Privacy Policy
This Privacy Policy describes how Chidvilas Life (“we”, “us”) collects, uses, and protects your personal data when you use the Chidvilas Life mobile application (the “App”). The App is a private, invite-only media archive for the Chidvilas spiritual community and is not available to the general public.
1. Who this policy applies to
You must be invited by an existing community administrator to use Chidvilas Life. By creating an account and signing in, you agree to this Privacy Policy. If you do not agree, do not create an account.
2. What we collect
Information you provide
- Account information — email address, display name, and a password (stored only as a salted hash by AWS Cognito; we never see your plaintext password).
- Profile photo — if you choose to upload one.
- Reactions and reflections — emoji reactions you tap and any reflections you write on daily teachings or media items.
Information collected automatically
- Listening history — which audio tracks you listened to and your playback progress, so you can resume where you left off.
- Device and diagnostic data — device model, operating system version, app version, and anonymised crash logs, used only for debugging and stability.
- IP address — used at the moment of a request for delivery and rate-limiting; not stored beyond standard server logs.
3. How we use your information
- To authenticate you and keep your session secure.
- To deliver and personalise the App experience (e.g. resuming playback, showing your reflection history).
- To diagnose crashes and improve stability.
- To send invitation, password-reset, and other transactional emails.
We do not use your data for advertising. We do not sell or share your personal information with third parties for commercial purposes. We do not track you across other apps and websites.
4. Third-party service providers
We use the following providers as data processors. Each acts on our behalf and is bound by its own privacy and security commitments.
| Provider | Purpose | Data sent |
|---|---|---|
| Amazon Web Services — Cognito | Authentication and password management | Email, display name, hashed password |
| Amazon Web Services — S3 / CloudFront | Media storage and delivery | Profile photo, IP address (for delivery) |
| Amazon Web Services — RDS (PostgreSQL) | Application database | Display name, listening history, reactions, reflections |
| Amazon Web Services — SES (or SendGrid) | Transactional email | Email address, name |
| Google Firebase Crashlytics | Crash reporting | Device model, OS version, anonymised stack traces (no personal content) |
| Apple App Store / Google Play Store | App distribution | Subject to Apple's and Google's own privacy policies |
Most data is stored in AWS's Asia Pacific (Mumbai) region. Crash reports are processed by Google globally.
5. Apple App Store data categories
For the iOS App Store privacy nutrition labels:
- Contact info — email, name (linked to identity)
- User content — profile photo, reflections, reactions (linked to identity)
- Identifiers — internal user ID (linked to identity; not used for tracking, not an advertising identifier)
- Usage data — listening history, reactions, in-app navigation (linked to identity, not used for advertising)
- Diagnostics — crash logs (not linked to identity)
We do not collect: precise location, health or fitness data, financial information, browsing history outside the App, contacts, or advertising identifiers. We do not use any data for “tracking” as Apple defines that term.
6. Data retention
- Account data — retained for the duration of your account plus up to 24 months after account closure for legal and audit purposes.
- Cognito credentials — refresh tokens valid for up to 10 years from last sign-in; deleted when your account is deleted.
- Profile photos — retained until you replace them or delete your account.
- Crash reports — auto-expire after 90 days per the provider's defaults.
- Server logs — retained up to 24 months.
7. Your rights
Depending on where you live, you may have the following rights over your personal data:
- EU / EEA (GDPR) — access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent. Lawful bases: consent (granted at sign-up) and contract performance.
- California (CCPA / CPRA) — right to know, delete, correct, and opt out of any “sale” or “sharing”. We do not sell or share personal information.
- India (DPDP Act 2023) — withdraw consent, request correction or erasure, nominate a representative.
To exercise any of these rights, email privacy@chidvilas.org. We respond within 30 days, or sooner where required by your local law.
8. Children's privacy
Chidvilas Life is intended for adult members of a private spiritual community. The App is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.
9. Security
Personal data is encrypted in transit (TLS) and at rest (AES-256). Passwords are stored only as salted hashes by AWS Cognito. Access to backend systems is restricted to authorised administrators and audited.
10. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent change. Material changes will be communicated through the App or by email.
11. Contact
For privacy-related questions or requests, email privacy@chidvilas.org. For general support, email support@chidvilas.org.