Privacy Policy
1. Information We Collect
1.1 Information You Provide
| Data Type | Examples | Retention |
|---|---|---|
| Account Information | Name, email, role (trainer/client) | Until account deletion |
| Profile Information | Age, gender, country | Until account deletion |
| Health Context (Asha) | Medications, conditions, allergies | Until account deletion |
| Fitness Data (Harley) | Workouts, sets, reps, weight, body measurements | Until account deletion |
| Nutrition Data (Harley) | Food logs, macro targets | Until account deletion |
| Conversations | Chat messages, AI responses | Until you delete them (Asha*); 1 year then anonymized (Harley*) |
| Trainer Business Data | Client lists, schedules, exercise libraries | Until account deletion |
| Progress Photos | Photos uploaded by clients | Until deleted by user |
*Conversation retention note: Asha conversations are retained until you manually delete them because users often reference prior health discussions over long periods. Harley conversations are automatically anonymized after 1 year because fitness coaching interactions have a shorter useful lifespan and anonymization reduces the data protection burden on trainers acting as data controllers. In both cases, you may delete your conversations at any time.
1.2 Information Collected Automatically
| Data Type | Purpose | Retention |
|---|---|---|
| Device Information | Service optimization | 90 days |
| Usage Data | Product improvement (anonymized) | 90 days |
| IP Address | Security, regional content | 30 days |
| Server Logs | Security, debugging | 30 days |
1.3 Wearable Device Data (Optional)
If you connect a wearable device (e.g., Whoop), we may collect recovery scores, heart rate variability (HRV), resting heart rate, sleep metrics, strain scores, skin temperature, and SpO2.
Wearable data is biometric data. It is never sold, never shared with advertisers or insurance companies, never used for underwriting, and is used only to personalize your fitness recommendations. You may disconnect your device at any time to stop collection and request deletion.
1.4 Information We Do NOT Collect
- Fingerprints or facial recognition data
- Precise GPS location
- Contacts or address book
- Financial information beyond payment processing
2. How We Use Your Information
2.1 Service Provision
- Generate personalized health information and fitness recommendations
- Track exercise progress, personal records, and nutrition
- Manage trainer-client relationships
- Integrate wearable data for recovery-based insights
- Remember your context across sessions
2.2 Service Improvement
- Analyze anonymized usage patterns
- Identify and fix technical issues
- Develop new features
2.3 Communication
- Service-related notifications and security alerts
- Subscription and billing notifications
- Responses to support requests
2.4 What We Will NEVER Do
- Sell your personal data to any third party
- Share your data with advertisers
- Share biometric data with insurance companies or employers
- Use identifiable health or fitness data to train AI models without explicit consent
- Allow trainers to access other trainers' client data
- Make coverage, pricing, or employment decisions based on your data
3. AI Processing
3.1 How Your Data Is Processed
When you interact with any DNAi product: your message is encrypted and sent to our servers; we retrieve relevant context from your profile; your query is processed by our AI system; a response is generated and returned to you.
3.2 AI Service Providers
We use the following AI providers to process queries. This list is updated as providers change; your data may be processed by any provider listed below:
| Provider | Use | Data Handling |
|---|---|---|
| Google Vertex AI (Gemini) | Primary LLM for query processing | Enterprise data protection, Zero Data Retention (ZDR) |
| Anthropic (Claude) | LLM for query processing and analysis | Enterprise data protection, Zero Data Retention (ZDR) |
| Local Models | Privacy-sensitive operations, knowledge synthesis | Processed on DNAi-controlled infrastructure |
All third-party AI providers process data under strict contractual obligations with zero data retention (ZDR) — your queries are processed and immediately discarded. No third-party provider uses your data to train their models. We may add or change AI providers over time; this policy will be updated to reflect any changes, and material changes will be notified per Section 13.
3.3 Knowledge Synthesis and Improvement
Our AI systems may generate structured knowledge units (such as synthesized medical or fitness insights) derived from your interactions. These knowledge units:
- Are stored in our knowledge base to improve response quality for all users.
