Effective Date: June 30, 2017 (GMT)
Latest Revised Date: Feb 10, 2021 (GMT)
Changes in v3.1.0 | Feb 10, 2021
You can read the full list of changes in the Changes Log
For the purposes of processing Your data, Touchkin eServices Private Limited, the makers of Wysa App will act as the Data Controller. Touchkin is a private limited company, incorporated and existing under the laws of India and having its registered office at No. 532, "Manjusha", First Floor, 2nd main, 16th Cross, II stage, Indiranagar, Bengaluru, KA 560038 IN.
We will always respect and protect Your privacy, and this forms a part of Our guiding principles. We have policies and procedures in place to protect the privacy and security of Your Personal data. Your trust means a lot to Us. Wysa does not request Your Personal Data. If You inadvertently submit any Personal data then, We will process it with Your data basis this Agreement and will take reasonable measures to irreversibly redact any Personal Identifiable Information within 24 hours in Our system as described here . Please do not share any Personal data at any time during Your Use of Our Services. Your data is secured with strong encryption during transmission and storage.
Anonymization is the process of removing personally identifiable data from data sets
so that the person can no longer be identified directly or indirectly.
Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Encryption is the process of transforming data into unreadable text so that it is only legible to those possessing an encryption key. The process of making encrypted data readable again is referred to as decryption.
Personal data or Personal Information means data relating to an identified or identifiable natural person who can be directly or indirectly identified by reference to an identifier such as full name, identification numbers, location address, online identifier and other identifiers within the definitions of The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or data) Rules 2011, General Data Protection Regulation (GDPR) (EU) 2016/679 regulation and UK-GDPR. Personally identifiable information (PII) and Sensitive or Special Category of Personal data is covered within the definition of Personal Data.
Pseudonymisation means the processing of Personal data in such a manner that the Personal data can no longer be attributed to a specific User without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal data are not attributed to an identified or identifiable natural person.
Non-Personal data or Non-Personal Information means any data that does not reveal Your specific identity either directly or indirectly.
Sub-Processor/s is a processor who is sub-contracted some of the personal data processing.
Web browser is a software program that allows User to access, retrieve and view data on the World Wide Web. Examples of browsers include Internet Explorer, Firefox, Google Chrome and Safari.
What is Wysa App?
The Wysa App is a virtual AI chatbot (“Bot” or “Wysa Bot”) that You can chat with, including upon Your choice, the ability to subscribe and to message a highly trained and qualified mental well-being professional (“Wysa Well-being Coach” or “Wysa Therapist”) or for Institution Users, to be able to use an institutional support mechanism integrated within the Wysa App, and through a conversational interface get access to tools and techniques to manage Your emotional well-being. The Wysa App is primarily available for both iOS and Android mobile systems and as a web browser based system either on the wysa website or integrated within an Institution website. Your Interaction with the Bot is with an artificial intelligence chatbot and not a human. The Bot is restricted in the means of response, and the intended usage of Wysa App is for providing evidence-based tools and techniques to manage emotions and encourage mental well-being as an early intervention tool in a self-help context. You make the choice of using the Bot, based on Your own estimate of need, and agree that this is only suitable for basic self-help. This is not intended to be a replacement for face-to-face psychotherapy or to provide a diagnosis, prognosis, treatment or cure for a disease/condition/disorder or disability. The Bot cannot and will not offer advice on issues it does not recognize. Using the Wysa App, You can track and manage Your mood, and learn context-sensitive evidence-based techniques that can help You feel better. Wysa App and Service is not intended for use in crisis such as abuse or complex or severe mental health conditions that causes for example; ideation of suicide, harm to self and others, or for any medical emergencies. Wysa App and Service cannot and will not offer medical or clinical advice. It can only suggest that the user seeks advanced (medical) help.
Who can Use the Service?
If Your Institution specifies a different age restriction, such as at least 18 and above, as a condition of using this Service, that restriction shall apply rather than the one above.
If You use the Wysa Well-being Coach or Wysa Therapist Service, You will be asked to provide a Parental or Legal Guardian consent if You reveal Your age to be between 13 and 18 years. You will be required to inform Your parents or legal guardian and have them send Us an email consent to [email protected] or [email protected], as directed by Your Wysa Well-being Coach or Wysa Therapist, using the same email ID that was used to subscribe to Our Service. Without receiving parental or legal guardian consent, We will be unable to offer Our full Services. If Your parents or legal guardian contact Us We will collect minimal Personal Information such as Your name, Your parents name, Your parent’s email address and the consent message. This data is securely stored in Our Google GSuite account with access to only authorized users. We have a signed Data Protection Addendum and Business Associate Agreement With GSuite. Your parental consent email will be retained within Our system for a maximum of 10 years since Your last subscription with Us and as per Our Information Retention Policy. We process Your data for our Legitimate Interest to provide You Our Wysa Well-being Coach or Wysa Therapist Service. We will not use Your Personal data for any Direct Marketing without Your Consent. We will not share or sell Your Personal data to any third party.
Institution or other Consumer users
The Institution Version and its Services can only be accessed by authorized Institution User(s) after following installation and access instructions as shared by the Institution or their Service provider.
What Data do We collect and how do We Use it?
How do We handle Your Personal Data?
