1. Introduction
Welcome to Kefilo.
Kefilo ("Kefilo", "we", "us", or "our") is a health and nutrition food delivery brand operating through its website, mobile application, and connected systems (together, the "Platform"). We are committed to providing personalised, nutrition-first meals designed to support your health and wellness goals. We deeply respect your privacy and are committed to protecting your personal data.
This Privacy Policy ("Policy") describes:
The types of personal data we collect from you when you access or use our Platform and Services;
How we collect, use, retain, share, and protect your personal data;
Your rights as a Data Principal under Indian law; and
How to contact us for any privacy-related queries or grievances.
This Policy applies to all users of the Platform, including customers who browse, register, order meals, or otherwise interact with Kefilo's Services. This Privacy Policy applies not only to our website but also to:
Mobile applications operated by Kefilo
Smart vending machines, IoT-enabled devices, and connected kitchen systems
APIs, dashboards, and partner-integrated platforms
Any software, hardware, or digital interface through which Kefilo Services are delivered
Please read this Policy carefully before using the Platform.
By accessing or using our Platform and/or registering for an account, you acknowledge that you have read, understood, and provide your informed and free consent to the collection, use, storage, and disclosure of your personal data as described herein.
If you do not agree with this Policy, please discontinue your use of the Platform.
2. Key Definitions
For the purposes of this Policy, the following terms shall have the meanings ascribed to them below:
"Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the Digital Personal Data Protection Act, 2023.
"Sensitive Personal Data or Information (SPDI)" means personal data as classified under Rule 3 of the IT (SPDI) Rules, 2011, including passwords, financial information, health data, and biometric data.
"Data Principal" means the natural person (you, the user) whose personal data is being processed.
"Data Fiduciary" means Kefilo, which determines the purpose and means of processing your personal data.
"Processing" means any operation performed on personal data, including collection, storage, use, sharing, or deletion.
"Services" means all products, services, content, features, and functionality offered by Kefilo through the Platform, including meal ordering, nutritional content, and gym-partner integrations.
"Consent Manager" refers to any registered entity through which you may provide, manage, review, or withdraw your consent for processing of personal data.
3. Eligibility and Permissible Age
Our Services are intended for individuals who are 18 (eighteen) years of age or above and are competent to contract under the Indian Contract Act, 1872. By using our Platform, you represent and warrant that you are at least 18 years old.
If you are a parent or legal guardian seeking to place an order on behalf of a minor, you may do so only with your explicit consent and under your supervision.
We do not knowingly collect personal data directly from individuals below the age of 18. If we discover that personal data of a minor has been collected without valid parental consent, we will delete it promptly.
We are committed to complying with Section 9 of the Digital Personal Data Protection Act, 2023 regarding the processing of children's personal data.
4. Information We Collect
4.1 Information You Provide to Us
When you register, place an order, or interact with the Platform, we may collect the following:
Identity Information: Full name, date of birth, gender, and profile photograph.
Contact Information: Email address, mobile number, delivery address, city, state, and PIN code.
Account Credentials: Username and encrypted password for your account.
Order and Transaction Information: Meal preferences, dietary restrictions (e.g., veg/non-veg), order history, special instructions, and billing details.
Health and Nutrition Information: Health goals, fitness goals, dietary requirements, allergies, and nutritional preferences that you voluntarily share to enable personalised meal recommendations.
Payment Information: We do not store your credit/debit card details or net banking credentials directly. Payments are processed through third-party payment gateways.
Communication Data: Messages, queries, feedback, or complaints you send to us via email, contact forms, WhatsApp, phone or other means of communication.
Gym & Partner Data: If you avail Services through our gym & other partner programmes, we may collect information related to your gym membership, fitness or other activity as shared with your consent.
4.2 Information Collected Automatically
When you access and navigate our Platform, we automatically collect certain technical and usage data, including:
Device Information: Device type, operating system, browser type and version, screen resolution, and unique device identifiers.
Log and Usage Data: IP address, referring URLs, pages visited, links clicked, time and date of access, session duration, and search queries on the Platform.
Location Information: General location data derived from your IP address. If you enable location permissions on your device, we may collect precise GPS-based location to improve delivery accuracy and offer location-specific services.
Cookies and Tracking Technologies: Please refer to Section 8 of this Policy for details on our use of cookies and similar technologies.
