· Privacy ·

Privacy Policy.

Effective 2026-05-26

We are going to tell you what we collect, what we do with it, who else touches it, and what you can do about it. In plain English, because the law allows it and the brand demands it.

1 · Who is "we."

"Adhyatm," "we," "us," and "our" refer to the Adhyatm project, operated by Shubham Kumar as a sole proprietorship in Kolkata, India. You can reach us at privacy@adhyatm.co for anything privacy-related, and at hello@adhyatm.co for anything else.

2 · What we collect from you.

Account data

When you sign up: a phone number (for OTP-based sign-in) and optionally an email address (for occasional notes and for account recovery). We do not collect your real name unless you choose to provide it.

Session content (Darpan)

Everything you write or speak inside a Darpan session: the transcript of your turns, the timestamps, the verse and reflection composed at session close. This is what makes the mirror a mirror. It is stored in your account and visible only to you (and, narrowly, to operators of the system; see § 5).

Voice audio

If you speak rather than type, the audio is uploaded to our servers, transcribed via Google Vertex AI (see § 4), and then discarded. We do not retain the audio file. The transcript stays in your account; the audio does not.

Notes

The mirror reads each closed session and writes a small structured note: themes you sit with, threads that keep coming up. These Notes are how Adhyatm "remembers" you across sessions. They are derived from your transcripts and are deletable at any time.

Vyom releases

Anything you post to Vyom is stored anonymously (without your account identifier in the post itself) and hard-deleted after 24 hours. Vyom posts are read by other Adhyatm users at random; one read per post per reader, never re-served. We separately track that you posted (in your account, so we can show you "your releases" and so we can enforce the post-to-read exchange), but the post body is not joinable to your identity by anyone but you.

Crisis events

A safety classifier reads every turn for signs of acute self-harm risk. When it fires, we log a crisis event (timestamp, session ID, the classifier's label and confidence) so we can route you to the appropriate helpline and so the founder can review safety patterns. We do not log the message text itself in the crisis-event row. The classifier's audit trail records what it saw via the session transcript (above), not as a separate copy.

Device and usage data

Standard server logs (IP address, user-agent, timestamps) retained for 30 days for security and abuse prevention. App version and operating system, so we can deliver the right updates. No advertising or third-party analytics SDKs.

What we do not collect

Location. Contacts. Camera or photos. Microphone except when you press hold-to-record. Calendar. Browser history. Any data from other apps on your device. Adhyatm asks for the permissions it needs to run, and no more.

3 · What we do with it.

  • Run your sessions. Transcripts and Notes are read by the language models that compose your verse and reflection. This is the core of the product.
  • Safety. The crisis classifier reads each turn so we can route you to a helpline when it matters. We do not act on crisis events automatically beyond surfacing the helpline; a human operator may review patterns to tune the classifier.
  • Sending you occasional notes, if you signed up to receive them. You can unsubscribe in one click from the bottom of any note.
  • Improving the corpus and the retrieval. Aggregate signals (which verses lift, which fall flat) shape what we add to the library and how we tune the retrieval. Aggregate means we do not look at your transcript with your identity attached.
  • Keeping the lights on. Standard operational uses: backups, security, abuse prevention, payment processing if and when paid tiers exist.

What we will never do with it

  • We will not train any language model on your sessions, Vyom releases, or Notes. Not our own model (we don't train one). Not a third party's. This is a covenant, not a preference.
  • We will not sell your data, ever, to anyone.
  • We will not show you advertising inside Adhyatm.

4 · Who else touches your data.

Adhyatm is built on a small number of third-party services. We list them all here so you know exactly who has access to what, and what they have committed to in turn. If we add or replace any of them, we will update this list and announce the change before it takes effect.

Language models (composition)

  • DeepSeek. Composes the session-close reflection and the in-session register of the mirror. Receives: your session transcript at the moment of composition. DeepSeek's paid API does not retain inputs for training. We use the paid API only.
  • OpenRouter (fallback only, only when the primary composer is down). Receives the same transcript; same no-training commitment under its paid API terms.

Classifiers, embeddings, transcription

  • Google Vertex AI (Gemini). Runs the crisis classifier, generates Notes-extraction embeddings, transcribes voice audio. Receives: per-turn text for classification, voice audio for transcription. Google's paid API for Vertex AI does not use customer data for training under its enterprise terms.

Hosting and infrastructure

  • DigitalOcean (Bangalore region). Hosts our backend servers and Postgres database. Receives: everything we hold about you, because we store it there.
  • Cloudflare. Provides DNS, TLS, the CDN front edge, and R2 object storage for database backups. Receives: request headers, IPs, encrypted database backups. Backups are AES-256 encrypted at rest with a key Cloudflare does not hold.
  • Supabase (planned, for OTP authentication and possibly database hosting). Receives: phone number, email, JWT issuance for sign-in. We will update this notice before Supabase goes live.

Communication

  • SMS gateway (TBD, India-friendly). Used only to send sign-in OTPs and (rarely) password-recovery codes. Receives: phone number and a one-time code.
  • Resend or Postmark (TBD). Sends the occasional notes if you subscribe, and crisis alerts to the founder when those fire. Receives: your email address and the message body.

Error monitoring

  • Sentry (free tier). Captures errors and stack traces so we can fix bugs. We have explicitly configured Sentry to scrub session content, transcripts, and Notes from error reports. Standard system metadata (request paths, error messages, file lines) is sent.

5 · Where it lives, and who reads it.

Your data lives on a DigitalOcean droplet in Bangalore, in a Postgres database, encrypted at rest at the disk level by DigitalOcean. Database backups are encrypted in transit and at rest, and stored in Cloudflare R2 (also encrypted, in EU and US regions).

The list of humans who can read your transcripts is short: the founder (for debugging and safety review), and any operator we may employ in the future who would receive equivalent training and the same confidentiality commitment. We do not have customer-facing support staff browsing conversations. If a court orders us to produce data, we will inform you to the extent the law allows; if we have no ability to inform you, we will say so publicly via a warrant canary.

6 · Your rights.

  • See what we have. Profile → Account → Export. We will send you a JSON of everything in your account. (Until the export tool ships, write to privacy@adhyatm.co and we will assemble it by hand within seven days.)
  • Delete it. Profile → Account → Delete. Everything goes (transcripts, Notes, Vyom history, audio already gone, account row) within seven days, and we will tell you when it's done.
  • Correct it. Edit your profile fields, or email us if it's something only we can touch.
  • Withdraw consent. Stop using Adhyatm. We will retain only what we are legally required to (almost nothing) and delete the rest within seven days of your last login plus a brief grace period.

If you are in the EU, the UK, California, or another jurisdiction with statutory data rights, those rights apply to you whether or not we name them here. We will honor any valid request under any applicable framework.

7 · Retention.

  • Audio: not retained. Transcribed and discarded within seconds.
  • Vyom releases: 24 hours, hard-deleted.
  • Server logs: 30 days.
  • Transcripts, Notes, and account data: until you delete your account, or seven years from your last activity, whichever is sooner.
  • Backups: rolling 30-day window.

8 · Children.

Adhyatm is for adults. You must be 18 or older to use it. We will delete any account we learn belongs to someone under 18. If you are a parent or guardian and believe your child has signed up, write to us and we will delete the account.

9 · Cookies and tracking.

The marketing website (this site, adhyatm.co) sets one first-party cookie to remember your theme preference (light or dusk). No analytics. No advertising trackers. No third-party scripts that follow you elsewhere on the web.

The Adhyatm app stores a session token on your device for sign-in, and small caches for offline reading. Nothing else.

10 · Changes.

When we change this notice in a meaningful way, we will email subscribers, post a notice in the app, and update the effective date at the top. Cosmetic edits will not be announced; rights-altering edits will be.

11 · Talk to us.

For anything privacy-related (questions, requests, complaints, a sentence that begins with "did you know that you") write to privacy@adhyatm.co. A real person will read it and reply within a few days.