How we handle data.
With nothing left unsaid.
This is not a standard legal boilerplate. Every section below is written in plain language, with technical precision, because we believe you deserve to understand exactly what happens with your data — not just trust that someone is handling it responsibly.
The short version.
App data (Sattva, KAI) lives on your device. We cannot see it, access it, or recover it.
This website only collects what you submit through the contact form. Nothing else.
No tracking cookies. One functional session cookie (security only). No consent banner needed.
AI features use anonymised IDs. We never know which client your AI query is about.
Backup files are encrypted by your PIN. Without your PIN, no one can open them — including us.
WhatsApp integration opens the WhatsApp app on your device. No data passes through Muladhara.
1. Who we are
The company behind this policy
Muladhara Holistic Technology is a software development company founded by Natural Yogi Noble Srinivasan. We build offline-first applications (Sattva, KAI) and enterprise software solutions.
Our business model is built on delivering complete ownership to our clients — not on managing their data, advertising to them, or monetising their usage patterns. Understanding this model is the foundation for understanding this privacy policy.
2. The architecture that protects you
Why most of this policy is straightforward
Sattva and KAI are offline-first applications. All operational data — client records, bookings, financial transactions, session notes — is stored exclusively on the user's device using the browser's local IndexedDB. No operational data is transmitted to Muladhara's servers.
This is not a privacy setting or a policy choice. It is the architectural reality of how the applications are built. There is no API call that carries your client data to our systems. There is no background sync. There is no server-side copy of your practice records.
The practical consequence: most privacy regulations require organisations to detail how they handle personal data. For Muladhara's apps, the answer for operational data is straightforward — we do not handle it, because it never reaches us.
3. What this website collects
Contact form submissions only
When you submit the contact form at /connect, we collect: your name or organisation name, email address, phone number (optional), proposal type, and project description. We also log the IP address of the submission for security purposes.
This information is used solely to evaluate your project proposal and to respond to your inquiry. It is stored in a secured database on our server. It is not shared with third parties. It is not used for marketing or advertising.
Nothing else is collected on this website. We do not run analytics. We do not use tracking pixels. We do not load third-party advertising scripts. What you see on this page is what runs on this page.
4. Cookies — the full picture
One cookie. One purpose. No consent required.
This website sets exactly one cookie: a session security token used to prevent CSRF (Cross-Site Request Forgery) attacks. This cookie:
- Contains no personal data
- Does not track your behaviour
- Does not identify you across sessions or devices
- Expires when you close your browser
- Is set as HttpOnly and Secure — inaccessible to scripts
Under GDPR Article 6(1)(f) and equivalent regulations, cookies that are strictly necessary for the technical operation of a service (security functions) are exempt from consent requirements. We do not show a cookie consent banner because this cookie does not require consent. If we ever add analytics or any non-essential cookie, we will update this policy and implement a consent mechanism.
5. Encryption and key management
Mathematical protection, not contractual
When you set a PIN in Sattva, an encryption key is derived using PBKDF2-SHA256 (100,000 iterations) on your device. This key is used to encrypt backup exports with AES-GCM. Neither the PIN, the derived key, nor the backup contents are transmitted to Muladhara.
The consequence: Muladhara cannot decrypt your backup files. This is not a promise — it is a mathematical fact. Without your PIN, the AES-GCM encrypted file is computationally indistinguishable from random data. No password reset, no master key, no court order changes this.
If you forget your PIN, your encrypted backup data cannot be recovered. We consider this a feature, not a limitation. It is the proof of genuine encryption.
6. AI features and data privacy
Pseudonymised by design — AI never knows who your client is
Sattva's AI features operate on pseudonymised data. When you use an AI feature, the content is tagged to a randomly generated anonymous session identifier — not to your client's name, account, or any identifiable credential. The mapping between the anonymous ID and the real person exists only on your device.
The AI provider receives content and an anonymous ID. It does not receive your client's identity, your credentials, or any traceable personal information. This architecture is designed to maintain the benefit of AI assistance while ensuring client identities are never exposed to third-party AI systems.
AI providers are configured by the user. Muladhara does not know which AI provider you use, does not store your API keys, and is not present in your AI transaction chain. When using Sattva-managed AI (metered tokens through Sattva's proxy), the same pseudonymisation applies — the proxy processes an anonymous ID alongside the content.
Users are responsible for the terms of service of the AI provider they configure. We recommend reviewing your chosen provider's data retention and training policies before using AI features for sensitive content.
7. WhatsApp integration
A deep link. Nothing more.
Sattva's WhatsApp feature constructs a wa.me/ deep link that opens WhatsApp on your device with a pre-filled message. When you tap the WhatsApp button, your device's WhatsApp application opens. You review the message and choose to send it.
Muladhara does not use the WhatsApp Business API. No credentials are stored. No data passes through our servers. No connection is made to your WhatsApp account. This is technically equivalent to manually opening WhatsApp and typing a message — with the convenience of pre-filled text.
8. The enterprise server model
Built by us. Owned by you. No data held by us.
When Muladhara builds an online SaaS product for an enterprise client, we design, build, and configure the server infrastructure — then deliver it completely to the client. After handover, the enterprise hosts the platform on their own infrastructure, under their own domain.
Muladhara holds no access credentials, no administrative backdoors, and no copies of data from delivered enterprise systems. The enterprise's users' data is the enterprise's responsibility — within the security architecture we designed and documented for them.
9. Compliance alignment
Where we stand relative to major privacy regulations
Sattva's offline-first, device-local, encrypted architecture reflects HIPAA's core technical safeguards. AI features use pseudonymisation. Muladhara does not process PHI on our servers. Enterprise healthcare clients requiring a Business Associate Agreement should contact us — the scope is narrow given our architecture.
No tracking cookies requiring consent. Data minimisation practiced — we collect only what is submitted. Users have the right to access, correct, or delete submitted contact data. Privacy by design is the architecture, not an add-on. For EU enterprise clients with specific GDPR obligations, Data Processing Agreements are available on request.
Contact form submissions are collected with awareness at point of submission. Personal data in Sattva and KAI apps never reaches Muladhara's systems. Data is processed only for the stated purpose. Users can request deletion of contact form data at any time.
KAI generates financial reports in MCA-compatible formats. This is format compatibility, not a compliance certification requiring ongoing oversight.
10. Data retention
How long we keep what little we hold
Contact form submissions are retained in our database for as long as necessary to evaluate the proposal and maintain business records — typically up to 3 years.
App data is stored on your device indefinitely until you delete it or uninstall the application. Muladhara holds no copies of app data. There is nothing on our side to delete.
11. Your rights
What you can ask us to do
For data submitted through this website (contact forms), you have the right to:
- Request access — what we hold about you
- Request correction — if any data is inaccurate
- Request deletion — we will remove your submission from our records
- Request data portability — receive your submitted data in a standard format
To exercise these rights, email contact@muladharaholistictechnology.com. We respond within 30 days.
For app data: since it lives on your device, you exercise all rights directly — delete records in the app, export your data using the backup function, or uninstall the application. Muladhara has no copy to provide or delete.
12. Third-party services
What external services this website and apps use
13. Changes to this policy
How and when this document may change
We may update this policy when our practices change or when regulations require it. The date at the top of this page shows when it was last updated. Substantive changes will be noted on this page.
Our architecture is unlikely to change in ways that increase data collection — our model is built on giving clients ownership and independence, not on accumulating data about them. Any change that affects data collection will be communicated clearly.
Questions about this policy?
Email contact@muladharaholistictechnology.com. We answer privacy questions personally, not through a ticket system.