Privacy Policy
Last updated: 2026-05-28
Last updated: 2026-05-28.
This Privacy Policy explains what personal data Vedic Jyoti collects, how it is used, who it is shared with, how long it is kept, and the rights you have under India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and other applicable Indian laws. It applies to the website at vedicjyoti.in, our mobile clients, the Acharya consultation platform, the online shop and any supporting services (together the "Service").
The data fiduciary under the DPDP Act is Serene Soul Jewellery, a sole proprietorship of Deepak Chaudhary (registered office: [Registered office address]), which operates Vedic Jyoti. Our designated Grievance Officer is contactable via the Grievance Officer page.
By creating an account, ticking the consent boxes at signup, or otherwise using the Service, you consent to the processing described in this Policy. You can withdraw consent at any time — Section 4 explains how.
Our promises to you
A short, plain-language summary of how we behave. The rest of this Policy is the formal version of these promises.
- We never sell, rent or trade your personal data, and we do not run third-party advertising on the Service.
- Your chart and your reading stay yours. Your computed birth chart, divisional charts, dasha tables, report content and the messages you exchange with Acharyas are used only to deliver the service to you. We do not repurpose them for marketing, do not feed them into AI-training datasets (this is also enshrined in our Terms), and share them only with the processors strictly necessary to render your order (Section 5).
- We do not see your card or bank details. All payments go through Razorpay; only the order/payment metadata reaches us.
- Messages to support are used only to help you. Anything you write to support@vedicjyoti.in is used to address that specific request; it is not added to your marketing profile or otherwise repurposed.
- You stay in control. You can view, update or delete your account information at any time from your dashboard, or by writing to support — see Section 11.
1. Definitions
For ease of reference (terms used here have the meaning given in the DPDP Act where applicable):
- You / Data Principal — the individual to whom the personal data relates.
- We / Vedic Jyoti / Data Fiduciary — Serene Soul Jewellery (sole proprietorship of Deepak Chaudhary), operator of vedicjyoti.in.
- Personal Data — any data about an identifiable individual.
- Processing — any operation on personal data (collection, storage, use, transmission, deletion, etc.).
- Processor — a third party that processes personal data on our behalf, on our written instructions.
2. Data we collect
2.1 Information you give us
- Account data: email address, password (stored only as a hash by Supabase, our authentication processor) and display name.
- Phone number — used to send the one-time password (OTP) at sign-in. We store only an HMAC-SHA-256 hash of the normalised number, keyed with a server-only salt. We do not persist the raw phone number after the OTP has been verified.
- Sex when you order a Premium-tier report — drives the printed "Sex" row and the numerology Kua number.
- Birth details — date, time, place, latitude, longitude and IANA time-zone. Without these the chart cannot be computed.
- Partner birth details when you order a Kundli-matching (MARRIAGE) report — captured with a separate consent confirming that you have permission to share them.
- Consultation content — the messages you exchange with Acharyas in chat, and metadata about call/chat sessions (duration, status).
- Shipping information for physical orders (name, address, contact).
- Communication preferences — your opt-in / opt-out for marketing email.
2.2 Information we collect automatically
- Technical & device data — IP address, browser user-agent, device type, screen size, language, and basic analytics events (page views, button taps) collected via PostHog. We do not include raw phone numbers or birth data in these events.
- Error and performance data — stack traces, request IDs and similar diagnostic data captured by Sentry when something goes wrong. We strip request bodies and personal identifiers from these reports.
- Cookies — see Section 9.
2.3 Information from third parties
- Payment metadata from Razorpay — order / payment IDs, amount, status, payment method type. We never receive your card number, UPI PIN or bank credentials.
- Referral data from a "ref" cookie set when you arrive via a referrer's link — used at signup to attribute the referral.
3. Purposes — why we use your data
| Purpose | Data used | Legal basis |
|---|---|---|
| Compute your birth chart, divisional charts and dashas | Birth details | Contract performance |
| Generate your personalised report, including AI-assisted prose | Birth details, chart, name, sex | Contract performance |
| Run an Acharya consultation | Account, chart, your messages | Contract performance |
| Take payment and issue an invoice | Account, payment metadata | Contract + legal obligation |
| Send transactional email (receipts, order updates) | Contract performance | |
| Send optional product updates | Consent | |
| Authenticate sign-in via OTP | Phone (HMAC) | Consent + contract performance |
| Detect fraud, abuse and rate-limit abuse | Technical data, phone hash, IP | Legitimate interest + legal obligation |
| Improve the Service in aggregate | Pseudonymous analytics | Legitimate interest |
| Respond to your messages and grievances | Whatever you share with us | Contract + DPDP Act |
| Comply with tax and accounting law | Order + payment data | Legal obligation |
We do not sell your data, run third-party advertising on the Service, or share your data for any other party's marketing.
4. Notice and consent under the DPDP Act
Where the DPDP Act requires consent, we obtain it through an active choice (a ticked checkbox at signup, or an explicit confirmation in a later flow) and we record the date and a hashed IP for an auditable trail. The notice at the point of collection sets out the data, the purpose, your right to withdraw consent and your right to grievance redressal.
You can withdraw consent for a particular processing activity at any time — for marketing email this is one click in the email itself; for other purposes, write to support@vedicjyoti.in. We will stop the relevant processing prospectively. Where the processing is necessary for contract performance (for example, delivering a report you have paid for), withdrawing consent may mean we can no longer deliver that part of the Service; we will tell you if so.
5. Sharing — processors we use
We share the minimum data necessary with carefully selected processors to deliver the Service. Each processor handles your data on our written instructions, under standard contractual safeguards.
| Processor | Purpose | What we share | Region |
|---|---|---|---|
| AstrologyAPI (Vedic Rishi) | Chart, divisional, panchang, varshphal computation | Birth date / time / lat-long / time-zone | India / Cloud |
| Anthropic (Claude) | AI-assisted report prose and Acharya support | Computed chart + conversation context | US |
| Supabase | Auth + database + file storage | Account, hashed phone, birth, reports | EU / US |
| Razorpay | Payments, settlements, invoices | Name, email, amount; card details stay with Razorpay | India |
| Resend | Transactional email | Email address + message body | US / EU |
| Twilio / Supabase Phone | SMS / WhatsApp OTP | Phone number in transit; hashed at rest | India / US |
| Vercel | Hosting + request routing | Request logs, performance metrics | Multiple |
| Upstash | Redis cache + queue (rate limits, OTP throttling) | Pseudonymous keys (e.g. phone-hash) | India / EU |
| PostHog | Product analytics | Pseudonymous events; no raw PII | EU |
| Sentry | Error monitoring | Pseudonymous stack traces, request IDs | EU / US |
We may add, replace or remove processors from time to time; this table is updated when we do.
In addition, Acharyas (verified astrologers) receive only the information you choose to share within a session.
6. Cross-border transfers
Some processors host data outside India (for example, Anthropic in the United States; PostHog in the European Union; Sentry, Resend and Vercel across multiple regions). The DPDP Act permits cross-border transfers to all countries not specifically restricted by the Government of India. Where transfers occur, we contractually require appropriate technical and organisational safeguards.
7. Retention schedule
We keep personal data only for as long as necessary for the purpose for which it was collected, after which we delete or anonymise it.
| Data | Retention |
|---|---|
| Account record (User row) | While the account is active; deleted on request, see Section 11 |
| Phone-number HMAC | Same as account |
| Birth details (BirthDetail) | While the account is active; deleted with the account |
| Generated reports (PDF + content) | While the account is active; downloadable copies in your dashboard |
| Acharya conversation history | 12 months active access; archived for a further 12 months; then deleted |
| Payment invoices | 7 years from the financial year-end (Indian income-tax & GST) |
| Consent records | While the account is active + 3 years (auditability) |
| Error / diagnostic logs (Sentry) | 90 days |
| Analytics events (PostHog) | 365 days at user-level; aggregated indefinitely |
| Marketing-email delivery logs (Resend) | 30 days |
When you ask for deletion (Section 11), we erase the identifying data and retain only what we are legally required to keep (notably tax records), pseudonymising it where possible.
