Go Back

Privacy Notice and Privacy Policy

Last Updated: [●]

This Privacy Notice and Privacy Policy (“Policy”) explains how MetaGo Healthcare Private Limited (“Company”, “we”, “us”, “our”) collects, processes, stores, uses, protects and discloses Personal Data of individuals (“you” or “Data Principals”) who access or engage with our weight-management, metabolic health, teleconsultation, and related support services (“Services”) through our website https://metago.health / mobile application,  social media platforms such as Meta, Instagram and WhatsApp, teleconsultation platform and other digital interfaces (“Platform”). This Policy is prepared in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Digital Personal Data Protection Rules, 2025 (“DPDP Rules), Information Technology Act, 2000 and other applicable rules thereunder.

By accessing the Platform, creating an account, enrolling in any programme or otherwise providing Personal Data to us after being presented with this Policy, you acknowledge that you have read and understood the terms of this Policy and, where applicable, provide your explicit consent to the processing of your Personal Data for the purposes described herein. If you do not agree with this Policy, you should refrain from using the Platform or the Services.

  • Categories of Personal Data Processed

We may process various categories of Personal Data depending on your interaction with the Platform and the Services. This includes identity and contact information such as your name, age, gender and communication details; health, medical and diagnostic information relating to your medical history, treatments, medications, laboratory results and other clinical indicators; lifestyle and wellness data relating to your habits, behaviours and self-reported wellbeing inputs; information generated by our care team during consultations, including clinical notes, assessments and recommendations; technical and device-related information such as IP addresses, system logs, usage analytics and data collected through cookies; financial and transactional information associated with payments and subscriptions; data received from authorised integrated devices and third-party platforms, including smart scales, continuous glucose monitors and wearables; diagnostic information shared by laboratory partners; communications sent through chat, email, support channels or telephone; audio or video recordings of consultations where you have explicitly consented to such recording; information relating to referrals and interactions through social media platforms; and any additional Personal Data you voluntarily provide in the course of using the Services. 

A detailed description of which Personal Data is collected and in which manner is provided in Section 3 below. 

You may access this Policy and any consent requests in English or Hindi, and we will make them available in other languages listed in the Eighth Schedule to the Constitution upon reasonable request, to ensure that you can understand the information before providing consent.


  • Purpose of Processing

Your Personal Data is processed for specific, lawful and necessary purposes. These purposes include onboarding and determining your suitability for our health programmes; facilitating medical and nutritional consultations; enabling prescription management, including GLP-1 and other medications and supplements; delivering ongoing health coaching and monitoring; ensuring continuity of care; processing payments and managing your subscriptions; responding to your requests and concerns; complying with legal and regulatory obligations; informing you about our services; and evaluating and improving the effectiveness, safety and quality of our Services. We may also process de-identified or anonymised data for research, analytics and operational improvement. Such de-identified or anonymised data does not identify you and may be used without further notice or consent to support research, statistical modelling and operational optimisation.

In addition to the purposes described above, the Company may, with your separate and explicit consent, process your Personal Data to contact you regarding new programmes, service offerings, wellness initiatives or other products that may be relevant to your health journey. Such communication will only be undertaken where you have provided voluntary and unambiguous consent for marketing or promotional outreach, and you may withdraw this consent at any time without affecting your ability to continue using the Services for which you initially provided consent. You may opt out of such marketing communications at any time by using the unsubscribe mechanisms included in such communications or by contacting us through any of the channels specified in this Policy.

  • Collection of Personal Data


    • Personal Data Collected Directly from You

We collect Personal Data directly from you when you create an account, purchase a subscription plan, complete onboarding steps, or otherwise interact with the Platform. During onboarding, you may provide information such as your name, gender, age, height, weight, BMI, medical history, comorbidities, medications, allergies, and other health-related information. You may also provide lifestyle and behavioural information, including eating habits, patterns of physical activity, sleep quality, stress levels, and similar wellness indicators. As you continue using the Platform, you may enter data relating to meals, body weight, symptoms, side effects, exercise, progress assessments, reminders, and responses to proprietary assessments, along with updates to your personal profile.
We further collect information during your interactions with members of our healthcare team, including doctors, nutritionists and other qualified health professionals, as well as authorised non-clinical personnel such as sales representatives, customer support staff and operational team members, when you communicate via WhatsApp chat, audio or video consultations. Personal Data is also collected when you contact customer support through email, WhatsApp, telephone, or when you provide feedback, testimonials. Personal Data may also be collected during oral communications, including telephone calls with our healthcare team or support staff, where you choose to disclose information relevant to your Services. 

    • Personal Data Collected from Integrated Devices and Third-Party Platforms

Where you connect or authorise integration with third-party devices or platforms, we collect Personal Data generated by those systems. This may include glucose readings and timestamps from continuous glucose monitors; body weight and body composition metrics from smart scales; and health, fitness or activity data from platforms such as Apple HealthKit, Google Health Connect or wearable devices. Such data may include steps taken, active minutes, calories burned, sleep patterns, heart rate, blood pressure, blood oxygen levels and exercise details. These integrations occur only with your explicit authorisation and may be discontinued by you at any time by revoking access through the Platform or the connected device.

    • Personal Data Generated by HealthCare Team During Service Provision

Members of the healthcare team may generate Personal Data during the course of providing Services. This includes professional notes, clinical observations, assessments, diagnosis-related information, treatment plans, nutritional or exercise recommendations, e-prescriptions and entries made into your health records maintained by us. Such data is created to ensure continuity, accuracy, safety and quality of care, and forms an integral part of your engagement with the Platform.

    • Personal Data Obtained from Laboratory Partners

If you undergo diagnostic tests through laboratory partners and authorise the sharing of results with us, the laboratory partners may provide us with your test reports. These results are uploaded to your health record and made accessible to you and your care team for review and clinical decision-making. Laboratory data constitutes sensitive Personal Data and is subject to enhanced confidentiality safeguards.

    • Personal Data Collected Through Cookies, Analytics and Similar Technologies

We automatically collect certain information when you access or use the Platform. This includes device identifiers, operating system and browser details, IP address, system logs, crash reports, timestamps, navigation patterns, usage analytics and performance metrics. Cookies and similar technologies may be used to support essential functions, store preferences, enhance your experience, analyse user behaviour and, where you have explicitly consented, personalise content or marketing communications.
You may adjust your browser or device settings to restrict cookies; however, doing so may impact certain functionalities of the Platform.

Certain analytics or performance monitoring tools may receive pseudonymised or aggregated information to help us analyse usage trends and improve Platform functionality, subject to appropriate contractual safeguards.

    • Recorded Audio or Video Consultations (With Explicit Consent)

Consultation calls may be recorded, but only after your explicit consent is obtained before the consultation begins. You will be informed at the start of the consultation if such recording is proposed, and your participation will be entirely voluntary. These recordings may capture your voice, face, surroundings or, where medically relevant, images of your body or body parts, such as when demonstrating injection techniques or other treatment-related procedures. Recordings constitute sensitive Personal Data and are collected solely for purposes relating to the accuracy and continuity of medical care, safety supervision, clinical quality assurance, internal training, and compliance with legal or regulatory requirements.
If you do not wish to be recorded, you must inform us before the consultation begins, and we will provide an alternative method of consultation where feasible. All recordings are encrypted, securely stored, accessed only by authorised personnel on a strict need-to-know basis, and retained only for the period necessary to fulfil the purposes identified or as required by law. Recordings are never used for promotional purposes and are accessible only to authorised personnel.

    • Voluntary Non-Participation and Consequences

You may decline to provide certain categories of Personal Data; however, doing so may affect our ability to deliver parts of the Services that rely on such data. Where your refusal to provide Personal Data prevents us from fulfilling a core functionality, we may be unable to provide the associated Service.

    • Collection and Retention 

The Company is the agency collecting and retaining your Personal Data for the purposes stated in this Policy.

  • Legal Basis for Processing 

We process Personal Data primarily on the basis of your explicit, informed consent. Your Personal Data is used only for specific, lawful, and necessary purposes connected with your engagement with our medically supervised weight-management and metabolic health programmes. Depending on your interactions with the Platform and the Services, we may use your Personal Data to:

  • Manage user registration, create and verify your account, authenticate your identity, and administer ongoing account access and profile management.
  • Deliver our medically supervised weight-management and metabolic health programmes, including eligibility assessment, personalised diet and nutrition plans, exercise recommendations, behavioural coaching, and ongoing lifestyle support.
  • Facilitate teleconsultations and other clinical or non-clinical interactions with members of your Care Team, including doctors, nutritionists, coaches, and authorised support staff.
  • Use audio or video recordings of consultations, where you have explicitly consented to such recording, for the limited purposes of ensuring medical accuracy, safety supervision, clinical quality assurance, internal training, and compliance with legal or regulatory requirements.
  • Enable doctors and other authorised healthcare professionals to generate, issue, and manage e-prescriptions and treatment plans, including GLP-1 or other medications and supplements where clinically appropriate.
  • Monitor your health progress, treatment adherence, and response to interventions, and to provide feedback, alerts, and support based on your reported data and integrated device information.
  • Operate Platform features such as reminders, meal logging, activity tracking, progress dashboards, care-team communication tools, habit-tracking modules, and other programme features made available from time to time.
  • Coordinate diagnostic tests and investigations with partnered laboratories, receive and display your test results, and integrate such information into your health records for clinical decision-making.
  • Facilitate the ordering, packing, dispatch, and delivery of prescribed medications or other health products through pharmacy or logistics partners, where applicable.
  • Process subscription payments, renewals, cancellations, refunds, charge-backs, discounts, offers, and billing-related queries.
  • Administer referral or rewards programmes, track referral activity, and credit benefits where applicable.
  • Send necessary transactional or service-related communications, such as account activation messages, security alerts, appointment and follow-up reminders, dosage or medication reminders, and payment or invoice confirmations.
  • Respond to your questions, feedback, grievances, and support requests, and to improve the quality and responsiveness of our customer support.
  • With your separate and explicit opt-in consent, send marketing or promotional communications about new programmes, product features, offers, and wellness initiatives, which you may opt out of at any time without affecting your access to the core Services.
  • Analyse usage patterns, technical logs, and device information to maintain and improve Platform security, stability, performance, and user experience.
  • Conduct internal research, analytics, and statistical analysis (including on de-identified or anonymised data) to evaluate and enhance the safety, effectiveness, and outcomes of our programmes and to develop new features and services.
  • Comply with applicable Indian laws, regulations, professional obligations, court orders, or requests from government or regulatory authorities that we are legally required to follow.
  • Protect the rights, property, or safety of the Company, our users, our Care Team, or the public, and to detect, prevent, investigate, and respond to fraud, misuse, security incidents, or violations of law.
  • Enforce our Terms and Conditions, programme rules, and other applicable policies, including investigating potential violations and managing disputes.
  • Consent Mechanisms

Your consent is obtained through clear and affirmative actions, including checkboxes, toggles, and confirmations presented during onboarding or at the point of data collection. Consent is obtained separately for specific processing activities that require unbundled consent, including:

  • Recording of consultations (audio or video)
  • Marketing and promotional communications

Languages: In accordance with DPDP Act, consent requests  are available in English and Hindi, and may be provided in additional Eighth Schedule languages on request.

  • Withdrawal of Consent

You may withdraw your consent at any time through the same ease and accessibility with which consent was given. Withdrawal of consent may limit or prevent our ability to provide some or all of the Services, but will not affect the lawfulness of processing undertaken prior to such withdrawal. Following withdrawal, we will cease processing your Personal Data and will ensure that any Data Processors acting on our behalf also discontinue processing unless retention is required under applicable law.


You may withdraw consent at any time through the following channels:

Withdrawal requests are processed within 72 hours. Withdrawal does not affect the lawfulness of processing already carried out prior to the withdrawal.

  • Sharing and Disclosure of Personal Data

We do not sell, rent, or otherwise commercially exploit your Personal Data. We disclose Personal Data only where necessary for the provision of the Services, or where required under applicable law. All disclosures are subject to appropriate contractual and organisational safeguards, including Data Processing Agreements requiring processors to maintain confidentiality, security, and purpose limitation

Recipient

Categories of Data Shared

Purpose of Disclosure

Healthcare Team (doctors, nutritionists, health coaches) who may not be a part of the Company

Clinical notes, prescriptions, laboratory results, health metrics, relevant history

Medical assessment, treatment planning, monitoring, coaching and continuity of care

Partner Laboratories

Name, contact details, requisition information

Conducting diagnostic tests and providing results for clinical review

Partner Pharmacies / Dispensaries

E-prescriptions, name, delivery address

Dispensing medications and coordinating delivery

Payment Service Providers

Transaction details, billing information

Secure payment collection and fraud prevention

Technology and Infrastructure Providers

Technical logs, system events, usage analytics, device metadata

Hosting, platform operations, performance optimisation and security management

Customer Support Providers

Contact details, communication logs

Responding to queries, supporting service delivery

Government Authorities, Regulators, Courts or Law Enforcement

Any information legally mandated to be disclosed

Compliance with legal obligations, court orders, regulatory inquiries, or safety-related disclosures


All disclosures are made strictly on a need-to-know basis.

  • Cross-Border Transfers

As of the date of this Policy, your Personal Data is primarily stored and processed on servers located in India. Where we rely on cloud or infrastructure providers, we ensure that the primary hosting location is within India, subject to appropriate contractual and technical safeguards.

If, in future, we transfer or store Personal Data outside India, such transfer will occur only in accordance with the DPDP Act and Rules, including any country or territory restrictions notified by the Government, and will be subject to technical, contractual and organisational safeguards to ensure a level of protection that is materially comparable to that available under Indian law.

  • Security Measures

We implement reasonable and appropriate technical, organisational and administrative measures to safeguard Personal Data against unauthorised access, disclosure, alteration, loss or destruction, in accordance with ISO/IEC 27001 or an equivalent ISMS framework, verified through periodic independent audits. These safeguards include encryption or equivalent obfuscation or masking of Personal Data at rest and in transit, the use of virtual tokens mapped to identifiers where appropriate, role-based access controls and authentication, logging and monitoring of access to Personal Data and retention of such logs for at least one year, security monitoring, data-backup mechanisms and internal security policies.

