Privacy Policy of Nutrimate Wellness Pvt. Ltd.
Effective Date: 1st December 2025
Version: 1.0
Entity: “Nutrimate Wellness Pvt. Ltd.”
CIN: U62099PN2025PTC246976
Registered Office: Subhadra Nagar R926, 1 MG Udyan, Kopargaon, Maharashtra 423601
Contact: admin@nutrimate.in
Tagline: Smart Tech. Fitter India.
1. PREAMBLE AND LEGAL BASIS
1.1 This Privacy Policy (“Policy”) is published pursuant to the provisions of the Information Technology Act 2000, the Digital Personal Data Protection Act 2023 (“DPDP Act”), and applicable subordinate rules, together with relevant European Union General Data Protection Regulation (GDPR) principles, insofar as they apply to international data transfers.
1.2 This Policy describes the manner in which Nutrimate Wellness Pvt. Ltd. (“the Company”, “we”, “our”, “us”) collects, processes, stores, shares, protects, and deletes personal and sensitive personal data of users (“User(s)”, “You”, “Your”) who access our mobile application, web platform, WhatsApp-based interfaces, AI services, or any white-label SaaS installations.
1.3 This Policy forms an integral part of the Terms of Use of the Nutrimate application and shall be read harmoniously with it.
1.4 By accessing or using any Nutrimate platform, You acknowledge that You have read, understood, and agreed to be bound by this Privacy Policy.
2. SCOPE AND APPLICATION
2.1 This Policy applies to all personal data processed by Nutrimate Wellness Pvt. Ltd., including but not limited to:
- a) Data collected through our mobile application, web application, WhatsApp channels, or affiliated digital platforms;
- b) Data collected from Gyms, Trainers, Nutritionists, Corporate Clients, Caregivers, and End Users;
- c) Data shared through third-party integrations including Microsoft Azure, Google Cloud, Gemini AI, Zoho, Twilio, MSG91, Infobip, and other partners;
- d) Data imported, exported, or processed on behalf of any white-label client under contract with the Company.
2.2 This Policy governs processing of personal data (identifiable information) and sensitive personal data (health, biometrics, nutrition, or medical records).
2.3 The Policy applies globally to Users in India and abroad who use the Nutrimate platforms directly or through affiliated entities.
3. LEGAL DEFINITIONS
3.1 “Personal Data” means any data about an individual who is identifiable by or in relation to such data.
3.2 “Sensitive Personal Data” includes physiological information such as body metrics, BMI, BCA, BP, blood sugar, sleep patterns, nutrition logs, and any data classified as “Sensitive” under applicable law.
3.3 “Processing” means any operation such as collection, recording, organisation, storage, retrieval, use, disclosure, erasure, or destruction of data.
3.4 “Data Principal” means the individual to whom the personal data relates; equivalent to “User”.
3.5 “Data Fiduciary” means Nutrimate Wellness Pvt. Ltd., determining the purpose and means of processing.
3.6 “Data Processor” means any person or entity processing data on behalf of Nutrimate Wellness Pvt. Ltd., including but not limited to developers, vendors, and service providers.
3.7 “Consent Manager” means an interface appointed by Nutrimate to facilitate user consent in accordance with Section 6 of the DPDP Act.
4. COLLECTION OF DATA
4.1 We may collect the following categories of data directly or indirectly:
- a) Identification Data: Name, Gender, Age, Email Address, Phone Number, Profile Photo, and Government ID (if required for KYC).
- b) Health & Fitness Data: Body weight, height, BMI, BCA, activity levels, exercise habits, sleep patterns, food intake, calorie count, macro/micronutrient information.
- c) Medical and Diagnostic Data: Blood pressure, blood sugar, ECG metrics, lab results shared via partnered diagnostic centres.
- d) Technical Data: Device type, operating system, IP address, location data (if enabled), browser details, and usage logs.
- e) Transactional Data: Subscription plans, payment history, invoice details, and refund records processed via secure payment gateways.
