1. About this policy and who we are
This Privacy Policy explains how Kompella Technologies Pte. Ltd. collects, uses, shares and protects your personal data when you use the InnerVeda mobile application, the InnerVeda website at innerveda.app, and any related services (together, the "Service").
In this policy:
- "Kompella Technologies", "InnerVeda", "we", "us" and "our" mean Kompella Technologies Pte. Ltd., a company incorporated in Singapore (UEN 202437801Z) with its registered office at 68 Circular Road, #02-01, Singapore 049422.
- "you" and "your" mean the individual who uses the Service.
- "personal data" means any information that identifies you or that can reasonably be linked to you. Depending on where you live, your local law may call this "personal information", "personal data" or "personal information of a data principal" — we use "personal data" throughout to mean all of these.
Kompella Technologies is the data controller (in some jurisdictions, the "data fiduciary" or "business") responsible for your personal data, except where this policy says otherwise.
InnerVeda is an AI-first Ayurvedic wellness service. It is a wellness and educational product. InnerVeda is not a healthcare provider, does not provide medical advice, diagnosis or treatment, and does not create medical records. Please also read our Terms of Service, which include important information about the limits of the Service.
If you do not agree with this policy, please do not use the Service.
2. At a glance
This summary is for convenience only and does not replace the full policy below.
- What we collect. Account details; the wellbeing focus, logs and progress you record; your Body Type Assessment answers and result; your conversations with Vaidya, our AI wellness companion; personalised audio we generate for you; device, technical and usage data; and subscription and purchase records.
- Why we collect it. To create your account, deliver and personalise the Service, operate Vaidya, keep the Service safe and secure, process your subscription, support you, comply with law, and improve the Service.
- AI. Vaidya is powered by artificial intelligence. To answer you, your messages and related context are processed by our AI model provider(s). We do not sell your personal data.
- Sharing. We share personal data only with service providers who help us run the Service, with app stores and payment processors, where the law requires, and in a business transfer. Each is described in Section 8.
- Your choices. You can access, correct, export and delete your personal data — including deleting your whole account from within the app. See Sections 13–14.
- Deletion. When you delete your account we delete your data from every system we control, and we commit to completing this within 30 days. One narrow exception (error-monitoring data) is explained in Section 11.
- Children. The Service is for adults aged 18 and over only.
- Contact. Privacy questions, requests and Data Protection Officer: legal@innerveda.app.
3. The personal data we collect
We collect the categories of personal data set out in the table below. Categories A–F mirror the data-deletion inventory in our internal DPDP deletion brief; categories G–I are additional categories we collect to operate the Service.
| # | Category | What it includes | Why we collect it |
|---|---|---|---|
| A | Account data | The name or display name you choose to give; your email address or, if you use social sign-in, the identifier from Apple or Google; a securely hashed password (only if you do not use social sign-in); your timezone and language; push-notification token references; and a device-session record used to keep one active device signed in per account. | To create, secure and operate your account, to authenticate you, and to contact you about the Service. |
| B | Wellbeing focus, logs and practice records | The wellbeing focus you choose (such as sleep, stress, digestion, energy, eating better, or general curiosity); the daily check-ins and ratings you submit; which practices you complete; your progress and protocol stage; and the nudges and insight cards the Service generates for you. | To deliver and adapt your personalised journey and to show you your progress. |
| C | Body Type Assessment data | Your answers to the Body Type Assessment and your resulting body type (Vata, Pitta or Kapha). If you retake the assessment, we keep the earlier result as well. | To provide guidance personalised to your body type. |
| D | Your conversations with Vaidya | Your chat messages, reflections and questions to Vaidya — which may include free text about your mood, physical state, lifestyle, personal life or health — together with the conversation history and the AI-generated "memory" derived from your conversations so that Vaidya can recall context over time. | To enable Vaidya to respond to you and to personalise its guidance across sessions. |
| E | Safety records | InnerVeda runs an automated safety check on messages sent to Vaidya. Where that check identifies a message that may describe distress warranting escalation, we create a safety record containing: a non-reversible, hashed identifier derived from your account; the safety categories and confidence assigned; the suppressed Vaidya response; the identifier of the escalation message shown to you; and a short (truncated) excerpt of the message that triggered the check. | To detect and respond to situations that may involve a risk to your life or immediate health or that of others, and to audit the safety system. |
