1. Who we are
Sattvah Labs is the operator of the Sattvah mobile app, studio.sattvah.ai, and related properties (collectively, Sattvah). We are the Data Fiduciary for your personal data under India's Digital Personal Data Protection Act 2023.
- Registered office: Sattvah Labs Pvt Ltd, registered office to be confirmed.
- Email for privacy matters: privacy@sattvah.ai
- Grievance Officer: see Grievance Redressal for current contact details and response timelines.
2. What this policy covers
This policy explains what personal data we collect from you, why we collect it, how we use and share it, how long we keep it, and the rights you have over it. It applies to anyone who creates a Sattvah account, browses our public surfaces, or interacts with Sattvah on a partner platform.
3. The data we collect
We collect personal data in three buckets.
Account and identity
Email address, name or display name, country, language, profile photo, federated identity claims if you sign in with Google or Apple. Collected when you sign up, sign in, or update your profile.
Activity and content
Diary entries, mood check-ins, chat conversations with Sattvah, community posts and replies, course enrollments and progress, lesson watch position, certificates earned, expert bookings, notes, ratings. Collected while you use Sattvah.
Technical
Device model, OS version, app version, IP address, time zone, browser type, crash logs, basic analytics events, Cognito sub identifier. Collected automatically while you use Sattvah.
What we do not knowingly collect
- Government identifiers (Aadhaar, PAN, passport) unless required for KYC during a paid product flow.
- Sensitive personal data categories (race, religion, biometric) unless you choose to mention them in your own content.
- Health records as defined by the Mental Healthcare Act 2017. Sattvah is a wellbeing service, not a clinical-care provider.
Payment data. When you buy a paid course or session, Razorpay handles the card or UPI details directly. Sattvah only stores a transaction reference and amount.
4. Lawful bases under DPDPA
- Consent for processing not strictly required to deliver the service (optional marketing emails, optional analytics, optional AI-powered features sent to a third-party processor).
- Legitimate use under DPDPA Section 7 for processing required to deliver the service you asked for.
- Compliance with law, including responding to lawful information requests from Indian authorities.
You can withdraw consent at any time using the controls in Settings, or by emailing privacy@sattvah.ai. Withdrawal does not affect processing carried out before the withdrawal.
5. How we use your data
- Provide the service: account, sign-in, courses, progress, community, scheduled rituals, expert booking.
- Keep Sattvah safer, including routing concerning language to relevant helpline information.
- Improve the product through aggregated, de-identified usage signals.
- Send service emails (account verification, security alerts, receipts, booking confirmations).
- Send optional product updates only if you opt in.
- Process payments through Razorpay.
- Respond to your support and grievance requests.
- Meet legal and regulatory obligations, including CERT-In incident reporting.
We do not sell your personal data. We do not use your personal data to train third-party AI models. We do not show third-party advertisements.
6. Data Processors we share data with
| Processor | Country | Purpose |
|---|---|---|
| Amazon Web Services | India (Mumbai, primary) | Hosting, identity (Cognito), storage |
| Anthropic PBC (Claude API) | United States | AI processing for chat, diary summaries, classification |
| Mux Inc. | United States, global CDN | Video hosting, encoding, captions, delivery |
| Razorpay | India | Payments, subscriptions, KYC |
| Resend | United States | Transactional email delivery |
| Google / Apple | Global | Federated sign-in |
| Sentry / Datadog (if enabled) | United States | Error and performance monitoring |
We do not share your personal data with advertisers, data brokers, or social networks for marketing purposes.
7. International data transfers
Sattvah primarily stores data in India (AWS Mumbai region). Some processors are based outside India and may process limited data abroad. Where the Government of India restricts transfers under DPDPA, we will adjust. Where GDPR applies, transfers outside the EEA are made under Standard Contractual Clauses or an Adequacy Decision.
8. How long we keep your data
| Category | Retention |
|---|---|
| Account profile | Active + 90 days for restore |
| Diary, mood check-ins, chat history | Active, you can delete any time |
| Community posts | Active. Public anonymous posts may persist in anonymized form |
| Enrollments, progress, certificates | Active. Certificates may be retained in hashed form for verification |
| Payment transaction records | 8 years (Indian tax and accounting law) |
| Server, security and incident logs | 180 days (CERT-In) |
| Crash and error logs | 30 days, then aggregated |
| Backups | 35 days rolling, then purged |
9. Your rights under DPDPA
- Right of access. Request a copy of the personal data we hold about you. Settings -> Export my data gives you a JSON export immediately for most categories.
- Right of correction and erasure. Update or delete inaccurate or outdated personal data. Settings -> Profile, or privacy@sattvah.ai.
- Right to grievance redressal. See Section 14.
- Right to nominate. Nominate a person to exercise your rights in case of death or incapacity (planned).
- Right to withdraw consent. Settings -> Privacy.
10. Account deletion
You can delete your Sattvah account from Settings, or by emailing privacy@sattvah.ai with the subject "delete my account."
- Within 24 hours, your account is deactivated and you can no longer sign in.
- Within 30 days, your personal content is permanently deleted from active systems.
- Within 90 days, the data is removed from rolling backups.
- Certain records are retained as required by law (payment records for 8 years).
11. Children
Sattvah is intended for users aged 18 and above. If you are under 18, you may use Sattvah only with the consent of a parent or lawful guardian. We do not knowingly collect personal data from anyone under 13, or under 18 without verifiable parental consent. We do not behaviorally monitor children. We do not show targeted advertising of any kind.
12. Cookies and similar technologies
The sattvah.ai web surfaces use cookies to keep you signed in and remember your preferences. The Sattvah mobile app does not use cookies but stores equivalent identifiers locally. You can clear them by signing out or deleting the app.
13. Security
- Encryption in transit (TLS 1.2+) and at rest (AES-256, AWS-managed).
- Tokens stored in AWS Secrets Manager with KMS-managed keys.
- Least-privilege access controls with audit logging.
- Quarterly access list reviews.
- Mandatory two-factor authentication for production access.
- Coordinated disclosure at security@sattvah.ai.
If we suffer a breach affecting your personal data, we will notify you and the relevant authorities (CERT-In, the DPDPA Board when constituted) within the timelines they require (currently 6 hours for CERT-In after detection).
14. Grievance redressal
If you have a concern about how Sattvah handles your personal data, contact our Grievance Officer.
- Email: grievance@sattvah.ai
- Postal address: registered office address to be confirmed.
- Acknowledgement timeline: 24 hours.
- Resolution timeline: 15 days (default).
If you are not satisfied with our resolution, you may escalate to the Data Protection Board of India once it is constituted.
15. Changes to this policy
We may update this Privacy Policy as Sattvah evolves and as the law evolves. When we make a material change, we will notify you in-app and by email at least 14 days before the change takes effect, unless a shorter period is required by law.
16. Region-specific information
EU and UK (GDPR / UK GDPR). You have additional rights, including the right to data portability and the right to lodge a complaint with your supervisory authority.
California (CCPA / CPRA). We do not sell or share personal information as defined by California law. You have rights to know, delete, correct, and limit use of sensitive personal information.
Australia, Canada, Singapore. Local privacy authorities can be contacted where applicable.
17. Contact
- General privacy questions: privacy@sattvah.ai
- Grievance redressal: grievance@sattvah.ai
- Security disclosures: security@sattvah.ai