Device Information: Browser type, operating system (for compatibility)
Cookies: Essential cookies for authentication, optional analytics cookies (with consent)
IP Address: For security, fraud prevention, and localized emergency resources
1.3 Information Imported from Other Platforms
If you migrate data to Asha from another application or service at your direction, we process that imported data under the same protections described in this policy. Imported data is stored in your isolated user environment and is subject to the same retention, deletion, and access controls as data created natively on Asha. We do not retain copies of data from third-party platforms beyond what is necessary to complete the migration.
1.4 Sensitive Personal Data (Special Categories)
Health information is considered sensitive personal data under GDPR and similar laws. We process this data only with your explicit consent and for the purpose of providing personalized health guidance.
2. HOW YOUR INFORMATION IS PROCESSED
2.1 AI Processing (No Humans)
Important: Your data is processed by AI software only. No humans read your conversations, review your health data, or monitor your sessions in real time.
Your information is used by AI to:
Provide personalized health guidance based on your context
Maintain conversation continuity across sessions
Improve response accuracy and relevance
2.2 Automated Processing
Asha uses a combination of on-premise inference infrastructure and third-party AI services, all operating under zero data retention (ZDR) agreements or equivalent data isolation guarantees. This includes:
Language Models: AI inference providers under zero data retention agreements for response generation
Knowledge Retrieval: Sovereign vector database infrastructure for evidence-based information lookup
Session State: In-memory storage for conversation continuity
2.3 Legal Basis for Processing (GDPR Article 6 & 9)
We process your data under the following legal bases:
Contract (Article 6(1)(b)): To provide the Service you requested when you created your account
Explicit Consent (Article 9(2)(a)): For processing health data, including any data imported or migrated from third-party platforms at your direction
Legitimate Interests (Article 6(1)(f)): For security, fraud prevention, and service improvement
Legal Obligation (Article 6(1)(c)): Where required by law
You may withdraw consent at any time by contacting us or using in-app controls. Withdrawal does not affect the lawfulness of processing before withdrawal.
2.4 What We Do NOT Do
We will NEVER:
Sell your health data to third parties
Share your information with advertisers
Use your data to market pharmaceutical products
Allow commercial interests to influence medical guidance
Have humans review your conversations without explicit consent
Use your data to train AI models without explicit opt-in consent
Use dark patterns, pre-checked boxes, or confusing language to obtain consent
2.5 Research Contribution Program (Voluntary)
You may choose to contribute de-identified health conversations to improve Asha for future users. This program is:
Opt-In Only: Default is OFF. You must affirmatively enable it.
De-Identified: Protocols remove all identifying information
Revocable: Withdraw consent anytime; data removed within 30 days
Transparent: Preview your contribution before opting in
Asha works identically whether you contribute or not. Your choice has no impact on service quality or features.
3. DATA SECURITY
3.1 Encryption
In Transit: TLS 1.3 encryption for all data transmission
At Rest: Infrastructure-level encryption for stored data
3.2 Access Controls
Role-based access with audit logging
Secure authentication via Auth0 with JWT token management
Regular security assessments and vulnerability monitoring
Off-site backups with geographic redundancy
4. DATA RETENTION AND DELETION
Your conversation history and health profile are retained to provide continuity of care. You may request deletion of your data at any time by contacting us.
4.1 Retention Periods
Account Data: Retained until account deletion
Conversation History: Retained until account deletion or explicit request
Usage Logs: 90 days for security and debugging purposes
Security & Authentication Logs: 1 year for fraud detection and incident response
Audit Logs: 7 years where required by applicable financial, tax, or regulatory obligations
All retained data is stored on secured primary infrastructure with off-site backups. Backup copies follow the same retention schedule and are purged within 30 days of the primary data's deletion.
4.2 Deletion Rights
Under GDPR (EU/EEA), DPDP Act (India), and CCPA/CPRA (California), you have the right to request complete deletion of your personal data. Contact [email protected] to exercise this right. We will respond within:
GDPR: 30 days
CCPA: 45 days
DPDP Act: 30 days
5. DATA BREACH NOTIFICATION
In the event of a data breach that affects your personal data, we will:
Notify affected users within 72 hours of discovery
Report to relevant supervisory authorities as required by law
Provide details of the breach, potential impact, and remedial measures
Offer guidance on protective steps you can take
6. CHILDREN'S PRIVACY & MINOR SAFETY
Asha is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact us immediately at [email protected] and we will delete it promptly.
Users between 13 and 17 may use the service with verifiable guardian consent. For minor users, the following safeguards apply:
AI guidance will not recommend caloric restriction, fasting protocols, or body weight targets for users under 18
Health content is presented in the context of well-being and education, never aesthetic goals
If the system detects language or patterns consistent with disordered eating, self-harm, or body dysmorphia, it will provide evidence-based resources and encourage the user to speak with a trusted adult or healthcare provider
Minor users are encouraged to discuss health topics with a parent, guardian, or trusted adult
7. VOICE FEATURES
Asha may offer voice-based interaction including speech-to-text and text-to-speech. When you use voice features:
Audio is processed in real time by our voice processing providers under data processing agreements with zero data retention
Audio recordings are not stored by DNAi Systems or our providers after processing is complete
The resulting text transcription is treated the same as typed input under this policy
You can disable voice features at any time in your settings
8. COOKIES
8.1 Essential Cookies
Required for authentication and session management. Cannot be disabled.
8.2 Analytics Cookies
Optional cookies to help us understand usage patterns and improve the service. You can accept or decline these via the cookie banner.
8.3 No Tracking, No Data Brokers, No Advertising
Asha is built on a fiduciary model. To be explicit:
We do not share your data with third-party data brokers. Ever. Your health information, conversations, uploads, and identity are not sold, rented, or transferred to any data broker, ad network, or marketing company.
We do not link your data with third-party data for marketing or advertising purposes. Asha is not an advertising-supported product. We do not run, host, or embed advertising. We do not build advertising profiles.
We do not use cookies or web content for cross-site tracking. When you view web content inside Asha (mobile app or web), no cookies are collected for tracking purposes by Asha or any service we route through. Cookies are limited to authentication, session management, and (with your explicit consent) first-party analytics.
We do not implement Apple's App Tracking Transparency (ATT) prompt because we do not engage in any activity that would require one. There is no SDK in our app that tracks users across other companies' apps or websites.
If this ever changes, this policy will be updated and you will be notified before any new collection or sharing begins.
9. THIRD-PARTY SERVICES
Asha uses third-party service providers in the following categories. Specific providers may change over time; we maintain data processing agreements with all processors and will update this section as material changes occur:
Authentication: Identity verification and single sign-on
AI Inference: Language model processing under zero data retention agreements
Medical Literature: Retrieval of peer-reviewed research (queries only, no personal data transmitted)
Voice Processing: Speech-to-text and text-to-speech under data processing agreements with zero data retention
Content Delivery & Security: CDN, DDoS protection, and edge security
Typography & Assets: Web font delivery (your IP address may be shared with the font provider when fonts load)
A current list of specific sub-processors is available upon request by contacting [email protected].
9.1 Data Location
Your health data is stored on DNAi Systems' sovereign infrastructure in the United States. We do not use shared cloud databases for your personal health information.
9.2 International Data Transfers
If you access Asha from outside the United States, your data may be transferred to and processed in the United States. We protect such transfers through:
Standard Contractual Clauses (SCCs): EU-approved data transfer mechanisms
Data Processing Agreements: With all third-party processors
By using Asha, you consent to the transfer of your data to the United States, where data protection laws may differ from your jurisdiction.
10. YOUR RIGHTS
You have the right to:
Access: Request a copy of your personal data
Rectification: Correct inaccurate information
Erasure: Request deletion of your data ("right to be forgotten")
Portability: Receive your data in a machine-readable format
Object: Opt out of certain data processing
Restriction: Request limited processing while a dispute is resolved
Withdraw Consent: Revoke previously given consent at any time
Non-Discrimination: Exercise your rights without penalty to your service
EU/EEA users have rights under the General Data Protection Regulation (GDPR). California users have rights under the California Consumer Privacy Act (CCPA/CPRA). India users have rights under the Digital Personal Data Protection Act (DPDP Act).