Hello Aria Privacy Policy

Effective Date: November 12, 2025

Entity: Realityrift Innovations Private Limited ("Realityrift", "we", "us", "our")

Product: Hello Aria — AI‑enabled productivity platform (multi-channel access + web dashboard + optional voice)

Quick Summary (Plain‑English)

We collect only what we need to run Hello Aria (e.g., your phone number, login details, tasks/reminders you create, and limited diagnostics).
We do not sell your personal data.
We do not use your personal data to train public, third‑party AI models.
Messages you send to Hello Aria over channels like WhatsApp are received and processed by us to provide the service (e.g., turn a message into a reminder). Do not share highly sensitive information in chat.
You can access, correct, export, or delete your data at any time by contacting info@realityrift.co.

1) Scope & Who We Are

This Privacy Policy explains how Realityrift processes personal data when you use Hello Aria via chat channels (e.g., WhatsApp/Telegram/SMS), the web dashboard, mobile or desktop apps, and optional integrations (e.g., Google/Microsoft). This Policy primarily addresses Indian law (Digital Personal Data Protection Act, 2023 — DPDP), and also describes rights under the EU/UK GDPR and California CPRA/CCPA where applicable.

Controller vs Processor.

For individual users, Realityrift is the data controller.
For enterprise customers, we act as a data processor on behalf of the organization (controller). A Data Processing Addendum (DPA) is available on request.

2) What We Collect

We collect the minimum data necessary for Hello Aria to function and to improve reliability and security.

A. Data you provide directly

Account identifiers: phone number, name, and (if you choose) email.
Task content: reminders, to‑dos, notes, tags, lists, due dates, attachments you upload.
Support messages: when you contact support.
Consent records: opt‑ins for specific features, marketing, or integrations.

B. Data we receive via chat channels

Message content sent to Hello Aria (including text, voice notes, images, files) so we can create tasks, reminders, summaries, and automations.
Channel metadata: message timestamps, delivery status, and channel IDs (e.g., WhatsApp number).

Important:

Unlike person‑to‑person chats, messages to a business service (Hello Aria) may be available to the business via the channel's API to deliver the service. We process your messages to operate Hello Aria's productivity features. Avoid sending passwords, full card numbers, government IDs, or other highly sensitive information.

C. Data from integrations (optional)

Enabled only if you connect them and with granular consent.

Google (e.g., Calendar, Drive, Gmail/Compose): event titles/times/IDs, files you select, draft content you ask Aria to prepare/send, and related metadata required to fulfill your request.
Microsoft (e.g., Outlook Calendar/Mail, OneDrive): similar categories as above.
Payments (e.g., Razorpay, PayPal): payer name, contact info, plan, and transaction metadata (we do not store full card or UPI credentials).

D. Device, usage & website data

Device/diagnostics: device type, OS, app version, crash/error logs.
Usage: feature interactions, frequency, and performance metrics.
Web: cookies or local storage for session management, preferences, analytics.

We do not intentionally collect special categories of data (e.g., health, biometrics) and ask you not to share such data in chat unless a feature explicitly requires it and you consent.

3) Why We Process Your Data (Purposes & Legal Bases)

Provide the service (contract/consent): create reminders, to‑dos, notes; send notifications; enable dashboard and voice; process integrations you enable.
Security & abuse prevention (legitimate interests/legal obligation): detect fraud/abuse, protect accounts, maintain audit logs.
Improve reliability & features (legitimate interests/consent): aggregated analytics, debugging, user research.
Communications (contract/consent): service messages (e.g., passwordless login codes, reminders). Marketing messages are opt‑in and you can opt out anytime.
Legal compliance: tax, accounting, law‑enforcement requests as required by applicable law.

We do not use your personal data for interest‑based advertising. We do not sell or share personal data as defined by CPRA/CCPA.

4) AI & Automated Processing

Hello Aria uses automation to interpret your messages (e.g., "remind me at 4 pm"), extract task details, summarize meetings, and draft messages on request.
AI Providers: Our core AI reasoning is provided by OpenAI (USA), Anthropic (USA), and Google Gemini (USA). These providers are contractually bound to not use your data for model training.
We do not use your personal data to train public, third‑party AI foundation models.
We may use de‑identified and aggregated analytics to improve quality (e.g., success rates of reminder parsing).
Human review is limited to troubleshooting, safety, abuse prevention, research with consent, or as required by law.

5) Channel‑Specific Notes (e.g., WhatsApp)

When you message Hello Aria on a channel like WhatsApp or Telegram, we receive your messages via that platform's Business/API interface to operate the service. Messages are encrypted in transit; they are processed by our systems to fulfill your requests.
Each channel has its own terms and policies (e.g., WhatsApp Business Solution Terms). Your use of those channels is also governed by their privacy policies.

6) Integrations

Google User Data (Limited Use)

We comply with Google's API Services User Data Policy (including the Limited Use requirements):

Access is scoped and consent‑based; we request only what is necessary.
Data is used solely to provide the requested features (e.g., add calendar events, read file names you select, generate drafts you ask for).
No human review of Gmail content except with your consent, for security, to comply with law, or to diagnose service issues.
No transfer to third parties except as necessary to provide the features, comply with law, or with your consent.
No use for ads.
You can revoke access anytime in your Google Account's security settings.

