Legal · DPDP 2023 notice

Privacy Policy

Effective · v1.1

Tamil translation available on request — write to privacy@replate.in. தமிழ் மொழிபெயர்ப்பு கேட்டால் கிடைக்கும்.

This notice is issued under section 5 of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"). It explains what personal data we collect about you, why we collect it, who we share it with, and the rights you have over it.

1 · Who we are

Replate ("we", "us") is a clinical nutrition practice operated by Saraswathi Usha from Bengaluru — 560 061, Karnataka, India. For the purpose of the DPDP Act, we are the Data Fiduciary for the personal data described below.

2 · What data we collect

  • Identity & contact: name, date of birth, gender, phone number, email address, residential location.
  • Health data (sensitive personal data under SPDI Rules): medical history, current conditions, prescribed medications, allergies, family history, vitals (weight, height, BMI, blood pressure, pulse), lab results (HbA1c, lipid panel, hormonal panels, vitamin levels), recall of recent meals, measurements you log between consults.
  • Consultation records: appointment metadata, consultation notes, plans we issue you, your feedback on those plans.
  • Operational: a session cookie (rp-role) to keep you signed in, a one-time cookie (rp-consent) to remember that you have seen this notice. We do not run third-party analytics or advertising trackers.

3 · Why we collect it (purpose)

  • To deliver clinical nutrition consultations you have booked.
  • To prepare and review your personalised plan and track outcomes over time.
  • To send you appointment reminders, follow-up messages and your plan documents — typically by email, and via WhatsApp deep-links that the doctor opens with the message pre-filled. Once you send such a message, WhatsApp Inc. processes its contents under its own privacy terms.
  • To meet our record-keeping obligations under applicable Indian health and tax law.
  • To improve our practice in aggregate (de-identified analytics only — we never share your individual data for this purpose).

4 · Lawful basis

We process your data primarily on the basis of your explicit, informed consent obtained at the time of patient intake (DPDP Act §6). For appointment scheduling and payment records we additionally rely on the contract between us. We do not rely on "legitimate interest" for any health data.

5 · How we share it

  • Within the practice: only the treating clinician and operations admin see your record.
  • Service providers (Data Processors): Supabase (database hosting, India region ap-south-1) and Resend (transactional email). Both are bound by data-processing agreements limiting use of your data to providing the service.
  • Lab partners: only when you choose to order tests through us, and only the data needed to fulfil that order.
  • Disclosures by law: where required by Indian law, court order, or to protect a person from imminent harm.
  • We do not sell your data and do not share it with advertisers.

6 · Where it is stored

Personal data is stored in India (ap-south-1, Mumbai) on Supabase. Email transit goes through Resend, processed in their Tokyo region (ap-northeast-1) — only the contents of the email message itself (subject, body, your email address), not your full record. Resend retains delivered email bodies for up to 30 days for delivery diagnostics, after which they are deleted. We do not transfer your medical record outside India.

7 · How long we keep it

  • Patient records: minimum 3 years from your last consultation (Indian Medical Council professional norms), maximum 7 years thereafter unless you request earlier deletion.
  • Audit logs: 1 year from event. We keep these as a security-of-processing measure under DPDP §8(4) — they record who accessed which record and when — so they are retained independently of erasure requests for the underlying records.
  • Marketing email opt-in: until you withdraw.

8 · Your rights as Data Principal

Under the DPDP Act and the SPDI Rules you have the right to:

  • Access a summary of the personal data we hold about you.
  • Correct, complete, or update any inaccurate data.
  • Erase your data, subject to the retention rules above and any legal obligation we are under to keep it. We may retain clinical records to comply with medical record-keeping obligations under Indian Medical Council norms; where we do, we will erase identifiers from non-clinical fields and stop all future contact.
  • Withdraw consent at any time. Withdrawal does not affect processing already done in good faith.
  • Nominate another individual to exercise these rights on your behalf in case of incapacity (DPDP §14).
  • Grievance redressal: write to our Grievance Officer (below) — we will respond within 30 days.

To exercise any of these rights, email privacy@replate.in from the email address on file. We may ask one verification question to confirm identity.

9 · Children

We do not knowingly create patient records for children under 18 in their own name. Where treatment involves a minor, the parent or lawful guardian is the Data Principal and must give consent on the child's behalf (DPDP §9).

10 · Security

We follow reasonable security practices proportionate to the sensitivity of health data: TLS in transit, encryption at rest, role-based access, audit logging on every record read or write, minimum-privilege service credentials, and regular review of access. No system is perfectly secure; if we ever experience a breach affecting your data, we will notify you and the Data Protection Board within the timelines required by law. We maintain an internal incident-response runbook that defines who decides what, and when, if a breach occurs. We are not currently a Significant Data Fiduciary under DPDP §10; should the Government notify thresholds that designate us as one, we will take on the additional obligations that follow — such as appointing a Data Protection Officer and carrying out periodic audits — and update this notice.

11 · Automated decision-making

We do not make automated decisions about your treatment, eligibility, or pricing. Every recommendation in your plan is composed by your treating clinician and reviewed before you receive it.

12 · Cookies

We use only first-party cookies that are strictly necessary for the service. We do not set advertising or analytics cookies and do not allow third parties to do so on our pages.

  • rp-role — a session cookie identifying your role for the duration of your visit.
  • rp-consent — a 365-day cookie that remembers you have seen this notice so we don't show it again.

13 · Changes to this policy

We will publish a new version of this policy with a fresh effective date if we make material changes. Where the change affects how we process data you have already given us, we will ask for fresh consent before relying on the new basis.

14 · Grievance Officer

Saraswathi Usha
Grievance Officer · Replate
privacy@replate.in
Bengaluru — 560 061, Karnataka, India

Questions? Email privacy@replate.in · revisit this notice at replate.in/privacy · read the companion Terms of Service.