Who are we and how to contact us?
What personal data do we collect?
How do we use your information?
How do we protect your personal data?
Wysa Assure Mental Health App Privacy Policy
Initial Effective Date: Mar 31, 2023(GMT)
Latest Revised Date: May 14, 2026 (GMT)
Version: 3.0
You (“user”or “end-user” or “data subject”) have been granted access to this Wysa Assure App by your institution (the "Institution"). The Wysa Assure App, also known as the "App", enables anonymous use by authorized Institution-associated users.
Who are we and how to contact us?
The App, managed by Touchkin eServices Private Limited (referred to as "Wysa," "we," "us," or "our"), operates with data privacy by design and by default (Read about our data safeguards here ). Wysa is a co-developer and technically operates the App, utilizing the Wysa platform with non-identifying user identifiers. Co-developed in collaboration with Swiss Re Solutions Ltd ("Swiss Re"), the App is distributed by Swiss Re to your Institution, who then provides it to users. The Institution and Swiss Re are referred together as our "Partners". This Privacy Policy outlines Wysa's use of your personal data, protective measures, and data security.
Regarding the purposes of our Services and processing of end-user data, Wysa acts as the data controller. When handling aggregated App usage data reports on your Institution's behalf, Wysa may act as a processor or sub-processor. Your Institution receives aggregated App usage data reports for their own purposes. Please check with your Institution directly on how they use your App usage reports. Swiss Re only receives anonymous App usage data reports.
For queries, comments, complaints, and requests about our App and Services, reach us at [email protected]. For Privacy Policy and data protection rights inquiries, contact us at [email protected], addressed to the Head of Compliance/Data Protection Officer. We promise a response within a month from a valid inquiry.
About the Privacy policy
This Privacy Policy pertains to your use of our mobile artificial intelligence (AI) chatbot service, digital self-care tool, analytics, dashboard services, well-being score, and pathways to connect to offline mental well-being therapy (collectively referred to as the "Services"). The policy also applies when you engage with us through events, promotions, websites, email, or social media. We may offer additional services for your Institution ("Institutional Services"), requiring agreement with both Wysa's and your Institution's Terms of Service and Privacy Policies for processing information on behalf of your Institution.
In case of a crisis, call your country's emergency number or Institution's approved helplines. App use requires age 18+. Interaction with the AI chatbot is with Artificial Intelligence, not a human. The AI is limited in its response. The App offers evidence-based tools in a self-help context. It doesn't diagnose, treat, or cure a specific condition or disease or disability. It only provides general mental health advice, not medical. Please seek a healthcare professional for any medical concerns.
Kindly review this policy, along with our cookies policy and terms of service. Your use of our Apps and Services implies consent to information collection and utilization as outlined in this Privacy Policy and Cookie Policy. Unless specified otherwise, terms in this Privacy Policy hold the same meanings as in our Terms of Service.
What personal data do we collect?
Wysa does not aim at collecting personal data. You can choose to remain as anonymous as you want to be when you use the App. By adopting privacy by design and by default safeguards (read here ), we seek to minimize personal data collection and processing and improve your privacy. To help provide our Services, we will collect and process the following information categories.
Information about you - Our App prioritizes anonymity for privacy protection. No registration needed. Use a nickname to start. We gather an app-device ID from your Google play or Apple app store when you install the App. IP address for content delivery (not linked to user conversation data), device information, time-zone, operating system.
AI chatbot conversation data - Your voluntary inputs, like challenges, preferences, feelings, moods, thoughts, emotions and safety plan. Your expression of gratitude or maintaining a task list. Responses to assessments (PHQ, GAD or others). Your use of tools, Cognitive Behavioral Therapy (CBT) programs and other resources. Any inadvertent identifiers voluntarily provided.
App usage event data - Tracks app actions, settings, notifications and screen choices
Fitness App data - Data from Google Fit, Health Connect by android or Apple Healthkit (physical activity and sleep) when you connect.
Promotion/Survey data - your responses to campaigns, surveys and other marketing activities.
Communication data - includes any feedback, complaints, requests via email or social media or our website contact forms. If you have communicated with us by email or website contact form, we will collect email ID, name provided, any contact details shared with us. Institution and Partner name, staff name and their contact information.
Cookies - includes mandatory cookies collected during app use to provide the Services. Also, site-hosting provider’s cookies on our website.
Sources of the information categories
Much of the information categories that we hold about you, are directly from you or your interactions with us, when you use our App, our websites or social media sites or when you contact us for any purpose
How do we use your information?
We must comply with data protection laws that mandate the identification and communication of a legal basis or 'ground' for utilizing your personal information. In cases involving sensitive data, an additional legal condition is necessary to be informed. An explanation of each of the grounds can be found below.
