.

Mandatory and Transactional Service Communications: To send essential communications such as OTP verifications, order confirmations, dispatch alerts, delivery notifications, policy updates, security alerts, and any communication strictly required for providing the contracted service.

Marketing and Promotional Communications (Consent-Based): To send newsletters, promotional offers, campaigns, discount alerts, product recommendations and brand updates through email, SMS, WhatsApp or other permitted channels, strictly subject to your explicit and revocable consent captured through Shopify or Platform-integrated consent mechanisms.

Analytics, Performance Enhancement and Security Monitoring: To analyse browsing behaviour, evaluate Website usage trends, improve functionality, diagnose technical issues, enhance user experience, monitor system performance, prevent fraudulent transactions, detect suspicious or unlawful activities, and ensure overall Platform integrity.

Legal, Regulatory and Compliance Obligations: To comply with tax, accounting, consumer protection, KYC (if applicable), and statutory record-keeping requirements; respond to lawful requests or directions from governmental authorities; and establish, exercise, or defend legal claims.

Personalisation and User Experience Enhancement: To tailor content, product recommendations, browsing experience, and interface settings based on your interactions, past purchases, preferences, and Platform engagement patterns, without profiling that results in legal or significant effects.

Internal Business Operations & Quality Control: To conduct internal audits, quality checks, service performance reviews, vendor monitoring, bug-resolution activities, and operational troubleshooting. This includes aggregated reporting for business insights while ensuring that such reporting does not personally identify you.

Prevention of Abuse, Misuse and Security Incidents: To safeguard the Platform from misuse, spam, malware, fraudulent activities, unauthorized payment attempts, or any behaviour that may compromise security, disrupt operations, or endanger other Users or the platform.

Record Maintenance and Contractual Necessity: To maintain transaction history, communication logs, consent records, and other information required to fulfil contractual obligations between you and the Company, including post-sale support and dispute management.

Service Development, Testing and Improvement: To test new features, carry out user-interface improvements, measure effectiveness of updates, and develop new products or services. To the extent feasible, such activities use aggregated or de-identified data.

Any Other Purpose Disclosed at the Time of Collection: To process personal data for any additional purposes that are disclosed explicitly at the point of data collection and for which your consent is separately obtained, wherever required by applicable law.

CONSENT

By accessing, using, or continuing to use the Website, or by voluntarily providing any personal data, you hereby provide your free, informed, and unequivocal consent for the collection, use, storage, disclosure, and processing of your personal data strictly in accordance with this Privacy Policy and as required under applicable data protection laws.

Where the processing of personal data requires explicit consent particularly for marketing and promotional communications the Platform shall obtain such consent at the point of collection through clear, affirmative opt-in mechanisms. Marketing communications shall be sent only after valid consent is recorded. You may withdraw such consent at any time by:

selecting the "unsubscribe" option available in any marketing email; or

submitting a withdrawal request to grievance@decodeage.com

Upon withdrawal, all marketing communications shall cease within a reasonable processing period.

You acknowledge that withdrawal of consent for personal data necessary for core operational activities including order processing, payment facilitation, delivery fulfilment, account servicing, fraud prevention, or other essential transactional functions may impair or prevent the Company's ability to provide services. Such withdrawal shall not affect any processing undertaken prior to the date of withdrawal, nor shall it override processing mandated under legal, regulatory, accounting, or contractual obligations.

Where required by law, the Company may rely on grounds other than consent (such as legitimate interests, statutory requirements, or contractual necessity) for specific categories of processing. In such cases, withdrawal of consent shall not limit or restrict the Company's right or obligation to continue processing such data.

SHARING OF PERSONAL DATA

General Principles: The Company does not sell, rent, or trade personal data under any circumstance. Personal data is disclosed solely on a strict need-to-know basis to third-party service providers who are engaged for legitimate business functions and are contractually bound to maintain confidentiality, ensure data integrity, and use such data exclusively for authorised purposes in accordance with applicable laws. All third-party engagements are governed by written agreements incorporating industry-standard security obligations.

