PRIVACY POLICY
Hunch — operated by CMA Solutions LLP
Document Reference: HUN-LEG-PP-V3.0
Version: 3.0 (Draft for attorney review)
Effective Date: [TO BE INSERTED ON PUBLICATION]
Last Updated: [TO BE INSERTED ON PUBLICATION]
NOTICE — DRAFT INSTRUMENT. This document is a draft prepared for review by qualified Indian legal counsel. It does not constitute legal advice. It must not be published, relied upon, or executed in its present form until reviewed, marked-up, and approved by an advocate practising before the courts of India.
1. INTRODUCTION
1.1 This Privacy Policy ("Policy") sets out the manner in which CMA Solutions LLP, a limited liability partnership incorporated under the Limited Liability Partnership Act, 2008, bearing LLPIN ACP-6029, having its registered office at Kh No. 316/274, Ground Floor, Front Side Saidulajab, Western Marg, near Lane No. 3, Gadaipur, Saidulajab, New Delhi, South West Delhi – 110030, Delhi, India ("Company", "we", "us", "our"), collects, uses, stores, processes, shares, and protects Personal Data when a User accesses or uses the conversational AI service marketed as "Hunch" (the "Service").
1.2 The Company is the Data Fiduciary in respect of Personal Data processed through the Service, and the User is the Data Principal, in each case as defined under the Digital Personal Data Protection Act, 2023.
1.3 This Policy is published in compliance with: (a) the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules made thereunder ("DPDP Rules"); (b) the Information Technology Act, 2000 ("IT Act"), in particular Section 43A; (c) the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"); (d) the Consumer Protection Act, 2019 ("CPA"), read with the Consumer Protection (E-Commerce) Rules, 2020; (e) the Mental Healthcare Act, 2017 ("MHCA"), to the extent applicable; (f) the Rights of Persons with Disabilities Act, 2016.
1.4 This Policy must be read together with the Terms of Service (HUN-LEG-TOS-V3.0), the Consent Framework (HUN-LEG-CF-V3.0), the Data Retention and Deletion Policy (HUN-LEG-DRP-V3.0), the Disclaimer (HUN-LEG-DIS-V3.0), the Cookie Policy (HUN-LEG-CKP-V3.0), the Grievance Redressal Policy (HUN-LEG-GRP-V3.0), the Refund Policy (HUN-LEG-RP-V3.0), the Acceptable Use Policy (HUN-LEG-AUP-V3.0), and (from Version 2 commercial launch) the Therapist Handoff Consent and Protocol (HUN-LEG-THP-V3.0).
1.5 The order of precedence between this Policy and any companion document is as set out in Clause 2.2 of the Terms of Service.
2. DEFINITIONS
Capitalised terms used and not defined in this Policy bear the meaning given in the Terms of Service. In addition:
"Anonymised Data" — to the extent the Company asserts that data has been rendered Anonymised, such assertion shall be construed in accordance with Clause 11 of this Policy (Re-Identification Risk Acknowledgement). Save where the context requires, this Policy uses the term "Pseudonymised Data" in preference to "Anonymised Data."
"Astrological Data" — birth date, time of birth, and place of birth of the User, together with the Vedic chart (Kundli), planetary positions, Dasha and Mahadasha periods, transits, Nakshatras, Yogas, and other astrological derivations computed from the User's birth particulars.
"Behavioural Data" — patterns, preferences, emotional-state inferences, topic clusters, self-disclosure depth scores, trigger correlations, engagement metrics, and other insights derived by automated means from the User's interactions with the Service.
"Conversation Data" — all messages, voice notes (if any), attachments, and interactions exchanged between the User and the Service over WhatsApp, Telegram, or any other supported channel.
"Cookies" — cookies and similar tracking technologies (including local storage, session storage, web beacons, and pixel tags) used on the Website. Detailed disclosure is set out in the Cookie Policy.
"Data Principal" — has the meaning given in Section 2(j) of the DPDP Act.
"Data Fiduciary" — has the meaning given in Section 2(i) of the DPDP Act.
"Open Router" — Open Router LLC, a Delaware limited liability company.
"Payment Data" — transaction-level information including transaction identifier, amount, status, timestamp, and payment-instrument metadata, excluding full payment-instrument number and card-verification value.
"Personal Data" — has the meaning given in Section 2(t) of the DPDP Act.
"Pseudonymised Data" — Personal Data processed in such a manner that it can no longer be attributed to a specific Data Principal without the use of additional information, where such additional information is kept separately and subject to technical and organisational measures designed to prevent re-identification.
"Significant Data Fiduciary" or "SDF" — has the meaning given in Section 10 of the DPDP Act.
"SPDI" — Sensitive Personal Data or Information as defined in Rule 3 of the SPDI Rules.
"Sub-Processor" — any third party engaged by the Company to process Personal Data on the Company's instructions, as listed in the Sub-Processor Register at use-hunch.com/legal/sub-processors.
"Underlying LLM Provider" — has the meaning given in the Terms of Service.
3. CATEGORIES OF DATA COLLECTED
3.1 Data provided directly by the User: (a) name, nickname, or display name; (b) phone number (via WhatsApp / Telegram identifier); (c) date, time, and place of birth; (d) language preference; (e) messages, voice notes, and other Conversation Data; (f) feedback, ratings, and survey responses; (g) Payment Data, processed via the Payment Processor (the Company receives only transaction confirmation, amount, and status).
3.2 Data derived or computed by the Company: (a) Vedic chart (Kundli) computed from birth particulars; (b) planetary positions, Dasha and Mahadasha, transits, Nakshatras, Yogas; (c) Behavioural Data, including emotional-state inferences and topic clusters; (d) self-disclosure depth and engagement metrics; (e) trigger-event correlations.
3.3 Data collected automatically: (a) device type and operating-system identifier (as provided by the messaging platform); (b) timestamps of interactions; (c) session frequency and duration; (d) referral source (if applicable); (e) IP address (when accessing the Website); (f) Cookies (Website only; see Cookie Policy).
3.4 SPDI categories. The Company acknowledges that the following data, where processed, constitutes SPDI under Rule 3 of the SPDI Rules: (a) account credentials, to the extent processed (encrypted at rest, never stored in plaintext); (b) financial information (Payment Data, as processed by the Payment Processor); (c) physical and mental-health condition information, to the extent inferred or voluntarily disclosed in Conversation Data; (d) sexual orientation, to the extent voluntarily disclosed; (e) medical records and history, to the extent voluntarily disclosed.
The Company does not collect biometric information in the current version of the Service. If biometric processing is introduced in future, fresh and explicit consent will be sought.
3.5 Data not collected. Save through the Payment Processor under contract, the Company does not collect, and does not knowingly process: (a) full payment-instrument numbers or card-verification values; (b) government-issued identification numbers (Aadhaar, PAN, passport); (c) biometric data; (d) clinical medical records authored by a third party.