| F | Generated audio | Personalised audio we create for you, such as Vaidya voice responses and meal-plan audio briefings. | To deliver the audio features you turn on or request. |
| G | Device, technical and usage data | Device model and operating system; app version; device and installation identifiers; IP address; approximate location inferred from IP address; language and timezone; crash, diagnostic and error data; and in-app activity and analytics events (such as screens viewed and features used). | To operate, secure, troubleshoot, measure and improve the Service. |
| H | Subscription and purchase data | Your free-trial status, your plan, your entitlement and access status, and your purchase and renewal history. Payments are processed by the Apple App Store or Google Play — we do not receive or store your full card or bank details. | To manage your free trial, subscription, entitlements and access to paid features. |
| I | Communications | The content of emails, support requests and other messages you send us, and our correspondence with you. | To respond to you, provide support and keep records of our communications. |
We may also create de-identified or aggregated data (data that no longer identifies you) from the categories above — for example, statistics about how features are used. We may use and share de-identified and aggregated data for any lawful purpose, and we do not attempt to re-identify it.
We do not intentionally collect more data than we need, and we do not ask for special categories of data we do not use (for example, we do not ask for your government identity documents).
4. Health-related and sensitive information
Some information you choose to share with the Service may relate to your health or wellbeing — for example, how you describe your sleep, mood, digestion or energy, your wellbeing goals, your Body Type Assessment answers, and what you tell Vaidya. Some of this information may be treated as sensitive personal data or special category data under the laws that apply to you.
Please understand:
- InnerVeda is a wellness and educational service. It is not a healthcare provider, it does not provide medical advice, diagnosis or treatment, and it does not create or hold medical records.
- We collect health-related information only because you choose to share it so that the Service can personalise your wellbeing guidance.
- Where the law that applies to you requires it, we rely on your explicit consent to collect and use health-related or sensitive information, and you can withdraw that consent at any time by deleting the relevant content or your account (see Section 14).
- We apply additional care to this information, including the security measures in Section 12, and we do not use it for advertising.
Please do not share more sensitive information than you are comfortable sharing. You can use most of the Service without volunteering health details.
5. How we collect your personal data
We collect personal data in three ways:
- Directly from you — when you create an account, take the Body Type Assessment, choose a wellbeing focus, complete practices, chat with Vaidya, contact support, or otherwise use the Service.
- Automatically from your device — when you use the Service, we and our analytics and error-monitoring providers automatically collect device, technical and usage data (category G), using cookies, SDKs and similar technologies (see Section 16).
- From third parties — when you choose social sign-in, we receive a sign-in identifier (and, if you allow it, your email) from Apple or Google; and we receive subscription and purchase data from the Apple App Store, Google Play and our subscription-management provider.
6. How and why we use your personal data
We use your personal data for the following purposes:
- To provide the Service — create and maintain your account, deliver the Body Type Assessment, your personalised journey, Personalised Meal Plans, Breathing & Meditation sessions, Programmes and Vaidya.
- To personalise your experience — adapt guidance, practices, meal plans and Vaidya's responses to your body type, your chosen focus and the information you have shared.
- To operate Vaidya and AI features — process your messages and context to generate responses, maintain Vaidya's memory of relevant context, and generate personalised audio (see Section 7).
- To keep the Service and people safe — run automated safety checks, detect and respond to situations that may involve a risk to life or immediate health, and prevent, detect and investigate fraud, abuse, security incidents and prohibited use.
- To manage payments — administer your free trial, subscription, renewals, entitlements and access to paid features.
- To communicate with you — send you service, security, transactional and account messages; respond to your requests; and, where you have not opted out (or have opted in, where required), send you tips and offers about the Service. You can opt out of marketing messages at any time.
- To support you — respond to questions, troubleshoot problems and handle complaints.
- To improve the Service — measure how the Service is used, diagnose errors and crashes, conduct research and analytics, and develop new and improved features.
