Privacy Policy
Last Updated: May 2026
DPDP Compliance Notice (India)
In accordance with the Digital Personal Data Protection (DPDP) Act, 2023 of India, this Privacy Policy outlines how BellyBox processes, stores, and protects the personal data of its Indian users. By using our platform, you explicitly consent to the collection and processing of your personal data as described herein.
1. Personal Data We Collect
To provide subscription tiffin services, we collect and process the following categories of personal data:
- Identity Data: Full name, date of birth, username, gender, and profile picture (mandatory for KYC verification of home chefs).
- Contact Data: Phone number (mandatory for SMS/WhatsApp verification), email address, and precise physical delivery address.
- PWA & Mobile Permissions (Location Data): With your permission, our progressive web app (PWA) accesses your device's background and foreground GPS coordinates to facilitate accurate door-to-door delivery.
- Financial & Transaction Data: UPI handles, net banking preferences, and payment logs. All payments are processed securely by Razorpay Software Private Limited. We do not store full credit card numbers or banking PINs on our servers.
- App Interaction & Technical Data: IP address, device specifications, browser details, FCM device tokens (for push notifications), and crash logs.
2. Purpose of Processing Personal Data
We process your personal data under the lawful grounds of your explicit consent and for the performance of our subscription agreements:
- Onboarding & Verification: Verifying customer accounts and executing strict KYC / FSSAI checks for home chefs.
- Meal Deliveries: Sharing your name, phone number, and delivery address with our logistics network and home cooks to ensure successful delivery.
- Transaction Security: Secure processing of recurring UPI Autopay mandates and manual subscription renewals.
- Real-time Notifications: Sending critical order alerts, daily menu changes, skip/pause confirmation messages, and delivery tracking updates via Firebase Cloud Messaging (FCM) and WhatsApp.
3. Safe Data Sharing with Third Parties
We do not sell your personal data. We share only the necessary minimum data with vetted third parties strictly under confidentiality agreements:
- Home Chefs & Tiffin Vendors: Shared to enable meal preparation customized to diet preferences (e.g., veg/non-veg exclusions).
- Payment Partners (Razorpay): Transaction details are shared to process UPI, Netbanking, Cards, and recurring autopay mandates.
- Notification Vendors (FCM, Brevo): Data is utilized to trigger push notifications, emails, and WhatsApp transactional updates.
4. Data Storage and Retention
All personal data is stored securely in databases hosted inside India (Supabase) and file storage servers (Cloudflare R2). We retain your data as long as your account remains active. If you choose to delete your account or withdraw consent, we will permanently delete or anonymize your personal data within 30 days, unless retention is mandated for legal, taxation, or audit compliance.
5. Your Rights as a Data Principal
Under the DPDP Act 2023, you hold the following rights:
- Right to Access & Correction: Review or update your profile data via the dashboard at any time.
- Right to Erasure: Request the deletion of your account and personal data.
- Right to Withdraw Consent: Revoke permissions for location tracking or marketing notifications, though this may impact core delivery operations.
6. Grievance Officer & Contact
For any inquiries regarding data protection, consent withdrawal, or to file a grievance, please contact our designated Grievance Officer:
Name: Vishal Ranjan
Designation: Data Protection & Grievance Officer, BellyBox
Email: hello@bellybox.in
Address: BellyBox Tech HQ, Bangalore, Karnataka, India.