Initial Effective Date: June 30, 2017 (GMT)
Latest Revised Date: May 27, 2020 (GMT)
- If You are having suicidal thoughts or planning to act on suicidal thoughts, or if You feel that You may be a danger to Yourself or to others, or if You otherwise have any medical or mental health emergency or severe mental health condition, or if You are in a crisis or trauma or abuse, please discontinue use of the Service immediately and call the relevant emergency number in Your country and notify the police or emergency medical Services. For example, You can find Your country-specific suicide emergency number at: Suicide.org - Suicide Prevention, Awareness, and Support
- Please do not share Your Personal data (such as full name, date of birth, gender, contact numbers, address, financial identifiers, government-provided identifiers) or Your medical-related data or any other sensitive data (such as Your sexual preferences, religious or political opinions, financial data) when You use the Wysa App and Services.
- Your interaction with the Wysa Bot is with an AI chatbot and not a human. The Bot is restricted in the means of response, and the intended use is for providing evidence-based tools and techniques to manage emotions and encourage mental well-being in a self-help context. It is not intended for providing diagnosis, treatment or cure of a condition or disease. The Bot cannot and will not offer advice on issues it does not recognize.
- The Wysa Well-being Coach Service will use text-based messaging to apply motivational interviewing and life coaching to help You work towards Your personal well-being goals. The Service will focus on building wellness and emotional resilience. The underlying principle of the Well-being Coach Service is that You have the knowledge and capacity to make desired changes in Your life. The role that a Well-being Coach will play is to support You in finding Your own way, help You tap into Your own strengths and abilities, so that You can identify and use resources around You to fill any gaps.
- The Wysa Therapist Service is also a text-based messaging service. It will use person-centered supportive listening, motivational interviewing and CBT principles to help You to take control of Your mental and emotional well-being. Wysa Therapists will draw on various evidence-based techniques to provide empathetic and non-judgmental support. The Wysa Therapist will listen to Your worries empathetically, promote positivity and support You in making successful lifestyle changes, so that You can manage Your situation better and build emotional resilience.
- Wysa Well-being Coach and Wysa Therapist services are not intended to be a replacement for face-to-face psychotherapy or to provide a diagnosis, prognosis, treatment or cure for a disease/condition/disorder or disability or provide any type of state-regulated mental health services in Your country of residence. It is an enabling and empowering mode of support, rather than treatment of illness or a health condition.
- By using the Wysa Well-being Coach or Wysa Therapist Services, You understand and agree that the Coach assigned to work with You will be located remotely and may not be located in Your country or state of residence.
- Wysa Bot and Wysa Well-being Coaches and Wysa Therapists cannot and will not offer medical or clinical advice. In case You mention the need for such advice, they will suggest that You seek advanced (medical) help.
- For safety and security reasons, We strongly recommend that You keep Your conversations with Wysa App private. We strongly recommend that You set automatic update of the Wysa App in the application manager settings of Your mobile device to get the latest Wysa App-based features and fixes. Always exit the Wysa App version in Your mobile device by using the back button before upgrading to a newer version to prevent loss of ongoing or previous conversations.
PLEASE TAKE TIME TO REVIEW THE FOLLOWING DATA CAREFULLY.
For the purposes of processing Your data, Touchkin eServices Private Limited, the makers of Wysa App will act as the Data Controller. Touchkin is a private limited company, incorporated and existing under the laws of India and having its registered office at No. 532, "Manjusha", First Floor, 2nd main, 16th Cross, II stage, Indiranagar, Bengaluru, KA 560038 IN.
We will always respect and protect Your privacy, and this forms a part of Our guiding principles. We have policies and procedures in place to protect the privacy and security of Your Personal data. Your trust means a lot to Us. Wysa does not request Your Personal Data. If You inadvertently submit any Personal data then We will process it with Your data on the basis of this Agreement and will irreversibly redact any Personal Identifiable Information within 24 hours in Our system as described in section 5.a. Please do not share any Personal data at any time during Your Use of Our Services. Your data is secured with strong encryption during transmission and storage.
Personal data or Personal Information means data relating to an identified or identifiable natural person who can be directly or indirectly identified by reference to an identifier such as full name, identification numbers, location address, online identifier and other identifiers within the definitions of The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or data) Rules 2011 and General Data Protection Regulation (GDPR) (EU) 2016/679 regulation. Personally identifiable information (PII) and Special Category of Personal data is covered within the definition of Personal Data.
Non-Personal data or Non-Personal Information means any data that does not reveal Your specific identity either directly or indirectly.
Pseudonymisation means the processing of Personal data in such a manner that the Personal data can no longer be attributed to a specific User without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal data are not attributed to an identified or identifiable natural person.
Encryption is the process of transforming data into unreadable text so that it is only legible to those possessing an encryption key. The process of making encrypted data readable again is referred to as decryption.
Web browser is a software program that allows a User to access, retrieve and view data on the World Wide Web. Examples of browsers include Internet Explorer, Firefox, Google Chrome and Safari.
