Effective 2026-07-15 (operator may revise launch date before publication)
Privacy Policy
Effective: 2026-07-15
Version: 1.0
App: Esha
Operator (Data Fiduciary under DPDP 2023 / Data Controller under GDPR): Solo individual (not a company). Operator legal name: Phanidhar Rao Madduri (sole proprietor), India.
Operator country of residence: India. Primary regulatory framework: India Digital Personal Data Protection Act, 2023 (DPDP). Additionally applicable: EU General Data Protection Regulation 2016/679 (GDPR) for EU/EEA visitors; UK GDPR + Data Protection Act 2018 for UK visitors; California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) for California residents.
Privacy contact (Data Protection Officer / Grievance Officer under DPDP §10): [email protected]. (At v1.0 the operator uses a personal mailbox; once a custom-domain mailbox [email protected] is provisioned, this Privacy Policy will be updated and existing users notified per §16.)
Public account-deletion page: https://askesha.com/delete-account
Drafting note for the operator: This Privacy Policy reflects the actual data flows of Esha at version 1.0. Phase 4.15.G G.64 has filled the operator-provided values (legal name + privacy email) and bumped the user-age floor to 18 to align with India DPDP 2023 §9(1) (parental-consent threshold for "children" defined under §2(f)) and the highest GDPR member-state digital-consent ceiling (16) in a single global floor. The document should still be reviewed by qualified privacy counsel admitted in India before publication.
1. Plain-English summary
| Topic | Plain meaning |
|---|---|
| Who runs Esha | A solo individual, not a company. |
| What we collect | Account: email + hashed password. Chart: name, birth date, birth time, birth place, latitude, longitude, timezone. Chat: your messages and AI replies. Activity: streaks, subscription tier, daily AI usage. |
| What we do not collect | Phone numbers, contacts, photos, microphone or camera input, current GPS location, health-app data, payment-card numbers, government IDs, biometric data, browsing history outside Esha. |
| Why we use OpenAI | To generate astrology readings and chat replies. |
| Selling your data | We do not. |
| Ads / third-party analytics SDKs | Esha does not run ads. Esha does not use any third-party analytics SDK (no Mixpanel, Amplitude, Firebase Analytics, PostHog, or Google Analytics) at version 1.0. |
| First-party usage telemetry | Esha collects first-party usage telemetry events (screen views, feature opens, paywall interactions) linked to your user ID. This data improves product quality and is NEVER sold or shared with third-party analytics platforms. You can opt out in Profile → Privacy (default = off, per GDPR Art. 7(2)). See §3 for the schema. |
| Your control | You can export everything we hold about you, delete a profile, or delete your entire account from inside the app at any time. |
| Minimum age | 18. Single global floor that satisfies India DPDP 2023 §2(f)/§9(1) (children defined as under-18 requiring verifiable parental consent), GDPR Art. 8 (highest member-state digital-consent ceiling is 16), and the adult-targeted nature of relationship/career/health astrology content. |
This summary is informational only; the sections below control if there is any conflict.
2. Who Esha is
Esha is operated by Phanidhar Rao Madduri (sole proprietor), a solo individual based in India. References to "Esha," "we," "us," or "our" mean that operator and any service providers acting on the operator's behalf. There is no company, partnership, or limited-liability entity behind Esha at version 1.0. The operator is the Data Fiduciary under India DPDP 2023 §2(i), and the Data Controller under GDPR Art. 4(7) / UK GDPR / CCPA-CPRA "business".
The operator is also the named Grievance Officer for DPDP §10 purposes; complaints under DPDP, GDPR data-subject rights requests, UK GDPR DSARs, and CCPA "right to know / delete / opt-out" requests all reach the same address listed at the top of this document.
If Esha later becomes operated by a legal entity, an acquirer, or a successor, this Privacy Policy will be updated and you will be notified before that change takes effect.
