
Privacy Policy

Last Updated: 27 April 2026  ·  Effective Date: 27 April 2026  ·  Version: 2.0

The Short Version

DharmaChat is built and operated by Sukhil Babu, a sole proprietor based in Bengaluru, Karnataka, India. We collect only what we need to run the app: your account info, your spiritual preferences, your conversations with DharmaAI, your community posts, and basic device/usage data. We do not sell your personal data to anyone, ever. Your religious preferences are sensitive personal data under GDPR and Indian law and are protected accordingly. You can export, correct, or permanently delete your data at any time from inside the app or by emailing privacy@dharmachat.in.

1. About this Policy

This Privacy Policy ("Policy") explains how DharmaChat (the "Service", "we", "us") collects, uses, discloses, retains, and protects your personal data when you access our website at dharmachat.in, our mobile applications on iOS and Android, our progressive web app, and any related services. By creating an account or using the Service you agree to the practices described in this Policy.

This Policy is written to comply with, at a minimum, the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Rules, 2011 and 2021, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR & Data Protection Act 2018, the California Consumer Privacy Act of 2018, as amended by the CPRA ("CCPA"), and the Children's Online Privacy Protection Act ("COPPA") where applicable. Where any provision of this Policy conflicts with a mandatory provision of a law that applies to you, that mandatory law prevails.

2. Who We Are (Data Fiduciary / Controller)

The entity responsible for your personal data under this Policy (your "data fiduciary" under Indian law and "controller" under European law) is:

Operator: Sukhil Babu (sole proprietor, trading as "DharmaChat")
Place of business: Bengaluru, Karnataka, India
General contact: sukhil@dharmachat.in
Privacy contact: privacy@dharmachat.in
Legal & grievance: legal@dharmachat.in

We do not currently meet the thresholds to be classified as a "Significant Data Fiduciary" under DPDP §10 or as a "Significant Social Media Intermediary" under the IT Rules 2021. If our user base grows past those thresholds, we will appoint a Data Protection Officer and a Resident Grievance Officer as required, and update this Policy accordingly.

3. Data We Collect

We collect only what is necessary to operate the Service. We have categorised every type of personal data we collect below. If a category does not appear here, we do not collect it.

3.1 Identity & Account Data

What | Source | Why
Email address | You, at sign-up | To create your account, authenticate you, and send transactional emails (password reset, security notices)
Password | You, at sign-up | Authentication. Stored only in salted-hash form by Firebase; we never see or store your plaintext password
Display name | You, in onboarding | Shown on your community posts and inside the app
Firebase UID | Generated automatically | An opaque identifier we use internally to link your data across our systems

3.2 Profile & Preference Data — includes sensitive data

What | Source | Why
Preferred deity (Krishna, Shiva, Devi, Hanuman, etc.) | You, in onboarding (optional) | To personalise daily shlokas, meditations, and DharmaAI responses to your tradition. This is sensitive religious data.
Spiritual level (beginner, intermediate, advanced) | You, in onboarding (optional) | To calibrate the difficulty and depth of content shown to you
Spiritual goals | You, in onboarding (optional) | To suggest relevant scriptures and practices
Preferred language (English, Hindi, Tamil, etc.) | You, in onboarding | To localise the interface and DharmaAI replies
Notification time and timezone | You, in settings | To deliver daily shloka push notifications at the hour you chose

3.3 User-Generated Content

What | Source | Why
Community posts and comments | You | Public content visible to other signed-in users in the Sangha (community) feed
Likes, bookmarks, and reactions | You | Personalisation and engagement counts
Reports and blocks of other users | You | Moderation. We retain reports and block records to enforce community standards
Conversations with DharmaAI | You | To provide the AI-guided scripture chat and let you revisit past sessions. Treat as private, but not end-to-end encrypted.

