Privacy Policy

Patra is a premium, on-device health concierge application developed and operated by StartupManch Technologies Private Limited, incorporated under the Companies Act, 2013 and registered in India.

This Privacy Policy governs the collection, processing, storage, transfer, and deletion of your personal data in connection with your use of the Patra iOS application.

Contact: privacy@patra.startupmanch.world

We operate in compliance with:

• Digital Personal Data Protection Act, 2023 (DPDPA 2023) — India's primary data protection legislation • Information Technology (Amendment) Act, 2008 and rules thereunder • Apple HealthKit Framework Developer Agreements • General Data Protection Regulation (EU) 2016/679 (GDPR) — for EEA/UK-resident users

Where these frameworks impose conflicting obligations, we apply the standard most protective of your rights.

Health & Biometric Data (Highest Sensitivity) With your explicit consent via Apple's HealthKit permission dialogue, we read: Heart Rate Variability (HRV/SDNN), Resting Heart Rate, Active Energy Burned, Workout Records, and Sleep Analysis. We do not write health data to HealthKit. We never share, sell, or disclose Health Data to any third party.

Precise Location Data Location is processed transiently and exclusively on-device for venue recognition only. Raw GPS coordinates are never persisted to the Digital Vault, iCloud container, or any external server. Inference is architecturally blocked until you have dwelled at a location for a minimum of two (2) minutes.

Journal & Wellness Entries Stored in the Digital Vault, encrypted with AES-256-GCM using a key derived from your device's Secure Enclave. Optionally synchronised to your private iCloud Container when you enable CloudKit Sync. We never access this data.

Technical & Diagnostic Data Minimal anonymised telemetry: crash reports via Apple StoreKit (no PII), and anonymous usage events logged using an Anonymity Anchor (one-way hash of your Apple ID or device identifier).

If you enable CloudKit Sync, your data is synchronised to your personal, private Apple iCloud container (iCloud.in.patrahealth.patra). This container is associated with your Apple ID only and governed by Apple's iCloud Terms and Privacy Policy.

StartupManch Technologies Private Limited does not have access to your iCloud container. We cannot read, decrypt, or process data stored therein. Data synchronised via CloudKit is encrypted in transit (TLS 1.3) and at rest using Apple's encryption infrastructure, in addition to our own AES-256-GCM application-layer encryption.

We use no external analytics platforms, advertising networks, or data brokers. The only platform-level sharing is with Apple Inc.:

• Apple HealthKit — read permissions granted by you • Apple CloudKit (iCloud) — your private container sync (if enabled) • Apple StoreKit — anonymised crash reports only

We do not integrate with Google Analytics, Firebase, Mixpanel, Amplitude, Segment, Meta Pixel, or any equivalent tracking SDK.

• Health Data (HealthKit reads): Not retained — read transiently at inference time • Journal entries: Until you exercise your deletion right • Anonymised event logs: 90-day rolling window, then auto-deleted from Vault • Crash and diagnostic data: 30 days, Apple platform infrastructure • iCloud sync data: Until you delete from iCloud

We do not maintain any persistent server-side database of user Personal Data.

• AES-256-GCM encryption for all data at rest in the Digital Vault • Secure Enclave key derivation — keys bound to your device hardware and Face ID / Touch ID • No external API calls carrying Personal Data or Health Data • Certificate pinning for all HTTPS connections • Anonymity Anchor — all internal event logs reference data by one-way hash; no PII in logs • Dwell threshold enforcement — location inference blocked until 2-minute minimum dwell confirmed • Offline-first design — Service operates fully without network connectivity

Under DPDPA 2023 and applicable international law:

Right of Access: Export your journal via Settings → Advanced Sanctuary → Export My Journal.

Right to Correction: Edit journal entries directly within the application.

Right to Erasure ("Relinquish"): Settings → Advanced Sanctuary → Relinquish All Data. This purges all journal entries, preferences, event logs, HealthKit permission caches, and cached venue/ML model state. Cannot be reversed.

Right to Withdraw Consent: Revoke HealthKit or location access at any time via iOS Settings → Privacy & Security.

Right to Lodge a Complaint: Data Protection Board of India (once constituted), or your national DPA (EU/UK residents).

Data Controller / Grievance Officer: StartupManch Technologies Private Limited Email: privacy@patra.startupmanch.world

Response SLA: We will acknowledge your request within 72 hours and resolve it within 30 calendar days.

Effective Date: February 27, 2026 — Version 1.0 (Sattva Release)