Privacy & Terms
Privacy & Terms
What is Everyday Mental Health by Wysa App?
What personal data do we process and how do we use it?
Do we use passive sensing or location data?
How do we share your data with third parties
How do we handle your App password?
What data do we process after taking your Consent?
How do we handle user incidents and requests?
How do we handle your data when used for research purposes?
Your use of third party weblinks
What additional processing is performed?
How long do we retain your data including personal data?
What are your data protection rights?
Do California residents have specific privacy rights?
What are the controls for Do-Not-Track features?
Can children under 13 use Everyday Mental Health by Wysa App?
How to contact for additional questions, comments or concerns?
Can Non-English speaking users use the Everyday Mental Health by Wysa App?
What are some Best Practices to follow to keep your devices secure?
Everyday Mental Health by Wysa Privacy Policy
Touchkin eServices Private Limited (“Touchkin”, “Wysa”, “We”, “Us”, or “Our”) operates the website (www.wysa.io) and the Wysa mobile, web-based and online applications (“Everyday Mental Health by Wysa App” or “App/s” or “Mobile Software/s”). The AI Coach service, digital premium services and web-based services provided are collectively referred to as the "service(s)".
This page informs you of our policies regarding the collection, use, and disclosure of personal information when you use our service. We use your data to provide and improve the service. We will not use or share your data with anyone except as described in this Privacy Policy. We align our data protection practices to the key principles prescribed by GDPR.
By using our Apps and services, you agree to the collection and use of information in accordance with this privacy policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms of Service.
Updates
We may amend this privacy notice from time to time to keep it up to date. We will notify you via in-app notifications and on our website when we make any changes to the Privacy Policy. Please regularly check these pages for the latest version of this notice.
Initial Effective Date: October 21, 2021 (GMT)
Latest Revised Date: October 21, 2021 (GMT)
Version: 1.0.0
Content
What is Everyday Mental Health by Wysa App?
What personal data do we process and how do we use it?
Do we use passive sensing or location data?
How do we share your data with third parties
How do we handle your App password?
What data do we process after taking your Consent?
How do we handle user incidents and requests?
How do we handle your data when used for research purposes?
Your use of third party weblinks
What additional processing is performed?
How long do we retain your data including personal data?
What are Your data protection rights?
Do California residents have specific privacy rights?
What are the controls for Do-Not-Track features?
Can Children under 13 use Wysa App?
Who can You contact for additional questions, comments or concerns?
Can Non-English speaking users use the Wysa App?
What are some Best Practices to follow to keep Your devices secure?
Changes to this Privacy Policy
Do Note :
Definitions
Anonymization is the process of removing personal identifiers from data sets so that the person can no longer be identified.
Cookie is a small amount of data stored on your device (computer or mobile device).
Data or Information under this Privacy Policy means both personal and non-personal data or information.
Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Data Protection Laws here means in accordance with the Indian Information Technology Act and Reasonable security practices and procedures and sensitive personal data or data rules, including but not limited to requirements of EU GDPR, the UK GDPR and where applicable USA HIPAA.
Data Subject (or User/You) means any living individual who is using our service and is the subject of Personal Data
Encryption is the process of transforming data into unreadable text so that it is only legible to those possessing an encryption key.
Personal data or Personal Information means data about a living person who can be identified from the data and/or other information either in our possession or likely to come into our possession.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific user without the use of additional information.
Non-Personal data or Non-Personal Information means any data that does not reveal user specific identity.
Sub-Processor/s is a data processor who is sub-contracted some of the personal data processing.
Who are we?
Touchkin is a private limited company having its registered office in India, USA and UK. We are registered as a data controller with the UK ICO. Our data protection registration number is ZA845530.
What is Everyday Mental Health by Wysa App?