E-Commerce Infrastructure & Payment Processing: For hosting, order management, payment initiation, subscription billing, fraud checks, and related transactional operations, personal data may be shared with: (a) Shopify Inc., as the primary e-commerce platform provider; (b) Juspay (Breeze), including subscription mandate processing; (c) GoKwik, for checkout optimisation and fraud mitigation; (d) PayU and Easebuzz, including recurring payment mandates. The Company does not receive or store highly sensitive financial information such as full card numbers, CVV codes, or UPI PINs; such information is processed exclusively by the respective PCI-DSS-compliant payment intermediaries.

Logistics, Fulfilment & Shipment Management: To enable order dispatch, shipping, international delivery, tracking, and returns, personal data necessary for logistics operations may be shared with: (a) Shiprocket; (b) Bluedart, including for cross-border shipments; (c) Amazon Multi-Channel Fulfilment (MCF). Only essential details such as recipient name, address, and contact information are shared to facilitate successful delivery.

Marketing, Analytics & User Engagement Tools: For communication, performance analytics, remarketing, customer engagement, and operational insights, the Company may share limited data with authorised platforms, including: (a) WebEngage, BiteSpeed, Nitro X / Nitro Ads, KwikEngage; (b) Google Analytics, Google Tag Manager, Google Ads; (c) Meta Pixel, Microsoft Clarity; (d) Infobip, 360dialog, and TrustSignal for messaging and verification workflows. Such data is restricted to what is strictly required for campaign delivery, performance measurement, fraud detection, and platform optimisation.

Reviews, Feedback & Affiliate Networks: For review collection, customer verification, and affiliate program administration, the Company may share essential user details with: (a) Judge.me for authentic review processing; (b) Simple Affiliate for affiliate management and attribution tracking.

Safeguards for Third-Party Disclosures: Every third-party service provider is subject to confidentiality obligations, data-processing restrictions, and mandatory compliance with applicable data-protection standards. They are expressly prohibited from using personal data for any unauthorised or independent commercial purpose.

DATA RETENTION

Personal data is retained only for the period strictly necessary to fulfil the lawful purposes for which it was collected, or for such extended periods as mandated under applicable Indian laws, consumer-protection requirements, and statutory record-keeping obligations. Data stored and processed through Shopify, the Company's primary e-commerce infrastructure, remains associated with the User account for the subsistence of the contractual relationship and thereafter for the statutory retention period.

Statutory and Operational Retention Periods:

Active Accounts: Personal data relating to a User with an active account remains stored for the entire duration of the commercial relationship, including order management, support services, and compliance reporting.

Terminated or Deleted Accounts: Upon account deletion, essential records (including invoices, transaction details, and financial information) are retained for 7 (seven) years to comply with mandatory obligations under applicable regulations.

Marketing and Promotional Data: Retained until the User withdraws consent or opts out through any available mechanism, upon which processing immediately ceases, except where limited retention is required for audit or compliance purposes.

Analytics and Technical Data: Held in accordance with the standard lifecycle enforced by analytics platforms, including Google Analytics' default retention period of 26 (twenty-six) months, unless extended or reduced by user-defined configuration.

System Logs and Security Data: Retained for a reasonable period necessary for fraud prevention, dispute resolution, security monitoring, and enforcing contractual rights.

Secure Disposal, Anonymization & Archival: Upon expiry of the applicable retention period, personal data is either: (a) Securely deleted, using industry-standard deletion protocols that prevent recovery or reconstruction; or (b) Irreversibly anonymized, ensuring that the data can no longer identify any individual and may thereafter be used for statistical, analytical, research, or operational purposes; or (c) Archived, where legally mandated, under secure, access-controlled environments compliant with applicable laws and internal governance policies. The Company ensures that any destruction or anonymization process is documented, auditable, and executed in alignment with reasonable security practices and procedures as recognised under Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

DATA STORAGE AND INTERNATIONAL TRANSFERS

Personal data collected and processed through the Website may be stored on secure servers operated by Shopify, which maintains primary data centres in Canada and auxiliary processing infrastructure in the United States. Such storage is undertaken to ensure platform reliability, redundancy, efficient order processing, and continuity of services. All storage environments are governed by Shopify's certified security controls, operational policies, and industry-standard compliance frameworks.

By accessing, using, or continuing to interact with the, placing orders, or submitting personal data, you expressly acknowledge and consent to the transfer, storage, and processing of your personal data in jurisdictions outside India, subject to the protections and safeguards described herein and permitted under applicable law.

DATA SECURITY AND BREACH NOTIFICATION

The Company implements appropriate technical and organisational measures to preserve the confidentiality, integrity, and availability of personal data processed through the Platform. Such measures include, without limitation, encryption during transmission and storage, tiered access controls, continuous system monitoring, secure hosting environments, audit logging, and periodic security assessments. All security practices are aligned with recognised industry standards and are reviewed periodically to address evolving threats and ensure compliance with applicable law.

Shopify, as the primary e-commerce and data-hosting infrastructure, maintains PCI DSS (Payment Card Industry Data Security Standard) compliant payment environments and adheres to SOC 2 Type II (System and Organization Controls 2 Type II) certified security controls. These certifications reflect adherence to audited standards relating to data security, operational integrity, and controlled access. All third-party processors engaged by the Company are contractually required to implement comparable safeguards.

In the event of any personal-data breach affecting information originating from or controlled by the Company, an investigation shall be initiated without delay, and appropriate remedial measures shall be undertaken. Where the breach is likely to cause harm to Users, the Company shall notify the affected Users and the Data Protection Board of India within the timelines mandated under the Digital Personal Data Protection Act, 2023, which currently requires notification within 72 (Seventy-two) hours of becoming aware of the incident. Notifications shall include the nature of the breach, categories of data affected, likely consequences, and the measures taken or proposed to mitigate potential risks.

USER RIGHTS

Rights to Access, Correction, and Deletion: Subject to applicable Indian laws, including the Digital Personal Data Protection Act, 2023, Users are entitled to: (a) Request access to the personal data processed by the Company and stored in their account or dashboard. (b) Correct or update any inaccuracies in their personal information to ensure accuracy and completeness. (c) Request deletion of personal data, except where retention is necessary to comply with statutory, regulatory, contractual, or legal obligations.

Users may withdraw previously provided consent for the processing of personal data at any time. Withdrawal of consent may affect the Company's ability to provide certain services, including order fulfilment, account management, and other essential functionalities.

Where automated systems or algorithms are employed, including anti-fraud or risk-assessment systems, Users are entitled to request human review of decisions affecting them.

All requests to exercise these rights, including access, correction, deletion, or withdrawal of consent, may be submitted via email to grievance@decodeage.com The Company shall verify the identity of the requesting User and respond in a timely manner, in accordance with applicable legal requirements.

The exercise of these rights shall be subject to applicable statutory, contractual, or regulatory restrictions, including requirements to retain data for legal compliance, audit purposes, dispute resolution, or legitimate business interests.

COOKIES AND TRACKING TECHNOLOGIES

The Company employs cookies, pixels, tags, and other tracking technologies on the Platform to enhance functionality, improve user experience, monitor website performance, conduct analytics, and deliver personalized content and marketing communications.

These technologies may collect information such as device identifiers, browser type, operating system, IP address, access time, pages visited, clickstream data, and session duration. Such data is used solely for operational, analytical, and marketing purposes, in accordance with applicable laws.

By using the Platform, Users consent to the placement of cookies and similar technologies on their devices. Users may manage or withdraw consent through browser settings or other tools provided by the Platform. Disabling certain cookies may affect the availability or functionality of some features.

Details regarding the types of cookies, their purpose, duration, and management options are provided in the Cookie Policy https://decodeage.com/pages/cookie-policy, which forms an integral part of this Privacy Policy.

THIRD-PARTY LINKS

The Platform may contain links to external websites, applications, payment gateways, social media platforms, review systems, or other third-party services ("Third-Party Services"). These Third-Party Services are operated independently and are not controlled, owned, or managed by the Company.

The Company does not assume any responsibility for the privacy practices, content, security, or compliance of Third-Party Services. Accessing such services is at the User's own risk.

