Do Note :

Changes in v5.5.0 | Dec 18, 2023

You can read the full list of changes in the Changes Log

Definitions

Who are we?

Touchkin is a private limited company having its registered offices in India (Touchkin eServices Pvt. Ltd.), UK (Wysa Ltd.) and USA (Wysa Inc.). We are registered with the UK ICO. Our data protection registration number is ZA845530. Where we decide the purposes of our services and personal data processing, Wysa will be the Controller. For all services and data processing done at the direction of and on behalf of a Controller or a Processor, Wysa would either be a Processor or a Sub-Processor.

What personal data do we process and how do we use it?

We only use your personal data for the purposes for which we collected it. We will use it for another reason, only if compatible with the original purpose. We may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. We may process your personal data without your knowledge and consent, where this is required or permitted by law.

The table lists the data processing that we perform when you use the AI Coach, Digital self-care tools, human well-being professional service, services purchased from our website or multi-lingual offerings.

What data do we process when you use the Wysa Digital Front Door Service?

Wysa Digital front door application allows your Institution to triage you and your dependents to authorised care and support resources. The service redirects you to authorised support resources based on your pronouns, country, service group, language choice, support choice and self-reported mood assessments. Support resources include the Institution’s EAP, the Wysa App and other Institution provided services. Access to the Wysa front door service will be via your Institution provided Single Sign-on (SSO) mechanism. Where required and on behalf of your Institution, we may integrate our App and Services with your Institution’s authentication mechanism such as Single Sign On (SSO). SSO enables you to use your Institution credentials to sign-in and access authorised Wysa App and Services and other third-party services. Wysa App will redirect you to your Institution’s SSO web page during your first access. The SSO processing is done by your Institution to verify your identity and direct you to the Wysa App. Your personal information, submitted during sign-in, is not transferred or stored in the Wysa system. Wysa will receive a one-time unique and encrypted identifier, which will be used to generate a random user identifier to associate you to the App and Services. Wysa will keep track of your login status and inform your Institution of any change to allow your Institution to manage future SSO requests. If you have any questions about your use of SSO please contact your Institution directly. No personal data is collected or processed during your use of the Wysa digital front door application and service. Wysa shall share population-level and aggregated analytics on App engagement and use with your Institution. You can delete your data at any time by selecting the “Reset my data” option available within the App.

What personal data do we process and handle as a Processor or Sub-processor?

Wysa may be a Processor where we are asked to process your data on behalf of the Institution. We will collect, transfer, store and use your data to provide the Institutional Services. Where required, Wysa will integrate with your Institution authorised information systems to process and transfer contracted data. We will maintain appropriate agreements with your Institution before any data processing or sharing.

We will also generate reports for your Institution. Only aggregated and anonymised data, at a population or cohort level, will be used for the Institution’s reporting needs. These reports will be generated and shared with your Institution as downloadable files via secure analytic dashboards. Your individual insights will never be shared with your Institution without your consent.

We may provide anonymised or agreed upon minimal user level data with some of our Institutions. This would be for provisioning of Services and/or where it helps the Institutions provide better care for you. We clearly inform the Institution and within our contracts with them about their responsibility to protect your rights and freedom at all times.

We may process additional health data (such as substance abuse, gender among others) on behalf of healthcare Institutions as a Business Associate. We adhere to privacy by design principles and minimize and limit processing of any personal identifiers. We ensure compliance to US HIPAA by enforcing administrative, organisational and technical controls to safeguard the privacy and security of any health data that we may process

Where required by your Institution, we may guide you to appropriate support and crisis resources. These would be both within and external to the App including Institution provided helplines, EAP, offline care services and therapist support. This processing is not intended to be an emergency response and is performed to safeguard individuals at-risk.

What additional personal data do we process when you use our WhatsApp-based business service?

Wysa’s AI Coach service delivered over WhatsApp business app is currently available as a pilot and only in the India geography. Wysa’s AI Coach on WhatsApp business is limited to improving sleep efficiency. The service does not offer medical or clinical advice and only suggests that you seek medical help.

We may place ads online to test take-up of a specific Service or to market a specific Service using only authorised ad managers. Alternatively, you may obtain access to this service through your Institution. No personal identifiers will be collected and stored by us when you interact with these ads. When we run ads to test service take-up, we may provide access to limited tools or techniques on a standalone web-view. Your engagement on the web-view will be collected and shared with google analytics to identify level of usage. No personal data will be collected or processed from such web-views. Please read our Cookie Policy. We will not share your identifiable usage data with ad platforms for profiling or re-targeting by a third-party.

