Wysa Assure Mental Health App Privacy Policy
Last updated date: Oct 11, 2023 (GMT)
First created date: Mar 31, 2023 (GMT)
Version: 2.0
You (“user” or “end-user” or “data subject”) have been granted access to this Wysa Assure App by your institution (the "Institution"). The Wysa Assure App, also known as the "App", enables anonymous use by authorized Institution-associated users.
Changes in V2.0 | October 11, 2023
Who are we and how to contact us?
The App, managed by Touchkin eServices Private Limited (referred to as "Wysa," "we," "us," or "our"), operates with data privacy by design and by default (read about our data safeguards here). Wysa is a co-developer and technically operates the App, utilizing the Wysa platform with non-identifying user identifiers. Co-developed in collaboration with Swiss Re Solutions Ltd ("Swiss Re"), the App is distributed by Swiss Re to your Institution, which then provides it to users. The Institution and Swiss Re are referred to together as our "Partners". This Privacy Policy outlines Wysa's use of your personal data, protective measures, and data security.
Regarding the purposes of our Services and processing of end-user data, Wysa acts as the data controller. When handling aggregated App usage data reports on your Institution's behalf, Wysa may act as a processor or sub-processor. Your Institution receives aggregated App usage data reports for their own purposes. Please check with your Institution directly on how they use your App usage reports. Swiss Re only receives anonymous App usage data reports.
For queries, comments, complaints, and requests about our App and Services, reach us at [email protected]. For Privacy Policy and data protection rights inquiries, contact us at [email protected], addressed to the Head of Compliance/Data Protection Officer. We promise a response within a month from a valid inquiry.
About the Privacy policy
This Privacy Policy pertains to your use of our mobile artificial intelligence (AI) chatbot service, digital self-care tool, analytics, dashboard services, well-being score, and pathways to connect to offline mental well-being therapy (collectively referred to as the "Services"). The policy also applies when you engage with us through events, promotions, websites, email, or social media. We may offer additional services for your Institution ("Institutional Services"), requiring agreement with both Wysa's and your Institution's Terms of Service and Privacy Policies for processing information on behalf of your Institution.
In case of a crisis, call your country's emergency number or Institution's approved helplines. App use requires age 18+. Interaction with the AI chatbot is with Artificial Intelligence, not a human. The AI is limited in its response. The App offers evidence-based tools in a self-help context. It doesn't diagnose, treat, or cure a specific condition or disease or disability. It only provides general mental health advice, not medical. Please seek a healthcare professional for any medical concerns.
Kindly review this policy, along with our cookies policy and terms of service. Your use of our Apps and Services implies consent to information collection and utilization as outlined in this Privacy Policy and Cookie Policy. Unless specified otherwise, terms in this Privacy Policy hold the same meanings as in our Terms of Service.
What personal data do we collect?
Wysa does not aim to collect personal data. You can choose to remain as anonymous as you want to be when you use the App. By adopting privacy by design and by default safeguards (read here), we seek to minimize personal data collection and processing and improve your privacy. To help provide our Services, we will collect and process the following information categories.
Information about you - Our App prioritizes anonymity for privacy protection. No registration needed. Use a nickname to start. We gather an app-device ID from your Google Play or Apple App Store when you install the App. IP address for content delivery (not linked to user conversation data), device information, time-zone, operating system.
AI chatbot conversation data - Your voluntary inputs, like challenges, preferences, feelings, moods, thoughts, emotions and safety plan. Your expression of gratitude or maintaining a task list. Responses to assessments (PHQ, GAD or others). Your use of tools, Cognitive Behavioral Therapy (CBT) programs and other resources. Any inadvertent identifiers voluntarily provided.
App usage event data - Tracks app actions, settings, notifications and screen choices.
Fitness App data - Data from Google Fit, Health Connect by Android or Apple HealthKit (physical activity and sleep) when you connect.
Promotion/Survey data - Your responses to campaigns, surveys and other marketing activities.
Communication data - includes any feedback, complaints, requests via email or social media or our website contact forms. If you have communicated with us by email or website contact form, we will collect email ID, name provided, any contact details shared with us. Institution and Partner name, staff name and their contact information.