Where we engage Data Processors, we ensure through written contracts that they implement security safeguards at least equivalent to those described in this Section and process Personal Data only on documented instructions from us.

While we take all reasonable precautions, no digital system is completely free of vulnerabilities.

  • Data Retention and Deletion

Personal Data is retained only for as long as necessary to fulfil the purposes for which it was collected or as required under law, regulation or professional standards. Once the purpose has been fulfilled or upon withdrawal of consent, and where continued retention is not legally required, Personal Data will be deleted or irreversibly anonymised. Where mandated by the DPDP Rules, we will notify you at least forty-eight hours in advance of the scheduled deletion of your Personal Data. We will also ensure that any Data Processor acting on our behalf deletes corresponding Personal Data in accordance with the Act.

  • Exercise of Rights and Grievance Redressal

As a Data Principal, you have the right to access a summary of your Personal Data being processed and the processing activities undertaken by us; the right to request correction or updating of inaccurate or misleading Personal Data; the right to request erasure of Personal Data where permissible; the right to withdraw consent; the right to register grievances; and the right to nominate an individual who may exercise your rights in the event of your death or incapacity. 

You may submit requests relating to access, correction, erasure, withdrawal of consent, nomination or any other statutory right by contacting the Grievance Officer or DPO. Upon receiving such we may require you to verify your identity or provide supporting information to ensure that your request is lawful and relates to your own Personal Data.

 All grievances will be addressed within the timelines prescribed under applicable law. If your grievance remains unresolved, you may approach the Data Protection Board of India.

Grievance Process and Timelines

  • Acknowledgement: We will acknowledge receipt of a grievance within 48 hours.
  • Resolution: We aim to resolve grievances within 30 days, and in any event no later than 90 days, in accordance with the DPDP Rules.
  • Periodic Updates: If a grievance remains unresolved, we will provide status updates at 15, 30, and 60-day intervals.
  • Escalation: If you are dissatisfied with our response, you may escalate your grievance to the Data Protection Board of India.
  • Processing of Children’s Data

The Services are not intended for individuals who have not attained eighteen years of age. We do not knowingly collect or process Personal Data relating to children, and any such data identified by us will be deleted in accordance with applicable legal requirements.

  • Processing of Data of Persons with Disabilities Having Lawful Guardians

Where we process Personal Data relating to an individual who is a person with disability and has a lawful guardian under applicable law, we will obtain verifiable consent from such lawful guardian in the manner prescribed under the DPDP Act and Rules. We may request supporting documentation evidencing the appointment of the lawful guardian (such as an order of a court, designated authority or local level committee) and will use such documentation solely for verifying authority and maintaining compliance records.

  • Personal Data Breach Notification

In the event of a personal data breach, we will notify the affected Data Principals and the Data Protection Board of India without undue delay and in the manner prescribed by law. Such notification will include the nature of the breach, its scope, potential risks, and steps taken or proposed to mitigate any harm.

  • How to Contact Us, File Grievances or Communicate with the Board

All queries regarding this Policy, as well as requests to exercise your rights, may be addressed to our Grievance Officer and Data Protection Officer (DPO):

Name: Neha Shah

Designation: Data Protection Officer and Grievance Officer

Email: support@metago.health
Phone: +91-9653305925
Postal Address: 1401 B Suvidha Square, Corner of Ceaser Road and S.V. Road, Andheri West, Mumbai-400058, Maharashtra

You may also contact the Grievance Officer through the business contact number provided on the Platform.

If you are not satisfied with our response, you may escalate your grievance to the Data Protection Board of India in accordance with applicable law.

  • Changes to this Policy

We may amend this Policy from time to time to reflect changes in legal requirements, regulatory guidance or our operational practices. Any updated version will be published on the Platform along with the revised effective date. Where changes are material, we will endeavour to inform you through one or more channels such as email, in-app notifications, SMS or prominent notices on the Platform. Continued use of the Platform after such updates constitutes your acceptance of the revised Policy.

Nothing in this Policy affects the confidentiality obligations applicable to healthcare professionals involved in providing clinical care, nor does it limit any rights you may have under applicable laws.

Note: If and when we are notified or classified as a Significant Data Fiduciary under the DPDP Act, we will comply with all additional obligations applicable to such entities, including appointing a Data Protection Officer based in India reporting to our governing body, appointing an independent data auditor, conducting periodic Data Protection Impact Assessments and audits, and implementing any data localisation or additional safeguards notified by the Central Government in respect of specified categories of Personal Data.