- f) Communication Data: Chats, emails, support tickets, WhatsApp messages processed for service improvement.
- g) Third-Party Integration Data: Data collected through API connections from Azure Cognitive Services, Google Gemini AI, Zoho Suite, Twilio, Infobip, MSG91, and other platforms as authorized by User interaction.
4.2 The Company shall not collect any data beyond the legitimate purpose for which it was collected.
4.3 In case of corporate wellness clients, data may also include anonymized employee wellness metrics and HR-shared aggregates, strictly under contractual obligations.
5. PURPOSE OF PROCESSING
5.1 All collected data is processed for lawful purposes as enumerated below:
- a) To enable personalized fitness and nutrition tracking using AI/ML tools;
- b) To facilitate trainer-member interaction, progress monitoring, and feedback;
- c) To provide senior-citizen caregiver connectivity through IoT or linked devices;
- d) To process corporate wellness program metrics and generate analytics;
- e) To improve platform functionality and User experience through data insight models;
- f) To enable payment, billing, and subscription management;
- g) To ensure compliance with statutory and tax obligations;
- h) To prevent fraud, misuse, and unauthorised access;
- i) For legitimate research and development purposes after anonymisation and aggregate processing.
5.2 Processing for any purpose other than those stated above shall be subject to renewed consent under Section 6 of the DPDP Act.
6. LAWFUL BASIS OF PROCESSING
6.1 Processing shall be carried out under one or more lawful bases:
- a) Explicit consent of the Data Principal;
- b) Performance of a contract with the User;
- c) Compliance with a legal obligation;
- d) Legitimate interest of the Company balanced with User rights;
- e) For public interest or medical emergency purposes as per law.
6.2 Where data is collected via corporate clients or white-label partners, they shall be treated as “Joint Data Fiduciaries” for the purposes of the DPDP Act.
7. CONSENT MECHANISM
7.1 Consent shall be free, specific, informed, and unambiguous.
7.2 Nutrimate shall implement digital consent capture mechanisms through check boxes, OTP validation, or electronic signatures as applicable.
7.3 Consent logs shall be maintained in encrypted form on Azure Cloud for a minimum period of 7 years or until the purpose of processing is fulfilled, whichever is earlier.
7.4 Users may withdraw consent at any time via in-app settings or by writing to admin@nutrimate.in.
8. DATA MINIMISATION AND PURPOSE LIMITATION
8.1 Nutrimate Wellness Pvt. Ltd. shall collect only such data that is adequate, relevant, and limited to what is necessary in relation to the purpose for which it is processed.
8.2 Users will be clearly informed at the time of collection about the nature of data being requested and the reason for its use.
8.3 The Company shall not retain any data beyond the period required to fulfil the stated purpose or any statutory obligation.
8.4 Aggregated or anonymised data may be retained indefinitely for statistical, analytical, or R&D purposes, provided such data cannot be used to identify any individual.
9. DATA RETENTION AND DELETION POLICY
9.1 Personal data shall be retained for as long as the User maintains an active account or subscription with Nutrimate Wellness Pvt. Ltd.
9.2 Upon account closure or withdrawal of consent, the data shall be deleted or anonymised within 90 days, unless a longer retention is required by law (e.g., tax records, audit obligations).
9.3 Backup copies stored on Azure Cloud shall undergo secure deletion cycles every 180 days, subject to technical feasibility.
9.4 Users may request early deletion by writing to admin@nutrimate.in, which will be processed in accordance with Section 12 of the DPDP Act.
10. THIRD-PARTY INTEGRATIONS AND PROCESSORS
10.1 Nutrimate Wellness Pvt. Ltd. partners with trusted third-party service providers for hosting, analytics, communication, AI-based food recognition, and operational services. Each such partner is bound by a Data Processing Agreement (DPA) with the Company.