No identifiable information is solicited or stored in the Wysa app. As data is not related to an identifier or identifiable natural person, it will no longer be Personal data or Special Category of Personal data. There is no user registration nor are You asked to share Personal data when You install and use the Wysa App and Services.We collect, transfer and securely store the unique vendor specific ID provided by the Apple App Store or Android Play store when You install Wysa App on Your device. This is done for the purpose of generating a random pseudonymised user identifier. This pseudonymised identifier generated becomes the userId that is referred to for all subsequent data transfers and linking Your data within the Wysa databases. This processing is based on Our Legitimate Interest. Refer here to understand how we protect Your data.
If Wysa App is integrated with Your Institution system, Your Institution may securely share a unique random user identifier with Us. This random identifier is processed by Us on behalf of Your Institution for the purpose of accurately linking You with Your provided data when You repeatedly access the Institution System and the Wysa App and to provide the agreed analytics with Your Institution. Your Institution will be the Data Controller and We will be Data Processors for this specific processing. This processing will be based on Your Institutions contract with Us.
If You inadvertently share any personal identifier such as full name, dates, locations, phone numbers, email identifiers or medical terms during Your conversation with the Wysa App and Services, it is Our responsibility to redact such personal identifiers to make the data non-personal. To ensure that no personal identifiers get stored in Our systems, We have developed a high recall AI-NLP algorithm that detects and irreversibly redacts identifiers, which include all numbers more than 2 digits, urls, emails, dates, locations, names and medicalized terms, from Our storage systems. Within 24 hours of starting Your session, Our algorithms will process Your data, detect any personal identifiers and irreversibly redact them. None of Your conversation messages will be lost, and only the specific personal identifier will be irreversibly redacted in Our systems. You will also be notified when such obfuscation is completed and can view such obfuscation in the Journey tab within the Wysa App. This obfuscation processing is based on Our Legitimate Interest. This is to ensure that no personal identifier and hence no Personal data inadvertently creeps into Our system and Wysa App is able to maintain complete anonymity.
You have the Right to be Forgotten. You can also, at any point of time, clear all Your provided data by using the “reset my data” feature available in the Wysa App settings. Refer here in our Policy for more details. DO NOTE THAT “RESET MY DATA” DELETES ALL YOUR SUBMITTED DATA INCLUDING YOUR IDENTIFIERS, PAST CONVERSATIONS, REMINDERS, ASSESSMENT RESPONSES AND ENABLED SETTINGS. POST RESET, YOU WILL NOT BE ABLE TO RECOVER YOUR PAST DATA AND YOU WILL BE CONSIDERED AS A NEW USER OF THE APP. HENCE, THIS FEATURE IS TO BE USED BY YOU AT YOUR DISCRETION.
How do We handle Your conversation messages?
When You Use the Wysa Bot Service, You provide Your messages by selecting pre-formatted options or by way of free-text using keypad or by speech to text. We collect, transmit and securely store Your messages in Our servers. We process Your messages in real-time using safe NLP algorithms that detect the context and direct You appropriately to subsequent conversation based on a proprietary rule-based content engine. At no point during Your conversation with the Wysa Bot does another natural person have access to or get to monitor or respond to, Your messages. The Wysa App’s proprietary and closed rule-based algorithms process all Your messages for positive and negative sentiments. This is done to enable the Wysa App to empathetically converse with You, and personalize Your conversation. There is no solely automated processing done by the Wysa App to determine what You should do. You are always asked to verify whether the Wysa App has understood Your conversation or sentiment or emotions correctly, before proceeding down the conversational path.
When You use the Wysa Well-being Coach or Wysa Therapist Service, You get to exchange text-based messages with a mental health and well-being professional. We collect, transmit and securely store these messages in Our servers. If You inadvertently send any Personal identifiers in Your messages, such identifiers are irreversibly hashed by Your Well-being Coach or Wysa Therapist during conversation.
Processing of Your conversation messages is based on Our Agreement that You agree at
time of installing and using the Wysa App.
Your data, messages or usage is not used for direct marketing nor is it sold to
We do not use the messages or the data You submit to Us as a way to generate revenue
Wysa. We do not collect any Personally Identifiable Information from You. At the
time, We do use anonymised and only the minimal data that is required to answer the
research question for research and statistical purposes based on Our Legitimate
to improve Our Product and Services and contribute to the development of
mental wellbeing best practices globally. The messages You send are strongly
You have the Right to be Forgotten. You can also, at any point of time, clear all
provided data by using the “reset my data” feature available in the Wysa App
Refer here in our Policy for more details.
All the conversations You have with the Wysa App are private. No one within or outside of
Touchkin has access to Your Data except to process based on Our Legitimate Interest as
identified here and based on principles of privacy by design.
We will do our best to irreversibly redact any Personally Identifiable data inadvertently
submitted by You as per Our Legitimate Interest.
How do we handle Your name?
When You Use the Service, We will not ask for and will not require Your full name at any point of time during the conversation. After installation, We take You through a one time on-boarding process. Here We ask for only Your nickname. Processing of Your nickname is based on Our Agreement to help personalize Our conversation with You. We set character limits to prevent You from inadvertently submitting Your full name.
ALWAYS USE NON-IDENTIFIABLE NICKNAME TO MAINTAIN COMPLETE ANONYMITY. You can change the nickname once provided to the Wysa App by typing #help and choosing “Change Name” from the slider displayed.
Why do We ask about Your thoughts, feelings (emotions), mood, major event or life changes, goals, energy levels and safety plan?