3. What is Wysa App?
The Wysa App is a virtual AI chatbot (“Bot” or “Wysa Bot”) that You can chat with, including upon Your choice, the ability to subscribe and to message a highly trained and qualified mental well-being professional (“Wysa Well-being Coach” or “Wysa Therapist”) or for Institution Users, to be able to use an institutional support mechanism integrated within the Wysa App, and through a conversational interface get access to tools and techniques to manage Your emotional well-being. The Wysa App is primarily available for both iOS and Android mobile systems. Your Interaction with the Bot is with an artificial intelligence chatbot and not a human. The Bot is restricted in the means of response, and the intended usage of Wysa App is for providing evidence-based tools and techniques to manage emotions and encourage mental well-being as an early intervention tool in a self-help context. You make the choice of using the Bot, based on Your own estimate of need, and agree that this is only suitable for basic self-help. This is not intended to be a replacement for face-to-face psychotherapy or to provide a diagnosis, prognosis, treatment or cure for a disease/condition/disorder or disability. The Bot cannot and will not offer advice on issues it does not recognize. Using the Wysa App, You can track and manage Your mood, and learn context-sensitive evidence-based techniques that can help You feel better. Wysa App and Service is not intended for use in crisis such as abuse or complex or severe mental health conditions that cause, for example, ideation of suicide, harm to self and others, or for any medical emergencies. Wysa App and Service cannot and will not offer medical or clinical advice. It can only suggest that the user seeks advanced (medical) help.
4. Who can Use the Service?
If Your Institution specifies a different age restriction, such as at least 18 and above, as a condition of using this Service, that restriction shall apply rather than the one above.
Institution or other Consumer users
The Institution Version and its Services can only be accessed by authorized Institution User(s) after following installation and access instructions as shared by the Institution or their Service provider.
5. What Data do We collect and how do We Use it?
How do We handle Your Personal Data?
No identifiable information is solicited or stored in the Wysa app. As data is not related to an identifier or identifiable natural person, it will no longer be Personal data or Special Category of Personal data. There is no user registration nor are You asked to share Personal data when You install and use the Wysa App and Services. Refer to section 6.a. to understand how We use Pseudonymisation to securely link Your data within Our database.
If You inadvertently share any personal identifier such as full name, dates, locations, phone numbers, email identifiers or medical terms during Your conversation with the Wysa App and Services, it is Our responsibility to redact such personal identifiers to make the data non-personal. To ensure that no personal identifiers get stored in Our systems, We have developed a high recall AI-NLP algorithm that detects and irreversibly redacts identifiers, which include all numbers more than 2 digits, urls, emails, dates, locations, names and medicalized terms, from Our storage systems. Within 24 hours of starting Your session, Our algorithms will process Your data, detect any personal identifiers and irreversibly redact them. None of Your conversation messages will be lost, and only the specific personal identifier will be irreversibly redacted in Our systems. You will also be notified when such obfuscation is completed and can view such obfuscation in the Journey tab within the Wysa App. This obfuscation processing is based on Our Legitimate Interest. This is to ensure that no personal identifier and hence no Personal data inadvertently creeps into Our system and Wysa App is able to maintain complete anonymity.
You can always write to Us at the contact provided in section 7.b. if You want to clarify, rectify or delete specific personal data that You shared with Us. You can also read Your data protection rights at 6.f.
You have the Right to be Forgotten. You can also, at any point of time, clear all Your provided data by using the “reset my data” feature available in the Wysa App settings. Refer to section 6.f. in our Policy for more details. DO NOTE THAT “RESET MY DATA” DELETES ALL YOUR SUBMITTED DATA INCLUDING PAST CONVERSATIONS, REMINDERS, ASSESSMENT RESPONSES AND ENABLED SETTINGS. POST RESET, YOU WILL NOT BE ABLE TO RECOVER YOUR PAST DATA AND YOU WILL BE CONSIDERED AS A NEW USER OF THE APP. HENCE, THIS FEATURE IS TO BE USED BY YOU AT YOUR DISCRETION.
How do We handle Your conversation messages?
When You Use the Wysa Bot Service, You provide Your messages by selecting pre-formatted options or by way of free-text. We collect, transmit and securely store Your messages in Our servers. We process Your messages in real-time using safe NLP algorithms that detect the context and direct You appropriately to subsequent conversation based on a proprietary rule-based content engine. At no point during Your conversation with the Wysa Bot does another natural person have access to or get to monitor or respond to, Your messages. The Wysa App’s proprietary and closed rule-based algorithms process all Your messages for positive and negative sentiments. This is done to enable the Wysa App to empathetically converse with You, and personalize Your conversation. There is no solely automated processing done by the Wysa App to determine what You should do. You are always asked to verify whether the Wysa App has understood Your conversation or sentiment or emotions correctly, before proceeding down the conversational path.
When You use the Wysa Well-being Coach or Wysa Therapist Service, You get to exchange text-based messages with a mental well-being and health professional. We collect, transmit and securely store these messages in Our servers. If You inadvertently send any Personal data in Your messages, such identifiers will be redacted at the end of Your session.