10.2 The list below identifies principal integrations, their purposes, and security obligations.
10.2.1 Microsoft Azure
- a) Purpose: Secure cloud hosting, AI computation, encrypted storage, key vault management, and backup solutions.
- b) Location: India data region (Primary), with secondary replication in Singapore/EU as per Microsoft India Ltd.’s SLA.
- c) Security: ISO 27001, SOC 2 Type II, and GDPR-aligned encryption. All keys stored in Azure Key Vault under Company control.
- d) Lawful Basis: Contractual necessity for platform operation.
- e) Compliance: Microsoft’s Data Processing Addendum and Model Contract Clauses govern international transfers.
10.2.2 Google Cloud / Gemini AI
- a) Purpose: Natural-language and image-based AI models for food analysis, chat responses, and wellness recommendations.
- b) Data Type: Only anonymised text and image payloads without personally identifiable attributes are transmitted.
- c) Security: HTTPS/TLS 1.3 encryption; data purged immediately post inference.
- d) Lawful Basis: User consent for AI-driven recommendations.
- e) Compliance: Google LLC is GDPR and DPDP compliant under the EU-U.S. Data Privacy Framework; cross-border data transfers occur under Standard Contractual Clauses (SCCs).
10.2.3 WhatsApp Business API / Meta Platforms Inc.
- a) Purpose: Two-way user engagement, meal-logging through image or text, and customer support notifications.
- b) Data Handling: Messages are end-to-end encrypted between User → Meta → Twilio → Nutrimate backend.
- c) Storage: No content is permanently stored on WhatsApp servers beyond delivery lifecycle.
- d) Lawful Basis: Explicit user consent upon chat initiation.
- e) Compliance: Meta’s India Data Transfer Addendum and DPDP consent norms observed.
10.2.4 Twilio / MSG91 / Infobip (OTP and SMS Services)
- a) Purpose: Authentication via OTP, transactional alerts, and communication services.
- b) Data Scope: Mobile number, message template, and delivery status only.
- c) Security: TLS encryption, time-bound message retention (<48 hours).
- d) Lawful Basis: Contractual and legitimate interest for secure login and notification.
10.2.5 Zoho Corporation
- a) Purpose: Internal business operations — CRM, email services, customer support ticketing, and document management.
- b) Data Scope: Limited to user contact and service records; no health or medical data stored on Zoho systems.
- c) Security: SOC 2 and ISO 27018 certified; data residency in Indian region.
10.2.6 Mixpanel Inc.
- Company: Mixpanel Inc., 1 Front Street, Floor 28, San Francisco, CA 94111, USA.
- a) Purpose: Product analytics to understand feature usage patterns, identify usability issues, and improve app performance. Mixpanel does NOT receive any personal, health, or Sensitive Personal Data.
- b) Data Collected and Transmitted to Mixpanel:
  - Anonymous device identifier (randomly generated — not linked to your name, phone, or any identity)
  - App session start time and duration
  - Screen views and feature interaction events (e.g., ‘opened meal log screen’)
  - App version and operating system type
  - Approximate geographic region (country/state level only — not precise GPS location)
  - Crash reports and performance metrics
- c) Data Expressly NOT Sent to Mixpanel:
  - Your name, mobile number, or email address
  - Your height, weight, BMI, TDEE, or any health metric
  - Your meal logs, calorie data, or food entries
  - Your health score or fitness data
  - Your WhatsApp messages or chat content
  - Any Sensitive Personal Data as defined under the DPDP Act 2023
- d) Data Storage Location: Mixpanel stores event data on servers in the United States. This transfer is governed by Standard Contractual Clauses (SCCs) compliant with GDPR Article 46 and equivalent DPDP cross-border transfer standards. Nutrimate has executed a Data Processing Agreement (DPA) with Mixpanel Inc.
- e) Data Retention: Mixpanel retains event data for a maximum of 12 months as configured by Nutrimate. After this period, data is automatically and permanently deleted.
- f) Lawful Basis: Nutrimate processes anonymous usage analytics under the legitimate interest basis as permitted under Section 7(2)(d) of the Digital Personal Data Protection Act 2023. This analytics data helps improve the app experience for all users. No personal or health data is involved in this processing.
- g) User Objection: Users who wish to object to analytics data collection may submit a written request to admin@nutrimate.in with the subject line ‘Analytics Objection’. Requests will be processed within 30 days. Users may also opt out directly via Mixpanel’s global opt-out at: https://mixpanel.com/optout — opting out does not affect any app functionality.
- h) Mixpanel Privacy Policy: https://mixpanel.com/legal/privacy-policy/
10.2.7 Future Third-Party Integrations
Nutrimate Wellness Pvt. Ltd. reserves the right to onboard additional third-party partners (e.g., payment gateways, telemedicine providers, IoT device vendors, insurance aggregators). Each such partnership will be governed by a separate DPA ensuring equal or higher data protection standards.
11. CROSS-BORDER DATA TRANSFER
11.1 Personal data may be processed on servers located within or outside India, subject to applicable government notifications under the DPDP Act.
11.2 Any cross-border transfer will occur only to jurisdictions ensuring an adequate level of protection or under Standard Contractual Clauses executed with the recipient.
11.3 All transfers comply with encryption standards equivalent to ISO/IEC 27018 and GDPR Article 46.
11.4 Users will be informed through updated policy notifications if new international processing locations are added.
12. DATA SECURITY AND ACCESS CONTROLS
12.1 Nutrimate employs a multi-layered security architecture combining Azure Key Vault encryption, TLS 1.3 transmission security, and role-based access management.
12.2 Access to personal data is restricted to authorized personnel, each bound by Non-Disclosure Agreements and subject to audit logging.
12.3 Critical health and biometric information is stored in encrypted format (AES-256) with hashed identifiers.
12.4 Routine penetration testing and vulnerability assessments are conducted by independent cybersecurity auditors.
12.5 In the event of a security incident, the Company shall follow its Incident Response Plan and notify affected Users and the Data Protection Board within 72 hours, as required under Section 8 (6) of the DPDP Act.
13. USER RIGHTS UNDER THE DPDP ACT
13.1 Every Data Principal shall have the following rights, exercisable via email or in-app interface:
- a) Right to Access: Obtain confirmation and a copy of personal data being processed.
- b) Right to Correction: Request rectification of inaccurate or incomplete data.
- c) Right to Erasure: Request deletion upon withdrawal of consent or cessation of purpose.
- d) Right to Grievance Redressal: Lodge complaints directly with Nutrimate’s Grievance Officer.
- e) Right to Nominate: Nominate an individual to exercise rights in case of death or incapacity.
13.2 Nutrimate shall respond to all rights requests within 30 days of receipt.
14. GRIEVANCE REDRESSAL MECHANISM
14.1 In compliance with Section 13 of the DPDP Act and Rule 3(11) of the Information Technology Rules 2011, Nutrimate appoints a Grievance Officer to address complaints regarding information handling.
Name: [To be nominated by the Board]
Email: admin@nutrimate.in
Response Time: 30 days from the date of complaint.
14.2 If the User remains unsatisfied, they may escalate the issue to the Data Protection Board of India (DPBI) through the procedure prescribed by the Ministry of Electronics and Information Technology (MeitY).
15. PROCESSING FOR CORPORATE AND WHITE-LABEL CLIENTS
15.1 Nutrimate Wellness Pvt. Ltd. acts as a Joint Data Fiduciary with its corporate wellness partners and white-label gym clients for processing employee or member wellness data.
15.2 Each corporate or gym partner shall execute a Data Processing Addendum (DPA) specifying data ownership, permitted use, and retention schedules.
15.3 End-user data of a partner gym shall remain the property of the respective user; Nutrimate shall process such data only for providing contracted services and analytics.
15.4 Partners are prohibited from exporting, reselling, or repurposing any personal data obtained through the Nutrimate platform.
15.5 Upon termination of a white-label contract, Nutrimate shall purge or anonymise all data within 60 days unless legally required to retain it for compliance, audit, or dispute-resolution purposes.
16. DATA ANONYMISATION AND RESEARCH USE
16.1 Nutrimate may aggregate and anonymise data to derive statistical insights for research and product improvement.
16.2 Such anonymised datasets shall contain no direct identifiers and cannot be reverse-engineered to reveal individual identities.
16.3 The Company may share aggregated datasets with academic institutes, government bodies, or health-tech collaborators for public-interest research, subject to ethical review and contractual safeguards.
17. CHILDREN’S DATA AND PARENTAL CONSENT
17.1 The platform is not intended for children under 18 years of age without supervision of a parent or guardian.
17.2 If a minor’s data is to be collected (e.g., via family plans or school wellness programs), parental consent shall be obtained through digital signature or verified email confirmation.
17.3 Parents may request access, correction, or erasure of a child’s data at any time by contacting admin@nutrimate.in.
17.4 Violation of this clause by partners or affiliates will invite immediate termination and legal liability under the DPDP Act and POCSO guidelines if applicable.
18. MARKETING, PROMOTIONS AND COMMUNICATION PREFERENCES
18.1 Nutrimate may send transactional and service-related messages (such as OTP, billing updates, and policy changes) to all users.
18.2 Promotional or marketing communications will be sent only to users who have opted in through an explicit consent checkbox or the in-app preference center.
18.3 Users may unsubscribe at any time without affecting their core service access.
18.4 Third-party advertisers are not allowed to access or profile user data for ad targeting without explicit consent and contractual verification.
19. COOKIES AND ONLINE TRACKING POLICY
19.1 Nutrimate platforms use first-party and third-party cookies for authentication, session persistence, analytics, and performance optimisation.
19.2 Cookie categories include:
- a) Strictly Necessary Cookies – essential for login and security.
- b) Analytical Cookies – to measure traffic and usage patterns via Mixpanel or Google Analytics.
- c) Preference Cookies – to store user language and UI settings.
- d) Functional Cookies – to enable personalised recommendations and saved workout/meal plans.
19.3 Users can manage cookie settings from the browser or application dashboard; disabling certain cookies may limit functionality.
19.4 Cookies do not store sensitive personal information (such as health or payment data).
20. DISCLOSURE AND LEGAL OBLIGATIONS
20.1 The Company may disclose personal data only under the following circumstances:
- a) To law-enforcement authorities when required under law or court order.
- b) To auditors, regulators, or tax authorities for statutory compliance.
- c) To third-party vendors for service delivery under binding DPAs.
- d) In case of business reorganisation, merger, or acquisition (subject to continued data protection obligations).
20.2 No data shall be sold or commercially rented to any third party.
20.3 Nutrimate shall maintain detailed records of every disclosure and ensure transparency as mandated by Section 9(4) of the DPDP Act.
21. RETENTION OF BUSINESS RECORDS
21.1 Transactional records, audit logs, and system backups shall be retained for a minimum of seven (7) years to comply with taxation, statutory filings, and litigation defence.
21.2 Health and wellness data shall be retained for no more than three (3) years post account deactivation, unless explicitly extended by user consent.
21.3 Encrypted backup files older than seven years shall be automatically purged via Azure’s retention policy.
22. AUDIT, MONITORING AND COMPLIANCE
22.1 Nutrimate conducts internal data-protection audits at least once per financial year and external audits through a certified cybersecurity auditor once every two years.
22.2 Each vendor is subject to annual DPA renewal and audit rights clauses.
22.3 Non-compliance by employees or vendors may result in disciplinary actions, termination of contracts, and legal penalties under Sections 29–33 of the DPDP Act.