3.4 Usage & Behavioural Data

What | Source | Why
Daily check-ins (sadhana tasks completed) | You, in app | To track your streak and award karma points
Meditation session logs (duration, track, timestamp) | App | For your meditation history and karma rewards
Karma points and level (Seeker, Devotee, Sadhaka, Yogi, Guru) | Calculated by app | Gamification and progress tracking
Streak count and last check-in date | Calculated by app | To show your daily streak and send streak-protection reminders
DharmaAI questions used today | Calculated by app | To enforce the free-tier daily limit

3.5 Device & Technical Data

What | Source | Why
Expo Push Token | Your device, when you grant notification permission | So we can send your daily shloka notification
Platform (iOS, Android, web) | Detected automatically | To deliver push notifications correctly and assist with debugging
Device model name (optional) | Detected via expo-device | To label tokens in your account so you can revoke a specific device
IP address | HTTP requests | Security, fraud prevention, abuse mitigation. We do not log IP addresses for marketing
Browser/app version, OS version | HTTP request headers | Compatibility and crash diagnosis
Crash and error reports (only if Sentry is enabled) | Automatic on crash | To find and fix bugs. Reports include stack traces, your Firebase UID, app state, and the device's OS/model. Reports do not include your password, payment details, or DharmaAI conversation contents.

3.6 Payment Data

If you purchase a premium subscription, the actual payment instrument (card number, UPI ID, bank details, Apple/Google account) is collected and processed entirely by our payment processors — Razorpay (for India web and Android) and the relevant App Store via RevenueCat (for iOS in-app purchases). We never see, store, or transmit your full card or banking details. What we do receive and store is the order ID, payment ID, transaction status, the plan you bought, the amount, the currency, and timestamps. This is the minimum we need to recognise an active subscription, handle refunds, and provide tax-compliant invoices.

3.7 What We Do Not Collect

  • We do not access your contacts, calendar, photos, microphone, camera, or precise location. The app does not request these permissions.
  • We do not use behavioural advertising tracking. We do not embed Meta Pixel, Google Ads, TikTok Pixel, or any third-party advertising SDK.
  • We do not perform facial recognition or biometric processing of any kind.
  • We do not buy data about you from data brokers.

4. Sensitive Religious Data — Special Protections

Information about your religious or philosophical beliefs is classified as Special Category Personal Data under GDPR Article 9, and is treated as sensitive personal data under the spirit of the DPDP Act and the Indian IT Rules 2011. Because DharmaChat exists to support your spiritual journey, several fields we collect — preferred deity, spiritual goals, scriptures you read, conversations with DharmaAI, posts you make in the Sangha — necessarily reveal religious belief.

We give this category of data heightened protection:

  • Explicit consent. By creating an account and choosing to fill in your deity, level, and goals, you give us your explicit, informed consent under GDPR Art. 9(2)(a) and the DPDP Act to process this religious-belief data for the purpose of personalising your spiritual experience inside the Service. You can withdraw this consent at any time by clearing the fields in your profile or by deleting your account.
  • No third-party advertising. We do not share your religious-belief data with advertisers or data brokers, full stop.
  • Restricted access. Only Sukhil Babu (the sole operator) can access raw religious-belief data, and only when investigating a specific support ticket, abuse report, or legal request.
  • Encrypted at rest and in transit. All such data is stored in our Supabase Postgres database in Mumbai, India, encrypted at rest by the platform, and transmitted over TLS 1.2+ between your device and our servers.
  • Right to deletion. You may delete this data at any time by editing your profile or by deleting your account. Deletion is permanent and unrecoverable.

5. How We Use Your Data

We use the data described above for the following specific purposes only:

  • Provide the Service: create your account, sign you in, render personalised content, run DharmaAI chat, deliver push notifications, run the community feed, track your sadhana streak.
  • Improve the Service: diagnose bugs, fix crashes, measure feature usage at an aggregate level (e.g., "how many users complete onboarding"), study which scriptures are most-asked-about so we can improve the corpus.
  • Communicate with you: send transactional emails (password reset, payment confirmation, security alerts), respond to support requests, notify you of material changes to this Policy or our Terms.
  • Process payments: create orders with Razorpay or App Store IAP, verify successful payment, grant your premium entitlement, issue refunds when due.
  • Enforce our Terms and protect users: investigate reports, hide or remove content that violates community standards, enforce blocks, prevent abuse and spam.
  • Comply with the law: respond to lawful requests from Indian or foreign authorities, retain records for tax and accounting, defend legal claims.

We do not use your personal data for: behavioural advertising, automated decision-making with legal effect, training third-party AI models, or selling to third parties.

