Privacy Policy
Effective: 11 June 2026 · Notice version 2026-06-11.v1
Compliant with India's Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025.
1. Who we are (the Data Fiduciary)
AstroKaal is published by ProGen Labs ("we", "us", "our"). For the purposes of the Digital Personal Data Protection Act, 2023 (the "DPDP Act"), ProGen Labs is the Data Fiduciary in respect of personal data you provide while using the AstroKaal app (com.progenlabs.AstroKaal) or the AstroKaal website.
2. Use by individuals below 18 (children)
Under the DPDP Act, an individual below 18 years of age is a "child". If you are below 18, you must have permission from your parent or legal guardian to use AstroKaal, and that permission constitutes the consent we rely on to process your personal data.
We are in the process of implementing a verifiable parental consent mechanism in advance of the DPDP Rules' full enforcement on 13 May 2027. Once that mechanism is in place, we will require a parent or legal guardian to verify their identity and confirm consent before we process any personal data belonging to a person below 18.
Parents and guardians who believe their child has signed up without their consent, or who wish to access, correct or delete personal data we hold about their child, may contact the Grievance Officer (Section 11 of this policy) at any time, and we will act on the request within 30 days.
We do not target advertising at children, we do not track or monitor children, and we do not process children's personal data in any manner likely to cause detrimental effect on their well-being, in accordance with Section 9 of the DPDP Act.
3. What personal data we collect
3.1 Identity & sign-in
- Phone number (when you sign in with phone OTP) or email address (when you sign in with Google).
- A Firebase Authentication user ID, used internally to identify your wallet and reports.
- Display name and profile picture URL, when provided by Google sign-in.
3.2 Birth details you enter
- Your full name, date of birth, time of birth, place of birth (with derived latitude, longitude, and timezone).
- Optional: gender (used by certain astrology calculations).
- Optional: partner details if you add a partner for Kundali-matching or Love Astrologer chats.
3.3 Wallet, recharges and rewards
- Wallet balance, recharge history, deduction history, referral history.
- Purchases happen via Google Play Billing — your card or UPI details never reach AstroKaal. We receive only the purchase token from Google and use it to verify the purchase server-side.
3.4 AI chats and reports you request
- Chat content (your messages and the AI's replies) is not stored on our servers. It lives only on your device's local storage and within OpenAI's short-term processing window (approximately 30 days).
- Reports (Kundali, Nadi, Laal Kitab, Panchang, predictions) are not stored server-side either — they are recomputed on demand from your birth details and returned to your device.
- Optional ratings and free-text feedback you submit at the end of a chat session.
3.5 Numerology inputs
- Optional alternate names and phone numbers you submit for numerology readings.
- Processed in memory to compute the report, returned to you, and stored alongside the saved report.
3.6 Palm photos
- Held in memory only for the duration of a single analysis request, sent to Google Gemini for AI vision interpretation, then dropped.
- We never store palm photos in Firestore, Cloud Storage, or any persistent server location.
3.7 Diagnostics
- App crash reports (Firebase Crashlytics).
- Aggregated event counts (Firebase Analytics): which screen was opened, which feature was used. Chat content, report content, and personally identifying information are never captured in analytics events.
- Firebase installation ID, used to attribute crashes and analytics to a device.
3.8 Push notification tokens
- Firebase Cloud Messaging device tokens, used solely to deliver the daily horoscope notification and account-related messages you opted into. Tokens are stored against your account and removed when you sign out, uninstall the app, or disable notifications.
4. What we do not collect
- Real-time GPS location.
- Your contacts, SMS, microphone, calendar, or camera roll. The camera is accessed only when you actively take a palm photo and we do not enumerate other photos.
- Payment-instrument data such as card numbers or UPI handles — these stay with Google Play.
- Biometric data, government identifiers (Aadhaar, PAN), or any data classed as "sensitive" under earlier Indian privacy guidelines.