You will need to initiate this service from your WhatsApp account. Wysa will never use your messages to contact you for marketing purposes. Wysa processes the following data when you use this service.

Your messages on WhatsApp business are always end-to-end encrypted. As per WhatsApp Privacy Policy, your messages are typically stored on your device(s) and not on WhatsApp global servers. WhatsApp will temporarily store your messages in encrypted form while they are being delivered. Once your messages are delivered, they are deleted from WhatsApp global servers. We do not share the random user identifier with Whatsapp.

We use Twilio’s or Turn.io’s secure services, a Business Solution Provider of whatsapp, to establish communication between our AI Coach service and WhatsApp business. Twilio or Turn.io APIs assist transfer of encrypted messages between WhatsApp business and Wysa. Your messages are deleted from Twilio immediately after successful transfer to our servers. Your messages may be retained longer by Turn.io as per their terms . Your phone number and profile name are however retained in Twilio or Turn.io as long as connectivity of service is required. Read more about Twilio or Turn.io in the third-party service provider section.

Note: WhatsApp allows you to send attachments or voice messages. This is not required by us to provide our service. Please avoid sharing such information with us. Any inadvertent attachment and voice messages submitted by you gets deleted immediately from our servers.

You can change your WhatsApp profile name at any time from your WhatsApp account. Clearing the WhatsApp messages will only delete your conversations on WhatsApp and as per WhatsApp data retention policies. To delete your data from Wysa servers please send us a request on [email protected]. Once deleted the data cannot be restored. Please read WhatsApp Privacy Policy and Terms of Service to understand what information WhatsApp collects and processes from you. You can block or delete our business service from your contact list at any time from your WhatsApp account. You can also mute notifications from your chat settings. You can always safeguard your information on WhatsApp using the privacy and security features provided by WhatsApp. Learn more about WhatsApp’s end-to-end encryption and Privacy and Security for business messages.

What additional personal data do we process when you participate in the online controlled or real-world studies?

You may voluntarily register or opt-in to participate in any of our online controlled or real-world studies from our web pages or social media posts. You will be asked to verify your contact to access our web-based widget App. We will provide you with study related information and seek your informed consent.

We will collect and process the following personal data from you at the time of study selections (enrollment data). This enrollment data will be used for the purpose of shortlisting participants for the study.

You will be notified about your study qualification. If not selected or on drop out, your enrollment data will be permanently deleted from our systems within 60 (sixty) days. If selected for the study, your enrollment data will be retained by us for upto 1 year after study completion, after which they will be permanently deleted. You will receive a link or study referral code to access our mobile App for the study.

We will collect and process your personal data when you use our mobile App as outlined here. At the end of the study period all users will be automatically considered as regular (non-study) users of our App. Only anonymised data (non-personal data) will be used for research, analysis and publication purposes. Your non-personal data will be retained as per our retention and deletion policy mentioned here.

You have the right to opt-out of research at any time after the study begins. You can either choose to opt-out from the app settings or write to us at [email protected] with the subject “opt-out of Wysa’s online controlled or real-data study”. On successful opt-out, we will delete your enrollment data within 1 (one) year of opt-out. Your data provided during use of mobile App will be retained as per our retention policy mentioned here.

Your data provided during the study will always be kept secure. Read more about our organisational and technical security safeguards here.

What Non-Personal data is processed when using Wysa emotional well-being professional service?

When you schedule a session with our Wysa emotional well-being professional, we collect your date and time preferences to confirm your booking. Your device time zone is collected to calculate your local date and time and schedule a session. It also allows us to send appropriate session reminders. Sometimes, Wysa App may get your local time wrong which could affect the session scheduling. Always verify your local time in the scheduling screen before booking a session. If you notice an error in your local time displayed, go to the AI Coach messaging interface and type #time to change your time. If You face any challenge changing Your local time or booking a session, kindly write to us at the contact provided here.

After you book a session, you have the option to save the booking in your device calendar. This is for your added convenience.

Only minimal messages provided to your emotional well-being professional get used for analysis and audit purposes. Your messages are anonymised before use. This is for improving our emotional well-being professional service quality.

The Institution Version of Wysa App may carry a link to the institution EAP or health provider instead of or in addition to the Wysa emotional wellbeing professional. The EAP provider’s terms and privacy policy will apply to use such services.

Do we use passive sensing or location data?

The App does not process any data from your mobile device sensors, including accelerometer, ambient light readings, screen on/off readings and call logs. The App does not process your geolocation at a level that makes your data identifiable. The App may infer your country or state based on your time zone to provide you appropriate resources, such as scheduled reminders.

How do we share your data with third parties?

To provide you with our services, we use third-party service providers to help store and process your data. We assess the service provider’s security and privacy practices. We strictly require that they comply with confidentiality and non-disclosure obligations and applicable laws and regulations including relevant Data Protection Laws. We also require that they or their providers (fourth parties) access your data only to the extent necessary to perform tasks on our behalf. We use the following third-party service providers.

How do we handle your App password?

For your privacy and security, you are advised to set your own App PIN to protect unauthorized access of your conversation messages. Your mobile device screen password is your PIN. To extend your device password, use the "Set Lock " feature under the App settings. You can also remove your PIN using the "Remove Lock” option under settings. The PIN that you use is personal to you, and you are responsible for maintaining the confidentiality and security of your PIN. Please keep your PIN safe and do not share it with anyone. The PIN you set remains in your device and is not collected, transferred and stored in our servers.

What data do we process after taking your Consent?

We take your consent to perform the following processing.

How do we handle user incidents and requests?

There may be occasions where you wish to contact us to seek support or make inquiries. If you contact us directly over email, we will collect minimal personal information to service your request. Your communication data is securely stored in our Google Workspace account with access to only authorized users. We have signed agreements with Google Workspace. We will only use your data to investigate the issue or request asked. Your email will be retained within our system for a maximum of 10 years since last correspondence. We will not spam you or contact you for any direct marketing. We will not share or sell your personal data with any third-party disclosure.

Your issues or complaints or requests about the App and services are taken very seriously. You will need to send an email request from your Google or Apple email ID to [email protected]. We will respond to your complaints within 3 business days. Some of your complaints may take longer to resolve. We will continuously provide you with an update until your complaints are satisfactorily resolved.

How do we handle data provided during promotions, campaigns and surveys?

We do not promote third-party offers as a part of the App experience. Your promotion, campaigns and survey submissions will never be linked to your Wysa App account. Your promotion, campaign, survey submission will reside in our secure Google Workspace or marketing tool accounts. The Google Workspace and marketing tool account is protected by two step verification. You can opt out at any time from the programme by sending us an email request from your Google or Apple email ID to [email protected]. We will respond to your request within 3 business days. Your submissions will never be shared with a third-party.

How do we handle your payment data when you subscribe to our services?

[The Institution Version of Wysa App may carry a link to the institution EAP or health provider instead of or in addition to the Wysa emotional well-being professional. The EAP provider’s terms and privacy policy will apply to use such services.]

We do not collect, retain and store your personal and card information. Your card processing is handled by third-party payment agencies. We do not collect any personal data from the play stores post-purchase or from any of our third-party payment gateway providers. We may capture the enterprise name for business and operational purposes. Please read their terms and privacy policy before making a payment. The payment confirmation and subscription details are received and processed by us. This is to support you for your subscription-based requests.

What do we process when you follow us on Instagram or our other social media pages?

You have the option to follow us on Instagram using your Instagram account from the Wysa App settings. You can set up an Instagram account, if you do not own one and follow us at @wysa_buddy. We do not associate your instagram account with your Wysa App account.

What do we process when you use the android speech-to-text feature?

During use of our voice AI Coach, you may get an opportunity to talk with the AI Coach apart from typing. For android phone users, you will need to give permission to activate your device microphone to speak to the AI Coach. On microphone activation, the Google Android provided Speech Software Development Kit (SDK)/API within your device gets initiated. The Android SDK/API converts your speech to text and displays the text in your chat. The converted text data is securely transferred to our servers. We do not access nor collect nor store your voice data on our servers. No Personal data gets asked during use of this service. Please do not share your personal or sensitive information at any time during use of this service. The microphone is deactivated when you stop speaking and will not be always listening. The lawful basis for processing of your transcribed text is governed by this agreement. The processing of your voice for the purpose of converting to text is performed by Android SDK/API which is governed by Google’s Terms and Condition and Privacy Policy. Google may collect some identifiers and Information from you to provide their service. You can read Google’s Privacy Policy here. We do not access, receive or collect any identifiers and information that is collected by Google. Please speak close to the device microphone for improved translation. If you accidentally submitted any personal information, please write to us for any rectification at the contact provided here.

