Privacy Policy

This Privacy Policy explains what personal data RMG Astro Private Limited (the 'Company', 'we', 'us') collects from website and online consultation visitors, how it is used, the lawful basis for processing, retention, security, and the rights available to you under Indian and international law.

Last updated: May 7, 2026

1. Who We Are (Data Fiduciary / Controller)

Legal name: RMG Astro Private Limited (CIN: U96906PN2026PTC250704). Registered office: Picassos Terrace Fl No 04, Sr No 66 Kedari Nagar, Wanowarie, Pune, Maharashtra, India 411040. For privacy questions, write to riteshghorpade.astro@gmail.com with the subject line 'Privacy Request'.

Under India's Digital Personal Data Protection Act, 2023 (DPDP Act) we act as the Data Fiduciary. Under the EU General Data Protection Regulation (GDPR) and the UK GDPR, where applicable, we act as the Data Controller. We may engage Data Processors (Firebase / Google Cloud, Razorpay, our SMTP email vendor) to operate the service on our behalf under written contracts.

2. Personal Data We Collect

Account and contact data: name, email address, phone number (when provided), authentication identifier from Google / Apple / LinkedIn / Phone OTP.

Booking and intake data: service selection, date and time of birth, place of birth, palm images (for palmistry), live consultation topic, and any spouse or child profiles you choose to link.

Billing data: name, billing address, country, Indian state for GST place-of-supply determination, and (optionally) GSTIN for B2B invoices. Razorpay handles your card / UPI / net-banking credentials directly; we never see or store them.

Transaction and tax invoice data: order identifiers, payment identifiers, amounts, tax breakdown (CGST / SGST / IGST), invoice number, place of supply, and time stamps. This is required to be retained under the Goods and Services Tax (GST) Acts and the Companies Act.

Operational data: IP address, browser user-agent, device type, time zone, and reCAPTCHA / App Check tokens used for fraud and abuse prevention.

Support data: any messages or files you send us when contacting support.

3. Why We Process It (Purposes and Lawful Basis)

Booking and consultation delivery — performance of contract with you (DPDP s.7(a) consent / GDPR Art.6(1)(b)).

Payment processing and fraud prevention — performance of contract and our legitimate interest in detecting fraud (GDPR Art.6(1)(b) and 6(1)(f)).

Tax invoice generation, retention, and reporting — compliance with GST law, the Companies Act, and the Income Tax Act (GDPR Art.6(1)(c) / DPDP s.7(b) legitimate use for legal compliance).

Account security, audit logs, and abuse prevention — legitimate interest (GDPR Art.6(1)(f)).

Customer support and dispute resolution — performance of contract and legitimate interest.

Special-category data (GDPR Article 9) — to the extent that astrological intake (date / time / place of birth used for chart calculation) and the resulting interpretation could be construed as data revealing 'religious or philosophical beliefs', we process it on the basis of your explicit consent under Article 9(2)(a), provided when you book the service. You may withdraw consent at any time by writing to riteshghorpade.astro@gmail.com; withdrawal will not affect the lawfulness of processing carried out before withdrawal, and is subject to the legal-retention exceptions in Section 6 below (tax records).

We do not use your data for behavioural advertising. We do not sell your personal data.

4. Sharing With Third Parties

Firebase / Google Cloud (data hosting, authentication, storage, Cloud Functions). Region: please refer to firebase.google.com/support/privacy.

Razorpay Software Private Limited (payment processing, refund processing, tax invoice payment metadata). Their privacy notice: razorpay.com/privacy.

Our transactional email / SMTP provider (delivery of receipts, tax invoices, and order updates).

Google Calendar (only for the consultant calendar sync, when the consultant explicitly authorizes the integration).

Law-enforcement or regulatory authorities, where we are legally obliged to disclose data under applicable Indian or foreign law.

A complete, up-to-date list of our sub-processors — including the personal data each one processes and the lawful basis for any cross-border transfer — is published at /processors. We update that register before adding or changing any sub-processor.

5. International Transfers

Data may be processed on servers operated by our processors outside India (typically the European Union or the United States). When we transfer EU/UK personal data abroad we rely on Standard Contractual Clauses or other approved transfer mechanisms with the processor.

If you are located outside India and access the website, you understand that your data will be processed in the country where our servers and processors are located.

6. Retention

Account data is retained for as long as your account is active and for a reasonable grace period after deletion to handle outstanding obligations.

Booking, payment, and tax invoice records are retained for at least eight (8) years from the end of the relevant Indian financial year, as required by the GST law (Section 36 of the CGST Act), the Companies Act, 2013, and the Income Tax Act, 1961. After that period we may anonymize or delete them.

Conflict between erasure rights (DPDPA s.13 / GDPR Art.17) and the 8-year tax-retention obligation: where you exercise an erasure right while the retention period is still running, we will delete or anonymize the directly-identifying personal fields (name, contact details, address, billing data not required by the invoice itself) but will preserve the financial record (invoice number, amount, tax breakdown, transaction reference) as required by Indian tax law. This is permitted under DPDPA s.13(2)(b) and GDPR Art.17(3)(b) (legal obligation override of the right to erasure).

Audit logs and abuse-prevention logs are retained for up to twenty-four (24) months.

Palm images and other intake uploads are retained until consultation delivery is complete and any dispute window has elapsed; after that they are scheduled for deletion.

7. Your Rights

Indian users (DPDP Act 2023): right to confirmation and access to your data, correction of inaccurate data, erasure (subject to legal-retention exceptions), grievance redressal, and nomination of a person to exercise your rights in case of incapacity or death.

EU / UK users (GDPR / UK GDPR): right of access, rectification, erasure, restriction of processing, data portability, objection, and to lodge a complaint with your local Data Protection Authority.

California users (CCPA / CPRA): right to know, delete, correct, opt out of sale or sharing (we do not sell or share for cross-context behavioural advertising), and non-discrimination.

To exercise any of these, email riteshghorpade.astro@gmail.com with the subject line 'Privacy Request' and provide enough information for us to verify your identity. We will respond within 30 days (or longer where law permits).

8. Children

The service is not directed at users under 18. We do not knowingly process the personal data of children. If you believe we hold a child's data, contact us and we will delete it.

9. Security

We use Firebase Authentication, transport-level encryption (HTTPS), App Check, signed callable functions, and Firestore security rules with field-level whitelists. Storage uploads are scanned before delivery.

No system can be perfectly secure. Use a strong password, do not share credentials, and report any suspected unauthorized access immediately.

10. Personal Data Breach Notification

If we become aware of a personal-data breach that is likely to result in risk to the rights of affected individuals, we will: (a) notify India's Data Protection Board within the timelines prescribed under the DPDP Act 2023 and DPDP Rules; (b) notify the relevant supervisory authority within 72 hours under EU GDPR Article 33 / UK GDPR; (c) notify the affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34, DPDP s.8(6)).

Notifications include the nature of the breach, categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach. We maintain an internal breach-response runbook (`SECRETS_ROTATION.md`) covering credential revocation, system isolation, forensic snapshot, and downstream notification.

11. Grievance and Complaint

Grievance Officer (DPDP Act and IT Rules 2021): Mr. Ritesh Ghorpade, RMG Astro Private Limited, riteshghorpade.astro@gmail.com.

We acknowledge grievances within 48 hours and aim to resolve them within 30 days.

12. Changes To This Policy

We may update this Policy from time to time. Material changes will be highlighted on this page. The 'Last updated' date at the top of the page indicates the current revision.

Need help?

Email riteshghorpade.astro@gmail.com with your order ID and registered email address.
