Privacy Policy

Plain English. No tricks. Your data belongs to you.

Effective May 26, 2026 · Vyoma Group


This is the Privacy Policy for Vyoma Group ("Vyoma," "we," "us") and the products we operate, currently Arka AI. We wrote it the way we'd want one written for us — in normal sentences, without the lawyer maze.

If there is ever a conflict between what this page says and what we actually do, the strictest interpretation in your favour wins. That is a promise, not a footnote.


What we collect

We collect three categories of data, and nothing else:

Account information

When you sign in with Google, Firebase Authentication gives us: your name, email address, profile photo URL, and a unique user ID. We do not see your Google password. We do not get a calendar, contacts, or any other Google scope — only the basic profile.

Conversation content

The messages you send to Arka, the images and files you attach, and the AI responses we generate. This content is processed so we can reply to you. Chat history is stored locally in your browser (localStorage) on the device you use Arka from. We do not maintain a copy on our servers after the response is generated.

Operational metadata

Standard request data: IP address (for rate-limiting and abuse prevention), browser user-agent, approximate city/country (only if you opt in to location metadata in Settings → Privacy), and aggregated usage counts for daily limits (e.g. "5 images today"). This is not stitched into your profile or sold.


How we use it

We use the data we collect for exactly four things:

  • To answer you. Your messages are sent to our model provider (NVIDIA-hosted open-weights models routing through our API), processed, and a response is streamed back. No human at Vyoma reads your conversations.
  • To enforce limits. We track daily usage counts so free-plan users get a fair, equal share of capacity.
  • To improve Arka. We may use anonymised, aggregated usage patterns — for example, "X% of users hit the file-upload limit on Monday" — to prioritise features. You can opt out of this in Settings → Privacy → Help improve Arka.
  • To keep Arka safe. If a request looks abusive, malicious, or violates our guidelines, we may block it.

We do not use your conversations to train models without your explicit, opt-in consent. We do not currently have an opt-in training programme.


Where your data lives

Your data lives in three places. We want you to know all of them.

  • Your browser. Chat history, your profile preferences (nickname, style choice, web-search toggle), your project list, daily usage counters, and your authentication token all live in your browser's localStorage and IndexedDB. Clearing your browser data deletes them.
  • Firebase Authentication (Google Cloud). Your account record — just the basic profile fields described above — lives in Firebase, project arkaai-b3d16, hosted by Google.
  • Our server. Our PHP backend, hosted on Hostinger, processes individual messages in-flight and forwards them to the model. We do not persist the content of your conversations on our server.

How long we keep things

  • Conversation content: not retained on our servers beyond the request lifecycle (typically seconds). Stored on your device until you delete it.
  • Account record: for as long as your account exists. Deleting your account in Settings → Account erases the Firebase record.
  • Request logs (IP, status codes): 14 days, then permanently deleted. These exist only for abuse prevention and error debugging.
  • Daily usage counters: reset every 24 hours.

Who we share with

We share data with the smallest set of vendors required to operate Arka. Each handles a specific function and is bound by their own privacy policies.

  • Google (Firebase Auth): handles sign-in and token issuance.
  • NVIDIA NIM API: processes message content to generate responses. We pay them; they do not retain prompts.
  • Hostinger: hosts our web server and serves static assets.
  • CDN providers (cdnjs, jsdelivr, Google Fonts): serve fonts, KaTeX, highlight.js, and pdf.js. They see your IP when your browser fetches those assets.

We do not sell your data to anyone. We do not run third-party advertising trackers on our products. We do not have analytics SDKs in Arka.


Your rights

Regardless of where you live, you can do the following with your data on Arka:

  • See it. Open Settings → Account to view what's tied to your profile.
  • Export it. Each chat can be exported as Markdown from the chat menu. We will add a full account-export tool soon.
  • Correct it. Edit your name and preferences in Settings → General.
  • Delete it. Settings → Account → Delete Account erases your Firebase record and clears your local data on that device.
  • Withdraw consent. Settings → Privacy contains toggles for location metadata and product-improvement signals. You can turn either off at any time.
  • Object. Email privacy@vyomagroup.online if you want us to stop processing your data for any reason permitted by law.

If you are in the EU, UK, or California, you also have rights under the GDPR, UK GDPR, and CCPA respectively. The list above already covers them. We do not require a special form — just email us.


Children

Arka AI is not directed at children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect data from anyone in that age range. If you believe a child has signed up, email privacy@vyomagroup.online and we will delete the account.


Security

We use industry-standard measures to protect data:

  • HTTPS everywhere — the entire site is forced to TLS via our .htaccess rules.
  • Authentication tokens are short-lived JWTs issued by Firebase, persisted in your browser's IndexedDB with the standard browserLocalPersistence setting. We verify them on the server against Google's public certificates on every request.
  • Sensitive config files (API keys, certs) are blocked from public access at the web-server level.
  • Production assets are versioned and served behind a service worker that auto-invalidates stale caches when we ship a new build.

No system is perfectly secure. If you discover a vulnerability, please report it responsibly to security@vyomagroup.online. We will respond within 72 hours.


International transfers

Vyoma Group is based in India. Our servers (Hostinger) are in the EU. Firebase Auth is hosted by Google in the US. NVIDIA's inference is in the US. When you use Arka, your request and your authentication token transit through these countries.

For users in the EU/UK, transfers outside the EEA rely on the EU Standard Contractual Clauses adopted by Google and NVIDIA, and on the adequacy mechanisms that apply to them. We do not transfer data to jurisdictions without an adequate level of protection.


Changes to this policy

If we change this policy in a way that affects your rights, we will say so — in the changelog, in an in-app notice, and via email if you have an account. Material changes take effect no sooner than 14 days after notification, so you always have time to react.

Minor edits (fixing a typo, clarifying a sentence) may happen at any time. The "Effective" date at the top of this page reflects the most recent revision.


Contact us

For anything privacy-related — questions, requests, complaints — reach us at privacy@vyomagroup.online.

For security issues: security@vyomagroup.online.

For everything else: Contact Vyoma.

Have a question about your data?

We'd rather hear it than have you guess.