Privacy Policy

Aayatan Veda — Vastu Consulting
Last updated: 24 May 2026


Who we are

Aayatan Veda is a professional Vastu consulting practice run by Rohit Khandelwal (Vastu Acharya, COA CA/2004/34716, ITPI AITPI/2011-034). The practice operates through two registered Indian firms:

  • Aayatan Veda — GST-registered firm, used for India domestic engagements
  • Rohit Khandelwal HUF (RK HUF) — used for international engagements and the original practice entity

Registered office: Aayatan Veda (RK HUF), Sector 1, Jagriti Nagar, Devendra Nagar Main Road, Devendra Nagar, Raipur, Chhattisgarh, India.

This policy covers everything we do across:

  • Our website — aayatanveda.com
  • Our client portal — portal.aayatanveda.in and the Aayatan Veda mobile app on iOS and Android
  • Email and WhatsApp messages we send you

We keep this policy plain and specific. Vague policies erode trust. You deserve to know exactly what happens with your data.


1. What information we collect

We collect only what is needed to prepare a Vastu consultation, deliver our services, and operate the business. Nothing more.

Identity and contact details:

  • Full name
  • Email address
  • Phone number (WhatsApp-capable)
  • Country
  • Billing and shipping address (only when required for a GST invoice)
  • GSTIN, the Indian tax registration number (only if you ask for a business invoice)
  • Company name (optional, for B2B engagements)
  • Alternate contacts — e.g. spouse or family decision-maker (only if you choose to share these)

Property details:

  • Property type (residential, commercial, plot, etc.)
  • Location and address of the property
  • Built-up area in square feet, number of floors, orientation, main entrance direction
  • Room-by-room layout and which family member uses which room
  • Uploaded floor-plan files (image or PDF, up to 10 MB)
  • Google Maps links to the property

Self-assessment answers:

  • Answers to life-area concern questions (health, relationships, finances, growth)
  • Activity and utility preferences for each room
  • Computed Vastu scores derived from your answers

Engagement and commercial data:

  • Quotes we send you — line items, rates, discounts, GST, totals, currency
  • Payment confirmation status (we mark a quote paid after Razorpay confirms the transfer; we do not see your card or UPI details)
  • Project numbers (VP-XXX) once a paid engagement begins
  • Internal notes our team takes during your consultation
  • Messages you send us inside the portal on a project

Authentication and security data (portal and app only):

  • A 4-digit OTP sent to your email or phone for portal sign-in — we store only a salted hash, never the OTP itself, and the hash is auto-purged 24 hours after use or expiry
  • The number of failed sign-in attempts — used to lock an account for 30 minutes after five wrong tries
  • Audit log of every sign-in attempt (outcome, server timestamp, IP address) — retained for security review

Source information:

  • How you found us (referral, social media, search, etc.)
  • UTM parameters embedded in the URL you clicked

We do not collect:

  • Payment card details, UPI IDs, or bank details — payments are handled outside our systems by Razorpay (see Section 4)
  • Health, biometric, religious, political, racial, or sexual-orientation data
  • Device GPS or precise location
  • Advertising identifiers (IDFA on iOS, AAID on Android) — we do not run ads
  • Your iOS or Android contacts list
  • Your browsing history outside our website or app

2. Why we collect it

Each piece of data has a specific purpose:

  • Name, email, phone: to identify you, deliver your report, sign you in to the portal, and follow up
  • Property details, floor plans, Google Maps links: to prepare an accurate Vastu assessment for your specific property — without these, a real assessment is not possible
  • Room usage and life-concern answers: to contextualise the assessment to your household
  • Billing address and GSTIN: to raise a compliant GST invoice under Indian tax law
  • Quote and payment-confirmation data: to run the commercial side of the engagement — quote, accept, pay, deliver
  • OTP hash and lockout state: to verify it is you signing in, and to block brute-force attempts
  • Audit logs of sign-in attempts: to detect abuse, support an account-recovery request, and meet our internal security review
  • Email address (Brevo): to send your report, sign-in OTP, quote, and any educational follow-up
  • Phone number (WhatsApp): to send transactional WhatsApp messages — OTPs, report-ready notifications, callback links — only to numbers submitted through our forms
  • Source / UTM: to understand which content is genuinely helpful, so we keep producing it

We do not advertise inside the portal or the app. We do not sell, rent, or trade your data. We do not run any third-party tracking, analytics, or attribution SDK that profiles you across other apps or websites.


3. How we store and protect your data

Your data is stored in Google Firestore and Firebase Storage, both part of Google Cloud infrastructure. Data may reside on servers outside India, including in the United States, Singapore, and the Asia-South region (Mumbai), under Google Cloud's standard regional distribution.

Google Cloud maintains ISO 27001 certification and SOC 2 compliance. Their security practices are described at: https://cloud.google.com/security

Encryption. All traffic between your device and our systems is encrypted in transit using HTTPS / TLS 1.2 or higher. Data at rest is encrypted by Google Cloud's default disk-level encryption (AES-256). OTPs are stored as salted SHA-256 hashes — the OTP itself is never written to disk.

