Privacy & Data Policy
Effective date: 1 May 2025 · Last updated: 9 May 2025
This Privacy Policy describes how Bodha Labs Ltd. ("we", "our", "us") collects, uses, and protects personal data across Bodha App (bodhaapp.com) and Pivot by Bodha (pivot.bodhaapp.com) (together, the "Platform"). It applies to all users worldwide and includes specific sections for users in the EU/EEA, India, California, and Brazil.
1. What Data We Collect
- Account data: name and email address (when provided or used for magic-link login).
- Journey & career data: reflections, values, goals, experiments, and narrative inputs you submit through the platform.
- Organisation data: employer or programme name, cohort membership (for organisation accounts).
- Usage data: page visits, feature interactions, browser type, device type, and IP address.
- Session data: authentication tokens and session identifiers.
We do not intentionally collect special-category data (health, race, religion, political opinions, etc.). Please avoid including such information in free-text fields.
2. Use of AI Services
The Platform uses large language model (LLM) providers — currently OpenAI and/or OpenRouter (routing to models such as Google Gemini, Mistral, Meta Llama, and others) — to generate career insights and facilitate guided journeys. Your text inputs are transmitted to these providers to produce responses.
Important: do not enter names, contact details, government IDs, financial information, health data, or other directly identifying information in free-text fields. Bodha Labs Ltd. remains the data controller for your stored journey data. Transient AI processing is governed by each provider's own privacy policy (OpenAI / OpenRouter).
3. AI Transparency & Automated Processing
In compliance with the EU AI Act (Regulation (EU) 2024/1689) and related principles:
- You are always interacting with an AI system, not a human advisor. The platform clearly identifies itself as AI-powered.
- AI-generated career insights are informational only and do not constitute professional career, legal, or financial advice.
- No fully automated decision carries legal or similarly significant effects on you without a human in the loop.
- You may request a human review of any AI-generated output by contacting privacy@bodhaapp.com.
- We maintain logs of AI model versions and prompts used to generate outputs for auditability purposes.
4. Analytics & Cookies
We use analytics tools (e.g. Google Analytics) to measure platform performance using aggregated, pseudonymised data. These tools may set cookies on your device. See our Cookie Policy for full details and opt-out options.
5. Sub-processors & Third-Party Services
| Processor | Purpose | Location |
|---|---|---|
| OpenAI, Inc. | LLM inference | USA |
| OpenRouter (Notdiamond, Inc.) | LLM routing & inference | USA |
| Render Services, Inc. | Cloud hosting & database | USA |
| Zoho Corporation | Transactional email | India / USA |
| Google LLC | Analytics | USA |
All processors are bound by data processing agreements. Transfers outside the EEA are covered by EU Standard Contractual Clauses (SCCs) or equivalent safeguards.
6. Data Retention
- Active account data: retained while your account is active.
- Journey & experiment data: retained for 24 months of inactivity, then deleted.
- Usage/analytics logs: retained for up to 13 months.
- Magic-link tokens: expire after 30 minutes.
You may request deletion or export at any time at privacy@bodhaapp.com.
7. EU/EEA Users — GDPR Rights
Our lawful bases under the GDPR are: consent (analytics, optional features), contractual necessity (registered/org accounts), and legitimate interests (platform security and improvement).
You have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Request erasure ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Request data portability (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with your national supervisory authority
Our Data Protection Officer (DPO) can be contacted at privacy@bodhaapp.com.
8. India Users — DPDPA Rights
Under India's Digital Personal Data Protection Act, 2023 and the 2025 Rules:
- We process your personal data only with your free, informed, specific, and unconditional consent or on other lawful grounds specified in the Act.
- You have the right to access information about your data, correct inaccuracies, erase data, and nominate a representative.
- You have the right to raise grievances and seek redress for any processing concerns.
- The Platform is intended for users aged 18 and above. We do not knowingly process data of children. If a child's data is provided, it will be deleted upon discovery.
- In the event of a data breach affecting your rights, we will notify the Data Protection Board of India and affected users as required.
Grievance Officer (India): privacy@bodhaapp.com. Grievances will be acknowledged within 48 hours and resolved within 30 days.
9. California Users — CCPA / CPRA Rights
Under the California Consumer Privacy Act (CCPA) as amended by the CPRA, California residents have the right to:
- Know what personal information we collect, use, disclose, or sell.
- Delete personal information we have collected, subject to exceptions.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information for cross-context behavioural advertising.
- Limit use of sensitive personal information to necessary purposes.
- Non-discrimination — we will not deny service or charge different prices for exercising your rights.
We do not sell your personal information to third parties for monetary consideration. We do not share personal information for cross-context behavioural advertising.
To submit a CCPA request, email privacy@bodhaapp.com with subject line "California Privacy Request". We will respond within 45 days.
10. Brazil Users — LGPD Rights
Under Brazil's Lei Geral de Proteção de Dados (LGPD), Brazilian users have the right to:
- Confirm the existence of and access your personal data.
- Correct incomplete, inaccurate, or outdated data.
- Request anonymisation, blocking, or deletion of unnecessary or excessive data.
- Request data portability.
- Obtain information about third parties your data has been shared with.
- Revoke consent at any time.
- File a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).
Our legal bases for processing under LGPD include consent, legitimate interest, and contract performance. Contact our DPO at privacy@bodhaapp.com for any request.
11. Organisation Accounts (Pivot by Bodha)
For organisation accounts, the organisation acts as data controller for its members' data and Bodha Labs Ltd. acts as data processor under a Data Processing Agreement (DPA). Administrators are responsible for managing member access and ensuring compliance with applicable law.
Organisations must not upload personally identifiable information about members in AI prompt fields. Cohort data is accessible only to authorised mentors and admins.
To request a DPA, contact privacy@bodhaapp.com.
12. Contact & Complaints
Data Protection Officer / Grievance Officer: privacy@bodhaapp.com
EU supervisory authorities: contact your national data protection authority.
India: Data Protection Board of India (once operational). Brazil: ANPD — gov.br/anpd. California: California Privacy Protection Agency — cppa.ca.gov.