- To comply with law and protect rights — meet our legal and regulatory obligations, respond to lawful requests from authorities, and establish, exercise or defend legal claims.
The legal bases on which we rely to use your personal data depend on where you live and are set out in Section 20.
7. Vaidya, AI features and automated processing
Vaidya is InnerVeda's AI wellness companion. Because the Service is AI-first, we want to be especially clear about how AI processes your data.
- AI processing. When you interact with Vaidya, your messages and related context (such as your body type, chosen focus and relevant memory) are processed using artificial-intelligence models in order to generate a response. We currently use Anthropic's Claude AI models to power Vaidya, and your messages are transmitted to Anthropic for that purpose. We may, at any time and without prior notice to you, change the AI model provider(s) we use, use more than one provider, or host open-source AI models on our own infrastructure. Any such change will continue to comply with this policy.
- Vaidya's memory. To make guidance feel continuous, the Service creates and stores an AI-generated "memory" derived from your conversations and activity (category D). You can clear this by deleting your conversations or your account.
- Generated audio. Where you turn on or request audio features, text is sent to a voice-synthesis provider to generate personalised audio (category F).
- Training. We do not sell your personal data. We instruct our AI model provider(s) not to use your data to train their models, and we do not use your conversations with Vaidya to train any general-purpose AI model for any third party. We may use de-identified or aggregated information, and aggregated quality signals, to evaluate and improve Vaidya, the prompts we use, and the Service.
- Automated safety checks. Every message you send to Vaidya is automatically screened by a safety classifier. If it identifies a message that may describe distress warranting escalation, Vaidya's response is replaced with a fixed message that may include helpline information, and a safety record is created (category E). This is an automated process designed to protect you; it does not produce legal effects concerning you or similarly significantly affect you.
- AI is not a person and can be wrong. Vaidya is software, not a human, not a doctor and not a licensed practitioner. AI-generated content can be inaccurate, incomplete or inappropriate. Vaidya does not provide medical advice. Please read the wellness and AI disclaimers in our Terms of Service.
8. When and with whom we share personal data
We do not sell your personal data. We do not share your personal data for cross-context behavioural or targeted advertising.
We share personal data only as described below.
8.1 Service providers (processors / sub-processors). We share personal data with trusted companies that process it on our behalf and on our instructions, under contracts that require them to protect it and to use it only to provide their services to us. As at the date of this policy, our principal service providers are:
| Provider | What they do for us | Personal data they receive |
|---|---|---|
| Supabase | Hosts our database, manages account authentication, and stores files including generated audio | Categories A–I |
| Anthropic (Claude) | Generates Vaidya's responses to your messages | Your messages and context sent to Vaidya (category D), and related profile context |
| Langfuse | AI observability and tracing for quality and safety monitoring | A pseudonymous hashed identifier, and the prompts and responses of AI interactions |
| PostHog | Product analytics | Device, technical and usage data (category G) keyed to your account identifier |
| Sentry | Crash and error monitoring | Error and diagnostic data, request metadata, and in some cases your account identifier (see Section 11) |
| RevenueCat | Subscription and entitlement management | Subscription and purchase data (category H) and an app-user identifier |
| Resend | Sends transactional and account emails (e.g. email verification, account-link confirmation) | Your email address and the content of those emails |
| Google Workspace | Hosts our business email and support inbox (for example, when you write to legal@innerveda.app) | Your email address and the content of your correspondence with us |
| Expo (Expo Application Services) | App build delivery and push-notification routing | Push-notification tokens and device identifiers |
| DigitalOcean | Cloud hosting for our backend application servers (Singapore region) | Personal data in transit and during processing |
| Vercel | Hosts our website (innerveda.app) and handles website analytics | Website visit data; any information you submit through the website (such as your email when starting a Body Type Assessment online) |
This list may change as the Service evolves. We may, at any time and without prior notice to you, change a service provider — including to host equivalent services on our own infrastructure — provided that any new arrangement continues to comply with this policy. The current list of material service providers will be kept up to date and made available on request.
8.2 App stores and payment processors. The Apple App Store and Google Play distribute the app and process your payments and subscriptions. Their handling of your data is governed by their privacy policies. We receive purchase and subscription data from them but not your full payment-card details.
