Privacy Policy

For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), ManaSmurti is the Data Fiduciary responsible for collecting and processing your personal data.

When you use ManaSmurti, we collect the following categories of personal data:

• Account information: Your name, email address, and date of birth. Date of birth is collected solely to verify that you are 18 years of age or older, as required by our Terms of Service.
• Conversation data: The messages you send and the responses you receive during your sessions on ManaSmurti. All conversation content is encrypted at rest using AES-256-GCM encryption and in transit using TLS.
• Usage data: Information about how you interact with the Platform, including session timestamps, features used, conversation counts, and subscription activity. This helps us improve the service and enforce usage limits.
• Payment information: When you subscribe to a paid plan, payment is processed by our authorised payment gateway partner. We do not collect, store, or have access to your card number, bank account details, or UPI credentials. We receive only a payment confirmation, transaction reference, and subscription status from the payment processor.
• Device and technical data: Your browser type and version, operating system, IP address, device type, and screen resolution. This is collected automatically and used for security, fraud prevention, and performance optimisation.
• Communication data: If you contact us via email or through the contact form, we retain the content of your communication, your email address, and our response for record-keeping and quality purposes.

Under the DPDP Act, 2023, we process your personal data on the following lawful bases:

• Consent: By creating an account and using ManaSmurti, you provide your informed consent to the collection and processing of your personal data as described in this policy. You may withdraw your consent at any time (see Section 7 below).
• Contractual necessity: Processing is necessary to provide you with the services you have requested, including generating responses, managing your account, and processing subscriptions.
• Legitimate interests: Processing for security, fraud prevention, service improvement, and enforcement of our community guidelines.
• Legal obligation: Processing required to comply with applicable Indian laws, including responding to lawful requests from government or judicial authorities.

We use your personal data for the following specific purposes:

• To create, authenticate, and manage your account on ManaSmurti.
• To provide the companion service, including processing your messages and generating responses.
• To verify that users meet the minimum age requirement of 18 years.
• To process subscription payments, manage billing, and handle refunds.
• To send transactional emails (account confirmation, password reset, billing receipts, policy updates).
• To enforce our community guidelines and acceptable use policy, including screening messages for safety.
• To detect and prevent fraud, abuse, security incidents, and unauthorised access.
• To improve the quality, reliability, and performance of the Platform.
• To comply with our legal obligations under applicable Indian law.
• To respond to your support requests and communications.

We do not use your data for any of the following purposes:

• Marketing, advertising, or promotional communications (unless you explicitly opt in).
• Profiling for advertising or commercial purposes.
• Selling, renting, or trading your personal data to any third party.
• Training machine learning models using your conversation content.

Your conversations are encrypted at rest in our database using AES-256-GCM encryption and in transit over the network using TLS. Only you can access your conversation history through your authenticated account.

Your messages are processed by our automated systems to generate responses. This processing is done solely for the purpose of providing you with the companion service. We do not read, review, or manually access your conversations except in the following limited circumstances:

• When required by law or a lawful order from a competent authority.
• When investigating a reported violation of our Terms of Service or community guidelines.
• When necessary to ensure the safety of a user or the public (such as imminent risk of self-harm).

Usage data (such as session counts and feature usage) is aggregated and anonymised before being used for analysis. Aggregated data cannot be linked back to your identity.

Before your messages are processed, they may be screened by automated safety systems to identify content that falls outside our community guidelines. This screening happens in the background and does not delay your experience.

• If a message is flagged, the content category and severity are logged for safety monitoring and enforcement purposes. This log is used strictly to enforce our community guidelines and is not shared with third parties.
• Behavioural patterns, such as your communication style, session frequency, and engagement patterns, may be analysed over time to improve the quality and relevance of responses you receive.
• All flagged content logs and behavioural data are encrypted at rest using the same AES-256-GCM standards as your conversation history.
• When you delete your account, all flagged content logs and behavioural data associated with your account are permanently deleted within 72 hours.

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights regarding your personal data:

• Right to access: You have the right to obtain confirmation of whether we are processing your personal data and to request a summary of your personal data and the processing activities related to it.
• Right to correction: You have the right to request correction of inaccurate or incomplete personal data, and to have misleading data updated.
• Right to erasure: You have the right to request the deletion of your personal data. Upon such request, we will erase your data unless we are required to retain it by law.
• Right to data portability: You may request a copy of your personal data in a structured, commonly used, and machine-readable format.
• Right to withdraw consent: You may withdraw your consent to data processing at any time by contacting our Grievance Officer. Please note that withdrawal of consent will result in account closure and deletion of your data, as the service cannot function without processing your data.
• Right to grievance redressal: You have the right to file a complaint with our Grievance Officer, and if unsatisfied with the resolution, to approach the Data Protection Board of India. For details, see our Grievance Redressal page.
• Right to nominate: In the event of your death or incapacity, you have the right to nominate another individual to exercise your data rights on your behalf, as provided under the DPDP Act.

To exercise any of these rights, please contact our Grievance Officer at grievance@manasmurti.com. We will respond to your request within 48 hours and aim to fulfil it within 30 days.

We do not sell, rent, trade, or commercially share your personal data with any third party.

