Touchkin eServices Private Limited (“Touchkin”, “Wysa”, “We”, “Us”, or “Our”) operates the website (www.wysa.io) and the Wysa mobile, web-based and online applications (“Wysa App” or “App/s” or “Mobile Software/s”). The AI Coach services, digital premium services, well-being coach and therapist services and web-based services provided are collectively referred to as the "service(s)".
Initial Effective Date: June 30, 2017 (GMT)
Latest Revised Date: November 10, 2021 (GMT)
Do Note :
Changes in v4.0.0 | November 10, 2021
You can read the full list of changes in the Changes Log
Anonymization is the process of removing personal identifiers from data sets so that the person can no longer be identified.
Cookie is a small amount of data stored on your device (computer or mobile device).
Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Data Protection Laws here means in accordance with the Indian Information Technology Act and Reasonable security practices and procedures and sensitive personal data or data rules, including but not limited to requirements of EU GDPR, the UK GDPR and applicable Legal and Statutory requirements.
Data Subject (or User/You) means any living individual who is using our service and is the subject of Personal Data
Encryption is the process of transforming data into unreadable text so that it is only legible to those possessing an encryption key.
Personal data or Personal Information means data about a living person who can be identified from the data and/or other information either in our possession or likely to come into our possession.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific user without the use of additional information.
Non-Personal data or Non-Personal Information means any data that does not reveal user specific identity.
Sub-Processor/s is a data processor who is sub-contracted some of the personal data processing.
Who are we?
Touchkin is a private limited company having its registered office in India, USA and UK. We are registered as a data controller with the UK ICO. Our data protection registration number is ZA845530.
What is Wysa App?
With the Wysa App you can chat through a conversational interface and get access to tools and techniques. You can also subscribe to a highly trained and qualified mental well-being professional. The App is available in both iOS and Android app stores, including a web-based application. Your interaction with the AI Coach is with an artificial intelligence system and not a human. The intended use is for providing evidence-based tools and techniques to manage emotions and encourage mental well-being as an early intervention tool in a self-help context. You make the choice of using the AI Coach, based on your own estimate of need, and agree that this is only suitable for basic self-help. This is not intended to be a replacement for face-to-face psychotherapy or to provide a diagnosis, treatment or cure for a disease or condition. The AI Coach cannot and will not offer advice on issues it does not recognize. Using the App, you can track and manage your mood, and learn context-sensitive evidence-based techniques that can help you feel better. The App and service is not intended for use in crisis or emergencies or severe mental health conditions. The App and service cannot and will not offer medical or clinical advice. It can only suggest that the user seek medical help.
If you have any of these conditions, please check with your doctor before use.
Who can Use the Service?
You may use the App and services if you are 18 or more.
This App and services are not meant for those less than 13 years of age.
Your institution may specify a different age for your use of the App and Services.
What personal data do we process and how do we use it?
We only collect information that is provided by the user and required for the purpose of providing our services. The table lists the personal data processing we perform.
|Personal Data||Source||Purpose||Lawful Basis|
|Random user identifier||created by Wysa||To provide App and services. To provide additional security.||In our legitimate interest|
|Access or referral code||provided by the user||To provide customized App and services for referred and Institution users. To aggregate data at institution or cohort level for analytics purposes.||To perform our contract with you and with your Institution|
|Device data (Operating system, OS version, device make and model)||provided by the user||To detect and prevent fraudulent use of or abuse of the service. To resolve issues. To improve App experience and use.||In our legitimate interest|
|Conversation data (free-text messages, text button events, App screen events, tool events)||provided by the user. Events created during use of App||To detect context and ensure continuity in conversation. To provide the right tool and content. To conduct coach or therapist sessions. To improve the app performance and quality. To obscure the event data. To share de-identified event data with 3rd party providers for analytics purposes.||To perform our contract with you and in our legitimate interest.|
|Conversation data (Spanish language free-text, text button events, app screen events, tool events)||provided by the user. Events created during use of App||To use 3rd party translation APIs to chat with Spanish language AI Coach modules and tools. To ensure continuity in conversation. To provide the right tool and content. To improve the AI Coach performance and quality. To obscure the event data. To share de-identified event data with 3rd party providers for analytics purposes.||To perform our contract with you and in our legitimate interest.|
|Inadvertent submitted personal identifiers (names, location, contacts, email identifiers or medical terms)||provided by the user||To take reasonable steps to detect and de-identify personal data.||In our legitimate interest (to ensure special category identifiable data is not created)|
