whatsinit

Privacy Policy

Last updated: 17 May 2026 · Written for the India Digital Personal Data Protection Act (DPDPA), 2023

Who we are

whatsinit (“we”, “us”) operates the website at whatsinit.in and the food-information services available on it. We are the Data Fiduciary for the personal data collected through the site, in the sense defined by the India DPDPA, 2023.

What we collect, and why

We only collect what we need to run the service. Every category below is tied to a specific purpose, and we don't use any of it for anything else.

Google account profile (name, email, profile image)

Sign-in via Google OAuth. We use the email as your account identifier and to reply to contact-form messages.

Authentication cookies

Strictly necessary. They keep you signed in across pages on whatsinit.in.

Product analytics (anonymous usage events)

Aggregate analytics via PostHog — pageviews, button clicks, sign-in conversion. Helps us see which parts of the site are useful and where people get stuck.

Error reports

When the site crashes, the browser sends a stack trace to Sentry so we can fix it. May include the URL you were on and your account id, but not your message text.

Contact-form submissions

When you message us through /contact or the in-context Report-an-issue link, we store your message, the category, your account email (as reply-to), and — if you submitted from a product page — the product ID. We keep this until the conversation is resolved.

Affiliate link clicks (post-launch)

If you click a 'Buy on Amazon' link, Amazon may receive a referral tag identifying whatsinit as the referrer. We don't see your purchase or its value.

What we don't collect

  • We don't sell your data. Ever.
  • We don't use third-party advertising cookies or trackers (Facebook Pixel, Google Ads, etc.).
  • We don't profile you or build a behavioural ad target from your activity.
  • We don't verify age — the site is open to anyone — but it is intended for a general audience. If you're a parent or guardian and want a child's account or data removed, write to the grievance officer below and we'll delete it.

Who we share it with

We share data only with the service providers that help us run the site. We don't sell or rent personal data to anyone.

Google (OAuth)

Sign-in identity provider.

Amazon Web Services (AWS)

Hosting (EC2, RDS, Amplify). Servers are in the ap-south-1 region (Mumbai).

PostHog (US cloud)

Product analytics. Configured without session replay.

Sentry

Error monitoring.

Amazon.in (affiliate program)

When you click a 'Buy on Amazon' link, your browser is redirected with our referral tag in the URL.

How long we keep it

  • Account data — as long as you have an active account. Sign out and email us, and we'll delete it.
  • Analytics events — 12 months in PostHog, then rolled up into aggregates and the raw events are dropped.
  • Error reports — 90 days in Sentry, then deleted.
  • Contact messages — kept until the conversation is resolved, plus 6 months for audit, then deleted.

Your rights as a Data Principal (DPDPA)

You have the right to:

  • Know what personal data we hold about you.
  • Ask us to correct anything that's wrong.
  • Ask us to delete your data.
  • Withdraw consent (we'll stop processing, with the limitation that we may still need to retain some data for legal / audit purposes).
  • Nominate someone to exercise these rights on your behalf in the event of death or incapacity.
  • Raise a grievance with our Grievance Officer (below). If unresolved, you can escalate to the Data Protection Board of India.

To exercise any of these rights, email support@whatsinit.in from the address associated with your account. We'll respond within 30 days.

Cookies

We use a small number of first-party cookies and one third-party analytics provider:

  • Authentication cookies (essential) — set by NextAuth so you stay signed in. Cannot be disabled if you want to use account features.
  • Analytics (PostHog) — anonymous unless you sign in, in which case events are associated with your account id.

You'll see a one-time banner on your first visit explaining this. Continuing to use the site after dismissing the banner counts as acknowledgement.

Security

We use industry-standard encryption in transit (HTTPS) and at rest (AWS RDS encryption). Account passwords are never collected — sign-in is delegated to Google. We run automated security monitoring and patch known vulnerabilities promptly.

Changes to this policy

We'll update the “Last updated” date at the top whenever this policy changes materially. If the change affects how we use your data, we'll notify you by email before it takes effect.

Grievance Officer

Under the DPDPA you can raise any privacy concern directly with our Grievance Officer:

Jyoti Awasthi

Grievance Officer, whatsinit

jyoti.awasthi@whatsinit.in

We aim to acknowledge grievances within 7 days and resolve them within 30 days.