- Are derived from the topic of your query (e.g., "information about condition X"), not from your personal identity or health profile.
- Do not contain personally identifiable information (PII), personal health identifiers, or data that can be linked back to you.
- Are retained indefinitely as part of our knowledge infrastructure.
Example: If you ask about a rare condition, our system may generate a synthesized knowledge summary about that condition from medical literature. This summary is stored to improve future responses for anyone asking about the same topic. Your name, account, health profile, and the fact that you asked the question are never included in or linked to the knowledge unit.
We will never use your identifiable health or fitness information to train AI models without your explicit, informed consent. Anonymized, aggregated interaction patterns (such as which topics are most frequently asked about) may be used to prioritize product improvements.
4. Trainer-Client Data Flow (Harley AI)
4.1 What Trainers Can See
Trainers can view their own clients' workout logs, nutrition logs (if used), wearable data summaries (if connected), and progress metrics.
4.2 What Trainers Cannot See
Trainers cannot view other trainers' client data, client conversations with Harley AI (unless shared by the client), or client data from other platforms.
4.3 Client Privacy Controls
Clients can view only their own data, disconnect wearable devices at any time, request deletion, and opt out of data sharing with their trainer.
5. Data Security
5.1 Technical Safeguards
| Measure | Description |
|---|---|
| Encryption in Transit | TLS 1.3 for all data transmission between clients, servers, and third-party APIs |
| Encryption at Rest | Database-level encryption for PostgreSQL and Redis datastores. Application data files (e.g., exported trainer data) are stored on access-controlled infrastructure but are not individually encrypted at the application layer. We are actively working toward full application-level encryption at rest. |
| Password Hashing | bcrypt with salting |
| Access Controls | Role-based access with JWT-based authentication; multi-factor authentication via Auth0 |
| Tenant Isolation | User-scoped data access at both application and storage layers, preventing cross-tenant data leakage |
5.2 Organizational Safeguards
- Limited employee access to personal data
- Incident response procedures
- Regular security audits and vulnerability assessments
5.3 Data Breach Notification
- EU Users (GDPR): Supervisory authority notified within 72 hours; affected individuals notified without undue delay.
- India Users (DPDP Act): Data Protection Board and affected individuals notified without delay.
- US Users: Compliance with applicable state breach notification laws.
- All Users: Notification via email and in-app with details of the breach, data affected, and remediation steps.
5.4 Limitations
While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security of your data.
6. Information Sharing
6.1 Service Providers
| Provider Category | Purpose | Safeguards |
|---|---|---|
| Cloud Infrastructure | Hosting, storage | Data processing agreements |
| AI Providers (Google Vertex AI) | Query processing | Zero Data Retention, contractual protection |
| Payment Processor (Stripe) | Subscription billing | PCI-DSS compliant |
| Cloudflare (CDN, Pages, DNS) | Content delivery, static site hosting, DDoS protection, DNS | IP addresses, request metadata, and static page requests. Cloudflare Pages hosts the frontend applications for Asha and Harley. |
| Wearable APIs (Whoop) | Device sync | User-initiated OAuth, revocable |
| Food Databases (Open Food Facts, USDA) | Nutrition lookup | Search queries only, no personal data |
| Authentication (Auth0) | Identity management | Enterprise data protection agreement |
All providers are bound by data processing agreements and are prohibited from using your data for their own purposes.
6.2 Legal Requirements
We may share information if required by valid legal process (subpoena, court order), to protect rights, property, or safety, or to investigate fraud or security issues.
6.3 We Will NEVER Share With
- Advertisers or ad networks
- Data brokers
- Insurance companies
- Employers (without your explicit consent)
7. Cookies and Tracking
- Essential Cookies: Required for authentication and session management. Cannot be disabled.
- Analytics: Anonymized usage analytics to improve the service. Can be disabled in product settings.
- No Advertising Cookies: We do not use advertising cookies, tracking pixels, or third-party advertising technology.
