Privacy Policy

1. Introduction

Therayug Technologies Private Limited ("Therayug", "Company", "we", "us", or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy ("Policy") explains how we collect, use, process, store, share, and protect personal data when you access or use our AI-powered wellness and self-help platform, including the website, mobile application, and all associated services (collectively, the "Service").

This Policy constitutes the privacy notice required under Section 5 of the Digital Personal Data Protection Act, 2023 ("DPDP Act") and Rule 3 of the DPDP Rules, 2025. It is drafted in clear and plain language as mandated by the Act and is available in English. Translations in languages listed in the Eighth Schedule of the Constitution of India may be made available upon request.

By accessing or using the Service, you acknowledge that you have read, understood, and consent to the practices described in this Policy. This Policy should be read in conjunction with our Terms of Service.

2. Data Fiduciary Information

For the purposes of the DPDP Act, 2023 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT SPDI Rules"), the Data Fiduciary responsible for your personal data is:

3. Key Definitions

The following terms used in this Policy have the meanings ascribed to them under the DPDP Act, 2023 and related legislation:

• Personal Data: Any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDP Act, 2023.
• Sensitive Personal Data or Information (SPDI): Information relating to passwords, financial information, physical and mental health conditions, sexual orientation, medical records, and biometric data, as defined under the IT SPDI Rules, 2011.
• Data Principal: The individual to whom the personal data relates — i.e., you, the User — as defined under Section 2(j) of the DPDP Act, 2023.
• Data Fiduciary: Any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data — i.e., Therayug Technologies Pvt Ltd.
• Data Processor: Any person who processes personal data on behalf of a Data Fiduciary, as defined under Section 2(k) of the DPDP Act, 2023.
• Processing: Any operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, restriction, erasure, or destruction.
• Consent: A free, specific, informed, unconditional, and unambiguous indication of the Data Principal's wishes, signified by a clear affirmative action.

4. Personal Data We Collect

In compliance with the DPDP Act's principle of data minimisation, we collect only the personal data that is necessary to provide and improve the Service. The following is an itemized list of the categories of personal data we collect:

4.1 Data You Provide Directly

4.2 Data Collected Automatically

4.3 Data We Do Not Collect

We want to be transparent about the boundaries of our data collection. We do not collect:

• Biometric data (fingerprints, facial recognition, voice prints)
• Financial data such as bank account numbers, credit or debit card numbers (these are processed exclusively by third-party payment gateways)
• Aadhaar numbers or government-issued identity numbers (unless specifically required for a lawful purpose and with explicit consent)
• Data from minors (under 18) without verifiable parental consent

5. Purpose of Processing

Under Section 4 of the DPDP Act, 2023, personal data may be processed only for a lawful purpose for which the Data Principal has given consent, or for certain legitimate uses. We process your personal data for the following specific purposes:

5.1 Purposes Based on Your Consent

1. Providing the Service: To operate, maintain, and deliver the AI wellness conversational service, including generating AI responses tailored to your inputs.
2. Account Management: To create, authenticate, and manage your user account; to communicate with you about your account.
3. Service Improvement: To analyse usage patterns (in aggregate or de-identified form), improve AI response quality, identify and fix technical issues, and develop new features.
4. Communications: To send you service-related notifications, updates regarding changes to the Service, this Policy, or our Terms of Service.
5. Customer Support: To respond to your enquiries, requests, complaints, and feedback.
6. Payment Processing: To process transactions for paid features, generate invoices, and maintain financial records.
7. Personalisation: To customise your experience based on your preferences and interaction history.

5.2 Legitimate Uses Without Consent

In accordance with Section 7 of the DPDP Act, 2023, we may process personal data without explicit consent for the following legitimate uses:

• Where processing is necessary for the State or any instrumentality of the State to provide a benefit, subsidy, or service to the Data Principal.
• Where processing is necessary for compliance with any law in force in India, including any judgment or order of a court or tribunal.
• Where processing is necessary to respond to a medical emergency involving a threat to the life or health of the Data Principal or any other individual.
• Where processing is necessary for safety and security purposes during any disaster or breakdown of public order.