Cookies - includes mandatory cookies collected during app use to provide the Services. Also, site-hosting provider’s cookies on our website.
Sources of the information categories
Most of the information categories that we hold about you come directly from you or from your interactions with us, when you use our App, our websites or social media sites, or when you contact us for any purpose.
How do we use your information?
We must comply with data protection laws that mandate the identification and communication of a legal basis or 'ground' for utilizing your personal information. In cases involving sensitive data, an additional legal condition must also be identified and communicated. An explanation of each of the grounds can be found below.
These are the additional legal conditions that we typically use to justify our use of special categories of your personal data: In the substantial public interest: processing is necessary for reasons of substantial public interest, on the basis of EU or local law. Mainly, for the provision of counseling, advice or support or for protecting you from physical, mental or emotional harm during use of the App and services.
For each use mentioned below we note the purpose for which we use and disclose it, and the ground we rely on as the basis for our use.
Legal basis: contract performance, legitimate interests (to enable us to perform our obligations and ensure quality, safety and performance of our App and Services).
Legal basis: contract performance, legitimate interests (to enable us to perform our obligations and ensure quality, safety and performance of our App and Services).
Additional legal condition: For reasons of substantial public interest for provision of counseling, advice or support or for safeguarding of individuals at risk.
Legal basis: contract performance. Legitimate interest (to ensure user safety)
Additional legal condition: For reasons of substantial public interest for provision of counseling, advice or support or for safeguarding of individuals at risk.
Legal basis: legitimate interests (to ensure the quality, safety and performance of our Apps and Services)
Additional legal condition: For reasons of substantial public interest for provision of counseling, advice or support or for safeguarding of individuals at risk.
Legal basis: contract performance, consent (opt-in and opt-out of notifications).
Legal basis: legitimate interests (to ensure the effectiveness, safety and performance of our Apps and Services)
Legal basis: legitimate interests (to ensure the quality, and performance of our Apps and Services)
Legal basis: legitimate interests (to ensure the quality, safety and performance of our Apps and Services)
Legal basis: contract performance, consent (your consent to sync with Google Fit, Health Connect by Android, Apple HealthKit and Garmin. Your consent to access your sleep and physical data from Google Fit, Health Connect, Apple HealthKit and Garmin).
Additional legal condition: For reasons of substantial public interest for provision of counseling, advice or support or for safeguarding of individuals at risk.
Legal basis: consent, legitimate interests (to keep you updated with news in relation to our Apps and Services).
Legal basis: legitimate interests (to allow us to correspond with you regarding our Apps and Services. To ensure the quality of our Apps and Services), legal obligations.
Other uses of your information:
To reorganize or make changes to our business: In situations like: (i) negotiations for selling our business or part to a third party; (ii) being acquired by a third party; (iii) going through reorganization; or (iv) facing bankruptcy, we might need to share some or all of your personal data with the relevant third party (or their advisors) for due diligence in analyzing the proposed sale or reorganization. After such events, we could also share your data with the reorganized entity or third party for similar purposes as stated in this Privacy Policy. We'll reasonably try to notify you through methods like: public notice on our website, informing your Institution, in-app notifications or changes to this privacy policy.
Legal basis: legitimate interests (in order to allow us to change our business), legal obligation
To comply with legal and regulatory obligations: We might handle your personal data to meet our legal and regulatory needs. This might involve sharing your data with third parties like insurers, courts, regulators, or law enforcement agencies worldwide. This can happen during their enquiries, proceedings, or investigations, or when legally required. We might also use and disclose data to prevent serious health or safety threats, for public health reporting, and for preserving data during legal matters to prevent tampering. Additionally, we might disclose data to help with an investigation or prosecution of suspected fraud or actual illegal activity.
Legal basis: legal obligation (as App manufacturer, to provide app performance and safety reports at a regulator's request), legitimate interests (to cooperate with law enforcement and regulatory authorities).
We do not combine and process your personal data with any other third party available data. Your data, messages or usage is not transferred or sold to advertisers or data brokers or any information resellers. We will always obtain your consent before using your name for social proof purposes. If you have any questions about the legal basis we rely on, please contact us using the details set out in the “Contact” section below.