With the Everyday Mental Health by Wysa App you can chat through a conversational interface and get access to tools and techniques. The App is available in both iOS and Android app stores, including a web-based application. Your interaction is with the AI Coach is with an artificial intelligence system and not a human. The intended use is for providing evidence-based tools and techniques to manage emotions and encourage mental well-being as an early intervention tool in a self-help context. You make the choice of using the AI Coach, based on your own estimate of need, and agree that this is only suitable for basic self-help. This is not intended to be a replacement for face-to-face psychotherapy or to provide a diagnosis, treatment or cure for a disease or condition. The AI Coach cannot and will not offer advice on issues it does not recognize. Using the App, you can track and manage your mood, and learn context-sensitive evidence-based techniques that can help you feel better. The App and service is not intended for use in crisis or emergencies or severe mental health conditions. The App and service cannot and will not offer medical or clinical advice. It can only suggest that the user seek medical help.
Who can Use the Service?
You may use the App and services if you are 18 or more.
If between 13 and 18 years, please read and agree to this Privacy Policy and the Terms of Service along with your parent or legal guardian before use. Kindly inform your parent or legal guardian to provide their parental consent by writing to us at [email protected] or [email protected].
This App and services are not meant for those less than 13 years of age.
Your organisation, school, university, hospital, or others (“Institution”) may provide the App for your use (“Institution User”). Your institution may specify a different age for your use of the App and Services.
What personal data do we process and how do we use it?
We only collect information that is provided by the user and required for the purpose of providing our services. The table lists the personal data processing we perform.
| Personal Data | Source | Purpose | Lawful Basis |
|---|---|---|---|
| Android or Apple identifier (app-device identifier) | provided by the user | To create a random user identifier. To provide App and services. To migrate your data to a new device. To process subscription requests. To process your data rights. | To perform our contract with you (our contract is your agreement to Terms of Service and this Privacy Policy) In our legitimate interest |
| Random user identifier | created by Wysa | To provide App and services. To provide additional security. | In our legitimate interest |
| Access or referral code | provided by the user | To provide customized App and services for referred and Institution users. To aggregate data at institution or cohort level for analytics purposes. | To perform our contract with you and with your Institution |
| Device data (Operating system, OS version, device make and model) | provided by the user. | To detect and prevent fraudulent use of or abuse of the service. To resolve issues. To improve App experience and use. | In our legitimate interest |
| Conversation data (free-text messages, text button events, App screen events, tool events) | provided by the user. Events created during use of App | To detect context and ensure continuity in conversation. To provide the right tool and content. To conduct coach or therapist sessions. To improve the app performance and quality. To obscure the event data. To share de-identified event data with 3rd party providers for analytics purposes. | To perform our contract with you and in our legitimate interest. |
| Inadvertent submitted personal identifiers (names, location, contacts, email identifiers or medical terms) | provided by the user | To take reasonable steps to detect and de-identify personal data | In our legitimate interest (to ensure special category identifiable data is not created) |
| Communication Information (name, email Identifier, email messages, subscription receipts, feedback messages) | provided by the user | To respond to your inquiries, requests and feedback. To troubleshoot your issues. To provide and improve customer support services. | To perform our contract with you and in our legitimate interest. |
| Wellness information (such as feelings, sentiment, mood, major life events, well-being assessments, coping ability, energy levels, objections) | provided by the user | To provide validated tools and techniques. To perform research and analytics. To improve the safety of our algorithms. To improve product and service quality. To provide aggregated and de-identified analytics reporting. | To perform our contract with you or with your institution and in our legitimate interest (Validated assessments are a proven way to track progress of your well-being. You have the option to not respond to these assessments) |
| Safety Plan Information (life anchors, safe places, support networks, warning signs, calming activities) | provided by the user | To ensure availability of safety resources in time of need. | To perform our contract with you and in our legitimate interest |
| Other personal information (age-range) | provided by the user | To provide age appropriate content, tools and techniques. | To perform our contract with you. |
Do we use passive sensing or location data?