8. Security
- Hashing. Phone numbers and IP addresses are stored only as HMAC-SHA-256 hashes (keyed with a server-only salt). The raw values are not persisted.
- Card details never reach our servers — Razorpay handles them under PCI-DSS Level 1 compliance.
- Defence-in-depth. Row-Level Security (RLS) policies on the Supabase database; advisory locks on credit operations to prevent double-spend; signed, short-lived URLs for report downloads.
- Webhooks are the only authoritative path for credit grants (locked architectural decision); client-side amounts are never trusted.
- Transport. All traffic is TLS-encrypted. Inter-service calls use authenticated APIs with rotated secrets.
- Access control. Production data is accessed only by authorised personnel, on a need-to-know basis, and is logged.
- No production data on developer machines for routine work.
9. Cookies and similar technologies
We use a small number of first-party cookies:
- Session cookie — required to keep you signed in.
- Referral cookie (
jyoti_ref, 30-day max-age) — set when you arrive via a referrer's link so the credit reaches the correct referrer at signup. - Locale preference cookie — remembers the language you selected.
- Pseudonymous analytics cookie — set only after you accept analytics; you can decline.
We do not use third-party advertising or cross-site tracking cookies. We honour the browser's "Do Not Track" signal for analytics.
10. Children
The Service is intended for users 18 years and older. We do not knowingly collect personal data from children. If you believe a minor has created an account, please email support@vedicjyoti.in so we can verify and delete it.
11. Your rights under the DPDP Act
As a Data Principal you have the right to:
- Access the personal data we hold about you and a summary of how it has been processed.
- Correct inaccuracies or update outdated information.
- Erase your data, subject to the retention exceptions in Section 7.
- Withdraw consent for any processing that relies on consent — notably marketing email (one-click unsubscribe in every such mail).
- Nominate another individual to act on your behalf in the event of your death or incapacity.
- Grievance redressal with our designated Grievance Officer (Section 16) and, if unresolved, escalation to the Data Protection Board of India once notified by the Government.
To exercise any of these rights, email support@vedicjyoti.in from your registered email, or use the in-product controls (Profile → Privacy). We will acknowledge within 48 hours and resolve within 30 days (complex matters get an interim status update at 30 days and a final resolution within 90 days).
12. Automated decision-making and AI
We do not make any solely automated decisions that produce a legal or similarly significant effect on you. The AI-assisted prose in our reports is constrained to your computed chart and is reviewed against deterministic computations. Nothing automatic determines whether you qualify for the Service, the price you pay, or your access to your account.
13. Data breach notification
If we become aware of a personal-data breach affecting your data, we will notify you and the appropriate authority (the Data Protection Board of India, once it is notified by the Government) without undue delay, with the information required by the DPDP Act and the rules made under it. We will also publish a notice describing the breach and the remedial steps taken.
14. Marketing communications
If you have opted in (the "marketing" consent at signup), we may send occasional product updates by email. Every such email carries a one-click unsubscribe link. Transactional emails (order receipts, account notices) are not optional while your account is active.
15. Third-party links
The Service may link to third-party sites or services (for example, payment gateways or social media). Their privacy practices are governed by their own policies, not by ours. We do not control and are not responsible for their content.
16. Grievance Officer
In compliance with the DPDP Act, 2023 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, our designated Grievance Officer is reachable via the Grievance Officer page. The page sets out the officer's name, email, phone, postal address, working hours, and the timelines for acknowledgement and resolution.
17. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email and on this page, with the "Last updated" date refreshed at the top.
18. Contact
- Privacy questions: support@vedicjyoti.in
- Postal address: Serene Soul Jewellery (sole prop. of Deepak Chaudhary), [Registered office address], India
- Grievances: see the Grievance Officer page