The same Android SDK/API plays back the AI Coach response to you. Please ensure your mobile device volume is kept in optimal listening mode. Please note that you may experience some performance issues if you have low internet speeds.

Additional information when you use the audio-video emotional well-being professional service.

You will need to give permission to activate your device's microphone and camera. We have enabled Zoom’s healthcare product for this service. To enable video call connection, we only send anonymized identifiers to Zoom. Your call is never recorded and maintained at our or at Zoom’s end. End-to-End encryption is enabled along with other privacy and security controls. This ensures that your conversation remains secure and private. We may collect anonymous feedback from you at the end of the call. This will help us improve the quality and performance of our service.

We will be unable to provide access to playbacks or call transcripts as calls are not recorded. Your assigned Wysa emotional well-being professional will explain the benefits and risks of using the service. Please ensure your device volume is kept in optimal listening mode. Please note that you may experience some performance issues if you have low internet speeds. Please read the Wysa emotional well-being professional Service section in our Terms of Service to understand the terms for use.

How do we handle your data when used for research and analytics purposes?

We use minimal and only the required data for research purposes including aggregated data for any publications, to explore new technologies or to build new features or products. This data is completely anonymized using irreversible redaction of user identifiers prior to use. This helps us to improve our product and services and contribute to user-centered mental well-being best practices globally.

We never use your longitudinal conversation messages for research purposes and analysis. If at all, only limited messages get selected from specific AI Coach endpoints and used.

You can always write to us at [email protected] to restrict processing and opt-out of your data for research purposes.

What data do we process as part of Gift Card purchase?

When you purchase a “Gift Card” you will need to create an account with the payment gateway. Payment Processing and verification is based on payment gateway’s Terms of Service and Privacy policy. The security practices followed by the payment gateway are outlined here and here. On successful payment, we will issue the Gift codes on the payment completion screen. You can then send the codes to the recipients to avail Gift Card services as per Wysa Terms of Service. Your payment card details will not be collected or stored at our end. Only the payment confirmation, such as order identifier and receipts get collected from the Payment Gateway provider and processed by us. Processing of this data is in our legitimate Interest to support you for any payment related requests, issues or clarifications. If You have any questions regarding your Gift Card, please write to us at [email protected]

Additional information when you apply for employment or internship opportunities at Wysa.

We do not sell your Information to unauthorized third parties. Your data is stored in databases maintained by us or third parties located within India or globally. Where, privacy rules may differ and may be less stringent than those in your country. If you are successful in your application, we retain the information as part of your employee records. If you do not want us to retain your information or want us to update it, please contact us at [email protected]. Please note, that we may retain some information if required by law or as necessary to protect ourselves from legal claims.

Please read here on your Privacy rights.

Your use of third-party weblinks

The App may carry links to third-party websites and resources. When you click on those links, you may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. We encourage you to read the privacy policy and Terms of use of every external link you visit.

What additional processing is performed?

We do not combine and process your personal data with any other third-party available data. Your data, messages or usage is not used for direct marketing nor is it sold to advertisers. We will always take your consent before using your name for social proof purposes.

We will update this Privacy Policy and inform you if we perform any additional processing.

How do we secure your data?

The security of your data is very important to us, and we work hard to secure it. We have implemented adequate technical and organizational safeguards to protect your data. Some of the steps we have taken to secure your data include:

Privacy by Design and Default

1. There is no user registration required. We don’t need it hence we don’t ask for it.
2. Only a nickname is sufficient to help us personalize our conversation with you.
3. We use pseudonymised identifiers to protect your data and identity.
4. No human eavesdrops during your conversation with the AI coach.
5. The AI Coach will always check if it has understood you correctly before progressing.
6. We use algorithms that irreversibly redact any inadvertent personal identifiers entered in English.
7. You can opt-out at any time using the “reset my data” feature available in the App settings.
8. We adhere to the 7 key principles set out by GDPR (see here).
9. We perform Data Protection Impact Assessment (DPIA) for personal data processing.

Security by Design

1. We use TLS and SSL encryption during transfer and AES-256 protocol at rest.
2. Random identifiers are used for all data transactions between AI Coach and our servers.
3. Our systems are secured with role-based access, strong passwords and two-step verification.
4. We enable endpoint security in all staff systems.
5. We review and maintain data processing agreements with our service providers.
6. We have a strict hiring and background verification process in place.
7. We provide regular awareness and training to our staff.
8. We conduct annual 3rd party compliance audits and data protection certifications.
9. We perform regular penetration tests of our Apps and Infrastructure.
10. We conduct regular checks to ensure compliance to our policies.

Certifications and Registrations

1. Wysa is registered with the UK Information Commissioner’s office (ICO)
2. Certified for Cyber Essentials
3. Wysa meets standards of the NHS Digital Data Security and Protection Toolkit (DSP Toolkit).
4. Wysa mobile App is registered with UK MHRA as a CE/UKCA Class I medical device.
5. Wysa's Information Security Management System (ISMS) and Privacy Information Management System (PIMS) is certified for ISO 27001:2013 and 27701: 2019.

No method of electronic transmission or method of data storage is perfect or impenetrable. While we try our best to implement controls to protect your personal data, we cannot guarantee its absolute security. To ensure your data is secure, we require your cooperation as well. Please do not copy and share your conversations with unknown people.

How does the Artificial Intelligence chatbot work and is it safe to use?

At Wysa, we use proprietary Artificial Intelligence and Natural Language Processing/Understanding (NLP/NLU) algorithms (“AI”) to understand your messages. NLP/NLU algorithms are classification techniques that are used to understand what you write. This allows the AI to maintain a conversation with you and guide you to appropriate resources. Our values require that our AI used within the App is transparent, trusted, safe and privacy protecting. All the AI used in our Apps are “FIXED” or “CLOSED”, and all chatbot responses to the user are created with clinical input and subjected to detailed safety testing before being deployed. There are no generative (those that 'create' the response to the user on the fly) or adaptive models (i.e. those that continually adapt or learn every time on their own) in use. The algorithms run at conversational nodes within a decision-tree structure.

The primary purpose of the AI-based processing is

1. to provide an interactive safe-by-design approach to converse and journal via text with the chatbot.
2. to detect and retain limited context from your messages to personalize and provide empathetic and safe conversations.
3. to detect at-risk situations, such as any SOS, self-harm and abuse triggers, so as to signpost users to clinically validated supportive resources and helplines.

Wysa complies with UK NHS Digital’s DCB 0129 clinical risk management standards to ensure a safe-by-design approach to our AI-based services.

How do we use Generative AI technology?

We use third-party Generative AI technology services for generating static, quality and clinically verified content scripts that provide a high performing, safe and improved user experience with our AI based Services. No personal data gets shared with these third-party services.

Generated content needs to pass our safety and quality guardrails before being accepted for use. All generated content scripts are rigorously quality checked for copyright and plagiarism, clinically validated using a therapist-in-the-loop for safety, privacy, quality and performance. Only validated content gets released within our App and Services. We will transparently inform you when we use Generative AI based features within the App.

Where applicable, We will provide additional Terms of Use and Privacy notices to transparently keep you informed about any generative AI based data processing.

How long do we retain your data including personal data?

We have built proprietary algorithms that detect personal identifiers, that you may voluntarily submit in English during your conversation with AI Coach. These detected identifiers get irreversibly removed within 24 hours within our system.

We may retain one copy of your data even after your subscription ends or Institution contract ends if it is reasonably necessary. This could be in any of the following situations:

• to comply with applicable legal and statutory requirements;
• at the request of a returning subscriber;
• to respond to your requests
• based on contractual obligations with your Institution;
• in our backup for a time-bound period;
• to fulfill processing that is in our legitimate interest.

Where not specified we retain your data for a maximum of 10 years since the last update and as per our internal information retention policies.

Your emergency contact information, if any provided, will be deleted after fifteen (15) days at the end of the Wysa emotional well-being professional subscription. If you renew the subscription within those fifteen (15) days, the emergency contact information will not be deleted.

You can also, at any point of time, delete all your conversation data and any emergency contact information provided by using the “reset my data” feature available in the App settings. Refer here in our policy for more details.

