Privacy Policy
Last Updated: May 2, 2025
1. Introduction
500Kcal.fit ("we," "our," or "us") is a calorie-controlled meal delivery service based in Pune, Maharashtra, India. This Privacy Policy explains what personal information we collect when you use our app or website, how we use it, and your rights over your data.
By creating an account or using our services, you agree to this policy.
2. Information We Collect
2.1 Account & Profile Information
When you sign up or update your profile, we collect:
- Name — first and last name
- Phone number — used for OTP login and order notifications via WhatsApp
- Email address — collected when you sign in with Google
- Delivery address — your home or office address for meal delivery
- GPS coordinates — latitude and longitude associated with your delivery address (only when you provide them)
2.2 Authentication Information
- Phone OTP via Firebase — we use Firebase Authentication for phone-based sign-in; Firebase processes your phone number to send a one-time password
- Google OAuth — when you sign in with Google, we receive your name, email address, and Google account ID (UID) from Google
- Session tokens — we generate a secure session token stored on your device to keep you logged in
2.3 Order & Transaction Information
- Meal orders placed, delivery slots booked, and cancellations
- Credit purchase history (which plans you bought and when)
- Credit balance and usage history
- Referral codes used and rewards earned
- Payment transaction IDs and payment status (processed through Razorpay — we do not store card or UPI details)
2.4 Usage & Analytics Information
We use Amplitude to understand how users interact with our app. Amplitude automatically collects:
- Pages and screens visited, and how long you spend on them
- Session information (when you open and close the app)
- Device type, operating system, and browser
- Anonymous user identifier linked to your account
Amplitude does not capture form input, passwords, or payment details.
2.5 WhatsApp Notifications
We send order confirmations and delivery updates to your registered phone number via WhatsApp. Your phone number is used solely for this purpose and is not shared with third parties for marketing.
3. How We Use Your Information
- Account management — to create and maintain your account
- Authentication — to verify your identity via phone OTP or Google sign-in
- Order processing — to accept orders, schedule deliveries, and manage bookings
- Payments — to process credit purchases securely via Razorpay
- Notifications — to send order confirmations and delivery updates via WhatsApp
- Referral rewards — to track and credit referral bonuses
- Customer support — to resolve issues related to orders, credits, or your account
- Product improvement — to understand usage patterns via Amplitude analytics and improve the app experience
- Legal compliance — to meet tax, regulatory, and legal obligations
4. Third-Party Services We Use
We share limited data with the following trusted service providers:
4.1 Firebase (Google)
Used for phone OTP authentication and Google Sign-In. Firebase receives your phone number or Google account details to complete sign-in. See Firebase Privacy Policy.
4.2 Supabase
Our primary database and backend. All your account data, orders, and credits are stored in Supabase (hosted on AWS in the US region). See Supabase Privacy Policy.
4.3 Razorpay
Used to process payments for credit purchases. Razorpay handles your card, UPI, or net banking details directly — we never see or store your payment credentials. See Razorpay Privacy Policy.
4.4 Amplitude
Used for product analytics. Amplitude collects anonymized usage events (page views, sessions). No personally identifiable information like name, phone, or address is sent to Amplitude beyond an anonymous user ID. See Amplitude Privacy Policy.
4.5 WhatsApp (Meta)
Used to send order and delivery notifications to your registered phone number via the WhatsApp Business API.
We do not sell your data to any third party.
5. Data Storage & Security
- Your data is stored in Supabase hosted on AWS infrastructure
- All data in transit is encrypted via HTTPS / TLS
- Session tokens are cryptographically generated (256-bit random values) and stored securely
- Payment processing is handled entirely by Razorpay — we store only transaction IDs and payment status, never card or UPI credentials
- Admin access to user data is restricted to authorized personnel only
6. Data Retention
- Account data — retained while your account is active. Deleted upon account deletion request.
- Order and payment records — retained for up to 7 years as required by Indian GST and tax laws
- Analytics data — anonymized event data retained by Amplitude per their retention policy
- Session tokens — invalidated when you log out or delete your account
7. Your Rights
You have the following rights over your data:
- Access — request a copy of the personal data we hold about you
- Correction — update your name, address, or email from the Profile section in the app
- Deletion — delete your account and all associated data via the app or by contacting us (see Delete Account page)
- Opt-out of notifications — contact us to stop WhatsApp order notifications
- Data portability — request your data in a machine-readable format
To exercise any of these rights, contact us at 500kcalfit@gmail.com or +91 834 834 0500.
8. Children's Privacy
Our services are intended for users aged 18 and above. We do not knowingly collect personal information from anyone under 18. If you believe a child has created an account, please contact us and we will delete the account immediately.
9. Changes to This Policy
We may update this policy from time to time. We will post the revised policy on this page with an updated "Last Updated" date. For significant changes, we will notify you via WhatsApp or in-app notice. Continued use of our service after changes means you accept the updated policy.
10. Contact Us
For any privacy-related questions, requests, or complaints:
500Kcal.fit
Email: 500kcalfit@gmail.com
Phone / WhatsApp: +91 834 834 0500
Address: Pune, Maharashtra, India
Support Hours: 7:00 AM – 10:00 PM (Daily)
11. Governing Law
This Privacy Policy is governed by the laws of India, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023. Any disputes will be subject to the exclusive jurisdiction of the courts in Pune, Maharashtra.