|Communication Information (name, email Identifier, email messages, subscription receipts, feedback messages)||provided by the user||To respond to your inquiries, requests and feedback. To troubleshoot your issues. To provide and improve customer support services.||To perform our contract with you and in our legitimate interest.|
|Wellness information (such as feelings, sentiment, mood, major life events, well-being assessments, coping ability, energy levels, objections)||provided by the user||To provide validated tools and techniques. To perform research and analytics. To improve the safety of our algorithms. To improve product and service quality. To provide aggregated and de-identified analytics reporting.||To perform our contract with you or with your institution and in our legitimate interest (Validated assessments are a proven way to track progress of your well-being. You have the option to not respond to these assessments)|
|Safety Plan Information (life anchors, safe places, support networks, warning signs, calming activities)||provided by the user||To ensure availability of safety resources in time of need.||To perform our contract with you and in our legitimate interest|
|Other personal information (age-range, gender)||provided by the user||To provide age appropriate content, tools and techniques. To provide gender appropriate content in Spanish||To perform our contract with you.|
|Audio-video data (full name, video profile and background, consent, emergency contact information, audio-video messages)||provided by the user||To conduct audio-video sessions. To provide Wysa well-being coach or therapist service. To reach out to emergency contact for your safety.||To perform our contract with you and your consent (Audio-video sessions are not recorded and stored)|
Non-Personal data collected when using Wysa well-being coach or Wysa therapist service.
When you schedule a session with your Wysa well-being coach or therapist, we collect your date and time preferences to confirm your booking. Your device time zone is collected to calculate your local date and time and schedule a session. It also allows us to send appropriate session reminders. Sometimes, Wysa App may get your local time wrong which could affect the session scheduling. Always verify your local time in the scheduling screen before booking a session. If you notice an error in your local time displayed, go to the AI Coach messaging interface and type #time to change your time. If You face any challenge changing Your local time or booking a session, kindly write to us at the contact provided here.
After you book a session, you have the option to save the booking in your device calendar. This is for your added convenience.
We may ask for your anonymous feedback after the session ends. This is for improving our App and service quality, safety and performance.
Only minimal messages provided to your coach or therapist get used for analysis and audit purposes. Your messages are de-identified before use. This is for improving our well-being coach or therapist service quality.
Do we use passive sensing or location data?
The App does not process any data from your mobile device sensors, including accelerometer, ambient light readings, screen on/off readings and call logs. The App does not process your geolocation at a level that makes your data identifiable. The App may infer your country or state based on your time zone to provide you appropriate resources, such as scheduled reminders.
How do we share your data with third parties?
To provide you with our services, we use third party service providers to help store and process your data. We assess the service provider’s security and privacy practices. We strictly require that they comply with confidentiality and non-disclosure obligations and applicable laws and r egulations including relevant Data Protection Laws. We also require that they access your data only to the extent necessary to perform tasks on our behalf. We use the following third party service providers.
Cloud Service Providers
To provide the service in a reliable and responsible manner, we collect, transfer and store your data in secure servers provided by our cloud service providers. You can find more on their security practices here, here and here. We maintain a Data Processing Agreement (DPA) and Business Associate Agreement (BAA) with our cloud service providers.
Other Service Providers
We use third party service providers to provide our services. List of our service providers include:
|Service Providers||Processing performed|
|Google Workspace||We use our Google Workspace account to store Information received from our clients and end-users. We have a signed DPA and BAA with Google Workspace.|
|3rd party Taggers and Translators||We may use third party providers to tag, translate and test content in English and other languages. Minimal de-identified conversation data may be used for these purposes. This helps us improve the AI Coach algorithm performance.|
|3rd party background verification consultants||We may use consultants to perform background checks for shortlisted candidates. They may also assist us in reference checks and academic verifications as part of our hiring process.|
|3rd party payment gateway providers||We use payment providers such as Stripe, PayPal, Razorpay and those provided by app stores to process payment when you purchase from us.|
|Twilio||We use Twilio in our app to programmatically make calls to emergency contacts shared by you for your safety during use of the Well-being coach or therapist services. This is done using their web service APIs. Here, you can read more on their privacy, terms of service and security. We have a DPA and BAA with Twilio.|
Disclosure to Institutions
You may need an access code or link provided by your Institution to use the Institution version of the App. Your Institution may also get access to aggregated data for their analytic and research purposes based on the consent given by you to your Institution. We may collect your country, division and in some cases your city information to provide aggregated analytics. We do not share your messages with the Institution. Any inadvertent identifiers get removed prior to the aggregated analysis.