International transfer of personal data outside of the country you reside in or are currently located

You understand and agree that we may transfer, store and process your submitted data to a third-party processor. These processors may be based in countries other than the country where you reside. These could be countries where data protection laws may be less stringent than those from the originating country. We take additional steps in an effort to ensure our international transfer of data is consistent with applicable data protection laws.

Where we transfer data from the European Economic Area (EEA), Switzerland, and/or the United Kingdom we use appropriate safeguards. This includes use of EU / UK Standard Contractual Clauses and UK International Data Transfer Agreement (IDTA) within the Data Processing Agreements.

Minimal data may be transferred across Wysa company locations to provide our Services. We use appropriate technical and organisational measures to protect such transfers.

If you have additional questions about our international transfers of personal data, please contact us at [email protected].

What are your data protection rights?

You have certain rights under the Data Protection Laws in relation to your Personal data. To exercise any of your rights, you will need to send an email request to the contact information provided here. Please note that we may need to verify you before responding to any requests. After verifying you and examining your request, we will respond to you on the action taken within one calendar month from verification. We may at times be unable to address your request, if we are unable to correctly identify you.

Your individual rights requests may be limited, where:

• denial of access is required or authorized by law;
• grant of access would have a negative impact on other's privacy;
• required to protect your, our or other’s rights property or safety;
• the request is unjustified or excessive.

Where Wysa is a Processor or Sub-Processor performing data processing on behalf of your Institution, Wysa may redirect your rights-related requests to your Institution for a resolution. We will respond to your request as directed by your Institution.

We handle your rights-related request as detailed below.

Right to be informed

This privacy policy explains and informs you about how we handle your data when you use our apps and services.

Right of access

You have the right to exercise a data access request to know what personal data we hold about you.

You have access to view your latest conversations or view your older conversation messages within the Journey tab of the App. You have access to your text-based messages with a Wysa emotional well-being professional in the Coach or Therapist tab of the App. If you exercise your right to delete and reset your data, you will lose the right to access your data as it will be permanently deleted in our system.

You can write to us at [email protected] for any clarifications or make subject access requests. On receipt, we will review your request, make reasonable efforts to find and retrieve the requested information and respond to you within one month of your request.

Where Users have subscribed to a Service, you have the right to obtain your personal data that you provided as per our Agreement or where you consented to give us. After verifying, we will provide access to your personal data in a machine-readable format. We may at times be unable to address your request, if we are unable to correctly identify you or are limited due to one of the reasons mentioned earlier or any of the exemptions set out by the data protection laws.

Right to rectification

If your personal data is inaccurate or incomplete, you can write to us to correct or complete it. If we share your personal data with third parties, we will inform them about the correction where possible.

Right to restrict processing

You can write to us to restrict processing of your personal data, where you contest the accuracy of the data or object to our processing it. If we share your personal data with third parties, we will inform them about the restrictions where possible.

Right to object

You may write to us and object to the processing of your personal data where we apply our legitimate interest. We may stop unless we can demonstrate compelling legitimate grounds for the processing.

Right to data portability

If you are a paid subscriber of our services, you can place a request to transfer your data from your older device to your replaced mobile device. You can also request a copy of your messages to Wysa coach or therapist for your own purposes. If you are not a paid subscriber, we will need to accurately verify you, before we can process your request. We may at times be unable to address your request, if we are unable to correctly identify you.

Right to Erasure

When you use the service, you have the option to reset your data by using the “Reset my data” feature in the App settings. Reset my data deletes all your submitted data including your identifiers, past conversations, reminders, assessment responses and enabled settings. Post reset, you will not be able to recover your past data and you will be considered as a new user of the App. Hence, this feature is to be used at your discretion. If you are a paid subscriber, your transactional data and messages will be deleted on reset. However your active subscription, purchased through third parties like google play, iTunes, etc., will continue to exist post reset of data.

You can also write to us to delete or remove your personal data, such as when you withdraw your consent.

Right in relation to automated decision-making and profiling

You have the right to be free from decisions based solely on automated processing of your personal data, including profiling, which may have a significant effect on your rights and freedom, unless such profiling is necessary for entering into, or the performance of our Agreement or with your explicit consent. You have a right to ask us to stop any automated decision making that may affect your rights and freedom. We do not intentionally carry out such activities, but if you do have any questions or concerns, we would be happy to discuss them with you. You can contact us at [email protected].