Processing of Your conversation messages is based on Our Agreement that You agree at the time of installing and using the Wysa App.
You have the Right to be Forgotten. You can also, at any point of time, clear all Your provided data by using the “reset my data” feature available in the Wysa App settings. Refer to the section 6.f in our Policy for more details.
All the conversations You have with the Wysa App are private. No one within or outside of Touchkin has access to Your Data except to process based on Our Legitimate Interest as identified in section 5.s and based on principles of privacy by design.
We will do our best to irreversibly redact any Personally Identifiable data inadvertently submitted by You as per Our Legitimate Interest explained in 5.s.
How do we handle Your name?
When You Use the Service, We will not ask for and will not require Your full name at any point of time during the conversation. After installation, We take You through a one time on-boarding process. Here We ask for only Your nickname. Processing of Your nickname is based on Our Agreement to help personalize Our conversation with You. We set character limits to prevent You from inadvertently submitting Your full name.
ALWAYS USE NON-IDENTIFIABLE NICKNAME TO MAINTAIN COMPLETE ANONYMITY. You can change the nickname once provided to the Wysa App by typing #help and choosing “Change Name” from the slider displayed.
Why do We ask about Your thoughts, feelings (emotions), mood, major event or life changes, goals, energy levels and safety plan?
When You Use the Service, We may periodically ask You about Your thoughts, feelings or emotions, mood, major events / changes in life, Your resilience goals and Your energy levels. Processing of Your response is based on Our Agreement and solely to provide You evidence-based tools and techniques to manage emotions and encourage mental well-being in a self-help context.
When You use the Service, You may be given an option to create a Safety Plan to help You maintain a ready access of support resources and crisis helplines that You may want to access when in need. You may enter data such as life anchors, friendly places, support networks, warning signs, calming activities. Processing of Your data is based on Our Agreement and solely to provide You access to Your own Safety Plan for Your own care.
Your data is strongly encrypted during transmission and is securely stored. Kindly refer to Our Security safeguards and the rights You can exercise in Section 6.
We will do our best to irreversibly redact any Personally Identifiable data inadvertently submitted by You as per Our Legitimate Interest as explained in 5.s.
How do We handle Your responses to mental health screening assessments?
When You Use the Service, You will be asked to respond to validated assessments. Response is voluntary and You can opt to not report any of the assessments. Wysa App currently Uses four validated assessment scales for understanding Your emotional Well-being, namely the Patient Health Questionnaire (PHQ9) to self-report any symptoms of depression, the Generalized Anxiety Disorder Assessment (GAD7) to self-report any symptoms of anxiety, and the Subjective Units of Distress Scale (SUDS) to self-report the intensity of distress currently experienced.
You will also be asked to share how You cope with day to day activities as part of the assessments. Assessments are a proven way to baseline and track the progress of Your self-reported symptoms. Processing of Your assessment response is based on Our Agreement and used for the purpose of determining if escalation is required and to provide You access to scientific-evidence based tools and techniques to manage emotions and encourage mental well-being in a self-help context.
YOUR RESPONSES TO THESE ASSESSMENT QUESTIONS ARE NOT PROCESSED TO FORM A DIAGNOSTIC OPINION NOR PROCESSED FOR ANY MEDICAL PURPOSES OR FOR GIVING CLINICAL ADVICE. We DO NOT collect or process Your sensitive medical data or Protected Health data (PHI), as defined under the US law, that can directly or indirectly Identify You. We use Your anonymized assessment scores for population-level research and statistical purposes as per Our Legitimate Interest (Section 6.t of this Policy).
Your response is encrypted during transmission and is securely stored. YOUR DATA IS NEVER SHARED WITH A THIRD PARTY WITHOUT YOUR EXPLICIT CONSENT.
We apply organizational and technical measures to endeavour to irreversibly redact any Personally Identifiable data inadvertently submitted by You as per Our Legitimate Interest as explained in 5.s.
What data do We collect when working with a Wysa Well-being Coach or Wysa Therapist?
When You Use the Wysa Well-being Coach Service or the Wysa Therapist Service, You can schedule or reschedule a real-time text-based messaging session with Your assigned Coach or Therapist. We collect Your chosen session dates and time to confirm Your booking.
Processing of Your device time zone is based on Our Agreement to calculate Your local date and time so that session bookings are accurately scheduled and for setting accurate session reminder notifications. At times, Wysa App may get Your local time wrong which could affect the session scheduling. PLEASE ALWAYS VERIFY YOUR LOCAL TIME DISPLAYED BY WYSA APP IN THE SESSION SCHEDULING SCREEN BEFORE PROCEEDING WITH BOOKING OF A SESSION. IF YOU NOTICE AN ERROR IN YOUR LOCAL TIME DISPLAYED, GO TO THE BOT MESSAGING INTERFACE AND TYPE #TIME TO CHANGE YOUR TIME. If You face any challenge changing Your local time or booking a session, kindly write to Us at the contact provided in section 7.b.