The App does not process any data from your mobile device sensors, including accelerometer, ambient light readings, screen on/off readings and call logs. The App does not process your geolocation at a level that makes your data identifiable. The App may infer your country or state based on your time zone to provide you appropriate resources, such as scheduled reminders.
How do we share your data with third parties?
To provide you with our services, we use third party service providers to help store and process your data. We assess the service provider’s security and privacy practices. We strictly require that they comply with confidentiality and non-disclosure obligations and applicable laws and r egulations including relevant Data Protection Laws. We also require that they access your data only to the extent necessary to perform tasks on our behalf. We use the following third party service providers.
Cloud Service Providers
To provide the service in a reliable and responsible manner, we collect, transfer and store your data in secure servers provided by our cloud service providers. You can find more on their security practices here, here and here.
Other Service Providers
We use third party service providers to provide our services. List of our service providers include:
| Service Providers | Processing performed |
|---|---|
| Firebase, Google Analytics, Kubit.AI | To analyze App engagement data. No personal data gets shared. All event data is made cryptic so that no medical or psychological profile gets created at the hands of the provider. No direct advertising or direct marketing is performed. However, to measure the effectiveness of our social media or other marketing campaigns, we may use these tools to help us make improvements to our service. The third party tool APIs may automatically collect some non-personal events. Google Analytics automatically collected events can be found here. The use of Google Analytics is governed by Google Data Policy and Data Safeguards. Firebase automatically collected events can be found here. The use of Firebase is governed by Firebase Terms of Service, Use Policy and Crashlytics Terms of Service. We use Kubit AI to analyze cryptic event data sent to Firebase. Kubit does not store your data but only anonymized and aggregated results of the analysis. The use of Kubit AI is governed by Kubit Terms of Service and privacy policy. |
| Strikingly | Our website is hosted on Strikingly. Strikingly uses your visit data to perform analytics. The use of Strikingly is governed by Strikingly’s Terms of Service, Privacy and Cookie Policy and GDPR Compliance Statement. |
| Branch.io | We use Branch.io to provide deeplink service for our Institution users that helps provide direct access to the App and services and is governed by branch.io’s Terms of Service, Privacy Policy and Security & GDPR Compliance. We have a signed Data Processing Agreement (DPA) with Branch.io. |
| Mailgun | We use Mailgun to send confirmation messages to new users who subscribe to our services based on our promotions on facebook, google, instagram or the App. We may request your personal name and institutional email ID and transmit this to Mailgun for the sole purpose of sending you the customized link to access the App basis agreement with your Institution. Your name and email ID will not be stored in our servers and will not be used for any other purposes. The services provided by Mailgun are based on their Terms of Service, Privacy Policy and Security & GDPR Compliance. We have a signed Data Processing Agreement (DPA) including Standard Contractual Clauses with Mailgun. |
| 3rd party Taggers and Translators | We may use third party providers to tag, translate and test content in English and other languages. Minimal de-identified conversation data may be used for these purposes. This helps us improve the AI Coach algorithm performance. |
| Twilio | We use Twilio to send study-related information and communication during the study period. This is done using their SMS Services and APIs. Here, you can read more on their privacy, terms of service and security. We have a DPA and BAA with Twilio. |
Disclosure to research Institutions
You may need an access code or link provided by your research Institution to use the Institution version of the App. Your Institution may also get access to aggregated data for their analytic and research purposes based on the consent given by you to your Institution. We may collect your country, division and in some cases your city information to provide aggregated analytics. We do not share your messages with the Institution. Any inadvertent identifiers get removed prior to the aggregated analysis.
If the App is integrated with your Institution system, your Institution may additionally share your assessment scores with us and likewise, we may share aggregated user data with them. Such assessment scores may be processed by us for providing services to your Institution. Your assessment responses will never be processed for diagnostic purposes or for giving clinical advice.