These are the additional legal conditions that we typically use to justify our use of special categories of your personal data: In the substantial public interest: processing is necessary for reasons of substantial public interest, on the basis of EU or local law. Mainly, for the provision of counseling, advice or support or for protecting you from physical, mental or emotional harm during use of the App and services.
For each use mentioned below we note the purpose for which we use and disclose it, and the ground we rely on as the basis for our use.
Legal basis: contract performance, legitimate interests (to enable us to perform our obligations and ensure quality, safety and performance of our App and Services).
Legal basis: contract performance, legitimate interests (to enable us to perform our obligations and ensure quality, safety and performance of our App and Services),
Additional legal condition: For reasons of substantial public interest for provision of counseling, advice or support or for safeguarding of individuals at risk.
Legal basis: contract performance. Legitimate interest (to ensure user safety)
Additional legal condition: For reasons of substantial public interest for provision of counseling, advice or support or for safeguarding of individuals at risk.
Legal basis: legitimate interests (to ensure the quality, safety and performance of our Apps and Services)
Additional legal condition: For reasons of substantial public interest for provision of counseling, advice or support or for safeguarding of individuals at risk.
Legal basis: contract performance, consent (opt-in and opt-out of notifications).
Legal basis: legitimate interests (to ensure the effectiveness, safety and performance of our Apps and Services)
Legal basis: legitimate interests (to ensure the quality, and performance of our Apps and Services)
Legal basis: legitimate interests (to ensure the quality, safety and performance of our Apps and Services)
Legal basis: contract performance, consent (your consent to sync with Google Fit, Health Connect by android, Apple Healthkit and Garmin. Your consent to access your sleep and physical data from Google Fit, Health Connect, Apple Healthkit and Garmin).
Additional legal condition: For reasons of substantial public interest for provision of counseling, advice or support or for safeguarding of individuals at risk.
Legal basis: consent, legitimate interests (to keep you updated with news in relation to our Apps and Services).
Legal basis: legitimate interests (to allow us to correspond with you regarding our Apps and Services. To ensure the quality of our Apps and Services), legal obligations.
Use of Cookie Information
We need to use some necessary cookies to make sure our website and app works properly. Here is a simple guide to the kinds of cookies we might use:
"Do Not Track" (DNT) is something you can turn on in your web browser to keep your online activities more private. However, even if you turn DNT on, we do not collect those signals today.
You can access our Cookie Policy here.
Legal basis: legitimate interests.
Other uses of your information:
To reorganize or make changes to our business: In situations like: (i) negotiations for selling our business or part to a third party; (ii) being acquired by a third party; (iii) going through reorganization; or (iv) facing bankruptcy, we might need to share some or all of your personal data with the relevant third party (or their advisors) for due diligence in analyzing the proposed sale or reorganization. After such events, we could also share your data with the reorganized entity or third party for similar purposes as stated in this Privacy Policy. We'll reasonably try to notify you through methods like: public notice on our website, informing your Institution, in-app notifications or changes to this privacy policy.
Legal basis: legitimate interests (in order to allow us to change our business), legal obligation
To comply with legal and regulatory obligations: We might handle your personal data to meet our legal and regulatory needs. This might involve sharing your data with third parties like insurers, courts, regulators, or law enforcement agencies worldwide. This can happen during their enquiries, proceedings, or investigations, or when legally required. We might also use and disclose data to prevent serious health or safety threats, for public health reporting, and for preserving data during legal matters to prevent tampering. Additionally, we might disclose data to help with an investigation or prosecution of suspected fraud or actual illegal activity.
Legal basis: legal obligation (as App manufacturer to provide app performance and safety report to regulator ask), legitimate interests (to cooperate with law enforcement and regulatory authorities)
We do not combine and process your personal data with any other third party available data. Your data, messages or usage is not transferred or sold to advertisers or data brokers or any information resellers. We will always take your consent before using your name for social proof purposes. If you have any questions about the legal basis we rely on, please contact us using the details set out in the “Contact” section below.
Processing for Legitimate Interests
We may need to use your personal information for important reasons. Before doing this, we will always protect your rights and privacy. Here are the reasons we might use your data:
How do we protect your personal data?
Where is your data stored?
The data we gather is transferred and stored in USA-based infrastructure instances managed by our service provider, Amazon Web Services (AWS). Some of your information might be shared and stored with our third-party service providers to provide our services. For a list of service providers please read point 8 under this section.
How long is your data stored?
Personal identifiers you voluntarily share in your text messages with the AI chatbot will be securely redacted in our database within 24 hours of its detection.
We adhere to legal retention limits for any remaining data about you. It's kept only as long as necessary for requested services or purposes mentioned in the 'How do we use your personal data?' section above. If not specified, we retain your data for up to 10 years after termination or a period agreed upon with your Institution
You also have the option to permanently delete all your messages using the 'reset my data' feature in the App settings.
Where LLM is enabled, we have enabled Zero data retention (ZDR) with the LLM provider (Open AI API) and hence your conversation data does not get stored with them.
When you trigger “Reset my data” from App settings
Reset my data deletes all your submitted data including your identifiers, past conversations, reminders, assessment responses and enabled settings. Post reset, you will not be able to recover your past data and you will be considered as a new user of the App. Hence, this feature is to be used at your discretion.
International transfer of your information
To deliver our App and Services, we may need to process your submitted data in a country different from your own, where data protection laws might be less strict.
When we move personal data from within the European Economic Area (EEA), Switzerland, and/or the United Kingdom (referred to as the 'Europe region'), we'll take extra steps to secure your data in line with data protection laws. Some countries in the Europe region have been endorsed by regulators for having sufficient data protection, so no additional safeguards are needed to transfer data there. For countries without such approval, we'll use suitable measures to protect data transfer, like the new EU Standard Contractual Clauses and/or UK addendum to the EU SCCs or UK International Data Transfer Agreement (IDTA), as allowed by the law.
Minimal and necessary data may be shared among our companies (located in the UK, US, and India) to provide specific Services. In line with relevant data protection laws, we'll ensure your data rights are well protected with appropriate technical and organizational safeguards.
For any queries, reach out through the details provided in the 'Contact' section below.
How do we safeguard your data?
We prioritize your data security and take extensive measures to ensure it. With strong dedication, we've put in place both technical and organizational safeguards. Here are a few of the steps we've taken:
Privacy by design and by default
Security by design and by default
Additional safeguards when you use LLM-enabled AI
Certifications and Registrations
We do our best to keep your personal data secure and safe, but no method is perfect. We cannot promise complete security and safety. You can help keep your data safe too. Please do not share personal identifiers where not asked. Please do not copy and share your chats with people you do not know.
Responsible use of Artificial Intelligence (AI)
At Wysa, we use artificial intelligence (AI) programs to understand what you type to us. These AI programs help us talk with you in a way that makes sense and guides you to helpful information. Our AI programs follow set rules and do not learn new things on their own. We make sure our AI chatbot is fair, safe, and treats your information with care. Where enabled, we use third-party Large Language Models (“LLM”) and our own AI to chat with you. Our AI is a purpose-built AI and does not operate as a general-purpose generative AI. Our AI does not change in real time (i.e. it does not continually modify itself or learn every time on its own). Each conversation with the AI works at a conversational node level within a decision-tree structure. At each node we may use either the prediction from our AI programs or the inferences from LLMs, or both. We may also use our proprietary AI programs to qualify a conversation sentence for an LLM inference. We have safety measures in place to keep our conversations secure and trustworthy. All recommendations from Wysa come from our own care library which is a closed source and written by our clinicians. Every piece of content generated by the AI passes through our safety and quality checks, and all LLM based conversational prompts are designed and tested by clinicians to ensure that they are clinically safe and appropriate. We also have good practices to monitor and check the use of AI at Wysa, making sure your rights are protected. Please contact us at [email protected] if you have any more questions about our use of AI.
Read our product’s intended purposes and terms of use here.
Read our Responsible AI for mental health playbook here.
While Wysa has put in place reasonable clinical safety and data protection controls, you understand and acknowledge that AI is a developing technology. The potential risks inherent to this technology may not be fully understood and fulsome safeguards may not be fully developed. Due to the nature of the technology, you may sometimes get incorrect responses that do not accurately reflect the action required.
What about external links to other sites?
The App, websites, and social media pages feature links to third-party, Partner, or affiliate websites and resources. When you click on such links, remember that these sites have their own privacy policies. We don't manage these third-party sites and are not liable for their privacy policies. It's a good practice to review these policies before sharing personal data on these sites.
Our use of service providers
We work with third party companies that help us run our app, fix any problems, and offer other important services. These companies might use your personal data to provide services for us. For a list of service providers please read below.
