Privacy Policy · v2.0

How Unlock Truth handles your data.

Last updated: April 2026

1. Introduction

Welcome to Unlock Truth ("we", "us", "our", or "the App"), a Vedic astrology, spiritual guidance, AI-assisted palm reading, Panchang, Kundli, Muhurta timing, and reflection journal mobile application available at unlocktruth.app. Unlock Truth is owned and operated by Indryaa E-Wellness Private Limited, a company incorporated under the Companies Act, 2013 on 23 May 2022, bearing Corporate Identification Number (CIN) U52100DL2022PTC398824, Permanent Account Number (PAN) AAGCI6786C, and Goods & Services Tax Identification Number (GSTIN) 07AAGCI6786C1ZD, with its registered office at C-41, Basement Floor, Nangal Dewat, Vasant Kunj, New Delhi — 110070, India.

This Privacy Policy ("Policy") explains, in plain English, what personal information we collect from you, why we need it, how we use and protect it, whom we share it with, how long we keep it, and what choices and statutory rights you have. It is written to comply with India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules 2021"), and, for users in the European Economic Area and United Kingdom, the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR.

Vedic astrology requires precise, personal birth information to produce a meaningful reading. Palm reading involves an image of your hand. We therefore handle some sensitive information, and we take that responsibility seriously. We follow the principles of lawful processing, purpose limitation, data minimisation, storage limitation, and accountability. We do not sell your personal information. We do not run ads. We do not track you across other apps or the web. We do not collect any advertising identifier.

By creating an account or otherwise using Unlock Truth, you confirm that you are at least 18 years old and you consent to the processing of your personal data as described in this Policy. If you do not agree with any part of this Policy, please discontinue use of the App and write to our Grievance Officer (contact details in Section 15) to request deletion of any data we may already hold.

2. Definitions

The following terms have the meanings given below. Where a term is defined in the DPDP Act, the SPDI Rules, or the GDPR, we use the statutory meaning.

  • Personal data — any data about an individual who is identifiable by or in relation to such data (DPDP Act §2(t)).
  • Sensitive personal data or information (SPDI) — as defined in Rule 3 of the SPDI Rules, this includes passwords, financial information, physical / physiological / mental health data, sexual orientation, medical records, and biometric information.
  • Biometric data — for the purposes of this Policy includes any image of a palm uploaded to the App for the Palm Reading feature.
  • Data Principal — you, the individual to whom the personal data relates (DPDP Act §2(j)).
  • Data Fiduciary — Indryaa E-Wellness Private Limited, which determines the purpose and means of processing your personal data (DPDP Act §2(i)).
  • Data Processor — any person who processes personal data on our behalf (listed in Section 10 below) (DPDP Act §2(k)).
  • Processing — any operation performed on personal data, including collection, recording, storage, use, disclosure, or erasure.

3. Information we collect

We only collect what is necessary for the features you actually use. The following categories describe every type of information that the App may collect.

3.1 Account information

When you sign up we collect your name, email address, and (optionally) phone number. We also receive a Clerk user identifier, and if you sign in using Google or Apple OAuth we receive the basic profile information those providers return (typically name, email, and an opaque account identifier). Passwords, where used, are hashed and managed entirely by Clerk; we never see or store plaintext passwords.

3.2 Birth profile (sensitive astrological data)

To compute your Kundli, Dasha, Shadbala, Yogas, Doshas, Panchang, and Muhurta scores we collect date of birth, exact time of birth, city and latitude / longitude of birth, gender, and a time-confidence flag indicating whether the time is known precisely or approximately. If you create additional profiles for family members (spouse, children, parents) we store the same fields for each profile, plus the relation. These fields are treated as sensitive and require your explicit consent at the point of collection.

3.3 Palm images (biometric identifiers)

If you choose to use the Palm Reading feature, you will be shown an explicit consent screen before any image is captured or uploaded. Palm images are stored encrypted at rest in a dedicated palm_images collection scoped to your user ID. We do not use palm images to train any model. We do not perform facial recognition, fingerprint matching, or other biometric identification on them. You can delete a palm image from Settings at any time, and we honour the retention limits described in Section 8.

3.4 Usage and product analytics

We log which screens you visit, which features you open, the category of decisions you compute, and the category of questions you ask the AI Jyotish Guru. Where this data is sent to PostHog, it is pseudonymised: your raw name, email, and exact date of birth are never forwarded — only a stable random identifier and aggregate signals (for example, tithi, nakshatra, rashi, or feature name).

3.5 Device information

Operating system and version, device model, app version, installed locale, time zone, and (if you opt in to notifications) a push notification token issued by Apple Push Notification service or Firebase Cloud Messaging.

3.6 Network information

Your IP address is observed transiently by our Lambda runtime and CDN for rate-limiting, abuse prevention, and Sentry crash diagnostics. IP addresses are not stored in our primary database as a user attribute; they appear only in short-lived request logs and Sentry breadcrumbs which age out per Section 8.

3.7 Crash and error reports

We use Sentry to capture application crashes and unhandled exceptions. Our server-side _sentry_before_send filter strips personally identifiable information (email, name, phone, palm image URLs, full DOB) from stack traces and breadcrumbs before transmission. Only sanitised technical context is sent.

3.8 Payment information

When you make a purchase we store a tokenised reference to the transaction: payment aggregator transaction ID, amount, currency, status, product SKU, and, for card payments, the masked last-four digits returned to us by the aggregator. Full card numbers, CVV, UPI PIN, OAuth passwords, and bank credentials never touch our servers. They are handled exclusively by Razorpay (PCI-DSS Level 1 certified, RBI-authorised), Apple App Store, or Google Play Billing, each of which is independently bound to its own regulatory regime.

3.9 Journal and reflection content

Anything you type into the Reflect or Journal feature is treated as private personal content owned by you. It is encrypted in transit and at rest and is visible only to you within your authenticated account.

4. Purposes of processing

In accordance with DPDP Act §5(2), we disclose below the specific, legitimate purposes for which we process your personal data. We do not re-use data collected for one purpose for any unrelated purpose without obtaining fresh consent.

  • Account creation and authentication — to create, secure, and maintain your user account.
  • Astrological feature delivery — to compute your birth chart, Dashas, Shadbala, Yogas, Doshas, daily horoscope, Panchang, and Muhurta scores using your birth profile.
  • AI-assisted palm reading — to generate a palmistry interpretation based on an image you explicitly uploaded.
  • AI Jyotish Guru chat — to produce conversational astrological guidance based on your anonymised aggregate chart signals.
  • Muhurta and timing computations — to evaluate auspicious timing for decisions you enter.
  • Notifications — to send daily Panchang reminders, reflection prompts, and service updates (only if you have enabled notifications).
  • Payments and subscription management — to process one-time purchases and the Satya Pro subscription via Razorpay or the platform IAP providers.
  • Product improvement and diagnostics — to fix crashes, identify regressions, and understand aggregate usage.
  • Fraud, abuse, and safety — to prevent, detect, and investigate misuse and violations of our Terms of Service.
  • Legal and regulatory compliance — to comply with Indian tax, accounting, consumer protection, and information-technology laws, and with valid court orders or government requests.
  • Grievance redressal — to receive, acknowledge, and resolve complaints raised by you or a third party on your behalf.

We do not use your personal data for behavioural advertising, we do not build cross-service profiles, and we do not sell or rent personal information to anyone.

5. Legal bases for processing

We process personal data only when we have a valid legal basis to do so. The basis we rely on depends on the type of data and the purpose.

  • Consent — DPDP Act §6 / GDPR Art. 6(1)(a) & Art. 9(2)(a). For birth profile, palm images, family profiles, and any other sensitive personal information we rely on your free, specific, informed, unconditional, and unambiguous consent, captured at the point of collection with a clear affirmative action.
  • Certain legitimate uses — DPDP Act §7. For operational purposes such as authenticating sessions, preventing fraud, enforcing our Terms of Service, complying with Indian law, and responding to legal process, we rely on the specified legitimate uses enumerated in §7 of the DPDP Act.
  • Legal obligation — DPDP Act §7(c) / GDPR Art. 6(1)(c). For retention of payment and tax records as required by Indian law.
  • Contractual necessity — GDPR Art. 6(1)(b) (EEA / UK users only). For fulfilment of the service contract you entered into by accepting our Terms of Service.

We do not rely on "legitimate interest" or "performance of contract" as a basis to process sensitive personal data such as palm images or exact time of birth. Those categories are processed only with your explicit consent, and you may withdraw consent at any time (see Section 7).

6. Children

Unlock Truth is intended only for users aged 18 years and above. We do not knowingly collect personal data from anyone under 18. During onboarding we ask for your date of birth; if the value indicates that you are under 18, the App blocks account creation and exits the signup flow.

In accordance with DPDP Act §9, processing of personal data of a child or a person with disability is permitted only on the basis of verifiable parental or lawful guardian consent. If you are a parent or guardian and believe a minor has created an account or provided us data, please contact our Grievance Officer (Section 15) and we will verify and delete the data within 7 business days.

We do not undertake tracking, behavioural monitoring, or targeted advertising directed at children, as prohibited by DPDP Act §9(3).

7. Your rights

The DPDP Act confers the following rights on you as a Data Principal. Where you are located in the EEA or UK, equivalent rights arise under the GDPR and UK GDPR. To exercise any right, write to our Grievance Officer at Growth@Indryaa.com.

  • Right to information (§11). A summary of personal data processed by us and the categories of processing activities.
  • Right to access (§11). An export of the personal data we hold about you.
  • Right to correction and erasure (§12). Correction of inaccurate or incomplete data and erasure of personal data that is no longer necessary for the purpose for which it was processed.
  • Right of grievance redressal (§13). A readily available means of grievance redressal through the Grievance Officer named in Section 15.
  • Right to nominate (§14). You may nominate another individual who shall, in the event of your death or incapacity, exercise your rights under the Act. Written requests may be sent to Growth@Indryaa.com.
  • Right to withdraw consent (§6(4)). You may withdraw consent to processing at any time, with the same ease with which it was given. The withdrawal will not affect the lawfulness of processing performed before withdrawal.
  • Right to data portability. Receive your data in a structured, commonly used, machine-readable format (JSON export).
  • Right to restriction of processing. Ask us to temporarily pause processing while a correction, dispute, or investigation is underway.
  • Right to object. Object to processing that relies on legitimate uses, on grounds relating to your particular situation.
  • Right against automated decision-making. Astrological computations and AI guidance are informational and do not produce legal or similarly significant effects on you. You may nonetheless request human review of any output.
  • Right to be forgotten. Permanent deletion of your account and associated personal data, subject to the retention exceptions in Section 8 and DPDP Act §17.
  • Right to lodge a complaint. You may approach the Data Protection Board of India once notified and constituted, or your local supervisory authority if you are in the EEA / UK.

Exceptions. Certain rights may be limited where DPDP Act §17 applies — for example, where processing is necessary to enforce a legal right, investigate an offence, or comply with a court order. Where an exception applies, we will tell you so and explain the reason.

8. Data retention

We retain personal data only for as long as it is needed for the purpose for which it was collected or for as long as law requires. When a retention period ends, data is deleted or irreversibly anonymised.

Data category | Retention period | Trigger
Account information | Life of account + 90 days | Account deletion request or 2-year inactivity
Birth profile (DOB, time, lat / lng) | Life of account + 7 days | Profile or account deletion
Palm images | Life of account, 2 years idle, or user deletion (whichever is earliest) | User request or 2-year rule
AI Jyotish Guru chat logs | 90 days rolling window | Automatic expiry
Journal / reflection entries | Life of account | User deletion of entry or account
Payment records and invoices | 7 years | Income Tax Act, 1961 §44AA and GST Act requirements
Sentry crash reports | 90 days | Automatic expiry in Sentry
PostHog analytics events | 12 months (pseudonymous) | Automatic expiry
Request logs (IP address) | 30 days | Automatic rotation
Grievance tickets | 3 years from closure | Internal audit retention

Upon deletion of your account, backups containing your data are purged on the next scheduled backup rotation (typically within 35 days).

9. Security practices

We have implemented reasonable security practices and procedures commensurate with the nature of the personal data we process, as required by SPDI Rule 8 and DPDP Act §8(5). Our controls include:

  • Encryption in transit. TLS 1.3 (minimum TLS 1.2) for all traffic between the App, our CDN, and our Lambda backend.
  • Encryption at rest. AES-256 encryption for MongoDB Atlas primary data, palm images, and backups.
  • Authentication. Clerk-managed OAuth and email / password, with JWTs signed using HS256 and short expiry. Tokens on device are stored in platform-native secure storage (iOS Keychain, Android Keystore).
  • Access control. AWS Lambda and IAM policies enforce least-privilege access to production systems. MongoDB Atlas access is restricted to allow-listed network peers and individually audited IAM users.
  • No secrets in the client. API keys and third-party tokens are never shipped in the mobile bundle; all privileged calls are proxied through our backend.
  • Sentry PII scrubbing. A server-side before-send filter strips identifiers from error reports.
  • Regular review. Quarterly internal security review of IAM, dependencies, and vendor posture.
  • Vendor contracts. All processors are bound by a written data processing agreement or equivalent contractual terms.

Breach notification. In the unlikely event of a personal data breach that causes, or is likely to cause, harm to you, we will notify you and the Indian Computer Emergency Response Team (CERT-In) within 72 hours of becoming aware, as required by DPDP Act §8(6) and CERT-In Directions of 28 April 2022. Notifications will describe the nature of the breach, categories of data affected, likely consequences, and the measures we are taking.

10. Sub-processors

In the operation of Unlock Truth we engage the following third parties to process personal data on our behalf. Each processor is bound by contract to process data only on documented instructions from us, to implement appropriate security, and to assist us with data-principal rights requests.

Processor | Purpose | Region
Clerk, Inc. (clerk.com) | Authentication, OAuth (Google / Apple), JWT issuance | United States
Razorpay Software Pvt Ltd | Payment processing (India); RBI-authorised payment aggregator | India
Apple Inc. | Sign in with Apple, App Store in-app purchase processing | United States
Google LLC | Google OAuth, Google Play Billing, Maps / Places (birth-place lookup) | United States / Global
Expo (Expo IAP) | In-app purchase client SDK | United States
Amazon Web Services (AWS) | Lambda compute, CloudFront CDN, S3 object storage (ap-south-1, Mumbai) | India (primary)
MongoDB, Inc. (Atlas) | Primary operational database | India (Mumbai cluster)
Sentry (Functional Software, Inc.) | Crash and error reporting | United States
PostHog Inc. | Product analytics (pseudonymous) | European Union / United States
Google Firebase (FCM) | Android push notifications | United States / Global
Anthropic, PBC | AI generation for Jyotish Guru (via LiteLLM, no training on user data) | United States
OpenAI, L.L.C. | AI generation for palm reading and chat (via LiteLLM, no training on user data) | United States
Cloudflare, Inc. | CDN, DNS, Clerk domain routing | Global edge

An up-to-date list is maintained on this page. When we onboard a new processor we will update this list; for material additions that expand the scope of data sharing we will also provide in-app notice in advance.

11. International data transfers

Your personal data is primarily stored in India — our Lambda compute, MongoDB Atlas cluster, and S3 object storage all run in the AWS Mumbai region (ap-south-1). However, certain processors listed in Section 10 operate outside India (typically in the United States or the European Union). Sentry, PostHog, Clerk, Anthropic, OpenAI, Google, Apple, and Cloudflare may process limited categories of your data outside India.

Transfers of personal data outside India are made in compliance with DPDP Act §16 and are not directed to any country restricted by notification of the Central Government. Where EEA / UK data is transferred, we rely on the European Commission's Standard Contractual Clauses or the recipient's own certifications (for example, the EU—US Data Privacy Framework).

In every case, we require the recipient to apply a level of protection essentially equivalent to the one described in this Policy, through binding contractual terms.

12. Cookies, local storage, and on-device identifiers

Unlock Truth is a native mobile application and does not set browser cookies. The App uses the following on-device storage primitives:

  • AsyncStorage (unencrypted, sandboxed to the app) — for UI preferences such as language, theme, onboarding completion, and a cached session token hint.
  • SecureStore / Keychain / Keystore (platform-encrypted) — for the JWT session token issued by Clerk.
  • PostHog anonymous ID (random UUID) — a stable but pseudonymous identifier that lets us join events from the same device without knowing who you are.

We do not use third-party tracking cookies, cross-app advertising SDKs, or the Android Advertising ID / Apple IDFA. We do not integrate with any ad network.

13. AI and large language model disclosure

Portions of Unlock Truth use large language models (LLMs) to generate astrological commentary, palm reading interpretations, and Jyotish Guru chat responses. This section explains exactly how those features work.

