Rudra AI Labs (“Rudra”, “we”, “us”) builds mental-wellness tools for people in India and a practice-management platform for verified mental-health practitioners. Mental-health information is among the most sensitive data a person can share, and we treat it that way. This policy explains, in plain language, what we collect, why, where it lives, who processes it, and the rights you have under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”).
1. What we collect
- Account data — name, email address, phone number (optional), password (stored only as a one-way bcrypt hash — we cannot read it), and profile details you add.
- Wellness data you create — mood check-ins, journal entries, AI companion conversations, and assessment responses (for example PHQ-9 and GAD-7 questionnaires). You choose what to write; you can delete it.
- Care data — if you book sessions with a practitioner: bookings, session records, invoices, and any notes your practitioner keeps about your care. Clinical notes are controlled by your practitioner, who is independently responsible for their professional records.
- Practitioner verification data (practitioners only) — professional credentials and identity documents you upload for verification. These are stored in a private, access-controlled bucket and are automatically purged after the retention window; only the verification decision is kept.
- Technical data — device type, app version, and product-usage events (for example “a session was booked”). We use this to fix problems and improve the product, not to advertise to you.
2. What we do NOT do
- We do not sell your personal data. To anyone. Ever.
- We do not show third-party advertising, and we do not share your data with advertisers.
- We do not use your journal entries, conversations, or clinical data to train AI models.
3. Why we process your data (purposes and lawful basis)
We process personal data with your consent, to provide the service you signed up for: running your account, powering wellness features you choose to use, connecting you with verified practitioners, processing payments, sending service notifications (session reminders, payment reminders), keeping the platform secure, and meeting legal obligations. Where a feature involves especially sensitive processing — such as recording a therapy session — we ask for specific consent at the moment it happens, and you can say no.
4. AI features, honestly explained
Some features send data to AI service providers to work: the AI companion and journal summaries use a language-model provider (OpenAI), practitioner search uses a vector database (Pinecone), and clinical dictation/transcription uses a speech-to-text provider (Deepgram). These providers act as processors on our instructions. AI-generated clinical content (such as a drafted session note) is always a draft that a human practitioner reviews and signs — nothing AI-generated becomes part of your clinical record without a professional’s sign-off.
5. Where your data lives, and who processes it
Primary storage is in India (Mumbai region), on Supabase-managed PostgreSQL and storage. To run the service we use a small set of processors, each bound by contract to use data only to provide their service to us:
- Supabase — database and encrypted file storage (Mumbai)
- Render and Vercel — application hosting
- Cloudflare — networking and DNS
- Razorpay — payment processing (we never see or store full card details)
- Daily.co — encrypted video sessions
- OpenAI, Deepgram, Pinecone — the AI features described above
- Resend / Amazon SES — transactional email; MSG91 — SMS reminders (when enabled)
- PostHog — privacy-respecting product analytics
- Google — only if you choose “Sign in with Google”
6. Security
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Passwords are hashed with bcrypt. Access tokens are short-lived and rotate automatically. Sensitive documents live in private buckets that are never publicly accessible, and every access to a clinical record is written to an audit log. Practitioners on Rudra are verified before they can see any client, and login endpoints are rate-limited against attacks.
7. Retention and deletion
We keep personal data only as long as needed for the purposes above. Verification documents are purged automatically after their retention window (the decision outcome is retained). If you delete your account, we delete or irreversibly anonymise your personal data within 30 days, except where law requires longer retention (for example, financial invoice records) or where your practitioner must retain clinical records under their professional obligations. See How to delete your account.
8. Your rights under the DPDP Act
- Access a summary of the personal data we hold about you;
- Correct inaccurate or incomplete data;
- Delete your data (see the account-deletion page);
- Withdraw consent at any time, as easily as you gave it;
- Nominate a person to exercise your rights if you are unable to;
- Raise a grievance with us, and escalate to the Data Protection Board of India if unresolved.
9. Children
Rudra is intended for users 18 and older. We do not knowingly process data of persons under 18; if you believe a minor has created an account, contact us and we will delete it.
10. Contact and grievances
For privacy questions, data requests, or grievances, write to privacy@rudraailabs.com. We acknowledge grievances within 72 hours and aim to resolve them within 30 days.
11. Changes to this policy
If we change this policy in a way that matters, we will notify you in the app or by email before the change takes effect, and update the date at the top of this page.