Privacy Policy
AharaOS · Effective 24 April 2026 · Version 1.0
AharaOS ("we", "us") is operated by Sumanth Malipeddi as a sole proprietorship. This is the canonical privacy policy — the in-app Privacy Notice (Me → Privacy notice) is a human-readable summary of what's below, and both stay in sync. When they disagree, this document governs.
We publish this under India's Digital Personal Data Protection Act, 2023 (DPDP) and have shaped it to satisfy DPDP Rule 3 (notice), s.6 (consent), s.8 (accuracy + security), s.11 (right of access), s.12 (right of erasure), and s.23 (breach notification).
1. Who we are
| Role | Who |
|---|---|
| Data Fiduciary | AharaOS — Sumanth Malipeddi |
| Grievance Officer | Sumanth Malipeddi (hi@aharaos.com) |
| Jurisdiction | India |
We respond to any DPDP request within 30 days. If we don't, you can escalate to the Data Protection Board of India under the DPDP Act 2023.
2. Data we collect
2.1 Identifiers
- Name, email, phone (optional), biological sex, date of birth — so you can sign in, receive coach updates, and get sex/age-calibrated nutrition targets.
- A server-generated account UUID that maps every row in our database to you.
2.2 Health & fitness data
- HealthKit (iOS) / Health Connect (Android, Phase 3) — body metrics, heart rate, HRV, SpO2, respiratory rate, sleep, activity, hydration, workouts, mindfulness, audio exposure. Only the categories you explicitly grant via the platform permission sheet.
- Manual logs — food, supplements, medicines, hydration, body-metric readings you type or scan.
- Lab test values — markers + values + reference ranges you upload or enter manually; photos of lab printouts if you use the photo-upload flow.
2.3 Behavioural + protocol data
- Onboarding answers, goals, focus areas (conditions you've flagged like blood-pressure, thyroid, PCOS).
- Daily protocols generated for you, which items you tick, when.
- Token ledger, streak history, tier placement.
- Coach chat messages (when you use the coach conversation feature).
2.4 Consent + audit
- Consent receipts (who granted what, when, IP at the time, user agent) — kept even after withdrawal so the audit trail is tamper-evident.
- Billing records if and when you subscribe (Razorpay handles card data; we only see transaction IDs + metadata).
2.5 Third-party-generated content
- LLM-generated protocols and coaching are produced by sending your profile + goals + relevant signals to Google Gemini (paid API tier). Inputs are not used to train Google's models under these terms.
3. Why we process it
Lawful purposes under DPDP s.4(a) — with your consent:
- Generate personalised daily protocols and coaching.
- Track streaks, adherence, tokens so the habit loop functions.
- Filter food suggestions against your active focus areas (ADR-011 — we refuse to recommend anything plausibly unsafe for a condition you've told us about).
- Surface body + log trends and weekly reviews.
- Answer your messages to the coach.
- Comply with our own legal + tax obligations.
Lawful purposes under DPDP s.4(b) — without separate consent (legitimate use):
- Prevent fraud, abuse, or attacks against your account or our infrastructure.
- Respond to lawful orders from Indian authorities.
We do not process your data for advertising, behavioural targeting, or sale to third parties. We don't run any third-party ad SDKs.
4. Where it lives, who processes it
| Processor | What they see | Region | Transfer basis |
|---|---|---|---|
| Supabase (Postgres + Auth + Storage) | Every row we store | ap-south-1 Mumbai | Signed DPA; hosted in India |
| Fly.io | Request/response traffic through the API host (not at rest) | bom Mumbai | Signed DPA; hosted in India |
| Google Gemini (paid API) | Your profile + goals + flagged markers when we generate a protocol or coach reply | Nearest available region (may be outside India) | Google's DPA + standard contractual clauses |
| Apple Health / HealthKit | On-device only unless you explicitly grant a category | On your device | N/A (stays on device) |
| Health Connect (Android, Phase 3) | On-device only unless you explicitly grant a category | On your device | N/A |
| Razorpay (when subscriptions launch) | Transaction metadata; we never see card data | India | PCI-DSS + RBI-licensed |
| Resend (transactional email) | Your email + the email body we send you | Global | Signed DPA |
Everything at rest sits on Supabase Mumbai (ap-south-1) — data residency by default. Backups are rotating 30-day infrastructure snapshots in the same region.
5. How long we keep it
- Live data: until you delete your account. Erasure is immediate via Me → Privacy notice → Delete account. You see the deletion reflected within seconds; infrastructure backups roll over every 30 days and are overwritten automatically.
- Consent audit rows (user_consents) survive account deletion for 3 years after withdrawal, per DPDP s.8(7), so we can prove the consent lifecycle if audited.
- LLM cost logs (llm_cost_log) are aggregated — token counts + caller tag + user_id — and retained 12 months for billing reconciliation, then pruned.
- Payment records retained 7 years per Indian tax/accounting requirements (when subscriptions launch).
6. Your rights under DPDP
You can exercise any of these at any time through the app or by writing to hi@aharaos.com:
| Right | Where |
|---|---|
| Access (s.11) — see everything we hold | Me → Privacy notice → View your consent history surfaces consents; JSON export of full data on request |
| Correction (s.12) | Me → Profile / Focus areas / Goals / Supplement stack |
| Erasure (s.12) | Me → Privacy notice → Delete account |
| Withdraw consent (s.6(4)) | Withdrawing AI or 18+ consent = account deletion; no middle state |
| Nomination (s.14) — name someone to act on your behalf if you're unable | Email us |
| Grievance (s.13) | Email hi@aharaos.com; we reply within 7 days, resolve within 30 days |
| Escalate | If unsatisfied, complain to the Data Protection Board of India |
7. Age restriction
AharaOS is 18+ only. We do not knowingly process data from anyone under 18. If we learn we have, we delete the account immediately. There is no ability for guardians to grant consent for minors in the current version — age verification is a hard gate at onboarding.
8. Security
- TLS 1.2+ on every API call, enforced by Fly.io's edge.
- Row-Level Security (RLS) on every user-scoped table in Postgres; no cross-user data leak possible via API.
- Service-role database credentials live only on the backend and are injected via Fly's secret store — never shipped to clients, never in Git.
- JWT-signed Supabase Auth sessions; access tokens expire after 1 hour with refresh rotation.
- bcrypt for any server-side passwords.
We do not hold copies of user data in unencrypted spreadsheets, email attachments, personal cloud drives, or chat threads.
9. Breach notification
If we detect a personal data breach that creates a risk to your rights, we will notify the Data Protection Board of India and every affected user within 72 hours of confirmation, per DPDP s.23. Notification will name: what data was exposed, what we've done to contain it, and what you should do. Our internal response plan is documented in docs/runbooks/breach_notification.md.
10. Changes to this policy
Material changes re-prompt consent in-app and update the "Last updated" date below. Minor clarifications do not. You can always read the current version at aharaos.com/privacy (pending domain purchase; until then, via the API at /privacy).
11. Contact
Anything privacy-related: hi@aharaos.com
Data Fiduciary + Grievance Officer: Sumanth Malipeddi
Last updated 24 April 2026.