4.3 Information from Third Parties
We may receive personal data about you from:
Third-Party Login Providers: If you choose to log in using Google or other supported third-party authentication services, we receive your name, email address, and profile picture as shared by such service.
Payment Processors: Our payment partners may share transaction confirmation and fraud-prevention data with us.
Referrals: If you are referred to Kefilo by another user or our gym & other partner, we may receive basic contact information to facilitate onboarding.
Note:
The health and nutritional data you provide is used exclusively to customise your meal plans. It is not intended to substitute for professional medical advice, diagnosis, or treatment.
Always seek the advice of your physician or other qualified health provider with any questions you may have regarding a medical condition.
Where we receive your personal data from third parties, we use it only for the purposes described in this Policy and consistent with the permissions you granted to those third parties.
4.4 Mobile Application Permissions and Device Access
When you use Kefilo’s mobile application, we may request access to certain features of your device, including:
Location (precise GPS) for delivery tracking and location-based services
Camera for profile setup, QR scanning (e.g., vending machines, gym integrations)
Storage/Media for uploading images or documents
Notifications for order updates, health reminders, and promotions
Bluetooth or nearby device access (for IoT or smart vending interactions, where applicable)
You may control or revoke these permissions through your device settings. However, disabling certain permissions may limit functionality.
4.5 Data from Smart Devices and IoT Systems
Kefilo may collect data from connected devices such as smart vending machines, IoT-enabled kitchen equipment, or wearable-integrated systems. This may include:
• Food selection and consumption patterns
• Interaction logs (QR scans, device usage)
• Device performance and diagnostics data
• Time-based consumption behaviour
Such data is used to improve service efficiency, personalize nutrition offerings, and enhance system performance.
4.6 Offline and Physical Interaction Data
We may collect data when you interact with Kefilo through offline or semi-digital touchpoints such as:
• Smart vending machines
• QR-based ordering at gyms, hospitals, or kiosks
• Franchise carts or partner outlets
This may include transaction data, device identifiers, and interaction logs.
5. How We Use Your Personal Data
We collect and process your personal data only for lawful purposes, primarily to provide and improve our Services and to fulfil our obligations under applicable law.
The key purposes for which we use your data are:
Service Delivery: To process and fulfil your meal orders, manage deliveries, confirm transactions, and send order-related notifications.
Account Management: To create and maintain your Kefilo account, authenticate your identity, and manage your account preferences.
Personalised Nutrition: To analyse your health goals, dietary preferences, and order history to curate personalised meal recommendations suited to your wellness objectives.
Customer Support: To respond to your queries, complaints, and feedback, and to resolve disputes effectively.
Payment Processing: To facilitate secure payments, process refunds, and prevent fraudulent transactions.
Marketing and Promotions: With your prior consent, to send you updates about new meal offerings, health tips, exclusive offers, discount notifications, and newsletters via email, SMS, or WhatsApp. You may opt out at any time.
Platform Improvement: To understand usage patterns, conduct internal research, perform analytics, and enhance the features and performance of our Platform.
Safety and Security: To detect, prevent, and address technical issues, fraud, abuse, or violations of our Terms of Use.
Legal Compliance: To comply with applicable Indian laws, regulations, and valid legal orders from governmental or judicial authorities.
Gym & other Partner Integration: To coordinate with our gym & other partners and deliver integrated wellness benefits to our mutual customers with your consent.
Automated Processing and AI-Based Personalisation: Kefilo may use artificial intelligence, machine learning models, and algorithmic systems to generate personalised meal plans, recommend food based on health inputs and behaviour, and predict user preferences and nutritional needs. These systems operate on probabilistic logic and may not always be fully accurate. They are designed to assist, not replace, professional medical or nutritional advice.
Push Notifications & In-App Communication: This may include in-app notifications, push notifications, and real-time alerts within the mobile application.
Cross-Platform Data Syncing: Your data may be synchronised across different Kefilo platforms, including website, mobile application, and connected devices, to ensure a seamless and consistent user experience.
We process your personal data on the following legal bases under the Digital Personal Data Protection Act, 2023:
Your free, specific, informed, and unambiguous consent (as the primary basis);
Performance of a contract or order you have placed;
Compliance with a legal obligation; and
Legitimate interests of Kefilo, where they do not override your fundamental rights.
Kefilo adheres to the principles of data minimisation and purpose limitation and collects only such personal data as is necessary for the specific purposes outlined in this Policy.
6. Sensitive Personal Data or Information (SPDI)
Under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, certain categories of personal data are treated as Sensitive Personal Data or Information (SPDI) and require heightened protection.
Kefilo may collect and process the following categories of SPDI where you voluntarily provide them:
Health and nutritional data (dietary restrictions, health conditions, fitness goals) — to personalise your meal plans;
Financial information (bank account details for refunds processed via payment gateway);
Passwords (stored in encrypted form only).
We collect SPDI only with your explicit consent and use it solely for the purpose for which it was collected. We do not sell, transfer, or disclose SPDI to any third party without your consent, except as required by law or for the performance of a lawful contract.
We do not collect biometric data, sexual orientation data, or any other SPDI not listed above.
Kefilo does not act as a medical service provider. Any health-related insights, recommendations, or meal plans generated through the Platform are informational in nature and should not be treated as medical advice, diagnosis, or treatment.
7. How We Share Your Personal Data
We do not sell, rent, or trade your personal data. We share your data only in the following circumstances:
7.1 Service Providers and Vendors
We share data with trusted third-party service providers who assist us in operating our business, including:
Delivery and logistics partners (for order fulfilment);
Payment gateway and processing partners (for secure payment transactions);
Cloud hosting and IT infrastructure providers;
Email and SMS communication platforms;
Analytics and marketing service providers.
All such partners are bound by confidentiality obligations and are permitted to use your data only for the specific purpose for which it is shared.
7.2 Gym and Wellness Partners
If you access Kefilo's Services through our partner gym programmes or other partner programmes, we may share limited information (such as your name and contact details) with the relevant gym partner to facilitate the programme, subject to your prior consent.
7.3 Legal and Regulatory Authorities
We may disclose your personal data to government authorities, law enforcement agencies, courts, or other regulatory bodies if required to do so by law, court order, or governmental directive under any applicable Indian law, including the Information Technology Act, 2000 or the Digital Personal Data Protection Act, 2023.
7.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or a part of Kefilo's business, your personal data may be transferred to the acquiring entity, subject to equivalent data protection commitments.
7.5 With Your Consent
In any other circumstances not listed above, we will share your personal data with third parties only with your explicit consent obtained at the time of such sharing.
7.6 API and Technology Integrations
Kefilo may provide or integrate with APIs, partner platforms, and third-party systems (including gyms, hospitals, and corporate partners).
Where such integrations exist:
• Data sharing is limited to what is necessary
• Partners act as independent data fiduciaries where applicable
• Users may be subject to the privacy policies of such partners
8. Cookies and Tracking Technologies
Our Platform uses cookies, web beacons, pixel tags, and similar technologies to enhance your experience and collect usage data.
The types of cookies we use are:
Essential Cookies: Necessary for the Platform to function correctly (e.g., session management, authentication). These cannot be disabled.
Functional Cookies: Remember your preferences (e.g., language, delivery address) to provide a personalised experience.
Analytics Cookies: Help us understand how users interact with our Platform (e.g., Google Analytics). Data collected is anonymised and aggregated.
Marketing/Advertising Cookies: Used to serve relevant advertisements and track campaign performance, where you have consented to receive marketing communications.
You can control and manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform. By continuing to use our Platform with your browser set to accept cookies, you consent to our use of cookies as described in this Policy.
9. Data Storage and Retention
Your personal data is stored on secure servers located within India. In cases where data is processed or stored outside India (for example, by third-party cloud infrastructure providers), such transfers shall be made only to countries and entities that meet the data protection standards notified by the Government of India under the Digital Personal Data Protection Act, 2023.
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including for satisfying legal, regulatory, accounting, or reporting obligations.
The general retention principles are:
Account data: Retained for the duration of your account and for up to 3 (three) years after account closure.
Order and transaction data: Retained for a period of 7 (seven) years as required under applicable Indian tax and financial regulations.
Health and dietary data: Retained for the duration of your account and deleted within 90 days of a deletion request, unless required by law.
Communication records: Retained for 2 (two) years for customer service and dispute resolution purposes.
Note:
Once retention periods expire, or upon a valid deletion request, we shall securely delete or anonymise your personal data so that it is no longer identifiable to you.
10. Security of Your Personal Data
Kefilo takes the security of your personal data seriously and implements reasonable security practices and procedures as mandated under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Our security measures include:
Encryption of data in transit using SSL/TLS protocols;
Encryption of passwords and sensitive data at rest;
Restricted access to personal data on a need-to-know basis;
Regular security assessments and vulnerability testing;
Contractual security obligations imposed on our third-party service providers.
Despite our best efforts, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account.
Notifications of data breaches may also be communicated via in-app alerts or push notifications, where applicable. In the event of a personal data breach that is likely to result in a risk to your rights, we shall notify you and the relevant authority in accordance with the obligations prescribed under the Digital Personal Data Protection Act, 2023.
11. Your Rights as a Data Principal
As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights with respect to your personal data:
Right to Access: You have the right to obtain a summary of the personal data we hold about you and information about how it is being processed.
Right to Correction and Erasure: You may request that we correct inaccurate or incomplete personal data, or erase your personal data where it is no longer necessary for the purpose for which it was collected.
Right to Withdraw Consent: You may withdraw your consent for the processing of your personal data at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal, but may result in us being unable to continue providing certain Services.
Right to Grievance Redressal: You have the right to raise a grievance with our Grievance Officer regarding any aspect of the processing of your personal data.
Right to Nominate: You may nominate another individual to exercise your rights on your behalf in the event of your incapacity or death.
Right to Complaint: If your grievance is not resolved to your satisfaction, you have the right to file a complaint with the Data Protection Board of India, once established under the DPDPA.
To exercise any of the above rights, please contact our Grievance Officer as detailed in Section 14 of this Policy. We will respond to your request within a reasonable period, and in any case, within the timelines prescribed under applicable law.
Users may also exercise certain controls directly within the mobile application, including:
• Managing notification preferences
• Updating personal and dietary information
• Deleting account or requesting data deletion
12. Third-Party Websites and Links
Our Platform may contain links to third-party websites, applications, or services (including payment gateways, social media platforms, and gym partner websites).
This Policy does not apply to any third-party platforms. We are not responsible for the privacy practices or the content of such third-party websites.
We strongly encourage you to review the privacy policies of any third-party websites or services you visit through links on our Platform before providing any personal data to them.
13. Updates to This Privacy Policy
We reserve the right to update or amend this Privacy Policy from time to time to reflect changes in applicable law, our data practices, the features of our Services, or advances in technology.
Any material changes will be notified to you via:
A prominent notice on the Platform; and/or
An email or SMS notification to your registered contact details.
The updated Policy will be effective from the date of its publication on the Platform. Your continued use of our Services after such update constitutes your acceptance of the revised Policy.
If you do not agree with the revised Policy, you should stop using the Platform and may request deletion of your account.
14. Grievance Officer and Contact Details
In accordance with the Information Technology Act, 2000 and the rules made thereunder, and the Digital Personal Data Protection Act, 2023, Kefilo has appointed a Grievance Officer to address any concerns or queries related to the processing of your personal data.
If you have any questions, grievances, or requests regarding this Privacy Policy or the processing of your personal data, please contact:
Grievance Officer
Name: Pabitra Kumar Das
Designation: Grievance Officer, Kefilo
Email: pabitra@kefilo.com
Phone: [+91 8310356039]
Address: Bhubaneswar
Response time: We shall acknowledge all grievances within 48 hours and endeavour to resolve them within 30 (thirty) days of receipt, as required under applicable law.
If you are not satisfied with the resolution provided by the Grievance Officer, you may, upon the establishment of the Data Protection Board of India under the Digital Personal Data Protection Act, 2023, escalate your grievance to the Board.
15. Governing Law and Jurisdiction
This Privacy Policy is governed by and shall be construed in accordance with the laws of India, including but not limited to:
The Information Technology Act, 2000 and the rules framed thereunder;
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021; and
The Digital Personal Data Protection Act, 2023.
Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in Cuttack, India.
The same jurisdiction applies to the digital Platform irrespective of the mode of access, including website, mobile application, or device-based interaction.
By using the Kefilo Platform and Services, you acknowledge that you have read, understood, and agreed to this Privacy Policy. Thank you for trusting Kefilo with your health journey.
— Kefilo Team —