Privacy Policy
NumaHaven is a product of CareSoul.ai, a digital health wellness ecosystem. This Privacy Policy describes how we collect, use, and protect your personal data when you use the NumaHaven mobile application and related services ("NumaHaven", "the app", "our services").
1. Who We Are
NumaHaven is a self-guided mental wellness mobile application offering breathing exercises, guided meditations, journaling, mood tracking, and personalised wellness session plans. NumaHaven is operated by Shahnawaz Khan and Kirtimaan Gogna, founders of CareSoul.ai.
NumaHaven is not a mental health establishment under the Mental Healthcare Act, 2017, and does not provide clinical services, diagnosis, or treatment. We are a technology platform offering self-reflection and wellness tools.
Data Fiduciary (under India DPDPA 2023): Shahnawaz Khan and Kirtimaan Gogna, operating CareSoul.ai.
2. Data We Collect
We collect only what is necessary to provide our services:
- Account information: email address and display name
- Authentication data: passwords (irreversibly hashed using bcrypt), refresh tokens (hashed), OAuth identifiers if you sign in with Google
- Wellness content you create:
  - Assessment responses and scores
  - Journal entries (titles and content you write)
  - Mood check-ins (mood labels, energy levels, optional notes)
  - Session practice logs and post-session reflections
  - Goals and check-ins
  - Practice week tracking
- AI-generated content: wellness summaries and personalised session plans created from your assessments
- Consent records: your opt-in/opt-out choices for health data processing and AI analysis
- Technical metadata: timezone (for scheduling reminders), anonymised crash reports, error context
We do not collect:
- Location data (GPS, IP-based location, or otherwise)
- Microphone recordings
- Contacts
- Device advertising identifiers
- Browsing history outside the app
- Biometric data
- Financial information (the app has no payment features)
About camera and photo-library permissions: the Android build of NumaHaven declares the CAMERA and photo-library permissions as part of bundled libraries that support a planned profile-photo feature. This feature is not enabled in the current version — the app does not access your camera, photo library, or any media on your device. If we enable any feature that actually uses these permissions in a future release, we will update this policy and request your explicit consent at the moment of use through the standard Android runtime permission prompt.
3. How We Use Your Data
Your data is used only to:
- Deliver personalised wellness recommendations based on your assessments
- Generate AI-based wellness summaries and session plans (Section 7)
- Track your practice progress across sessions and days
- Send reminder notifications you explicitly opt in to
- Provide account authentication and security
- Improve our services through aggregated, anonymised analytics
We never:
- Sell your personal data to any third party
- Use your wellness data for advertising or retargeting
- Use your data to train AI models
- Share your journal entries, mood notes, or assessment responses with anyone outside the processors named in Section 7
- Use sensitive health data for employment, insurance, credit, or eligibility decisions, or for unauthorised social sharing
4. Data Storage and Security
Your data is stored on secure servers in Helsinki, Finland (European Union), operated by Hetzner Online GmbH in ISO 27001-certified data centres. By using NumaHaven, you consent to your personal data being transferred to and processed in the European Union.
Data stored in the EU is protected under the General Data Protection Regulation (GDPR). If you are located in India, we also comply with the Digital Personal Data Protection Act (DPDPA) 2023, and the transfer of your data to the European Union is a permitted cross-border transfer under the DPDPA framework.
Security measures
- All data encrypted in transit using TLS 1.2 or higher
- Certificate pinning enforced in the mobile app
- Passwords hashed with bcrypt (cost factor 12); never stored in readable form
- Authentication tokens stored in your device's secure keychain (iOS Keychain / Android Keystore / EncryptedSharedPreferences)
- JWT access tokens expire within 24 hours; refresh tokens rotate with theft-detection family revocation
- Database is not exposed to the public internet; access restricted to authorised personnel through role-based access controls
- Password changes invalidate all existing sessions across devices
5. Your Rights Under DPDPA 2023 and GDPR
You have the right to:
- Access your personal data
- Correct inaccurate or incomplete data
- Delete your data ("right to erasure") — see Section 10 and our Data Deletion page
- Export your data in a portable, machine-readable JSON format
- Withdraw consent for AI analysis or health data processing at any time
- Object to or restrict certain processing (under GDPR)
- Lodge a complaint with a supervisory authority — the Data Protection Board of India, or your EU Member State's data protection authority
To exercise these rights, use Settings → Your Data in the app, or contact us at numahaven@gmail.com.
