Cookzy — Privacy Policy

How we collect, use, and protect your information. Last updated: 12-Jan-2024

Important Notice: This privacy policy has been prepared to comply with India's Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000 and rules made thereunder, the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA). For Indian users, this document also serves as the "Notice" required under Section 5 of the DPDPA, 2023.

Thank you for choosing to be part of our community at Upsway Services Private Limited, doing business as Cookzy ("Cookzy," "we," "us," or "our"). We are the data fiduciary / data controller in respect of personal data processed through the Cookzy mobile application and our website (together, the "App"). We are committed to protecting your personal data and your right to privacy.

If you have any questions or concerns about this privacy policy or our practices with regard to your personal information, please contact our Grievance Officer at contact@cookzy.in (see Section 15). This Privacy Policy should be read together with our Terms of Use and Refund Policy.



1. What Information Do We Collect?

Personal Information You Provide

We collect personal data that you voluntarily provide to us when you register, purchase a plan, contact a cook, or contact our support team.

Contact & Profile:
  • Name, email, phone number
  • Gender, date of birth
  • Cook preferences and cooking requirements
  • Address, city, and locality
  • Allergies and dietary restrictions you choose to share
Account & Usage:
  • Login credentials (passwords are stored as one-way salted hashes)
  • Messages, ratings, reviews, and feedback
  • Plan purchases, trial bookings, and call history
  • Communication preferences

Sensitive Personal Data (SPDI Rules, 2011)

In line with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, certain categories — including financial information, identity-document numbers, and any health-related information you choose to share — receive additional protection. We process such data only with your consent and only to the extent required to deliver the relevant Service.

Payment Processing: All payment-card and bank data is collected, processed, and stored by Razorpay Payments Pvt. Ltd. on their PCI-DSS compliant infrastructure. We do not directly store your full credit-card or bank-account details.

Information Automatically Collected

When you use our App, we automatically collect certain technical information:

  • Device Data: Device type, model, operating system, mobile advertising identifier (Android Advertising ID / Apple IDFA, where available and permitted by you), app version, and unique installation identifiers.
  • Log Data: IP address, network carrier, timestamps, screens viewed, taps, crashes, and diagnostic events.
  • Usage Data: Features used, plan and trial activity, daily call counts, and interaction patterns.
  • Location Data: Approximate location (derived from IP, city selection, or coarse device location). Precise device location is only collected if you grant the permission, and only while you actively use a feature that requires it.

Social Media Login Data

We may provide the option to register using social media accounts. If you choose this option, we collect information described in Section 6.


2. How Do We Use Your Information?

We process your personal data only for specific, lawful, and proportionate purposes — to deliver the Services you request, to comply with our legal obligations, and, where required, with your consent.

Core Services:
  • Account creation and authentication
  • Listing cooks, matching, and enabling contact
  • Processing plan purchases and trial bookings
  • Customer support and grievance handling
Improvements & Communication:
  • Service-related notices, OTPs, and security alerts
  • Marketing and promotional messages (only with your consent)
  • Personalising your experience and recommendations
  • Analytics, debugging, and Service improvement
Protection:
  • Detecting and preventing fraud, abuse, or circumvention of plan limits
  • Security monitoring and incident response
  • Enforcing our Terms of Use and other policies
Legal:
  • Complying with applicable laws, regulations, and tax obligations
  • Responding to lawful requests from courts, regulators, and law-enforcement authorities
  • Establishing, exercising, or defending legal claims

We will not use your personal data for any new purpose materially different from those listed above without notifying you and, where required, obtaining your fresh consent.


3. Legal Basis for Processing

Our legal basis for processing your personal data depends on which law applies to you:

Consent (DPDPA & GDPR):

For most processing, we rely on the consent you give when you sign up, accept this policy, or enable a specific feature (such as precise location or marketing communications). You can withdraw consent at any time as described in Section 11.

Contract Performance:

Processing necessary to provide the Services you have requested — for example, to list cooks for you, charge a plan fee, or deliver a Trial & Hire booking.

Legitimate Uses (DPDPA Section 7) / Legitimate Interests (GDPR):

Where the law permits, we process data for fraud prevention, security, network and information security, debugging, defending legal claims, and other narrow legitimate uses recognised under the DPDPA and the GDPR.

Legal Obligation:

Processing required to comply with applicable laws (e.g., tax, accounting, anti-money-laundering, lawful requests from authorities).


4. Will Your Information Be Shared?

We do NOT sell your personal information to third parties.

We may share your data in the following situations:

  • With cooks: When you choose to call or hire a cook, the cook may see your phone number, name, locality, and any preferences you shared (such as cuisine, schedule, dietary requirements). This sharing is essential to enable the introduction; it is not anonymised.
  • With service providers (data processors): Vetted third-party vendors who process data on our behalf and only on our instructions — for payment processing, hosting, communications (SMS, email, WhatsApp), analytics, and customer support tooling.
  • With your consent: Whenever you ask us to share your information with another party (for example, social media login).
  • For legal reasons: When required by law or by a regulator, court, or law-enforcement authority, or to protect the safety of any person, prevent fraud, or defend our legal rights.
  • In a corporate transaction: In connection with a merger, acquisition, financing, reorganisation, or sale of all or part of our business — we will require the recipient to honour this Privacy Policy.
  • Aggregated or anonymised: We may share aggregated or de-identified information that cannot reasonably be linked back to you.

5. Who Will Your Information Be Shared With?

Categories of third-party processors and partners we currently engage:

  • Payments: Razorpay Payments Pvt. Ltd.
  • Cloud & hosting: Google Cloud / Firebase
  • Analytics & crash reporting: Google Analytics, Firebase Analytics, Crashlytics, Sentry
  • Communications: SMS gateway providers, email service providers, WhatsApp Business API (where used for OTP or service messages)
  • Support tooling: Helpdesk and ticketing platforms used by our support team
  • Cooks: Independent cooks listed on the Mobile Application (only the limited information described in Section 4)

Each processor is bound by a written agreement requiring confidentiality, security safeguards, and use of your data only for the purposes we permit. A current list of sub-processors is available on request.


6. How Do We Handle Social Logins?

If you register or log in using a third-party identity provider (such as Google or Apple), we may receive:

  • Name and username
  • Email address
  • Profile picture
  • Other publicly available information that you have authorised the provider to share

We use this information only to create and operate your account. You can revoke our access at any time through the security settings of your identity provider.


7. Cookies and Tracking Technologies

We use cookies, mobile advertising identifiers (Android Advertising ID, Apple IDFA), and software development kits (SDKs) embedded in our App to operate, secure, and improve the Service.

Categories of trackers we use
  • Strictly necessary: Required for the App and website to function (sign-in, session security, fraud prevention).
  • Analytics: Help us understand which features are used and where users encounter difficulty.
  • Functional: Remember your preferences, language, and saved choices.
  • Advertising: Only used with your consent and only for measuring our own marketing campaigns. We do not engage in cross-site behavioural advertising.

You can reset or limit your mobile advertising identifier through your device settings, and you can manage cookies through your browser settings. Disabling certain trackers may impact App functionality.


8. How Long Do We Keep Your Information?

We retain personal data only for as long as it is necessary for the purposes described in this policy, or for as long as required by law.

  • Account data: Until you close your account, plus up to 90 days for backup rotation
  • Inactive accounts: May be closed after 12 months of continuous inactivity (see Terms of Use, Section 17)
  • Transaction & tax records: 8 years (Income Tax Act, GST law)
  • Marketing preferences: Until you opt out
  • Support communications: 2 years after the last interaction
  • Aggregated / anonymised analytics: Indefinitely (cannot be linked back to you)
  • Data required for legal claims: Until limitation period expires

Once a retention period ends, we securely delete or irreversibly anonymise the relevant data, in line with Section 8(7) of the DPDPA.


9. How Do We Keep Your Information Safe?

We implement reasonable technical and organisational security measures appropriate to the sensitivity of the data we process:

Technical measures:
  • Encryption in transit (TLS) and encryption at rest for sensitive data
  • Salted, one-way password hashing
  • Role-based access controls and audit logging
  • Network security, rate limiting, and abuse detection
Organisational measures:
  • Confidentiality obligations on all staff and processors
  • Access on a need-to-know basis, reviewed periodically
  • Security training and incident-response procedures
  • Periodic backups with restricted access
Important: No electronic transmission or storage system is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and notifying us promptly of any suspected unauthorised access.

10. Children's Privacy

Age requirement: Our App and Services are not directed to, and we do not knowingly collect personal data from, individuals below the age of 18 years.

If a person under 18 (a "Child" under the Digital Personal Data Protection Act, 2023) is required to be registered for any reason, we will only process their personal data with the verifiable consent of a parent or lawful guardian. We will not (a) undertake any tracking, behavioural monitoring, or profiling of a Child, or (b) target advertising at a Child, in line with Section 9 of the DPDPA.

If you are a parent or guardian and believe your child has provided us with personal data without your consent, please write to our Grievance Officer at contact@cookzy.in. We will verify the request and delete such information promptly.


11. Your Privacy Rights

Subject to applicable law, you have the following rights in respect of your personal data:

Right to Access

Obtain a summary of the personal data we hold about you and the processing activities we undertake with it.

Right to Correction

Request correction of inaccurate, misleading, or incomplete personal data.

Right to Erasure / Deletion

Request deletion of your personal data, subject to retention exceptions described in Section 8.

Right to Withdraw Consent

Withdraw consent at any time. Withdrawal is as easy as giving consent — simply email contact@cookzy.in with the subject line "Withdraw consent" or use the in-app settings where available. Withdrawal does not affect processing already done on the basis of your earlier consent.

Right to Object / Restrict Processing

Object to processing for direct marketing, or restrict processing in specific circumstances permitted by law.

Right to Grievance Redressal

File a complaint with our Grievance Officer (see Section 15). If you are dissatisfied with our response, you may approach the Data Protection Board of India, your local supervisory authority, or any other competent authority.

Exercise Your Rights

We will respond to verified requests within 30 days.


12. GDPR Privacy Rights (EU Users)

For Users in the European Union / EEA

In addition to the rights in Section 11, GDPR gives EU/EEA users:

  • Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
  • Right to object to automated decision-making: Not be subject to a decision based solely on automated processing producing legal or similarly significant effects (see also Section 18).
  • Right to erasure ("right to be forgotten"): Request deletion of your personal data subject to lawful retention exceptions.
  • Right to lodge a complaint: File a complaint with the supervisory authority of your habitual residence or place of alleged infringement.
GDPR contact: Please email contact@cookzy.in with the subject line "GDPR Request". We will route the request to the responsible person in our team.

Cookzy is not currently established in the EU/EEA and has not appointed a representative under Article 27 GDPR. We are nevertheless committed to honouring GDPR rights for any EU/EEA users.


13. CCPA / CPRA Privacy Rights (California Residents)

For California Residents

Under the CCPA and CPRA, California residents have specific rights:

Your rights:
  • Right to know what data we collect
  • Right to delete your information
  • Right to opt out of sale (we do not sell data)
  • Right to non-discrimination
  • Right to correct inaccurate data
  • Right to limit use of sensitive data
Categories of data collected:
  • Identifiers (name, email, phone, IP)
  • Commercial information (purchases)
  • Internet activity (App usage)
  • Geolocation data
  • Inferences (preferences)
We do NOT sell your personal information.
Exercise your rights: Email contact@cookzy.in with the subject "CCPA Request". We will verify your identity and respond within 45 days, as required by the CCPA.

14. DPDPA Rights (Indian Residents)

For Users in India

For users in India, this Privacy Policy serves as the "Notice" under Section 5 of the Digital Personal Data Protection Act, 2023. The Data Fiduciary is Upsway Services Private Limited.

Specified purpose

Your personal data is processed only for the specific purposes described in Section 2 ("How Do We Use Your Information?"). The categories of personal data we collect are described in Section 1.

Lawful basis

We process your personal data either with your consent (Section 6 DPDPA) or on the basis of a "legitimate use" recognised under Section 7 DPDPA — including processing necessary for the performance of any function under any law, for compliance with judgments or orders, in response to a medical emergency, for employment-related purposes, or for any fair and reasonable purpose specified by the rules made under the DPDPA.

Your rights as a Data Principal

Right to access information about your personal data

Obtain a summary of your personal data being processed, the processing activities, and the identities of any data fiduciaries / processors with whom it has been shared.

Right to correction and erasure

Correct, complete, or update inaccurate personal data, and request erasure of personal data that is no longer necessary for the purpose for which it was processed.

Right to withdraw consent

Withdraw consent at any time, with the same ease as giving it. Email contact@cookzy.in with the subject line "Withdraw consent".

Right of grievance redressal

Raise a grievance with our Grievance Officer (see Section 15) who will respond within the timelines prescribed under applicable law.

Right to nominate

Nominate another individual to exercise your rights under the DPDPA in the event of your death or incapacity. Please email us to record your nominee.

Right to complain to the Data Protection Board

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India established under the DPDPA.

Consent Manager

When the Data Protection Board operationalises the Consent Manager framework under Section 6(7) of the DPDPA, you will be able to give, manage, review, and withdraw your consent through a registered Consent Manager. We will integrate with this framework when the Rules are notified.

Data Fiduciary: Upsway Services Private Limited (Cookzy)
Grievance Officer: See Section 15 for contact details
DPDPA enquiries: Email contact@cookzy.in with the subject line "DPDPA Request"
Response time: Within 30 days, or such shorter timeline as prescribed under DPDPA Rules

By using our Services, you consent to the collection and processing of your personal data for the purposes set out in this Notice. You may withdraw consent at any time, subject to the consequences described above.


15. Grievance Officer

In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer who is the single point of contact for all complaints relating to this Privacy Policy, the App, or your personal data.

Name: Palkesh Jain
Designation: Grievance Officer, Upsway Services Private Limited (Cookzy)
Email: contact@cookzy.in (subject line: "Grievance")
Postal address: Cookzy, Rajasthan, India

We will acknowledge receipt of a grievance within twenty-four (24) hours and will dispose of it within fifteen (15) days from the date of receipt, in line with the IT Rules 2021. For complaints under the DPDPA, we will respond within the timelines prescribed under the DPDPA Rules.


16. Data Breach Notification

In the event of a personal data breach that affects your personal data, we will:

  • Notify the Data Protection Board of India and each affected Data Principal in the manner and within the timelines prescribed under the DPDPA and its Rules;
  • Notify the Indian Computer Emergency Response Team (CERT-In) where required under CERT-In Directions, 2022;
  • For users covered by GDPR, notify the relevant supervisory authority within 72 hours of becoming aware (where feasible);
  • Describe the nature of the breach, the categories and approximate volume of data affected, the likely consequences, and the measures we have taken or propose to take to address it; and
  • Provide guidance on protective steps you can take.

Notifications to you will be sent via email to your registered address and, where appropriate, via in-app notice.


17. International Data Transfers

We primarily store and process personal data in India. Some of our service providers (for example, cloud hosting, analytics, and email) may process your data in other jurisdictions, including the United States and the European Union.

Safeguards we implement:

  • Where transfers are subject to GDPR, we rely on the European Commission's Standard Contractual Clauses (SCCs) or applicable adequacy decisions.
  • For Indian users, transfers are made only to countries that have not been notified by the Central Government as restricted under Section 16 of the DPDPA.
  • All processors are bound by written agreements imposing confidentiality and security obligations equivalent to those in this policy.
Primary data storage: India
Some service providers may store data in the United States, the European Union, or other jurisdictions to provide their services.

18. Automated Decision-Making

We do not use your personal data for automated decision-making — including profiling — that produces legal effects concerning you or similarly significantly affects you. Where we use algorithmic ranking or matching to suggest cooks or content, those suggestions are non-binding and do not replace your own decision to engage a cook.


19. Do-Not-Track Features

Most web browsers and some mobile operating systems include a "Do-Not-Track" (DNT) feature. Our App does not currently respond to DNT browser signals because no uniform technical standard for them has been adopted.

If a standard for online tracking is adopted that we must follow, we will inform you in a revised privacy policy.


20. Third-Party Websites

Our App may contain links to third-party websites, plug-ins, and applications.

Important: We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to review the privacy policy of every website you visit.

21. Cooks' Information

Cooks who register on the Mobile Application also fall within the scope of this Privacy Policy in respect of the personal data they submit to us (such as name, contact details, photographs, identity-document numbers, address, work experience, and bank account information for any cook payouts under our Trial & Hire programme). Cooks have the same rights of access, correction, erasure, and grievance redressal as any other Data Principal under Section 11 and Section 14.

When a customer engages a cook, Cookzy is acting as an intermediary that facilitates the introduction; it is not the employer of the cook. See Sections 14 and 15 of our Terms of Use for the role we play in cook–customer engagements.


22. Do We Make Updates to This Policy?

Yes, we may update this policy from time to time to keep it accurate and aligned with applicable law.

For changes that materially affect your rights, we will notify you by:

  • Posting an in-app notice;
  • Sending an email to your registered email address; and
  • Where the change requires fresh consent under applicable law, asking for your acknowledgement on next login.

The updated version will be indicated by the "Last updated" date at the top of this page. We encourage periodic review of this policy.


23. How Can You Contact Us?

Company name: Upsway Services Private Limited
Business name: Cookzy

General enquiries:
contact@cookzy.in

Privacy-specific requests (please use the matching subject line):

  • India / DPDPA: subject "DPDPA Request"
  • EU / GDPR: subject "GDPR Request"
  • California / CCPA: subject "CCPA Request"
  • Withdraw consent: subject "Withdraw consent"
  • Grievance: subject "Grievance" (routed to the Grievance Officer)



24. How Can You Review, Update, or Delete Your Data?

To exercise your data rights:

In-app access

Open the App and go to Settings → Account to view and update your personal information directly within the App.

Account deletion
Two ways to delete your account:
  • In the App: Settings → Account → Delete Account
  • By email: Write to contact@cookzy.in with the subject "Delete account". We will verify your identity and complete deletion within 30 days.
Data deletion exceptions: We may retain certain information when we have a legal obligation or legitimate business need (for example, transaction records for tax purposes, anti-fraud records, or records needed to defend a legal claim). Such retention is described in Section 8.