Microsoft Data

We comply with Microsoft's applicable API Terms/Policies:

Access is scoped and consent‑based; used only to deliver requested features (e.g., create calendar events, prepare drafts you ask for).
No use for ads; revoke access in your Microsoft account settings at any time.

7) Data Sharing & Disclosures

We share personal data only as needed to run Hello Aria or as required by law:

Service providers / subprocessors: cloud hosting, databases, analytics, error monitoring, communications, customer support, payments. These providers are bound by confidentiality and data‑processing terms. A current list is available on request.
Enterprise customers: if your account is provisioned by your employer, certain administrators may access usage and workspace data under your organization's policies.
Legal: to comply with court orders/lawful requests, enforce terms, or protect rights/safety.
Business transfers: in a merger, acquisition, or asset sale, subject to this Policy's protections.

We do not sell personal data.

8) International Data Transfers

We may process data in countries where we or our providers operate. When transferring personal data internationally, we use appropriate safeguards (e.g., contractual protections such as Standard Contractual Clauses where applicable). Storage regions may vary by provider.

9) Retention

We keep personal data only as long as needed for the purposes in this Policy, then delete or anonymize it. Typical retention:

Category	Typical Retention
Account identifiers (phone, email, name)	While account is active + up to 12 months for security/audit/backups
Task/reminder content & attachments	Until you delete them or close your account; backups may persist up to 30–45 days
Channel message content processed by Aria	Transient processing; if turned into tasks, stored as above; raw logs typically ≤ 30 days
Integration tokens (Google/Microsoft)	Until you revoke/disable the integration or close your account; short‑lived tokens auto‑expire
Payment records (metadata)	As required by tax/accounting laws (typically 5–8 years)
Security/audit logs	90 days (unless needed longer for investigation/legal reasons)

If an enterprise contract specifies different retention, we follow that contract.

10) Security

We apply layered technical and organizational measures including:

Encryption in transit (TLS) and at rest for stored data.
Role‑based access controls, credential management, device protections.
Environment segregation, vulnerability management, and logging.
Employee confidentiality obligations and least‑privilege access.

No system is perfect; if we learn of a breach affecting you, we will notify you and regulators as required by law.

11) Your Rights

Under India's DPDP Act, 2023

You can: (i) access and confirm processing, (ii) correct and erase personal data, (iii) withdraw consent (where processing relies on consent), (iv) nominate another person to exercise rights in case of death/incapacity, and (v) seek grievance redressal.

Under GDPR (EU/UK)

You may have rights to access, rectify, erase, restrict, object, port, and to not be subject to solely automated decisions with legal/significant effects. Our legal bases are described in Section 3.

Under CPRA/CCPA (California)

You may have rights to know/access, correct, delete, and to opt out of "sale" or "sharing" of personal information (we do not sell/share as defined). You have the right to non‑discrimination for exercising these rights.

Exercising your rights

Email info@realityrift.co from your registered email/number. We may verify your identity before acting. Agents can submit requests with proof of authorization.

12) Children's Data

Hello Aria is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us to delete it.

Parental Responsibility: If a minor accesses Hello Aria, the parent or legal guardian assumes full responsibility for the minor's use of the service, including compliance with our Terms of Service, any content accessed or generated, and any consequences arising from the minor's interactions with the platform. Parents and guardians should supervise their children's use of AI-powered services.

13) Managing Your Data

Download/Portability: request an export (JSON/CSV) of your tasks, reminders, and settings.
Deletion: send an email from your registered address/number to info@realityrift.co with subject "Delete my Hello Aria account". We will confirm deletion timelines and what will be retained in backups or for legal obligations.
Integrations: revoke in Google/Microsoft account settings or in Hello Aria settings (where available).
Marketing opt‑out: email us.

14) Do‑Not‑Track & Signals

Browsers may send "Do‑Not‑Track" or similar signals. We do not respond to these signals at this time; you can manage cookies and permissions in your browser.

15) Changes to This Policy

We may update this Policy to reflect changes in features or laws. We will post updates and, if changes are material, notify you via in‑product notice, email, or chat message before they take effect. The "Effective Date" will be updated accordingly.

16) Contact & Grievance Redressal

Grievance Officer (India):

Realityrift Innovations Private Limited

Hyderabad, Telangana, India

Email: info@realityrift.co

(Include "Privacy Request" in the subject.)

For EU/UK residents, you may also lodge a complaint with your local data protection authority. For California residents, you may contact us using the email above.

17) Definitions (short)

Personal data: information that identifies or can identify a person.
Processing: any operation on personal data (collect, store, use, disclose, delete).
Controller/Processor: as defined by applicable laws (Section 1).
Subprocessor: a third‑party processor engaged by us.

Annex A — Enterprise Processing (Summary)

For enterprise customers, Realityrift processes personal data only on documented instructions from the controller, subject to confidentiality, security, subprocessor controls, breach notification, assistance with data‑subject requests, deletion/return at termination, and audit rights as set out in our DPA.

Annex B — Sensitive Data Guidance (User‑Facing)

Do not send passwords, full payment card numbers, government ID numbers, or medical records in chat. If a feature requires sensitive data, we will present a clear notice and obtain your explicit consent.