6. Data Retention
We retain your data for as long as your account is active. When you delete your account (via the in-app flow or by emailing us), all personal data is permanently removed within 30 days.
Anonymised, aggregated data that cannot be linked to you personally may be retained for service improvement. Such data does not include journal entries, mood notes, or any free-text content.
7. Third-Party Services
We use the following third-party services that process limited data strictly for the purposes described:
- OpenAI — receives your assessment responses when generating personalised wellness session plans and summaries. Only users who have explicitly granted AI consent have their data sent to OpenAI. OpenAI's API data usage policy states that data submitted to the OpenAI API is not used to train OpenAI models. See OpenAI API data usage policies.
- Google (Sign-In) — if you choose to sign in with Google, Google provides us your email address, Google user ID, and display name. No NumaHaven data is sent to Google.
- Hetzner Online GmbH — hosts our servers and database in Helsinki, Finland under ISO 27001 certification.
- Expo Application Services (EAS) / Expo Push / Firebase Cloud Messaging (FCM) — delivers push notifications you opt in to. Notification content contains only generic reminders, never journal content or mood data. Google FCM is the underlying delivery mechanism on Android devices.
- Sentry — receives anonymised crash reports and error context. Journal entries, mood entries, and assessment responses are never sent to Sentry. User identifiers are stripped of personal information before transmission.
- SMTP provider (Gmail) — sends transactional emails (email verification, security notifications). Receives only your email address and the message content.
Each third-party provider is contractually or operationally bound to protect your data and use it only for the specified purpose.
8. Grievance Redressal
In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, our Grievance Officers are:
- Shahnawaz Khan — Co-founder and Grievance Officer
- Kirtimaan Gogna — Co-founder and Grievance Officer
Email: numahaven@gmail.com
Response time: Within 24 hours of receipt
Resolution time: Within 15 days of receipt for substantive complaints
9. Age, Consent, and Children's Privacy
NumaHaven is intended for users aged 13 and above. Under India's DPDPA 2023, anyone under 18 is considered a child.
We do not:
- Knowingly collect personal data from children under 13
- Use tracking, behavioural monitoring, or retargeting against users of any age, especially minors
- Direct advertising of any kind to users, including minors
- Use children's data for any purpose that could cause detriment to their well-being
If you are a parent or guardian and believe your child has created an account without your consent, or if you are aware of a user under 13 who has created an account, email numahaven@gmail.com and we will promptly delete the account and all associated data.
We will implement verifiable parental consent mechanisms in line with DPDP Rules 2025 within the timeline specified by the Data Protection Board of India.
10. Account Deletion
You can delete your account and all associated data at any time:
- In-app: Settings → Profile → Delete Account (requires password confirmation)
- By email: send a request to numahaven@gmail.com from the email address associated with your account
See our dedicated Data Deletion Page for complete instructions and the list of data that is removed.
11. California Privacy Rights
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the "sale" of personal information
We do not sell personal information. To exercise your rights, contact us at numahaven@gmail.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app and update the "Last updated" date at the top of this policy. Continued use of NumaHaven after changes constitutes acceptance of the updated policy.
13. Contact
For any questions about this policy, our data practices, or to exercise your rights:
Email: numahaven@gmail.com
Operators: Shahnawaz Khan and Kirtimaan Gogna
Parent company: CareSoul.ai
Data hosting: Hetzner Online GmbH, Helsinki, Finland (EU)