Privacy Policy

This policy explains what data Haru (“we”, “us”) collects, why we collect it, and the choices you have. We follow the principles of India's Digital Personal Data Protection Act, 2023. The short version: we collect only what the service needs, we never sell your data, and your voice audio is transcribed without being stored.

• Account data — your name, email address, and password (passwords are securely hashed; we never store them in plain text).
• Profile preferences — native language, industry, and target tone, used to personalise refinements.
• Content you submit — the text you ask Haru to refine, the refined output, tone scores, and flashcards generated from them.
• Usage data — credit consumption, session counts, and feature usage.
• Payment records — pack purchased, amount, and Razorpay payment ID. Card/UPI/bank details are handled entirely by Razorpay and never reach our servers.

Voice audio is transcribed by Amazon Transcribeinside Haru’s own AWS account — the same one that powers refinement. The audio is processed transiently, never stored or used to train any model; only the resulting text transcript is saved to your history. Playback (Listen) is generated entirely on your device.

• To provide the service: your submitted text is sent to AI models running on Amazon Bedrock (AWS) to generate refinements.
• To personalise output using your profile preferences.
• To meter credits and process purchases.
• To build your private session history, mistake patterns, and flashcards.
• To respond to support requests and feedback you submit.

We do not sell your data, use it for third-party advertising, or use your content to train AI models.

Data is stored on Amazon Web Services (Aurora PostgreSQL and S3). Processing may occur in AWS regions outside India (currently the United States and Europe). AWS holds industry-standard certifications including ISO 27001 and SOC 2.

• AWS — database (Aurora), AI refinement (Bedrock), and voice-to-text (Amazon Transcribe; audio processed transiently and not retained). Text-to-speech (Listen) runs on your device and is sent nowhere.
• Amazon SES (AWS) — sending transactional email (verification codes, password resets).
• Razorpay — payment processing, as required to complete your purchases.
• Vercel — application hosting and anonymous, cookie-free usage analytics.
• Authorities, only where required by applicable law.

We use only essential session cookies (httpOnly authentication tokens) to keep you signed in. We do not use advertising or cross-site tracking cookies, so there is no cookie banner — there is nothing to opt out of.

• Account and content data are kept while your account is active.
• You can delete individual sessions from your history at any time.
• You can delete your account yourself at any time from Settings → Account → Delete account. We email a one-time code to confirm it's you, then permanently erase your profile, sessions, and flashcards and revoke your login. Payment ledger entries are retained in anonymized form as required by Indian tax law (currently 8 years); everything else is deleted immediately.

You can delete your account and data directly from Settings → Account → Delete account (confirmed by an emailed code). You may also request access to, correction of, or deletion of your personal data, or withdraw consent, by emailing support@haru.co.in. We respond within 30 days. If you are unsatisfied with our response, you may complain to the Data Protection Board of India.

All traffic is encrypted in transit (TLS). Authentication uses short-lived signed tokens in httpOnly cookies. Database access uses IAM-authenticated, role-scoped credentials — no long-lived database passwords exist.

We will post any material changes to this policy on this page and update the date above. Grievance / privacy contact: support@haru.co.in