8.3 Social sign-in providers. If you choose to sign in with Apple or Google, those providers process the sign-in interaction under their own privacy policies.
8.4 Legal, safety and compliance. We may disclose personal data where we believe in good faith it is necessary to: comply with a law, regulation, legal process or enforceable governmental request; enforce our Terms of Service; detect, prevent or address fraud, security or technical issues; or protect the rights, property or safety of InnerVeda, our users or the public.
8.5 Business transfers. If Kompella Technologies is involved in a merger, acquisition, financing, reorganisation, or sale of all or part of its assets, personal data may be transferred as part of that transaction. We will require the recipient to honour this policy or notify you of any material change.
8.6 With your direction. We share personal data with others where you ask us to or otherwise direct us to.
9. International transfers of personal data
Kompella Technologies is based in Singapore, and our service providers operate in a number of countries, including the United States and the European Union. This means your personal data may be transferred to, stored in, and processed in countries other than the country where you live, and those countries may have data-protection laws that differ from yours.
When we transfer personal data across borders, we take steps to ensure it remains protected, including by using appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement / Addendum, and equivalent contractual or other lawful transfer mechanisms required by the laws that apply to you. You may request more information about these safeguards using the contact details in Section 19.
10. How long we keep your personal data
We keep your personal data for as long as your account is active and for as long as we need it for the purposes set out in this policy. When personal data is no longer needed, we delete it or irreversibly anonymise it.
When you delete your account, we delete your personal data from every system under our direct control. We commit to completing account deletion within 30 days of your request, and we aim to complete most deletions within 7 days. The data we delete on account deletion includes categories A–F (your account, Body Type Assessment, wellbeing logs and practice records, conversations with Vaidya, safety records, and generated audio), along with the corresponding analytics and AI-trace records held by our analytics and AI-observability providers. The one exception is error-monitoring data, explained in Section 11.
After deletion, we retain one minimal record of the deletion request itself — including the email address used to make the request, the date it was received and completed, and a technical summary of what was deleted. We keep this record so that we can prove we honoured your request and so we can re-run deletion if a future issue requires it. This record contains no content from your use of the Service — no conversations, no journal entries, no Body Type Assessment results and no logs.
We may also retain personal data for longer where we are required or permitted to by law, or where we need it to establish, exercise or defend legal claims, in which case we retain only what is necessary for that purpose.
11. Error-monitoring data (the one exception)
We use an error-monitoring provider (Sentry) to capture crashes and technical errors so we can fix them. Error-monitoring data may include your account identifier and the technical details of a request that was in progress when an error occurred (such as a request path). It does not include your conversations with Vaidya, your journal entries, your Body Type Assessment results or your wellbeing logs.
Our error-monitoring provider does not offer a way for us to delete a specific person's records on request. Instead, that data is automatically removed by the provider's standard retention process, which deletes records after 90 days. This means that, in a worst case, some error-monitoring data may persist for up to 60 days beyond our 30-day deletion commitment before the provider's automatic 90-day deletion removes it. This data is operational and technical, and materially less sensitive than the data we delete on schedule.
We disclose this exception both here and in the in-app screen you see when you delete your account, so that you are aware of it before you confirm deletion.
12. How we keep your personal data secure
We use technical and organisational measures designed to protect your personal data against loss, misuse, and unauthorised access, disclosure, alteration and destruction. These measures include encryption of data in transit (TLS) and encryption of data at rest, access controls and least-privilege access for our team, row-level security in our database, hashing of passwords and of certain identifiers, automated monitoring and logging, and regular security review.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You also play a part: please use a strong, unique password, keep it confidential, and contact us promptly at legal@innerveda.app if you believe your account has been compromised.
13. Your privacy rights
Depending on where you live, you may have some or all of the following rights in relation to your personal data:
- Access — to be told whether we process your personal data and to obtain a copy of it.
- Correction (rectification) — to have inaccurate or incomplete personal data corrected.
- Deletion (erasure) — to have your personal data deleted.
- Portability — to receive certain personal data in a portable, machine-readable format.
- Objection and restriction — to object to, or ask us to restrict, certain processing.
- Withdraw consent — to withdraw any consent you have given, at any time, without affecting processing already carried out.
- Opt out of marketing — to opt out of marketing communications.
- Non-discrimination — not to be treated unfairly for exercising your rights.
- Complain — to lodge a complaint with your data-protection regulator (see Sections 19 and 20).
Some of these rights are qualified, and we may decline a request where the law allows or requires us to — for example, where keeping data is necessary to comply with a legal obligation, or where a request affects another person's rights. We will tell you if that happens, and why.
How to exercise your rights is set out in Section 14. Region-specific rights and procedures are in Section 20.
14. How to access, correct, download or delete your data
- In the app. You can review and update much of your account information directly in the app's settings. You can delete your entire account and data from Settings → Privacy & data → Delete account. The app explains exactly what will be deleted before you confirm.
- By email. You can also make any privacy request — including access, correction, portability and deletion — by emailing legal@innerveda.app. Our Data Protection Officer is also reachable at that address.
We will verify your identity before acting on a request, respond within the time required by the law that applies to you, and complete account deletion within the 30-day commitment described in Section 10. You may use an authorised agent to make a request where the law allows; we may ask for proof of their authority.
We do not charge a fee for handling a request unless the law allows it (for example, for a manifestly unfounded or excessive request); if a fee applies, we will tell you first.
15. Children and age limits
The Service is intended for adults aged 18 and over. It is not directed to children, and we do not knowingly collect personal data from anyone under 18. If you are under 18, please do not use the Service or provide us with any personal data.
If we learn that we have collected personal data from a person under 18, we will delete it promptly. If you believe a person under 18 has provided us with personal data, please contact us at legal@innerveda.app.
16. Cookies, SDKs and similar technologies
The InnerVeda app and website use cookies, software development kits (SDKs) and similar technologies to operate the Service, keep it secure, remember your preferences, and measure and improve how it is used.
We group these into:
- Strictly necessary — required to run the Service, sign you in and keep it secure. These are always on.
- Analytics and performance — help us understand how the Service is used and diagnose errors.
Where the law that applies to you requires consent for non-essential technologies (such as analytics), we will ask for your consent and you can change your choice at any time in the app's settings or your device settings. We honour recognised browser privacy signals (such as Global Privacy Control) on our website where required.
17. Third-party links and services
The Service may contain links to third-party websites, content or services that we do not own or control — including links that open inside an in-app browser. This policy does not apply to those third parties. We are not responsible for their content or their privacy practices, and we encourage you to read their privacy policies.
18. Changes to this policy
We may update this policy from time to time to reflect changes to the Service, our data practices, or legal requirements. When we make a material change, we will take reasonable steps to notify you in advance — for example, by an in-app notice or by email — before the change takes effect. The "Last updated" date at the top of this policy shows when it was last revised. Your continued use of the Service after a change takes effect means you accept the updated policy, except where your consent is required, in which case we will ask for it.
19. How to contact us and make a complaint
For any privacy question, request or concern, contact:
Kompella Technologies Pte. Ltd. (UEN 202437801Z) 68 Circular Road, #02-01, Singapore 049422 Privacy enquiries, requests and Data Protection Officer: legal@innerveda.app
We take complaints seriously. If you are not satisfied with our response, you also have the right to complain to your data-protection regulator — see Section 20 for the regulator in your region.
20. Region-specific terms
If you live in one of the regions below, the following additional terms apply to you and, in the event of any conflict with the rest of this policy, prevail.
20.1 European Economic Area (EEA) and United Kingdom — GDPR / UK GDPR
Controller. Kompella Technologies Pte. Ltd. is the controller of your personal data.