If the App is integrated with your Institution system, your Institution may additionally share your assessment scores with us and likewise, we may share aggregated user data with them. Such assessment scores may be processed by us for providing services to your Institution. Your assessment responses will never be processed for diagnostic purposes or for giving clinical advice.
Disclosure to other third parties
We may be required to share your personal data in good faith with third parties to meet applicable law enforcement or regulatory requirements. We will always weigh your rights and freedom before we process any such requests. These third party processing includes:
Touchkin will never share your conversation data without your explicit consent.
How do we handle your App password?
For your privacy and security, you are advised to set your own App PIN to protect unauthorized access of your conversation messages. Your mobile device screen password is your PIN. To extend your device password, use the "Set Lock " feature under the App settings. You can also remove your PIN using the "Remove Lock” option under settings. The PIN that you use is personal to you, and you are responsible for maintaining the confidentiality and security of your PIN. Please keep your PIN safe and do not share it with anyone. The PIN you set remains in your device and is not collected, transferred and stored in our servers.
What data do we process after taking your Consent?
We take your consent to perform the following processing.
|Website Contact Form (Name, Email ID, inadvertent identifiers in messages)||To respond and provide support for your inquiries.||Your consent during form submission|
|App usage data||To process and share de-identified data with your institution or research partner.||Your consent during onboarding (Agreements are signed with the researcher or Institution)|
|In-app push notifications||To notify you for reminders you have set. To remind you about upcoming sessions and events. To provide service related information and discounts.||Opt-in and Opt-out in App settings or mobile device settings.|
|Session conversations with coach/therapist||To collect minimal de-identified data for research purposes.||Consent taken by coach or therapist from you.|
|AI Coach activity and well-being assessment data||To share the data with your Wysa well-being coach or therapist for your safety and support.||Authorize / unauthorize in app settings|
|Conversations with the AI Coach||To share your AI Coach conversations with your Wysa well-being coach or therapist.||Your consent given within the AI Coach (opt-in and opt-out by typing #sharechat)|
|Recruitment data (name, contact, address, email id, resume, references, credentials, transcripts, government provided identification, compensation information, race or ethnic origin, opinions and beliefs, physical or mental health or condition, sexual orientation, memberships, social media handles)||To evaluate your application. To make job offers. To enter into an employment agreement. To perform background checks. To perform reference checks. To convey application status. To consider you for other opportunities. To improve our hiring process.||Your consent. In our legitimate interest (to comply with laws, to protect your rights)|
|Promotion event data (email ID)||To process the survey. To send programme related information. To enrol and onboard you to the programme. To correspond on programme matters.||Your consent given within the AI Coach and forms.|
How do we handle user incidents and requests?
There may be occasions where you wish to contact us to seek support or inquire about our services. If you contact us directly over email, we will collect minimal personal information to service your request. Your communication data is securely stored in our Google Workspace account with access to only authorized users. We have signed agreements with Google Workspace. We will only use your data to investigate the issue or request asked. Your email will be retained within our system for a maximum of 10 years since last correspondence. We will not spam you or contact you for any direct marketing. We will not share or sell your personal data with any third party.
Your issues or complaints or requests about the App and services are taken very seriously. You will need to send an email request from your Google or Apple email ID to [email protected] or [email protected]. We will respond to your complaints within 3 business days. Some of your complaints may take longer to resolve. We will continuously provide you with an update until your complaints are satisfactorily resolved.
How do we handle data provided during promotions and surveys?
We do not promote third party offers as a part of the App experience. Your survey submission will never be linked to your Wysa App account. Your survey submission will reside in our secure Google Workspace account. Google Workspace provided security can be read here. The Google Workspace account is protected by two step verification. You can opt out at any time from the programme by sending us an email request from your Google or Apple email ID to [email protected]. We will respond to your request within 3 business days. Your submissions will never be shared with a third party.