3. What we collect
We collect only what we need to run the product. Each row below maps to a real field in our database; nothing on this list is hypothetical.
| Category | Specific fields | Where it lives |
|---|---|---|
| Account | Email address; hashed password (bcrypt); subscription tier (free / pro / premium); account creation timestamp | users table |
| Age confirmation at registration | Date of birth used solely to enforce the minimum-age rule. Validated server-side and not persisted to the account record. If you exit the app between registration and the chart-onboarding step, the value is held briefly in your device's secure storage (iOS Keychain / Android Keystore — never plaintext on disk) so the onboarding flow can resume; it is cleared on completion or on logout. | Validated in transit; transiently held in device secure storage if onboarding is paused |
| Birth profile(s) | Profile name; birth date; birth time; birth place text; latitude; longitude; timezone; the computed astrological chart | profiles table |
| Chat | Each message you send; each AI reply; session ID; profile ID; timestamp | chat_messages table |
| Auto-extracted life events | Tags such as "career change," "relationship," "loss," extracted from your chat content using keyword rules to give the AI relevant context for future replies | life_events table |
| Streak | Current streak, longest streak, last check-in date, total check-ins | user_streaks table |
| Rate-limit state | Number of questions asked today, number of compatibility checks today | rate_limits table |
| Daily content cache | Daily insight, daily card, and daily digest payloads, keyed by profile and date | daily_insight_cache, daily_card_cache, daily_digest_cache |
| Family-plan slots | Slot ID, member user ID (if filled), action history | family_slot_changes |
| AI usage logs | Per-call token counts (prompt, completion, total), endpoint, tier, model, timestamp | token_usage_logs table |
| Crash & error diagnostics | Stack traces and request metadata, sent to Sentry only if Sentry is enabled for the deployment. We do not send your chat content or birth data to Sentry. | Third-party (Sentry) |
We do not collect: phone numbers, contact lists, photos, microphone or camera input, current GPS location, Apple Health or Google Fit data, browsing history outside Esha, payment-card numbers, government IDs, or biometric data.
We do not use third-party advertising or analytics SDKs at version 1.0.
First-party usage telemetry (server-side analytics): Esha collects a curated allowlist of telemetry events — for example, today_screen_viewed, pillar_opened, chat_message_sent, paywall_viewed, subscription_purchase_initiated — linked to your user_id. The full allowlist lives in backend/main.py under TELEMETRY_EVENT_ALLOWLIST and is also visible to App Store / Google Play reviewers on request. The data is used to (a) measure feature adoption, (b) detect breakages (e.g. a screen that nobody can open), (c) inform product decisions. It is NEVER sold, NEVER shared with any third-party analytics service, and is silently dropped for users who opt out via Profile → Privacy. The default is off (opt-in only, per GDPR Art. 7(2)). See §10 (Retention) for storage duration.
4. Why we use it (purpose limitation)
| Purpose | Data used |
|---|---|
| Calculate your astrological chart | Birth date, birth time, birth place, latitude, longitude, timezone |
| Generate AI chat responses | Your message; recent chat history (up to ten messages); chart context; current dasha context; system prompts |
| Personalize daily content | Birth profile + current date |
| Enforce minimum-age policy | Date of birth at registration only (then discarded) |
| Operate accounts and sessions | Email, hashed password, JWT |
| Apply rate limits and per-user daily AI-cost limits | rate_limits table + token_usage_logs table |
| Operate subscriptions | Subscription tier + free-trial timestamp; billing receipts handled by Apple, Google, and RevenueCat |
| Detect crisis prompts and route to safe responses | Your message text matched against keyword patterns; no detection metadata is sent to third parties |
| Diagnose crashes | Sentry crash reports (only if Sentry is enabled) |
| Respond to your privacy or support request | Your contact email and the contents of your request |
We do not use your data for automated decisions that produce legal or similarly significant effects. Esha's outputs are reflective content, not determinations.
5. AI processing — what OpenAI sees
Esha uses OpenAI to generate chat responses and structured interpretations.
When you chat with Esha, we send OpenAI:
- Your message
- Up to ten recent prior messages from the same conversation
- A compact, redacted snapshot of your chart (planetary placements, current dasha, the houses relevant to your question)
- A system prompt that instructs the model how to behave
- A response contract requiring the model to ground its reply in your chart
What we do not send to OpenAI:
- Your email address
- Your password (it is hashed and never leaves our database)
- Numeric strength scores from internal calculations (these are redacted before transmission)
- Crash diagnostics
OpenAI processes these inputs to produce a reply and may retain limited request metadata for safety, abuse prevention, and reliability under its own privacy terms. We do not control OpenAI's infrastructure.
Two important properties of how we use the model:
- Output validation. Every AI reply passes through a deterministic fact validator before you see it. The validator rejects answers that misplace a planet, misidentify a karaka, or promise a specific date for marriage, childbirth, death, or disease. Failed validations trigger a regeneration. This does not eliminate AI mistakes — it constrains them.
- Hard refusals. Requests for medical diagnosis, legal advice, financial advice, the date of someone's death, exact marriage timing, fertility prediction, or harm to another person are refused before they reach the model.
You should not submit information to Esha that you do not want processed by an AI provider.
6. Third-party services we actually use
| Provider | Role | Data potentially processed |
|---|---|---|
| OpenAI | AI inference for chat and structured interpretations | Prompt, redacted chart snapshot, recent chat context, technical metadata |
| Railway | Hosting (US region) for the API server and Postgres database | All stored data, request logs, technical metadata |
| Apple App Store / Google Play | App distribution and in-app purchases | Subscription / purchase metadata under their own terms |
| RevenueCat | Subscription orchestration across Apple and Google billing | App user ID, product IDs, entitlement state, receipt metadata |
| Sentry (only if SENTRY_DSN is configured for the deployment) | Crash and error reporting | Stack traces, request metadata. No chat content. No birth data. |
| Expo Push (Apple APNs / Google FCM) | Push notifications for daily content | Device push token; notification body |
We do not use Mixpanel, Amplitude, Firebase Analytics, PostHog, Google Analytics, or any other analytics SDK at version 1.0. We do not embed advertising SDKs of any kind. If we add any of these in the future, this Privacy Policy will be updated and you will be notified in-app before the change takes effect.
7. Data retention
| Data | How long we keep it |
|---|---|
| Account, birth profiles, chat history, life events, streak, daily caches | Until you delete the chat, the profile, or the entire account, or until your account is suspended for abuse. We do not auto-delete this content on a fixed schedule. |
| Hashed password | Until account deletion |
| AI usage logs (token_usage_logs) | Up to 24 months for cost accounting, abuse detection, and fraud prevention. We may retain aggregated, non-identifiable totals longer. |
| Crash diagnostics in Sentry (if enabled) | Per Sentry's default retention; typically 30–90 days |
| Backups | Standard Postgres backup cycle; deletion from backups can lag the live system by up to 30 days |
| Family-plan slot change history | Up to 24 months for abuse prevention |
When you delete your account, every row tied to your user_id in the tables listed in Section 3 is removed in a single database transaction, except backup snapshots which roll off naturally and aggregated cost totals where required for fraud and accounting purposes.
8. Your rights
| Right | How to use it |
|---|---|
| Access / export | Call GET /api/v1/user/export from inside the app, or email the privacy contact. We return a JSON document containing your account, every birth profile, every chat message, every life event, your streak, your daily caches, and an export timestamp. |
| Delete a single birth profile | Use the in-app profile delete control, which calls DELETE /api/v1/profiles/{profile_id}. |
| Delete your entire account | Use the in-app account delete control, which calls DELETE /api/v1/user. You may also use the public page at https://askesha.com/delete-account or email the privacy contact. |
| Correct your data | Edit a birth profile in-app; recompute the chart if you change birth details. |
| Object to or restrict processing | Stop using the app and delete your account. |
| Withdraw consent for AI processing | Stop sending chat messages and delete your account. AI processing only happens when you initiate a chat. |
| Lodge a complaint | You may contact your local data-protection authority. We will cooperate with regulator inquiries. |
We respond to verifiable rights requests within 30 days, or sooner where required by local law. We may need to verify your identity before fulfilling sensitive requests.
