Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how Boo Private Ltd ("Ovaara", "we", "us", "our"), a company incorporated in Mumbai, Maharashtra, India, collects, uses, stores, and protects personal information when you use the Ovaara application and related services (the "Platform").

This Policy is designed to comply with applicable privacy laws, including the General Data Protection Regulation (GDPR) for users in the European Economic Area, the Digital Personal Data Protection Act, 2023 (DPDP Act) of India, and other applicable data protection regulations.

By using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use the Platform.

2. Data We Collect

We collect different types of information to provide and improve our services:

2.1 Health & Wellness Data

• Menstrual & Cycle Data: Period start/end dates, flow intensity, cycle length, PMS symptoms
• Symptoms: Physical symptoms (cramps, bloating, headaches, etc.), emotional symptoms, energy levels
• Mood & Mental Health: Daily mood logs, stress levels, anxiety ratings, sleep quality
• Fertility Data: Basal body temperature, ovulation test results, cervical mucus observations, fertility tracking inputs
• Health Metrics: Weight, BMI, blood pressure (manually entered), blood glucose (manually entered), hormonal test results you choose to upload
• Wearable Device Data: Heart rate, steps, sleep patterns, SpO2, and other biometric data from connected wearable devices (with your explicit permission)
• Ayurveda & Wellness: Dosha quiz responses, wellness preferences, dietary notes
• Nutrition: Food logs, calorie data, nutritional information you choose to track

2.2 Account Information

• Name, email address, phone number
• Date of birth and age
• Profile photo (optional)
• Account preferences and settings

2.3 Location Data

• Approximate location (city/region level) for hospital and clinic finder features, when you explicitly grant location permission
• We do not track your precise location continuously. Location access is only used when you actively use location-dependent features.

2.4 Device & Technical Information

• Device type, operating system, app version
• IP address (for security and fraud prevention)
• App usage patterns and feature interaction data (anonymized)
• Crash reports and error logs

2.5 Communications

• Messages with customer support
• Community (Circles) posts and responses
• Feedback and survey responses

3. How Data is Stored

3.1 On-Device First: By default, your health data is stored primarily on your device. This means your most sensitive health information stays local to your phone and is not transmitted to our servers unless you opt into cloud backup.

3.2 Encrypted Cloud Backup (Optional): If you choose to enable cloud backup, your data is encrypted before it leaves your device. We use industry-standard AES-256 encryption for all data in transit and at rest.

3.3 Zero-Knowledge Encryption (Available): For users who want maximum privacy, we offer a zero-knowledge encryption option. With zero-knowledge encryption enabled, your data is encrypted with a key derived from your personal password. Ovaara cannot access or read your data under this mode — even our engineers cannot view your health information. Note: If you lose your password and have not set up recovery, your data cannot be recovered.

3.4 Security Measures: We employ a range of security measures including:

• End-to-end encryption for sensitive health data
• Secure HTTPS connections for all data transmission
• Regular security audits and penetration testing
• Access controls limiting which employees can access data
• Secure data centers with physical security controls
• Multi-factor authentication options for account access

4. How We Use Your Data

We use your information for the following purposes:

• Service Delivery: To provide cycle tracking, health insights, fertility analysis, and all other Platform features
• Personalization: To tailor the experience, insights, and recommendations to your individual health profile
• AI Companion (Boo): To enable Boo to provide contextually relevant wellness information based on your health data
• Communication: To send you important service updates, health reminders (if enabled), and support messages
• Security: To protect against fraud, unauthorized access, and abuse
• Analytics & Improvement: To analyze aggregate, anonymized usage patterns to improve our services (never your identifiable data)
• Legal Compliance: To comply with applicable laws and regulations
• Research (with consent): Anonymized, aggregate data may be used for health research with your explicit consent (see Section 6.3)

5. We Never Sell Your Data

This commitment applies to all categories of personal data, including menstrual data, fertility data, symptoms, mood logs, health metrics, and any other health-related information you share with us.

6. Data Sharing

6.1 Service Providers: We share data with trusted third-party service providers who help us operate the Platform (e.g., cloud infrastructure, payment processing, customer support tools). These providers are contractually bound to process data only as instructed by us and to maintain appropriate security standards.

6.2 With Your Explicit Consent: We will share your data with other parties (e.g., partner doctors, family members you invite) only with your explicit, informed consent for each specific sharing purpose.

6.3 Anonymized Research Data: With your separate, opt-in consent, anonymized and aggregated data (from which you cannot be identified) may be shared with academic researchers or used in research publications aimed at improving women's health outcomes. You can opt in or out of this at any time through Settings → Privacy → Research Participation.

6.4 Legal Requirements: We may disclose your information if required to do so by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect the safety of any person, to address fraud or security issues, or to protect our legal rights.

6.5 Business Transfers: In the event of a merger, acquisition, or sale of all or substantially all assets, user data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

7. Third-Party Integrations

7.1 Wearable Devices: If you choose to connect a wearable device (e.g., fitness tracker, smartwatch), we access only the data categories you authorize during the connection setup. You can disconnect a wearable at any time through Settings → Devices.

7.2 Payment Processors: Payment information is processed by our payment processing partners. We do not store your full card details. Payment processors are subject to their own privacy policies and PCI-DSS compliance standards.

7.3 Third-Party Links: The Platform may contain links to third-party websites or services. This Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access.

8. Cookies & Analytics

8.1 Cookies: Our web platform (ovaara.com) uses cookies and similar technologies for authentication, security, and functionality purposes. We use minimal cookies and do not use advertising cookies.

8.2 Analytics: We use privacy-preserving analytics to understand how users interact with the Platform. Analytics data is anonymized and aggregated — we do not build individual behavioral profiles for advertising purposes.

8.3 Cookie Control: You can control cookie preferences through your browser settings or through our cookie consent banner when you first visit ovaara.com.

9. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with our services. We will retain and use your information as necessary to comply with legal obligations, resolve disputes, and enforce agreements.

Upon Account Deletion: When you delete your account or request data deletion, we will permanently delete or anonymize your personal data within 30 days, except where retention is required by applicable law (e.g., financial records for GST purposes may be retained for up to 7 years as required by law, but such records are dissociated from your health data).

Anonymized, aggregate data derived from your usage (from which you cannot be identified) may be retained indefinitely for product improvement and research purposes.

10. Your Rights

You have the following rights regarding your personal data:

To exercise any of these rights, email us at privacy@ovaara.com or use the in-app privacy controls in Settings → Privacy.

11. Children's Privacy

11.1 Under 13: Ovaara is not intended for and does not knowingly collect personal information from children under the age of 13. If we become aware that we have collected personal information from a child under 13 without verified parental consent, we will take steps to delete that information immediately.

11.2 Ages 13–17: Users between 13 and 17 may use Ovaara with verifiable parental or guardian consent. Parents/guardians who have consented to their child's use of the Platform may request access to, correction of, or deletion of their child's personal data by contacting us at privacy@ovaara.com.

11.3 Enhanced Protection: We apply enhanced privacy protections for users identified as minors, including limiting data collection to what is necessary and restricting participation in certain community features.

12. Family & Partner Data Sharing

12.1 Opt-In Only: Family member and partner data sharing features are entirely opt-in. You will never automatically share your health data with anyone.

12.2 Granular Control: When you choose to share data with a partner or family member, you choose exactly which data categories to share. We do not share your entire health profile by default.

12.3 Each Member Controls Their Own Data: In family accounts, each member maintains independent control over their own data. No family member can access another's data without their explicit consent.

12.4 Revoke Anytime: You can revoke partner or family sharing access at any time through Settings → Sharing. Note that data already viewed by the recipient cannot be "un-seen," but access to future data will be immediately revoked.

13. Doctor Access to Your Data

13.1 Consent-Based Access: Doctors on the Ovaara platform can only access your health data with your explicit, per-session consent. Before each consultation, you will be asked to confirm exactly which data categories the doctor may access.

13.2 Session-Limited Access: Doctor access to your data is limited to the duration of the consultation. Doctors do not retain ongoing access to your data after the consultation ends unless you explicitly grant extended access for a follow-up care relationship.

13.3 No Access Without Consent: Ovaara does not share your health data with doctors or any other healthcare providers without your prior explicit consent.

14. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the appropriate data protection authorities within 72 hours of becoming aware of the breach (as required by GDPR and in accordance with the DPDP Act)
• Notify affected users without undue delay via email and/or in-app notification
• Provide clear information about the nature of the breach, the data affected, likely consequences, and steps we have taken or propose to take
• Provide guidance on steps you can take to protect yourself

15. International Data Transfers

Ovaara is based in India and primarily processes data in India. If your data is transferred to or accessible from outside India (e.g., through cloud service providers), we ensure that such transfers comply with applicable data protection laws, including through the use of standard contractual clauses or other appropriate safeguards.

For EEA users: We ensure that transfers of personal data outside the EEA are protected by appropriate safeguards as required by GDPR Chapter V.

16. Legal Basis for Processing (GDPR)

For users in the European Economic Area, we process your personal data on the following legal bases:

• Consent: For processing health/special category data, research participation, and marketing communications
• Contract Performance: To provide the services you've subscribed to
• Legitimate Interests: For security, fraud prevention, and improving our services (where these interests are not overridden by your rights)
• Legal Obligation: Where we are required to process data to comply with law

For health data (special category data under GDPR Article 9), we process based on your explicit consent (Article 9(2)(a)) and, where applicable, for the purposes of preventive or occupational medicine (Article 9(2)(h)).

17. India DPDP Act 2023 Compliance

Ovaara is committed to compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India. In accordance with this Act:

• We process personal data only for lawful purposes with your free, specific, informed, and unambiguous consent
• We collect only the minimum data necessary for the specified purpose (data minimization)
• We maintain reasonable security safeguards to prevent personal data breaches
• We notify the Data Protection Board and affected data principals of any breach
• We do not process personal data for purposes other than those for which consent was obtained
• We honor your rights as a Data Principal, including the right to access, correction, erasure, grievance redressal, and nomination
• We have appointed a Data Protection Officer (DPO) as required

For grievances under the DPDP Act, please contact our Grievance Officer at privacy@ovaara.com. We will respond to grievances within the timeframes prescribed by the Act.

18. Policy Updates

We may update this Privacy Policy from time to time. We will notify you of material changes via email and/or a prominent notice in the app at least 30 days before changes take effect.

Where changes involve new processing of your special category data (health data) or significant changes to how we use your data, we will seek your renewed consent as appropriate.

19. Contact Us & Data Protection Officer

For privacy-related inquiries, data access requests, or complaints: