Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account Information: When you sign up via Google OAuth, we receive your name, email address, and profile photo URL from Google. During onboarding you provide your preferred language (English or Hindi) and city of residence.
• Profile Information: You may customise your avatar and display name at any time.
• Chat Messages: The text you type or speak when interacting with AI agents is transmitted to our servers and stored.
• Documents & Images: Files you upload (PDFs, photos) for analysis are stored in our cloud storage. Text is extracted from these documents to enable agent-assisted analysis.
• Health & Wellness Data: If you use our habit tracking or nutrition features, we store habit names, completion logs, meal items, and calculated nutritional values.
• Saved Content: Checklists, bookmarked messages, and agent ratings you create are stored on our servers.
• User Memory: Our AI agents may record key facts you share (e.g., income, occupation, family details) to personalise future conversations. You can view and delete these facts at any time.
• Payment Information: When you subscribe to a paid tier, payment is processed by our third-party payment processor (currently Razorpay). We store your subscription status, plan, and period dates but do not store credit/debit card numbers or UPI PINs.

1.2 Information Collected Automatically

• Device Information: Device type, operating system, app version, and unique device identifiers.
• Location Data: With your permission, we access your device's GPS coordinates solely to display local weather. If you decline, we fall back to approximate location derived from your IP address. We do not continuously track your location.
• Usage Data: We record which agents you use, query counts, conversation timestamps, and feature interactions to improve the Service and enforce usage limits.
• Log Data: Server logs may include your IP address, request timestamps, and error diagnostics.

1.3 Information from Third Parties

• Google: Basic profile data (name, email, profile photo) received during OAuth authentication.
• IP Geolocation (ipapi.co): Approximate city and coordinates derived from your IP address, used only as a weather-location fallback.

2. How We Use Your Information

We use the information we collect to:

1. Provide, operate, and maintain the Service, including AI-powered agent conversations;
2. Personalise your experience (language, avatar, learned facts);
3. Process subscriptions and enforce tier-based access controls;
4. Display partner promotions (Free and Basic tiers only) based on the agent you are using — not based on your personal data;
5. Analyse usage patterns to improve and develop new features;
6. Send transactional emails (e.g., subscription confirmations);
7. Detect, investigate, and prevent fraud, abuse, or violations of our Terms;
8. Comply with legal obligations.

3. AI Processing & Third-Party AI Providers

Our Service uses third-party artificial-intelligence models to power agent conversations. When you send a message or upload a document for analysis, the content is transmitted to one or more of the following providers via our secure server-side proxy:

• OpenAI (GPT-4o-mini, GPT-4.1-mini for vision tasks)
• Anthropic (Claude Haiku)

These providers process your data solely to generate responses and may temporarily retain inputs for abuse detection and safety purposes in accordance with their own privacy policies. We do not send your name, email, or other account identifiers to these providers — only the conversation content required to generate a response.

Important: AI-generated responses are not professional advice. Responses from financial, legal, health, and other specialised agents are informational only and should not be relied upon as a substitute for qualified professional counsel. See our Terms of Service for full disclaimers.

4. Partner Promotions

Users on Free and Basic tiers may see contextual promotions from our partners within chat conversations. We record:

• Whether a promotion was shown to you (impression)
• Whether you clicked or dismissed it
• Which agent and conversation it appeared in

We share aggregated, anonymised promotion performance data (total impressions, click-through rates) with partners. We do not share your name, email, chat content, documents, or any personally identifiable information with promotion partners. You can upgrade to Pro or Premium to remove promotions entirely.

5. How We Share Your Information

We do not sell your personal information. We share data only in the following circumstances:

• Service Providers: Supabase (cloud hosting & database), OpenAI and Anthropic (AI processing), Razorpay (payment processing), Resend (transactional email), Open-Meteo and ipapi.co (weather & geolocation). Each provider processes data only on our behalf and under contractual obligations to protect it.
• Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
• Safety & Rights: We may disclose information to protect the rights, property, or safety of Vaaho, our users, or the public.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy.
• With Your Consent: We may share information for any purpose you explicitly authorise.

