01 Scope & definitions
This Privacy Policy explains how Appneurons Technologies Private Limited ("Fitrofy", "we", "us", "our") collects, processes, stores and protects information when you use Fitrofy's website (fitrofy.com), web app (ai.fitrofy.com), mobile applications, and related services (together, the "Services").
It applies to all users — visitors, registered account holders, paid subscribers, and users referred to us by healthcare partners. By using the Services, you agree to the practices described here.
"Personal Data" means information that identifies or can be used to identify you, including health-related information such as your diet logs, body measurements and condition data. We treat health information with extra care, as required by Indian law and global standards.
02 What we collect
Account information
Name, email address, phone number (optional), age, sex assigned at birth, height, weight, country, and password (stored as a salted hash — we never see your plaintext password).
Health & nutrition data
Food logs you create (meals, ingredients, portions, photos and voice recordings used to identify food), goals (weight loss, diabetes management, PCOS, hypertension, cholesterol, pre-diabetes), and protocol thresholds derived from those goals.
If you choose to enter them: HbA1c, fasting glucose, blood pressure, lipid panel, and medications. Entering these is optional and always opt-in.
Wearable & device data
If you connect a wearable (Apple Health, Google Fit, Fitbit, or similar), we receive steps, active minutes, weight readings and heart-rate metrics. You control which permissions you grant; you can revoke them anytime.
Usage & technical data
App opens, feature interactions, crash logs, device model, OS version, IP address, and timezone. We use this to fix bugs, improve performance, and understand which features are working.
Payment data
If you subscribe, our payment processors (Razorpay, Stripe, Apple App Store, Google Play) handle your card or UPI details. We never store full card numbers or CVV. We receive only the transaction status, amount, last 4 digits, and a tokenised reference.
03 How we collect it
- Directly from you — when you create an account, log meals, set goals, or chat with Naysha (our AI coach).
- Automatically — when you use the Services, via cookies, analytics SDKs (Google Analytics, Firebase) and crash reporters.
- From wearables & integrations — only after you grant explicit permission within your device's health platform.
- From healthcare partners — if you reach Fitrofy through a partner (e.g. a hospital or diagnostics chain), they may share a referral identifier and your stated condition with us, with your consent.
04 Why we use it
We use your data only for the purposes below:
- To provide the Services — score your meals, compute your daily zone, generate swaps, and run Naysha's coaching.
- To personalise the experience — adapt protocols to your condition (e.g. lower glycemic-load thresholds for diabetes).
- To process subscriptions and send transactional emails about your account.
- To improve the product — analyse aggregate, anonymised patterns to find which features help users hit their goals.
- To communicate with you — important service updates, security alerts, and (only if you opt in) marketing messages.
- To comply with legal obligations — respond to lawful requests from authorities, prevent fraud, and protect rights, property and safety.
We do not use your health data to train third-party AI models. We do not sell your data. We do not share it with advertisers.
05 Who we share it with
We share data only with the following categories of third parties, and only to the extent necessary:
- Cloud infrastructure — Google Cloud Platform (GCP) for hosting and storage.
- AI processing — Google's Gemini API for natural-language understanding when you chat with Naysha. Under our enterprise terms, inputs are processed but not retained for model training.
- Analytics & crash reporting — Google Analytics, Firebase, and similar services to monitor product health.
- Payment processors — Razorpay, Stripe, Apple, Google.
- Email & messaging — transactional providers (e.g. SendGrid, MSG91, WhatsApp Business API) to deliver service messages.
- Healthcare partners — only if you were referred by one and only the data you've consented to share.
- Legal authorities — when required by law, court order or to prevent harm.
All third parties are contractually bound to handle your data in line with this policy and applicable law.
06 Storage & security
Your data is stored on Google Cloud Platform infrastructure, with servers primarily in the Asia-South region (Mumbai, India). Where data needs to cross borders (for example, certain AI processing), we ensure adequate safeguards under Indian and EU data-protection standards.
We use industry-standard protections, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control — only authorised personnel can access production systems, and only when necessary
- Audit logging of access to health-related records
- Regular vulnerability scanning and dependency updates
- Penetration testing by independent security firms
No system is perfectly secure. If we ever experience a breach affecting your data, we will notify you in accordance with applicable law.
07 Retention & deletion
We keep your data only as long as we need it:
- Active account data — kept for as long as your account is active.
- Food photos used for AI identification — discarded after 90 days unless you've saved them to a meal in your log.
- Voice recordings — transcribed and discarded within 30 days. The transcribed text remains in your log if you saved it.
- Inactive accounts — accounts unused for 24 months may be archived; we'll email you before any action.
- Deleted accounts — when you delete your account, we remove your personal data within 30 days, except where law requires us to retain certain records (e.g. tax invoices for 8 years).
- Anonymised aggregates — we may retain aggregated, non-identifiable statistics indefinitely for product research.
08 Your rights
Under India's Digital Personal Data Protection Act and similar frameworks, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correct — fix any inaccurate or incomplete data.
- Delete — ask us to remove your account and personal data (limits in §07 apply).
- Port — export your nutrition data in a machine-readable format.
- Withdraw consent — opt out of marketing, revoke wearable permissions, disconnect partner integrations.
- Complain — to the Data Protection Board of India if you believe we've mishandled your data.
To exercise any of these rights, email support@fitrofy.com. We respond within 7 business days and resolve verified requests within 30 days.
09 Children & minors
Fitrofy is intended for users aged 18 and above. We do not knowingly collect personal data from anyone under 18.
If you are a parent or guardian and believe your child has provided us with personal data, please email support@fitrofy.com. We will delete the account and associated data promptly.
10 Changes & contact
We may update this Privacy Policy from time to time. Material changes will be notified by email or in-app at least 14 days before they take effect. The "Effective" date at the top of this page reflects the current version.
Contact us
For any privacy questions, concerns, or to exercise your rights:
Appneurons Technologies Private Limited
Email: support@fitrofy.com
Our Data Protection Officer reviews all privacy correspondence and reports directly to the company's leadership.