Access controls. Only authorised members of the Aayatan Veda team can read your records. Each team member's access is audited. Your data is not publicly accessible.


4. Third parties we share data with

We share your data with four service providers. Each handles a specific function. We share only what is necessary for that function.

Google Firebase (Google LLC)
Role: Primary backend — Firestore database, Firebase Storage, Cloud Functions, Hosting, and Authentication. Our website, portal, and mobile app run on this stack.
What we share: Everything described in Section 1 that we hold electronically.
Privacy policy: policies.google.com/privacy

Brevo SAS (EU, formerly Sendinblue)
Role: Email delivery — sign-in OTPs, report PDFs, quote-sent notifications, payment receipts, and any educational follow-up sequence.
What we share: Your name, email address, country, lead source, lead/client status, and last contact date.
Privacy policy: brevo.com/legal/privacypolicy

WhatsApp Business API (Meta Platforms Ireland Limited)
Role: Transactional WhatsApp messages — OTPs, lead welcome, quote-sent, payment confirmation, callback link — sent directly from our owned WhatsApp Business Account via the Meta Cloud API.
What we share: Your phone number in international format, your first name, and the dynamic value (e.g. an OTP code) that goes into a pre-approved Meta template. We only message numbers that were submitted through our forms. We do not send unsolicited marketing.
Privacy policy: facebook.com/privacy/policy

Razorpay (Razorpay Software Private Limited, India)
Role: Payment processing for milestone fees on paid engagements.
What we share: Nothing directly from our portal or app. When you tap a "Pay" link on a quote, your browser opens Razorpay's hosted page. You enter your card or UPI details on Razorpay's surface, governed by Razorpay's own privacy policy. We are notified only that the payment was successful and for which quote — we never see your card number, CVV, UPI handle, or bank account.
Privacy policy: razorpay.com/privacy

Hostinger
Role: Static website hosting infrastructure for aayatanveda.com.
What we share: Standard web-server logs (IP, request path, browser user-agent) for security and performance.
Privacy policy: hostinger.com/privacy-policy

We do not share your data with any other third party. We do not sell, license, or trade your personal information.


5. How long we keep your data

Different categories have different retention periods, set by the nature of the data and Indian tax law:

  • Lead enquiries that do not become paid engagements: retained for two years, then archived. Archived leads no longer receive marketing email.
  • Active client and engagement records: retained for the life of the engagement, then for seven years after the last invoice for GST and income-tax compliance under Indian law (Section 36 of the Income Tax Act).
  • Sign-in OTPs: auto-purged 24 hours after they are used or expire.
  • Audit logs of sign-in attempts: retained indefinitely for security review. We can purge a specific user's audit entries 90 days after a deletion request, once any abuse-investigation window has closed.
  • Uploaded files (floor plans, quote PDFs): retained for the life of the parent record (lead, quote, project), then deleted with that record.

If you ask us to delete your data before these periods, we will do so within 30 days — subject only to legally required retention (for example, the seven-year GST window on a paid engagement). See Section 6.


6. Your rights

You have the right to:

  • Access — request a copy of the information we hold about you.
  • Correction — ask us to correct any inaccurate or incomplete information.
  • Deletion — ask us to delete your data entirely, subject to the retention rules in Section 5.
  • Withdrawal of consent — unsubscribe from email at any time using the unsubscribe link in any email we send. Reply STOP on WhatsApp to opt out of WhatsApp messages.

To exercise any of these rights, email [email protected] from the address on file. Please include your full name and the email or phone number you used. We acknowledge requests within seven days and complete them within thirty days.


7. Cookies and tracking

Our website uses a minimal set of cookies.

Essential cookies are necessary for the website and the portal sign-in to function.

What we do not use:

  • No advertising cookies
  • No third-party ad tracking pixels (Google Ads, Meta Pixel, etc.)
  • No cross-site tracking
  • No retargeting

Inside the mobile app, we do not include Firebase Analytics, Crashlytics, Google Ads SDK, Facebook SDK, AppsFlyer, Mixpanel, Branch, or any tracking or attribution library. We do not request the iOS Advertising Identifier (IDFA) or the Android Advertising ID (AAID), and we do not display the App Tracking Transparency prompt because we do not track.


8. Children

Our services are not directed at children under 13. We do not knowingly collect data from children. If you believe a child has submitted information to us, please email [email protected] and we will delete it.


9. Changes to this policy

If we materially change how we collect or use your data, we will update this page and revise the "Last updated" date at the top. We will not retroactively apply significant changes without notice.

For major changes, we may send a notification to registered email addresses.


10. Contact

If you have a question about this policy or about your data:

Email: [email protected]
Phone: +91-8015417121
WhatsApp: wa.me/918015417121
Address: Aayatan Veda (RK HUF), Sector 1, Jagriti Nagar, Devendra Nagar Main Road, Devendra Nagar, Raipur, Chhattisgarh, India

We are a small practice. If you write to us, a person reads it.