Privacy Policy

Last updated: February 2026

Aadhyaa is built on the principle that personal Vedic guidance must be private and respectful. This policy is written in plain English so you know exactly what we do — and don't — with your information.

What we collect

  • Account: Email, name, password (hashed with bcrypt).
  • Birth chart inputs: Date, time, and city of birth.
  • Optional family: Names and birth details you choose to add for family members.
  • Usage: Pages you view, questions you ask the AI, your subscription tier.
  • Payment: Stripe/Razorpay handle card details directly — we never see your full card number.

What we do NOT collect

  • Health diagnoses, prescriptions, or medical records.
  • Location data (we use only the city you enter for chart calculation).
  • Third-party tracking cookies without your explicit "Accept all" choice.
  • Social-graph data — we don't read your contacts.

How we use it

  • To compute your authentic Vedic birth chart and dasha periods.
  • To generate AI guidance personalised to your chart (the LLM never sees your name unless you include it in the question).
  • To enforce subscription tier limits (e.g., 3 free AI questions per week).
  • To send transactional emails (signup, password reset, billing). Marketing emails are opt-in.

Third-party processors

  • OpenAI / Anthropic / Google: AI providers, accessed via Emergent's Universal Key. Question text is sent, but no personally identifying tags.
  • Razorpay / Stripe: Payment processing. Their privacy policies govern card data.
  • MongoDB Atlas (production): Encrypted database hosting.
  • Sentry (optional, ops): Error tracking; PII stripped before send.

Your rights (GDPR + India DPDP)

  • Right to access: Download all your data via GET /api/security/gdpr/export from your account.
  • Right to erasure: Delete your account + all family data via DELETE /api/security/gdpr/delete. Permanent within 30 days.
  • Right to correct: Edit your details from your profile page anytime.
  • Right to object: Email privacy@aadhyaa.in and we will respond within 30 days.

Children's data (COPPA)

Kids features are intended for use by parents/guardians on behalf of their children. We do not knowingly create accounts for users under 13. If a parent adds a child via the family feature, only the child's first name and birth details are stored — no email or login. Parents can delete a child's record from the family panel anytime.

Retention

Active accounts: retained until you delete them. Inactive accounts (no login in 24 months): we email a deletion warning and erase unless you sign in. Deleted accounts: removed from primary database within 30 days; encrypted backups expire within 90 days.

Security

  • TLS 1.3 for all connections.
  • Passwords hashed with bcrypt (cost factor 12).
  • Rate-limiting on login (5 attempts / minute / email).
  • JWT session tokens with 72-hour expiry.
  • OWASP-baseline security headers (HSTS, CSP, X-Frame-Options, etc.).

Changes

We will notify registered users by email at least 14 days before any material change to this policy takes effect.

Contact

Questions? Email privacy@aadhyaa.in — we read every message.
