Vashist
Privacy Policy

Last updated: June 2026

1. Introduction

Centro de Ayurveda values your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the Vashist platform. This policy complies with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679).

2. Data We Collect

We collect the following categories of information:

  • Personal data: name, email, password (stored as a bcrypt hash, never in plain text).
  • Wellness data: questionnaire results (Prakriti, Vikrutti, Koshta, Guna, Ojas), dietary preferences, personal goals, practice and remedy history. This is self-reported wellness data — it is not clinical medical data.
  • Usage data: AI chat conversations, progress through routines and protocols, platform activity history, community interactions.
  • Technical data: IP address, device type, browser, session identifiers and cookies, access logs.

3. How We Use Your Data

We process your data on the following lawful bases (Art. 6 GDPR): performance of the subscription contract, consent (for optional features such as Mem0 persistent memory), and legitimate interest (security, fraud prevention). We use your data to:

  • Provide and maintain our services (authentication, sessions, subscriptions).
  • Personalise Ayurvedic recommendations and content based on your dosha and history.
  • Communicate with you about your account, updates, and support.
  • Improve and develop new features on the platform (using aggregated or pseudonymised data wherever possible).

4. Data Security

We implement appropriate technical and organisational security measures to protect your personal data, including: SSL/TLS encryption for all communications, secure password storage with bcrypt hashing, JWT tokens with refresh-token rotation, sessions managed in Redis with configurable expiry, restricted personal-data access by authorised staff, and regular security monitoring and backups.

5. Cookies and Similar Technologies

We only use strictly necessary and functional cookies — we do not use advertising cookies or third-party tracking for marketing.

  • Essential cookies (authentication): keep your session active and protect against CSRF. Without these cookies, the platform does not work.
  • Session cookies: store temporary preferences during your visit.
  • Local storage (localStorage): saves language preferences, visual theme, and dismissed-notice state.
  • Internal analytics: we measure aggregated usage metrics (no individual identifiers) to improve the product.

6. Third-Party Sharing

We do not sell or share your personal data with third parties for marketing purposes. We share data only with the subprocessors listed in section 7, who help us operate the platform under data-processing agreements (DPAs). We may also disclose data when required by law or to protect our legal rights.

7. Subprocessors

To deliver the Vashist service, we contract with the following subprocessors. Each one operates under a GDPR-compliant data-processing agreement (DPA). Transfers outside the EEA are protected by the European Commission's Standard Contractual Clauses (SCCs).

Provider | Purpose | Data processed | Region
Hostinger | Application hosting (VPS) and database. | All account and application data. | EU (Lithuania / Netherlands)
Stripe | Payment processing and subscription management. | Email, billing name, last 4 digits of card, transaction history. | EU / US (SCCs)
Resend | Transactional email (verification, password reset, notifications). | Email address and message content. | US (SCCs)
OpenRouter | Routing requests to AI models. | AI conversation messages (without direct personal identifiers where possible). | US (SCCs)
Anthropic (Claude) | Language model for AI chat, embeddings, and gurus. | Messages sent to chat. Anthropic does not train its models on API data. | US (SCCs)
OpenAI (GPT) | Alternative language model and embeddings. | Messages sent to chat. OpenAI does not train its models on API data. | US (SCCs)
Google (Gemini, OAuth, Calendar) | Alternative model, OAuth login (optional), calendar sync (optional). | Only if you enable OAuth/Calendar: Google name, email, calendar events created by Vashist. | US (SCCs)
Mem0 | AI chat persistent memory (PRO users only, when the feature is enabled). | Contextual summaries derived from your conversations (dosha, preferences, topic history). | US (SCCs)
Langfuse | Observability and AI response quality (latency, cost, error flagging). | AI call metadata and prompt/response samples. | EU (Germany) — self-hosted where applicable

This list may change as the infrastructure evolves. We will notify you of material changes 30 days in advance.

8. Data Location and Transfer

The primary database and session cache are hosted in the European Union (Hostinger VPS). Some AI operations, payment processing, and email delivery involve transfers to the United States, always covered by the European Commission's Standard Contractual Clauses (SCCs). We do not transfer data to countries without an adequate level of protection.

9. Your Rights (GDPR Articles 15–22)

Under the GDPR you have the rights below. You can exercise them at any time by contacting us at the email in section 12 — we will respond within 30 days.

  • Right of access (Art. 15): obtain a copy of your personal data.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17 — "right to be forgotten"): request deletion of your data.
  • Right to restriction of processing (Art. 18): request temporary suspension of processing.
  • Right to data portability (Art. 20): receive your data in a structured format and transfer it to another controller.
  • Right to object (Art. 21): object to processing of your data, including AI-based personalisation.
  • Rights regarding automated decisions (Art. 22): Vashist does not make legal decisions based solely on automated processing.
  • Right to lodge a complaint with a supervisory authority: in Portugal, the Comissão Nacional de Proteção de Dados (CNPD).

10. Data Retention

We keep your data only as long as necessary, per the table below, unless a longer legal period applies (e.g., tax obligations).

  • User account: while the account is active. After account deletion, personal data is erased within 30 days.
  • Wellness data (questionnaires, practice history): while the account is active. Deleted with the account.
  • AI conversations: 12 months after the last interaction, unless the user deletes them sooner.
  • Mem0 (PRO persistent memory): erased immediately when the user disables memory or deletes the account.
  • Technical and security logs: 90 days.
  • Billing and tax data: 10 years (Portuguese legal obligation).

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes 30 days in advance through the registered email or by a visible notice on the platform. We recommend that you review this policy regularly.

12. Contact and DPO

To exercise your rights, raise a question, or file a privacy-related complaint, please contact our Data Protection Officer (DPO):

Email: vashist@centrodeayurveda.com
Address: Rua Ernestino Elisiário Antunes, 108 Bicesse. 2645-361 Alcabideche. Portugal