Legal bases. We process your personal data on the following legal bases:
| Purpose | Legal basis (GDPR Article 6) |
|---|---|
| Creating and operating your account; delivering the Service and paid features you have subscribed to | Performance of a contract with you (Art. 6(1)(b)) |
| Personalising the Service; analytics; product improvement; security, fraud prevention and protecting the Service | Our legitimate interests, where not overridden by your rights (Art. 6(1)(f)) |
| Health-related and other sensitive information you choose to share; non-essential cookies and SDKs; marketing where consent is required | Your consent (Art. 6(1)(a)), and for health-related data your explicit consent (Art. 9(2)(a)) |
| Automated safety checks and responding to situations that may involve a risk to life or immediate health | Protecting the vital interests of you or another person (Art. 6(1)(d); Art. 9(2)(c) where relevant) |
| Complying with our legal obligations and establishing, exercising or defending legal claims | Legal obligation (Art. 6(1)(c)); legitimate interests / Art. 9(2)(f) |
You can withdraw consent at any time without affecting processing already carried out. Where we rely on legitimate interests, you may object (see below).
Your rights. In addition to the rights in Section 13, you have the right to object to processing based on legitimate interests, the right to restrict processing, and the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not make such decisions about you.
International transfers. See Section 9. We rely on the European Commission's Standard Contractual Clauses and the UK Addendum for transfers out of the EEA and the UK.
Complaints. You may lodge a complaint with your local Data Protection Authority; in the UK, the Information Commissioner's Office (ICO).
20.2 United States
California (CCPA / CPRA). In the 12 months before the "Last updated" date, we collect the categories of personal information described in Section 3, which map to the following CCPA categories: identifiers; customer records; commercial information; internet or other electronic network activity; geolocation data (approximate, from IP address); audio information; and inferences. Some of this is sensitive personal information (such as account credentials and health-related information).
- We do not "sell" your personal information, and we do not "share" it for cross-context behavioural advertising, as those terms are defined under California law.
- We do not use or disclose sensitive personal information for purposes other than those permitted by California law.
- You have the right to know, access, correct and delete your personal information, the right to opt out of sale/sharing (not applicable, as we do not sell or share), the right to limit the use of sensitive personal information, and the right not to receive discriminatory treatment for exercising your rights.
- To exercise these rights, use the methods in Section 14. We will not discriminate against you for doing so.
Other US states. If you live in a US state with a comprehensive privacy law (such as Virginia, Colorado, Connecticut, Utah, Texas, Oregon and others), you have similar rights to access, correct, delete and obtain a copy of your personal data, and to opt out of targeted advertising and "sales" — which we do not engage in. Use the methods in Section 14 to exercise these rights.
20.3 Singapore — Personal Data Protection Act (PDPA)
Kompella Technologies is incorporated in Singapore and complies with the Personal Data Protection Act 2012.
- We collect, use and disclose your personal data with your consent (including deemed consent where permitted) or as otherwise authorised or required under the PDPA, for the purposes in Section 6.
- You may withdraw consent on reasonable notice, request access to and correction of your personal data, and we will respond as required by the PDPA.
- We have appointed a Data Protection Officer, contactable at legal@innerveda.app, who is responsible for ensuring our compliance with the PDPA.
- If you are not satisfied with how we have handled your personal data, you may contact our Data Protection Officer and, if still unsatisfied, lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore.
20.4 India — Digital Personal Data Protection Act, 2023 (DPDP)
For users in India, we process your personal data in accordance with the Digital Personal Data Protection Act, 2023.
- We are the Data Fiduciary for your personal data. We process it on the basis of your consent, given when you create your account and agree to this policy, and on the limited "legitimate uses" the DPDP permits (such as responding to situations involving a threat to life or immediate health).
- You may withdraw your consent, and you have the right to access, correction and erasure of your personal data, the right to grievance redressal, and the right to nominate another person to exercise your rights in the event of your death or incapacity.
- To exercise these rights or raise a grievance, contact our Data Protection Officer at legal@innerveda.app. If your grievance is not resolved, you may approach the Data Protection Board of India.
- Our account-deletion mechanism and our 30-day deletion commitment are described in Sections 10–11 and in our internal DPDP deletion brief.
20.5 Other countries
If you live elsewhere — for example, in Australia, Canada, or another country with a data-protection law — you may have similar rights to access, correct and delete your personal data and to complain to your local regulator. Please use the contact details in Section 19, and we will handle your request in accordance with the law that applies to you.
Version privacy-v1.0-2026-05-24