- No Cross-Site Tracking: We do not track you across other websites.
8. Your Rights
8.1 All Users
- Access: Request a copy of all data we hold about you in a machine-readable format.
- Correction: Update or correct your information at any time.
- Deletion: Delete your account and all associated data. Account info deleted within 30 days; conversations deleted immediately; anonymized analytics retained.
- Export: Receive your data in a portable format.
- Disconnect: Revoke third-party device and service access.
- Opt Out: Opt out of non-essential data processing and communications.
8.2 EU Users (GDPR)
- Legal Basis: We process data based on consent, contractual necessity, and legitimate interests (GDPR Articles 6 and 9).
- Right to restriction of processing, right to object, right to withdraw consent at any time.
- Right to lodge a complaint with your local data protection authority.
- Data Protection Officer: dpo@dnai.systems
8.3 California Users (CCPA/CPRA)
- Right to know what personal information is collected.
- Right to delete personal information.
- Right to opt out of the "sale" of personal information. We do not sell data.
- Right to non-discrimination for exercising privacy rights.
8.4 India Users (DPDP Act 2023)
- DNAi Systems acts as the Data Fiduciary under the Digital Personal Data Protection Act, 2023.
- Rights to access, correction, erasure (subject to legal retention), and consent withdrawal.
- Right to nominate a representative.
- Grievance Officer: grievance@dnai.systems
- This notice is available in other languages upon request per the Eighth Schedule to the Constitution of India.
8.5 US HIPAA Considerations
DNAi products are wellness tools and not "Covered Entities" under HIPAA. However, we maintain technical safeguards informed by HIPAA standards (TLS 1.3 in transit, database-level encryption at rest, access controls, audit logging, Business Associate Agreements with applicable providers) as part of our Privacy by Design commitment.
8.6 How to Exercise Your Rights
Email privacy@dnai.systems with subject "Data Request — [Your Request Type]". We will respond within 30 days.
9. International Data Transfers
Your data may be processed in the United States and the European Union (via compliant providers). When transferring data internationally, we use Standard Contractual Clauses (EU), Data Processing Agreements, and compliance with local data protection laws.
10. Children's Privacy
Asha is not intended for users under 18. Harley AI is not intended for users under 16. We do not knowingly collect personal information from children below these age thresholds. Users between 16 and 18 (Harley) require parental consent. If you believe we have collected information from a child, contact us immediately at privacy@dnai.systems.
11. De-Anonymization Safeguards
We use industry-standard k-anonymization and differential privacy techniques to ensure that retained analytics cannot be re-linked to an individual. Our anonymization processes are designed to prevent re-identification even when combined with external data sources.
12. Data Retention Summary
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Health profile / Fitness data | Until account deletion |
| Wearable data | Until device disconnected or account deletion |
| Conversations (Asha) | Until you delete them |
| Conversations (Harley) | 1 year, then anonymized |
| Usage analytics | 90 days, then anonymized |
| Server logs | 30 days |
| Payment records | As required by tax law (typically 7 years) |
| Anonymized data | Indefinitely (cannot be linked to you) |
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email, in-app notification, and banner on the website at least 30 days before taking effect. The "Last Updated" date at the top indicates the most recent revision. Continued use constitutes acceptance.
14. Contact Information
| Purpose | Contact |
|---|---|
| Privacy inquiries / Data requests | privacy@dnai.systems |
| General support | support@dnai.systems |
| Harley support | harley@dnai.systems |
| Data Protection Officer (EU) | dpo@dnai.systems |
| Grievance Officer (India) | grievance@dnai.systems |
Quick Reference
| Question | Answer |
|---|---|
| Do we sell your data? | No, never. |
| Do we share with advertisers? | No, never. |
| Can you delete your data? | Yes, at any time. |
| Is your data encrypted? | Yes, in transit (TLS 1.3) and at rest (AES-256). |
| Who can see your health information? | Only you and our systems. |
| Do we use your data for ads? | No, never. |