What do We process when You use SIRI or Google Assistant voice-based Service of Wysa?
If You choose to use Apple’s SIRI or Google’s Assistant to invoke the Wysa Bot Service, You get the opportunity to talk to Wysa Bot. These services convert Your voice into text and pass this transcription to Wysa’s secure servers. We do not get access to Your voice patterns. No Personal data gets asked or collected during use of this Service. Please do not share Your Personal Information at any time during use of this Service.
How do We handle Your Device data when You Use Our Service?
When You Use the Service, We collect, securely encrypt and transfer and store the following data from Your mobile device: mobile application identifier, mobile operating system, OS version, device make and model. We process this data based on Our Legitimate Interest to detect and deter unauthorized or fraudulent Use of or abuse of the Service, to troubleshoot issues, for debugging app crashes and to optimize Your experience, e.g. to make sure the Wysa App is displayed correctly on Your phone, or Your usage settings are applied.
We do not use any Cookies and beacons within Our Wysa App.
Do We collect Passive Sensing data from Your mobile device?
When You Use the Service, the Wysa App does not passively collect nor process any data from Your mobile device sensors, including accelerometer, ambient light readings and screen on/off readings and call logs.
Do We process Your location data?
Wysa App does not process Your Geolocation at a level that makes Your data personally identifiable. Wysa may infer Your location through Your timezone or other means at a country or state level to provide You appropriate resources.
How do We use any Third Party Analytics tools?
When You use the Service, Wysa App usage and system generated event data gets logged and sent to third-party operations and analytics tools such as Facebook Analytics and Firebase via their secure API integrated within the Wysa App. No Personal Data is shared. Any event data sent to third party tools used for operations and analytics is designed to ensure that it is cryptic and does not create a medical or psychological profile of a user in the hands of the processor. These events do not contain any conversational data provided by You during Your use of the Service. We use random Firebase generated Identifiers of the User to send in-app and push notifications. Processing of events data is based on Our legitimate Interest to view Wysa App engagement and Operational performance to improve Our Service Quality, Safety and Performance.
No direct advertising or direct marketing is performed both within and outside the app. However, to measure the effectiveness of our social media or other marketing campaigns, We may install third-party modules (Facebook Analytics, Firebase and branch.io) within the Wysa App to help Us understand Service performance based on User use. This helps us make improvements to Our Service experience for Our Users. Event data from these modules is sent to third-party operations and analytics tools such as Facebook Analytics and Firebase via their secure API integrated within the Wysa App. No Personal data is shared. These events do not contain any conversational data provided by You during Your use of the Service. Processing of events data is based on Our Legitimate Interest to view Wysa App engagement and Operational performance to improve Our Service Quality, Safety and Performance.
You have the right to object to the above processing. Please read the section 6.f. on Your rights.
Apart from the App-pushed events, the third party tool APIs also may automatically collect some non-personal events. Facebook Analytics automatically collected events can be found here and here. The use of Facebook Analytics is governed by Facebook Data Policy and Terms of Service. Firebase automatically collected events can be found here. The use of Firebase is governed by Firebase Terms of Service, Use Policy and Crashlytics Terms of Service.
What additional data do We collect from Institution Users?
By using the code or link provided by the institution, You are identifying Yourself as being a part of the cohort supported by the institution. Your Institution will also have access to aggregate usage data at the Institution cohort level. We do not share Your Personal conversational data with the institution. This processing of data of Institution cohorts is based on the contract between the Institution and Touchkin.
How do We handle Your App password?
Wysa App does not use any passwords. For Your privacy and security, You are advised to set Your own Wysa App PIN to protect unauthorized access of Your conversation messages. Your mobile device screen password is Your PIN. To extend Your device password, use the "Set Lock" feature under Wysa App settings. You can also remove Your PIN using the "Remove Lock" option under settings. The PIN that You Use is personal to You, and You are responsible for maintaining the confidentiality and security of Your PIN. PLEASE KEEP YOUR PIN SAFE AND DO NOT SHARE IT WITH ANYONE. The PIN You set remains in Your device and is not collected, transmitted and stored in Our servers.
What do We do with Your feedback and ratings?
When You Use the Service, You have an option to send Your feedback to the Wysa App. Feedback can be given using the Feedback feature provided in the Wysa App setting. You can Use this feature to email Us Your feedback. Personal data, if any provided in Your feedback, will be manually redacted before any processing of Your feedback. Your email ID resides in our GSuite Gmail servers and cannot be mapped to Your Wysa App data that reside in our MongoDB ATLAS cloud servers hosted in the USA. If You have subscribed to the Well-being Coach Service or Wysa Therapist Service, We will collect anonymous feedback post Your sessions. Processing Your anonymous feedback and rating is based on Our Agreement and used by Us to improve the product and Your Service quality, safety and performance.
AS A BEST PRACTICE, IT IS ADVISED THAT YOU TAKE ADEQUATE PRECAUTIONS TO NOT SHARE YOUR SENSITIVE HEALTH OR PERSONAL DATA WHILE GIVING FEEDBACK OVER EMAIL NETWORKS.
