Privacy Policy
Version 2.1 | Effective from December 1, 2025
Your Privacy Matters: We are committed to protecting your personal data in compliance with Indian laws including DPDPA 2023, IT Act 2000, and RBI guidelines.
1. Introduction
KadamPe IT Private Limited ("KadamPe", "we", "us", "our") operates the KadamPe mobile application ("App") and website (www.kadampe.com), collectively referred to as the "Services." The App converts verified walking steps into monetary rewards credited to your Rewards Balance, fostering a healthy and rewarding walking experience.
This Privacy Policy explains what data we collect, why we collect it, how we use it, and the choices you have regarding your personal information. We are committed to protecting your privacy in compliance with:
- Digital Personal Data Protection Act, 2023 (DPDPA)
- Information Technology Act, 2000
- RBI guidelines on data protection
- Other applicable Indian laws
2. Scope & Consent
This Privacy Policy applies to all users who install or use the App, as well as visitors to www.kadampe.com. By using the Services, you consent to the data practices described in this Policy, as well as our Terms & Conditions, Reward & Earning Policy, and Withdrawal Policy.
Important: If you do not agree with these practices, you must discontinue use of the Services and uninstall the App immediately.
3. Data We Collect
We collect the following categories of data to provide, improve, and secure the Services:
| Category |
Examples |
Purpose |
| Account Data |
Name, mobile number, email, password hash, KYC documents (PAN, Aadhaar or equivalent ID) |
Registration, user authentication, processing withdrawals, tax compliance (TDS under Section 194R), and regulatory reporting |
| Subscription & Payment Data |
Plan selected (Lite, Standard, Premium), Apple/Google order ID, Razorpay UPI/bank details, GST invoice data |
Billing for subscriptions (₹349 for Lite), processing refunds, handling disputes, and regulatory reporting |
| Device & App Data |
Device model, OS version (Android 8+, iOS 12+), unique device ID, IP address, crash logs |
Ensuring App functionality, fraud detection (multi-device logins), diagnostics, and user support |
| Health & Motion Data |
Step counts, distance, accelerometer data, optional GPS pings (via Google Fit/Apple Health) |
Calculating rewards (₹1 per 50 steps above 5,000), detecting fake steps, and analytics |
| Usage Data |
Session length, buttons tapped, Boosters bought (2× Earnings), screens viewed |
Analytics, feature improvement, personalized nudges |
| Marketing Data (Optional) |
Referral code, campaign source, push-notification tokens |
Rewarding referrals (₹25 per referral), sending promotional offers (opt-out available) |
Important Data Collection Notes:
- Location Privacy: We do not collect precise location data continuously. Brief GPS snapshots are used solely for anti-fraud purposes and are deleted after 30 days.
- KYC Requirements: KYC documents are collected only when required for withdrawals exceeding ₹50,000 annually, ensuring compliance with RBI's Master Direction on KYC, 2016.
- Health Data: Health & Motion Data is sourced from third-party integrations (Google Fit, Apple Health) with user consent.
4. How We Use Your Data
We use your data for the following purposes:
4.1 Core Functionality
- Track steps and calculate rewards (₹1 per 50 steps above 5,000)
- Manage your Rewards Balance
- Enable features like Boosters (2× Earnings) and challenges
4.2 Transaction Processing
- Process subscriptions (Lite: ₹349/month, Standard: ₹699/month, Premium: ₹1,299/month)
- Handle withdrawals (Instant Withdraw up to ₹5,000 for Premium)
- Process in-app purchases (Booster purchases)
4.3 Fraud Prevention & Security
- Detect and prevent fraud using AI-driven anomaly detection
- GPS-accelerometer cross-checks with <0.7% false-positive rate
- Multi-device login monitoring
4.4 Customer Support
- Provide support and grievance redressal
- Resolve billing disputes or fraud flags within 72 hours
4.5 Communications
- Send transactional messages (OTPs, payout alerts)
- Optional promotional notifications (with opt-out available)
Example Use Case: If you walk 6,250 steps, we use your Health & Motion Data to calculate earnings (1,250 steps above 5,000 = ₹25), credit your Rewards Balance, and send a notification ("You earned ₹25 today!"), while anonymized data may inform corporate clients about average step counts.
5. Legal Bases for Processing
We process your data under the following legal bases, as recognized under the DPDPA 2023:
- Contract Performance: To fulfill our contractual obligations (step tracking, reward calculation, withdrawals)
- Explicit Consent: For optional data processing (GPS snapshots, promotional notifications, Health & Motion Data access)
- Legal Obligation: To comply with regulatory requirements (KYC verification, TDS deductions, GST reporting)
- Legitimate Interests: For fraud prevention, security, and aggregated analytics
Consent Withdrawal: You may withdraw consent for optional processing at any time via App settings or by emailing
grievance@kadampe.app. Withdrawal does not affect the lawfulness of prior processing.