We also work with the Institution’s authorised service providers to connect and share your information so you may get the required care from your Institution.
| Service Providers | Data Type | Purpose | Data Storage / Processing Location |
|---|---|---|---|
| Amazon Web Services (AWS) | All data submitted and collected from you during App use | They help provide cloud-based systems, tools and APIs that keep our service running smoothly and securely. | USA |
| MongoDB ATLAS | All data submitted and collected from you during App use | They provide use of a database to keep your information safe. This database resides on AWS. | USA |
| Firebase, Google Analytics | Anonymised event data, Cookie Information | They look at how you use our App to improve the experience. We do not share what you talk about or any personal details with the third party. All the actions you do in the App are given false names so they cannot tell who you are or learn anything about your health or feelings. | USA |
| Branch.io | Communication data (Institution supplied email ID) | They help provide a special link that helps you access our App more easily. | USA |
| Google Workspace | Communication data (email identifiers) | To answer your questions, requests, and feedback. They help us keep records without using your personal data. | Europe |
| CloudFlare | Device Data (Internet protocol address) | They help us keep our services secure and running smoothly. They need to use your IP address to do this. Wysa does not store or use your IP address after it has been used by Cloudflare. Your IP address is never linked to your conversations, so everything you chat about stays private. Also, Cloudflare might look at information like your browser and operating system to prevent any misuse. | USA |
| Zendesk | Communication data (email and other identifiers) | This is our customer support system. We use it to collect and answer your questions and requests for help in the event that you contact us. | USA |
| Private AI | Conversation data | The service checks for any personal details you might accidentally share when talking with the App. It runs on Wysa's cloud servers, so your messages do not go to Private AI. | USA |
| Open AI | Conversation data submitted and collected from you during use of LLM enabled AI | To provide LLM enabled AI alongside Wysa’s own proprietary AI. Provide clinically validated tools and resources for support. | USA |
| Google API Services | Fitness App data (physical activity and sleep) | We use Google API services to collect data from Google fit (Physical activity and sleep) from authenticated users. | No personal data is shared by Wysa to Google API Services |
| Health Connect API | Fitness App data (physical activity and sleep) |
We use Google Health Connect API to collect Activity and Sleep data from on-device data captured by other Fitness tracking apps.
Apps distributed through Google Play that use Health Connect are subject to the Google Play Developer policies. |
No personal data is shared by Wysa to Health Connect API Services |
| Garmin | Fitness App data (physical activity and sleep) | We collect activity and health data from Garmin users, which encompasses their workout information such as swimming, cycling, running, as well as health metrics like sleep patterns and step counts. Users grant permission for data sharing by logging into their Garmin accounts, and they have the option to disable this authorization at any time. | No personal data is shared by Wysa to Garmin |
We will keep updating this section where we make any changes to our service provider. If you have any questions please contact us at [email protected].
Our use of Google API services for use of fitness data
The App doesn't collect or track identifiable geolocation or call logs. The App’s use or transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including their limited use requirements.
Your data protection rights
What Can You Do About Your Data?
Consent Management
Obtaining Consent: Where we request your consent before collecting any personal data, clear and easily understandable explanations will be provided regarding the purpose and scope of data processing activities. You have the right to grant or deny consent.
Modification of Consent:
If you wish to modify your consent for data processing, you can do so easily by contacting our Data Protection Officer (DPO) or our customer support. Modification will not affect the lawfulness of any processing based on prior consent.
Withdrawal of Consent:
If you wish to withdraw your consent for data processing, you can do so easily by contacting our DPO or our customer support. Withdrawal will not affect the lawfulness of any processing based on prior consent.
By incorporating this consent management facility, we aim to empower you with control over your personal data, ensuring transparency and compliance with privacy regulations.
How to Exercise Your Rights
You do not usually have to pay anything to use your rights. Sometimes, we might need to check if it is really you asking. Contact us using the details at the top of this privacy notice. We will reply within one month if you ask us for something.
When We Might Say “No”
We might not be able to agree to your request if:
How to Complain
If you have any concerns about our use of your personal data, you can make a complaint to us at [email protected]. We will get back to you about your complaints within 3 working days. Some might take a bit longer to sort out. We will keep you updated until everything is fixed.
If you are still not happy with how things have been sorted out, you can send an email to our grievance officer / Data Protection Officer (DPO) at [email protected].
DPO Roles and Responsibilities:
If you're unsatisfied, you can complain to your Data Protection Authority. You can file a complaint with the UK ICO using the outlined process here. For EU Data Protection Authorities', check here.
Personal Data Breach Management
In the event of a personal data breach, we follow a stringent procedure to mitigate and address the incident promptly. Our response includes identifying the breach, containing its impact, assessing affected data, notifying relevant authorities, and communicating transparently with affected individuals. We conduct thorough investigations to understand the extent of the breach and implement corrective measures to prevent recurrence.
Any detected personal data breach will be reported to relevant authorities and where applicable, the affected individuals within 72 hours of its identification or within the time period defined in compliance with applicable data protection regulations.
Updates to this policy
Any changes we may make to this Privacy Policy will be notified to you within the App. Continuing to use our App and Services after a notice of change has been published constitutes your acceptance of the changes. For a list of past changes please read here.