How do We handle notifications or reminders?
When You Use the Service, You have the option to activate or deactivate push notifications or reminders in Your Wysa App settings. The Wysa App will ask Your preference for the time of day to receive notifications and will confirm Your local time to ensure reminders get sent as per Your preference. You can cancel or restrict notifications at any time by invoking help function (type #help) or from Your Wysa App settings. You also have the option and convenience to save Wysa Session reminders to Your calendar management software in Your mobile device. Processing of Your notifications is based on Our Legitimate Interest to send Service information and reminders that help improve Wysa App engagement.
WE WILL NOT SEND ANY MARKETING MESSAGES WITHOUT YOUR CONSENT. ANY MESSAGING SENT WITH YOUR CONSENT WILL ALWAYS GIVE YOU AN OPTION TO UNSUBSCRIBE FROM RECEIVING SUCH MESSAGES OR NOTIFICATIONS IN THE FUTURE.
How do We handle Your age-range related data?
When You Use the Wysa Bot Service, You have the option to provide an age-range (Under 20, 20-30, 30-45, Above 45) during Your conversation. Processing of this age-range data is based on Our Agreement and to understand the age profile of Our Users and to help provide them access to tools and techniques or provide other operational Information relevant to their age range.
WE DO NOT ASK, COLLECT OR PROCESS YOUR SPECIFIC AGE OR DATE OF BIRTH AT ANY TIME DURING YOUR USE OF THE SERVICE.
How do We handle User Incident support?
Touchkin has an Incident Management Policy that guides all our User Issue and Incident management support. There may be occasions where You wish to contact Us to seek support or to complain about any of Our Services. If You contact Us via Our Website or by other means, We may need some data from You, which You may choose to provide. This includes Your name, contact info such as Your email address, phone number, subscription receipts, as well as data about Your mobile device or personal computer such as device type, and OS type. We will Use this data to address and investigate the issues You have forwarded to Us, to provide You support and to improve Our customer support Service. We process this data for our Legitimate Interest.
Your issues or complaints about Wysa App and Services are taken very seriously. You will need to send an email request from Your Google or Apple email ID to firstname.lastname@example.org or email@example.com. We will respond to Your complaints within 3 business days. Some of Your complaints may take longer to resolve. We will continuously provide You with an update until Your complaints are satisfactorily resolved.
How do We handle data provided during promotions and surveys?
We do not promote offers of third party services as a part of the in-app experience. From time-to-time, we send out in-app or push notifications to share discounts and new releases in the Wysa App. These are shared only with existing users for Existing Services. Processing of Your Non-Personal data such as Nickname, Timezone, App usage to send such notifications is based on Our Legitimate Interest and to provide You with Service discounts and improve Your experience of the Wysa App.
If You choose to participate in a Wysa promotional event on social media or elsewhere outside of the Wysa App, You may be asked to opt-in to complete a survey questionnaire. Your voluntary submissions including Your personal data such as email address will be processed only for the following purposes - to send You additional data about the programme, to enrol or on-board You to the programme and to correspond with You on programme related matters. Your survey submission will never be linked to Your Wysa app account and hence Your Wysa App conversations and activities will never identify You. Your submissions will reside in a secure and private storage area operated within the Wysa G-suite account and managed by Google Forms (G-Suite security can be read at https://gsuite.google.co.in/intl/en_in/security). The Wysa G-Suite account is also protected by a two-factor secure authentication system. You can opt out at any time from the programmes by sending Us an email request from Your Google or Apple email ID to firstname.lastname@example.org to delete Your personal data or to discontinue receiving any further communication on this matter. On receipt of Your email, We will verify and remove only the specific Personal data as requested by You, within 72 hours of receiving the request. YOUR SUBMISSIONS WILL NEVER BE SHARED WITH A THIRD PARTY.
How do We handle Your Payment data when You subscribe to Our Services?
If You choose to purchase or Use a fee-based Service and pay for such Service by means of in-app purchases via iTunes or Google Play, We do not collect, retain and store Your personal, financial and credit/debit card data. This is because Your card settlements including card and personal details will be handled by appropriate third-party payment agencies.
We do not collect any personal data from the play stores post-purchase. Only the payment confirmation and subscription details get collected from the play store and processed (collect, transmit and store) by Us. Processing of this data is for Our Legitimate Interest to support You for any payment or subscription related requests, issues or clarifications.
What do We process when You follow Us on Instagram?
You have the option to follow Us on Instagram using Your Instagram account by going to Wysa App settings. You can set up an Instagram account, if You do not own one and follow Us at @wysa_buddy. WE DO NOT ASSOCIATE YOUR INSTAGRAM ACCOUNT WITH YOUR WYSA APP ACCOUNT.
What data do We process for the purposes of Our Legitimate Interest?
We Use Legitimate Interest basis to process Your data in a way which might reasonably be expected as part of running Our business and which does not materially impact Your rights, freedom or interest. When providing Our Services, We may process Your data based on Our Legitimate Interest for the following purposes.