6. Data Sharing
We do not sell your personal data. Limited sharing occurs only with the following entities under strict confidentiality agreements:
6.1 Authorized Third Parties
- Payment Processors: Apple, Google, Razorpay, and NPCI-UPI banks for processing subscriptions and withdrawals
- Cloud & Analytics Providers:
- AWS (ap-south-1 Mumbai region) for secure storage ensuring data residency in India
- Firebase Crashlytics for crash diagnostics (anonymized data only)
- Amplitude for aggregate usage metrics (no personal identifiers shared)
- KYC & Compliance Vendors: Government-authorized verification APIs (UIDAI for Aadhaar validation) for KYC compliance
- Corporate Wellness Clients: Only aggregated, de-identified step totals for analytics and CSR reporting
- Legal Authorities: Law enforcement or regulators when required by law or court order
Safeguards: All partners are contractually obligated to protect your data, limit its use to the specified purpose, and comply with applicable laws, ensuring alignment with DPDPA 2023 and RBI data protection guidelines.
7. Cross-Border Transfers
7.1 Primary Storage: Your data is primarily stored and processed in India on AWS ap-south-1 (Mumbai) servers, ensuring compliance with RBI's data localization requirements.
7.2 Overseas Processing: In limited cases (analytics via Amplitude, crash reporting via Firebase), data may be processed overseas. We use adequate safeguards such as Standard Contractual Clauses (SCCs) and data protection agreements.
7.3 User Notification: If cross-border transfers expand to new jurisdictions, we will notify you via email or in-app banner, allowing you to opt-out of optional processing.
8. Data Security
🔒 Enterprise-Grade Security Measures Implemented
We implement robust security measures to protect your data:
8.1 Encryption
- Data in Transit: TLS 1.2 or higher for all API traffic
- Data at Rest: AES-256 encryption for Rewards Balance and KYC documents
- Key Management: AWS KMS with annual key rotation
8.2 Access Controls
- Least-privilege access enforced through IAM roles
- Multi-factor authentication (FIDO2 keys) required for all admin logins
8.3 Monitoring & Testing
- Continuous anomaly detection for fraud and security incidents
- Quarterly penetration testing by CREST-certified firms
- 24×7 monitoring with incident response hotline
8.4 Incident Response
- Breaches reported to CERT-In within 6 hours
- Users notified within 24 hours as per CERT-In Directions, 2022
- ISO 27001-certified AWS data centers in India
9. Data Retention
We retain your data only as long as necessary for the stated purposes or as required by law:
- Account & Financial Data: 8 years after account closure (RBI and Income-tax Act compliance)
- Health & Motion Data: 24-month rolling window; older data anonymized
- GPS Snapshots & Fraud Logs: 30 days unless under investigation
- Crash & Diagnostic Logs: 12 months for support purposes
Deletion Process: Data deletion is performed via secure wipe or irreversible anonymization. Upon account closure, you may request deletion of personal data, subject to legal retention obligations.
10. Cookies & Similar Technologies
10.1 Website Usage
The website (www.kadampe.com) uses:
- Essential Cookies: Required for core functionality (session management, authentication)
- Google Analytics: Aggregate traffic statistics with anonymized IP addresses
10.2 App Usage
The App uses device identifiers for analytics and fraud detection (no cookies).
10.3 User Control
- Disable non-essential cookies via browser settings
- Manage cookie preferences via consent banner on website
- Disable push notifications in App settings
11. Your Rights Under DPDPA 2023
🔍 Access
Request a copy of your personal data (Account Data, step history)
✏️ Rectification
Correct inaccurate or incomplete data (email, mobile number)
🗑️ Erasure
Request deletion of your data (subject to legal retention requirements)
📤 Portability
Receive your data in structured, machine-readable format (CSV export)
🚫 Withdraw Consent
Opt-out of optional processing (promotional notifications, GPS snapshots)
⚖️ Object to Processing
Object to data use based on legitimate interests (analytics)
How to Exercise Your Rights:
- In-App: App > Settings > Data Request
- Email: grievance@kadampe.app
- Response Time: We will respond within 30 days as mandated by DPDPA 2023
12. Children's Privacy
12.1 The Services are not intended for persons under 18 years of age, as per the Indian Majority Act, 1875.
12.2 If we discover data belonging to a minor, we will promptly delete it via secure wipe.
12.3 KadamPe is exploring a coin-only (non-cash) version for users under 18, expected in Q4 2025.
13. Grievance & Data Protection Officer
Escalation Process:
- Resolution Time: We aim to resolve grievances within 15 days as mandated by IT Rules 2021
- Further Escalation: Unresolved issues may be escalated to CERT-In or relevant consumer forum
- Governance Oversight: The Grievance Officer operates under director oversight ensuring accountability
14. Changes to This Policy
14.1 We may update this Privacy Policy to reflect changes in law, business practices, or Service features.
14.2 Material changes will be announced at least 15 days in advance via in-app banners, registered email, SMS, or website notifications.
14.3 Continued use of the Services after the effective date constitutes acceptance of changes. If you disagree, you must discontinue use and uninstall the App.
This Privacy Policy was last updated on December 1, 2025. Please check our website regularly for the most current version.
For the latest updates, visit: www.kadampe.com/privacy
Legal Compliance: This policy complies with DPDPA 2023, IT Act 2000, RBI guidelines, and other applicable Indian laws.
For questions about compliance, contact our legal team at legal@kadampe.app