Users are advised to review the privacy policies, terms of use, and data-handling practices of all Third-Party Services before interacting with or providing personal information to such platforms. The Company shall not be liable for any loss, disclosure, or misuse of personal information arising from such interactions.

UPDATES TO THIS PRIVACY POLICY

The Company reserves the right to amend, modify, or update this Privacy Policy at its sole discretion to comply with applicable laws, reflect changes in business practices, or enhance data protection measures. Any such updates will be published on the Platform with the revised "Last Updated" date prominently indicated. Users are encouraged to review the Privacy Policy periodically to remain informed of any changes. In cases where material modifications affect the processing of personal data or Users' rights, the Company shall obtain fresh consent prior to implementing such changes. Continued access to or use of the Platform after publication of the updated Policy constitutes acceptance of the revised terms.

GRIEVANCE REDRESSAL

In compliance with applicable Indian laws, including the Digital Personal Data Protection Act, 2023, the Company has designated a Grievance Officer responsible for addressing complaints and concerns related to personal data:

Name: Nirav Pancholi

Designation: Chief Technology Officer

Email: grievance@decodeage.com

Registered Office: 1004–1005, Central Business Hub, Parle Point, Surat – 395007, Gujarat, India

The Grievance Officer shall address complaints, disputes, and queries regarding the collection, storage, processing, sharing, or deletion of personal data. Users may submit their grievances in writing, providing sufficient details to enable prompt investigation and resolution.

Acknowledgment of receipt of grievances will be provided within 48 (forty-eight) hours. The Company aims to resolve complaints promptly, with a final response provided within 10 (ten) working days from the date of receipt, subject to the complexity of the issue.

CONTACT INFORMATION

For any questions, clarifications, or concerns relating to this Privacy Policy or the Company's data processing practices, Users may contact:

Centenarians Life Sciences Private Limited

Email: grievance@decodeage.com

Website: www.decodeage.com

All communications regarding personal data, access requests, correction, deletion, or consent withdrawal should be sent to the designated email address. Users are advised to provide accurate and complete information to facilitate timely and effective resolution.

The Company may provide further guidance or clarification in response to inquiries about privacy, data security, and User rights in accordance with applicable laws and regulatory requirements.

FAQ

What information does Decode Age collect about me?

We collect personal information that you provide when creating an account, interacting with our Services, or communicating with us. This includes details such as your name, email address, date of birth, gender, and contact number. We may also collect automatically generated information, like device details, IP address, browsing history, and usage patterns, as well as information from third-party sources such as social media platforms and analytics partners.

How does Decode Age use my personal information?

We use your personal information to provide and improve our Services, personalize your experience, communicate with you about updates, offer customer support, analyze usage patterns, and ensure the security of our platform. We may also use your data to comply with legal obligations.

How long does Decode Age retain my personal information?

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, or as required or permitted by law.

How does Decode Age protect my personal information?

We implement reasonable security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. We are committed to protecting your data through industry-standard security practices.

What rights do I have over my personal information?

As a user in India, you have the right to access, correct, update, or request the deletion of your personal information. You can also object to the processing of your data for direct marketing purposes. To exercise these rights, please contact us using the details below.

Does Decode Age collect information from children?

No, our Services are not intended for children under the age of 18. We do not knowingly collect personal information from children. If you believe that your child has provided us with personal information, please contact us, and we will take steps to remove it.

Does Decode Age use third-party websites or services?

Yes, our Services may contain links to third-party websites or services. We are not responsible for their privacy practices, so we encourage you to review their privacy policies before engaging with them.

How can I contact Decode Age regarding privacy concerns?

If you have any questions or concerns about our Privacy Policy or privacy practices, please contact us at:

Does Decode Age comply with privacy and data protection laws?

Yes, Decode Age complies with various international standards for data security and privacy. We are HIPAA-compliant, meeting GDPR, NEN 7510, and IRAP requirements, and certified under HITRUST CSF. We also follow government-approved standards such as FedRAMP and DoD compliance.

Will this Privacy Policy be updated?

Yes, we may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated Privacy Policy on our website. By continuing to use our Services after such updates, you accept the revised terms.

Explore the Open World of Longevity, Free E-book Inside