RACHMANAS — PRIVACY & COOKIE POLICY FRAMEWORK

Version 1.0. Updated 22, 2026

1. Introduction

Rachmanas (“Company,” “we,” “our,” or “us”) is committed to protecting the privacy, dignity, and confidentiality of individuals who access or use our behavioural counselling and well-being services (collectively, the “Platform”).

We recognise that the nature of services offered through the Platform involves the collection and processing of behavioural insights, reflective disclosures, psychological questionnaires, and other personal information that may be sensitive in character. We treat such information with heightened care and responsibility.

This Privacy & Cookie Policy (“Policy”) explains how we collect, use, process, store, disclose, and protect personal data in connection with:

• Online counselling sessions;
• Behavioural assessments and activities;
• AI-assisted insights;
• Corporate or employer-sponsored programs;
• Website and application usage;
• Advertising, analytics, and tracking technologies.

This Policy forms an integral part of the Terms & Conditions governing use of the Platform.

2. Status as Data Fiduciary

Rachmanas acts as a “Data Fiduciary” within the meaning of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), as we determine the purpose and means of processing personal data collected through the Platform.

As a Data Fiduciary, we undertake to process personal data:

• Lawfully and transparently;
• For specified and legitimate purposes;
• In a manner proportionate to the services provided;
• With reasonable security safeguards;
• In accordance with applicable statutory obligations.

Where required under law, Rachmanas shall comply with additional obligations applicable to designated categories of Data Fiduciaries, including but not limited to enhanced governance, impact assessments, or appointment of designated officers.

3. Legal and Regulatory Framework

This Policy is structured in alignment with applicable Indian law, including:

• The Digital Personal Data Protection Act, 2023;
• The Information Technology Act, 2000;
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, as applicable;
• The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, where relevant;
• Any subsequent amendments, notifications, or regulatory advisories issued by competent authorities.

In the event of conflict between this Policy and applicable statutory requirements, the latter shall prevail.

4. Scope of Application

This Privacy & Cookie Policy applies to all personal data collected, processed, stored, or otherwise handled by Rachmanas in connection with its services, whether collected directly from Users or through automated technologies.

This Policy governs data processing activities across the following channels and systems:

4.1 Digital Platforms

• The official Rachmanas website;
• Mobile applications (current or future);
• Web-based portals or dashboards;
• Any digital interface operated under the Rachmanas brand.

4.2 Counselling Services

• One-on-one online counselling sessions conducted via video, audio, or digital interface;
• Structured group-based behavioural development sessions;
• Employer-sponsored or corporate counselling programs;
• Behavioural assessments, questionnaires, and activity submissions;
• AI-assisted behavioural insights and structured feedback tools.

4.3 AI-Driven and Analytical Features

• AI-enabled behavioural analysis tools;
• Large language model (LLM) integrations;
• Automated activity recommendations;
• Insight generation systems;
• Internal quality assurance and supervision systems involving AI support.

4.4 Corporate and Enterprise Programs

• Workplace Resilience Counseling programs;
• Employer-sponsored access to the Platform;
• Aggregate reporting dashboards;
• Integration with corporate HR or scheduling systems;
• Organisational analytics generated from anonymised or aggregated data.

4.5 Communication Channels

• Customer support communications;
• Administrative coordination via email or phone;
• Messaging integrations including WhatsApp or similar platforms;
• System-generated notifications and alerts.

4.6 Technical Infrastructure and Operational Systems

• Customer Relationship Management (CRM) systems;
• Cloud hosting infrastructure;
• Session recording systems (where consented);
• Internal supervision and documentation tools.

4.7 Analytics, Advertising, and Tracking Technologies

• Web analytics tools, including third-party analytics platforms;
• Advertising pixels and conversion tracking technologies;
• Social media tracking integrations;
• Search engine remarketing tools;
• Cookie tracking and similar technologies deployed on the Platform.

4.8 Third-Party Integrations

Where Rachmanas integrates with external service providers for hosting, analytics, communication, AI processing, advertising, or payment services, this Policy applies to the extent that personal data is processed under Rachmanas’ control as Data Fiduciary.

This Policy does not apply to independent third-party platforms or websites that are not controlled by Rachmanas. Users are encouraged to review the privacy policies of such third-party services.

5. Categories of Personal Data We Collect

Rachmanas collects and processes personal data necessary for delivery of behavioural counselling services, operation of the Platform, compliance with law, and improvement of services.

The categories of personal data collected may include the following:

5.1 Identity and Contact Information

We may collect basic identifying information, including:

• Full name;
• Mobile phone number;
• Email address;
• Login credentials;
• Profile information voluntarily provided by the User.

This information is required for account creation, communication, and session scheduling.