We do not process your personal data for purposes incompatible with those for which it was originally collected, and we do not engage in behavioural monitoring or targeted advertising directed at Users.

6. Consent and Lawful Basis

6.1 How We Obtain Consent

In accordance with Section 6 of the DPDP Act, 2023, we obtain your consent through a clear affirmative action at the time of account creation. Our consent mechanism:

• Is accompanied by this Privacy Notice describing the data collected and purposes of processing.
• Is presented in clear, plain English (with additional language support available upon request).
• Is specific to the identified purposes and not bundled with unrelated terms.
• Does not use pre-checked boxes, dark patterns, or other manipulative design elements.
• Is freely given — you are not coerced or compelled to provide consent as a condition for accessing non-essential features.

6.2 Withdrawal of Consent

You have the right to withdraw your consent at any time. You may withdraw consent by:

• Sending an email to [privacy@therayug.com] with the subject line "Consent Withdrawal".
• Contacting our Grievance Officer using the details in Section 16.

Withdrawal of consent shall be as easy as giving consent. Upon withdrawal, we will cease processing your personal data for the consented purposes within a reasonable timeframe. Please note that withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal and may result in the termination of your access to the Service.

7. Sensitive Personal Data or Information

We recognise that conversational data exchanged on the Service may reveal information about your physical, physiological, or mental health condition, which constitutes Sensitive Personal Data or Information ("SPDI") under Rule 3 of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

7.1 Enhanced Protections for SPDI

In compliance with the IT SPDI Rules, 2011, we apply the following enhanced protections to SPDI:

• Collection of SPDI is based on your explicit, written consent (provided electronically through our consent mechanism).
• SPDI is processed only for the purposes specified in this Policy and for which consent was obtained.
• SPDI is not retained beyond the period necessary to fulfil the purpose of collection, or as required by applicable law.
• SPDI is not disclosed to any third party without your prior consent, except where required by law or for the performance of a lawful contract.
• You may withdraw consent for the processing of SPDI at any time, and we will cease such processing in accordance with Section 6.2.

7.2 Body of Knowledge

While the DPDP Act, 2023 does not create a separate "sensitive data" category, we adopt a precautionary approach and treat all health-related conversational data with the heightened protections applicable to SPDI under the IT SPDI Rules, 2011, which remain in force.

8. Children's Data

In compliance with Section 9 of the DPDP Act, 2023 and Rules 10–12 of the DPDP Rules, 2025:

8.1 Age Restriction

The Service is intended for individuals aged 18 and above. We implement age-gating mechanisms during account registration to verify that Users meet the minimum age requirement.

8.2 Prohibition on Data Collection from Children

We do not knowingly collect or process personal data of children (individuals under 18 years of age) without verifiable parental consent. If we become aware that we have inadvertently collected personal data of a child without proper consent, we will:

• Immediately cease processing such data.
• Delete all personal data associated with the child's account within seventy-two (72) hours of discovery.
• Notify the parent or guardian, where contact information is available.

8.3 Restrictions on Processing

In compliance with Section 9(2) and 9(3) of the DPDP Act, we do not:

• Undertake any processing of children's data that is likely to cause detrimental effects on their well-being.
• Engage in tracking, behavioural monitoring, or targeted advertising directed at children.

9. Data Storage and Retention

9.1 Storage Location

Your personal data is stored on secure servers located in India. We use cloud infrastructure provided by reputable service providers that maintain data centres in India and adhere to industry-standard security certifications.

9.2 Retention Periods

In compliance with Section 8(7) of the DPDP Act and Rule 8 of the DPDP Rules, 2025, we retain personal data only for as long as necessary to fulfil the purpose for which it was collected. Our specific retention periods are:

9.3 Deletion and Erasure

Upon the expiry of the retention period, or upon your request for erasure (subject to legal exceptions), we will:

• Permanently delete your identifiable personal data from our active systems.
• Instruct all Data Processors to delete your data from their systems.
• Ensure that data in backups is overwritten within the next backup cycle (not exceeding 90 days).
• Provide you with 48 hours' advance notice before scheduled erasure of your data, as required by the DPDP Rules, 2025.