5. Why we use your data — itemised purposes
We process the data above for the following specific purposes, each with the lawful basis under Section 4 of the DPDP Act on which we rely:
| Purpose | Data used | Lawful basis |
|---|---|---|
| Create and operate your account | Sign-in identifiers, display name | Consent (and necessary for the contract you enter when signing up) |
| Compute your Kundali, predictions and panchang | Birth details | Consent |
| Personalise AI astrologer chat responses | Birth details + your message text (transient) | Consent |
| Process wallet recharges, deductions and the Plus subscription | Wallet ledger, Google Play purchase token | Necessary for the contract |
| Send the daily horoscope and re-engagement push notifications you opted into | FCM token, natal moon sign | Consent (you can disable in Profile › Push Notifications) |
| Detect crashes and improve service quality | Anonymised diagnostics | Legitimate use under DPDP Section 7(b) |
| Detect and prevent abuse, fraud and policy violations | Sign-in identifiers, request metadata | Legitimate use under DPDP Section 7(c) |
| Comply with Indian tax law | Anonymised payment records keyed only to Google order ID | Legal obligation under the Income Tax Act and GST Act |
6. Third-party data processors
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Google Firebase | Authentication, Firestore database, Crashlytics, Analytics, App Check, Cloud Messaging | Sign-in identifiers, birth details, wallet ledger, FCM token, anonymised crash + event data | asia-south1 (Mumbai) for Firestore data, multi-region for Auth and Crashlytics |
| Google Cloud Run | API server hosting | API request payloads in transit; logs are retained for up to 90 days then deleted | us-central1 (Iowa, USA) |
| Google Play Billing | Payments | Purchase tokens issued by Google for server verification | Multi-region |
| OpenAI | AI astrologer chat responses; LLM-generated narrative sections of Nadi, Laal Kitab, Panchang summary and daily horoscope | Your chat message + your birth-chart context per request; not retained by us, retained by OpenAI for up to 30 days per their data policy | USA |
| Google Gemini API | Palm-photo analysis | Palm photo per request (not retained by us) | USA |
| Google Geocoding API | Resolving "place of birth" to latitude/longitude | Place name string | Multi-region |
We do not sell your personal data and we do not use it for advertising. We do not share your data with anyone other than the processors above, which are necessary to run the service.
7. Cross-border transfers
Some of the processors above are located outside India (primarily the United States, where Cloud Run and the OpenAI / Gemini APIs are hosted). Transfers to these countries are made on the basis of the contractual safeguards each provider offers (Google Cloud's Data Processing Addendum and OpenAI's Data Processing Addendum), which include obligations equivalent to those you would expect under Indian law. As of the effective date of this notice, the Central Government has not notified any country as restricted under Section 16 of the DPDP Act.
8. How long we keep your data (retention)
- Account-bound data (profile, birth details, wallet ledger): retained for as long as your account is active. After 24 months of no activity, the account is automatically flagged for soft deletion (described below).
- Soft deletion grace window: when you (or our inactivity policy) request deletion, we retain your data for a 30-day grace window during which you can sign back in to cancel. After 30 days, all personal data is permanently purged from our active stores.
- Server request logs: retained for up to 90 days, then deleted.
- Anonymised payment records: retained for up to 7 years as required by Indian tax law (Income Tax Act, GST Act). These records contain only the Google Play order ID, amount and date; they do not contain your name or contact information.
- Diagnostic data (crashes, analytics): retained per Firebase's default policy (currently 14 months for analytics, 90 days for Crashlytics).
9. Your rights under the DPDP Act
You have the following rights, exercisable at any time:
- Right to information about processing (Section 11). This document is that information. It is updated as our practices change; a notice is shown in the app on first launch after any material change.
- Right to access and correction (Section 11). The Profile menu in the app shows your birth details and lets you edit them. To download a complete machine-readable export of everything we hold about you, open Profile › Privacy & Data › Download my data — the export covers your profile, wallet, transactions, ratings, referrals and consent history.
- Right to erasure (Section 12). Open Profile › Privacy & Data › Delete my account. Deletion is processed with a 30-day grace window as described above.
- Right to withdraw consent (Section 6(4)). You can stop the app sending you push notifications at any time from Profile › Push Notifications. To withdraw the broader consent you gave at sign-up, delete your account using the path above — this withdraws consent and erases the data it covered.
- Right to grievance redressal (Section 13). Contact our Grievance Officer (see Section 11 of this policy) and we will respond within 30 days. If unresolved, you may approach the Data Protection Board of India.
- Right to nominate (Section 14). You may nominate another individual to exercise these rights on your behalf in the event of death or incapacity. Write to the Grievance Officer to record a nomination.
10. Security measures
- All client–server traffic is HTTPS (TLS 1.2+).
- Firebase App Check verifies that requests come from the genuine, signed AstroKaal app.
- The wallet ledger is server-authoritative — balance changes only via atomic Firestore transactions and cannot be tampered with from the client.
- The Android signing key is stored offline and never committed to source control.
- Access to production databases is restricted to authorised ProGen Labs personnel via Google IAM with multi-factor authentication.
- We have an internal breach-response procedure that requires us to assess and, if a personal-data breach is confirmed, notify the Data Protection Board of India and affected users within 72 hours of becoming aware, in compliance with Section 8(6) of the DPDP Act.
11. Grievance Officer
Under Section 8(9) of the DPDP Act, the following contact is designated for grievance redressal in respect of personal-data processing by AstroKaal:
AstroKaal Grievance Team
Email: grievance@astrokaal.com
Response SLA: 30 days from receipt of grievance
You may also reach us via Profile › Privacy & Data › Email Grievance Officer in the app, which opens a prepared email with the right subject line.
12. Changes to this policy
If this policy materially changes, we will display a notice in the app on the next launch after the change and you will be asked to acknowledge the updated version. The notice version string at the top of this page changes with every revision; past versions are available on request from the Grievance Officer.
13. Contact
For general support: support@astrokaal.com.
For DPDP grievances: grievance@astrokaal.com.