Privacy Policy

      Plain-English Summary: We collect your health details and food preferences to build your personalised meal plan. We don’t sell your data or use it for advertising. Your health data is encrypted and treated as sensitive. You can access, correct, or delete your data at any time. We comply with India’s Digital Personal Data Protection (DPDP) Act, 2023.
    

1. Who We Are

Rozkaana Tech Private Limited (“Rozkaana,” “we,” “us,” “our”) operates the Rozkaana personalised meal plan service available at rozkaana.in and its subdomains (the “Service”). We are the Data Fiduciary as defined under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”).

Registered address: [Address], India. For all privacy matters, contact our Grievance Officer as described in Section 13.

2. Data We Collect

We collect personal data in the following categories:

Category	Data Points	How Collected
Identity	Name, email address	You provide during sign-up
Body & Physical	Age, gender, weight (kg), height (cm), BMI	You provide during onboarding
Health (Sensitive)	Medical conditions (diabetes, PCOS, hypertension, etc.), food allergies, dietary restrictions	You provide during onboarding; updated via Settings
Wellness Signals	Daily energy level, sleep quality, digestion, hair loss, muscle cramps, blood sugar indicators	You log daily via the app (voluntary)
Dietary Preferences	Eating mode, cuisine preferences, non-veg days	You provide during onboarding; updated via Settings
Usage & Technical	Login timestamps, page views, plan generation events, error logs, IP address, browser type	Automatically collected via server logs
Payment	Transaction ID, plan type, subscription status. We do NOT store card numbers or UPI credentials.	Processed by Razorpay (PCI-DSS compliant)
Communications	Support emails and messages you send us	You provide when contacting support

We do not collect biometric data, government ID numbers, financial account details, or location data beyond what is provided voluntarily in your profile.

3. How We Use Your Data

Meal plan generation: Your body stats, health conditions, dietary preferences, and wellness signals are the core inputs to our nutrition AI. Without this data, the Service cannot function.
Plan delivery: We use your email address to deliver your daily meal plan PDF and system notifications.
Account management: OTP authentication, subscription management, billing communications.
Service improvement: Aggregated, anonymised usage data helps us improve recipe coverage, fix bugs, and improve plan quality. This data cannot be traced back to you.
Safety: We may process technical data to detect fraud, abuse, or security threats.
Legal compliance: We process data as required by Indian law, including the DPDP Act, GST regulations, and any valid legal orders from competent authorities.

We do not use your data for advertising, profiling for commercial purposes unrelated to the Service, or selling to third parties.

4. Legal Basis for Processing

Under the DPDP Act, 2023, we process your personal data on the following bases:

Consent: For health data (sensitive personal data), wellness signals, and marketing communications. You provide explicit consent during onboarding and can withdraw it at any time.
Contract performance: For account creation, meal plan generation, and delivery — necessary to provide the Service you have subscribed to.
Legitimate interest: For service improvement using anonymised aggregates, fraud prevention, and system security — balanced against your privacy rights.
Legal obligation: For retention of billing records and compliance with tax law (GST) and other applicable Indian legislation.

We share your data only in the following limited circumstances:

Service Providers (Data Processors)

We engage trusted third-party processors who act on our instructions and are bound by data processing agreements:

Razorpay: Payment processing. Processes transaction data; does not receive health data.
Amazon Web Services (AWS): Cloud infrastructure hosting the application and database. Servers located in India (ap-south-1 region).
Zoho Mail: Transactional email delivery (OTPs, meal plan PDFs, notifications).
Anthropic (Claude API): Used for recipe generation assistance. Only recipe-related parameters (meal type, cuisine, dietary constraints) are sent — no personal identifiers or health data.

Legal Disclosures

We may disclose your data to government authorities or courts when required by a valid legal order under Indian law. We will notify you where legally permissible.

Business Transfers

If Rozkaana is acquired or merged with another entity, your data may be transferred as part of the transaction. We will notify you at least 30 days before such a transfer and give you the option to delete your account.

We do not sell, rent, or share your personal data with advertisers or data brokers under any circumstances.

6. Data Retention

Data Type	Retention Period	Reason
Account & profile data	Until account deletion + 7 days for deletion processing	Service delivery
Health & wellness data	Until account deletion + 7 days	Plan personalisation; deleted on request
Meal plan records	24 months from generation	History feature; review and audit
Billing & payment records	7 years from transaction	GST compliance (Indian tax law requires 6-year retention)
Support communications	3 years from last contact	Dispute resolution
Server logs	90 days	Security and debugging
OTP session data	10 minutes (auto-purged)	Authentication security

7. Your Rights Under the DPDP Act

As a Data Principal under India’s Digital Personal Data Protection Act, 2023, you have the following rights:

Right to access: Request a copy of the personal data we hold about you.
Right to correction: Request correction of inaccurate or incomplete data. Most profile data can be updated directly in Settings.
Right to erasure: Request deletion of your personal data. Exercise this via Settings → Danger Zone → Delete Account, or by emailing [email protected]. Note: billing records are retained for 7 years as required by law.
Right to grievance redressal: Raise a complaint with our Grievance Officer (Section 13). If unresolved, you may approach the Data Protection Board of India.
Right to withdraw consent: You can withdraw consent for health data processing at any time. Withdrawing consent for core service data will necessitate account closure.
Right to nominate: You may nominate a person to exercise your rights in the event of your incapacity or death.

To exercise any right, email [email protected] from your registered email address. We will respond within 30 days as required by the DPDP Act.

8. Health Data — Special Protections

      Your health data is sensitive. Medical conditions, dietary restrictions related to health, and wellness signals constitute sensitive personal data under the DPDP Act. We apply additional protections to this data.
    

Health data is collected only with your explicit, informed consent.
It is encrypted at rest using AES-256 and in transit using TLS 1.3.
It is never shared with third parties for commercial purposes.
It is processed only by the Rozkaana meal plan engine — not exposed to any external AI model in identifiable form.
Access within Rozkaana is restricted to personnel with a legitimate operational need.
You can delete all health data by deleting your account (Settings → Danger Zone).

Rozkaana is not a medical service. The meal plans we generate are based on nutrition science and your profile inputs — they are not medical advice and should not replace consultation with a qualified doctor or registered dietician.

9. Security

We maintain technical and organisational measures appropriate to the sensitivity of the data we hold:

All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
Databases are not publicly accessible; all access is restricted to the application layer via private networking.
Authentication uses time-limited OTPs with rate limiting to prevent brute-force attacks.
We conduct regular security reviews and vulnerability assessments.
Access to production systems is restricted to authorised personnel using multi-factor authentication.

In the event of a personal data breach that is likely to result in harm to you, we will notify the Data Protection Board of India within 72 hours and notify affected users without undue delay, as required by the DPDP Act.

10. Cookies and Local Storage

We use browser local storage (not traditional cookies) to store your authentication token (rzk_token) and refresh token (rzk_refresh) on your device. These are essential for keeping you logged in. They are deleted when you log out.

We do not use advertising cookies, tracking pixels, or cross-site tracking of any kind. We do not integrate with Google Analytics, Facebook Pixel, or any advertising network.

11. Children’s Privacy

Rozkaana is not intended for individuals under 13 years of age. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, contact [email protected] and we will delete it promptly.

For household accounts on the Family plan, parents may add children (under 13) to the household. In such cases, the parent or guardian is responsible for obtaining appropriate consent on the child’s behalf, and the child’s data is processed under the parent’s account authority.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes — changes that meaningfully affect how we use your data — we will notify you by email at least 30 days before the changes take effect and update the “Last updated” date at the top of this page.

Continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree to a material change, you may delete your account before the effective date.

13. Contact & Grievance Redressal

General Privacy Enquiries

Email: [email protected]
Response time: Within 30 days of receipt.

Grievance Officer

As required by the DPDP Act, 2023, we have appointed a Grievance Officer:

Name: [Grievance Officer Name]
Designation: Grievance Officer, Rozkaana Tech Private Limited
Email: [email protected]
Address: [Company Address], India
Response time: Within 30 days of complaint receipt.

If you are not satisfied with our response, you may approach the Data Protection Board of India once constituted under the DPDP Act, or any other competent authority under applicable Indian law.

This Privacy Policy is governed by the laws of India. Any disputes arising from this policy shall be subject to the jurisdiction of courts in [City], India.