Privacy Policy

For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), ManaSmurti is the Data Fiduciary responsible for collecting and processing your personal data.

When you use ManaSmurti, we collect the following categories of personal data:

• Account information: Your name, email address, and date of birth. Date of birth is collected solely to verify that you are 18 years of age or older, as required by our Terms of Service.
• Conversation data: The messages you send and the responses you receive during your sessions on ManaSmurti. All conversation content is encrypted at rest using AES-256-GCM encryption and in transit using TLS.
• Usage data: Information about how you interact with the Platform, including session timestamps, features used, conversation counts, and subscription activity. This helps us improve the service and enforce usage limits.
• Payment information: When you subscribe to a paid plan, payment is processed by our authorised payment gateway partner. We do not collect, store, or have access to your card number, bank account details, or UPI credentials. We receive only a payment confirmation, transaction reference, and subscription status from the payment processor.
• Device and technical data: Your browser type and version, operating system, IP address, device type, and screen resolution. This is collected automatically and used for security, fraud prevention, and performance optimisation.
• Communication data: If you contact us via email or through the contact form, we retain the content of your communication, your email address, and our response for record-keeping and quality purposes.

Under the DPDP Act, 2023, we process your personal data on the following lawful bases:

• Consent: By creating an account and using ManaSmurti, you provide your informed consent to the collection and processing of your personal data as described in this policy. You may withdraw your consent at any time (see Section 9 below).
• Contractual necessity: Processing is necessary to provide you with the services you have requested, including generating responses, managing your account, and processing subscriptions.
• Legitimate interests: Processing for security, fraud prevention, service improvement, and enforcement of our community guidelines.
• Legal obligation: Processing required to comply with applicable Indian laws, including responding to lawful requests from government or judicial authorities.

We use your personal data for the following specific purposes:

• To create, authenticate, and manage your account on ManaSmurti.
• To provide the companion service, including processing your messages and generating responses.
• To verify that users meet the minimum age requirement of 18 years.
• To process subscription payments, manage billing, and handle refunds.
• To send transactional emails (account confirmation, password reset, billing receipts, policy updates).
• To enforce our community guidelines and acceptable use policy, including screening messages for safety.
• To detect and prevent fraud, abuse, security incidents, and unauthorised access.
• To improve the quality, reliability, and performance of the Platform.
• To comply with our legal obligations under applicable Indian law.
• To respond to your support requests and communications.

We do not use your data for any of the following purposes:

• Marketing, advertising, or promotional communications (unless you explicitly opt in).
• Profiling for advertising or commercial purposes.
• Selling, renting, or trading your personal data to any third party.
• Training machine learning models using your conversation content.

Your conversations are encrypted at rest in our database using AES-256-GCM encryption and in transit over the network using TLS. Only you can access your conversation history through your authenticated account.

Your messages are processed by our automated systems to generate responses. This processing is done solely for the purpose of providing you with the companion service. We do not read, review, or manually access your conversations except in the following limited circumstances:

• When required by law or a lawful order from a competent authority.
• When investigating a reported violation of our Terms of Service or community guidelines.
• When necessary to ensure the safety of a user or the public (such as imminent risk of self-harm).

Usage data (such as session counts and feature usage) is aggregated and anonymised before being used for analysis. Aggregated data cannot be linked back to your identity.

You can sign in to ManaSmurti in three ways:

• Email and password. The password you choose is stored only as a one-way bcrypt hash. We do not keep the password itself, and we cannot send it to you.
• Google. You can link a Google account whose email matches your ManaSmurti email. We never receive your Google password. Google tells us only that the sign-in was successful.
• A one-time sign-in link. We can send a single-use link to your registered email that signs you in without a password. The link expires shortly after issuance and cannot be reused.

You can manage your sign-in methods from your account settings, including adding a password to an account that was created with a sign-in link. We will never ask for your password by email, by chat, or by phone.

