Privacy Policy
Effective date: 2026-05-28 · Last updated: 2026-06-10
KitchenOS is built and operated in India for Indian families. This notice explains what personal data we collect, why we collect it, where it lives, how long we keep it, and the rights you can exercise under India's Digital Personal Data Protection Act, 2023 ("DPDP Act"). We have written it in plain language. If anything is unclear, write to us at privacy@ganakys.com and we will explain.
1. Who we are
KitchenOS is operated by Jineesh S, sole proprietor (the "Data Fiduciary" under DPDP §2(i)). The product is an AI meal planner for Indian households. References to "we", "us", and "our" mean KitchenOS. References to "you" mean the individual using the product or whose personal data we process.
2. What personal data we collect, and why
We collect only what is necessary to operate the meal planner safely and to honour the lawful purposes you consent to at sign-up (DPDP §6 — purpose limitation). The full registry of every data class we store, with its purpose and retention, is in our internal Data Inventory; the user-facing summary is below.
2.1 Account & contact data
- Phone number (used for sign-in via OTP), display name, locale, notification preferences.
- Purpose: account creation, sign-in, sending you product updates if you opted in to the waitlist or marketing communications.
- Lawful basis: your consent (DPDP §6) plus performance of the service agreement (DPDP §7(a)).
2.2 Household & family profile
- Household name, members' first names, role within the household (primary planner, co-adult, child, elder, helper, guest), age band, dietary preferences, and food likes/dislikes.
- Purpose: personalising meal plans for everyone in the household; scoping who can see what inside the app.
2.3 Health context — Sensitive Personal Data
- Per-member health conditions (e.g. diabetes, blood pressure, thyroid), allergies, doctor-prescribed dietary restrictions, and short free-text notes you add yourself.
- Per-member medication list (drug name, dosage, schedule, optional prescribing doctor name). You may also log when a dose was taken.
- Purpose: surfacing safe meal options, flagging drug-food interactions, and producing weekly summaries you can share with a doctor.
- Lawful basis: your explicit, informed consent (DPDP §6, treated to a higher standard for sensitive data). You can withdraw consent at any time from inside the app (Settings → Privacy → Withdraw consent), which deletes this category and turns off the dependent features.
2.4 Pantry & meal data
- Pantry items and quantities, meal plans we generate for you, consumption logs (what was eaten and when), shopping lists.
- Purpose: meal planning, helper handover, weekly insights.
2.5 Optional media you upload
- Photographs of food you cook or eat (only if you take/upload them). Voice clips of cooking-mode queries (only if you use voice commands).
- Retention is configurable. Default is 90 days for food photos and 30 days for voice clips, after which they are auto-deleted. You can shorten or extend this in Settings → Privacy.
2.6 Subscription & payment metadata
- Subscription plan, status, renewal date, last four digits of the card or UPI handle (passed through from Razorpay), invoice history.
- We do not store your full card number, CVV, or UPI PIN. Payments are handled by Razorpay, our payments processor.
2.7 Technical & diagnostic data
- Device model, operating system version, app version, crash logs, anonymised usage events (e.g. "meal plan generated"). IP address is logged transiently for abuse prevention.
- We do not use third-party advertising trackers. We do not sell data. We do not run on-page ads.
3. Where your data lives (data residency)
Your Firestore data (household, members, health profile, medications, meal plans, pantry, shopping lists, consumption logs, audit trail) is stored in Google Cloud's Mumbai region (asia-south1). Object storage for media (photos, voice clips, exports) is hosted in the same region.
Our own application logic runs in the same region: every Cloud Function — the serverless backend behind meal planning, the drug-food safety check, and the rest of the app — is deployed to asia-south1. So your personal data is both stored and processed on KitchenOS infrastructure inside India, and nothing is stored at rest outside the country.
The one exception is the AI meal-suggestion step. As described in §4, we send a minimised, de-identified prompt (household role, age band, dietary preferences, and pantry items — never drug names or free-text health notes) to our AI providers, whose APIs are hosted outside India. That data is transient and is not stored at rest abroad. We will update this notice before changing where any workload runs.
4. Who we share data with, and why
We share personal data only with the data processors needed to run the service. Each one has its own privacy practices linked below.
- Google LLC (Firebase, Cloud Firestore, Cloud Storage, Cloud Functions, Firebase Authentication). Infrastructure for storage, authentication, and serverless compute. Data lives in Mumbai per §3 above.
- Anthropic (Claude), OpenAI (GPT), Google (Gemini). We send anonymised meal-plan prompts (containing household role, age band, dietary preferences, and pantry items) to these providers to generate meal suggestions. Each provider treats the input as transient — they do not store it for model training when accessed via their commercial API endpoints. We do not send drug names or free-text health notes to these providers; those stay on our own infrastructure (see §5).
- Razorpay (Razorpay Software Private Limited, India). Payment processing and subscription management. Razorpay receives your name, email, phone number, and payment instrument as required for the transaction.
- Brevo (Sendinblue SAS). Transactional email and optional product updates, if you opt in.