- To create a pseudonymized random user identifier from app/play store identifier;
- To do our best to irreversibly redact any Personally Identifiable data inadvertently submitted by You;
- To monitor, detect and deter unauthorized or fraudulent Use of or abuse of the Service;
- For Uses and disclosures required by law;
- For disclosures for judicial and administrative proceedings;
- For disclosures for law enforcement purposes;
- For Uses and disclosures for public health reporting purposes;
- For Uses and disclosures to avert a serious threat to health or safety to You, Us, or others;
- For improving and/or optimizing Our Service quality, safety and performance;
- To enable Us to troubleshoot and provide customer support, and to respond effectively to Your inquiries and claims;
- For purposes of research and statistical analysis;
- For sending limited in-app and push notifications such as service information, service reminders and service promotions;
- To allow access of Your Wysa app data when You change Your mobile device;
- To accurately and positively identify Your Personal data at Your request when exercising Your data protection rights.
You have the right to object to any of the above processing. Please read the section 6.f. on Your rights.
6. How do We secure Your data?
How does Touchkin protect Your data?
To fulfil Our commitment to respecting and protecting Your privacy and the confidentiality of Your Personal data, Touchkin has implemented industry-standard security safeguards to prevent unauthorized access or disclosure, misuse, alteration or destruction of Your data. More specifically, We will comply with all applicable data protection and security laws in order to assure confidentiality, availability, integrity, privacy and security of Your data.
We do not ask for any User registration or account profile creation during the setup of the app. To track a user across sessions, we get the vendor specific ID provided by the App/Play store when You install Wysa App to generate a random pseudonymised identifier. This random identifier generated becomes the userId that is referred to for all subsequent data linking within Wysa databases. All Your data is encrypted by strong AES-256 protocols and securely stored. This processing is based on Our Legitimate Interest. You always have the Right to be Forgotten. You can at any point of time, clear all Your provided data including all identifiers by Using the “reset my data” feature available in the Wysa App settings. Refer to section 6.f. in our Policy for more details.
Inadvertently collected personal data may be transferred outside the country before being automatically detected and irreversibly redacted in 24 hours. All data transmitted from Your mobile device to Our servers are encrypted using strong TLS protocols via Secure Socket Layer (SSL). Data is transmitted to Our secure database servers using TLS and Salted Challenge Response Authentication Mechanism (SCRAM) and encrypted at-rest using AES-256 protocols.
Our Infrastructure is managed by MongoDB Atlas and Amazon Web Services (AWS). Both MongoDB and AWS are industry leaders in the provision of hosting Services. You can find out more about AWS GDPR compliant security program and controls here. We operate Our databases on MongoDB Atlas to provide secure storage with end-to-end encryption. You can find out more about MongoDB Atlas GDPR compliant security program and controls here and here.
Access to stored data is protected by multi-layered security controls including firewalls, role-based access controls, multi-factor authentication and strong password policies. We carry out technical, privacy and security due-diligence before finalizing and signing agreements with sub-processors. We have a rigorous hiring process including reference checks for all employees, subcontractors and consultants. All Wysa staff members directly interacting with the user and building the product have to complete the basic GDPR and HIPAA awareness training at the time of joining the company. We have information security policies and have put procedures in place that provide for adequate security controls. On an annual basis we conduct an internal security audit to ensure compliance with Our policies and procedures.
Because no method of electronic transmission or method of data storage is perfect or impenetrable, We cannot guarantee that Your data will be absolutely safe from intrusion during transmission or while stored in Our systems. To help protect Your privacy and confidentiality of Your data, We also need to ask for Your cooperation regarding the following: Please do not copy and transmit Your chat conversations, health data and/or Personal data to other people. Also, please notify Us at the contact information provided in Section 7.b, in the event You suspect any unauthorized Use of Your account or any other breach of security.
Where is Your data transmitted and stored?
To provide the Service in a reliable and responsible manner, Touchkin stores all Your data on secure Virtual Private Cloud servers physically located in the USA. All communication between the processing and storage Virtual Private Cloud servers is established over secure Virtual Private Cloud peering networks. We have taken appropriate safeguards by contracting with our sub-processors, MongoDB and AWS, which include standard contractual clauses approved by the European Union (EU) data protection authorities. Both AWS and MongoDB are registered with the EU-US Privacy Shield and Swiss-US Privacy Shield framework.
How long do We retain Your data including Personal data?
Inadvertently received personal data from the Wysa app will be in the system for a maximum of 24 hours before being processed for irreversible redaction as outlined in section 5.a.
Touchkin retains Your data, with appropriate redactions of any potential personally identifiable information, for the length of time needed to fulfil the Agreement or to fulfil any of the applicable purposes mentioned as Our Legitimate Interest, or to comply with requirements of applicable Data Protection or consumer Laws.
