Aara

Privacy Policy

Effective: 5 July 2026 · Version 2.2 · Applies to the Aara Android app (package com.aara.app)

In plain words

1. Who we are

Aara is developed and operated by an independent developer based in Bengaluru, India ("we", "us"). You can reach us at contact@aarahealth.app. This policy explains what data the Aara app handles, where it goes, and the choices you control.

2. The core design: your data stays on your device

Aara is built offline-first. Everything you enter in the app — your name, birthdate, height and weight, health conditions, period dates, symptoms, moods, journal notes, pain map, pill reminders, trying-to-conceive logs, and pregnancy logs — is stored in a local database on your phone.

3. The only times data leaves your device

There are exactly five situations in which any data is transmitted off your phone. Each is optional or clearly visible, and none involves your name.

a. AI chat (Ask Aara)

When you send a question to the AI companion, your question is routed through our secure proxy server to Google's Gemini API to generate a reply. Along with your question, the app always sends your current cycle phase and cycle day so answers are relevant.

The "Personalised AI answers" toggle in Settings is OFF by default — explicit opt-in is required. If you turn it ON, the app additionally sends an anonymised health summary: your PCOS status, listed health conditions, and a short summary of recent moods, symptoms, and flow. You can turn it back off at any time.

Never sent in AI chat: your name, exact age or birthdate, journal notes, medication names, exact temperature readings, or anything that identifies you.

Cross-border processing: Google may process Gemini API requests in data centres outside India. We do not control where Google processes your AI requests.

b. Doctor Prep question generation

When you tap "Generate questions" in Doctor Prep, the app sends an anonymised summary to the same AI service: your age range, BMI category, health conditions, current cycle phase, your top three to five most frequent symptoms (count depends on the Personalised AI toggle), and dominant mood. With Personalised AI ON, it also includes cycle day, PCOS status, mood patterns by phase, and the number (not names) of medications you take. The Doctor Prep PDF itself is generated entirely on your phone.

c. An anonymous install identifier and IP address (rate limiting)

To prevent abuse of the AI service, the app generates one random UUID on first launch and sends it with AI requests for rate limiting. It is random, stored in your phone's secure storage, contains no personal information, and is not linked to your identity or your health data.

Our proxy server also briefly processes your IP address as a fallback rate-limit signal and abuse-prevention measure. IP-based rate-limit counters expire automatically within one hour (burst) and 24 hours (global) and are never linked to your health data or persisted further.

d. Advertising (free tier only)

Free-tier users see banner ads served by Google AdMob on non-sensitive screens only — never in the journal, AI chat, trying-to-conceive, or pregnancy areas. We request non-personalised ads only: your health data is never used for ad targeting and is never shared with AdMob. Like any ad network, Google may process basic device information (such as IP address and device identifiers) for ad delivery, frequency capping, and fraud prevention, governed by Google's privacy policy. Aara Plus subscribers see no ads.

e. Optional encrypted backup and device transfer

If you choose to back up to Google Drive, your data is encrypted on your phone with AES-256-GCM before upload, and stored in your own Google Drive account. We never receive the backup or the key, and we cannot read it. If you transfer Aara to a new phone using the QR transfer feature, your data moves directly between your two devices over your local Wi-Fi network in encrypted form; it never passes through any server.

4. Payments

Aara Plus subscriptions are processed entirely by Google Play Billing. We never see or store your card, bank, or UPI details. Google shares only an anonymous purchase token with the app to confirm your subscription is active.

5. What we never do

6. Your controls

6a. Your rights under the DPDP Act, 2023

India's Digital Personal Data Protection Act, 2023 gives you specific rights with respect to any personal data we may process. We honour them as follows:

These rights are available without charge and without conditions, and exercising them will not reduce your access to the app.

7. Children and teens

Aara is not for children under 13, and the app blocks accounts where the entered birthdate indicates an age under 13. Users aged 13–17 get a restricted teen mode: the AI companion and adult health content are disabled. We encourage parents and guardians of teen users to review this policy with them. Because Aara stores data only on the user's own device and collects no personal data on servers, we do not process children's personal data within the meaning of India's Digital Personal Data Protection Act, 2023.

8. Data retention and security

Your data is retained on your device until you delete it or uninstall the app. AI requests are processed transiently to generate a reply; we do not build profiles from them. Google's handling of Gemini API requests is governed by Google's terms. Proxy rate-limit counters expire automatically within one hour (burst), 24 hours (global), and one calendar month (per install). No method of transmission or storage is perfectly secure, but Aara's design — local-only storage, encryption at rest, no accounts — removes the most common ways health data is exposed.

8a. Data breach notification

If we become aware of a personal data breach affecting your information — for example, a compromise of the proxy server's rate-limit records, or an incident with the Gemini API processor — we will notify the Data Protection Board of India and any affected users within the timelines and in the manner required by the DPDP Act, 2023 and any rules made under it.

9. Grievances and contact (India)

For any privacy question, concern, or grievance, contact us at contact@aarahealth.app. We aim to respond within 7 days, and in any case within the timelines required under applicable Indian law, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023.

9b. Grievance Officer (DPDP Sec 5(8))

Nithin Nagaraj Iyer, Founder, Aara · Bengaluru, India · contact@aarahealth.app. Aims to respond within 7 days.

10. Changes to this policy

If we change this policy, we will update the version number and effective date here and show the updated terms in the app before they apply to you. We will never weaken the core promise — local-only health data — without asking for your explicit consent first.