How do we protect your personal data?
Where is your data stored?
The data we gather is transferred and stored in USA-based infrastructure instances managed by our service provider, Amazon Web Services (AWS).
How long is your data stored?
Personal identifiers you voluntarily share in your text messages with the AI chatbot will be securely redacted in our database within 24 hours of their detection.
We adhere to legal retention limits for any remaining data about you. It's kept only as long as necessary for requested services or purposes mentioned in the 'How do we use your personal data?' section above. If not specified, we retain your data for up to 10 years after termination or a period agreed upon with your Institution.
You also have the option to permanently delete all your messages using the 'reset my data' feature in the App settings.
When you trigger “Reset my data” from App settings
Reset my data deletes all your submitted data including your identifiers, past conversations, reminders, assessment responses and enabled settings. Post reset, you will not be able to recover your past data and you will be considered as a new user of the App. Hence, this feature is to be used at your discretion.
International transfer of your information
To deliver our App and Services, we may need to process your submitted data in a country different from your own, where data protection laws might be less strict.
When we move personal data from within the European Economic Area (EEA), Switzerland, and/or the United Kingdom (referred to as the 'Europe region'), we'll take extra steps to secure your data in line with data protection laws. Some countries in the Europe region have been endorsed by regulators for having sufficient data protection, so no additional safeguards are needed to transfer data there. For countries without such approval, we'll use suitable measures to protect data transfer, like the new EU Standard Contractual Clauses and/or UK International Data Transfer Agreement (IDTA), as allowed by the law.
Minimal and necessary data may be shared among our companies (located in the UK, US, and India) to provide specific Services. In line with relevant data protection laws, we'll ensure your data rights are well protected with appropriate technical and organizational safeguards.
For any queries, reach out through the details provided in the 'Contact' section below.
How do we safeguard your data?
We prioritize your data security and take extensive measures to ensure it. With strong dedication, we've put in place both technical and organizational safeguards. Here are a few of the steps we've taken:
Privacy by design and by default
Security by design and by default
Certifications and Registrations
Safety of our Artificial Intelligence (AI)
At Wysa, we employ our own Artificial Intelligence and Natural Language Processing/Understanding (NLP/NLU) algorithms ("AI") to comprehend your messages. NLP/NLU algorithms are used to understand your text through classification techniques. This enables the AI to have meaningful conversations and direct you to suitable resources. Our commitment demands that the AI within the App is transparent, trusted, secure, and privacy-preserving. All AI in our Apps is "FIXED" or "CLOSED". The chatbot responses are carefully crafted with clinical expertise and undergo thorough safety testing before deployment. There are no generative or adaptive models in use, meaning no dynamic response creation or continuous learning. These algorithms operate within a structured decision-tree conversation framework.
No electronic transmission or data storage method is flawless or invulnerable. Despite our efforts to implement safeguards for your personal data, we can't guarantee absolute security. Your cooperation is vital for data security as well. Please avoid copying and sharing your conversations with unfamiliar individuals.
What about external links to other sites?
The App, websites, and social media pages feature links to third-party, Partner, or affiliate websites and resources. When you click on such links, remember that these sites have their own privacy policies. We don't manage these third-party sites and are not liable for their privacy policies. It's a good practice to review these policies before sharing personal data on these sites.
Our use of service providers
For our Services, we collaborate with third-party service providers for data storage and processing. We thoroughly evaluate their security and privacy methods. They must adhere to confidentiality, non-disclosure obligations, and legal requirements, including Data Protection Laws. They or their providers (fourth parties) access your data only as needed for tasks on our behalf.
Cloud Service Providers
To provide the Service, we collect, transfer and store your data in secure servers provided by our authorized cloud service provider AWS. You can find more on their security practices here, here and here. We maintain a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) and Business Associate Agreement (BAA) with our cloud service providers.
Other Service Providers
We use Wysa authorized third party service providers to provide our Services.
Our service providers include:
Service Providers | Purpose | Data Storage Location |
---|---|---|
Firebase, Google Analytics | Information shared: App usage event data. Purpose: No direct advertising or direct marketing is performed. However, to measure the effectiveness of our social media or other marketing campaigns, we may use these tools to help us make improvements to our Service. The third-party tool APIs may automatically collect some non-personal events. Google Analytics automatically collected events can be found here. The use of Google Analytics is governed by Google Data Policy and Data Safeguards. Firebase automatically collected events can be found here. The use of Firebase is governed by Firebase Terms of Service and Crashlytics Terms of Service. We maintain Data Processing Agreements (DPA) with SCCs with these service providers. | USA |
Branch.io | Information shared: Communication data (Institution provided email ID). Purpose: We use Branch.io to provide deeplink service for our Institution users that helps provide direct access to the App and Services and is governed by branch.io’s Terms of Service, Privacy Policy and Security & GDPR Compliance. We have a signed Data Processing Agreement (DPA) with SCCs with Branch.io. | USA |
Google Workspace | Information shared: Communication data (contact details provided such as email ID). Purpose: We use Google Workspace to provide our corporate email service, to store Information received from our clients and end users in Google Drive and Google Docs. We have a signed DPA with SCCs and BAA with Google Workspace. | Europe |
CloudFlare | Information shared: Information about you (IP address). Purpose: We use Cloudflare for its CDN and DDoS Protection Services. Cloudflare helps us to efficiently secure and provide our Services for you. Cloudflare has access to your IP address to provide the services. Wysa does not store or process your IP address beyond the CDN. Cloudflare may process your browser and operating system related information for logging and abuse prevention purposes. You can read Cloudflare’s terms of service, privacy policy and GDPR Compliance to know more about how they handle your data. We have a signed DPA with SCCs with Cloudflare. | USA |
Business Development and Marketing Tools | Information shared: Communication data (Institution and Partner name, staff name and their contact information). Purpose: | USA |
Google API Services | Information shared: Fitness App data (physical activity and sleep). Purpose: | USA |
Health Connect API | Information shared: Fitness App data (physical activity and sleep). Purpose: Apps distributed through Google Play that use Health Connect are subject to the Play Developer Program Policy. | User’s device |
Garmin | Information shared: Fitness App data (physical activity and sleep) | User’s device |
We will keep updating this page whenever we make any changes to our service providers.
Our use of Google API services for use of fitness data
The App doesn't collect or track identifiable geolocation or call logs. The App’s use or transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including their limited use requirements.
Your data protection rights
During your interactions, you might have the right to: ask for more details on how we use your personal data; receive a copy of the personal data we may hold about you; correct inaccuracies and fill incomplete personal data we may have; delete no-longer-needed personal data; and limit processing while we review an inquiry you raised.
You're also free from decisions solely based on automated processing of your personal data, unless it's necessary for our Agreement or you've agreed. You can ask us to halt such decisions. While we don't usually engage in these activities, we're open to discussing any concerns.
Under specific conditions, you can also: withdraw consent; ask us to send your personal data to a third party electronically; object to processing based on 'legitimate interests' or 'public interests'; and opt out of direct marketing, including profiling. We typically let you know or get your consent (before collecting data) if we plan to use your data for marketing purposes or share it with third parties. To stop this, just click 'unsubscribe' in marketing emails we send you.
The above rights have exceptions to protect public interest (like crime prevention) and our interests (such as legal privilege). They might not all apply in your country of residence.
If you can, use the contact info in the 'Contact' section to exercise your rights. We might need to verify you before responding. Once verified, we'll respond within a month of your request. If we can't verify you, we might be unable to address your request. Your individual rights requests may be limited, were
If you're unsatisfied, you can complain to your Data Protection Authority. You can file a complaint with the UK ICO using the outlined process here. For EU Data Protection Authorities, check here.
Notice for California, USA residents
There are certain disclosures required by the California Consumer Privacy Act (or “CCPA”) and California Privacy Rights Act (“CPRA”). Please read our CCPA (CPRA) notice; it applies to users who reside in the State of California.
Updates
Any changes we may make to this Privacy Policy will be notified to you within the App. Continuing to use our App and Services after a notice of change has been published constitutes your acceptance of the changes.
Change Log
V2.0 | October 11, 2023