23. BUSINESS CONTINUITY AND DISASTER RECOVERY
23.1 All critical data is replicated across two Azure regions (Primary India, Secondary Singapore/EU) to ensure 99.9% availability.
23.2 Daily incremental and weekly full backups are maintained under AES-256 encryption.
23.3 The Disaster Recovery Plan (DRP) ensures re-activation of core services within 24 hours of any major incident.
23.4 Regular fire-drills and failover testing are conducted to verify system resilience.
24. ADVERTISING AND AFFILIATE DISCLOSURES
24.1 Nutrimate does not permit third-party ad networks to directly target Users within its platforms without explicit opt-in consent.
24.2 Any advertising content displayed shall be labelled as “Promoted Content” or “Partner Offer.”
24.3 Affiliate links or sponsored programs (if any) shall always be disclosed with a clear statement to the User.
24.4 Nutrimate does not engage in behavioural retargeting using health or biometric data.
24.5 Corporate partners wishing to cross-promote services must enter a separate Affiliate Compliance Agreement approved by the Company’s legal counsel.
25. DATA BREACH PROTOCOL AND NOTIFICATION
25.1 A “Data Breach” means any unauthorised access, disclosure, loss or destruction of personal data.
25.2 Upon suspected breach, the Incident Response Team shall activate the Company’s Cyber Security Incident Response Plan within two (2) hours.
25.3 Containment measures include log analysis, account suspension, credential rotation and forensic preservation of evidence.
25.4 If the breach is likely to cause significant harm to Data Principals, Nutrimate shall notify the affected Users and the Data Protection Board of India within 72 hours.
25.5 The Company shall maintain a register of all incidents with mitigation actions and lessons learned.
25.6 Periodic drills shall be conducted to train employees and vendors on breach-management protocols.
26. DATA PROTECTION OFFICER (DPO)
26.1 In accordance with Section 10 of the DPDP Act, Nutrimate shall appoint a qualified Data Protection Officer responsible for:
- a) Overseeing data-governance implementation;
- b) Advising management on compliance requirements;
- c) Conducting Data Protection Impact Assessments (DPIA);
- d) Serving as contact point for the Data Protection Board of India and foreign regulators;
- e) Ensuring staff training and vendor alignment.
26.2 The DPO shall operate independently of commercial functions and report directly to the Board of Directors.
26.3 Interim Contact: admin@nutrimate.in
27. INTERNATIONAL COOPERATION AND TRANSFER ASSURANCES
27.1 Where cross-border data flows occur (for example with Azure or Google services), Nutrimate shall ensure compliance with the DPDP Act’s forthcoming Section 16 notifications on “Permitted Jurisdictions.”
27.2 Transfers shall only be made to countries that provide adequate data-protection standards comparable to India’s.
27.3 All international vendors must execute Standard Contractual Clauses (SCCs) and undertake to implement encryption and access-control protocols.
27.4 Users may request information on the specific jurisdictions where their data is processed by writing to admin@nutrimate.in.
28. AUDIT TRAILS AND ACCOUNTABILITY
28.1 All access to personal data is logged with timestamp, user identity, and purpose of access.
28.2 Audit logs are preserved for a minimum of three years and reviewed quarterly by the Compliance Committee.
28.3 Automated anomaly-detection systems shall monitor abnormal data-usage patterns.
29. ANONYMISATION AND DE-IDENTIFICATION STANDARDS
29.1 Nutrimate adopts ISO/IEC 20889 standards for data anonymisation.
29.2 All datasets shared externally for research or AI-model training shall undergo two-layer hashing and randomisation.
29.3 Re-identification attempts by any party shall constitute a material breach of contract and trigger penalties under Sections 30 and 33 of the DPDP Act.
30. ACCOUNTABILITY OF EMPLOYEES AND CONTRACTORS
30.1 Every employee, developer, and vendor of Nutrimate is bound by a Confidentiality and Data-Protection Undertaking.
30.2 Access to personal data is granted on a “least-privilege” basis using multi-factor authentication and periodic review.