To operate the service, we share limited data with the following categories of service providers, who are contractually bound to maintain confidentiality and process your data only for the purposes we specify:

• Response generation: Your messages (in encrypted transit) are sent to our response generation service provider to produce companion responses. The provider does not retain your messages beyond the time required to process each request.
• Cloud infrastructure: Your encrypted data is stored on servers provided by Amazon Web Services (AWS), hosted in the Asia Pacific (Mumbai) region (ap-south-1). AWS acts as a Data Processor and is bound by its Data Processing Agreement.
• Payment processing: Payment transactions are handled by our authorised payment gateway partner. We share only the minimum data necessary to process payments (email, plan selected, amount). We do not share your conversation data with payment processors.
• Email delivery: Transactional emails (account verification, password reset, billing receipts) are sent through Amazon Simple Email Service (SES). Only your email address and the email content are shared for delivery purposes.

We may also disclose your personal data if required by law, including in response to a court order, summons, or lawful request from a government or law enforcement authority under applicable Indian law, including the Information Technology Act, 2000 and the Code of Criminal Procedure, 1973.

If you are using ManaSmurti through your employer's wellness program, aggregated and fully anonymised feedback (average ratings, common themes, participation rates) may be shared with your employer's HR team. We never share individual responses, names, or written comments with your employer.

Your personal data is primarily stored and processed on servers located in India (AWS Mumbai region). However, in the course of providing the service, your data may be transferred to and processed in countries outside India, for example when your messages are processed by our response generation service provider.

Any such transfer is carried out in accordance with the provisions of the DPDP Act, 2023 and any rules or notifications issued by the Central Government regarding permissible jurisdictions for data transfer. We ensure that appropriate safeguards are in place, including contractual obligations on the receiving party to protect your data to a standard equivalent to that required under Indian law.

ManaSmurti does not transfer personal data to any country that the Central Government of India has restricted under the DPDP Act.

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

• Free accounts: Conversation history is retained for 30 days from the date of each conversation and then permanently deleted.
• Paid accounts: Conversation history is retained for the duration of your active subscription, and for 90 days after cancellation or expiry, to allow you time to resubscribe or download your data.
• Account deletion: When you delete your account (or request deletion), all personal data, including conversations, profile information, flagged content logs, and behavioural data, is permanently and irreversibly deleted from our systems within 72 hours.
• Payment records: Transaction records and billing history are retained for a period of eight (8) years after the transaction date, as required under the Income Tax Act, 1961 and the Goods and Services Tax Act, 2017.
• Support communications: Records of support emails and grievance complaints are retained for three (3) years from the date of resolution.

Anonymised, aggregated usage data that cannot be linked to any individual may be retained indefinitely for service improvement and analytical purposes.

Anonymised, unlinkable feedback signals (thumbs taps, questionnaire ratings, guide ratings) may be retained beyond account deletion under the DPDP anonymisation carve-out for product improvement purposes. Open-ended written comments are deleted along with your account.

We implement and maintain reasonable security practices and procedures, as required under Section 8 of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:

• All data in transit is encrypted using TLS (Transport Layer Security) via HTTPS.
• All conversation content and sensitive personal data is encrypted at rest using AES-256-GCM encryption.
• Passwords are hashed using bcrypt with a work factor of 12 and are never stored in plain text.
• API keys and credentials used by the Platform are encrypted using AES-256-GCM and stored in the database, never in configuration files.
• Access to production systems is restricted to authorised personnel only, using SSH key-based authentication.
• Regular security reviews and updates are performed on all Platform components.
• Database access is restricted by IP allowlisting and encrypted connections (SSL/TLS).

Despite these measures, no method of electronic storage or transmission over the internet is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at support@manasmurti.com.

In the event of a personal data breach that is likely to cause harm to you, ManaSmurti will:

• Notify the Data Protection Board of India as required under the DPDP Act, 2023, within the prescribed timeframe.
• Notify affected users by email (to the registered email address) as soon as reasonably practicable, and in any case within 72 hours of becoming aware of the breach.
• Provide details of the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

ManaSmurti uses a limited number of essential and functional cookies to operate the Platform. We do not use advertising, tracking, or third-party analytics cookies. For full details about the cookies we use and how to manage them, please see our Cookie Policy.

ManaSmurti is intended exclusively for adults aged 18 years and above. We do not knowingly collect, process, or store personal data from anyone under the age of 18.

In accordance with the DPDP Act, 2023, if we discover or have reasonable grounds to believe that personal data has been collected from a minor (a person below 18 years of age), we will immediately delete the account and all associated personal data without prior notice.

If you are a parent or guardian and believe that a minor under your care has registered on our Platform, please notify us immediately at grievance@manasmurti.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will notify registered users by email or through a prominent notice on the Platform at least 15 days before the changes take effect. The updated policy will always display the version date at the top of this page.

Continued use of ManaSmurti after the changes take effect constitutes your acceptance of the updated policy. If you do not agree with the changes, you must stop using the Platform and delete your account.

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the rules and regulations made thereunder.

Any disputes arising out of or relating to this policy shall be subject to the exclusive jurisdiction of the competent courts in Bangalore (Bengaluru), Karnataka, India.

In accordance with the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the contact details of our Grievance Officer are as follows:

The Grievance Officer will acknowledge your request within 48 hours and endeavour to resolve it within 30 days from the date of receipt. For the full grievance process, visit our Grievance Redressal page.