6. Legal Bases for Processing

For users protected by the GDPR/UK GDPR, we rely on the following legal bases (Article 6 GDPR):

Legal basis | What we do under it
Performance of a contract (Art. 6(1)(b)) | Account creation, sign-in, delivering subscribed content, processing payments, providing DharmaAI chat
Legitimate interest (Art. 6(1)(f)) | Security, fraud prevention, abuse mitigation, basic non-marketing analytics, defending legal claims
Consent (Art. 6(1)(a) and Art. 9(2)(a) for religious data) | Storing optional profile fields like deity and spiritual goals; sending push notifications; collecting crash reports
Legal obligation (Art. 6(1)(c)) | Tax records, lawful regulator/court orders, mandatory data-breach notifications

For users in India, our processing is based on (a) your certifiable consent under DPDP §6 obtained through clear notice at sign-up, supplemented by (b) the legitimate uses permitted by DPDP §7 where applicable (for example, providing a benefit you have requested, complying with law, or responding to a medical emergency).

7. How We Share Data

We share personal data only in the limited circumstances below. We do not sell or rent personal data to anyone.

  • With sub-processors who help us run the Service (listed in §8 below). They are bound by confidentiality and data-protection commitments.
  • With other users, but only the parts you have chosen to publish. Your community posts, comments, likes, display name, and karma level are visible to other signed-in users. Your email, deity preference, chat history, payment history, and streak data are not.
  • For legal reasons: in response to a binding court order, summons, or government request that is valid under Indian law, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of DharmaChat, our users, or the public.
  • Business transfers: if we ever sell or transfer the business, your data would transfer to the new owner under terms that continue to honour this Policy. We would notify you in-app and by email at least 30 days before any such transfer.

8. Sub-Processors We Rely On

The companies below process personal data on our behalf to deliver core parts of the Service. Each is contractually bound (by their standard Data Processing Addendum or terms of service) to use the data only as we instruct.

Firebase Authentication

Authenticates your sign-in. Stores your email and a salted hash of your password.

🇺🇸 United States · operated by Google LLC

Supabase

Stores your profile, community posts, chat history, and most other application data in our Postgres database.

🇮🇳 Mumbai, India region (data residency)

Anthropic (Claude API)

Generates DharmaAI's replies. We send the chat message and your spiritual profile context (deity, level, language) — not your email or name. Anthropic does not train models on our API traffic by default.

🇺🇸 United States

Razorpay

Processes Indian payments (cards, UPI, net banking, wallets). They collect payment data directly; we receive only an order/payment ID and amount.

🇮🇳 India

RevenueCat (when iOS launches)

Manages iOS in-app purchases by relaying App Store events to our backend.

🇺🇸 United States

Apple App Store / Google Play

Distribute the app and handle in-app purchases on iOS/Android.

🇺🇸 / global

Expo Push Service

Delivers push notifications by relaying messages to APNs (Apple) and FCM (Google). Stores only your push token, platform, and message metadata.

🇺🇸 United States · operated by 650 Industries

Sentry (when enabled)

Receives crash reports and error stack traces to help us diagnose bugs. We scrub passwords and payment details from reports before they leave your device.

🇺🇸 United States

Google Cloud Text-to-Speech (when enabled)

Converts Sanskrit shlokas to spoken audio on request. We send only the shloka text, not your account identifiers.

🇺🇸 / 🇮🇳 multi-region

Vercel / Cloudflare / GoDaddy

Domain, DNS, and website hosting. They handle the request to load the page you are reading.

🌐 global

Google Analytics

Aggregate website traffic statistics, with IP-anonymisation enabled. We do not link analytics to your account.

🇺🇸 United States

We update this list whenever we add, remove, or change a sub-processor. The list above is the authoritative version.

9. International Data Transfers

DharmaChat is operated from India and our primary database (Supabase) is located in Mumbai. Some sub-processors listed above (Firebase, Anthropic, Expo, Sentry, RevenueCat) process data in the United States or other jurisdictions outside India and the EU/EEA.

For transfers out of the EU/EEA or the UK, we rely on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) as incorporated into each sub-processor's Data Processing Addendum, supplemented by additional safeguards where required by Schrems II considerations (encryption in transit, encryption at rest, contractual restrictions on government access).

For transfers out of India, we rely on the DPDP Act §16 framework, which permits transfer to any country except those notified by the Central Government of India as restricted (no such restriction applies as of the effective date of this Policy). When the Central Government issues a list of restricted countries, we will adapt our hosting accordingly and notify you.

