Privacy Policy

1. Who we are

BHASM is a product of Aarnoaa (OPC) Private Limited, a One Person Company incorporated under the Companies Act 2013, registered in India. Registered office: Gurgaon, Haryana 122001, India. CIN: U73100HR2025OPC137642. For all privacy matters, write to privacy@bhasm.ai.

2. What data we collect and why

Account data: Name, email address, password (hashed, never stored in plain text), business name, city, industry, and market. This is used to create and manage the account and to calibrate the intelligence correctly from day one.

Customer relationship data: Transaction records, purchase history, contact identifiers (name, phone, email), and behavioural signals uploaded by the business. This data is used exclusively to generate retention intelligence — briefs, urgency scores, and suggested messages — for that specific business. It is never shared, sold, or used for any other purpose.

Usage data: Dashboard activity, feature usage, and brief generation events. Used to improve the product and to ensure system stability. Not used for advertising.

3. How data is stored and secured

Account and customer data is stored on Supabase-managed PostgreSQL databases hosted in data centres in India and the European Union. All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Passwords are stored as a strong one-way hash — never in plain text, and never transmitted in logs. Access is restricted to service processes only. No human at Aarnoaa accesses individual customer records except in the event of a support request from the registered business.

3a. Indian data law — DPDP Act 2023

BHASM's data processing is designed for compliance with India's Digital Personal Data Protection Act 2023. In this framework, the registered business is the Data Fiduciary — the entity that collected consent from its own customers and determines the purpose of processing. Aarnoaa (OPC) Private Limited is the Data Processor — processing data strictly on the Fiduciary's instructions to generate retention intelligence.

BHASM does not independently collect data from end customers. It processes only data the business provides through connected sources (Shopify, GA4, Razorpay, etc.) or manual upload. The business remains responsible for having obtained valid consent from its own customers under applicable law before connecting those data sources to BHASM.

3b. Data Processing Agreement

By creating an account and connecting data sources, the registered business enters into a Data Processing Agreement with Aarnoaa (OPC) Private Limited. The terms of this agreement are as follows: Aarnoaa will process personal data only for the purpose of generating retention intelligence for that business; will not share, sell, or use that data for any other purpose; will maintain appropriate technical and organisational security measures; and will delete or return all personal data on termination of the account. Businesses requiring a formal signed DPA document may request one by writing to privacy@bhasm.ai. Access to production databases is restricted to essential personnel and is logged.

4. Data ownership

The business that uploads customer data retains full ownership of that data at all times. Aarnoaa (OPC) Private Limited acts as a data processor, not a data controller, in relation to customer relationship records. The business is responsible for ensuring it has appropriate authority to submit this data and that affected individuals have been informed in accordance with applicable law.

5. Data retention and deletion

Account data is retained for the duration of the account and for 90 days after closure to facilitate potential reactivation. Customer relationship data is retained for the duration of the account. All data is permanently deleted within 30 days of a verified deletion request. To request deletion, write to privacy@bhasm.ai with the subject line "Data Deletion Request".

6. Third-party services

BHASM uses the following third-party processors: Supabase (database infrastructure), Railway (backend hosting), and Resend (transactional email delivery). Each processes data solely to provide the service to BHASM and is bound by their respective data processing agreements. No customer relationship data is shared with these parties beyond what is necessary for infrastructure operation.

7. No advertising. No data sales.

BHASM products carry no advertising. Aarnoaa (OPC) Private Limited does not sell, license, or otherwise commercialise account or customer data to any third party, under any circumstances.

8. Rights of data subjects

Individuals whose data has been uploaded to BHASM by a business have the right to request access, correction, or deletion of their data. Such requests should be directed to the business that holds the account; businesses are required to action such requests within 30 days. Aarnoaa (OPC) Private Limited will support businesses in fulfilling these obligations upon request.

9. Cookies

BHASM uses a single session cookie to maintain authentication state. No tracking cookies, advertising cookies, or third-party analytics cookies are set. The session cookie is essential for the service to function and cannot be opted out of while logged in.

10. Changes to this policy

Material changes to this policy will be communicated by email to all registered accounts at least 14 days before they take effect. Continued use of the service after the effective date constitutes acceptance of the revised policy.

11. Contact

For any privacy-related questions or requests: privacy@bhasm.ai
Aarnoaa (OPC) Private Limited, India.