Legal
Privacy Policy
1. Who We Are (Data Fiduciary)
Ishvaram (trading name of the business operated by Digesh Nanda, registered in India) is the Data Fiduciary responsible for the personal data you share with us through ishvaram.com, our mobile application, and related services (collectively, the "Platform").
- Registered address: [TBD — registered business address]
- General contact: support@ishvaram.com
- Privacy contact: support@ishvaram.com
- Grievance Officer: Ishvaram support team
- Grievance email: support@ishvaram.com
2. Personal Data We Collect
We collect only the data necessary to provide our Vedic astrology services. The categories below are processed under the lawful bases described in Section 3.
| Category | Examples | Sensitive? |
|---|---|---|
| Account data | Name, email, phone number, password hash | No |
| Birth data | Date, time, and place of birth used for kundali and panchang calculations | Yes — treated as sensitive personal data under DPDP S.2(t) read with anticipated rules |
| Payment data | Order amount, transaction ID, payment status (processed by Razorpay — we do not store card or UPI details) | No |
| Usage & chat data | AI Jyotish conversation history, feature interactions, pages visited | No |
| Technical data | IP address, device type, browser, crash logs, performance traces | No |
| Cookies & analytics | Session cookies (essential); first-party analytics and marketing tags (see Section 9) | No |
3. Lawful Basis for Processing
- Consent (DPDP S.6): You give explicit, informed consent when you create an account or submit your birth data for a kundali reading. You may withdraw consent at any time (see Section 7).
- Legitimate use — contract performance (DPDP S.7(b)): Processing necessary to deliver services you have purchased (e.g., generating your kundali, sending order confirmations).
- Legitimate use — legal obligation (DPDP S.7(c)): Retaining financial records for 7 years as required by the Income Tax Act and GST rules.
- Legitimate use — safety (DPDP S.7(e)): Fraud detection, security monitoring, abuse prevention.
4. How We Use Your Data
- To generate and display your kundali, rashifal, panchang, and choghadiya
- To power AI Jyotish — your birth data and conversation history improve accuracy
- To process payments and fulfil puja product orders
- To send transactional emails (order confirmations, shipping updates)
- To send service-related notifications (new panchang available, upcoming muhurat) — only with your consent
- To improve our platform through aggregated, anonymised analytics
- To comply with Indian law, including tax record-keeping
5. Sub-processors and Cross-Border Transfers
We engage the following sub-processors to deliver our services. Where data is transferred outside India, the legal basis is contractual safeguards (standard contractual clauses or equivalent data protection agreements), supplemented by the technical and organisational measures described in Section 8.
| Sub-processor | Purpose | Region | Transfer? |
|---|---|---|---|
| Razorpay | Payment processing | India | No |
| Shopify | E-commerce store, order management | Canada / US | Yes — contractual safeguards |
| Cloudflare | Web application hosting, CDN, DDoS protection, edge compute | US (global CDN) | Yes — contractual safeguards |
| Google Cloud Platform / Cloud Run | Backend API compute | India (asia-south1) | No |
| Supabase | Application database | US (AWS us-east-1) | Yes — contractual safeguards |
| Sarvam AI | Hindi-language AI content generation | India | No |
| Anthropic | AI Jyotish language model (Claude) | US | Yes — contractual safeguards |
| Sentry | Error monitoring and crash reporting | US | Yes — contractual safeguards |
| Google Analytics / Tag Manager | Acquisition analytics and marketing measurement | Global | Yes — contractual safeguards |
| Resend | Transactional email delivery | US | Yes — contractual safeguards |
Sub-processors are permitted to process your data only for the stated purpose, under written data processing agreements that include obligations equivalent to those under India's DPDP Act.
6. Data Retention
- Payment and order records: 7 years from the date of transaction, as required by the Income Tax Act 1961 and GST rules.
- AI Jyotish chat history: 2 years from the date of each conversation, unless you request earlier deletion.
- Birth data and kundali: Retained while your account is active. Deleted within 30 days of account deletion (except where retained under a legal obligation).
- Account data: Retained while your account is active. Deleted within 30 days of account deletion.
- Analytics data: Aggregated and anonymised within 90 days; anonymised data may be retained indefinitely.
7. Your Rights under the DPDP Act 2023
As a Data Principal under the Digital Personal Data Protection Act 2023 (India), you have the following rights. To exercise any right, email support@ishvaram.comwith the subject line "DPDP Rights Request". We will respond within 30 days.
- Right to access (S.11(a)): Obtain a summary of the personal data we hold about you and how it is being processed.
- Right to correction (S.11(b)): Request correction of inaccurate or incomplete personal data.
- Right to erasure (S.11(c)): Request deletion of your personal data. Note: we may retain data required by law (e.g., financial records for 7 years) or to defend legal claims.
- Right to withdraw consent (S.6(5)): Withdraw consent for processing at any time by emailing us or deleting your account in-app. Withdrawal does not affect processing that occurred before withdrawal.
- Right to nominate (S.14): Nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.
- Right to grievance redressal (S.13): Lodge a complaint with our Grievance Officer at support@ishvaram.com. If unsatisfied with the response, you may approach the Data Protection Board of India once it is constituted (expected under DPDP Rules — schedule TBD by the Government of India).
8. Security Measures
- TLS 1.3 for all data in transit
- Encryption at rest for birth data and sensitive fields
- Role-based access controls — only authorised personnel access user data
- Automated anomaly detection and error monitoring via Sentry
- In the event of a personal data breach that is likely to cause harm, we will notify affected Data Principals within 72 hours of becoming aware, and report to the Data Protection Board of India as required by DPDP S.10.
9. Cookies and Analytics
We use two categories of cookies:
- Essential cookies: Required for login sessions, shopping cart, and security. These cannot be disabled without breaking core functionality.
- Analytics cookies:Used to understand how visitors use the Platform and measure marketing performance. You may withdraw consent at any time by clicking "Cookie Settings" in the site footer.
10. Children's Data (DPDP S.9)
The Platform is intended for users aged 18 and above. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact support@ishvaram.com and we will delete the data promptly. We do not serve behavioural advertising and do not track users we identify as minors.
11. Updates to this Policy
We will notify you of material changes by email or by prominent notice on the Platform at least 30 days before the change takes effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
12. Contact Us
- General enquiries: support@ishvaram.com
- Privacy requests (access, correction, erasure, consent withdrawal): support@ishvaram.com
- Grievances: support@ishvaram.com - Grievance Officer: Ishvaram support team
This policy describes our practices as of the date above. It does not constitute legal advice. References to "DPDP Act 2023" refer to the Digital Personal Data Protection Act 2023 (India). Some provisions of the Act and its Rules are pending notification by the Government of India; this policy will be updated when those provisions come into force.