We may retain Your data, with appropriate redactions of any potential personally identifiable information, even after Your subscription ends if retention is reasonably necessary. This could be in situations where We need to comply with applicable Data Protection or consumer Laws, or on request of a returning subscriber, or to provide and complete customer support Service, or to detect and deter unauthorized or fraudulent Use of or abuse of the Service.
You have the Right to be Forgotten. You can also, at any point of time, clear all Your provided data by Using the “reset my data” feature available in the Wysa App settings. Refer to the section 6.f in our Policy for more details.
Does Touchkin Use 3rd party Service providers or agents?
To facilitate and provide You with the Service, it sometimes is necessary for Touchkin to request third party service providers or agents to help Us process and/or store Your data. We strictly evaluate the Service providers and agents, and We make every effort to ensure that they have established appropriate and secure data administrative, organizational and security control of their systems, and We strictly require that they comply with confidentiality and non-disclosure obligations and applicable laws and regulations including relevant Data Protection Laws. We also require that they access Your data only to the extent necessary to perform tasks on Our behalf.
WE COMPLY WITH GDPR BY HOLDING CUSTOMER SERVICE AGREEMENTS WHICH INCLUDE A DATA PROCESSING ADDENDUM (DPA) WITH ALL OUR 3RD PARTY DATA SUB-PROCESSORS. IN OUR ROLE AS A DATA CONTROLLER OR AS A BUSINESS ASSOCIATE. WE ALSO HAVE SIGNED BUSINESS ASSOCIATE AGREEMENT (BAA) TO COMPLY WITH HIPAA REQUIREMENTS.
Both Our 3rd party data sub-processors (MongoDB and AWS) get periodically audited by independent auditors for platform security, privacy and compliance controls. Some of the compliance standards covered include ISO27K, SOC2 Type II, FIPS 140-2, EU-US Privacy Shield, Swiss-US Privacy Shield.
Does Touchkin share Your data with third parties?
We do not collect any Personally Identifiable Information from You. At the same time, for research and statistical purposes We do use anonymised data, and only the minimal data that is required to answer the research question, based on Our Legitimate Interest to improve Our product and contribute to the development of user-centered mental wellbeing best practices globally. As required by Data Protection Laws and as per the Non-Disclosure agreements executed with data sub-processors, third-party health psychologists and well-being Coaches and research partners, they are required to protect the data shared with them and are required to keep Your data private and secure.
What are Your data protection rights?
You have certain rights under the Data Protection Laws in relation to Your Personal data. Any inadvertently obtained Personal data is auto-redacted within 24 hours in Our systems. Beyond that, for the non-personal data held by Us We do provide You the following rights.
We have tried to make it as easy as possible for You to have control over Your data. To exercise any of Your rights, You will need to send an email request from Your Google or Apple email ID to the contact information provided in section 7.b. Please note that We may need to verify You before responding to any requests to exercise Your rights. We may also limit Your individual rights requests (a) where denial of access is required or authorized by law; (b) when granting access would have a negative impact on others' privacy; (c) to protect our rights and properties; or (d) where the request is unjustified or excessive.
Right to rectification and Right to restrict processing:
You will need to send an email request with reasons from Your Google or Apple email ID to the contact information provided in section 7.b. at any time to rectify or restrict processing of Your data on the basis of the Agreement. Touchkin will provide You with a request form that You will need to fill and submit back to Us via email. After verifying You and examining Your request, We will respond to You over email on the action decided and/or taken within one calendar month from verification. We may at times be unable to address Your request, if We are unable to correctly identify You.
Right to object:
You have the right to object to processing of Your data only for the purposes listed in section 5.s, on the basis of Our Legitimate Interest, by sending Us an email request with reasons from Your Google or Apple email ID to the contact information provided in section 7.b. After verifying You and examining Your request, We will respond to You over email with our decision and/or action taken within one calendar month of receipt of request. We may at times be unable to address Your request, if We are unable to correctly identify You.
Right of access:
You always have the access to view Your latest conversations with the Bot or view Your older conversation messages within the Journey tab of the Wysa App. All Your sessions with a Wysa Well-being Coach or Wysa Therapist are also accessible through the Coach or Therapist tab within the Wysa App.
IF YOU EXERCISE YOUR RIGHT TO BE FORGOTTEN AND RESET YOUR DATA, YOU WILL LOSE THE RIGHT TO ACCESS YOUR DATA AS IT WILL BE PERMANENTLY DELETED.
You will need to send an email request with reasons from Your Google or Apple email ID to the contact information provided in section 7.b. at any time, if You have any further questions around access to Your Personal data. Touchkin will provide You with a request form that You will need to fill and submit back to Us via email. After verifying You and examining Your request, We will respond to You over email on the action decided and/or taken within one calendar month from verification. We may at times be unable to address Your request, if We are unable to correctly identify You.
Right to data portability
If You replaced Your mobile device that had the Wysa App installed and You are a paid subscriber of Our Services, You can place a request along with Your subscription receipt and the reasons to transfer Your data from Your older device to Your replaced mobile device. If You are not a paid subscriber, We will need to accurately verify You, before we can process Your request. You can also place a request to receive a digital copy of Your data in a machine readable format. We may charge You a small fee for this Service.
