Dishaya / Privacy Policy

Privacy Policy

The shortest honest version: your words are not our data. Here is exactly what we store, what we never store, and why.

DRAFT FOR REVIEW · Effective date to be set on publication · [email protected]

This policy is a working draft prepared for founder and legal review. It describes the system accurately but is not yet in force.

What We Never Store

We also never train AI models on your content, and we never sell personal data. Both are permanent commitments, not current settings.

What We Store, And Why

DataWhyKept
Your email addressSign-in codes, receipts, service noticesUntil you delete your account
Research reports you createSo you can reopen them from your LibraryUntil you delete them or your account
Plan and usage countersTo meter monthly allowances fairlyRolling months
Payment records (amount, plan, date)Receipts, taxes, accountingAs law requires
Content-free service metadataQuality, cost, and reliability of answers (never the words of your prompts or answers)Aggregated over time

Research Uses The Web

When you run research or turn on web search, your question is sent to web search providers, and the public pages we then read receive an ordinary page request, because that is what finding sources means. We use privacy-respecting search infrastructure and never attach your identity to those queries. Regular chat without web search does not touch the internet beyond producing your answer.

Third Parties We Rely On

Model providers (to generate answers; they receive the prompt being answered, under contracts that forbid training on it), search services (for research), Stripe and Razorpay (payments), and our email service (sign-in codes). Each receives only what its job requires.

Local Mode

With the app's on-device engine, prompts and answers are processed entirely on your own hardware. Nothing about those conversations reaches us at all.

Your Rights

Email [email protected] to access, correct, export, or delete your data. Account deletion removes your email, reports, and counters within 30 days (payment records are kept as law requires). If you are in India, these rights align with the DPDP Act; if in the EU/UK, with the GDPR. We answer within 7 days.

Security

Sign-in codes are hashed, sessions are token-hashed, provider keys are encrypted at rest, and disclosure reports go to the address published at /.well-known/security.txt. No system is perfect; if a breach ever affects your data, we will tell you promptly and plainly.

Changes

Material changes are emailed at least 14 days in advance. The current version always lives at this address.