ManaSmurti includes self-assessments. When you take an assessment, we collect:

• Your responses to each item in the assessment, encrypted at rest using AES-256-GCM.
• The role and profession you selected when you started the assessment, stored as plain text so we can read your report against your work context.
• Session-integrity events such as window focus changes and copy attempts during the session. These are used only to assess how settled the reading is, and they are summarised on your report.
• The report we produce from your responses, generated automatically by software and delivered to your registered email as a PDF.

How long we keep self-assessment data

• Responses: ninety days from the date you submit the assessment, then deleted. The report we generated from the responses is kept; the responses themselves are not.
• Reports: kept until you delete your account, or until you ask us to delete a specific report. You can ask via grievance@manasmurti.com.
• Norm records: if you opted in when you registered, an anonymised record of your facet scores and your role cluster is kept indefinitely so we can calibrate our scoring model across roles. The record is not linked to your name or email. If you change your mind, write to grievance@manasmurti.com and we will remove your norm record on a best-effort basis.

Who can see your self-assessment data

Only you. Even when your company sponsors your ManaSmurti account, your responses and your report are visible only to you. Sharing a report with HR, a manager, a mentor, a coach, or anyone else is something you initiate from your account. The report you share carries a clear note about who generated it and when.

Assessment reports are never aggregated into a corporate dashboard. The corporate features described elsewhere in this policy concern conversation and pulse signals only.

Before your messages are processed, they may be screened by automated safety systems to identify content that falls outside our community guidelines. This screening happens in the background and does not delay your experience.

• If a message is flagged, the content category and severity are logged for safety monitoring and enforcement purposes. This log is used strictly to enforce our community guidelines and is not shared with third parties.
• Behavioural patterns, such as your communication style, session frequency, and engagement patterns, may be analysed over time to improve the quality and relevance of responses you receive.
• All flagged content logs and behavioural data are encrypted at rest using the same AES-256-GCM standards as your conversation history.
• When you delete your account, all flagged content logs and behavioural data associated with your account are permanently deleted within 72 hours.

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights regarding your personal data:

• Right to access: You have the right to obtain confirmation of whether we are processing your personal data and to request a summary of your personal data and the processing activities related to it.
• Right to correction: You have the right to request correction of inaccurate or incomplete personal data, and to have misleading data updated.
• Right to erasure: You have the right to request the deletion of your personal data. Upon such request, we will erase your data unless we are required to retain it by law.
• Right to data portability: You may request a copy of your personal data in a structured, commonly used, and machine-readable format.
• Right to withdraw consent: You may withdraw your consent to data processing at any time by contacting our Grievance Officer. Please note that withdrawal of consent will result in account closure and deletion of your data, as the service cannot function without processing your data.
• Right to grievance redressal: You have the right to file a complaint with our Grievance Officer, and if unsatisfied with the resolution, to approach the Data Protection Board of India. For details, see our Grievance Redressal page.
• Right to nominate: In the event of your death or incapacity, you have the right to nominate another individual to exercise your data rights on your behalf, as provided under the DPDP Act.

To exercise any of these rights, please contact our Grievance Officer at grievance@manasmurti.com. We will respond to your request within 48 hours and aim to fulfil it within 30 days.

We do not sell, rent, trade, or commercially share your personal data with any third party.

To operate the service, we share limited data with the following categories of service providers, who are contractually bound to maintain confidentiality and process your data only for the purposes we specify:

• Response generation: Your messages (in encrypted transit) are sent to our response generation service provider to produce companion responses. The provider does not retain your messages beyond the time required to process each request.
• Cloud infrastructure: Your encrypted data is stored on servers provided by Amazon Web Services (AWS), hosted in the Asia Pacific (Mumbai) region (ap-south-1). AWS acts as a Data Processor and is bound by its Data Processing Agreement.
• Payment processing: Payment transactions are handled by our authorised payment gateway partner. We share only the minimum data necessary to process payments (email, plan selected, amount). We do not share your conversation data with payment processors.
• Email delivery providers who send you transactional emails, including account verification, password reset, billing receipts, sign-in links, and report-ready notifications. The email service receives only your email address and the message content.