Disclosure to other third parties
We may be required to share your personal data in good faith with third parties to meet applicable law enforcement or regulatory requirements. We will always weigh your rights and freedom before we process any such requests. These third party processing includes:
Touchkin will never share your conversation data without your explicit consent.
In the future, if we are involved in any merger, acquisition, sale of assets, business reorganization, bankruptcy, we may sell, transfer or otherwise share some or all of our assets which may include your data. However, in such an event of sale or transfer, we shall reasonably ensure that your data with us is stored and used by the transferee in a manner that is consistent with this Privacy Policy. Any such third party to whom we transfer shall have the right to continue to use the data that you provide us immediately prior to such transfer or sale. On completion of the sale or transfer, the Privacy Policy of the third party shall apply with respect to your data. To stay updated about such business transactions, please read this Privacy Policy from time to time.
How do we handle your App password?
For your privacy and security, you are advised to set your own App PIN to protect unauthorized access of your conversation messages. Your mobile device screen password is your PIN. To extend your device password, use the "Set Lock " feature under the App settings. You can also remove your PIN using the "Remove Lock” option under settings. The PIN that you use is personal to you, and you are responsible for maintaining the confidentiality and security of your PIN. Please keep your PIN safe and do not share it with anyone. The PIN you set remains in your device and is not collected, transferred and stored in our servers.
What data do we process after taking your Consent?
We take your consent to perform the following processing.
| Data | Purpose | Lawful Basis |
|---|---|---|
| Website Cookies or web beacon Data (browser type, browser language, operating System, language settings, web page views and the link clicks) | To understand website visits and engagement analytics. To share de-identified event data with 3rd party providers for analytics purposes. | Your consent to our Cookie Policy (We do not sell your provided data to any third party) |
| Website Contact Form (Name, Email ID, inadvertent identifiers in messages) | To respond and provide support for your inquiries. | Your consent during form submission |
| App usage data | To process and share de-identified data with your institution or research partner. | Your consent during onboarding (Agreements are signed with the researcher or Institution) |
| In-app push notifications | To notify you for reminders you have set. To remind you about upcoming sessions and events. To provide service related information and discounts. | Opt-in and Opt-out in App settings or mobile device settings. |
| Study Participant Phone Number (IAPTUS) | To collect, store, process and send SMS about the study. To communicate with you during the study. | Your Consent at onboarding |
How do we handle user incidents and requests?
There may be occasions where you wish to contact us to seek support or inquire about our services. If you contact us directly over email, we will collect minimal personal information to service your request. Your communication data is securely stored in our Google Workspace account with access to only authorized users. We have signed agreements with Google Workspace. We will only use your data to investigate the issue or request asked. Your email will be retained within our system for a maximum of 10 years since last correspondence. We will not spam you or contact you for any direct marketing. We will not share or sell your personal data with any third party.
Your issues or complaints or requests about the App and services are taken very seriously. You will need to send an email request from your Google or Apple email ID to [email protected] or [email protected]. We will respond to your complaints within 3 business days. Some of your complaints may take longer to resolve. We will continuously provide you with an update until your complaints are satisfactorily resolved.
How do we handle your data when used for research purposes?
We use minimal and only the required data for research purposes including aggregated data for any publications. This data is completely anonymized using one-way hash functions prior to use. This helps us to improve our product and services and contribute to user-centered mental wellbeing best practices globally.
We never use your longitudinal conversation messages for research and analysis. If at all, only limited messages get selected from specific AI endpoints and used.
You can always write to us at [email protected] or [email protected] to restrict processing and opt-out of your data for research purposes.
Your use of third party weblinks
The App may carry links to third-party websites and resources. When you click on those links, you may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. We encourage you to read the privacy policy and Terms of use of every external link you visit.
What additional processing is performed?
Your data, messages or usage is not used for direct marketing nor is it sold to advertisers. We will update this Privacy Policy and inform you if we perform any additional processing.
How do we secure your data?
The security of your data is important to us. We have implemented adequate safeguards to protect your data.
