Privacy Policy
Effective date: April 15, 2026
ArthIQ Labs LLC · support@kundalimcp.com
1. Overview & PII-Blind Architecture
The KundaliMCP computation engine is PII-blind by design. It accepts astronomical coordinates and timestamps — abstract mathematical inputs stripped of identifying context. No names. No birth dates. No place names. No emails. No device identifiers. The computation engine has no mechanism to receive, process, or retain personal data.
This policy describes what ArthIQ Labs LLC (“ArthIQ,” “we,” “us,” or “our”) collects, how we handle it, and your rights with respect to it. It covers the KundaliMCP platform, developer portal, and associated services at kundalimcp.com. It does not apply to third-party services linked from the portal.
The privacy architecture of this platform is not a compliance afterthought — it is a structural engineering property. The same architecture that makes computation stateless makes it PII-safe: birth data enters via API call, computation runs in-process memory, results exit. At no point is personal data written to disk, persisted in any store, or made available for subsequent retrieval.
2. Data the Computation Engine Does Not Collect
The following categories of data are structurally excluded from the KundaliMCP computation pipeline. The API does not accept fields for these inputs, and the engine has no code paths that could receive or process them:
- —Full names, given names, family names, or nicknames
- —Human-readable birth dates (day/month/year) — the API accepts Julian Day numbers only
- —Place names, city names, country names, or addresses
- —Email addresses or phone numbers
- —Device identifiers, IP addresses, or browser fingerprints
- —User account identifiers or session tokens within computation requests
- —Any text field that could contain personally identifiable information
Computation inputs are: geographic coordinates (latitude and longitude as floating-point numbers), a Julian Day number representing birth time, ayanamsha selection (an enumerated identifier), house system selection (an enumerated identifier), and school profile selection (an enumerated identifier). These inputs are mathematical. They cannot be linked to an individual without external context.
3. Caller Responsibility
The responsibility for converting personal data — a person’s name, birth date, and birthplace — into abstract computational inputs (geographic coordinates and Julian Day number) rests entirely with the API caller. ArthIQ is not a data controller or data processor for any personal data that exists in your application before it is abstracted into API inputs.
If you build an application that collects birth information from your users and converts it to API inputs, you are the data controller for that personal data. Your obligations under GDPR, CCPA, DPDP, and other applicable privacy laws apply to the data you hold — not to the abstract inputs you transmit to KundaliMCP.
ArthIQ strongly recommends that API callers implement conversion (from personal data to abstract coordinates) client-side, so that personal data never transits ArthIQ infrastructure. The API is designed to facilitate this pattern: it requires no personal data to produce a complete kundali analysis.
4. Website Data Collection
The KundaliMCP developer portal (kundalimcp.com) collects limited data to operate the website and billing system:
Plausible Analytics
We use Plausible Analytics for website traffic measurement. Plausible is cookie-free and privacy-first: it does not use cookies, does not track users across sessions, does not fingerprint browsers, and does not share data with advertising networks. Page view counts and referrer data are aggregated and cannot be linked to individuals. No consent banner is required because no tracking occurs.
Stripe (Payments)
Subscription billing is processed by Stripe. When you subscribe to a paid tier, Stripe collects your payment card details, billing address, and email address — these are processed under Stripe’s Privacy Policy. ArthIQ receives only: your email address (for account communication and billing notifications) and payment confirmation status. ArthIQ does not receive or store full card numbers, CVV codes, or billing addresses.
Vercel & Cloudflare Infrastructure
The portal is hosted on Vercel. API traffic routes through Cloudflare’s edge network. Both platforms may process request metadata (IP addresses, request timestamps, HTTP headers) in the course of providing network and security services. This processing is governed by Vercel’s and Cloudflare’s respective privacy policies. ArthIQ does not log IP addresses at the application layer.
5. API Data Handling
Data flow guarantee:
Birth data enters via API call → computation runs in-process memory → results exit. Birth data is never written to disk, never logged, never stored in any persistent store, never included in error messages, never transmitted to any third party, and never retained after the response is delivered.
API requests are processed statelessly. Each request is independent. The computation engine holds no session state between requests. If an optional ephemeral cache is used (via caller-supplied session key with explicit TTL), cached values are AES-256-GCM encrypted and keyed solely to the session key. They expire automatically at TTL and are never retrievable after expiry.
Error messages produced by the computation engine contain only computational error descriptions (e.g., “Julian Day out of supported range”) — they never echo back input parameters that could reconstruct birth data.
6. Output Data Classification
KundaliMCP API responses include a DataClassification field. This field is set by the API caller, not by ArthIQ. It is passed through the computation pipeline and returned in the response to assist callers in applying appropriate data handling policies to outputs within their own systems.
ArthIQ disclaims responsibility for how callers classify, store, transmit, or protect API outputs. If you associate API output with personal data (e.g., by storing a kundali result alongside a user record), you become the data controller for that association and are solely responsible for its compliant handling under applicable law.
7. Third-Party Sub-Processors
ArthIQ uses the following sub-processors in the operation of the Service. Each operates under its own independent privacy policy and data processing terms:
| Processor | Purpose | Data transferred |
|---|---|---|
| Stripe | Subscription billing & payment processing | Email address, payment card data, billing confirmation |
| Vercel | Portal hosting & edge delivery | Request metadata (IP, headers) processed at edge; not logged at application layer |
| Cloudflare | API edge routing, DDoS protection, KV cache | Request metadata; encrypted cache values (no plaintext personal data) |
| Plausible Analytics | Cookie-free website analytics | Aggregated page view data, no personal identifiers |
8. GDPR Compliance (European Union)
For users in the European Union and European Economic Area, the General Data Protection Regulation (GDPR) applies to personal data ArthIQ processes in connection with your account.
Computation outputs are not personal data under the GDPR — they are abstract mathematical transformations of non-identifying inputs. They do not relate to an identified or identifiable natural person as processed by ArthIQ. If you associate computation outputs with personal data in your own systems, you become the data controller for that association.
Personal data ArthIQ does process (account email address, billing records) is processed on the following legal bases:
- Contract performance: processing necessary to provide the subscription service you have requested
- Legitimate interests: fraud prevention, abuse detection, and service security
- Consent: marketing communications, where applicable and separately obtained
EU/EEA residents may exercise the following rights with respect to personal data ArthIQ holds: right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, and right to object. Submit requests to support@kundalimcp.com. ArthIQ will respond within 30 days.
9. CCPA Compliance (California)
For California residents, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) apply to personal information ArthIQ processes in connection with your account.
ArthIQ does not sell personal information. ArthIQ does not share personal information with third parties for cross-context behavioral advertising. The computation engine, as described in Section 2, does not collect or process personal information.
California residents may request: disclosure of the categories and specific pieces of personal information ArthIQ has collected; deletion of personal information; correction of inaccurate personal information. Submit requests to support@kundalimcp.com. Verifiable consumer requests will receive a response within 45 days.
10. DPDP Act Compliance (India)
For users in India, the Digital Personal Data Protection Act 2023 (DPDP Act) applies to personal data ArthIQ processes in connection with Indian residents.
The KundaliMCP computation engine processes no personal data of Indian residents. The same PII-blind architecture that governs all API computation applies equally to Indian users: the API accepts only abstract mathematical inputs. No personal data is processed, stored, or transferred by the computation engine.
Account and billing data (email address) for Indian subscribers is processed under legitimate uses as defined by the DPDP Act, specifically the performance of a contract for services. Indian residents may exercise their rights under the DPDP Act — including access, correction, erasure, and grievance redressal — by contacting support@kundalimcp.com.
11. Children
The KundaliMCP Service is a B2B developer platform not targeted to, designed for, or marketed toward children. It is not directed at individuals under the age of 13 (or under 16 in the European Union and European Economic Area). ArthIQ does not knowingly collect personal information from children under these age thresholds.
If you believe a child has provided personal information to ArthIQ, contact support@kundalimcp.com and we will promptly delete it.
12. Data Retention
ArthIQ retains data for the minimum period necessary for each purpose:
API keys
Retained for the duration of the account, plus 7 years after account closure for tax compliance and audit purposes. Keys are stored as SHA-256 hashes — plaintext keys are never written to any persistent store.
Account email address
Retained for the duration of the account plus 12 months after account closure for billing dispute resolution and legal compliance.
Contact/support emails
Retained for 12 months after resolution of the support request.
Billing records
Retained for 7 years as required for tax and financial compliance.
Aggregate analytics data
Aggregated, anonymized page view statistics are retained indefinitely. No personal identifiers are present in this data.
Computation inputs and outputs
Not retained. Zero retention. Computation data exists only in process memory for the duration of the API request.
13. International Data Transfers
ArthIQ Labs LLC is based in Illinois, United States. Limited personal data (account email address, billing records) may be transferred to and processed in the United States and in countries where our sub-processors operate.
For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, ArthIQ relies on Standard Contractual Clauses (SCCs) as approved by the European Commission where legally required. For transfers from India, ArthIQ applies appropriate safeguards in accordance with the DPDP Act.
14. Security Measures
ArthIQ implements the following technical security controls:
- —TLS 1.2+ for all data in transit between clients and the Service
- —AES-256-GCM encryption for any ephemeral cache values (optional, caller-keyed, TTL-bounded)
- —SHA-256 hashing of API keys — plaintext keys are never written to any persistent store
- —No plaintext key storage at any layer of the infrastructure
- —Stateless computation architecture that eliminates persistence-layer attack vectors for birth data
- —Cloudflare DDoS protection and edge security on the API surface
No security system is impenetrable. If you discover a potential security vulnerability in the Service, please report it to support@kundalimcp.com. Do not disclose security vulnerabilities publicly until ArthIQ has had a reasonable opportunity to investigate and address them.
15. Changes to This Policy
ArthIQ may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Updates will be signaled by updating the effective date at the top of this page.
Material changes — those that substantively affect how we handle personal data — will be communicated via the email address on your account at least 14 days before the effective date. Your continued use of the Service following the effective date of an update constitutes acceptance of the revised policy.
16. Contact & Privacy Requests
For privacy inquiries, data access requests, deletion requests, or any other questions about this policy, contact:
ArthIQ will respond to verifiable privacy requests within 30 days (or 45 days for CCPA requests where additional time is required).