Right to non-discrimination

You have the right to not be discriminated against for exercising your CCPA (CPRA) rights or as required by other data protection laws. Use of our app and services is anonymous and hence We will never knowingly discriminate against you and your rights. You can also write to us for any clarification at [email protected].

Right to opt-out of sale

You have the right to opt-out of the sale or restrict sharing of personal data with third-parties who intend to license or sell your personal data. For purposes of the CCPA (CPRA) and other applicable data protection laws, We do not sell any personal data, nor do we have actual knowledge of any sale of personal data of minors under the age of 16 years. You can also write to us for any clarification at [email protected].

Other important information

Withdraw Consent

To the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing of your data before we received notice that you wished to withdraw your consent.

Breach notification

If the data breach is likely to result in a high risk of adversely affecting your rights and freedom, we will notify you as required by Data Protection Laws.

Concerns and Complaints

If you have any concerns or grievances about this Privacy Policy you will need to send an email to [email protected] with Attn. to the Data Protection Officer (DPO) and Grievance Officer. We will respond to you within 36 hours and help resolve your concerns or complaints. We assure you a time-bound resolution not exceeding one month from the date of your complaint.

If you are not satisfied with our resolution, you have the right to complain to a Data Protection supervisory authority in your country or state of residence. We will fully cooperate with the supervisory authority. You can raise a complaint with the UK ICO by following the process outlined here. Contact details for Data Protection Authorities in the EU are available here.

Do California residents have specific privacy rights?

There are certain disclosures required by the California Consumer Privacy Act (or “CCPA”) and California Privacy Rights Act (“CPRA”). This section supplements this Privacy Policy and applies to users who reside in the State of California.

Much of the Personal Information that We collect when you use our Services is not subject to the CCPA (CPRA). Personal Information for the purposes of the CCPA (CPRA) does not include protected health information (PHI or electronic PHI) that is subject to the HIPAA or medical information as defined in the California Confidentiality of Medical Information Act (CMIA), clinical trial data, or publicly available information from government records. Personal Information also does not include de-identified or aggregated user data.

The following is the list of personal Information types which may have been collected from you within the twelve (12) months prior to the last updated date of this Privacy Policy.

• Identifiers: such as android or apple identifier, nick name or any remaining identifiers voluntarily shared with us.
• Conversation data: any residual identifiers remaining in your text messages post our adequate removal measures.
• Communication data: such as name, email identifiers when you write to us.
• Network data: such as IP address or information about your interactions with our website or Apps
• Recruitment data: such as your current or past company name, dates of employment, and information that you may provide in a job application
• Promotion event data: such as any email identifiers when you enrolled.
• App Usage data: such as inferences and reports drawn from the above data types about you reflecting your preferences, characteristics, trends, or behaviour
• Safety Plan data: any inadvertent identifiers shared within the safety resources when you build or maintain a safety plan for your use in time of need
• Institution or Subscriber provided data: identifiers (such as email identifiers, phone numbers) shared when you subscribe on behalf of your institution or group to our campaigns, promotions, product and services.
• Business data: such as name, email identifiers and contact information shared and processed for lead generation, business development, account management and marketing.

We obtain the personal information types listed above from the following sources- when you use our App and Services, directly provided by you, as received from your Institution (where required), when you visit our website, from social networks where you participate, other third-party sources such as partners or recruiters. We will use your data for the processing purposes outlined in earlier sections of this Privacy Policy. We will not collect additional personal data types or use them for any materially different, unrelated, or incompatible purposes without providing you a privacy notice.

During the twelve (12) month period prior to the last updated date of this Privacy Policy, we may have shared your Personal Information with the following categories of third-parties- Wysa affiliates and subsidiaries, service providers under adequate data protection contracts.

Your data provided during use of the App will be retained as per our retention policy mentioned here.

Your data provided during the study will always be kept secure. Read more about our organisational and technical security safeguards here.

You can request a list of third parties with whom we share personal data for direct marketing purposes. Please note that Wysa does not share or sell your personal data with third parties as a matter of policy. Subject to certain exceptions, you can write to us to know about the personal information you shared and also exercise your data protection rights mentioned here. You can request to delete your personal information, to opt out of any “sales”, or to not be discriminated against by writing to us at [email protected].

We will respond to your request within 45 calendar days of verification. We may at times be unable to address your request, if we are unable to correctly identify you. We may be unable to address your request due to any of the limitations and exceptions provided within CCPA.

What are the controls for Do-Not-Track features?

Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. We do not respond to DNT signals transmitted by web browsers.

Can children under 13 use Wysa App?

The App is intended for a general audience and is not directed to or intended to be used by children under the age of thirteen years. Wysa does not take responsibility for any misrepresentation of age and use.

There is a special necessity to protect children's privacy on the App. We do not knowingly collect any personal data from children.

Write to us if you think we have collected any personal data of your child. We will respond to you within one calendar month from verification. We may at times be unable to address your request, if we are unable to correctly identify the user. We will deactivate the child’s account, if we find we have been collecting personal data from your child. Upon identification we will take reasonable measures to promptly delete such personal data from our records.

We encourage parents and legal guardians to monitor their children’s Internet usage. To help enforce our Privacy Policy by instructing their children to not provide any personal data without their permission. Do not share your credit/debit card or other payment instrument with your child to make any in-app purchase.

How to contact for additional questions, comments or concerns?

For any product, services, subscription, technical or payment-related issues, please contact us from your Google or Apple email ID to [email protected] with your questions.

Our mail address for all communication is:

Can Non-English speaking users use the Wysa App?

The App has been built and is currently provided only for English language users. We have also built a Hindi language App for India users. We also provide Hindi and Spanish version apps for users in certain geographies.

Our digital front door application is available for Institution users in multiple languages.

To ensure wider reach, Wysa will, in the near future, launch the App in other international languages. We will keep you updated on this development.

What are some Best Practices to follow to keep your devices secure?

You are also responsible for helping to protect the security of your personal data. You are responsible for maintaining the security of any personal computing device on which you utilize the Services.

The NCSC GOV.UK provides guidance on how You can improve Your online security. The UK ICO provides practical advice for protecting Your personal data online and when using computers and other devices. These can be found at the links below.

Cyber Aware - NCSC.GOV.UK

Online and electronic devices | ICO

The US Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) who govern HIPAA, publishes information for users on how to secure your personal data and devices. These can be found at the following public links.

How To Protect Your Privacy on Apps | FTC Consumer Information

Online Security | FTC Consumer Information

FTC - How to Keep Your Personal Information Secure

How to Recognize and Avoid Phishing Scams

Telehealth Privacy Tips

Wysa strongly believes in security and safety of data in your mobile device. As a responsible Service provider, we like to share important device-based security information for your attention. These have been sourced from US FTC best practices and guidelines. Always refer back to the US FTC links provided above for more details and future security updates.

• Always lock your mobile screen by setting a password. Use strong passwords and keep passwords private. Never leave your device unattended.
• Always extend your mobile screen password to set an App PIN to keep your conversations with the App private.
• Always keep your mobile operating system up-to-date.
• Enable remote access of your devices to enable you to locate and control your devices remotely in the event your device gets stolen.
• Install anti-virus software to protect against virus attacks and infections
• Avoid phishing emails. Do not open files, click on links or download programs from an unknown source.
• Be wise about using Wi-Fi. Before you send personal and sensitive data over your laptop or mobile device on a public wireless network in a coffee shop, library, airport, hotel, or other public place, see if your data will be protected.

Changes to this Privacy Policy

We may modify our Privacy Policy from time to time for various reasons including to improve our privacy practices, to ensure our users right to be Informed, to reflect changes to our service, and to comply with relevant laws. If and when this policy is changed, we will post the new notice on our Website and the App and notify you through an in-app notification or as otherwise required by relevant law. It is your responsibility to check our Website and our App periodically for updates or changes to the policy. We encourage you to review changes carefully. If the changes to the Privacy Policy include changes to the collection, storing or processing your personal information in a way that infringe into your privacy, we will notify you clearly about the same where required by the applicable laws and regulations. If you agree to the changes, then please continue to use our service. If you, however, do not agree to any of the changes and you no longer wish to use our service, you may choose to unsubscribe or uninstall our App. Continuing to use our App and services after a notice of change has been communicated to you or published constitutes your acceptance of changes and consent to the modified Privacy Policy.

Severability and Exclusion

We have taken every effort to ensure that this Privacy Policy adheres with the applicable Data Protection Laws. The invalidity or unenforceability of any part of this Privacy Policy shall not prejudice or affect the validity or enforceability of the remainder of this Privacy Policy. This Privacy Policy does not apply to any data other than the data collected by Wysa while providing the services.

Changes Log