How do we handle your payment data when you subscribe to our services?
What do we process when you follow us on Instagram?
You have the option to follow us on Instagram using your Instagram account from the Wysa App settings. You can set up an Instagram account, if you do not own one and follow us at @wysa_buddy. We do not associate your instagram account with your Wysa App account.
What do we process when you use the android speech-to-text feature?
The same Android SDK/API plays back the AI Coach response to you. Please ensure your mobile device volume is kept in optimal listening mode. Please note that you may experience some performance issues if you have low internet speeds.
Additional information when you use the audio-video coach or therapist service.
You will need to give permission to activate your device's microphone and camera. We have enabled Zoom’s healthcare product for this service. To enable video call connection, we only send anonymized identifiers to Zoom. Your call is never recorded and maintained at our or at Zoom’s end. End-to-End encryption is enabled along with other privacy and security controls. This ensures that your conversation remains secure and private. We may collect anonymous feedback from you at the end of the call. This will help us improve the quality and performance of our service.
We will be unable to provide access to playbacks or call transcripts as calls are not recorded. Your assigned Wysa well-being coach or therapist will explain the benefits and risks of using the service. Please ensure your device volume is kept in optimal listening mode. Please note that you may experience some performance issues if you have low internet speeds. Please read the Wysa Well-being Coach and Wysa Therapist Service section in our Terms of Service to understand the terms for use.
How do we handle your data when used for research purposes?
We use minimal and only the required data for research purposes including aggregated data for any publications. This data is completely anonymized using one-way hash functions prior to use. This helps us to improve our product and services and contribute to user-centered mental wellbeing best practices globally.
We never use your longitudinal conversation messages for research purposes and analysis. If at all, only limited messages get selected from specific AI Coach endpoints and used.
What data do we process as part of Gift Card purchase?
Additional information when you apply for employment or internship opportunities at Wysa.
We do not sell your Information to unauthorized third parties. Your data is stored in databases maintained by us or third parties located within India or globally. Where, privacy rules may differ and may be less stringent than those in your country. If you are successful in your application, we retain the information as part of your employee records. If you do not want us to retain your information or want us to update it, please contact us at [email protected]. Please note, that we may retain some information if required by law or as necessary to protect ourselves from legal claims.
Please read here on your Privacy rights.
What additional processing is performed?
We do not combine and process your personal data with any other third party available data. Your data, messages or usage is not used for direct marketing nor is it sold to advertisers. We will always take your consent before using your name for social proof purposes.
How do we secure your data?
The security of your data is important to us. We have implemented adequate safeguards to protect your data. Some of the steps undertaken include:
Privacy by Design and Default
Security by Design
No method of electronic transmission or method of data storage is perfect or impenetrable. While we try our best to implement controls to protect your personal data, we cannot guarantee its absolute security. To ensure your data is secure, we require your cooperation as well. Please do not copy and share your conversations with unknown people.
How long do we retain your data including personal data?
Any identifiers shared in your conversation get hashed within 24 hours within our system.
We may retain your data even after your subscription ends if it is reasonably necessary. This could be in the following situations:
Where not specified we retain your data for a maximum of 10 years since the end of subscription and as per our information retention policies.
You can also, at any point of time, clear all your transactional data by using the “reset my data” feature available in the App settings. Refer here in our policy for more details.
What are your data protection rights?
You have certain rights under the Data Protection Laws in relation to your Personal data. To exercise any of your rights, you will need to send an email request to the contact information provided here. Please note that we may need to verify you before responding to any requests. After verifying you and examining your request, we will respond to you on the action taken within one calendar month from verification. We may at times be unable to address your request, if we are unable to correctly identify you.
Your individual rights requests may be limited, where:
Right of access
You have access to view your latest conversations or view your older conversation messages within the Journey tab of the App. You have access to your text-based messages with a Wysa well-being coach or therapist in the Coach or Therapist tab of the App. If you exercise your right to be forgotten and reset your data, you will lose the right to access your data as it will be permanently deleted.
You have the right to obtain your personal data that you provided as per our Agreement or where you consented to give us. After verifying, we will provide access to your personal data in a machine-readable format. We may at times be unable to address your request, if we are unable to correctly identify you.
Right to rectification
If your personal data is inaccurate or incomplete, you can write to us to correct or complete it. If we share your personal data with third parties, we will inform them about the correction where possible.
