Privacy Policy
Effective date: 14 April 2026 · Version 1.1
This policy explains what data KiloCare collects, why, how it is protected, and your rights over it. If you have questions, email our Data Protection Officer at privacy@kilocare.in.
1. Who We Are
KiloCare is a clinical weight management technology platform operated by Agentic Organizations, Mohali, Punjab, India (“KiloCare,” “we,” “us,” “our”). We connect eligible patients with independent, NMC-registered physicians for supervised GLP-1 therapy. We are a technology intermediary — not a hospital, clinic, or healthcare provider.
This policy applies to kilocare.in and all associated services. It is written in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and the Telemedicine Practice Guidelines, 2020.
2. Data We Collect
2.1 Personal Data You Provide
- Identity: Name, phone number, email address.
- Demographic: Age, date of birth, gender.
- Sensitive Personal Data (SPDI): Height, weight, BMI, medical history, current medications, allergies, lab results, and clinical assessment responses you provide during screening. This is classified as Sensitive Personal Data or Information under Indian law and is subject to enhanced protections throughout this policy.
- Consultation data: Notes created by your physician, e-prescriptions, and — only with your explicit, separate consent — video recordings of consultations.
- Payment data: Transaction records only. We do not store card numbers. Payments are processed by PCI-DSS compliant third-party processors using tokenisation.
2.2 Data Collected Automatically
- Usage data: Pages visited, time on page, clicks, device type, browser, operating system, and IP address.
- Analytics data: Collected via Google Analytics 4 (measurement ID G-E2YTYWF9QD) and Meta Pixel (ID 2224149031662950) only after you grant cookie consent. These tools receive anonymised behavioural data. No health or clinical data is ever shared with these providers. See Section 9 for details.
- UTM / attribution parameters: Campaign source, medium, and name from advertising links, stored in your browser and used for internal analytics only.
3. Legal Basis for Processing
- Explicit consent: Analytics and advertising cookies (granted via the cookie banner on your first visit); video recording of consultations (separate in-call consent); WhatsApp communications (separate opt-in).
- Contractual necessity: Processing required to deliver the clinical services you have enrolled in.
- Legal obligation: Retention of medical records as required by Indian medical regulations (minimum 3 years).
- Legitimate interest: Fraud prevention, platform security, and service improvement — balanced against your privacy rights.
4. How We Use Your Data
- To facilitate clinical screening and teleconsultation by NMC-registered physicians.
- To coordinate prescription fulfilment through licensed pharmacy partners.
- To provide care coordination: follow-up check-ins, care guidance, and nutrition support.
- To communicate with you via WhatsApp or email, for purposes you have consented to.
- To measure advertising effectiveness using anonymised, aggregated data (analytics cookies only, with consent).
- To comply with Indian laws, regulations, and lawful legal processes.
- To improve platform safety and clinical protocols through de-identified aggregate analysis.
We do not sell your personal data to any third party. We do not use your health or clinical data for advertising targeting, audience profiling, or behavioural segmentation.
5. Data Sharing
We share your data only with the following categories of recipients, and only to the extent necessary:
5.1 Your Clinical Team
- Prescribing physician: Independent NMC-registered specialist who needs your medical history to provide care.
- Clinical nutritionist and care coordinator: Limited to information required for their specific role. They do not have access to your full medical record.
5.2 Service Providers (Data Processors)
All third-party processors are bound by written Data Processing Agreements that require them to protect your data to at least the same standard as this policy.
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Supabase | Database & authentication | All user data | India (ap-south-1) |
| Payment processor | Payment handling | Transaction data (tokenised); no health data | India |
| Licensed pharmacy partner(s) | Prescription fulfilment & delivery | Name, delivery address, prescription | India |
| Google Analytics 4 | Website analytics (consent required) | Anonymised usage data only; no health data | Google servers (see Section 7) |
| Meta Pixel | Ad effectiveness measurement (consent required) | Anonymised behavioural signals only; no health data | Meta servers (see Section 7) |
5.3 Law Enforcement
We disclose data to law enforcement or regulatory authorities only when required by a valid court order or applicable Indian law. We will notify you of such requests to the extent legally permitted.