We do not sell personal data. We do not share data with advertisers. We do not share data with insurance providers, employers, or any third party not listed above.
5. Drug-food safety — how we keep AI out of the safety path
Drug-food interaction alerts (for example, warning against grapefruit with statins, or dark leafy greens with warfarin) are generated by a deterministic, rules-based interaction ruleset — never by an AI model. AI models can hallucinate and vary across runs; that is not acceptable for safety. We treat this as a hard architectural rule (recorded in our internal decision log as ADR-004). This ruleset is curated and advisory-only, and is pending pharmacist review — it is not a clinically signed or licensed medical product. Alerts are always advisory and never replace medical advice — see the Terms of Service for the full disclaimer.
6. How long we keep data (retention)
- Account & household: for as long as your account is active. On deletion, a 30-day grace period, then full purge.
- Health profile & medications: account lifetime. Purged within 7 days of member removal or 30 days of account deletion.
- Meal plans: rolling 24 months. Older weeks are pruned automatically.
- Shopping lists: 6 months after completion.
- Food photos: default 90 days, configurable in Settings → Privacy.
- Voice clips: default 30 days, configurable in Settings → Privacy.
- Exports (PDF/JSON bundles): 30 days, then auto-deleted from our storage. You retain your downloaded copy.
- Audit log: 7 years (regulatory minimum under DPDP §28 records of processing). Audit log entries do not contain meal content or health detail — only "who did what, when".
7. Your rights under the DPDP Act
Under DPDP §11–§14 you have the following rights with respect to your personal data. You can exercise all of them yourself from inside the KitchenOS app — no email, no waiting.
- Right to access & portability (§11). Get a machine-readable copy of every personal data record we hold about you. App location: Settings → Privacy → Export my data (ExportDataPage). You'll receive a JSON bundle with a signed link valid for one hour.
- Right to correction (§12). Edit your profile, household members, health information, and medications directly in the app. No form, no review queue.
- Right to erasure (§12). Delete the entire account and all data we hold about you. App location: Settings → Account → Delete account (DeleteAccountPage). 30-day grace period before irreversible purge. You can cancel during the grace period by signing back in.
- Right to withdraw consent (§6(4)). Withdraw consent for any specific processing purpose (e.g. AI meal planning, drug-food safety, photo logging) without deleting your whole account. App location: Settings → Privacy → Withdraw consent (WithdrawConsentPage). Dependent features are disabled when consent is withdrawn.
- Right to opt out of AI training. By default your data is not used to train any AI model. If we ever want to use anonymised, aggregated patterns to improve our prompts, you can opt in or out granularly at Settings → Privacy → AI training (AITrainingOptInPage). Default is opt-out.
- Right to grievance (§13). See §10 below to contact our Grievance Officer.
8. Children's data (DPDP §9)
KitchenOS is designed to be used by adults to plan meals for the whole family, which may include children. The DPDP Act treats data about a person under 18 as requiring verifiable parental consent. We do not create separate child accounts. When the Primary Planner adds a child as a household member, the Primary Planner is providing parental consent on the child's behalf. We do not process children's data for advertising, profiling, or behavioural tracking, and we keep the same retention and deletion rights for child member records as we do for adults.
9. Security
Data in Firestore, Cloud Storage, and Cloud Function logs is encrypted at rest using Google-managed AES-256 keys, and in transit using TLS 1.2+. Access to production data is restricted to a short list of administrators and is logged in our immutable audit trail. We do not write database backups to laptops or unmanaged storage. Our public endpoints (such as the waitlist form) are protected by Firestore security rules that constrain what can be written and block reads; where enabled, we additionally use Firebase App Check (reCAPTCHA v3) to attest that requests come from our own app and block automated abuse. If we ever discover a personal data breach affecting you, we will notify you and the Data Protection Board of India as required by DPDP §8(6).
10. Cookies, local storage, and trackers
The marketing website at this domain uses no advertising cookies and does not track you across other websites. For aggregate traffic insight we use Plausible Analytics, a privacy-friendly service that is cookieless — it sets no cookies, collects no personal data, and does not follow you across sites; all metrics are anonymous and aggregated. We use Google Fonts, which may set a short-lived cookie when fonts load. The KitchenOS app stores authentication tokens and offline cache in your device's secure storage; these are not used for cross-site tracking.
11. Grievance Officer & how to reach us (DPDP §13)
Grievance Officer / Data Protection Officer: Snehalatha Ganaky (snehalatha@ganakys.com).
Email: grievance@ganakys.com
We acknowledge complaints within 7 days and aim to resolve them within 30 days, per DPDP §13(3).
If you are not satisfied with our response, you have the right to escalate to the Data Protection Board of India once it is constituted under DPDP §18.
12. Changes to this policy
We will update this notice when our processing changes — for example, when we add a new processor, change retention, or add a new data class. Material changes will be flagged in-app and on this page. The "Last updated" date at the top of this page is always the most recent revision.
13. Governing law
This privacy notice and any dispute arising out of it are governed by the laws of India. Courts in Bengaluru, Karnataka have exclusive jurisdiction.
See also: Terms of Service.