  • Providers. We use Anthropic (Claude family) and OpenAI (GPT family) via the LiteLLM routing layer. Our server forms the prompt, calls the provider, and returns the answer to you.
  • Anonymised prompts. Prompts sent to providers do not include your name, email, phone number, exact date of birth, or exact time of birth. We send only the computed aggregate astrological signals required for the task, for example your tithi, nakshatra, rashi, current Dasha lord, and a high-level question category.
  • No training. Our API calls set the relevant provider flags disabling use of your prompts or outputs for model training (Anthropic's default no-train posture, OpenAI's data-sharing opt-out flag).
  • Retention at the provider. Providers retain prompts for the time periods published in their own privacy policies (typically up to 30 days for abuse monitoring), after which they are deleted. We do not control this retention but we select providers with clear, audited deletion practices.
  • Accuracy. LLM output is non-deterministic. Readings, palm interpretations, and Guru answers are provided for spiritual reflection only and are not a substitute for medical, legal, financial, or psychological advice.
  • Opt-out. You may disable AI features from Settings. Doing so limits certain product functions (Palm Reading and Jyotish Guru in particular) but does not affect core Kundli, Panchang, or Muhurta computations, which are performed deterministically on our own servers using open astrological algorithms.

14. Payments

Paid features of Unlock Truth are delivered through the following channels:

  • Razorpay — an RBI-licensed payment aggregator, used primarily for web and UPI flows in India.
  • Apple App Store (StoreKit) — for iOS in-app purchases and the Satya Pro auto-renewing subscription on iOS.
  • Google Play Billing — for Android in-app purchases and the Satya Pro auto-renewing subscription on Android.

We store, for each transaction, the aggregator transaction ID, order ID, amount, currency, status, product SKU, timestamp, and a masked reference (last four digits) where supplied. We do not store full card numbers, CVV, UPI PINs, net-banking passwords, or any other authentication credential — those are handled entirely by the aggregator under its own PCI-DSS / RBI / app-store compliance regime.

Subscriptions auto-renew according to the terms disclosed at purchase and can be cancelled through the App Store, Play Store, or Razorpay customer portal as applicable. Our refund policy is published separately at unlocktruth.app/refund-policy.

15. Grievance Officer and Data Protection Officer

In accordance with Rule 3(11) of the IT Rules 2021, Rule 5(9) of the SPDI Rules, and the DPDP Act's requirement to provide a readily available means of grievance redressal, we have appointed a Grievance Officer who also serves as our single point of contact for data protection matters.

Grievance Officer & Legal Contact

Gaurav Singh Tawtia
Director & Grievance Officer
Indryaa E-Wellness Private Limited

C-41, Basement Floor, Nangal Dewat, Vasant Kunj
New Delhi — 110070, India

Email: Growth@Indryaa.com

Phone: +91-99991-87566

Acknowledgement SLA: 48 hours · Resolution SLA: 15 business days

How to raise a grievance. Write to Growth@Indryaa.com from the email registered against your account. Please include your full name, a description of the issue, the feature or data involved, and the outcome you are seeking. We will acknowledge receipt within 48 hours and respond with a final resolution within 15 business days.

Escalation. If you are not satisfied with our resolution, or if we do not respond within the stipulated time, you may escalate to the Data Protection Board of India once it is notified and operational under the DPDP Act. Users in the EEA / UK may also lodge a complaint with their local supervisory authority (for example, the CNIL, the ICO, or the Datenschutzkonferenz).

16. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in the App, in our practices, or in the law.

  • Material changes (such as new categories of data, new processors in a new jurisdiction, or narrowing of your rights) will be notified to you at least 15 days in advance by email to your registered address and through an in-app banner. Where required by law, material changes will take effect only after fresh consent.
  • Non-material changes (such as clarifications, typographical fixes, or contact-detail updates) take effect when published; a brief change-log is maintained at the foot of this page.
  • The Last updated date at the top of this page always reflects the most recent revision.

Your continued use of the App after the effective date of a change constitutes acceptance of the updated Policy, except where your fresh consent is required.

17. Contact us

For any question, request, or complaint relating to this Privacy Policy or your personal data, please use the following channels.

Indryaa E-Wellness Private Limited

CIN: U52100DL2022PTC398824
PAN: AAGCI6786C
GSTIN: 07AAGCI6786C1ZD (Delhi, state code 07)

Registered Office
C-41, Basement Floor, Nangal Dewat
Vasant Kunj, New Delhi — 110070, India

Grievance & data protection: Growth@Indryaa.com
General enquiries: Together@Indryaa.com
Website: unlocktruth.app

Directors: Nipun Kathuria, Gaurav Singh Tawtia, Garima Singh Tawtia. Incorporated under the Companies Act, 2013 on 23 May 2022.