Privacy Policy

We process your personal and sensitive personal data for the following purposes, each supported by a lawful basis under the DPDPA and GDPR:

• Waitlist management and communication - Legal basis: Consent (explicit opt-in at signup)
• Processing and displaying your physiological data within the Dhritam app - Legal basis: Contract performance (delivery of the service you purchased)
• Computing personal baselines, stress indices, and anomaly detection - Legal basis: Contract performance and explicit consent for health data processing
• Delivering adaptive binaural audio and BCI neurofeedback sessions - Legal basis: Contract performance
• Product improvement, bug fixes, and hardware reliability analysis - Legal basis: Legitimate interest (using anonymized and aggregated data only)
• Sending product updates, shipping notifications, and early access communications - Legal basis: Consent and legitimate interest
• Responding to inquiries from investors, press, researchers, and partners - Legal basis: Consent (contact form submission)
• Complying with legal obligations under Indian law and applicable regulations - Legal basis: Legal obligation
• Fraud prevention and protection of our services - Legal basis: Legitimate interest

Local-first architecture. All physiological data (ECG, EEG, HRV, stress indices, baseline models, neurofeedback logs) is processed and stored locally on your personal device by default. Raw waveform data never leaves your smartphone unless you explicitly opt in to cloud synchronization.

Cloud synchronization (opt-in only). If you choose to enable cloud sync for backup or multi-device access, your data is encrypted end-to-end using AES-256 encryption before transmission. We use Google Firebase infrastructure hosted on Google Cloud Platform servers. Data at rest is encrypted with Google-managed encryption keys.

Waitlist and account data (name, email, city, referral codes) is stored in Google Firestore databases operated through Firebase. This data is protected by Firebase Security Rules, TLS 1.3 in transit, and AES-256 at rest.

Data retention. Waitlist data is retained until you request deletion or until the waitlist program concludes, whichever is earlier. Physiological data stored on your device is under your control - you may delete it at any time through the Dhritam app. Cloud-synced data is retained as long as your account is active and is permanently deleted within 30 days of an account deletion request.

No data monetization. We do not sell, rent, license, trade, or otherwise monetize your personal or physiological data. This is not a future promise - it is a present architectural constraint. Our business model is hardware and subscription revenue, not data brokerage.

We implement reasonable security practices and procedures as required under Rule 8 of the SPDI Rules, including but not limited to:

• AES-256 encryption for all data at rest (local device and cloud)
• TLS 1.3 encryption for all data in transit
• End-to-end encryption for cloud-synced physiological data
• Firebase Security Rules restricting database access to authenticated users
• BLE 5.0 encrypted communication between hardware devices and companion app
• Regular security audits and vulnerability assessments
• Access controls limiting employee access to personal data on a need-to-know basis
• Incident response procedures for data breach notification within 72 hours (GDPR) and as required under DPDPA
• No storage of payment information on our servers (processed by third-party payment processors with PCI-DSS compliance)

We use the following third-party services, each with its own privacy policy:

• Google Firebase (Firestore, Authentication, Hosting) - Purpose: Database, user authentication, website hosting. Data shared: Waitlist entries, contact form submissions, account data
• Google Analytics 4 - Purpose: Website analytics (anonymized). Data shared: Page views, session duration, traffic sources. IP anonymization enabled. No personal identifiers transmitted.
• Vercel - Purpose: Website deployment and CDN. Data shared: Standard HTTP request logs (IP, user agent). Automatically purged per Vercel retention policy.
• Google Cloud Platform - Purpose: Cloud infrastructure (if cloud sync is enabled). Data shared: Encrypted physiological data (only if user opts in)

We do not use any advertising networks, data brokers, or behavioral tracking services. We do not place advertising cookies. We do not participate in real-time bidding or programmatic advertising ecosystems.

Under the DPDPA 2023, SPDI Rules, and GDPR (where applicable), you have the following rights:

• Right to Access: Request a copy of all personal data we hold about you.
• Right to Correction: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your personal data. We will comply within 30 days, subject to any legal retention obligations.
• Right to Data Portability: Request your data in a structured, commonly used, machine-readable format (JSON or CSV).
• Right to Withdraw Consent: Withdraw consent for data processing at any time. This does not affect the lawfulness of processing performed before withdrawal.
• Right to Restrict Processing: Request that we restrict processing of your data in certain circumstances.
• Right to Object: Object to processing based on legitimate interests.
• Right to Grievance Redressal: File a complaint with our Grievance Officer or with the Data Protection Board of India under the DPDPA.

To exercise any of these rights, contact us at sahil@dhritam.com. We will respond within 30 days.

dhritam.com uses the following cookies and tracking technologies:

• Essential cookies: Session management and CSRF protection. These are strictly necessary and cannot be disabled.
• Analytics cookies: Google Analytics 4 with IP anonymization enabled. Used to understand aggregate traffic patterns. No personal identifiers are transmitted.
• No advertising cookies. No retargeting pixels. No social media tracking widgets.

You may disable non-essential cookies through your browser settings without affecting the core functionality of our website.