You will need to send an email request with reasons from Your Google or Apple email ID to the contact information provided in section 7.b. After verifying You and examining Your request, We will respond to You over email with our decision and/or action taken within one calendar month from verification. We may at times be unable to address Your request, if We are unable to correctly identify You.
Right to Erasure or Right to be Forgotten
When You Use the Service, You have the option to reset Your data in the Wysa App by using the “Reset my data” feature in the Wysa App settings. Reset my data, automatically without any manual intervention, clears all Your conversation messages, clears Your completed tools, clears reminders or any enabled settings or activities and health-related assessment responses. Your identifiers will be permanently redacted from Our Database. YOU CANNOT REVERSE OR RECOVER YOUR PAST DATA POST A RESET.
You will need to send an email request with reasons from Your Google or Apple email ID to the contact information provided in section 7.b, if You have any further questions around Your right to be forgotten. After verifying You and examining Your request, We will respond to You over email on the action decided and/or taken within one calendar month from verification. We may at times be unable to address Your request, if We are unable to correctly identify You.
Right to authorize and unauthorize Your data with Your Well-being Coach or Therapist
When You Use the Wysa Well-being Coach Service or Wysa Therapist Service, You have the option to either share or stop sharing access to Your provided data with the Wysa Well-being Coach or Wysa Therapist. This feature can be activated or deactivated at any time during Your conversation by Using the “Authorize/Unauthorize Well-being Coach” feature in the Wysa App settings.
Do California residents have specific privacy rights?
California law permits Users who are California residents to request and obtain from Us once a year, free of charge, a list of the third parties to whom We have disclosed their Personal data (if any) for direct marketing purposes in the prior calendar year, as well as the type of Personal data disclosed to those parties. Please note that Wysa does not share Personal data with third parties for direct marketing purposes as a matter of policy. California based Users can still write to Us at the contact information provided in section 7.b regarding Your rights.
What are the controls for Do-Not-Track features?
Right to Breach notification
In addition to the right to request disclosures of Your data specified in the Right to access above, We will notify You as required by Data Protection Laws if there has been a breach of the security of Your identifiable Personal data within 72 hours of breach confirmation.
Concerns and Complaints
If You are not satisfied with Our resolution, You have the right to complain to a Data Protection supervisory authority in Your country or state of residence. Contact details for Data Protection Authorities in the EU are available here.
7. Additional information for You
Can children under 13 use Wysa App?
The Wysa App is intended for a general audience and is not directed to or intended to be Used by children under the age of thirteen (13) years.
We understand the special necessity to protect children's privacy on Wysa App, and We do not knowingly collect any Personal data from children.
If, however, as a legal Parent or guardian, You believe We have collected any Personal data of Your child, then You will need to send an email request from Your Google or Apple email ID to the contact information provided in section 7.b. After verifying You and examining Your request, We will respond to You over email on the action decided and/or taken within one calendar month from verification. We may at times be unable to address Your request, if We are unable to correctly identify the User. If We have inadvertently collected Personal data from Your child, We will deactivate the relevant account(s) upon identification and will take reasonable measures to promptly delete such Personal data from Our records.
Please be responsible and do not share or Use Your credit/debit card or other payment instrument with Your child to make any in-app purchase.
Who can You contact for additional questions, comments or concerns?
1st Floor, Manjusha, No 532
16th Cross, 2nd Main Road, 2nd Stage
Indiranagar, Bengaluru, 560038
Karnataka - INDIA
Can Non-English speaking users use the Wysa App?
The Wysa App has been built and is currently provided only for English language users.
To ensure wider reach, Touchkin will, in the near future, launch Wysa in other international languages. We will keep You updated of this development.
What are some Best Practices to follow to keep Your devices secure?
You are also responsible for helping to protect the security of Your Personal data. You are responsible for maintaining the security of any personal computing device on which You utilize the Services.
The US Federal Trade Commission (FTC) publishes information for Users on how to secure Your personal data and devices. These can be found at the following public link.
Touchkin strongly believes in security and safety of data in Your mobile device. As a responsible Service provider, We would therefore like to share important device-based security information for Your attention. These have been sourced from US FTC best practices and guidelines. Always refer back to the US FTC link provided above for more details and future security updates.
- Always lock Your mobile screen by setting a password. Use strong passwords and keep passwords private.
- Always extend Your mobile screen password to set a Wysa App PIN to keep Your conversations with Wysa App private.
- Always keep Your mobile operating system up-to-date.
- Enable remote access of Your devices to enable You to locate and control Your devices remotely in the event Your device gets stolen.
- Install anti-virus software to protect against virus attacks and infections.
- Avoid phishing emails. Do not open files, click on links or download programs from an unknown source.
- Be wise about Using Wi-Fi. Before You send Personal and sensitive data over Your laptop or mobile device on a public wireless network in a coffee shop, library, airport, hotel, or other public place, see if Your data will be protected.
9. Severability and Exclusion
10. Governing Law and Dispute Resolution