9.4 Exceptions to Erasure

We may retain specific data beyond the stated retention periods only where:

• Retention is required to comply with a legal obligation under Indian law, including an order of a court, tribunal, or regulatory authority.
• Data is required for the establishment, exercise, or defence of legal claims.
• Data has been fully anonymised such that it cannot be re-identified; such anonymised data is no longer classified as personal data.

10. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to any third party. We may share your data only in the following limited circumstances:

10.1 Data Processors (Service Providers)

We engage third-party Data Processors to assist in providing the Service. All Data Processors are bound by valid contracts under Section 8(2) of the DPDP Act, requiring them to:

• Process data solely on our documented instructions.
• Implement appropriate technical and organisational security measures.
• Delete or return all personal data upon termination of the service agreement.
• Assist us in fulfilling Data Principal rights and breach notification obligations.

Categories of Data Processors we may engage include:

• Cloud hosting and infrastructure providers
• Payment gateway providers
• Analytics service providers (receiving only aggregated or de-identified data)
• Email and communication service providers
• Customer support platform providers

10.2 Legal and Regulatory Disclosure

We may disclose your personal data where required or permitted by law, including:

• In response to a lawful request by a court, tribunal, or competent authority under Indian law.
• To comply with a legal obligation, including under the Information Technology Act, 2000 (Section 69, 69A, 69B) or directions from CERT-In.
• To the Data Protection Board of India, in the event of a personal data breach or as part of any investigation or inquiry.
• To law enforcement agencies where we have a good-faith belief that disclosure is necessary to prevent harm, investigate suspected illegal activity, or protect our legal rights.

10.3 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, your personal data may be transferred to the successor entity, provided that the successor agrees to be bound by the terms of this Policy and the requirements of the DPDP Act.

11. Cross-Border Data Transfer

We primarily store and process your personal data within India. In the event that any transfer of personal data outside India is necessary (for example, where a Data Processor's infrastructure extends beyond India), we will ensure:

• Compliance with Section 16 of the DPDP Act, 2023, which permits transfer of personal data to any country or territory outside India except those specifically restricted by the Central Government through notification.
• That the transfer is made only to countries not appearing on the restricted list notified by the Central Government (no countries have been restricted as of the effective date of this Policy).
• That appropriate contractual safeguards are in place with the receiving entity, ensuring a level of data protection substantially equivalent to that provided under Indian law.

We will update this section if the Central Government notifies any restrictions on cross-border data transfer.

12. Cookies and Tracking Technologies

12.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our website. They help us recognise your device and remember your preferences.

12.2 Types of Cookies We Use

12.3 Cookie Consent and Control

We do not use third-party advertising or marketing cookies. You may control cookie preferences through your browser settings. Disabling strictly necessary cookies may impair the functionality of the Service.

13. Security Measures

In compliance with Section 8(4) of the DPDP Act, 2023, and the IT SPDI Rules, 2011, we implement reasonable security practices and procedures commensurate with the nature and sensitivity of the personal data we process. Our security programme is aligned with the ISO/IEC 27001 standard and includes the following measures:

13.1 Technical Safeguards

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of data at rest using AES-256 or equivalent industry-standard encryption.
• Multi-factor authentication for administrative access.
• Regular vulnerability assessments and penetration testing.
• Intrusion detection and prevention systems.
• Secure software development lifecycle (SDLC) practices.
• Automated log monitoring with minimum 12-month log retention as required by the DPDP Rules.

13.2 Organisational Safeguards

• Role-based access controls with the principle of least privilege.
• Background checks for employees and contractors with access to personal data.
• Mandatory data protection training for all staff.
• Non-disclosure agreements with employees, contractors, and third-party processors.
• Documented incident response plan and business continuity procedures.
• Periodic internal and external security audits.

14. Data Breach Notification

In the event of a personal data breach, we will comply with the breach notification requirements under the DPDP Act, 2023 and the DPDP Rules, 2025:

14.1 Notification to the Data Protection Board

• We will intimate the Data Protection Board of India without delay upon becoming aware of a personal data breach.
• A detailed breach report will be submitted to the Board within seventy-two (72) hours, including the nature of the breach, categories and approximate number of Data Principals affected, likely consequences, and measures taken or proposed to address the breach.

14.2 Notification to Affected Data Principals

• We will notify affected Data Principals without delay, in clear and plain language, describing the nature of the breach, the categories of personal data affected, the likely consequences, and the steps you may take to protect yourself.
• Notifications will be sent via email and, where applicable, through in-app notifications or other effective communication channels.

15. Your Rights as a Data Principal

Under Chapter III of the DPDP Act, 2023, you have the following rights in relation to your personal data. You may exercise these rights by contacting us at [privacy@therayug.com] or through the account settings in the Service.

15.1 Right to Access (Section 11)

You have the right to obtain from us confirmation of whether your personal data is being processed, and if so, a summary of the personal data being processed, the processing activities undertaken, the identities of all Data Fiduciaries and Data Processors with whom your data has been shared, and any other information as may be prescribed.

15.2 Right to Correction and Erasure (Section 12)

You have the right to:

• Request the correction of inaccurate or misleading personal data.
• Request the completion of incomplete personal data.
• Request the updating of personal data that is no longer current.
• Request the erasure of personal data that is no longer necessary for the purpose for which it was collected.

We will process your request within a reasonable timeframe, not exceeding thirty (30) days from receipt of a valid request. Where we are unable to fulfil a request (for example, due to a legal retention obligation), we will inform you of the reasons.

15.3 Right to Grievance Redressal (Section 13)

You have the right to submit a grievance to our Grievance Officer regarding any act or omission in relation to the processing of your personal data. If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India.

15.4 Right to Nominate (Section 14)

You have the right to nominate any individual who shall, in the event of your death or incapacity, exercise your rights as a Data Principal. You may register a nominee through your account settings.

15.5 Response Timeline

We will acknowledge your request within twenty-four (24) hours and will endeavour to fulfil valid requests within thirty (30) days. If additional time is required, we will inform you of the reason for the delay and the expected timeline.

16. Grievance Officer

In compliance with Rule 3(2) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and Section 13 of the DPDP Act, 2023, we have designated a Grievance Officer to address your concerns:

If you are not satisfied with the resolution provided by the Grievance Officer, you may escalate your complaint to the Data Protection Board of India in accordance with the DPDP Act, 2023.

17. AI-Specific Data Processing Disclosures

Given the AI-driven nature of our Service, we provide the following additional disclosures about how personal data is processed in connection with our AI systems:

17.1 How the AI Processes Your Data

• Your text inputs are processed by AI models to generate contextually relevant wellness-oriented responses.
• Processing occurs in real-time during your chat session and does not involve human review of individual conversations.
• Conversation data may be used in aggregated and de-identified form to improve the quality, safety, and accuracy of AI responses.

17.2 Automated Decision-Making

The Service does not make decisions that produce legal effects or similarly significant effects on you based solely on automated processing. AI-generated responses are informational and wellness-oriented; they do not constitute professional advice, diagnosis, or clinical decisions.

17.3 AI Training and Data Use

• We do not use your identifiable conversational data to train, fine-tune, or improve AI models without additional, separate consent.
• Where your data is used for AI improvement purposes, it is anonymised and de-identified such that it cannot be attributed to any individual.

17.4 Labelling of AI-Generated Content

In accordance with the MeitY advisory dated 15 March 2024 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026, all responses generated by the Service are clearly identified as AI-generated content. We implement appropriate labelling to ensure transparency.

18. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. When we make material changes:

• We will provide notice at least thirty (30) days before the changes take effect, via email and a prominent notification within the Service.
• The updated Policy will be posted on our website with a revised "Last Updated" date.
• Where required by the DPDP Act, we will seek fresh consent for any changes that materially alter the purposes for which your data is processed.

Your continued use of the Service after the effective date of the revised Policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you should discontinue use of the Service and delete your account.

19. Applicable Law and Regulatory Framework

This Policy is governed by the following Indian laws and regulations:

In the event of any conflict between this Policy and applicable law, the provisions of applicable law shall prevail.

20. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: