Privacy Policy
This Privacy Policy explains what personal data we collect when you use Dietzeo, why we collect it, and your rights over that data. We comply with the Digital Personal Data Protection Act, 2023 of India (DPDP Act), and apply the same standards globally.
1. Who we are
- Data Fiduciary: Uma Mahesh (Sole Proprietor)
- Trading as: Dietzeo
- Address: SSR Residency, Godugupet, Machilipatnam, 521001, Andhra Pradesh, India
- Contact: hello@dietzeo.com
2. What data we collect
Data you provide directly (Nutritionist accounts)
- Account information: name, email address, password (stored as a one-way hash, never as plain text), clinic/practice name, phone number (optional), professional credentials and bio you choose to publish.
- Subscription information: the plan you choose, billing period, payment status. Actual card or bank details are never seen by us - they are processed entirely by Razorpay.
- Profile content: photos, logos, taglines, social links, and any other content you publish on your public Dietzeo profile.
Data you upload about your End Clients
As a Nutritionist using Dietzeo, you may enter your clients' personal information into the system: names, contact details, age, weight, dietary preferences, health conditions, intake-form responses, diet plans, and notes. You do this on your own initiative as the Data Fiduciary for that information. Dietzeo stores and processes this data only on your behalf and only to provide the Service.
Data we collect automatically
- Usage and device data: IP address, browser type, operating system, pages visited, timestamps, and similar log information.
- Security logs: sign-in events, password changes, failed login attempts, and other audit-relevant events. Retained for 12 months.
- Cookies and local storage: session cookies that keep you logged in, and a small number of preference cookies (e.g., remembering your dashboard layout). We do not run third-party advertising or analytics trackers at this time.
3. Why we collect this data (purposes)
- To operate the Service: create your account, authenticate logins, render your dashboard, save your data, and provide all in-app features.
- To process payments: generate subscription invoices and payment links, in cooperation with Razorpay.
- To communicate with you: service messages (account, billing, security), trial reminders, and product updates. We do not currently send marketing emails; if we ever do, you will be able to opt out.
- To keep the Service secure: detect abuse, prevent fraud, troubleshoot incidents, and maintain audit logs.
- To comply with law: respond to lawful requests, retain transaction records for accounting and tax purposes.
4. Lawful basis for processing
We process your personal data on the following legal grounds under the DPDP Act and applicable law:
- Performance of contract: data we need to deliver the Service you signed up for.
- Consent: data we collect with your specific permission, e.g., when you optionally provide a phone number.
- Legitimate use: security, fraud prevention, and other legitimate operational needs.
- Legal obligation: records we are required to keep by Indian law (e.g., tax, payment-processor regulations).
5. Who we share data with
We do not sell your data. We share it only with parties that help us run the Service:
- Hosting and infrastructure: our servers run on Hostinger (or another reputable provider we may move to). Your data is stored on their servers in compliance with their security standards.
- Razorpay (payment processing): when you subscribe or generate a payment link, Razorpay receives the information needed to process the payment (name, email, amount). Razorpay's own privacy policy applies to that data, available at razorpay.com/privacy.
- Email delivery providers (when used): for verification codes, password resets, and service notices.
- Legal authorities: when required by Indian law, court order, or to protect our rights or the safety of users.
We do not share your End Clients' data with any third party except as required to operate the Service for you (e.g., displaying it back to you in the app).
6. Where data is stored
Your data is currently stored on servers located in India (or with our hosting provider's regional data centres). We aim to keep Indian customer data within India wherever practical. If we use any service that processes data outside India, we will ensure appropriate safeguards consistent with the DPDP Act.
7. How long we keep data
- Active accounts: we keep your data for as long as your account is active.
- After cancellation: you may export your data for up to 30 days. After that, your active data is deleted, except for:
  - Audit logs and security records: retained for 12 months for legal and security purposes.
  - Transaction and tax records: retained for the period required by Indian law (typically 7 years for tax records).
- End Client data: deletion timing follows your account deletion. If you want a specific End Client's data deleted while your account is active, you can do so directly from the app.
8. Your rights
Under the DPDP Act, you have the following rights:
- Right to access: obtain a copy of the personal data we hold about you.
- Right to correction: update inaccurate or incomplete data.
- Right to erasure: request deletion of your data (subject to our legal-retention obligations).
- Right to grievance redressal: raise a complaint about how we handle your data - see Section 11.
- Right to nominate: nominate another individual to exercise your rights in the event of your death or incapacity.
Most account-level rights (access, correction, deletion) can be exercised directly through the in-app Settings. For anything you cannot do in-app, email hello@dietzeo.com and we will respond within 30 days.
End Clients: as explained above, your Nutritionist is the Data Fiduciary for your data. Please direct your data-rights requests to them. We will support them in fulfilling those requests but cannot act on End Client data without their Nutritionist's involvement.
9. Security
We take reasonable security measures to protect your data:
- HTTPS encryption for all traffic between your device and our servers.
- Passwords stored as one-way hashes (bcrypt), never in plain text.
- Access controls limiting which parts of the system can read which data.
- Regular security reviews and prompt patching of known vulnerabilities.
- Audit logging of sensitive actions.
No system is perfectly secure. We will notify affected users and the Data Protection Board promptly if a personal-data breach occurs that is likely to cause significant harm, in accordance with the DPDP Act.
10. Children
Dietzeo accounts are only for users who are 18 or older. We do not knowingly accept registrations from minors. If you become aware that someone under 18 has created an account directly with us, please contact us and we will remove the account.
Some Nutritionists may treat minor End Clients on the platform. In that case, the Nutritionist is responsible for collecting valid guardian consent before entering the minor's data into Dietzeo.
11. Grievance redressal
If you have a complaint about how we handle your data, please reach out to our Grievance Officer:
- Name: Uma Mahesh (acting Grievance Officer)
- Email: hello@dietzeo.com
- Address: SSR Residency, Godugupet, Machilipatnam, 521001, Andhra Pradesh, India
We will acknowledge your complaint within 7 business days and aim to resolve it within 30 days. If you are unsatisfied with our response, you may approach the Data Protection Board of India.
12. Changes to this Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page reflects the most recent revision. Material changes will be communicated by email and in-app notice.