4. PURPOSES OF PROCESSING AND LAWFUL BASIS
4.1 Primary purposes (Layer 1 — Core Service Consent):
| Purpose | Lawful Basis |
|---|---|
| To generate the User's Vedic chart and provide pattern-based behavioural insights | Consent under DPDP §6; Contract |
| To deliver conversational interactions via WhatsApp / Telegram | Contract |
| To build and refine the User's behavioural profile across conversations | Consent; legitimate purpose for service delivery |
| To correlate astrological patterns with self-reported events and behaviours | Consent |
| To suggest Vedic practices in accordance with Clause 5.5 of the Terms of Service | Consent; subject to guardrails under that Clause |
| To process payments through the Payment Processor | Contract; legal obligation |
| To comply with Applicable Law, regulatory orders, judicial orders, and lawful requests of governmental authorities | Legal obligation |
| To respond to grievances, data-principal requests, and other communications | Contract; legal obligation |
4.2 Secondary purposes (separate consent required):
| Purpose | Lawful Basis | Consent Layer |
|---|---|---|
| To use Pseudonymised User Content to train, evaluate, and improve the Company's AI systems | Consent | Layer 2 |
| To use Pseudonymised User Content for research, including potential licensing to academic or research institutions | Consent | Layer 3 |
| To share an AI-generated behavioural brief with a Professional in connection with a referral | Consent | Layer 4 (Version 2 only) |
| To send service updates, new-feature announcements, and promotional communications | Opt-in consent | Marketing opt-in |
4.3 Purposes for which Personal Data shall NOT be used. The Company shall not, under any circumstances: (a) sell or rent identifiable Personal Data or SPDI to any third party; (b) use Personal Data for targeted advertising premised on mental-health or emotional-state inferences; (c) share identifiable Personal Data or SPDI with insurance companies, employers, credit bureaus, or government agencies, save as required by Applicable Law; (d) create publicly identifiable profiles of Users; (e) make automated decisions with legal or similarly significant effect on the User without affording the User the right to human review.
5. CONSENT FRAMEWORK — SUMMARY
5.1 The Service operates a four-layer consent architecture set out in detail in the Consent Framework:
(a) Layer 1 — Core Service Consent. Required to use the Service. Covers Personal Data, Astrological Data, Conversation Data, and Behavioural Data collection; routing of Conversation Data to Open Router and Underlying LLM Providers; and cross-border transfer for AI processing.
(b) Layer 2 — AI Training Consent. Optional. Covers the use of Pseudonymised User Content to train and improve the Company's AI systems. Withdrawal does not affect access to the Service.
(c) Layer 3 — Research Consent. Optional. Covers the use of Pseudonymised User Content for research and potential licensing to academic or research institutions. Withdrawal does not affect access to the Service.
(d) Layer 4 — Therapist Handoff Consent. Applicable in Version 2 only. Required at the point of professional referral. Withdrawal of Layer 4 does not affect access to the Service but terminates the referral process.
5.2 Specific and informed consent. Each layer of consent is sought through plain-language notice that satisfies the requirements of Section 6 of the DPDP Act.
5.3 Withdrawal of consent. The User may withdraw any consent at any time in the manner set out in the Consent Framework. Upon withdrawal: (a) the Company shall cease processing for the withdrawn purpose within seventy-two (72) hours; (b) identifiable data shall be deleted within thirty (30) days, subject to the exceptions set out in the Data Retention and Deletion Policy; (c) Pseudonymised User Content already incorporated into a trained model or published research dataset cannot be retroactively reversed; however, the Company shall not use such Pseudonymised User Content for any new purpose.
5.4 Effect of Layer 1 withdrawal. Withdrawal of Layer 1 consent results in termination of the Service for the User.
6. THIRD-PARTY PROCESSING AND DISCLOSURE
6.1 Categories of third parties. The Company shares Personal Data with the following categories of third parties:
(a) Open Router LLC — routing of Conversation Data to Underlying LLM Providers. Open Router is a Delaware (United States) limited liability company.
(b) Underlying LLM Providers — a list of which is maintained in the Sub-Processor Register and may include, but is not limited to, the following entities and their processing jurisdictions as at the date of this Policy:
| Provider | Parent Entity | Processing Jurisdiction |
|---|---|---|
| OpenAI | OpenAI, L.L.C. | United States |
| Anthropic | Anthropic PBC | United States |
| Google Gemini | Google LLC | United States, global |
| Meta Llama | Meta Platforms, Inc. | United States |
| Mistral | Mistral AI SAS | France (European Union) |
| DeepSeek | Hangzhou DeepSeek Artificial Intelligence Co. Ltd. | People's Republic of China |
| Qwen | Alibaba Cloud (Singapore) Pte. Ltd. | Singapore |
The Company maintains the current and authoritative list in the Sub-Processor Register at use-hunch.com/legal/sub-processors.
(c) Meta Platforms, Inc. and WhatsApp Ireland Limited — message delivery via the WhatsApp Business Cloud API. The User acknowledges that messages transmitted through WhatsApp are ingested by Meta on its Cloud API servers and may be processed under Meta's own privacy regime. The Company has no control over Meta's processing beyond the contractual safeguards available under the WhatsApp Business terms.
(d) Telegram FZ-LLC — message delivery via the Telegram Bot API (secondary channel). Processed in the United Arab Emirates and on distributed infrastructure.
(e) Razorpay Software Private Limited ("Payment Processor") — payment processing. Razorpay is regulated by the Reserve Bank of India as a Payment Aggregator. The Company does not store full payment-instrument data; such data is processed by Razorpay in accordance with its own privacy notice (available at razorpay.com/privacy).
(f) Cloud infrastructure providers — as listed in the Sub-Processor Register. The Company hosts identifiable data on Indian-located infrastructure save to the extent of cross-border AI routing described in this Policy.
(g) Professionals (Version 2) — RCI-registered clinical psychologists or rehabilitation psychologists to whom an AI-generated behavioural brief may be shared upon Layer 4 Consent.
6.2 No sale. The Company does not sell, rent, or trade Personal Data or SPDI to any third party.
6.3 Sub-Processor Register. The current list of Sub-Processors, including processing jurisdictions and a brief description of each Sub-Processor's role, is published in the Sub-Processor Register. The Company shall: (a) update the Sub-Processor Register no less frequently than upon any material change; (b) notify Users of material changes by message no less than fifteen (15) days before such change takes effect; (c) where such material change requires fresh consent under the DPDP Act, seek such fresh consent before the change takes effect.
7. CROSS-BORDER TRANSFER
7.1 Scope of transfer. Conversation Data is routed via Open Router LLC (United States) to Underlying LLM Providers, certain of which process such data outside India.
7.2 Lawful basis. Cross-border transfer is undertaken in accordance with Section 16 of the DPDP Act and is subject to: (a) the User's specific and informed consent under Layer 1 of the Consent Framework; (b) contractual safeguards between the Company and each Sub-Processor; (c) the Company's ongoing compliance with any restrictions notified by the Central Government under Section 16(1) of the DPDP Act.
7.3 Notification of restrictions. If, by reason of notification under Section 16(1) of the DPDP Act, transfer to any jurisdiction listed in Clause 6.1(b) becomes restricted, the Company shall: (a) cease such transfers within the timeline mandated by the notification; (b) update the Sub-Processor Register accordingly; (c) provide notice to Users.
7.4 Data minimisation in transfer. The Company shall transmit no more data than is necessary for the Underlying LLM Provider to generate a response, in accordance with Section 8(2) of the DPDP Act.
8. DATA STORAGE AND SECURITY
8.1 Location of storage. (a) Identifiable Personal Data, Astrological Data, Conversation Data, and Behavioural Data are stored on Indian-located cloud infrastructure. (b) Backup data is stored on encrypted Indian-located servers. (c) Cross-border data flows are limited to those described in Clause 7.
8.2 Security measures. The Company implements reasonable security practices and procedures within the meaning of Section 43A of the IT Act and Rule 8 of the SPDI Rules, including: (a) encryption at rest using AES-256 or an equivalent industry standard; (b) encryption in transit using TLS 1.2 or higher; (c) role-based access control with least-privilege principles; (d) periodic security audits and vulnerability assessments; (e) restricted employee and contractor access on a need-to-know basis; (f) an incident-response plan providing for breach notification to the Data Protection Board of India within seventy-two (72) hours of becoming aware of a notifiable personal-data breach; (g) ongoing progress towards ISO/IEC 27001 certification.
8.3 Breach notification to Users. Where a personal-data breach is likely to result in a risk of harm to the User, the Company shall notify the User by message and email as soon as practicable, and in any event in accordance with the DPDP Act and the DPDP Rules.
8.4 No absolute security. Notwithstanding the measures in Clauses 8.1 to 8.3, the User acknowledges that no electronic transmission or storage system is impervious to compromise, and the Company does not warrant absolute security.
9. DATA RETENTION
9.1 Retention schedule. Detailed retention periods are set out in the Data Retention and Deletion Policy. By way of summary:
| Category | Retention Period | Legal Basis |
|---|---|---|
| Personal Data (name, phone, language preference) | Active account + 12 months past last interaction | DPDP Act §8; SPDI Rules; contract |
| Astrological Data | Active account + 12 months past last interaction | Contract; service delivery |
| Conversation Data | Active account + 12 months past last interaction | Contract; consent |
| Behavioural Data | Active account + 12 months past last interaction | Consent; legitimate purpose |
| Payment Data | 7 years from date of transaction | Income Tax Act, 1961; Central Goods and Services Tax Act, 2017 |
| Consent Records | 7 years from date of grant or withdrawal | DPDP Act audit; SPDI Rules |
| Grievance Records | 3 years from date of resolution | SPDI Rules; CPA |
| Technical / log data (IP address, device data, session data) | 6 months from collection | IT Act reasonable security practices |
| Pseudonymised Data | Indefinite, subject to Clause 11 | Not Personal Data (subject to re-identification risk acknowledgement) |
9.2 Precedence. In the event of any inconsistency between this Clause 9 and the Data Retention and Deletion Policy, the Data Retention and Deletion Policy shall prevail.
10. RIGHTS OF THE DATA PRINCIPAL
10.1 The User has the following rights under the DPDP Act and the SPDI Rules:
(a) Right of access. The User may request a summary of the Personal Data the Company processes about the User, the processing activities undertaken, and the identities of Sub-Processors to whom the User's Personal Data has been disclosed. The Company shall respond within thirty (30) days of receipt of a verified request.
(b) Right to correction and erasure. The User may request correction of inaccurate or incomplete Personal Data, or erasure of Personal Data that is no longer necessary for the purposes for which it was collected. Erasure shall be effected within thirty (30) days, subject to legal-retention obligations.
(c) Right to withdraw consent. The User may withdraw any consent in the manner set out in the Consent Framework. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
(d) Right of grievance redressal. The User may file a grievance under the Grievance Redressal Policy. Standard grievances are resolved within thirty (30) days.
(e) Right to nominate. The User may nominate another natural person to exercise the User's rights in the event of the User's death or incapacity, by email to support@use-hunch.com bearing the subject line "Data Principal Nominee Registration." The nomination process and verification procedure shall be communicated to the User upon request.
(f) Right to data portability. Under the DPDP Act, where applicable, the User may request the User's Personal Data in a structured, commonly used, machine-readable format. The Company shall provide such export in JSON format within thirty (30) days of receipt of a verified request.
(g) Right to human review of automated decisions. Where the Service makes an automated decision affecting the User, the User may request human review by emailing support@use-hunch.com. The Company shall respond within seven (7) business days.
10.2 Mechanism for exercising rights. Rights may be exercised by message to the Service (using designated commands set out in the Consent Framework) or by email to support@use-hunch.com.
10.3 Verification. The Company may require reasonable verification of identity before acting on a request to exercise rights.
10.4 No fee. No fee shall be charged for the exercise of rights under the DPDP Act, save to the extent that requests are manifestly unfounded or excessive.
11. RE-IDENTIFICATION RISK ACKNOWLEDGEMENT
11.1 Limits of pseudonymisation. The Company acknowledges that the combination of Astrological Data, Behavioural Data, and contextual identifiers may, in theory, permit re-identification of a Data Principal even after pseudonymisation. Accordingly, this Policy and the companion documents use the term "Pseudonymised Data" rather than "Anonymised Data."
11.2 Mitigations. The Company mitigates re-identification risk by: (a) segregating direct identifiers (name, phone) from Behavioural Data through encryption keys held in separate access control domains; (b) applying coarsening and bucketing to high-cardinality fields (such as date and time of birth) before any AI-training or research use; (c) limiting the population of any aggregate dataset to ensure k-anonymity of at least a stated threshold (threshold to be defined and committed in a separate published technical note prior to first AI-training run); (d) prohibiting any attempt by Company personnel to re-identify Pseudonymised Data.
11.3 Roadmap. The Company shall publish a Re-Identification Risk Mitigation Plan within six (6) months of the Effective Date of this Policy, detailing the technical standards (including k-anonymity threshold and, where adopted, differential-privacy parameters) applied to Pseudonymised Data.
12. CHILDREN'S DATA
12.1 Strict 18+ policy. The Service is intended solely for natural persons aged eighteen (18) years or above. The Company does not knowingly collect, process, or retain Personal Data of any individual under the age of eighteen.
12.2 Verification model. The Company applies a self-declaration model at the point of first interaction, supported by a detect-and-purge protocol: (a) the User is asked to confirm being eighteen years of age or above as part of Layer 1 Consent; (b) any indication during conversation that the User is under eighteen triggers the protocol set out in Clause 4.5 of the Terms of Service.
12.3 Future age verification. The Company reserves the right to implement technical age-verification mechanisms (including DigiLocker integration or equivalent) if mandated by the DPDP Rules or considered necessary by the Company.
12.4 Acknowledgement of residual risk. The Company acknowledges that self-declaration may permit minors to access the Service prior to detection. The Company commits to: (a) maintaining auditable logs of consent timestamps and detect-and-purge events; (b) deleting all data of any detected minor within seventy-two (72) hours of detection; (c) reviewing the adequacy of the self-declaration model annually.
13. SIGNIFICANT DATA FIDUCIARY POSTURE
13.1 Current status. As at the date of this Policy, the Company has not been classified as a Significant Data Fiduciary under Section 10 of the DPDP Act.
13.2 Proactive practices. Notwithstanding non-classification, given the nature and scale of data processed, the Company shall, on a best-efforts basis: (a) maintain a Data Protection Officer (initially Sanhit Jain, Designated Partner; to be transitioned to an independent India-resident DPO upon classification as SDF or upon Series A funding, whichever is earlier); (b) conduct periodic Data Protection Impact Assessments, on an annual cadence and upon any material change to processing; (c) maintain a Record of Processing Activities; (d) commission periodic audits of data-processing practices; (e) publish a transparency report from the second anniversary of the Effective Date.
13.3 SDF classification — additional obligations. Upon classification as SDF, the Company shall comply with all additional obligations under Section 10 of the DPDP Act within the prescribed timelines, including the appointment of: (a) a Data Protection Officer resident in India; (b) an independent data auditor; (c) such other roles as may be prescribed.
14. CONSENT MANAGERS
14.1 The DPDP Act contemplates the registration of Consent Managers with the Data Protection Board of India to enable Data Principals to manage consent across Data Fiduciaries.
14.2 Current position. As at the date of this Policy, the Company does not integrate with any registered Consent Manager. Consent is managed directly through the Service in accordance with the Consent Framework.
14.3 Future integration. When registered Consent Managers become operational, the Company shall: (a) evaluate integration with such Consent Managers; (b) inform Users of any integration through an update to this Policy; (c) permit Users to use a registered Consent Manager to manage consents relating to the Service.
15. AUTOMATED DECISION-MAKING
15.1 The Service uses artificial-intelligence systems to: (a) generate conversational responses; (b) identify behavioural patterns; (c) correlate astrological data with self-reported events; (d) suggest Vedic practices in accordance with the Disclaimer.
15.2 Limits of automated processing. AI Output: (a) does not constitute clinical diagnosis, psychological assessment, or medical recommendation; (b) is not relied upon for decisions of legal or similarly significant effect on the User without provision for human review.
15.3 Right to human review. The User may at any time request human review of any AI Output by emailing support@use-hunch.com or messaging "HUMAN REVIEW" to the Service. A response shall be provided within seven (7) business days.
16. GRIEVANCE OFFICER AND DATA PROTECTION OFFICER
16.1 Grievance Officer. The Company has appointed the following Grievance Officer pursuant to Rule 5(9) of the SPDI Rules:
| Particular | Detail |
|---|---|
| Name | Sanhit Jain |
| Designation | Grievance Officer, CMA Solutions LLP |
| Email | support@use-hunch.com |
| Telephone | +91 9667674105 |
| Postal address | Kh No. 316/274, Ground Floor, Front Side Saidulajab, Western Marg, near Lane No. 3, Gadaipur, Saidulajab, New Delhi, South West Delhi – 110030, India |
The Grievance Officer addresses grievances within thirty (30) days of receipt, in accordance with the Grievance Redressal Policy.
16.2 Data Protection Officer. The Company has appointed Sanhit Jain as the Data Protection Officer pursuant to Section 8(5) of the DPDP Act, pending transition to an independent India-resident officer upon any of the triggers set out in Clause 13.2(a).
17. CHANGES TO THIS POLICY
17.1 The Company may amend this Policy from time to time. In respect of any amendment: (a) the "Last Updated" date shall be revised; (b) for material amendments, the Company shall notify Users by message no less than fifteen (15) days before the amendment takes effect; (c) where a material amendment alters the scope of processing in a manner requiring fresh consent under the DPDP Act, the Company shall seek such fresh consent before processing on the new basis.
17.2 The User's continued use of the Service following the effective date of a non-material amendment shall constitute acceptance of the amendment.
17.3 The criteria for "material" amendment are those set out in Clause 16.2 of the Terms of Service.
18. GOVERNING LAW AND JURISDICTION
18.1 This Policy is governed by the laws of India.
18.2 Any dispute arising out of or in connection with this Policy shall be resolved in accordance with Clause 15 of the Terms of Service.
18.3 Nothing in this Policy precludes the User from approaching the Data Protection Board of India, the appropriate Consumer Disputes Redressal Commission, the Cyber Crime Reporting Portal, or any other competent statutory authority.
19. CONTACT
For all questions in relation to this Policy or the Company's data-processing practices:
CMA Solutions LLP
LLPIN: ACP-6029
Email: hi@use-hunch.com | support@use-hunch.com
Telephone: +91 9667674105
Postal Address: Kh No. 316/274, Ground Floor, Front Side Saidulajab, Western Marg, near Lane No. 3, Gadaipur, Saidulajab, New Delhi, South West Delhi – 110030, India.
20. ACKNOWLEDGEMENT
By using the Service, the User acknowledges and agrees that: (a) the User has read and understood this Policy; (b) the User consents to the collection, use, storage, and processing of Personal Data as described herein; (c) Conversation Data may be processed by Sub-Processors, including via cross-border transfer described in Clause 7; (d) Pseudonymised User Content may be used for AI training (Layer 2) and research (Layer 3) only upon the User's separate, opt-in consent; (e) the User is at least eighteen (18) years of age; (f) the Service is not a medical service, Mental Health Establishment, therapy, counselling, or substitute for professional advice; (g) Payment Data is processed by the Payment Processor in accordance with the Payment Processor's privacy notice.
SCHEDULE 1 — REVISION HISTORY
| Version | Date | Summary |
|---|---|---|
| 1.0 | 12 May 2026 | Initial draft |
| 2.0 | 16 May 2026 | Restructured for DPDP and SPDI compliance |
| 3.0 | [date] | Counsel-ready draft incorporating Audit Memorandum 20 May 2026 findings: pseudonymisation language, Sub-Processor enumeration restored, retention reconciliation, consent-layer unification, SDF roadmap |
END OF PRIVACY POLICY.
Draft for attorney review. Not legal advice. Not for publication in present form.