Privacy by Design and Default
Security by Design
No method of electronic transmission or method of data storage is perfect or impenetrable. While we try our best to implement controls to protect your personal data, we cannot guarantee its absolute security. To ensure your data is secure, we require your cooperation as well. Please do not copy and share your conversations with unknown people.
How long do we retain your data including personal data?
Any identifiers shared in your conversation get hashed within 24 hours within our system.
We may retain your data even after your subscription ends if it is reasonably necessary. This could be in the following situations:
Where not specified we retain your data for a maximum of 10 years since the end of subscription and as per our information retention policies.
You can also, at any point of time, clear all your transactional data by using the “reset my data” feature available in the App settings. Refer here in our policy for more details.
What are your data protection rights?
You have certain rights under the Data Protection Laws in relation to your Personal data. To exercise any of your rights, you will need to send an email request to the contact information provided here. Please note that we may need to verify you before responding to any requests. After verifying you and examining your request, we will respond to you on the action taken within one calendar month from verification. We may at times be unable to address your request, if we are unable to correctly identify you.
Your individual rights requests may be limited, where:
Right of access
You have access to view your latest conversations or view your older conversation messages within the Journey tab of the App. If you exercise your right to be forgotten and reset your data, you will lose the right to access your data as it will be permanently deleted.
You have the right to obtain your personal data that you provided as per our Agreement or where you consented to give us.After verifying, we will provide access to your personal data in a machine-readable format. We may at times be unable to address your request, if we are unable to correctly identify you.
Right to rectification
If your personal data is inaccurate or incomplete, you can write to us to correct or complete it. If we share your personal data with third parties, we will inform them about the correction where possible.
Right to restrict processing
You can write to us to restrict processing of your personal data, where you contest the accuracy of the data or object to our processing it. If we share your personal data with third parties, we will inform them about the restrictions where possible.
Right to object
You may write to us and object to the processing of your personal data where we apply our legitimate interest. We may stop unless we can demonstrate compelling legitimate grounds for the processing.
Right to data portability
If you are a paid subscriber of our services, you can place a request to transfer your data from your older device to your replaced mobile device. If you are not a paid subscriber, we will need to accurately verify you, before we can process your request. We may at times be unable to address your request, if we are unable to correctly identify you.
Right to Erasure
When you use the service, you have the option to reset your data by using the “Reset my data” feature in the App settings. Reset my data deletes all your submitted data including your identifiers, past conversations, reminders, assessment responses and enabled settings. Post reset, you will not be able to recover your past data and you will be considered as a new user of the App. Hence, this feature is to be used at your discretion. If you are a paid subscriber, your transactional data will be deleted on reset. However your active subscription, purchased through third parties like google play, iTunes, etc., will continue to exist post reset of data.
You can also write to us to delete or remove your personal data, such as when you withdraw your consent.
Right in relation to automated decision-making and profiling
You have the right to be free from decisions based solely on automated processing of your personal data, including profiling, which may have a significant effect on your rights and freedom, unless such profiling is necessary for entering into, or the performance of our Agreement or with your explicit consent.
Right to withdraw Consent
To the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing of your data before we received notice that you wished to withdraw your consent.
Right to Breach notification
In the event of a breach of your personal data, we will notify you within 72 hours or as required by Data Protection Laws.
Right to address Concerns and Complaints
If you have any concerns or grievances about this Privacy Policy you will need to send an email request from your Google or Apple email ID to [email protected] or [email protected] with Attn. to our Data Protection Compliance Officer. We will respond to you within 48 hours and help resolve your concerns or complaints.
If you are not satisfied with our resolution, you have the right to complain to a Data Protection supervisory authority in your country or state of residence. We will fully cooperate with the supervisory authority. Contact details for Data Protection Authorities in the EU are available here.
Do California residents have specific privacy rights?
There are certain disclosures required by the California Consumer Privacy Act (or “CCPA”).