5.2 Behavioural and Counselling Data

Given the nature of services offered, Rachmanas may collect and process behavioural and reflective information shared by Users during counselling interactions.

This may include:

• Psychological Insight Questionnaire (PIQ) responses;
• Activity submissions and structured exercises;
• Reflective inputs shared during sessions;
• Personal disclosures relevant to stress, relationships, workplace challenges, or emotional well-being;
• Counsellor session notes;
• AI-assisted behavioural insights;
• Risk indicators identified during counselling interactions.

Such data may be sensitive in nature. Rachmanas processes this information strictly within the defined scope of behavioural counselling services.

Rachmanas does not solicit medical diagnostic records unless voluntarily disclosed by the User.

5.3 Session Recordings (Where Consented)

Sessions may be recorded only upon explicit prior consent of the User.

Where consent is provided:

• Audio and/or video recordings may be stored;
• Recordings shall be retained for a minimum period of two (2) years from the date of recording;
• Recordings may be retained longer where required by law, legal proceedings, or regulatory obligation;
• Rachmanas is not obligated to retain recordings indefinitely at the request of a User.

If consent is not provided, sessions shall not be recorded.

5.4 Technical and Usage Data

We may automatically collect technical information when Users access the Platform, including:

• IP address;
• Device type and operating system;
• Browser type and version;
• Access timestamps;
• Session duration;
• Log files and diagnostic data.

This data assists in maintaining security, improving functionality, and analysing usage patterns.

5.5 Analytics Data

Rachmanas may use third-party analytics tools to collect information regarding:

• Pages visited;
• Interaction patterns;
• Navigation behaviour;
• Conversion metrics;
• Engagement statistics.

Such analytics tools may utilise cookies, tracking pixels, or similar technologies.

5.6 Advertising and Remarketing Data

Where Rachmanas engages in online advertising and remarketing, certain tracking technologies may collect:

• Advertising identifiers;
• Pixel-based interaction data;
• Click behaviour;
• Campaign engagement metrics;
• Device-based targeting information.

This information may be used for:

• Measuring advertising performance;
• Delivering relevant advertisements;
• Retargeting Users across digital platforms.

Users may manage advertising preferences through platform-specific controls and cookie settings.

5.7 Payment Information

Payments are processed through authorised third-party payment gateways.

Rachmanas may collect:

• Transaction reference numbers;
• Payment status;
• Billing metadata.

Rachmanas does not store complete credit card, debit card, or banking credentials on its servers.

5.8 Corporate Program Data

Where Users access services through employer-sponsored programs, we may collect:

• Participation status;
• Session utilisation data;
• Organisational affiliation;
• Program engagement metrics.

Individual session content shall not be disclosed to Corporate Clients without explicit consent, except where legally required.

5.9 Communications Data

We may retain records of:

• Email communications;
• Administrative messages;
• Support requests;
• WhatsApp or messaging-based coordination where applicable.

Such records are retained for operational, compliance, and security purposes.

5.10 Derived and Analytical Data

Rachmanas may generate derived data through analysis of User inputs, including:

• Behavioural trend indicators;
• Engagement metrics;
• Aggregated statistical insights;
• Anonymised research datasets.

Where data is anonymised in a manner that prevents re-identification, it may no longer constitute personal data under applicable law.

6. Purpose of Data Collection and Processing

Rachmanas collects and processes personal data solely for specified, lawful, and proportionate purposes connected to the delivery of behavioural counselling services and operation of the Platform.

Personal data may be processed for the following purposes:

6.1 Service Delivery and Session Management

To:

• Create and manage User accounts;
• Schedule and conduct one-on-one or group counselling sessions;
• Deliver structured behavioural activities and exercises;
• Facilitate employer-sponsored or corporate programs;
• Maintain session records (where consented);
• Provide follow-up communication and support.

6.2 Behavioural Insight and AI-Assisted Analysis

To:

• Generate structured behavioural insights;
• Support counsellors with AI-assisted pattern recognition;
• Recommend activities or reflective exercises;
• Improve quality and consistency of counselling delivery.

AI-assisted tools operate as supportive systems and do not independently make medical, legal, or employment decisions.

6.3 Quality Assurance and Professional Supervision

To:

• Maintain internal quality standards;
• Review counselling practices for professional improvement;
• Conduct internal audits;
• Ensure compliance with ethical and operational guidelines.

Where session recordings are retained (with consent), they may be used for supervision, training, research, or compliance purposes.

6.4 Research and Service Improvement

To:

• Develop anonymised research insights;
• Improve behavioural tools and questionnaires;
• Refine AI models using anonymised datasets;
• Analyse usage trends to enhance user experience.

No identifiable personal data shall be published in research outputs.

