1. Who We Are

2. What We Collect

We collect information only when we have a reason to (e.g., to provide and improve the Services, personalize your experience, ensure security, and meet legal obligations).

2.1 Information you provide

Account data. Email address, password (hashed), display name, preferences, and settings.

Journal Data

We may collect and process journal data that you choose to record, upload, or otherwise make available through the Service. This includes, but is not limited to:

• Written journal entries
• Voice Recordings
• Photos, images, music, and videos
• Comments, questions, messages, and works of authorship
• Other content or information you create, transmit, or share within the Service

This journal data may also include metadata, such as:

• Information on how, when, where, and by whom a piece of content was collected
• Details on how that content has been formatted, edited, or modified
• User-added information such as keywords, location or geographical information, tags, and other contextual data

If you record audio or video through the Service, such recordings may capture your voice and related information. These recordings will be used and processed only as described in this Privacy Policy or as otherwise disclosed to you at the time of collection.

Sensitive Information

If you provide us with sensitive personal information (for example: government identifiers, information about racial or ethnic origin, political opinions, religious or philosophical beliefs, health or medical information, or information about criminal background), you explicitly consent to our processing and use of such information in accordance with this Privacy Policy and applicable law.

If you do not consent to this processing, please refrain from submitting sensitive personal information through the Service.

Payment Data

To facilitate transactions, we may collect payment-related information, such as payment card details or bank account information. This data is processed securely and in compliance with applicable payment processing standards (e.g., PCI-DSS).

AI feature inputs. Prompts and content you elect to process with AI features (see Section 5).

Support and feedback. Information you send us via forms, chat, or email, including attachments and call recordings where permitted by law.

Other Data

We may also collect other information not specifically listed above. Where this occurs, such information will be used and processed in accordance with this Privacy Policy or as otherwise disclosed to you at the time of collection.

2.2 Information we collect automatically

Usage and device data. App version, device type, OS, language, performance data, diagnostics/crash logs, and feature interactions (e.g., button taps, screens viewed, session duration).

Approximate location. Derived from IP address to tailor features and keep our systems secure. We do not collect precise GPS location unless you opt in (see Section 2.3).

Cookies and similar tech (web). Cookies/pixels help us keep you signed in, remember preferences, and understand how our site is used. See Section 8.

Online Activity and Communication Data

Online Activity Data

We may automatically collect information about your interactions with the Service and related websites or applications. This may include:

• Pages or screens you view and the features you use
• The length of time you spend on a page or screen
• The website, application, or service you visited before accessing the Service
• Navigation paths between pages or screens
• Information about your activity and actions on a page or screen
• Access times, dates, and duration of access
• Whether you open our emails and whether you click links within them

This information helps us understand usage patterns, improve the performance and usability of the Service, and provide you with a better user experience.

Communication Interaction Data

We may also collect information about how you interact with our communications, including emails, text messages, or other messages we send. For example, we may track whether you open, forward, or click links in our communications.

To do this, we may use technologies such as pixel tags (also known as clear GIFs or web beacons), which are embedded invisibly in certain emails. Pixel tags allow us to recognize when an email has been opened or when a link has been clicked. This data is used to measure the effectiveness of our communications and to improve the relevance of the content we send to you.

2.3 Information from integrations and third parties (optional)

Health & activity integrations (e.g., Apple Health, Google Fit) if you enable them: mindful minutes, activity summaries or similar non-sensitive metrics to enrich entries and insights. We do not use Health data for advertising or share it for marketing purposes. You can revoke access in your device settings at any time.

Single-Sign-On (SSO). If you log in with Apple/Google, we receive basic account info (e.g., email, user ID) from the provider.

Purchases. App Store/Play billing is handled by Apple/Google. We do not receive your full payment card details. We may receive receipts/tokens for subscription status and fraud prevention.

Sensitive information. Your journal may include sensitive topics (e.g., mental health, emotions). We process such content only to provide the Services you request, to secure our systems, and as otherwise permitted or required by law. We do not use such content for targeted advertising.

2.4 Data Storage and Encryption

Your data is stored securely in a managed PostgreSQL database hosted on Railway servers. All data is encrypted to protect your information against unauthorized access.

Railway is certified under major safety and security certifications. You can learn more here.

2.5 No Sale or Sharing of Personal Data

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

2.6 Use of Data

Your data is used solely to provide and improve the services of the Aksha app. We do not use your personal data to train our own AI models.

2.7 Subscription Model

We plan to introduce a subscription model in the near future. Subscription fees will be used exclusively to cover the costs of hosting, maintaining, and improving the service.

3. Why We Use Your Information

Provide the Services. Operate accounts, sync and store content, generate insights and summaries (including via AI if enabled), send transactional messages, and provide support.

Personalize & improve. Understand usage, fix bugs, develop new features, and improve recommendations and prompts.

Safety & security. Detect, investigate, and prevent fraud, abuse, and security incidents.

Research. With your consent, we may use de-identified and/or aggregated data to conduct and publish science and product research, quality improvements, and publications. De-identification means we remove direct identifiers and apply technical and organizational measures designed to prevent re-identification. We do not attempt to re-identify de-identified data. Results are reported only in aggregate. No individual is identified.

Payments. Processing your financial information and other payment methods for Services purchased.

4. Our Legal Bases (EEA/UK/Switzerland)

Where GDPR or similar laws apply, we rely on:

Contract – to provide the Services you requested.

Legitimate interests – to maintain and improve Services, protect security, and prevent abuse (you can object where applicable).

Consent – for optional analytics, certain cookies, health integrations, AI settings using historical entries, and research uses.

Legal obligation – to comply with applicable laws.

Vital interests – only in rare emergency circumstances.

Special-category data (e.g., mental-health-related content): Where required, we rely on your explicit consent (GDPR/UK GDPR Art. 9(2)(a)) to process special-category data. You can withdraw this consent at any time in Settings → Privacy; if withdrawn, related features may stop working and you can delete your data (see §7, §10).

No automated decisions with legal or similarly significant effects. We don't use algorithms to make decisions about your rights, access, pricing, or other outcomes that significantly affect you without human review.

5. AI Features

Aksha offers AI-powered features that generate suggestions, summaries, prompts, mentor-style reflections, and notifications.

Who processes it. We use vetted third-party AI providers (e.g., large-language-model APIs) under data-processing terms. We prohibit providers from using your content to train their foundation models and restrict retention to what's necessary to provide the feature, troubleshoot, and meet legal requirements.

Minimization & storage. We minimize the data we send and may store limited embeddings/vectors or pseudonymous context to personalize your experience.

Retention (AI providers). AI provider request logs are retained no longer than 30 days for abuse detection and troubleshooting, unless a longer period is legally required. Providers are prohibited from training on your content.

No automated decisions with legal effects. AI outputs are assistive and do not produce legal or similarly significant effects about you without human involvement.

Controls. You can delete your data at any point you would like. (Section 7).

6. How We Share Information

We share information only as needed, with appropriate safeguards:

Service providers (processors). Cloud hosting, storage, analytics, error monitoring, customer support tools, authentication/SSO, email/SMS providers, and AI processors. We require binding data-processing terms and confidentiality.

Affiliates. Within our corporate group under this Policy.

Business transfers. In a merger, acquisition, or asset sale, data may transfer in compliance with this Policy.

Legal and safety. To comply with laws, enforce terms, respond to lawful requests, and protect rights, safety, and security.

With your direction or consent. For example, when you export or share content.

We do not allow third parties to use your journal content for their own marketing.

7. Your Choices & Controls

Access, edit, export, delete. Manage your entries and account data in the app. You can request an export and/or deletion of your account and content.

Cookies. Manage cookie preferences in your browser and our web banner (see Section 8).

AI settings. Enable/disable use of historical entries; clear AI memory/embeddings; and control personalization.

Marketing communications. Unsubscribe via email footer or settings (we may still send transactional messages).

Health integrations. Revoke access in device settings at any time.

Push notifications. Control or disable push notifications in your device OS settings or within the app at any time.

Response times for rights requests. We respond within one month (EEA/UK; extendable by two months for complex requests) and within 45 days in the U.S. (extendable by 45 days where permitted).

8. Cookies & Similar Technologies (Web)

We use cookies/pixels to: keep you logged in, remember preferences, measure site traffic, and improve content. You can control cookies via your browser settings and our cookie banner. Turning off certain cookies may affect site functionality. We do not use cookies for third-party targeted advertising.

9. Your Privacy Rights

Depending on where you live, you may have rights such as access, correction, deletion, portability, restriction/objection, and opt-out of certain processing (e.g., targeted advertising, profiling for legal effects). In the United States, several states (including California, Colorado, Connecticut, Utah, Virginia) grant rights to know, delete, correct, and to opt out of the sale/sharing of personal information. We do not sell or share your personal information for cross-context behavioral advertising.

How to submit a request: email support@aksha.ai from the address associated with your account. We may need to verify your identity or request additional details. You may authorize an agent to submit a request on your behalf where permitted by law.

Appeals (where required). If we deny your request, you may appeal by replying to our decision email. If your appeal is denied, you may contact your state attorney general or local authority.

Verification. We may request information sufficient to verify your identity before acting on a request. You may designate an authorized agent where permitted by law.

Non-discrimination. We will not discriminate against you for exercising your privacy rights.

EEA/UK/Swiss users. You may lodge a complaint with your data protection authority. We encourage you to contact us first so we can try to resolve your concern.

Global Privacy Control (GPC) & Universal Opt-Out Mechanisms. We currently do not sell or share your personal information for cross-context behavioral advertising. If that changes, we will provide a "Do Not Sell/Share" control and honor browser-based opt-out signals such as GPC and other legally recognized universal opt-out mechanisms.

10. Retention

We retain personal information only as long as needed for the purposes in this Policy and as required by law. Typical periods:

Account & journal content: retained while your account is active. If you request deletion, active-system records are removed within 7 days; encrypted backups are overwritten on a rolling basis within 45 days.

Logs/diagnostics: 90 days (error/security logs up to 180 days where necessary).

Support tickets: 18 months after closure.

Marketing preferences: until you unsubscribe; suppression records retained to honor your choice.

Research data: anonymized/de-identified data may be retained for longitudinal research unless you withdraw consent; withdrawal stops future collection/use.

11. Security

We use administrative, technical, and physical safeguards to protect information, including encryption in transit and at rest, access controls, least-privilege practices, and continuous monitoring for abuse. No method of transmission or storage is 100% secure; we work to improve our protections continually and notify you of material incidents as required by law.

12. International Data Transfers

We may process and store information in countries outside your own. Where required, we use European Commission-approved Standard Contractual Clauses (SCCs) and other lawful mechanisms to safeguard cross-border transfers. You can contact us for a copy of relevant transfer safeguards.

13. Children & Minimum Age

The Services are not intended for children under the Minimum Age (13 in the US and UK, 16 in the EEA, or a higher age set by local law). We do not knowingly collect personal information from anyone under the Minimum Age. If you believe a child has provided us data, contact support@aksha.ai. If we learn that such information was provided, we will delete it and may close the account. If local law requires a higher minimum age for Aksha to lawfully process data without parental consent, we will comply with that higher age.

14. State & Regional Disclosures (Summary)

California (CCPA/CPRA). In the last 12 months we collected identifiers (e.g., email), internet activity (usage), geolocation (approximate), and in-app content you provide. We use this data to operate the Services, personalize features (if enabled), secure our systems, and support research (with consent and de-identification). We disclose data to service providers under written contracts. We do not sell or share personal information for cross-context behavioral advertising and we do not use sensitive personal information for purposes that require a right to limit. You have rights to know, delete, correct, and to not be discriminated against for exercising rights. Submit requests as described in Section 9.

Colorado/Connecticut/Utah/Virginia and others. We honor applicable state rights and opt-outs. We do not process personal data for targeted advertising or sell personal data.

Washington & Nevada Consumer Health Data. For residents of Washington and Nevada, some information you enter (e.g., mood, emotions, mental-health reflections) may be "consumer health data."

• We only collect what's necessary to provide the Services you request.
• We will obtain opt-in consent for any processing beyond necessity and a separate opt-in for any sharing (including with affiliates).
• You may withdraw consent and delete your data at any time (see §7).
• We do not sell consumer health data.
• Our current processors are listed in our Subprocessors List (see §18). We do not use geofencing to target health-care providers or consumers.

EEA/UK/Switzerland. See Section 4 (legal bases), Section 12 (transfers), and Section 9 (rights/complaints).

15. Third-Party Services

Our Services may link to or enable integrations with third-party services. Their privacy practices are governed by their own policies. Please review those policies before enabling integrations or sharing information with third parties.

16. Changes to This Policy

We may update this Policy from time to time. We will post the updated version and change the "Last Updated" date. If changes are material, we will provide additional notice (e.g., in-app notice or email). Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

17. How to Contact Us

Questions, concerns, or requests?

Email: support@aksha.ai

Postal: Aksha, Inc., 2108 N St, Ste N, Sacramento, Ca 95816

18. Service Provider List (Summary)

We use trusted processors to operate the Services. A current list is available here: https://aksha.app/legal/subprocessors. Typical categories include: cloud hosting and storage; error monitoring; analytics (optional/consent); email and notifications; payment verification (app stores); authentication/SSO; and AI processing providers used for optional features.