6. Data Retention Schedule
| Data type | Retention period | Basis |
|---|---|---|
| Medical records & prescriptions | Minimum 3 years from last consultation | Telemedicine Guidelines 2020; statutory |
| Video consultation recordings | 7 days, then auto-deleted | QA & compliance only |
| Account & identity data | Active account lifetime + 12 months | Service delivery |
| Payment records | 7 years | Income Tax Act, GST regulations |
| Marketing communications consent | Until withdrawal + 36 months | Consent audit trail |
| Anonymised analytics data | Indefinitely (non-identifiable) | Service improvement |
On account deletion request, all non-medical personal data is deleted within 30 days. Medical records that must be retained by law are archived with access restricted to authorised clinical and compliance personnel only.
7. Cross-Border Data Transfers
Your clinical and personal data is stored in India (Supabase ap-south-1, Mumbai region) and does not leave India without your explicit written consent.
When you accept analytics cookies, anonymised behavioural data is processed by Google (Google Analytics 4) and Meta (Meta Pixel) on servers outside India. These providers process only anonymised usage signals — not your name, health data, or clinical records. Both Google and Meta maintain internationally recognised data protection standards (GDPR adequacy frameworks, Standard Contractual Clauses) and are subject to Data Processing Agreements with us. By accepting analytics cookies, you consent to this limited cross-border transfer of anonymised data.
If you decline analytics cookies, no data is transferred outside India.
8. Data Security
- Encryption in transit: TLS 1.2+ on all connections.
- Encryption at rest: AES-256 for all stored data.
- Access controls: Role-based access. Your health data is accessible only to your assigned care team and is segregated from marketing and analytics systems.
- Audit logging: All access to clinical records is logged with timestamp and user identity.
- Vulnerability management: Regular security assessments and penetration testing.
8.1 Breach Notification
In the event of a data breach that is likely to result in risk to your rights or interests:
- We will notify affected users within 72 hours of discovery via email and in-app notification.
- The notification will include: nature of the breach, categories and approximate number of individuals affected, likely consequences, steps we have taken or propose to take, and what you can do to protect yourself.
- We will report material breaches to the relevant Indian regulatory authority as required by the DPDP Act.
9. Cookies & Tracking
9.1 Essential Cookies
Required for the platform to function (session management, authentication, security). These cannot be opted out of while using the service.
9.2 Analytics & Advertising Cookies (Consent Required)
We use the following tools, activated only after you accept cookies via the consent banner on your first visit:
- Google Analytics 4 (measurement ID: G-E2YTYWF9QD) — tracks page views, scroll depth, and conversion events (e.g., form completion). No health data is included. Data is processed by Google LLC. You can opt out at any time using the Google Analytics Opt-out Browser Add-on.
- Meta Pixel (ID: 2224149031662950) — measures ad effectiveness by recording whether users who saw a KiloCare ad subsequently completed certain actions (e.g., submitting the intake form). Behavioural signals only; no health data is shared. Data is processed by Meta Platforms, Inc.
To withdraw cookie consent: Clear your browser's local storage for kilocare.in (DevTools → Application → Local Storage → delete “kilocare_cookie_consent”) and reload the page. The consent banner will reappear and you may choose to decline.
10. Your Rights Under the DPDP Act, 2023
You have the right to:
- Access: Request a copy of all personal data we hold about you. We will respond within 30 days.
- Correction: Request correction of inaccurate or incomplete data. We will respond within 30 days.
- Erasure: Request deletion of your personal data. Non-medical data is deleted within 30 days. Medical records required by law will be archived (not deleted) for the statutory retention period.
- Withdraw consent: Withdraw consent for analytics cookies (see Section 9.2), WhatsApp communications, or video recording at any time without affecting the lawfulness of prior processing.
- Grievance redressal: File a complaint with our Data Protection Officer (below). If not resolved to your satisfaction, you may escalate to the Data Protection Board of India.
- Nominee designation: Designate a nominee to exercise your data rights in the event of your death or incapacity, as provided under the DPDP Act.
To exercise any of these rights, email our DPO at privacy@kilocare.in with the subject line “Data Rights Request.”
11. Children's Privacy
KiloCare is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we discover that we have collected data from a minor without verifiable parental consent, we will delete it promptly.
12. Changes to This Policy
Material changes will be communicated via this website with an updated effective date, and — for active users — via direct notification on WhatsApp or email at least 14 days before the change takes effect. Continued use after the effective date constitutes acceptance of the updated policy.
13. Data Protection Officer
Data Protection Officer
Agentic Organizations
Mohali, Punjab, India
Email: privacy@kilocare.in
Response time: within 30 days of receipt
If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India as established under the DPDP Act, 2023.