Contact

Legal · arhas.in

Privacy policy

This website collects nothing about you. That is not a posture — it is a build decision, and you can check it from the browser you are reading this in.

Last updated
14 July 2026
Applies to
arhas.in — the corporate site
Jurisdiction
Courts in Hyderabad, Telangana, India

01 — The short version

We collect nothing here, because there is nothing here to collect with.

arhas.in is a set of static pages. It has no database, no session, no account and no form. It sets no cookies and runs no analytics. It does not load a font, a script, a tag or an image from any other company’s server. So there is no profile of you, no visit history, and no record to sell, share, lose or hand over — not because we are careful with it, but because it does not exist.

  • No cookies Not analytical, not functional, not “essential”. None. This is why you have not been shown a consent banner: there is nothing to consent to.
  • No analytics No Google Analytics, no tag manager, no self-hosted alternative, no pixel. We receive no report about your visit because we asked for none.
  • No third-party requests Fonts are compiled into the site. Icons are inline SVG. Nothing on this page is fetched from anyone else’s server, so nobody else is told you were here.
  • No forms No contact form, no login, no newsletter box, no comments, no chat widget. There is no field on this site to type your name into.

You do not have to take our word for any of that. Open your browser’s network panel and reload this page. Every request you see should go to arhas.in and nowhere else. If one does not, that is a bug in our build, and we want to hear about it — the reporting route is on our trust page.

Fonts are self-hosted and bundled at build time (@fontsource-variable) · icons are inlined SVG (src/components/Icon.astro) · no analytics package is installed

02 — What this policy covers

This document governs one website, and no product.

It covers arhas.in: the pages you are reading now. It does not cover BRUTAL Optimizer, MedOS or LabOS. Those are working software, and the categories of data they are built to handle — a licence key, a patient record, a laboratory result — are categories this website never touches. Each product is governed by the policy published on its own site, not by this one.

So if you are a patient at a clinic that runs MedOS, or you had a test at a laboratory that runs LabOS, this is not the document that governs your record. Section 06 says where to start instead.

We are saying that plainly rather than writing one policy that pretends to speak for four different systems. A privacy policy that covers everything usually describes nothing.

03 — What a visit to arhas.in involves

Serving you a page is still a network request. Here is who sees it.

arhas.in is served from Cloudflare Pages. To deliver this page to you, the request has to reach a server, which means the network that serves the site processes it — including your IP address — in order to route it and to keep the site up under attack. That is a property of being on the internet. It is not a collection we designed, and we would rather describe it than pretend it is not happening.

What we have not done with that:

  • We have not enabled any analytics product on this site — not a third-party one, not Cloudflare’s own. We see no visitor counts, no sessions, no paths, no dwell time.
  • We have not placed a cookie, a local-storage key or any other identifier in your browser, so nothing follows you from one page of this site to the next.
  • We do not build a profile, we do not enrich anything against a third-party data set, and we run no advertising of any kind, so there is no advertising identifier to be joined to.

If we ever change that — if this site one day counts page views — this section is where it will be written down, in a sentence that says exactly what is counted and by whom, before it ships.

04 — What we never do

We never sell data. We will not tell you we never share it.

We never sell data. Not the little this site has, which is none, and not the data our products hold. We do not sell it, rent it, trade it, or make it available to a data broker, an advertiser or a model trainer. That promise is absolute and we will keep it.

You will notice what we have not written. Most vendors in our market write “we never share your data with third parties.” We will not, because for any hosted product it is false, and we can tell you exactly why it is false. MedOS and LabOS run on Cloudflare. The MedOS database is Turso. Payments go through Razorpay. Where a customer switches on the optional AI features, text reaches Google. Software that runs on the internet necessarily hands data to the infrastructure that runs it.

“We never sell data” is a promise we can keep. “We never share data” is a sentence written because it sounds better than the truth. This is the whole company in one paragraph: when the strong claim and the checkable claim disagree, we ship the checkable one.

05 — The DPDP Act, 2023

Where we process personal data, we do it under Indian law.

The Digital Personal Data Protection Act, 2023 is the law that governs personal data in India. It gives you rights over your own: to know what is held, to have it corrected, to have it erased, to nominate someone to act for you, and to have a grievance heard.

On this website those rights have almost nothing to act on. We hold no personal data collected through arhas.in, so there is no record here to show you, correct, erase or nominate against. That is not a way of ducking the Act — it is what the Act looks like when a site genuinely collects nothing.

The Act also requires us to publish a contact for data-protection questions. We do not yet run a monitored mailbox on this domain, and we are not going to print an address that bounces in order to look compliant. The pending marker in section 09 is what we print instead. Until the mailbox exists, security and privacy reports should go through the route on our trust page, and questions about a product should go to that product’s own contact address.

06 — If your data is in one of our products

Start with the product, not with us.

If you are a patient at a clinic that runs MedOS, or you had a test at a laboratory that runs LabOS, your record is held on behalf of that clinic or that laboratory. They are the organisation you gave it to, and they are the right first stop for a question about it. The product’s own privacy page sets out how the software processes it and how to raise a grievance.

If you use BRUTAL Optimizer, the same applies: what the application collects, and what it does not, is documented on its own site.

Two things worth knowing, because they are the sort of detail that usually only appears after you ask:

  • Where MedOS data sits, stated precisely. The MedOS database is Turso in ap-south-1. Compute runs on Cloudflare Workers with a Mumbai placement hint. Object storage is Cloudflare R2, which is APAC — not guaranteed India. It is common in this market to compress all of that into “your data is stored in India”. We will not, because the third line is not true.
  • Patient fields in MedOS are encrypted with AES-256-GCM at the field level. The row-binding retrofit that ties each encrypted field to its own row is close to complete, but a legacy path without it still exists for older rows. The encryption is real. Its universality is not yet, and we would rather tell you that here than have you find out from a breach notice.

MedOS — lib/security/encryption.ts (AES-256-GCM, field level) · app/docs/security/known-gaps.md (legacy no-AAD fallback path) · Turso ap-south-1 · Cloudflare Workers, Mumbai placement hint · Cloudflare R2 (APAC)

07 — Changes to this policy

If the facts change, this page changes first.

The claims on this page are properties of how the site is built. If we ever add a cookie, an analytics tag, a form or a third-party script, the sentence saying we have none of those things becomes false — so it gets rewritten before the change ships, not after somebody notices.

Every version carries the date at the top of this document. A material change gets a plain note saying what changed, rather than a silently bumped date.

08 — Governing law

India, and the courts of Hyderabad.

This policy, and any dispute arising out of it or out of your use of arhas.in, is governed by the laws of India. Courts in Hyderabad, Telangana, India have exclusive jurisdiction.

Our terms of use cover the rest of what governs this site: what you may do with it, what it is and is not warranted to be, and where a product purchase is actually governed.

09 — The entity behind this site

We cannot yet name the company on paper, so we say that instead.

A legal document needs a party: a registered name, a registered office, and a mailbox that answers. Ours have not been checked against the certificate of incorporation, and no mailbox on this domain is monitored yet. So they are not printed here.

Registered entity
[legal name pending verification]
CIN
[CIN pending verification]
Registered office
[registered address pending verification]
Contact mailbox
[mailbox pending verification]

This is the rule that governs every number on this site, applied to ourselves: if we cannot show you where it came from, we do not print it. It is more embarrassing on a legal page than anywhere else, which is the reason it is here rather than quietly filled in with something plausible. The build enforces it — a release fails while any of these remain unverified.

Until they are confirmed, the routes that do work are the product sites, which have their own legal pages and their own support addresses, and our trust page, which is where security reports go.

src/data/company.ts — registered name, CIN, address and mailbox are unverified placeholders · scripts/verify-claims.mjs blocks a build while any remain

Found something on this page you cannot check, or that contradicts a product's own documentation? Tell us. We would rather delete a sentence than defend one.