On the care of your data आपके आँकड़ों का संरक्षण

Last updated 17 May 2026

Hastha (“we”, “us”) is a mobile application that produces palmistry readings rooted in Hasta Samudrika Shastra. This policy describes what data we collect, why, how we keep it safe, and the rights you have under India’s Digital Personal Data Protection Act, 2023 (the DPDP Act).

Hastha is operated by Marar Inc., registered in India. We are the Data Fiduciary for all personal data processed through the app.

  1. What we collect
  2. Why we collect it
  3. How long we keep it
  4. Your rights under DPDP
  5. Third parties
  6. Children
  7. Security
  8. Changes to this policy
  9. Grievance officer
  10. General contact

What we collect क्या एकत्रित किया जाता है

We collect the minimum data needed to deliver a palmistry reading.

| Category | Examples | Source |
|---|---|---|
| Account | Email, password (hashed with bcrypt) | You, at sign-up |
| Profile | Display name (optional), date of birth | You, during onboarding |
| Palm photographs | Photographs of your hands you capture in‑app | You, before each reading |
| Usage | Reading history, compatibility pairings, in‑app actions | Generated as you use the app |
| Device | Push notification token, Android version | Your device, with permission |
| Purchase | Order IDs, product purchased, amount | Google Play / Apple App Store |

We do not collect: phone numbers, location, contacts, files outside the app, social‑graph data, or browsing history.

Why we collect it किसलिए

  • Account & profile. To identify your account and personalise readings.
  • Palm photographs. To generate the reading. Photos are processed by an external AI vision model — see §V.
  • Usage. To show you your past readings and to operate features like the compatibility share link.
  • Device. Only if you opt into reading‑freshness notifications. You can disable this in Settings at any time.
  • Purchase. To grant the in‑app credits you paid for.

We do not use any of this data for advertising. We do not sell data. We do not build profiles for any purpose other than producing the reading you asked for.

How long we keep it अवधि

| Data | Retention |
|---|---|
| Palm photographs | Auto‑deleted within 24 hours of the reading being generated. |
| Account, profile, readings, compatibility pairings | Until you delete your account from Settings → Delete my account, or under specific legal‑retention requirements. |
| Purchase records | Seven years (Indian tax law). |
| Push tokens | Until you withdraw notification consent or delete your account. |

Your rights under DPDP आपके अधिकार

You may, at any time:

  1. Access

    Request the data we hold about you, in machine‑readable form. Write to the Grievance Officer (§IX).

  2. Correct

    Update your name and date of birth from Settings → Edit profile.

  3. Withdraw consent

    Revoke consent for palm‑photograph processing from Settings → Privacy & data → Withdraw photo consent. After withdrawal you can still view past readings but cannot create new ones until you re‑consent.

  4. Erase

    Delete your account and all associated data from Settings → Delete my account. This is a hard delete and cannot be reversed.

  5. Nominate

    Designate another individual to exercise these rights on your behalf in the event of your death or incapacity (write to the Grievance Officer).

  6. Complain

    Lodge a complaint with the Data Protection Board of India if you believe we have mishandled your data.

Third parties who process your data सहायक संस्थाएँ

| Partner | Role | What they see |
|---|---|---|
| Supabase (Singapore) | Hosting, database, authentication, storage | Account, profile, readings, palm photos (transient) |
| OpenAI (USA) | AI vision model that interprets palm features | Palm photo (during reading), date of birth |
| RevenueCat (USA) | In‑app purchase orchestration | Email, purchase records |
| Google Play / Apple | Billing | Email, purchase records |
| Expo Application Services | Build & over‑the‑air updates | Build infrastructure only — no user data |
| Sentry, PostHog (optional) | Crash reporting & product analytics | App events; no palm photos, no date of birth |

We process palm photographs in the United States via OpenAI’s API. Cross‑border transfers comply with Section 16 of the DPDP Act.

On children, security, and changes सुरक्षा एवं संशोधन

§ VI — Children

Hastha is for users aged thirteen and above. We block under‑13 sign‑ups at the database level. If you believe a child under thirteen has registered, write to the Grievance Officer below and we will delete the account within seven days.

§ VII — Security

  • All transport encrypted via HTTPS / TLS 1.2 and above.
  • Database encrypted at rest by Supabase.
  • Palm photographs in a private bucket with row‑level access policies; URLs are signed and short‑lived.
  • Passwords hashed with bcrypt by Supabase Auth — never stored in plain text, never visible to us.

§ VIII — Changes to this policy

We will notify you in‑app and by email at least fourteen days before any material change takes effect.

Grievance officer शिकायत अधिकारी

Under §10 of the DPDP Act, the following individual is designated to receive privacy‑related complaints:

Name: Anurag Ramdasan
Email: [email protected]
Response window: Within fifteen days of receipt, as required by §13(3) of the DPDP Act.

General contact पत्राचार

For non‑grievance enquiries, write to [email protected]. We aim to reply within a few working days.