6.5 Corporate and Enterprise Reporting

To:

• Provide aggregate participation metrics to Corporate Clients;
• Deliver anonymised trend analysis;
• Measure program effectiveness.

Individual session content is not disclosed to employers without explicit consent, except where legally required.

6.6 Communication and Administrative Purposes

To:

• Send scheduling confirmations;
• Deliver system notifications;
• Respond to support requests;
• Communicate policy updates;
• Provide service-related announcements.

Users may not opt out of essential administrative communications necessary for service delivery.

6.7 Advertising, Marketing, and Analytics

To:

• Measure performance of advertising campaigns;
• Conduct remarketing and audience segmentation;
• Analyse website usage patterns;
• Improve marketing effectiveness;
• Prevent promotional abuse.

Where required, such processing is based on User consent through cookie preferences or platform settings.

6.8 Fraud Prevention and Platform Security

To:

• Detect promotional misuse;
• Prevent identity misrepresentation;
• Monitor suspicious login activity;
• Protect platform integrity;
• Maintain system security.

6.9 Legal and Regulatory Compliance

To:

• Comply with court orders, regulatory mandates, or lawful requests;
• Maintain records required under applicable law;
• Respond to disputes or legal claims;
• Fulfil statutory obligations under the DPDP Act, IT Act, or other applicable laws.

6.10 Risk Management and Safety

To:

• Identify indicators of risk during counselling sessions;
• Implement escalation protocols where necessary;
• Document safety-related interventions;
• Protect Users and the public from imminent harm.

Rachmanas does not provide continuous monitoring and does not assume ongoing supervisory responsibility beyond scheduled sessions.

7. Legal Basis for Processing Personal Data

Rachmanas processes personal data only where a valid legal basis exists under applicable law, including the Digital Personal Data Protection Act, 2023.

The legal bases relied upon may include the following:

7.1 Consent

Where required under law, Rachmanas processes personal data based on the User’s free, specific, informed, and unambiguous consent.

Consent may be obtained through:

• Account registration;
• Acceptance of Terms & Conditions;
• Completion of behavioural questionnaires;
• Consent prompts prior to session recording;
• Cookie and advertising preference banners;
• Corporate onboarding workflows.

Users may withdraw consent at any time, subject to legal or contractual limitations. Withdrawal of consent may affect the ability of Rachmanas to continue providing certain services.

7.2 Performance of Contract

Processing is necessary to perform the contractual relationship between the User and Rachmanas, including:

• Scheduling and conducting counselling sessions;
• Delivering behavioural activities;
• Processing payments;
• Providing AI-assisted insights;
• Administering employer-sponsored programs.

Where processing is essential to service delivery, withdrawal of consent may result in suspension or termination of services.

7.3 Compliance with Legal Obligations

Rachmanas may process personal data to comply with applicable legal requirements, including:

• Court orders;
• Regulatory directives;
• Law enforcement requests;
• Record-keeping obligations;
• Statutory retention requirements.

7.4 Legitimate Interests

Where permitted by law, Rachmanas may process personal data to pursue legitimate operational interests, provided such interests do not override the fundamental rights of Users.

Such legitimate interests may include:

• Platform security and fraud prevention;
• Promotional abuse detection;
• Quality assurance and service improvement;
• Aggregated analytics and performance measurement;
• Risk management and internal governance.

7.5 Deemed Consent or Voluntary Disclosure

Where Users voluntarily provide information during counselling sessions, activities, or communications, such disclosures may constitute deemed consent for processing within the defined scope of behavioural counselling services.

However, Rachmanas does not interpret voluntary disclosure as consent for public dissemination or marketing use without explicit written agreement.

7.6 Advertising and Tracking Technologies

Processing related to non-essential cookies, advertising pixels, and remarketing tools is based on User consent obtained through cookie preference mechanisms or equivalent consent tools.

Users may withdraw such consent through:

• Cookie settings;
• Browser controls;
• Advertising platform opt-out mechanisms.

Withdrawal of advertising consent does not affect core counselling services.

8. Use of Artificial Intelligence and Automated Systems

Rachmanas may utilise artificial intelligence systems, algorithmic tools, and large language model (LLM) technologies to support service delivery, enhance behavioural insights, and improve operational efficiency.

AI tools are used strictly as assistive technologies and do not replace human professional judgment.

8.1 Nature of AI-Assisted Processing

AI systems may be used for purposes including:

• Analysing questionnaire responses;
• Identifying behavioural patterns;
• Generating structured summaries;
• Recommending exercises or activities;
• Supporting counsellors with preliminary insights;
• Aggregating anonymised usage trends.

AI outputs are probabilistic in nature and may not be fully accurate, exhaustive, or contextually complete.