We may also disclose your personal data if required by law, including in response to a court order, summons, or lawful request from a government or law enforcement authority under applicable Indian law, including the Information Technology Act, 2000 and the Code of Criminal Procedure, 1973.

If you are using ManaSmurti through a ManaSmurti for Teams corporate account, your employer's HR team has access to a dashboard showing aggregated cohort signals only. This means:

• Signals are calculated on cohorts of at least five employees (team or function, manager group, or tenure band). Cohorts smaller than five display "not enough data yet" and no number.
• The signals surfaced include a wellbeing pulse (derived from engagement metadata, not message content), aggregate participation rate, and aggregate completion rate for any training modules assigned to the group.
• Your employer never sees your individual conversations, your individual activation status, your individual module completion, your individual usage frequency, or any direct feedback you may submit to us.
• Every query your employer's HR team runs against the dashboard is written to an immutable audit log. You can request a frequency summary of queries against your cohort at any time.

We never share individual responses, names, or written comments with your employer under any circumstance, including at the employer's direct request.

Your personal data is primarily stored and processed on servers located in India (AWS Mumbai region). However, in the course of providing the service, your data may be transferred to and processed in countries outside India, for example when your messages are processed by our response generation service provider.

Any such transfer is carried out in accordance with the provisions of the DPDP Act, 2023 and any rules or notifications issued by the Central Government regarding permissible jurisdictions for data transfer. We ensure that appropriate safeguards are in place, including contractual obligations on the receiving party to protect your data to a standard equivalent to that required under Indian law.

ManaSmurti does not transfer personal data to any country that the Central Government of India has restricted under the DPDP Act.

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

• Free accounts: Conversation history is retained for 30 days from the date of each conversation and then permanently deleted.
• Paid accounts: Conversation history is retained for the duration of your active subscription, and for 90 days after cancellation or expiry, to allow you time to resubscribe or download your data.
• Self-assessment responses: ninety days from submission, then deleted. See Section 7 for the full assessment data lifecycle.
• Self-assessment reports: until you delete your account or ask us to delete a specific report.
• Norm records (opt-in): kept indefinitely, anonymised, not linked to your identity. Removable on request.
• Account deletion: When you delete your account (or request deletion), all personal data, including conversations, profile information, flagged content logs, and behavioural data, is permanently and irreversibly deleted from our systems within 72 hours.
• Payment records: Transaction records and billing history are retained for a period of eight (8) years after the transaction date, as required under the Income Tax Act, 1961 and the Goods and Services Tax Act, 2017.
• Support communications: Records of support emails and grievance complaints are retained for three (3) years from the date of resolution.

Anonymised, aggregated usage data that cannot be linked to any individual may be retained for service improvement and analytical purposes. This is a discretionary product-improvement choice we make under the DPDP Act anonymisation carve-out, not a legal requirement. The data that survives this way cannot be traced back to any individual user.

Anonymised, unlinkable feedback signals (thumbs taps, questionnaire ratings, guide ratings) may be retained beyond account deletion under the same discretionary carve-out. Open-ended written comments are deleted along with your account, always.

If your account is a ManaSmurti for Teams corporate account (invited by your employer and linked to your corporate email domain), you have a few additional rights beyond what a personal account gets.

Employee bill of rights at first login

The first time you log in to a ManaSmurti for Teams account, we show you a full-page screen listing exactly what your employer can and cannot see. You acknowledge it with a timestamp. If the visibility contract ever changes, you will re-acknowledge the new version. This is your permanent record that you were told the truth, in plain language, before you used the product.

Direct feedback channel

You can reach the ManaSmurti team directly through an in-app feedback channel. This channel does not route through your HR team. We never tell your employer that you submitted feedback, or what it said. Anonymous by default. This is how we find out when the product fails someone, and it is also how you know we are not your employer's analytics department.