30.3 Violation of data-handling protocols may lead to disciplinary action including termination and civil liability.
31. ENFORCEMENT AND PENALTIES
31.1 Failure to comply with this Policy may result in monetary penalties as prescribed under the DPDP Act (up to ₹250 crore for serious violations).
31.2 The Company may pursue legal remedies against any party found negligent in handling data.
31.3 Users shall not be liable for incidental loss caused by third-party failures beyond their control.
32. RESEARCH, INNOVATION AND AI ETHICS FRAMEWORK
32.1 Nutrimate follows a strict AI Ethics Charter aligned with NITI Aayog’s Responsible AI Principles and OECD Guidelines.
32.2 AI outputs (such as nutrition or fitness recommendations) are advisory and not a substitute for medical diagnosis.
32.3 Users are encouraged to consult certified health professionals before making medical decisions based on app insights.
32.4 All AI training datasets are curated from lawful, consensual, and non-discriminatory sources.
33. POLICY AWARENESS AND TRAINING
33.1 All employees and partners receive mandatory data-protection training within 30 days of onboarding and annual refreshers thereafter.
33.2 Specialised training is conducted for engineers, customer-support teams, and data-analysts involved in sensitive processing.
33.3 Training records are retained for audit purposes for a minimum of five years.
34. GRIEVANCE ESCALATION AND REMEDIES
34.1 Users who are not satisfied with the initial response of the Grievance Officer may escalate the matter to the Company’s Board Oversight Committee through admin@nutrimate.in.
34.2 If unresolved, Users may approach the Data Protection Board of India within 60 days of the final response.
34.3 The Company shall co-operate with all investigations and adhere to any directions issued by the Board.
35. MISCELLANEOUS AND GOVERNING LAW
35.1 This Policy shall be governed and construed in accordance with the laws of India.
35.2 The courts of Chhatrapati Sambhajinagar (Aurangabad) shall have exclusive jurisdiction over any dispute arising out of this Policy.
35.3 If any provision is held invalid by a competent court, the remaining provisions shall remain in full force and effect.
35.4 This Policy forms an inseparable part of the Terms of Use and any other service-specific agreements executed by Nutrimate.
36. JURISDICTION AND DISPUTE RESOLUTION PROCEDURE
36.1 All disputes, controversies, or claims arising out of or relating to this Policy shall first be attempted to be resolved amicably through written negotiations between the User and Nutrimate.
36.2 If such negotiations fail within thirty (30) days, the dispute shall be referred to arbitration in accordance with the Arbitration and Conciliation Act 1996 (as amended).
36.3 The arbitration tribunal shall consist of a single independent arbitrator appointed jointly by both parties.
- a) Seat of arbitration – Chhatrapati Sambhajinagar (Aurangabad), Maharashtra.
- b) Language – English.
- c) Governing law – Laws of India.
36.4 The award of the arbitrator shall be final and binding on both parties.
36.5 Each party shall bear its own costs of arbitration except where otherwise directed by the tribunal.
37. NOTICE AND SERVICE OF PROCESS
37.1 Any legal notices, complaints, or communications under this Policy shall be sent to:
Nutrimate Wellness Pvt. Ltd.
Subhadra Nagar R926, 1 MG Udyan, Kopargaon, Maharashtra 423601
Email: admin@nutrimate.in
37.2 Digital communication through verified email shall be considered valid service of notice in accordance with Section 4 of the Information Technology Act 2000.
38. UPDATES AND POLICY AMENDMENTS
38.1 Nutrimate reserves the right to amend or update this Privacy Policy from time to time to reflect changes in law, technology, or business practices.
38.2 All revisions shall carry a version number and effective date, published on the official website (www.nutrimate.in/legal).
38.3 Material changes that affect user rights or data usage will be communicated via in-app notifications or registered email prior to implementation.
38.4 Continued use of the services after notification shall constitute the User’s acceptance of the revised Policy.
39. AUDIT CERTIFICATION AND COMPLIANCE ASSURANCE
39.1 Nutrimate Wellness Pvt. Ltd. shall maintain periodic compliance certificates issued by independent auditors confirming conformance with the Digital Personal Data Protection Act 2023, ISO 27001, and ISO 27701 standards.
39.2 Audit summaries may be made available to regulators, incubators, or investors under a confidential NDA.
39.3 Each white-label partner shall be required to undergo data-protection training and submit a self-declaration of DPDP compliance annually.
39.4 Nutrimate shall update its public “Trust and Safety Report” annually, summarising security posture, incident metrics, and regulatory responses.
40. DATA PORTABILITY AND INTEROPERABILITY
40.1 Users have the right to request a structured, machine-readable copy of their personal data maintained by Nutrimate.
40.2 Such data may be transferred to another service provider upon written request, subject to technical feasibility and protection of third-party rights.
40.3 Nutrimate shall facilitate interoperability through standard APIs without compromising security or trade secrets.
41. LIMITATION OF LIABILITY
41.1 To the maximum extent permitted by law, Nutrimate shall not be liable for any indirect, incidental, consequential, or punitive damages arising from use or inability to use the services.
41.2 The total aggregate liability of the Company for any claim shall not exceed the total fees paid by the User for the service during the preceding twelve months.
41.3 This limitation shall not apply to cases of wilful misconduct, fraud, or gross negligence by the Company.
42. USER ACKNOWLEDGEMENT AND CONSENT
42.1 By using the Nutrimate applications, web portal, or WhatsApp integrations, the User acknowledges that they have read, understood, and agree to be bound by this Privacy Policy.
42.2 If a User does not agree with any term hereof, they should immediately discontinue use of the services and request data deletion as per Clause 13.
42.3 This Policy constitutes a legally binding electronic record under the Information Technology Act 2000 and does not require physical signature.
43. DIGITAL SIGNATURE AND EVIDENTIARY VALUE
43.1 This Privacy Policy and its digital acceptance by the User shall be treated as a valid electronic contract under the Information Technology Act 2000.
43.2 All click-wrap and consent-capture records shall be retained for audit and litigation defence purposes.
43.3 The Company’s electronic records, server logs, and email confirmations shall be conclusive evidence of consent and transaction history.
44. EFFECTIVE DATE AND VERSION CONTROL
Effective Date: 1 December 2025
Version: 1.0 (Initial DPDP Compliant Edition)
Approved By: Board of Directors, Nutrimate Wellness Pvt. Ltd.
Place of Approval: Chhatrapati Sambhajinagar (Aurangabad), Maharashtra
45. CONTACT INFORMATION SUMMARY
| Purpose / Concern | Contact Person / Department | Contact Method | Response Timeline |
| --- | --- | --- | --- |
| General Queries (User App, Features, Data Access) | Customer Support Team | admin@nutrimate.in | Within 72 hours |
| Data Protection, Consent Withdrawal, Data Erasure Requests | Grievance Officer – Mrs. Pradnya Ganorkar (Authorized Representative, Nutrimate Wellness Pvt. Ltd.) | admin@nutrimate.in | Within 7 days |
| Legal Notices / Compliance Queries | Legal & Compliance Desk | admin@nutrimate.in | Within 10 working days |
| Partner / Corporate Wellness / B2B Queries | Business Relations Office | admin@nutrimate.in | Within 5 working days |
| Senior Citizen Wellness Support | Care & Wellness Desk | admin@nutrimate.in | Within 3 working days |
46. FINAL DECLARATION
This Privacy Policy forms an integral part of the Terms of Use and any associated agreements executed between Nutrimate Wellness Pvt. Ltd. and its Users, Partners, Vendors, or Affiliates.
Any failure by the Company to enforce a right or provision herein shall not constitute a waiver of such right.
Users are encouraged to retain a copy of this Policy for their records.