8.2 Human Oversight

All counselling decisions, interpretations, and recommendations are subject to human oversight by qualified professionals.

No AI system independently:

• Provides medical diagnosis;
• Determines psychiatric conditions;
• Certifies fitness for employment;
• Makes legal determinations;
• Approves or denies access to services based solely on automated processing.

Human judgment remains central to all counselling interactions.

8.3 No Solely Automated Decision-Making

Rachmanas does not engage in decision-making that produces legal or similarly significant effects based solely on automated processing.

Users are not subject to automated denial of services without human review.

8.4 Large Language Model (LLM) Infrastructure

Rachmanas may utilise third-party AI infrastructure providers, including large language model APIs or AI-processing platforms, to support behavioural analysis and content generation.

Where such infrastructure is used:

• Data may be transmitted to external AI service providers under contractual safeguards;
• Processing may occur on servers located outside India;
• Providers are selected based on reasonable security and compliance standards.

Rachmanas does not guarantee error-free outputs from AI systems and shall not be liable for inaccuracies inherent to probabilistic model behaviour.

8.5 Bias and Limitations

AI systems may reflect limitations or biases inherent in training data.

Rachmanas undertakes reasonable efforts to monitor and mitigate bias; however:

• AI-generated insights should not be treated as definitive conclusions;
• Users should not rely exclusively on automated outputs for medical, legal, or employment decisions.

8.6 User Responsibility for Interpretation

Users acknowledge that AI-assisted insights are supportive tools intended for behavioural reflection and guidance.

Users remain responsible for:

• Exercising independent judgment;
• Seeking qualified medical or psychiatric care where necessary;
• Not relying on AI outputs as formal diagnoses.

9. Use of Advertising and Tracking Technologies

Rachmanas may use advertising, analytics, and tracking technologies to:

• Measure performance of digital campaigns;
• Understand user engagement patterns;
• Deliver relevant advertisements;
• Conduct remarketing and retargeting campaigns;
• Improve outreach and user acquisition strategies.

These technologies may operate across websites, social media platforms, and search engines.

9.1 Analytics Tools

We may use third-party analytics services to collect and analyse information such as:

• Pages visited;
• Time spent on pages;
• Click behaviour;
• Navigation paths;
• Conversion metrics;
• Device and browser data.

Analytics tools may use cookies, tracking pixels, SDKs, or similar technologies to collect usage data.

9.2 Advertising Pixels and Conversion Tracking

Rachmanas may use advertising technologies such as:

• Pixel tags;
• Conversion tracking scripts;
• Remarketing tags;
• Audience segmentation tools.

These tools may collect information regarding:

• Interaction with advertisements;
• Visit history on the Platform;
• Campaign response data;
• Advertising identifiers linked to devices or browsers.

Such technologies may enable the display of Rachmanas advertisements on third-party websites or social media platforms.

9.3 Cross-Platform and Cross-Device Tracking

Advertising partners may use cookies or similar technologies to:

• Associate browser sessions across websites;
• Track interactions across devices;
• Build audience segments for targeted advertising.

Rachmanas does not control how third-party advertising networks process data once collected under their independent privacy policies.

Users are encouraged to review the privacy policies of such third-party providers.

9.4 Legal Basis for Advertising Processing

Processing related to non-essential advertising cookies and tracking technologies is based on User consent obtained through:

• Cookie preference banners;
• Consent management tools;
• Platform-level opt-in mechanisms.

Users may withdraw or modify advertising consent at any time through cookie settings or browser-level controls.

Withdrawal of advertising consent shall not affect access to core counselling services.

9.5 Opt-Out and Preference Controls

Users may manage advertising preferences by:

• Adjusting cookie consent settings on the Platform;
• Using browser-based cookie controls;
• Visiting opt-out pages provided by advertising networks;
• Modifying privacy settings within social media platforms.

Rachmanas does not guarantee that all advertising tracking can be fully disabled due to technical limitations inherent in third-party ecosystems.

9.6 No Disclosure of Session Content for Advertising

Under no circumstances does Rachmanas:

• Use counselling session content for targeted advertising;
• Share identifiable behavioural disclosures with advertising networks;
• Sell personal data for marketing purposes.

Advertising and tracking technologies operate independently of counselling session content.

10. Use of Cookies and Similar Technologies

Rachmanas uses cookies and similar tracking technologies to operate, secure, and improve the Platform, and to support analytics and advertising functions.

Cookies are small text files placed on a User’s device when visiting a website. Similar technologies may include:

• Pixel tags;
• Web beacons;
• Local storage objects;
• SDK-based identifiers;
• Device identifiers.

These technologies enable the Platform to recognise returning Users, maintain session integrity, and analyse interaction patterns.

10.1 Categories of Cookies Used

Rachmanas may deploy the following categories of cookies:

(a) Strictly Necessary Cookies

These cookies are essential for:

• Account authentication;
• Session management;
• Security and fraud prevention;
• Platform functionality.

These cookies cannot be disabled without affecting core services.

(b) Performance and Analytics Cookies

These cookies collect information regarding:

• Website traffic;
• User interaction patterns;
• Page performance;
• Technical diagnostics.

Such data is generally aggregated and used to improve platform performance and user experience.

(c) Functional Cookies

These cookies enable:

• Remembering user preferences;
• Saving login sessions;
• Customising interface settings.

(d) Advertising and Targeting Cookies

These cookies may be used to:

• Deliver relevant advertisements;
• Conduct remarketing campaigns;
• Measure advertising effectiveness;
• Build audience segments.

Advertising cookies may be set by Rachmanas or third-party advertising partners.

10.2 Third-Party Cookies

Certain cookies and tracking technologies may be placed by third-party providers, including:

• Analytics service providers;
• Advertising networks;
• Social media platforms;
• Search engine marketing tools.

Rachmanas does not control the independent data processing practices of such third parties. Users are encouraged to review the privacy policies of these providers.

10.3 Cookie Consent Mechanism

Upon first access to the Platform, Users may be presented with a cookie consent banner allowing them to:

• Accept all cookies;
• Reject non-essential cookies;
• Customise cookie preferences.

Consent for non-essential cookies (including analytics and advertising cookies) may be withdrawn or modified at any time through cookie preference settings.

10.4 Managing Cookies

Users may manage or delete cookies through:

• Browser settings;
• Device-level privacy controls;
• Platform cookie management tools.

Disabling certain cookies may impact functionality or limit access to specific features.

10.5 Retention of Cookie Data

Cookies may remain on a User’s device for varying durations, including:

• Session cookies (deleted upon browser closure);
• Persistent cookies (retained until expiration or manual deletion).

Retention periods are determined based on operational necessity and third-party provider configurations.

10.6 Do Not Track Signals

The Platform may not respond to “Do Not Track” browser signals due to technical limitations and varying industry standards.

11. Disclosure of Personal Data

Rachmanas does not sell, rent, or trade personal data for monetary consideration.

Personal data may be shared only in the circumstances described below and strictly for legitimate purposes.

11.1 Service Providers and Data Processors

Rachmanas may engage trusted third-party service providers (“Data Processors”) to support operational activities, including:

• Cloud hosting providers;
• Customer Relationship Management (CRM) platforms;
• Payment gateways;
• Analytics service providers;
• Advertising technology partners;
• AI and large language model infrastructure providers;
• Communication platforms (including messaging services such as WhatsApp);
• Session recording storage providers;
• Technical maintenance and security vendors.

Such service providers process personal data only under contractual safeguards and are required to implement reasonable security measures.

Rachmanas remains responsible for ensuring that such processing is conducted in accordance with applicable law.

11.2 AI and LLM Infrastructure Providers

Where AI tools or large language model APIs are used:

• Data may be transmitted to external AI infrastructure providers;
• Processing may occur on servers located outside India;
• Providers are selected based on reasonable security, confidentiality, and compliance standards.

Rachmanas does not authorise such providers to use personal data for independent marketing purposes.

11.3 Corporate and Enterprise Clients

Where services are provided under employer-sponsored programs:

• Only anonymised and aggregated data may be shared with Corporate Clients;
• Individual session content, counsellor notes, or identifiable behavioural disclosures shall not be shared without explicit written consent of the User, except where legally required;
• Participation data may be shared in aggregate form for program reporting.

Rachmanas does not permit Corporate Clients to access confidential counselling content.

11.4 Advertising and Analytics Partners

Advertising and analytics partners may collect certain technical or device-level data through tracking technologies as described in Part VII and Part VIII.

Such partners may act as independent data controllers under their own privacy policies.

Rachmanas does not share counselling session content, PIQ responses, or behavioural disclosures with advertising partners.

11.5 Legal and Regulatory Disclosures

Rachmanas may disclose personal data:

• In response to court orders or legal process;
• To comply with regulatory directives;
• To respond to lawful requests from governmental authorities;
• To protect the rights, safety, or property of Users or the public;
• Where required in cases of risk escalation involving imminent harm.

Disclosure shall be limited to what is legally necessary.

11.6 Business Transfers

In the event of:

• Merger;
• Acquisition;
• Restructuring;
• Asset transfer;

personal data may be transferred to a successor entity, subject to confidentiality safeguards and applicable law.

Users shall be notified where required by law.

11.7 No Public Disclosure

Rachmanas does not publicly disclose identifiable personal data without explicit consent.

Anonymised and non-identifiable data may be used for research, awareness, or marketing purposes in accordance with this Policy.

12. International Processing and Cross-Border Data Transfers

Rachmanas primarily operates within India. However, certain service providers engaged by Rachmanas may process personal data on infrastructure located outside India.

Such cross-border processing may occur in connection with:

• Cloud hosting services;
• Analytics tools;
• Advertising technology platforms;
• AI and large language model infrastructure providers;
• Communication platforms;
• Payment gateways.

12.1 Legal Basis for Cross-Border Transfers

Where personal data is transferred outside India, such transfer shall occur:

• In accordance with the Digital Personal Data Protection Act, 2023;
• Subject to any restrictions or notifications issued by the Government of India;
• Under contractual safeguards designed to protect confidentiality and security.

Rachmanas shall take reasonable steps to ensure that overseas service providers implement appropriate data protection measures.

12.2 Safeguards and Due Diligence

Rachmanas undertakes reasonable due diligence when selecting third-party service providers, including assessment of:

• Security controls;
• Confidentiality obligations;
• Compliance frameworks;
• Data protection commitments.

However, Rachmanas does not control the internal operational practices of independent third-party infrastructure providers.

12.3 Limitation of Guarantee

While reasonable security measures are implemented, Rachmanas cannot guarantee that data processed outside India will be subject to identical legal standards as those applicable under Indian law.

By using the Platform, Users acknowledge that cross-border processing may occur in connection with legitimate service delivery and infrastructure support.

12.4 No Unauthorised Commercial Exploitation

Cross-border transfers shall not be made for the purpose of selling personal data or permitting independent commercial exploitation by third parties.

13. Data Retention and Deletion

Rachmanas retains personal data only for as long as necessary to fulfil the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce contractual rights.

Retention periods may vary depending on the nature of the data and the purpose of processing.

13.1 General Account and Service Data

Identity information, communication records, behavioural activity logs, and related service data may be retained for up to five (5) years from the date of the User’s last interaction with the Platform, unless:

• A shorter retention period is required by law;
• A longer retention period is mandated by statutory or regulatory obligations;
• Legal proceedings or disputes require extended preservation.

13.2 Counselling Session Notes and Behavioural Data

Session notes, behavioural insights, questionnaire responses, and activity records may be retained for up to five (5) years from the date of the last session, subject to legal requirements and internal governance policies.

Retention beyond this period may occur where:

• Required by court order;
• Necessary for defence of legal claims;
• Mandated under applicable law.

13.3 Session Recordings (Where Consented)

Where Users have expressly consented to session recording:

• Recordings shall be retained for a minimum period of two (2) years from the date of recording;
• Recordings may be retained longer if required for legal, regulatory, or dispute resolution purposes;
• Rachmanas shall not be obligated to retain recordings indefinitely at the request of the User.

After expiry of the applicable retention period, recordings may be securely deleted or anonymised in accordance with internal policies.

13.4 Advertising and Analytics Data

Analytics and advertising-related data may be retained in accordance with:

• Operational requirements;
• Third-party provider retention policies;
• Applicable legal limitations.

Such data is typically aggregated or pseudonymised.

13.5 Legal Hold and Regulatory Retention

Where Rachmanas is required to preserve data in connection with:

• Legal proceedings;
• Regulatory investigations;
• Law enforcement requests;
• Arbitration or dispute resolution;

such data may be retained beyond standard retention periods until the matter is resolved.

13.6 Deletion and Anonymisation

Upon expiry of the applicable retention period:

• Personal data may be permanently deleted; or
• Irreversibly anonymised such that it no longer constitutes personal data.

Anonymised data may be retained for research, statistical analysis, service improvement, or AI training purposes.

13.7 No Obligation for Indefinite Preservation

Rachmanas shall not be obligated to preserve personal data, session records, or recordings beyond the retention periods described herein, unless required by law.

Users may request deletion in accordance with applicable rights; however, such requests remain subject to legal, contractual, and operational limitations.

14. Security Safeguards

Rachmanas implements reasonable technical, administrative, and organisational safeguards to protect personal data against unauthorised access, alteration, disclosure, or destruction.

Security measures are proportionate to:

• The nature of the data processed;
• The sensitivity of behavioural and counselling information;
• The scale of operations;
• Applicable statutory requirements.

14.1 Technical Safeguards

Security measures may include:

• Encryption of data in transit using secure communication protocols;
• Encryption of data at rest where appropriate;
• Secure cloud hosting infrastructure;
• Firewall protection and network monitoring;
• Access authentication mechanisms;
• Secure storage of session recordings (where consented).

14.2 Access Controls

Access to personal data is restricted on a need-to-know basis.

Measures include:

• Role-based access control;
• Authentication credentials for authorised personnel;
• Logging and monitoring of administrative access;
• Periodic review of access privileges.

Counsellors and staff are granted access only to information necessary for service delivery and operational duties.

14.3 Confidentiality Obligations

All employees, counsellors, contractors, and service providers who process personal data are bound by:

• Confidentiality obligations;
• Contractual data protection commitments;
• Ethical standards applicable to behavioural counselling practice.

14.4 Third-Party Security

Where third-party service providers process personal data on behalf of Rachmanas, contractual safeguards are implemented to require:

• Reasonable security measures;
• Confidentiality protections;
• Compliance with applicable data protection laws.

Rachmanas undertakes reasonable due diligence when selecting service providers but does not control their internal operational systems.

14.5 Incident Response and Breach Management

Rachmanas maintains internal processes to:

• Identify and assess suspected security incidents;
• Contain and mitigate potential harm;
• Investigate root causes;
• Implement corrective measures.

Where required under applicable law, affected Users and regulatory authorities shall be notified in accordance with statutory obligations.

14.6 No Absolute Guarantee

While Rachmanas employs reasonable security measures, no method of electronic transmission or storage is completely secure.

Accordingly, Rachmanas cannot guarantee absolute security of personal data.

Users are encouraged to:

• Maintain confidentiality of login credentials;
• Use secure internet connections;
• Notify Rachmanas promptly of suspected unauthorised access.

15. Rights of Data Principals

In accordance with the Digital Personal Data Protection Act, 2023, individuals whose personal data is processed by Rachmanas (“Data Principals”) may exercise certain rights, subject to applicable legal limitations.

Requests may be submitted through the grievance or data protection contact details provided in this Policy.

15.1 Right to Access Information

Users may request confirmation as to whether Rachmanas is processing their personal data.

Where applicable, Users may request access to:

• Categories of personal data processed;
• Purposes of processing;
• Categories of recipients to whom data has been disclosed;
• Retention practices.

Access requests shall be fulfilled within statutory timelines, subject to identity verification and lawful exemptions.

15.2 Right to Correction and Updating

Users may request correction of:

• Inaccurate personal data;
• Incomplete information;
• Outdated identity details.

Rachmanas may require reasonable verification before implementing corrections.

15.3 Right to Erasure

Users may request erasure of personal data where:

• The data is no longer necessary for the purpose for which it was collected;
• Consent has been withdrawn and no other lawful basis applies;
• Retention is not required under law.

Erasure requests remain subject to:

• Legal retention obligations;
• Ongoing dispute resolution;
• Fraud prevention requirements;
• Risk management documentation;
• Regulatory mandates.

Where erasure is granted, data may be deleted or irreversibly anonymised.

15.4 Right to Withdraw Consent

Where processing is based on consent, Users may withdraw such consent at any time.

Withdrawal shall not affect processing conducted prior to withdrawal.

Withdrawal of consent may:

• Impact service delivery;
• Result in suspension or termination of counselling services;
• Limit functionality of AI-driven features;
• Disable advertising personalisation.

15.5 Right to Grievance Redressal

Users may lodge grievances regarding:

• Alleged misuse of personal data;
• Delayed response to requests;
• Unlawful disclosure;
• Failure to comply with statutory rights.

Grievances shall be addressed within the timelines prescribed under applicable law.

If unresolved, Users may approach the appropriate statutory authority as permitted under the DPDP Act.

15.6 Right to Nominate

Users may nominate another individual to exercise their rights under applicable law in the event of death or incapacity, in accordance with statutory provisions.

Rachmanas may require appropriate verification prior to acting upon such nomination.

15.7 Limitations on Rights

The exercise of rights under this section shall be subject to:

• Applicable legal exemptions;
• Ongoing legal proceedings;
• Prevention of fraud or misuse;
• Protection of rights of other individuals;
• Public safety considerations.

Rachmanas reserves the right to decline requests that are manifestly unfounded, excessive, repetitive, or abusive, in accordance with applicable law.

16. Children and Minors

Rachmanas provides behavioural counselling services exclusively to individuals who are eighteen (18) years of age or older.

The Platform is not intended for use by minors.

Rachmanas does not knowingly collect, solicit, or process personal data from individuals below the age of eighteen (18).

16.1 Age Representation

By registering or using the Platform, Users represent and warrant that they are at least eighteen (18) years of age and legally capable of entering into a binding agreement.

Rachmanas shall not be liable for misrepresentation of age by any User.

16.2 Inadvertent Collection

If Rachmanas becomes aware that personal data of a minor has been collected without lawful authority:

• The relevant account may be suspended;
• The data may be deleted;
• Further processing shall cease unless legally permitted.

Parents or guardians who believe that a minor has provided personal data may contact Rachmanas through the grievance mechanism provided in this Policy.

16.3 No Behavioural Profiling of Minors

Rachmanas does not engage in behavioural profiling, targeted advertising, or counselling services directed at minors.

17. Security Incident and Data Breach Management

Rachmanas maintains internal procedures to identify, assess, and respond to suspected or confirmed personal data breaches in a timely and responsible manner.

A “personal data breach” refers to unauthorised access, disclosure, alteration, destruction, or loss of personal data.

17.1 Detection and Assessment

Upon becoming aware of a suspected incident, Rachmanas shall:

• Conduct a preliminary assessment of the nature and scope of the incident;
• Determine whether personal data has been compromised;
• Evaluate potential risks to affected individuals.

17.2 Containment and Mitigation

Where appropriate, Rachmanas shall take reasonable steps to:

• Contain the breach;
• Prevent further unauthorised access;
• Secure affected systems;
• Implement corrective measures to reduce recurrence risk.

17.3 Regulatory Notification

Where required under the Digital Personal Data Protection Act, 2023, or other applicable laws, Rachmanas shall notify the relevant regulatory authority within prescribed timelines.

17.4 User Notification

Where a breach is likely to result in significant harm to affected individuals, Rachmanas may notify impacted Users in accordance with legal requirements.

Such notification may include:

• Nature of the incident;
• Categories of data affected;
• Steps taken to mitigate harm;
• Recommended protective actions for Users.

17.5 Documentation and Review

Rachmanas may document:

• The nature of the breach;
• Investigation findings;
• Remedial actions taken;
• Lessons learned.

Internal review processes may be implemented to strengthen security posture.

17.6 Limitation of Liability

While reasonable security safeguards are implemented, Rachmanas shall not be liable for unauthorised access or breaches resulting from:

• Force majeure events;
• Sophisticated cyberattacks beyond reasonable control;
• User negligence in safeguarding credentials;
• Security failures attributable to independent third-party service providers.

18. Grievance Redressal Mechanism

Rachmanas is committed to addressing concerns relating to personal data processing in a timely and transparent manner.

Users may submit grievances relating to:

• Alleged misuse or unauthorised disclosure of personal data;
• Delay or refusal in responding to data rights requests;
• Inaccurate or incomplete data;
• Concerns regarding AI-assisted processing;
• Advertising or tracking concerns;
• Any matter related to privacy or data protection.

Grievances may be submitted via email at support@rachmanas.com.

18.1 Grievance Officer

Rachmanas shall designate a Grievance Officer in accordance with applicable law.

The Grievance Officer shall be responsible for:

• Acknowledging receipt of complaints;
• Investigating privacy-related concerns;
• Coordinating with internal teams;
• Providing reasoned responses within statutory timelines.

Unless otherwise required by law, grievances shall be addressed within sixty (60) working days from receipt.

18.2 Data Protection Officer (Where Applicable)

Where required under the Digital Personal Data Protection Act, 2023, or where Rachmanas is designated as a Significant Data Fiduciary, a Data Protection Officer (DPO) may be appointed.

The DPO, if appointed, shall:

• Oversee compliance with data protection obligations;
• Monitor internal data governance practices;
• Act as a point of contact for regulatory authorities.

Contact details of the DPO, where applicable, shall be made publicly available.

18.3 Escalation to Statutory Authority

If a grievance remains unresolved after internal review, Users may approach the appropriate statutory authority as permitted under the Digital Personal Data Protection Act, 2023.

Nothing in this Policy restricts statutory rights available under applicable law.

18.4 Identity Verification

To protect confidentiality, Rachmanas may require reasonable identity verification before acting upon grievance or data access requests.

19. Updates and Modifications

Rachmanas reserves the right to modify, amend, or update this Privacy & Cookie Policy at any time to reflect:

• Changes in legal or regulatory requirements;
• Modifications to services or technology;
• Introduction of new features, including AI tools or integrations;
• Changes in advertising or analytics practices;
• Operational or organisational developments.

19.1 Publication of Revised Policy

Any updated version of this Policy shall:

• Be published on the Platform;
• Indicate the effective date of revision.

The “Last Updated” date shall reflect the date on which the revised version becomes operative.

19.2 Continued Use as Acceptance

Continued access to or use of the Platform after the effective date of a revised Privacy & Cookie Policy shall constitute acceptance of the updated terms.

Where material changes significantly affect User rights or data processing practices, reasonable efforts may be made to notify Users through:

• Email communication;
• In-app notifications;
• Prominent website notice.

19.3 Supremacy Over Prior Versions

This Policy supersedes all prior versions of privacy notices issued by Rachmanas with respect to the matters addressed herein.