When You Use the Service, We may periodically ask You wellness-related information such as Your thoughts, feelings or emotions, mood, major events / changes in life, Your resilience goals and Your energy levels. Processing of Your response is based on Our Agreement and solely to provide You evidence-based tools and techniques to manage emotions and encourage mental well-being in a self-help context. We use Your anonymized and minimal wellness-related information for population-level research and statistical purposes as per Our Legitimate Interest (here of this Policy).
When You use the Service, You may be given an option to create a Safety Plan to help You maintain a ready access of support resources and crisis helplines that You may want to access when in need. You may enter data such as life anchors, friendly places, support networks, warning signs, calming activities. Processing of Your data is based on Our Agreement and solely to provide You access to Your own Safety Plan for Your own care.
Your data is strongly encrypted during transmission and is securely stored. Kindly refer Our Security safeguards and rights You can exercise here
We will do our best to irreversibly redact any Personally Identifiable data inadvertently submitted by You as per Our Legitimate Interest.
How do We handle Your responses to mental well-being screening assessments?
When You Use the Service, You will be asked to respond to validated assessments. Response is voluntary and You can opt to not report any of the assessments. Wysa App currently Uses four validated assessment scales for understanding Your emotional Well-being namely Patient Health Questionnaire (PHQ9)- to self-report any symptoms of depression, the Generalized Anxiety Disorder Assessment (GAD7) - to self-report any symptoms of anxiety, and the Subjective Units of Distress Scale (SUDS)- to self-report the intensity of distress currently experienced.
If Wysa App is integrated with Your Institution system, Your Institution may additionally share Your PHQ9 and GAD7 score, that Your Institution may collect, with Us. This screening data is processed by Us on behalf of Your Institution for the purpose of understanding Your emotional Well-being, providing You the necessary Well-being tools and techniques and to provide the agreed analytics with Your Institution. Your Institution will be the Data Controller and We will be Data Processors for this specific processing. This processing will be based on Your Institutions contract with Us.
You will also be asked to share how You cope with day to day activities as part of the assessments. Assessments are a proven way to baseline and track the progress of Your self-reported symptoms. Processing of Your assessment response is based on Our Agreement and used for the purpose of determining if escalation is required and to provide You access to scientific-evidence based tools and techniques to manage emotions and encourage mental well-being in a self-help context.
YOUR RESPONSES TO THESE ASSESSMENT QUESTIONS ARE NOT PROCESSED TO FORM A DIAGNOSTIC OPINION NOR PROCESSED FOR ANY MEDICAL PURPOSES OR FOR GIVING CLINICAL ADVICE. We DO NOT collect or process Your sensitive medical data or Protected Health data (PHI), as defined under the US law, that can directly or indirectly Identify You. We use Your anonymized assessment scores for population-level research and statistical purposes as per Our Legitimate Interest (here of this Policy).We apply organizational and technical measures to endeavour to irreversibly redact any Personally Identifiable data inadvertently submitted by You as per Our Legitimate Interest.
Your response is encrypted during transmission and is securely stored. YOUR PERSONAL DATA IS NEVER SHARED WITH A THIRD PARTY WITHOUT YOUR EXPLICIT CONSENT.
What data do We collect when working with a Wysa Well-being Coach or Wysa Therapist?
When You use the Wysa Well-being Coach or Wysa Therapist Service, You get to exchange text-based messages with a mental health and well-being professional. We collect, transmit and securely store these messages in Our servers. Processing of Your conversation messages is based on Our Agreement that You agree at the time of installing and using the Wysa App.
When You Use the Wysa Well-being Coach Service or the Wysa Therapist Service, You can schedule or reschedule a real-time text-based messaging session with Your assigned Coach or Therapist. We collect Your chosen session dates and time to confirm Your booking.
Processing of Your device time zone is based on Our Agreement to calculate Your local date and time so that session bookings are accurately scheduled and for setting accurate session reminder notifications. At times, Wysa App may get Your local time wrong which could affect the session scheduling. PLEASE ALWAYS VERIFY YOUR LOCAL TIME DISPLAYED BY WYSA APP IN THE SESSION SCHEDULING SCREEN BEFORE PROCEEDING WITH BOOKING OF A SESSION. IF YOU NOTICE AN ERROR IN YOUR LOCAL TIME DISPLAYED, GO TO THE BOT MESSAGING INTERFACE AND TYPE #TIME TO CHANGE YOUR TIME. If You face any challenge changing Your local time or booking a session, kindly write to Us at the contact provided here.
What do We process when You use SIRI or Google Assistant voice-based Service of Wysa?
If You choose to use Apple’s SIRI or Google’s Assistant to invoke the Wysa Bot Service, You get the opportunity to talk to Wysa Bot. These services convert Your voice into text and pass this transcription to Wysa’s secure servers. We do not get access to Your voice patterns. No Personal data gets asked or collected during use of this Service. Please do not share Your Personal Information at any time during use of this Service.
How do We handle Your Device data when You Use Our Service?
When You Use the Service, We collect, securely encrypt and transfer and store the following data from Your mobile device: mobile application identifier, mobile operating system, OS version, device make and model. We process this data based on Our Legitimate Interest to detect and deter unauthorized or fraudulent Use of or abuse of the Service, to troubleshoot issues, for debugging app crashes and to optimize Your experience for e.g. to make sure the Wysa App is displayed correctly on Your phone, or Your usage settings are applied.
We do not use any Cookies and beacons within Our Wysa App.
Do We collect Passive Sensing data from Your mobile device?
When You Use the Service, the Wysa App does not passively collect nor process any data from Your mobile device sensors, including accelerometer, ambient light readings and screen on/off readings and call logs.
Do We process Your location data?
Wysa App does not process Your Geolocation at a level that makes Your data personally identifiable. Wysa may infer Your location through Your timezone or other means at a country or state level to provide You appropriate resources.
How do We use any Third Party Analytics tools and software?
When You use the Service, Wysa App usage and system generated event data gets logged and
sent to third-party operations and analytics tools such as Google Analytics, Facebook
Firebase via their secure API integrated within the Wysa App. No Personal Data is
shared. Any event data sent to third party tools used for operations and analytics is
designed to ensure that it is cryptic and does not create a medical or psychological
profile of a user in the hands of the processor. These events do not contain
conversational data provided by You during Your use of the Service. We use random
Firebase generated Identifiers of the User to send in-app and push notifications.
Processing of events data is based on Our legitimate Interest to view Wysa App
engagement and Operational performance to improve Our Service Quality, Safety and
No direct advertising or direct marketing is performed both within and outside the app.
However, to measure the effectiveness of our social media or other marketing campaigns,
We may install third-party modules (Google Analytics, Facebook Analytics, Firebase and
the Wysa App to help Us understand Service performance based on User use. This helps us
make improvements to Our Service experience for Our Users. Event data from these modules
is sent to third-party operations and analytics tools such as Google Analytics,Facebook
Firebase via their secure API integrated within the Wysa App. No Personal data is
shared. These events do not contain any conversational data provided by
You during Your use of the Service. Processing of events data is based on Our Legitimate
Interest to view Wysa App engagement and Operational performance to improve Our Service
Quality, Safety and Performance.
You have the right to object to the above processing. Please read here on
Apart from the App-pushed events, the third party tool APIs also may automatically collect some non-personal events. Google Analytics automatically collected events can be found here . The use of Google Analytics is governed by Google Data Policy and Data Safeguards . Facebook Analytics automatically collected events can be found here and here. The use of Facebook Analytics is governed by Facebook Data Policy and Terms of Service. Firebase automatically collected events can be found here. The use of Firebase is governed by Firebase Terms of Service, Use Policy and Crashlytics Terms of Service.
What additional data do We collect from Institution Users?
By using the code or link provided by the institution, You are identifying Yourself as being a part of the cohort supported by the institution. Your Institution may also get access to your aggregated and minimal usage data for their analytic and research purposes basis the consent given by You to Your Institution. We may collect Your Country, Division and in some cases Your City to provide aggregated analytics. We do not share Your Personal conversational messages with the institution. Any inadvertent personal identifiers provided by You are removed prior to aggregation and sharing of any analytics with the institution. This processing of data of Institution cohorts is based on the contract between the Institution and Touchkin.
How do We handle Your App password?
Wysa App does not use any passwords. For Your privacy and security, You are advised to set Your own Wysa App PIN to protect unauthorized access of Your conversation messages. Your mobile device screen password is Your PIN. To extend Your device password, use the "Set Lock " feature under Wysa App settings. You can also remove Your PIN Using the ‘Remove Lock” option under settings. The PIN that You Use is personal to You, and You are responsible for maintaining the confidentiality and security of Your PIN. PLEASE KEEP YOUR PIN SAFE AND DO NOT SHARE IT WITH ANYONE. The PIN You set remains in Your device and is not collected, transmitted and stored in Our servers.
What do We do with Your feedback and ratings?
When You Use the Service, You have an option send Your feedback from within the Wysa App and through Our Website. to the Wysa App.Feedback can be given using the Feedback feature provided in the Wysa App setting. Personal data, if any provided in Your privately shared feedback messages, will be manually redacted before any processing of Your feedback. We will always take Your explicit consent before revealing Your nickname or name for social proof purposes. If You contact Us from Our Website “Contact Us”, We will collect minimal Personal Information provided by You such as Your name, Your email address, and Your message. This data is securely stored in Our Google GSuite account with access to only authorized users. We have a signed Data Processing Agreement and Business Associate Agreement With GSuite. We will Use this data to address Your requests to provide You support and to improve Our Services. Your Email will be retained within Our system for a maximum of 10 years since last correspondence as per Our Information Retention Policy. We process Your data for our Legitimate Interest. We will not use Your Personal data for any Direct Marketing without Your Consent. We will not share or sell Your personal data to any third party. If You have subscribed to the Well-being Coach Service or Wysa Therapist Service, We will collect anonymous feedback post Your sessions. Processing Your anonymous feedback and rating is based on Our Agreement and used by Us to improve the product and Your Service quality, safety and performance.
AS A BEST PRACTICE, IT IS ADVISED THAT YOU TAKE ADEQUATE PRECAUTIONS TO NOT SHARE YOUR SENSITIVE HEALTH OR PERSONAL DATA WHILE GIVING FEEDBACK OVER EMAIL NETWORKS.
How do We handle notifications or reminders?
When You Use the Service, You have the option to activate or deactivate push notifications or reminders in Your Wysa App settings. The Wysa App will ask Your preference for the time of day to receive notifications and will confirm Your local time to ensure reminders get sent as per Your preference. You can cancel or restrict notifications at any time by invoking help function (type #help) or from Your Wysa App settings.If You use the Coach or Therapist Service, You also have the option and convenience to save Wysa Session reminders to Your calendar management software in Your mobile device. Processing of Your notifications is based on Our Legitimate Interest to send Service information and reminders that help improve Wysa App engagement.
WE WILL NOT SEND ANY MARKETING MESSAGES WITHOUT YOUR CONSENT. ANY MESSAGING SENT WITH YOUR CONSENT WILL ALWAYS GIVE YOU AN OPTION TO UNSUBSCRIBE FROM RECEIVING SUCH MESSAGES OR NOTIFICATIONS IN THE FUTURE.
How do We handle Your age-range related data?
When You Use the Wysa Bot Service, You have the option to provide an age-range (Under 20, 20-30, 30-45, Above 45) during Your conversation. Processing of this age-range data is based on Our Agreement and to understand the age profile of Our Users and to help provide them access to tools and techniques or provide other operational Information relevant to their age range.
WE DO NOT ASK, COLLECT OR PROCESS YOUR SPECIFIC AGE OR DATE OF BIRTH AT ANY TIME DURING YOUR USE OF THE SERVICE.
How do We handle User Incident support?
Touchkin has an Incident Management Policy that guides all our User Issue and Incident management support. There may be occasions where You wish to contact Us to seek support or to complain about any of Our Services.If You contact Us directly in Our Email, either via Our Apps or Website, We will collect minimal Personal Information such as Your name, Your email address, Your phone number (if You provide), subscription receipts, as well as, where required, data about Your mobile device or personal computer such as device type, and OS type. This data is securely stored in Our Google GSuite account with access to only authorized users. We have a signed Data Processing Agreement and Business Associate Agreement With GSuite. We will Use this data to address and investigate the issues or requests You have forwarded to Us, to provide You support and to improve Our customer support Service. Your Email will be retained within Our system for a maximum of 10 years since last correspondence as per Our Information Retention Policy. We process Your data for our Legitimate Interest. We will not use Your Personal data for any Direct Marketing without Your Consent. We will not share or sell Your personal data to any third party.
Your issues or complaints or requests about Wysa App and Services are taken very seriously. You will need to send an email request from Your Google or Apple email ID to [email protected] or [email protected]. We will respond to Your complaints within 3 business days. Some of Your complaints may take longer to resolve. We will continuously provide You with an update until Your complaints are satisfactorily resolved.
How do We handle data provided during promotions and surveys?
We do not promote offers of third party services as a part of the in-app experience. From time-to-time, we send out in-app or push notifications to share discounts and new releases in the Wysa App. These are shared only with existing users for Existing Services. Processing of Your Non-Personal data such as Nickname, Timezone, App usage to send such notifications is based on Our Legitimate Interest and to provide You with Service discounts and improve Your experience of the Wysa App.
If You choose to participate in a Wysa promotional event on social media or elsewhere outside of the Wysa App, You may be asked to opt-in to complete a survey questionnaire. Your voluntary submissions including Your personal data such as email address will be processed only for the following purposes - to send You additional data about the programme, to enrol or on-board You to the programme and to correspond with You on programme related matters. Your survey submission will never be linked to Your Wysa app account and hence Your Wysa App conversations and activities will never identify You. Your submissions will reside in a secure and private storage area operated within the Wysa G-suite account and managed by Google Forms (G-Suite security can be read at here ). The Wysa G-Suite account is also protected by a multi-factor secure authentication system. You can opt out at any time from the programmes by sending Us an email request from Your Google or Apple email ID to [email protected] to delete Your personal data or to discontinue receiving any further communication on this matter. On receipt of Your email, We will verify and remove only the specific Personal data as requested by You, within 72 hours of receiving the request. YOUR SUBMISSIONS WILL NEVER BE SHARED WITH A THIRD PARTY.
How do We handle Your Payment data when You subscribe to Our Services?
If You choose to purchase or Use a fee-based Service and pay for such Service by means of in-app purchases via iTunes or Google Play, We do not collect, retain and store Your personal, financial and credit/debit card data. This is because Your card settlements including card and personal details will be handled by appropriate third-party payment agencies.
We do not not collect any personal data from the play stores post-purchase. Only the payment confirmation and subscription details get collected from the play store and processed (collect, transmit and store) by Us. Processing of this data is for Our Legitimate Interest to support You for any payment or subscription related requests, issues or clarifications.
What do We process when You follow Us on Instagram
You have the option to follow Us in Instagram Using Your Instagram account by going to Wysa App settings. You can set up an Instagram account, if You do not own one and follow Us at @wysa_buddy. WE DO NOT ASSOCIATE YOUR INSTAGRAM ACCOUNT WITH YOUR WYSA APP ACCOUNT.
What data do We process for the purposes of Our Legitimate Interest?
We Use Legitimate Interest basis to process Your data in a way which might reasonably be expected as part of running Our business and which does not materially impact Your rights, freedom or interest. When providing Our Services, We may process Your data based on Our Legitimate Interest for the following purposes.
You have the right to object to any of the above processing. Please read here on Your rights.
What do We process when You use the Android speech-to-text feature?
The same Android SDK/API playback the BOT message for You. PLEASE ENSURE YOUR MOBILE DEVICE VOLUME IS KEPT IN OPTIMAL LISTENING MODE. Please note that You may experience some performance issues if You have low internet speeds. You have the Right to be Forgotten. You can also, at any point of time, clear all Your provided data by using the “reset my data” feature available in the Wysa App settings. Refer here in our Policy for more details.
What do we process when You use the Video Call Service?
(This service is currently available on invitation-only basis for Android users)
We use a 3rd party Video Call service provided by Agora.io to provide Audio/Video-based
Coach/Therapist service. You will need to give permission to activate Your device
microphone and camera. To enable Video Call connection, We only send anonymized
identifiers to Our processor. Cookies are used to take care of any unexpected call
interruptions. The cookies only store the anonymized identifiers provided by Us. There is no
call recording. Hence no call records are maintained at Our and Our processor/sub-processor
end. All cache and logs of the call gets deleted immediately at the end of the call by Our
processor. This ensures no camera images or call content get stored ever. To process the
Video Call, Agora has to process your IP address. The IP address is used to route media and
other communications data during a communications session between You and Us. Agora
processes communications device type information from Your device. This information is
used by Agora’s software to optimize the performance of real-time communications sessions
as managed by Agora’s software and network. The Processing of the Video Call is based on
the consent provided by You and this Agreement. We will collect anonymous feedback from
You at the end of the call. This will help us improve the quality and performance of our
Service. Use of Agora Video Call service is governed by Agora Terms of Service,Agora Privacy
Agora Acceptable Use Policy.
You can read about Agora
security compliance here. We also have a
signed Data Processing Agreement (DPA) with
Since there is no call recording being stored, We will be unable to provide access to playbacks or call transcripts.
How do We handle Your data when used for Research purposes?
We use minimal non-longitudinal data for research and statistical analysis purposes and
towards peer-reviewed publications. This data is completely anonymized by way of de-
identification using non-identifying one-way cryptographic functions prior to use. Here, the
pseudonymized user identifiers are deidentified so as to completely anonymize Your data.
As a policy, we never use Your entire longitudinal conversation messages, provided either to
the Bot or to Our Coach/Therapist, for research. If at all, We only use limited PII redacted
conversation message data collected at random and specific bot endpoints for research and
statistical analysis. Any research performed by Our Coach/Therapist on Your provided data
during Coach/Therapist Service, is based on informed consent taken from You.
For research conducted by independent researchers or Institutions, only aggregated and
minimal de-identified data of the research participant is shared basis Your consent and
approval received by the researcher or Institutions from their Institutional Review Board
(IRBs). We sign a Collaboration and Data Sharing Agreement with the researcher or
Institution which includes data protection clauses before sharing any de-identified
You can always write to us at [email protected] or [email protected] to restrict processing of Your data for Research purposes.
What data do we process as part of Gift Card purchase?
What additional processing is performed?
How does Touchkin protect Your data?
To fulfil Our commitment to respecting and protecting Your privacy and the confidentiality of Your Personal data, Touchkin has implemented industry-standard security safeguards to prevent unauthorized access or disclosure, misuse, alteration or destruction of Your data. More specifically, We will comply with all applicable data protection and security laws in order to assure confidentiality, availability, integrity, privacy and security of Your data.
We do not ask for any User registration or account profile creation during the setup of the app. We collect, transfer and securely store the vendor specific ID provided by the Apple App Store or Android Play store when You install Wysa App on Your device. This is done for the purpose of generating a random pseudonymised user identifier. This pseudonymised identifier generated becomes the userId that is referred to for all subsequent data transfers and linking within the Wysa databases. All Your data is encrypted by strong AES-256 protocols and securely stored. This processing is based on Our Legitimate Interest. You always have the Right to be Forgotten. You can at any point of time, clear all Your provided data including all identifiers by Using the “reset my data” feature available in the Wysa App settings. Refer here in our Policy for more details.
Inadvertently collected personal data may be transferred outside the country before being automatically detected and irreversibly redacted in 24 hours. All data transmitted from Your mobile device to Our servers are encrypted using strong TLS protocols via Secure Socket Layer (SSL). Data is transmitted to Our secure database servers using TLS and Salted Challenge Response Authentication Mechanism (SCRAM) and encrypted at-rest using AES-256 protocols. Our Infrastructure is managed by MongoDB ATLAS and Amazon Web Services (AWS). Both MongoDB and AWS are industry leaders in the provision of hosting Services. You can find out more about AWS GDPR compliant security program and controls here. We operate Our databases on Mongodb Atlas to provide secure storage with end-to-end encryption. You can find out more about Mongodb Atlas GDPR compliant security program and controls here and here. Access to stored data is protected by multi-layered security controls including firewalls, role-based access controls, Multi-factor authentications and strong password policies. We carry out technical, privacy and security due-diligence before finalizing and signing agreement with sub-processors. We have a rigorous hiring process including reference checks for all employees, subcontractors and consultants. All Wysa staff members directly interacting with the user and building the product have to complete the basic GDPR and HIPAA awareness training at the time of joining the company. We have information security policies and have put procedures in place that provide for adequate security controls. On an annual basis we conduct an internal security audit to ensure compliance to Our policies and procedures.
Because no method of electronic transmission or method of data storage is perfect or impenetrable, We cannot guarantee that Your data will be absolutely safe from intrusion during transmission or while stored in Our systems. To help protect Your privacy and confidentiality of Your data, We also need to ask for Your cooperation regarding the following: Please do not copy and transmit Your chat conversations, well-being data and/or Personal data with other people. Also, please notify at the contact information provided here, in the event You suspect any unauthorized Use of Your account or any other breach of security.
Where is Your data transmitted and stored?
To provide the Service in a reliable and responsible manner, Touchkin stores all Your data on secure Virtual Private Cloud servers physically located in the USA. All communication between the processing and storage Virtual Private Cloud servers are established over secure Virtual Private Cloud peering networks. We have taken appropriate safeguards by contracting with our sub-processors, MongoDB and AWS which includes standard contractual clauses approved by the European Union (EU) data protection authorities.
How long do We retain Your data including Personal data?