Cohort audit frequency request

You can request a frequency summary of how often your employer's HR team has looked at your cohort's wellbeing pulse over the last 30, 90, or 365 days. The summary shows counts and recency, not the admin identity or the exact numbers returned. This is enough transparency for you to know the dashboard is not a black box, without giving you anything that would harm a specific HR person.

If your employer cancels the ManaSmurti for Teams contract

When a corporate contract ends, we do the following:

• Same day:Your employer's HR dashboard access is disabled. HR can no longer run any cohort query against your data.
• Same day: You receive an email and an in-app notice letting you know the contract has ended, when your account will be deleted, and how to export your conversation history before then if you want to keep it.
• 90-day grace period: You keep full access to the product. You can finish conversations in progress, export your data, and register a separate personal account with a personal email if you want to continue using ManaSmurti after your corporate account is deleted.
• Day 90: Your corporate account and all personal data linked to it is permanently deleted. Anonymised signals that cannot be traced back to you may be retained per the data retention section above.
• Never: No data is handed back to your employer at cancellation. Not a summary, not a count, not a name, not a snapshot. The data belongs to you.

If you want a private account your employer is not paying for

You can register a separate personal account with a personal email (Gmail, Yahoo, or any non-corporate domain) at any time. Your personal account is entirely separate from your corporate account, and we make no attempt to correlate the two. Your employer has no way to find out that you have a personal account, and no one at ManaSmurti has a lookup that would connect them. This is an architectural guarantee, not a policy choice.

We implement and maintain reasonable security practices and procedures, as required under Section 8 of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:

• All data in transit is encrypted using TLS (Transport Layer Security) via HTTPS.
• All conversation content and sensitive personal data is encrypted at rest using AES-256-GCM encryption.
• Passwords are hashed using bcrypt with a work factor of 12 and are never stored in plain text.
• API keys and credentials used by the Platform are encrypted using AES-256-GCM and stored in the database, never in configuration files.
• Access to production systems is restricted to authorised personnel only, using SSH key-based authentication.
• Regular security reviews and updates are performed on all Platform components.
• Database access is restricted by IP allowlisting and encrypted connections (SSL/TLS).

Despite these measures, no method of electronic storage or transmission over the internet is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at support@manasmurti.com.

In the event of a personal data breach that is likely to cause harm to you, ManaSmurti will:

• Notify the Data Protection Board of India as required under the DPDP Act, 2023, within the prescribed timeframe.
• Notify affected users by email (to the registered email address) as soon as reasonably practicable, and in any case within 72 hours of becoming aware of the breach.
• Provide details of the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

ManaSmurti uses a limited number of essential and functional cookies to operate the Platform. We do not use advertising, tracking, or third-party analytics cookies. For full details about the cookies we use and how to manage them, please see our Cookie Policy.

ManaSmurti is intended exclusively for adults aged 18 years and above. We do not knowingly collect, process, or store personal data from anyone under the age of 18.

In accordance with the DPDP Act, 2023, if we discover or have reasonable grounds to believe that personal data has been collected from a minor (a person below 18 years of age), we will immediately delete the account and all associated personal data without prior notice.

If you are a parent or guardian and believe that a minor under your care has registered on our Platform, please notify us immediately at grievance@manasmurti.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will notify registered users by email or through a prominent notice on the Platform at least 15 days before the changes take effect. The updated policy will always display the version date at the top of this page.

Continued use of ManaSmurti after the changes take effect constitutes your acceptance of the updated policy. If you do not agree with the changes, you must stop using the Platform and delete your account.

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the rules and regulations made thereunder.

Any disputes arising out of or relating to this policy shall be subject to the exclusive jurisdiction of the competent courts in Bangalore (Bengaluru), Karnataka, India.

In accordance with the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the contact details of our Grievance Officer are as follows:

The Grievance Officer will acknowledge your request within 48 hours and endeavour to resolve it within 30 days from the date of receipt. For the full grievance process, visit our Grievance Redressal page.