10. How Long We Keep Data

Category | Retention period
Active account data (profile, posts, chat, sadhana, etc.) | For as long as your account is active. Hard-deleted within 30 days of account deletion (see §12)
Backup copies after deletion | Up to 30 days in encrypted database backups, then permanently overwritten
Anonymised aggregate analytics | Indefinitely. These cannot be linked back to you
Tax and payment records | Eight (8) years from the financial year-end, as required by Indian Income Tax Act and GST law
Abuse / moderation records (post reports, blocks, takedown logs) | Up to 24 months after the report
Crash and security logs | 30 days, then deleted unless under active investigation
Communications with our support team | 2 years from the last message, then deleted

11. Your Rights

You have the rights below. To exercise any of them, email privacy@dharmachat.in from the email address on your account, or use the in-app controls where indicated. We respond within 30 days (or sooner where the law requires it).

  • Right to be informed. You are reading this Policy — that is how we deliver it.
  • Right of access. Receive a copy of the personal data we hold about you, in a portable format (JSON).
  • Right to correction. Update inaccurate or incomplete data. Most fields are editable from inside the app.
  • Right to erasure. Delete your data. Account deletion is available in Profile → Delete Account inside the app and triggers a hard cascade-delete on our servers.
  • Right to portability. Get a machine-readable export of your account data on request.
  • Right to withdraw consent. Where we rely on your consent (e.g., religious profile fields, push notifications, crash reports), you can withdraw it at any time without affecting the lawfulness of past processing.
  • Right to object to processing based on our legitimate interests, on grounds relating to your particular situation.
  • Right to restrict processing while we investigate a dispute about the data's accuracy or our basis for using it.
  • Right to nominate (DPDP §14): you may nominate, in writing, another individual to exercise your rights on your behalf in the event of your death or incapacity.
  • Right to lodge a complaint. If you believe we have mishandled your data, you may complain to the Data Protection Board of India (under the DPDP Act once constituted) or to your local supervisory authority in the EU/EEA. We would, however, appreciate the chance to address it first via privacy@dharmachat.in.

We will not retaliate against you for exercising any of these rights.

12. Account Deletion

You can delete your account permanently at any time, satisfying Apple App Store Guideline 5.1.1(v) and Google Play's account-deletion requirement.

How to delete: open the app → Profile tab → scroll to Delete Account → confirm.

What happens:

  • Your users row in our database is removed immediately.
  • A database ON DELETE CASCADE wipes all records that reference your account: chat sessions and messages, daily check-ins, meditation sessions, community posts, comments, likes, reports you filed, push tokens, subscription records, karma events, and bookmarks.
  • Your Firebase Authentication identity is detached, freeing your email to register a new account.
  • Encrypted database backups containing your data roll off within 30 days.
  • Tax and payment records linked to past purchases are retained for the statutory 8 years and are anonymised where possible (we keep the minimum required: invoice number, amount, date — not your spiritual profile).

Deletion is irreversible. We cannot recover a deleted account or its content.

If you cannot access the in-app delete option (for example, you forgot your password and cannot recover it), email privacy@dharmachat.in from your account email and we will verify and process the deletion within 7 days.

13. Children & Minors

The Service is intended for users aged 13 and above. We do not knowingly collect personal data from children under 13.

For users in India aged 13 to under 18, the DPDP Act §9 requires verifiable parental or guardian consent before processing children's data. By creating an account if you are under 18 in India, you confirm that your parent or legal guardian has read this Policy and consents to your use of the Service. We may require additional verification for users we identify as under 18.

For users in the European Economic Area, the digital-consent age varies by member state (13 to 16). If you are below the digital-consent age in your country, you must have your parent's or guardian's consent.

For users in the United States under 13, COPPA applies. We do not knowingly process such data; if you believe a user under 13 has registered, email privacy@dharmachat.in and we will delete the account immediately.

We do not target advertising at children, do not show ads to children, do not engage in behavioural profiling of children, and do not use any tracking technology in a way that targets children.

14. Security

No system is invulnerable, but we apply the following safeguards:

  • Transport encryption: all traffic between your device and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: our Postgres database, Firebase, and all sub-processor stores encrypt data at rest by default.
  • Password handling: passwords are hashed with a strong, salted, slow algorithm by Firebase Authentication and are never visible to us.
  • Row-Level Security: our database enforces, at the SQL level, that one user cannot read another user's private rows, even if our application code had a bug.
  • Server-side payment validation: Razorpay payment signatures are HMAC-verified server-side before any premium entitlement is granted. The client cannot fake a payment.
  • Principle of least privilege: only Sukhil Babu has production database access, protected by multi-factor authentication.
  • Sub-processor security: we choose vendors that maintain SOC 2 Type II, ISO 27001, or equivalent independent security audits.
  • Regular review: we audit our Edge Function code, RLS policies, and dependency advisories regularly.