Inadvertently received personal data from the Wysa app will be in the system for a maximum of 24 hours before being processed for irreversible redaction as outlined here.
Touchkin retains Your data with appropriate redactions of any potential personal identifiable information.for the length of time needed to fulfil the Agreement or to fulfil any of the applicable purposes mentioned as Our Legitimate Interest, or to comply with requirements of applicable Data Protection or consumer Laws.
We may retain Your data with appropriate redactions of any potential personal identifiable information. even after Your subscription ends if retention is reasonably necessary. This could be in situations where We need to comply with applicable Data Protection or consumer Laws, or on request of a returning subscriber, or to provide and complete customer support Service, or to detect and deter unauthorized or fraudulent Use of or abuse of the Service. Where not specified we retain Your data for a maximum of 10 years since receipt and as per our Information Retention policies.
You have the Right to be Forgotten. You can also, at any point of time, clear all Your provided data by Using the “reset my data” feature available in the Wysa App settings. Refer here in our Policy for more details.
Does Touchkin Use 3rd party Service providers or agents?
To facilitate and provide You with the Service, it sometimes is necessary for Touchkin to request third party service providers or agents to help Us process and/or store Your data. We strictly evaluate the Service providers and agents, and We make every effort to ensure that they have established appropriate and secure data administrative, organizational and security control of their systems, and We strictly require that they comply with confidentiality and non-disclosure obligations and applicable laws and regulations including relevant Data Protection Laws. We also require that they access Your data only to the extent necessary to perform tasks on Our behalf.
WE COMPLY WITH GDPR BY HOLDING CUSTOMER SERVICE AGREEMENTS WHICH INCLUDES DATA PROCESSING ADDENDUM (DPA) WITH ALL OUR 3RD PARTY DATA SUB-PROCESSORS. IN OUR ROLE AS A DATA CONTROLLER OR AS A BUSINESS ASSOCIATE. WE ALSO HAVE SIGNED BUSINESS ASSOCIATE AGREEMENT (BAA) TO COMPLY WITH HIPAA REQUIREMENTS.
Both Our 3rd party data sub-processors (MongoDB and AWS) get periodically audited by independent auditors for platform security, privacy and compliance controls. Some of the Compliance includes ISO27K, SOC2 Type II, FIPS 140-2.
Does Touchkin share Your data with third parties?
We do not collect any Personally Identifiable Information from You. At the same time, We do use anonymised and only the minimal data that is required to answer the research question for research and statistical purposes based on Our Legitimate Interest to improve Our product and contribute to the development of user-centered mental wellbeing best practices globally. As required by Data Protection Laws and as per the Non-Disclosure agreements executed with data sub-processors, third-party health psychologists and well-being Coaches and research partners, they are required to protect the data shared with them and are required to keep Your data private and secure.
What are Your data protection rights?
You have certain rights under the Data Protection Laws in relation to Your Personal data. Any inadvertently obtained Personal data is auto-redacted within 24 hours in Our systems. Beyond that, for the non-personal data held by Us We do provide You the following rights.
We have tried to make it as easy as possible for You to have control over Your data. To exercise any of Your rights, You will need to send an email request from Your Google or Apple email ID to the contact information provided here. Please note that We may require to verify You before responding to any requests to exercise Your rights. We may also limit Your individual rights requests (a) where denial of access is required or authorized by law; (b) when granting access would have a negative impact on other's privacy; (c) to protect our rights and properties; or (d) where the request is unjustified or excessive.
Right to rectification and Right to restrict processing
You will need to send an email request with reasons from Your Google or Apple email ID to the contact information provided here at any time to rectify or restrict processing of Your data basis the Agreement. Touchkin will provide You with a request form that You will need to fill and submit back to Us via email. After verifying You and examining Your request, We will respond to You over email on the action decided and/or taken within one calendar month from verification. We may at times be unable to address Your request, if We are unable to correctly identify You.
Right to object
You have the right to object to processing of Your data only for the purposes listed here, basis Our Legitimate Interest, by sending Us an email request with reasons from Your Google or Apple email ID to the contact information provided here. After verifying You and examining Your request, We will respond to You over email with our decision and/or action taken within one calendar month of receipt of request. We may at times be unable to address Your request, if We are unable to correctly identify You.
Right of access
You always have the access to view Your latest conversations with the Bot or view Your older conversation messages within the Journey tab of the Wysa App. All Your sessions with a Wysa Well-being Coach or Wysa Therapist are also accessible through the Coach or Therapist tab within the Wysa App.
Due to limited functionality within the Web browser based Wysa App, You may not be able to view Your past conversations with the Bot. If You want to access Your past conversations, You will need to send Us an email request to the contact information provided here. After verifying You and examining Your request, We will respond to You over email on the action decided and/or taken within one calendar month from verification. We may at times be unable to address Your request, if We are unable to correctly identify You.
IF YOU EXERCISE YOUR RIGHT TO BE FORGOTTEN AND RESET YOUR DATA, YOU WILL LOSE THE RIGHT TO ACCESS YOUR DATA AS IT WILL BE PERMANENTLY DELETED..
You can also access your other Personal data collected such as vendor specific ID provided by the App/Play store, mobile operating system, OS version, device make and model.You will need to send an email request with reasons from Your Google or Apple email ID to the contact information provided here. at any time, if You have any further questions around access to Your Personal data. Touchkin will provide You with a request form that You will need to fill and submit back to Us via email. After verifying You and examining Your request, We will respond to You over email on the action decided and/or taken within one calendar month from verification. We may at times be unable to address Your request, if We are unable to correctly identify You.