Right to restrict processing
You can write to us to restrict processing of your personal data, where you contest the accuracy of the data or object to our processing it. If we share your personal data with third parties, we will inform them about the restrictions where possible.
Right to object
You may write to us and object to the processing of your personal data where we apply our legitimate interest. We may stop unless we can demonstrate compelling legitimate grounds for the processing.
Right to data portability
If you are a paid subscriber of our services, you can place a request to transfer your data from your older device to your replaced mobile device. If you are not a paid subscriber, we will need to accurately verify you, before we can process your request. We may at times be unable to address your request, if we are unable to correctly identify you.
Right to Erasure
When you use the service, you have the option to reset your data by using the “Reset my data” feature in the App settings. Reset my data deletes all your submitted data including your identifiers, past conversations, reminders, assessment responses and enabled settings. Post reset, you will not be able to recover your past data and you will be considered as a new user of the App. Hence, this feature is to be used at your discretion. If you are a paid subscriber, your transactional data and messages will be deleted on reset. However your active subscription, purchased through third parties like google play, iTunes, etc., will continue to exist post reset of data.
You can also write to us to delete or remove your personal data, such as when you withdraw your consent.
Right in relation to automated decision-making and profiling
You have the right to be free from decisions based solely on automated processing of your personal data, including profiling, which may have a significant effect on your rights and freedom, unless such profiling is necessary for entering into, or the performance of our Agreement or with your explicit consent.
Right to withdraw Consent
To the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing of your data before we received notice that you wished to withdraw your consent.
Right to Breach notification
In the event of a breach of your personal data, we will notify you within 72 hours or as required by Data Protection Laws.
Right to address Concerns and Complaints
If you are not satisfied with our resolution, you have the right to complain to a Data Protection supervisory authority in your country or state of residence. We will fully cooperate with the supervisory authority. Contact details for Data Protection Authorities in the EU are available here.
Do California residents have specific privacy rights?
There are certain disclosures required by the California Consumer Privacy Act (or “CCPA”).
California residents can request a list of third parties with whom we share personal data for direct marketing purposes. Please note that Wysa does not share or sell your personal data with third parties as a matter of policy. Subject to certain exceptions, you can write to us to know about the personal information you shared. You can request to delete your personal information, to opt out of any “sales”, and to not be discriminated against.
We will respond to your request within 45 calendar days of verification. We may at times be unable to address your request, if we are unable to correctly identify you. We may be unable to address your request due to any of the limitations and exceptions provided within CCPA.
What are the controls for Do-Not-Track features?
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. We do not respond to DNT signals transmitted by web browsers.
Can children under 13 use Wysa App?
The App is intended for a general audience and is not directed to or intended to be used by children under the age of thirteen years.
There is a special necessity to protect children's privacy on the App. We do not knowingly collect any personal data from children.
Write to us if you think we have collected any personal data of your child. We will respond to you within one calendar month from verification. We may at times be unable to address your request, if we are unable to correctly identify the user. We will deactivate the child’s account, if we find we have been collecting personal data from your child. Upon identification we will take reasonable measures to promptly delete such personal data from our records.
How to contact for additional questions, comments or concerns?
Can Non-English speaking users use the Wysa App?
The App has been built and is currently provided only for English language users. Some of the AI Coach modules and tools within the App are provided for Spanish language users.
To ensure wider reach, Touchkin will, in the near future, launch the App in other international languages. We will keep you updated on this development.
What are some Best Practices to follow to keep your devices secure?
You are also responsible for helping to protect the security of your personal data. You are responsible for maintaining the security of any personal computing device on which you utilize the Services.
The US Federal Trade Commission (FTC) publishes information for users on how to secure your personal data and devices. These can be found at the following public links.
Touchkin strongly believes in security and safety of data in your mobile device. As a responsible Service provider, we therefore like to share important device based security data for your attention. These have been sourced from US FTC best practices and guidelines. Always refer back to the US FTC links provided above for more details and future security updates.
Severability and Exclusion
v4.0.0 | November 10, 2021
v3.3.1 | July 16, 2021
v3.3.0 | July 01, 2021
v3.2.0 | Apr 16, 2021
v3.1.0 | Feb 10, 2021
v3.0.0 | Feb 03, 2021