Legal

Privacy Policy

How we collect, store, and protect your personal data

Last updated: April 2025

1. Overview

This Privacy Policy ("Policy") describes how HMM Wellness ("we", "our", "the Company") collects, uses, stores, and shares information about you when you use the HMM Wellness mobile application ("App") and website at hmmwellness.com ("Site"). This Policy applies to all users regardless of subscription tier.


By using our App or Site, you agree to the collection and use of information as described in this Policy. If you do not agree, please discontinue use of the App.


We will notify you of material changes via in-app notification or email at least 14 days before they take effect.

2. Data We Collect

Account Information: Name, email address, mobile number, profile photo, and date of birth when you register.


Health and Wellness Data: Meditation session records, Japa Mala counts, sleep logs, diet entries, food photos for scanning, wellness scores, and exercise data. This is special category sensitive data under the DPDP Act.


Panchang and Location: Your city/region to calculate accurate Panchang data (Tithi, Nakshatra, Muhurat, sunrise/sunset). We collect city-level location only — not precise GPS coordinates.


Device Information: Device model, operating system version, app version, crash reports, and anonymised usage analytics to improve app performance.


Payment Information: We do not store full payment card details. Payments are processed by Razorpay (for Indian users). We receive only the transaction reference, plan ID, and amount.


Communication Data: Emails, support tickets, and in-app feedback messages you send us.

3. How We Use Your Data

We use your data to:

- Provide and personalise the HMM Wellness experience

- Calculate your daily Panchang, Wellness Score, and AI-powered recommendations

- Process subscription payments and manage your account

- Send appointment reminders, streak notifications, and product updates (with your consent)

- Conduct anonymised research to improve our algorithms

- Comply with legal obligations under Indian law

- Detect and prevent fraud and abuse


We will never use your health data for advertising targeting, sell your data to data brokers, or share your data with employers or insurers.

4. Data Storage and Security

All user data is stored on Supabase (PostgreSQL) hosted in the Asia South region (Mumbai, India). Health data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.


Sensitive health records (diet logs, meditation records, doctor consultation notes) are stored in a separate encrypted vault with restricted access controls. Access by Company staff requires documented business justification and is logged.


We retain your data for as long as your account is active. If you delete your account, your data is permanently deleted within 30 days, except where retention is required by law (e.g., payment records for 7 years under Indian tax law).


We hold ISO 27001 certification and conduct annual third-party security audits.

5. Data Sharing

We share data only in the following limited circumstances:


Service Providers: Supabase (database), Razorpay (payments), Firebase (push notifications), Cloudflare (CDN), Agora (live video). All providers are bound by data processing agreements with equivalent data protection standards.


Doctors and Coaches: If you book a consultation or class, the relevant professional receives only the information needed for that session (name, relevant health context you choose to share). They are bound by medical confidentiality obligations.


Legal Requirements: We may disclose information if required by law, court order, or government authority in India or another jurisdiction. We will notify you unless legally prohibited.


Business Transfers: In the event of a merger or acquisition, your data may transfer to the successor entity under the same privacy obligations.


We never share health data with third-party advertisers, data brokers, insurance companies, or employers.

6. Your Rights

Under the Digital Personal Data Protection Act 2023 (India) and GDPR principles, you have the right to:


Access: Request a copy of all personal data we hold about you (export within 14 days).

Correction: Correct inaccurate or incomplete data via Settings → Edit Profile.

Erasure: Delete your account and all associated data from Settings → Privacy → Delete Account.

Portability: Export your wellness data in JSON or CSV format from Settings → Export Data.

Withdraw Consent: Withdraw consent for non-essential data processing (analytics, personalisation) at any time from Settings → Privacy.

Opt-out of Marketing: Unsubscribe from marketing emails via the link in any email, or from Settings → Notifications.


To exercise these rights, contact us at privacy@hmmwellness.com. We will respond within 30 days.

7. Cookies and Analytics

The HMM Wellness website uses cookies for:

- Essential session management (cannot be disabled)

- Analytics via Vercel Analytics (anonymised, no cross-site tracking)


We do not use third-party advertising cookies. You can manage cookies through your browser settings. The mobile app does not use cookies; it uses device-local storage for session tokens.

8. Children's Privacy

HMM Wellness is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us at privacy@hmmwellness.com and we will delete it promptly.


Users between 13 and 18 require verifiable parental consent to use our health data features.

9. Contact & Grievance Officer

For privacy concerns, data requests, or to report a breach:


Data Protection Officer / Grievance Officer

Email: privacy@hmmwellness.com

Address: HMM Wellness Technologies Pvt. Ltd., [Registered Office], Bengaluru, Karnataka 560001, India


In accordance with the DPDP Act, you may file a complaint with us first. If unresolved, you may approach the Data Protection Board of India.

For questions, contact hello@hmmwellness.com