Right to data portability
If You replaced Your mobile device that had the Wysa App installed and You are a paid subscriber of Our Services, You can place a request along with Your subscription receipt and the reasons to transfer Your data from Your older device to Your replaced mobile device. If You are not a paid subscriber, We will need to accurately verify You, before we can process Your request. You can also place a request to receive a digital copy of Your data in a machine readable format. We may charge You a small fee for this Service.
You will need to send an email request with reasons from Your Google or Apple email ID to the contact information provided here. After verifying You and examining Your request, We will respond to You over email with our decision and/or action taken within one calendar month from verification. We may at times be unable to address Your request, if We are unable to correctly identify You.
Right to Erasure or Right to be Forgotten
When You Use the Service, You have the option to reset Your data in the Wysa App by using the “Reset my data” feature in the Wysa App settings. Reset my data, automatically without any manual intervention, clears all Your conversation messages, clears Your completed tools, clears reminders or any enabled settings or activities and well-being-related assessment responses. Your identifiers will be permanently redacted from Our Database. YOU CANNOT REVERSE OR RECOVER YOUR PAST DATA POST A RESET.
You will need to send an email request with reasons from Your Google or Apple email ID to the contact information provided here, if You have any further questions around Your right to be forgotten. After verifying You and examining Your request, We will respond to You over email on the action decided and/or taken within one calendar month from verification. We may at times be unable to address Your request, if We are unable to correctly identify You.
Right to authorize and unauthorize Your data with Your Well-being Coach or Therapist
When You Use the Wysa Well-being Coach Service or Wysa Therapist Service, You have the option to either share or stop sharing access to specific data with the Wysa Well-being Coach or Wysa Therapist. Data that can be shared includes assessment scores and activity with the Bot. This feature can be activated or deactivated at any time during Your conversation by Using the “Authorize/Unauthorize Well-being Coach” feature in the Wysa App settings.
You can also opt-in or opt-out of sharing your Wysa Bot messages with Your Coach or Therapist by typing #sharechat in the Wysa Bot.
Do California residents have specific privacy rights?
This section provides additional disclosures required by the California Consumer Privacy Act (or “CCPA”). California law permits Users who are California residents to request and obtain from Us once a year, free of charge, a list of the third parties to whom We have disclosed their Personal data (if any) for direct marketing purposes in the prior calendar year, as well as the type of Personal data disclosed to those parties. Please note that Wysa does not share or sell Personal data You may provide when using Our Service with third parties for direct marketing purposes as a matter of policy. Subject to certain limitations and exceptions, California based Users can still write to Us at the contact information provided here to know more details about specific pieces of personal information they would have shared, to delete their personal information, to opt out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights
After verifying You and examining Your request, We will respond to You over email on the action decided and/or taken within 45 calendar days from verification. We may at times be unable to address Your request, if We are unable to correctly identify You or due to any of the limitations and exceptions provided within CCPA.
What are the controls for Do-Not-Track features?
Do Not Track (“DNT”) is a privacy preference that Users can set in certain web browsers. We do not respond to DNT signals transmitted by web browsers.
Right to Breach notification
In addition to the right to request disclosures of Your data specified in the Right to access above, We will notify You as required by Data Protection Laws if there has been a breach of the security of Your identifiable Personal data within 72 hours of breach confirmation.
Concerns and Complaints
If You are not satisfied with Our resolution, You have the right to complain to a Data Protection supervisory authority in Your country or state of residence. We will fully cooperate with the supervisory authority. Contact details for Data Protection Authorities in the EU are available here.
Can children under 13 use Wysa App?
The Wysa App is intended for a general audience and is not directed to or intended to be Used by children under the age of thirteen (13) years.
We understand the special necessity to protect children's privacy on Wysa App, and We do not knowingly collect any Personal data from children.
If, however, as a legal Parent or guardian, You believe We have collected any Personal data of Your child, then You will need to send an email request from Your Google or Apple email ID to the contact information provided here. After verifying You and examining Your request, We will respond to You over email on the action decided and/or taken within one calendar month from verification. We may at times be unable to address Your request, if We are unable to correctly identify the User. If We have inadvertently collected Personal data from Your child, We will deactivate the relevant account(s) upon identification and will take reasonable measures to promptly delete such Personal data from Our records.
Please be responsible and do not share or Use Your credit/debit card or other payment instrument with Your child to make any in-app purchase.
Who can You contact for additional questions, comments or concerns?
Our mail address for all communication is:Touchkin eServices Private Limited
Can Non-English speaking users use the Wysa App?
The Wysa App has been built and is currently provided only for English language users.
To ensure wider reach, Touchkin will, in the near future, launch Wysa in other international languages. We will keep You updated of this development.
What are some Best Practices to follow to keep Your devices secure?
You are also responsible for helping to protect the security of Your Personal data. You are responsible for maintaining the security of any personal computing device on which You utilize the Services.
US Federal Trade Commission (FTC) publishes information for Users on how to secure Your personal data and devices. These can be found at the following public link.
Touchkin strongly believes in security and safety of data in Your mobile device. As a responsible Service provider, We therefore like to share important device based security data for Your attention. These have been sourced from US FTC best practices and guidelines. Always refer back to the US FTC link provided above for more details and future security updates.
Severability and Exclusion
v3.1.0 | Feb 10, 2021
v3.0.0 | Feb 03, 2021