15. Cookies & Local Storage

The DharmaChat website uses a small number of cookies and similar technologies (LocalStorage, IndexedDB):

  • Strictly necessary: tokens that keep you signed in. Without these the Service cannot function. We cannot disable these.
  • Preferences: a LocalStorage entry that remembers your last sadhana state and theme between visits. You can clear this from your browser at any time.
  • Analytics: Google Analytics with IP anonymisation, used only for aggregated traffic counts. You can opt out by installing Google's opt-out browser extension.

The mobile app does not use cookies; it uses the device's secure storage for the equivalent purposes (signed-in token, preferences).

16. Data Breach Notifications

If we suffer a personal-data breach that is likely to result in risk to your rights and freedoms, we will:

  • Notify the Indian Data Protection Board as required by DPDP §8(6) and the Indian Computer Emergency Response Team (CERT-In) within the deadlines set out in the IT Rules 2021 (currently 6 hours for major incidents).
  • Notify the relevant EU/UK supervisory authority within 72 hours where GDPR applies.
  • Notify you, the affected user, in plain language, by email and in-app banner, without undue delay where the breach is likely to result in a high risk to your rights — including: what happened, what data was affected, what we are doing about it, and what you can do.

17. Changes to this Policy

We may update this Policy from time to time. When we do:

  • We will post the updated version at this URL with a new "Last Updated" date and version number.
  • For material changes (changes that expand the data we collect, the purposes we use it for, or the parties we share it with), we will give you at least 30 days' advance notice by email and in-app banner before they take effect.
  • If you continue to use the Service after the new Policy takes effect, you accept the updated Policy. If you do not accept it, you may delete your account.

18. California Residents (CCPA / CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020:

  • Right to know the categories of personal information we have collected, the sources, the purposes, and the categories of third parties we have shared with — for the past 12 months.
  • Right to delete your personal information.
  • Right to correct inaccurate personal information.
  • Right to limit use of sensitive personal information (for us, this is your religious-belief data).
  • Right to opt out of sale or sharing. We do not sell or "share" personal information as those terms are defined under the CCPA. There is therefore nothing to opt out of, but if this ever changes we will provide a "Do Not Sell or Share My Personal Information" link on our home page.
  • Right of non-discrimination for exercising any of the above.

Categories of personal information collected, in CCPA terms: identifiers (email, Firebase UID), commercial information (subscription history), internet activity (app usage), geolocation (only at city level, derived from IP for security), sensory data (none), professional information (none), education information (none), inferences drawn (your karma level, your spiritual interests), and sensitive personal information (religious belief).

To exercise any of these rights, email privacy@dharmachat.in. You may designate an authorised agent to act on your behalf — we will require written proof of authorisation.

19. EU/EEA & UK Residents (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, the GDPR or UK GDPR applies in addition to the rights described in §11. The data fiduciary/controller is identified in §2 of this Policy. We do not currently operate an establishment in the EU/EEA. We have not appointed an Article 27 representative, as our processing scale is below the threshold; we will appoint one if our regular monitoring of EEA users grows beyond a small scale, and update this Policy accordingly.

You have the right to lodge a complaint with the supervisory authority in your member state. A list is available at edpb.europa.eu.

20. Grievance Officer (India — IT Rules 2021)

In compliance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Grievance Officer for DharmaChat is:

Grievance Officer

Name: Sukhil Babu

Designation: Founder & Sole Proprietor, DharmaChat

Email: legal@dharmachat.in

Address: Bengaluru, Karnataka, India (full postal address available on lawful request)

Hours: Monday–Friday, 10:00–18:00 IST (excluding Indian public holidays)

We acknowledge grievances within 24 hours and aim to resolve them within 15 days of receipt, in line with Rule 3(2)(a) of the IT Rules 2021.

21. Contact Us

For any question, concern, or request relating to this Policy or your personal data:

  • Privacy & data requests: privacy@dharmachat.in
  • Legal & grievances: legal@dharmachat.in
  • General & founder: sukhil@dharmachat.in
  • Postal address: Sukhil Babu, DharmaChat, Bengaluru, Karnataka, India (full address on lawful request)

This Policy was written in plain language so that you can actually read it. If anything is unclear, tell us — we will improve it.


© 2026 DharmaChat. Built with devotion in Bengaluru, India.