Digital Personal Data Protection Act 2023

Who we are under the Act

Teravu (operated by K3hale Technologies Private Limited) is a Data Fiduciary under the DPDPA 2023. We determine the purpose and means of processing your personal data. We are not a Data Processor acting on behalf of another fiduciary.

We process personal data solely to provide the Teravu platform — eight pillars (Learn, Career, Wealth, Health, Relationships, Soul, Legacy, Joy) and associated platform services (Vault, Tools, News, Connectors, AI Model Hub). We do not sell, rent, or trade personal data.

Consent — how we collect and record it

Every cross-pillar data flow requires explicit, informed, specific, and unambiguous consent. Teravu records consent in a consent ledger — a tamper-evident log that captures:

• The precise data being shared (e.g., "Health ABHA records shared with Legacy handover packet")
• The purpose for which consent was granted
• The timestamp of grant
• The version of the privacy notice displayed at time of consent
• The expiry date (where applicable)

You can review all active consent records and revoke any individual consent at /account/privacy. Revocation is immediate. Where revocation affects a feature, you are shown exactly what functionality will change before confirming.

Data subject rights

To submit a Data Subject Access Request (DSAR), email [email protected] with subject line "DSAR — [your registered email]". We acknowledge within 48 hours and fulfil within 30 days.

Sensitive personal data

Under the DPDPA, certain categories require additional safeguards. Teravu handles the following as sensitive:

• Health and medical records (ABHA-linked, FHIR format, stored with AES-256-GCM encryption)
• Financial data (Sahamati Account Aggregator consent-gated, read-only)
• Biometrics (we do not collect biometrics. Aadhaar authentication uses DigiLocker's verified assertion — raw Aadhaar numbers are never stored)
• Mental health journal entries (AES-256-GCM encrypted, AI review opt-in only)
• Soul journal entries (AES-256-GCM encrypted, optional user-held second key)

Data breach notification

In the event of a personal data breach that is likely to result in harm to data principals, Teravu will:

1. Notify the Data Protection Board of India within 72 hours of becoming aware of the breach.
2. Notify affected users within 72 hours via their registered email, describing the nature of the breach, data affected, and steps taken.
3. Maintain a breach log for at least 3 years.

Data residency

All personal data processed by Teravu is stored on servers located in India. We use Railway (India region) for compute and Cloudflare for CDN edge caching of non-personal static assets only. No personal data is transferred outside India without explicit consent and a valid legal basis.

Data retention

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. On account deletion:

• Account data is soft-deleted immediately and purged after 30 days.
• Vault documents and pillar data are deleted within 30 days.
• Payment transaction records are retained for 7 years (Income Tax Act requirement).
• Audit logs are retained for 2 years.
• Consent ledger entries are retained for 3 years after revocation (to demonstrate prior lawful processing).

Grievance Officer