California residents can request a list of third parties with whom we share personal data for direct marketing purposes. Please note that Wysa does not share or sell your personal data with third parties as a matter of policy. Subject to certain exceptions, you can write to us to know about the personal information you shared. You can request to delete your personal information, to opt out of any “sales”, and to not be discriminated against.
We will respond to your request within 45 calendar days of verification. We may at times be unable to address your request, if we are unable to correctly identify you. We may be unable to address your request due to any of the limitations and exceptions provided within CCPA.
What are the controls for Do-Not-Track features?
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. We do not respond to DNT signals transmitted by web browsers.
Can children under 13 use Everyday Mental Health by Wysa App?
The App is intended for a general audience and is not directed to or intended to be used by children under the age of thirteen years.
There is a special necessity to protect children's privacy on the App. We do not knowingly collect any personal data from children.
Write to us if you think we have collected any personal data of your child. We will respond to you within one calendar month from verification. We may at times be unable to address your request, if we are unable to correctly identify the user. We will deactivate the child’s account, if we find we have been collecting personal data from your child. Upon identification we will take reasonable measures to promptly delete such personal data from our records.
We encourage parents and legal guardians to monitor their children’s Internet usage. To help enforce our Privacy Policy by instructing their children to not provide any personal data without their permission. Do not share your credit/debit card or other payment instrument with your child to make any in-app purchase.
How to contact for additional questions, comments or concerns?
For any product, services, subscription, technical or payment-related issues, please contact us from your Google or Apple email ID to [email protected] or [email protected] with your questions.
Our mail address for all communication is: Touchkin eServices Private Limited 1st Floor, Manjusha, No 532 16th Cross, 2nd Main Road, 2nd Stage Indiranagar, Bengaluru, 560038 Karnataka, India
Can Non-English speaking users use the Everyday Mental Health by Wysa App?
The App has been built and is currently provided only for English language users.
To ensure wider reach, Touchkin will, in the near future, launch the App in other international languages. We will keep you updated on this development.
What are some Best Practices to follow to keep your devices secure?
You are also responsible for helping to protect the security of your personal data. You are responsible for maintaining the security of any personal computing device on which you utilize the Services.
The US Federal Trade Commission (FTC) publishes information for users on how to secure your personal data and devices. These can be found at the following public links.
How To Protect Your Privacy on Apps | FTC Consumer Information
Online Security | FTC Consumer Information
FTC - How to Keep Your Personal Information Secure
Touchkin strongly believes in security and safety of data in your mobile device. As a responsible Service provider, we therefore like to share important device based security data for your attention. These have been sourced from US FTC best practices and guidelines. Always refer back to the US FTC links provided above for more details and future security updates.
Changes to this Privacy Policy
We may modify our Privacy Policy from time to time for various reasons including to improve our privacy practices, to ensure our users right to be Informed, to reflect changes to our service, and to comply with relevant laws. If and when this policy is changed, We will post the new notice on our Website and the App and notify you through an in-app notification or as otherwise required by relevant law. It is your responsibility to check our Website and our App periodically for updates or changes to the policy. We encourage you to review changes carefully. If the changes to the Privacy Policy include changes to the collection, storing or processing your personal information in a way that infringe into your privacy, we will notify you clearly about the same where required by the applicable laws and regulations. If you agree to the changes, then please continue to use our service. If you, however, do not agree to any of the changes and you no longer wish to use our service, you may choose to unsubscribe or uninstall our App. Continuing to use our App and services after a notice of change has been communicated to you or published constitutes your acceptance of changes and consent to the modified Privacy Policy.
Severability and Exclusion
We have taken every effort to ensure that this Privacy Policy adheres with the applicable Data Protection Laws. The invalidity or unenforceability of any part of this Privacy Policy shall not prejudice or affect the validity or enforceability of the remainder of this Privacy Policy. This Privacy Policy does not apply to any data other than the data collected by Touchkin while providing the services.