9. Account deletion
You can delete your account in three ways:
- In-app: Settings → Delete account (calls DELETE /api/v1/user).
- Web: https://askesha.com/delete-account.
- Email: the privacy contact below; we will verify and delete within 30 days.
Deleting your account does not cancel a paid subscription. Subscriptions are managed by Apple, Google, or RevenueCat under their own rules. To stop being billed, cancel the subscription in your App Store or Google Play account before deleting your Esha account.
After deletion, we retain only what is strictly necessary: aggregated cost-accounting totals, fraud signals, and backup snapshots that roll off naturally. We do not keep your chat content or birth profiles after deletion completes.
10. Children and minors (DPDP §9 / GDPR Art. 8 / COPPA)
Esha is intended for users 18 years of age and older. The app enforces this floor at registration: you cannot create an account if your supplied date of birth indicates you are under 18.
The 18-year floor is a single global rule that satisfies three independent regimes:
| Regime | Citation | What it requires | How Esha meets it |
|---|---|---|---|
| India DPDP 2023 | §2(f) "child" = under 18; §9(1) verifiable parental consent for processing children's personal data | Either obtain verifiable parental consent OR refuse children | Refuses registration under 18 — no children's data ever enters the system. |
| EU GDPR | Art. 8 sets a member-state-configurable digital-consent age between 13 and 16; highest member-state floor (DE, NL) is 16 | A digital-consent age must be set; processing of under-floor users requires parental consent | 18 > 16, so the highest GDPR member-state floor is satisfied by construction. |
| US COPPA | 15 U.S.C. §6501(1) "child" = under 13 | Requires verifiable parental consent for under-13 collection; "child-directed service" framework | 18 > 13, so the service is outside COPPA scope by construction. |
If a parent or guardian believes a person under 18 has nonetheless created an account (for example, by providing an inaccurate date of birth), please contact the privacy address at the top of this document and we will delete the account and all associated data.
Esha does not produce content intended to be sexual, exploitative, manipulative, or upselling toward minors. The app does not give marriage, fertility, or death timing for any user — adult or otherwise.
11. International transfers
Esha's production servers are hosted on Railway, in the US region. If you use Esha from outside the US — including from the EU, the UK, India, or anywhere else — your data is transferred to and processed in the US.
Specific transfer mechanisms by jurisdiction:
| Source region | Mechanism | Reference |
|---|---|---|
| EU/EEA | EU Standard Contractual Clauses (Commission Decision 2021/914 of 4 June 2021, Module 1 controller-to-controller for Railway/OpenAI relationships; Module 2 controller-to-processor where the sub-processor acts on documented instructions) plus a Transfer Impact Assessment ("Schrems II" requirement); supplementary technical measures include TLS 1.2+ in transit, AES-256-GCM at rest for PII columns (AAD-bound; see §12). | GDPR Art. 46(2)(c) |
| UK | UK International Data Transfer Addendum to the EU SCCs ("UK Addendum", ICO IDTA published 21 March 2022), executed with each US-based sub-processor. | UK GDPR Art. 46; DPA 2018 §17A |
| India | DPDP 2023 §16 allows transfer to any jurisdiction except those specifically restricted by the Central Government via notification. At v1.0 the US is not on any DPDP §16 restricted list. | DPDP 2023 §16 |
| California | CCPA / CPRA does not restrict cross-border transfers per se, but requires disclosure of "categories of personal information sold or shared" — none for Esha (we do not sell). | Cal. Civ. Code §1798.100(c) |
Sub-processors listed in Section 6 transfer and process data under their own contractual safeguards. Specifically:
- OpenAI: US-based; DPA at https://openai.com/policies/data-processing-addendum executes the EU SCCs Module 2 (controller-to-processor) and UK Addendum on the operator's behalf.
- Railway: US-based; provides DPA + SCCs to its customers under its Terms of Service.
- Apple App Store / Google Play / RevenueCat: US-based; each maintains its own privacy posture for billing flows that the operator does not control.
- Sentry (if enabled): US-based; DPA available at https://sentry.io/legal/dpa/.
- Expo Push (Apple APNs / Google FCM): Push tokens transit through Apple/Google infrastructure under their own terms.
12. Security
We use:
- TLS for all traffic in transit
- bcrypt password hashing (we never see your plaintext password after the moment you create or change it)
- JWT-based session authentication with bounded lifetimes
- Environment-isolated secrets (the JWT signing key is required to be present in production; the application will refuse to boot otherwise)
- An admin endpoint guard requiring a separate admin token in production
- Per-user daily message and AI-cost caps to prevent abuse
- A deterministic AI output validator that blocks fact hallucinations and deterministic event-timing claims before they reach you
No system is completely secure. If we become aware of a personal-data breach affecting you, we will notify the relevant supervisory authority within the time window required by applicable law (72 hours under GDPR / UK GDPR for qualifying breaches) and notify affected users where the law requires direct notice.
You are responsible for the security of your device, your email account, your app-store account, and your Esha password.
13. AI accuracy and the nature of astrology
Esha is a reflective astrology product. Three things you must understand:
- AI outputs may be wrong. Even with our validation layers, AI replies may be inaccurate, incomplete, biased, outdated, or unsuitable for your situation.
- Astrology is not deterministic. Esha gives windows of activation and reflective patterns, never calendar guarantees. We block the model from claiming a specific date for marriage, childbirth, death, or disease, and we refuse user requests for that kind of prediction.
- Esha is not professional advice. It is not medical, legal, financial, or psychological advice. For any of those, see a licensed professional.
14. Crisis and safety
If you tell Esha you are thinking about self-harm or suicide, the app will replace the astrology reply with a crisis response that lists helplines (US 988, UK Samaritans, India Tele MANAS, and a global pointer to local emergency services). The app cannot replace emergency services. If you are in immediate danger, call your local emergency number.
We do not share crisis-detection metadata with third parties.
15. No sale, no targeted advertising
We do not sell personal data. We do not run third-party ads. We do not share birth data, chat content, or chart data with anyone for advertising purposes. If this changes, we will update this Privacy Policy and obtain any consent required by law before the change takes effect.
16. Changes to this policy
We may update this Privacy Policy. The effective date at the top of the document changes when we do. Material changes — for example, adding a new third-party processor, changing retention defaults, or starting to use data for a new purpose — will be communicated in-app, or by an email to your account address, before the change takes effect.
17. Contact
For privacy questions, rights requests, or deletion requests: [email protected]
The operator is the named Grievance Officer for the purposes of DPDP 2023 §10 and the Data Protection Officer equivalent for other jurisdictions. Verifiable rights requests will be acknowledged within 7 days and completed within the timelines required by the applicable law (typically 30 days under GDPR Art. 12(3) / DPDP 2023 §11(2); 45 days under CCPA §1798.130(a)(2)).
If you do not receive a reply within 30 days, you may contact your local data-protection authority. For India users specifically, the Data Protection Board of India (https://www.dpb.gov.in once notified into operation under DPDP §28). For EU users, the supervisory authority of your member state of habitual residence (list at https://edpb.europa.eu/about-edpb/about-edpb/members_en). For UK users, the Information Commissioner's Office (https://ico.org.uk). For California residents, the California Privacy Protection Agency (https://cppa.ca.gov).
Questions about this policy? Email [email protected].