Privacy Policy
A plain-English explanation of what we collect, why, what we do with it, and what you can ask us to do next. No dark patterns, no fine-print footnotes.
Who we are
Soma Delights is a micro-wellness brand operating out of Kukatpally, Hyderabad. We make cold-pressed 300 ml drinks, 100 ml fermented shots, and small-batch meal-prep kits, all produced fresh each morning and delivered before 7 AM across the Kukatpally, Miyapur, and Chandanagar corridor.
This policy applies to somadelights.com and to any subscription, trial, or kiosk sign-up that flows through it. When we say "we", "us", or "Soma", that's us. When we say "you", that's the person whose data we're describing.
What we collect
We collect the minimum data needed to deliver wellness drinks to your door and keep in touch about them. In practice, that means:
Contact details you give us — name, phone number, WhatsApp number, email, and delivery address.
Order history — the plan you chose, what you received, when deliveries were skipped or paused, wallet credit balance, and payment status.
Wellness profile answers — if you took our profile quiz or filled in taste preferences, we store those so we don't recommend a ginger shot to someone who flagged a ginger sensitivity.
Delivery operations data — rider notes, delivery timestamps, substitution requests, and complaint tickets.
Device and analytics events — strictly necessary cookies and anonymous page-view counts. We don't run any third-party advertising pixels at launch.
WhatsApp message identifiers — when we send a delivery confirmation via WhatsApp Business API, Meta returns a message ID which we store against your order for delivery-receipt reconciliation.
Why we collect it
Everything we collect is tied to one of these purposes: fulfilling your subscription, preventing us from accepting orders we can't deliver, sending you transactional updates (delivery windows, payment reminders, skipped-day notices), responding to complaints, improving the drinks and plans based on what people actually finish or skip, and meeting our obligations under India's Food Safety and Standards Act and Goods and Services Tax rules.
We do not sell your data. We do not share it with advertisers. We don't profile you to charge you a different price than anyone else.
Legal basis
Under India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), we rely on four legal bases:
Consent — you give it when you sign up for a subscription, a free-week trial, or the newsletter. You can withdraw it at any time; the sections below explain how.
Contractual necessity — once you're on a paid plan, we process your address and order data because we cannot deliver without it.
Legitimate interest — for fraud prevention, capacity planning, and responding to the complaints you raise with us.
Legal obligation — to issue GST invoices, keep FSSAI-required production traceability, and respond to lawful government requests.
How long we keep your data
We delete personal data within 30 days of a verified request from you. "Verified" means we've confirmed the request came from the actual account holder — usually via the phone number or email on file.
One exception, mandated by law: invoice and tax records. Under India's GST rules we are required to keep financial records for seven years. When you ask for deletion, we strip personally identifiable details (name, contact, delivery address) from the invoice records and retain only the anonymized transaction skeleton (amount, tax, SKU, date). That residue cannot be linked back to you.
If your account has been inactive for 18 months and you have no unclaimed wallet balance, we will reach out once and then delete on the same basis.
Your rights
Under the DPDP Act, you have the right to: know what personal data we hold about you, correct anything that's wrong, ask us to delete it (subject to the retention rule above), receive a copy of your data in a portable format, nominate someone to act on your behalf if you are unable to, and withdraw any consent you previously gave.
To exercise any of these rights, email the grievance officer listed below. We respond within 30 days, as the DPDP Act requires. If we can't satisfy your request, we'll tell you why, and you can escalate to the Data Protection Board of India.
Children
We don't knowingly collect data from anyone under 18. Subscriptions are for adults. If you're a parent or guardian and believe a child has provided data to us, email the grievance officer and we'll remove it.
Where your data is stored
Our database (PostgreSQL, hosted on Supabase) sits in the AWS Mumbai region. Our website is served from Vercel's global edge network, which means static assets and rendered pages may be cached briefly in Mumbai, Singapore, or other points of presence — but the authoritative record of your personal data lives in Mumbai.
When we send a WhatsApp message, Meta's infrastructure may route it through servers outside India. This is permitted under the DPDP Act when the data is processed by a reasonable, internationally recognised service provider under our written instructions.
Security
We use TLS 1.2 or higher for all data in transit. The database is encrypted at rest. Access to the admin platform is limited to named staff, each with their own login; we don't share credentials. We store no card data at all — once we onboard Razorpay, card numbers and UPI handles stay with Razorpay, not us.
We can't promise absolute security — no one honest can — but we will notify you within 72 hours if we become aware of a breach that is likely to cause you material harm, as the DPDP Act requires.
Grievance officer
Under the DPDP Act, 2023, we are required to name a Grievance Officer to handle complaints and data-rights requests.
Grievance Officer: Sri (founder, Soma Delights)
Email: hello@somadelights.in
Address: Soma Delights, Kukatpally, Hyderabad, Telangana, India
We respond within 30 days of receiving a verified request. If you are not satisfied with our response, you may escalate to the Data Protection Board of India.
Changes to this policy
We update this page whenever our practices change — not when the law changes in a way that doesn't affect you, and not to introduce marketing weasel-words. The "Last updated" date at the top of the page is authoritative.
For material changes (new data categories, new sharing partners, new retention periods), we'll also send a heads-up via the email or WhatsApp number on file at least 14 days before the change takes effect, so you can review and, if needed, close your account first.
This policy is founder-written and is intended to be read. It will be reviewed by counsel before we scale beyond Hyderabad.