6. Data Storage & Security

Your data is stored on Supabase-managed PostgreSQL servers. Files you upload are stored in Supabase Storage. All data is encrypted in transit (TLS 1.2+) and at rest.

On your device, we cache profile data and recent conversations using AsyncStorage for faster loading. Authentication tokens are stored securely using platform-native secure storage.

While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee the absolute security of your data.

7. Data Retention

• Active accounts: We retain your data for as long as your account is active and as needed to provide the Service.
• Deleted accounts: When you delete your account, we soft-delete your profile (mark it as deleted). Your personal data is retained for up to 90 days to allow account recovery, after which it is permanently purged from our active systems. Anonymised aggregate data (e.g., usage statistics) may be retained indefinitely.
• Chat messages: Stored until you delete the conversation or your account.
• Documents: Stored until you delete them or your account.
• Legal holds: We may retain data longer if required by law or to resolve disputes.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data. You can delete your account directly from the app's profile settings.
• Data Portability: Request your data in a structured, commonly used, machine-readable format.
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Objection: Object to processing of your data for direct marketing or on grounds relating to your particular situation.
• Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at dpo@vaaho.ai. We will respond within 30 days (or sooner if required by applicable law).

9. International Data Transfers

Your data may be processed in countries other than your country of residence, including the United States (where our AI providers operate) and the country where our cloud infrastructure is hosted. We ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Data Processing Agreements with all sub-processors;
• Compliance with applicable data transfer mechanisms under the GDPR, UK GDPR, India's Digital Personal Data Protection Act 2023, and other applicable laws.

10. Jurisdiction-Specific Disclosures

10.1 European Economic Area, UK & Switzerland (GDPR)

Legal Bases: We process your data on the following bases:

• Contract performance (providing the Service)
• Legitimate interests (analytics, security, fraud prevention)
• Consent (location data, promotional communications)
• Legal obligation (tax, regulatory requirements)

Data Protection Officer: You may contact our DPO at dpo@vaaho.ai. You have the right to lodge a complaint with your local supervisory authority.

10.2 United States — California (CCPA/CPRA)

If you are a California resident:

• We do not sell your personal information.
• We do not share personal information for cross-context behavioural advertising.
• You have the right to know, access, delete, and correct your personal information.
• You have the right to opt out of the sale or sharing of personal information.
• You will not be discriminated against for exercising these rights.

To exercise your rights, email privacy@vaaho.ai.

10.3 India — Digital Personal Data Protection Act, 2023

If you are an Indian resident, you have the right to:

• Access a summary of your personal data and processing activities;
• Request correction and erasure of your personal data;
• Nominate another individual to exercise your rights in case of death or incapacity;
• File a complaint with the Data Protection Board of India.

We process your data with your consent (obtained during sign-up and as indicated throughout the app) or as permitted under the Act.

10.4 Brazil (LGPD)

If you are a Brazilian resident, you have rights under the Lei Geral de Proteção de Dados including access, correction, anonymisation, portability, deletion, and information about sharing. Contact dpo@vaaho.ai to exercise these rights.

11. Device Permissions

The app may request the following device permissions. All are optional — the core Service works without them:

• Camera: To photograph meals for nutrition analysis or documents for text extraction.
• Photo Library: To select existing photos for analysis or upload.
• Microphone: For voice input features.
• Location: To show local weather on the home screen.
• Notifications: To send habit reminders and important updates.

You can revoke any permission at any time through your device's settings.

12. Children's Privacy

The Service is not intended for individuals under the age of 16 (or the minimum age of digital consent in your jurisdiction, whichever is higher). We do not knowingly collect personal information from children. If we learn that we have collected data from a child without parental consent, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@vaaho.ai.

13. Cookies & Local Storage

The mobile app does not use cookies. We use device-local storage (AsyncStorage) to cache your profile, theme preference, and recent conversations for performance. The web version uses localStorage for the same purposes. We do not use third-party tracking cookies, pixels, or fingerprinting technologies.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy in the app and updating the "Last Updated" date above. For significant changes, we may also notify you via email or an in-app notification. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: