Back to Home

Aphelion Pvt. Ltd.

Privacy Policy

Effective Date: May 24, 2026

1. Introduction and Scope

Aphelion Pvt. Ltd. (referred to as "Aphelion," "we," "our," or "us"), a private limited company incorporated under the laws of India with its registered office in Hyderabad, Telangana, India, operates the Maleu mobile application and associated web services at maleu.online and aphelion.life (collectively, the "Platform").

This Privacy Policy explains how we collect, use, store, process, and safeguard your personal data. It has been prepared in strict compliance with the Digital Personal Data Protection Act, 2023 ("DPDPA"), the Information Technology Act, 2000 ("IT Act"), and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules 2021"). By creating an account or using the Platform, you provide your specific, informed, and unconditional consent to the collection and processing of your personal data as described herein.

2. Age Limit and Account Creation

Maleu is exclusively intended for individuals who are 18 years of age or older. We do not knowingly collect or process personal data from minors. During registration, you must self-declare your age. If we discover that we have inadvertently collected data from anyone under the age of 18, we will immediately and permanently delete all associated data and terminate the account without delay.

Registration is permitted via email and password, mobile phone number with OTP verification, or social authentication (Google Sign-In or Sign in with Apple). Providing real names is preferred and encouraged, though display names remain optional.

3. Information We Collect

We collect the following categories of information to provide the Platform services:

  • Directly Provided Information: Email address, mobile phone number, cryptographic hashes of passwords, display names, profile avatars, biography, and user-generated content (including text posts, photos, videos, workout logs manually entered into Wrex, and learning sessions in Bloom Mode).
  • Automatically Collected Technical Signals: Cryptographic session tokens generated by Supabase to maintain authentication, Firebase Cloud Messaging (FCM) push notification tokens, device characteristics (operating system version, device model, app version), and approximate location inferred from your IP address. We do not collect precise GPS coordinates.
  • Internal Diagnostic and Crash Logging: Technical errors, API failures, and app crashes are logged directly to our secure database. These logs do not contain user message content or private data, and we do not use third-party crash reporting tools.

4. Specialized Feature Data Handling

4.1 The Poses Feature

The Poses feature uses camera framing and guidance powered by on-device machine learning (ML Kit). All processing occurs strictly on your device. Raw camera feed data never leaves your device and is never sent to our servers. We do not collect, process, or store facial biometrics or geometry maps.

4.2 Message Privacy and Servers

Direct messages and group chat contents are stored on our servers (Supabase infrastructure). Messages are encrypted in transit and access-controlled via Supabase Row-Level Security, but they are not end-to-end encrypted. We only access message content under valid legal requirements or in-app reports of abuse. In-app chat locks (PIN or biometrics) operate purely at the device level.

4.3 Blocked and Muted Accounts

When you block a user, all visibility between your accounts is permanently hidden. This block hides past, present, and future posts, profiles, and messages, preventing any form of mutual interaction unless explicitly unblocked.

5. How We Use and Share Information

Your personal data is used to provide the social and fitness tracking service, authenticate sessions, process handshakes, deliver push notifications, and maintain security. We do not send marketing, promotional, or advertising emails or notifications.

We do not sell, rent, or trade your personal data. Data is shared only with trusted infrastructure providers acting as data processors strictly under our instructions:

  • Supabase Inc. (USA) — for secure database hosting, user management, and authentication.
  • Cloudflare Inc. (Global) — for CDN optimization and secure media storage (R2).
  • Google LLC (Firebase) (USA) — for push notification delivery.
  • Resend Inc. (USA) — for sending transactional account emails (e.g., OTPs and password resets).

6. Data Deletion and Portability

You have the right to erase, correct, or update your personal data. You can delete your account permanently directly within the app at the following path:

Profile Page → Settings → Delete Account

Account deletion deactivates your profile immediately, hiding it from all public feeds. All data will be permanently and irreversibly purged after a 15-day grace period. You may cancel the request by logging back in during this grace period. Data exports are not offered via self-service currently but are planned for the future; until then, you may contact our Grievance Officer.

7. Grievance Officer and Redressal

In accordance with the Information Technology Act, 2000 and Rules made thereunder, and the DPDPA 2023, the name and contact details of our designated Grievance Officer are published below:

Dharantej Reddy Poduvu

Title: Grievance Officer & Intermediary Compliance lead

Company: Aphelion Pvt. Ltd.

Address: Hyderabad, Telangana, India

Email: fuy.aphelion@gmail.com

Grievance emails will be acknowledged within 24 hours of receipt, and resolved systematically within 15 working days as required under Indian Intermediary Guidelines.

Terms of ServiceHome

© 2026 Aphelion Pvt. Ltd. All rights reserved.