Privacy Policy

Krama by Niyama Digital Healthcare Limited

Effective Date: 22 May 2026
Last Updated: 22 May 2026

Your privacy matters to us. Krama is a digital self-care and mental well-being application that handles sensitive personal and health data. This Privacy Policy explains, clearly and completely, what data we collect, why we collect it, how we use and protect it, and what rights you have as a Data Principal under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and other Applicable Laws in India. 

1. Introduction and Scope

1.1 Niyama Digital Healthcare Limited (“Niyama”, “we”, “our”, or “us”), a company incorporated under the Companies Act, 2013, owns and operates the mobile application Krama (“Krama”, “App”, or “Service”). Krama is a digital self-care and well-being platform delivering AI-guided psychoeducation and structured self-care content grounded in evidence-based therapeutic frameworks. 

1.2 This Privacy Policy (“Policy”) applies to all personal data collected by Niyama when you: 

  • Download, install, or access the Krama application. 
  • Register for an account and use any feature of the Service. 
  • Interact with our AI-guided sessions, chatbot, or content modules. 
  • Contact us through any channel, including support or grievance communications. 

1.3 This Policy must be read together with our Terms and Conditions, available at https://krama.care/privacy-policy/. By using Krama, you provide your free, specific, informed, unconditional, and unambiguous consent to the processing of your personal data as described in this Policy, in accordance with the DPDP Act. 

1.4 If you do not agree with this Policy, please do not use Krama.

2. Key Definitions

Unless the context otherwise requires, the following terms have the meanings set out below: 

  • “Data Fiduciary” means Niyama, as the entity that determines the purpose and means of processing your personal data. 
  • “Data Principal” means you, the individual whose personal data is being processed. 
  • “DPDP Act” means the Digital Personal Data Protection Act, 2023, and the rules made thereunder. 
  • “Personal Data” means any data about an individual who is identifiable by or in relation to such data. 
  • “Sensitive Personal Data” includes data related to mental health, psychological state, biometric data, and health conditions, which attract heightened protection under Applicable Law. 
  • “User Content” means any data, text, messages, journal entries, mood logs, assessment responses, or other information that you input, upload, or transmit through Krama. 
  • “LLM” means a Large Language Model, the AI technology used by Krama to power its conversational interface. 
  • “Applicable Law” means all laws, statutes, rules, regulations, notifications, circulars, guidelines, and judicial pronouncements applicable in India, including the DPDP Act, the Information Technology Act, 2000, and the Intermediary Rules. 

3. Personal Data We Collect

3.1 Data You Provide Directly 

  • Registration data: name, email address, mobile number, date of birth, and gender, provided when you create your account. 
  • User Content: mood logs, journal entries, responses to self-assessment questionnaires, goal-tracking entries, values exercises, and messages exchanged with the Krama app. 
  • Health and well-being data: self-reported mental health status, emotional states, psychological symptoms, and lifestyle information that you choose to share within the App. 
  • Communications: messages you send to our support team or Grievance Officer. 
  • Payment information: where applicable, transaction references and partial payment card details (we do not store your full card number, CVV, or PIN).

3.2 Data Collected Automatically 

  • Device and technical data: device type, operating system and version, app version, unique device identifiers, IP address, and mobile network information. 
  • Usage and behavioral data: session start and end times, features accessed, content modules engaged with, navigation patterns within the App, and in-app events. 
  • Crash and diagnostic data: error logs, performance metrics, and diagnostic information to enable us to identify and fix technical issues. 
  • Log data: server-side logs recording interactions with our APIs, timestamps, and request metadata. 

3.3 Data We Do Not Collect 

Krama does not, and will not: 

  • Access your device contacts, camera, microphone, or location unless you explicitly grant permission for a specific feature that requires it, in which case the purpose will be disclosed at the point of permission request. 
  • Collect biometric data such as fingerprints or facial recognition data. 
  • Collect data from minors. Krama is not directed at individuals below 18 years of age. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. 

4. How We Use Your Personal Data

The table below summarizes the categories of personal data we process, the purposes for which they are used, and the legal basis under the DPDP Act:  

| Category of Personal Data | Purpose of Processing | Legal Basis (DPDP Act) |
|---|---|---|
| Registration data (name, email, phone, date of birth, gender) | Account creation, authentication, subscription management | Consent (s.6); Legitimate uses (s.7) |
| User Content (mood logs, journal entries, assessment responses, chat messages) | Delivering personalised sessions, tracking progress, improving clinical safety guardrails | Consent (s.6) |
| Health and well-being data (self-reported mental health information) | Personalizing content, clinical safety messaging, program delivery | Explicit Consent (s.6) for sensitive personal data |
| Device and technical data (IP address, device identifiers, OS, app version, crash logs) | Security, fraud prevention, technical maintenance, analytics | Legitimate uses (s.7) |
| Usage and behavioral data (session duration, feature interactions, navigation patterns) | Product improvement, AI model evaluation (aggregated/de-identified only) | Legitimate uses (s.7); Consent (s.6) |
| Payment data (transaction reference, last 4 digits of card; no full card data stored) | Payment processing, subscription management, dispute resolution | Contractual necessity; Legitimate uses (s.7) |
| Communications data (support messages, grievance communications) | Responding to queries, grievance resolution, legal compliance | Legitimate uses (s.7); Legal obligation (s.7) |

4.1 AI Model Training: We will never use your identifiable personal data, or identifiable User Content, to train our AI models or any third-party AI or Large Language Model. Where User Content is used for AI improvement purposes, it will first be irreversibly de-identified or pseudonymized, and only aggregated or synthetic data will be used. 

4.2 Marketing Communications: We may send you service-related communications (such as updates, feature releases, or safety alerts) and, with your separate consent, promotional communications. You may withdraw your consent to marketing communications at any time by using the unsubscribe link in any email or by updating your preferences in the App settings.

5. Disclosure and Sharing of Personal Data

5.1 We do not sell your personal data. We do not share your personal data with third parties for their independent marketing purposes. 

5.2 We may disclose your personal data to the following categories of recipients, strictly as necessary for the purposes set out in this Policy:  

| Recipient Category | Purpose | Safeguards |
|---|---|---|
| LLM / AI service providers | Processing conversational inputs to generate responses | Data processing agreements; no training on identifiable data; encryption in transit |
| Cloud hosting and infrastructure providers | Secure storage and computation | ISO 27001 / SOC 2 certified providers; data residency in India where required |
| Payment gateway providers | Processing subscription payments | PCI-DSS compliant; tokenization; Niyama does not store full card details |
| Analytics providers | Aggregated product analytics and crash reporting | Pseudonymised/aggregated data only; no sharing of health content |
| Legal, regulatory, and law enforcement authorities | Compliance with court orders, government directives, or legal obligations | Disclosed only as required by Applicable Law; minimized to the extent permissible |
| Successor entities (merger / acquisition) | Business continuity in the event of a corporate transaction | Subject to equivalent privacy obligations; users notified in advance where feasible |


5.3 All third-party service providers with whom we share personal data are required to maintain the confidentiality and security of that data and to process it only for the specific, limited purposes for which it is shared, under contractual obligations that are no less protective than those set out in this Policy. 

5.4 If we are involved in a merger, acquisition, or restructuring, your personal data may be transferred to the successor entity. We will provide you with notice before your personal data is transferred and becomes subject to a materially different privacy policy. 

6. Sensitive Health and Mental Well-Being Data

6.1 Krama by its nature processes sensitive personal data, including self-reported mental health status, emotional experiences, psychological assessments, and well-being information. We treat this category of data with the highest degree of care, in accordance with our obligations under the DPDP Act and other Applicable Law. 

6.2 We apply the following additional safeguards specifically to sensitive personal data: 

  • Explicit, granular consent is obtained before processing mental health or well-being data. 
  • Access to sensitive data within Niyama is strictly role-limited and governed by access control policies. 
  • Sensitive data is encrypted both in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent). 
  • Sensitive data is never used in identifiable form for AI training, analytics outside of service delivery, or any commercial purpose. 
  • Retention of sensitive data is limited to the period strictly necessary for the purpose for which it was collected, or as required by Applicable Law. 

6.3 Krama’s conversational AI may detect language that could suggest psychological distress or risk. In such cases, the App provides safety messaging and helpline information. This is a safety guardrail and does not amount to clinical assessment, diagnosis, or therapeutic intervention.

7. Artificial Intelligence and Large Language Model Processing

7.1 Krama’s conversational interface is powered by a Large Language Model (“LLM”) operated under contractual arrangements with one or more third-party AI providers. When you interact with the Krama chatbot, your inputs (messages) are transmitted to the LLM provider solely to generate a response. 

7.2 The following safeguards govern LLM processing: 

  • Your data is transmitted to LLM providers only under binding data processing agreements that prohibit the provider from using your data for training their own models or for any purpose other than generating your response. 
  • Data is encrypted in transit. 
  • Conversation data is not stored by the LLM provider beyond the immediate processing session, unless otherwise required by our contractual terms (in which case such retention is time-limited and subject to the same confidentiality obligations). 

7.3 You acknowledge that AI is a developing technology and that AI-generated responses, while subject to clinical safety guardrails, may not always be accurate, complete, or suitable. You must not rely on AI-generated outputs for any medical, clinical, legal, or financial decision. 

8. Data Retention

8.1 We retain your personal data only for as long as is necessary to fulfil the purpose for which it was collected, or as required by Applicable Law, whichever is longer. The following indicative retention periods apply: 

  • Account and registration data: retained for the duration of your account and for 3 (three) years following account deletion, or as required by any Applicable Law. 
  • User Content (mood logs, journal entries, chatbot conversations): retained for the duration of your account and for up to 1 (one) year following account deletion, unless you request earlier deletion. 
  • Health and well-being data: retained for the duration of your account and for such period as is required by applicable health records or data protection regulations, subject to any valid request for deletion by you. 
  • Payment and transaction records: retained for 8 (eight) years or as otherwise required by applicable tax, financial, or consumer protection law. 
  • Support and grievance communications: retained for 3 (three) years from the date of resolution, or as required by Applicable Law. 

8.2 Upon expiry of the applicable retention period, personal data will be securely deleted or anonymized in a manner that renders re-identification impossible. Anonymized or aggregated data, from which you cannot be identified, may be retained indefinitely for analytical, research, or product improvement purposes. 

8.3 If you delete your account, we will initiate deletion of your personal data within 30 (thirty) days of the account deletion request being processed, subject to retention obligations under Applicable Law. 

9. Your Rights as a Data Principal

9.1 Under the DPDP Act and other Applicable Law, you have the following rights in respect of your personal data processed by us: 

9.1.1 Right to Access and Information 

You have the right to obtain from us a summary of the personal data we hold about you and the processing activities being carried out in respect of that data. You may exercise this right by submitting a request to our Grievance Officer. 

9.1.2 Right to Correction and Completion 

You have the right to request that we correct inaccurate, outdated, or incomplete personal data that we hold about you. You may update certain information directly through the App settings. 

9.1.3 Right to Erasure 

You have the right to request the erasure of your personal data that is no longer necessary for the purposes for which it was collected, subject to any overriding legal obligation requiring us to retain it. 

9.1.4 Right to Withdraw Consent 

Where our processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal. If you withdraw consent for processing that is necessary for the provision of the Service, we may not be able to continue to provide you with the Service or certain features of it. 

9.1.5 Right to Grievance Redressal 

You have the right to raise a grievance regarding our processing of your personal data and to have it addressed within the timelines prescribed under the DPDP Act (see Section 13 below). 

9.1.6 Right to Nominate 

You have the right to nominate another individual who may exercise your rights in the event of your death or incapacity, in accordance with the procedures specified under the DPDP Act. 

9.2 To exercise any of the above rights, please contact our Grievance Officer at grievance@krama.care. We will respond within the timelines prescribed under the DPDP Act and, in any event, within 30 (thirty) days of receipt of a valid request. 

9.3 If you are not satisfied with our response, you may escalate your grievance to the Data Protection Board of India, once constituted and operational under the DPDP Act. 

10. Data Security

10.1 We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include: 

  • Encryption of data in transit using TLS 1.2 or higher. 
  • Encryption of data at rest using AES-256 or equivalent industry-standard encryption. 
  • Role-based access controls limiting access to personal data to authorized personnel on a need-to-know basis. 
  • Regular security assessments, vulnerability scanning, and penetration testing. 
  • Security monitoring, logging, and incident response procedures. 
  • Employee training on data protection and security obligations. 

10.2 While we take all reasonable and appropriate steps to secure your personal data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security. In the event of a personal data breach that is likely to affect your rights and interests, we will notify you and the relevant authorities as required by the DPDP Act and other Applicable Law. 

10.3 You are responsible for maintaining the security of your Account credentials. Please notify us immediately at support@krama.care if you suspect any unauthorized access to your Account.

11. Cookies, Analytics, and Tracking Technologies

11.1 Krama, as a mobile application, does not use browser cookies. However, we may use the following technologies to collect usage and analytics data: 

  • Mobile analytics SDKs: to collect aggregated and pseudonymized data about App performance, crash frequency, and feature usage. 
  • Device identifiers: such as advertising IDs (with your consent, where required by Applicable Law) or internal App identifiers for analytics and fraud prevention. 
  • Attribution tools: to understand how you discovered and installed Krama, to attribute downloads to marketing campaigns. 

11.2 You may opt out of analytics tracking at any time through the App settings. Please note that opting out of analytics will not affect your ability to use the core features of Krama.

12. Children’s Privacy

12.1 Krama is not directed at, and is not intended to be used by, individuals below 18 (eighteen) years of age. We do not knowingly collect personal data from minors. 

12.2 If you believe that we may have inadvertently collected personal data from a minor, please contact us immediately at support@krama.care. Upon confirmation, we will promptly delete such data and, where appropriate, notify the relevant authorities.

13. Grievance Officer and Contact Details

13.1 In compliance with the DPDP Act, the Information Technology Act, 2000, and the Intermediary Rules, we have appointed a Grievance Officer who is responsible for addressing your privacy-related concerns. 

 

You may contact our Grievance Officer at:

 

Name: Mr. Prabhakar Govindarajan 

Designation: Grievance Officer, Niyama Digital Healthcare Limited. – U85300TN2022PTC153899 

Address: Registered Office Address- Jaya Krishna, 29/11 Yogambal St, T.Nagar, Chennai 600017.  

Email:  grievance@krama.care.in 

Phone: +91 83003 83004 

Working Hours: Monday to Friday, 10:00 AM to 6:00 PM IST 

 

13.2 The Grievance Officer will acknowledge your complaint within 24 (twenty-four) hours of receipt and will endeavor to resolve it within 15 (fifteen) days of receipt, in compliance with the Intermediary Rules. For grievances relating to personal data, we will respond within the timelines prescribed under the DPDP Act. 

 

13.3 If you are not satisfied with the response of the Grievance Officer, you may escalate your complaint to: 

  • The Grievance Appellate Committee constituted under the Intermediary Rules. 
  • The Data Protection Board of India, once constituted and operational under the DPDP Act. 
  • Any other competent authority under Applicable Law. 

14. Cross-Border Data Transfers

14.1 Krama is operated by Niyama Digital Healthcare Limited, an Indian company, and we process personal data primarily within India. 

14.2 In limited circumstances, personal data may be transferred to and processed in countries outside India, where our LLM or cloud infrastructure providers operate servers in other jurisdictions. Any such transfer will be: 

  • Carried out only to countries notified by the Central Government of India as providing adequate data protection, or under contractual arrangements that ensure an equivalent level of protection to that provided under the DPDP Act. 
  • Subject to data processing agreements with the receiving entity that impose obligations no less protective than those in this Policy. 

14.3 By using Krama and consenting to this Policy, you consent to any such cross-border transfer of your personal data, where it occurs, subject to the safeguards described above.

15. Updates to This Privacy Policy

15.1 We may update this Privacy Policy from time to time to reflect changes in our data practices, legal obligations, or the features of Krama. Material changes will be communicated to you through the App, by email to the address associated with your account, or by other reasonable means, at least 7 (seven) days prior to the effective date of the change, where feasible. 

15.2 Your continued use of Krama after the effective date of a revised Privacy Policy constitutes your acceptance of the revised Policy. If you do not agree with the revised Policy, you must stop using Krama and delete your account. 

15.3 We encourage you to review this Policy periodically. The “Last Updated” date at the top of this Policy indicates when it was most recently revised. 

16. Governing Law

This Privacy Policy is governed by and shall be construed in accordance with the laws of India. Any disputes arising in connection with this Policy shall be subject to the dispute resolution mechanism and jurisdiction as set out in the Terms and Conditions of Krama. 

17. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices, please contact:

  

Niyama Digital Healthcare Limited Registered Office Address

Jaya Krishna, 29/11 Yogambal St, T.Nagar, Chennai 600017. CIN: U85300TN2022PTC153899.  

 

Email (General Queries): support@krama.care  

Email (Legal): legal@krama.care 

Email (Grievance Officer): grievance@krama.care 

Phone: +91 83003 83004. 

Website: www.krama.care