Wysa is a company with offices in the UK, India, and the USA. In the UK, we are registered with the UK Information Commissioner Office. Our registration number is ZB272754.

Where Wysa decides the purpose of personal data processing, we will be the data controllers. Where we perform personal data processing at the intent and direction of your Institution, we will be data processors.

If you have any questions, comments, complaints, or requests about our app and services, you can email us at [email protected].

When you use our app and services.

When you use our app and services, we collect the following information. You control the information you share with us. We design our app to collect as little personal data as possible to keep your data safe and protect your privacy. This means there is less risk of your information being misused. When you share information with us, we are responsible for taking care of it.

Information provided by you.

• Information about you. This includes things like your nickname, age-range, gender, pronouns, or identifiers you may voluntarily reveal about yourself.

• Conversation data. This covers what you type in messages, your challenges, preferences, feelings, moods, thoughts, task lists, and safety information. It also includes answers to surveys or questionnaires from us or your Institution, and how you respond to the tools and exercises that we offer.

• Correspondence data. If you email us, you might share personal data like your name, email address, home address, the company you are part of, your job title, and what you talk about in the message.

• Feedback data. When we ask for your thoughts on our app and services, we gather your contact info and some basic details about you.

• Pharmacovigilance data. This is only for services provided for pharmaceutical institutions. On behalf of your Institution, we may ask you to provide safety related inputs regarding your use of medications. This may include any drug side effects, adverse events or other experiences when using the Institution prescribed drugs. You will be routed to the Institution or regulator webpage where you can provide your inputs.

Information collected via automated means or by third parties.

• Information sharing with your Institution. Sometimes, your Institutions or their appointed representatives might share or ask you to share your personal data, such as your name, date of birth, Institution identifiers, contact details among others, so we can offer you our services. We may also share your usage and safety data with your Institution as part of our services.

• App event data. We collect information about what you do in the app, like where you tap, what actions you take, your settings, notifications you get, and the screens you visit.

• Device data. When you install the App, we get an ID for your device from the Google Play Store or Apple Play Store. We also collect information about your device, like the type of phone, its time zone, and its operating system. A service provider that helps us securely deliver content might also collect your IP address to provide our services.

• Cookie Information. We and our third-party providers collect information about your app use via cookies or similar technologies. We use mandatory or necessary cookies to provide our services.

When you use our DRA services

When you use the e-triage web widget on your Institution website to make a referral submission, we will need to collect some information on behalf of your Institution. This information is transferred to the Institution and used for referral, appointment and care purposes.

You can fill out the information required at your own pace. We will ask for personal details (such as name, date of birth, contact details), answers to health related questions, and any long-term health issues or disabilities. Your Institution decides if you qualify for these services, not us.

We do not decide who gets the help, nor the type or step of care provided– we just help collect the required information and pass it to your Institution.

When you use CCBT programs and/or Therapist Companion Service.

Note: This service is currently available only for research and clinical investigation purposes.

Wysa will only share the needed personal data with your Institution and their clinician. This to help them review your progress on the assigned CCBT programs and/or receive communication using the Therapist Companion service. These details can include, but are not limited to, CCBT program progress, notes from the clinician, check-in dates, assessment results, and any emergency alerts.

When you use the e-triage referral service as a CYP user

If you need extra help, you will be asked to fill in a form in the Waitlist App with your personal details and contact. Based on the submission, a clinician from your Institution can get in touch with you. We use this information, on behalf of your Institution, to make sure you get the support you need.

When you use the Wysa+ service

Wysa+ provides an improved experience of the AI Coach service. It allows us to provide you with high-quality, and safe, responses. Wysa+ uses third-party Generative AI (“Gen AI”) and our own AI to chat with you. This helps the AI Coach talk about varied conversations and provide responses that are more suited to you. Where provided, Wysa+ allows you to chat in native English and other languages. Your conversation data is processed to provide this service. The output from the Gen AI passes through our safety guardrails and quality checks before we use it. Our clinical staff review the appropriateness of the Gen AI response at frequent intervals to make sure they are safe, and work well.

When you join our testing or research initiatives

You can choose to sign up and join any of our online testing or research studies. When you volunteer, we will collect some information from you. These include:

• Information about you. This may include (but is not limited to) your name, contact details, country, gender, socio-economic details, age-range.

• Health and Wellness data. If you participate in our research study we may collect additional information such as ethnicity, alcohol/substance use concerns, mood, and validated assessment responses.

Sources of personal data

We get your personal data either from you, your Institution, or service providers your Institution asks us to work with.

Legal grounds

We need to follow data protection laws that make sure we look after your personal data properly. Here is how and why we might use it:

1. Consent: Sometimes, we ask you if it is okay to use your personal data. You can always change your mind later if you decide you do not want us to use it anymore by writing to us.

2. Contract Performance: When you use our app or services, we might need some of your personal data to provide our services and make sure everything works properly.

3. Legitimate Interests: We and service providers we trust might use limited information to keep our services safe from fraud or security problems. We might also use it to make our services better. But do not worry, we will not use your information to train our AI.

4. Legal Obligation: Sometimes, we need to use your personal data to follow the law or to protect our company and the people who use our services.

5. Public Interest: Where applicable, we may collaborate with your Institution and share required information so they can process your data for the broader public health and interests.

Sometimes, we need to use special category data about you, like your mental health and well-being data. We will only do this if we follow the law and have a good reason, such as:

1. Reasons for substantial public interest: Helping you with advice or support, like counseling, or keeping you safe while you use our app and services.

2. Health Care: Acting on behalf of your Institution to provide healthcare.

3. Public health: Acting on behalf of your Institution to help with public health issues, under the guidance of a health professional.

Uses of your Information

We might use the information you give us on our apps and services for these reasons.

1. Information about you

   1. To provide and manage app and services: Here is how we use your information:

      1. To recognize which institution you are part of.

      2. To recognize whether you are a new or existing user to the app and service.

      3. When needed, to ask your permission to turn on your device's microphone and camera.

      4. We collect, move, save, and use your provided information to make our services work.

      5. We set up and keep track of your chats and use of our services.

      6. We give you content and tools that are right for your age and gender.

      7. We let you change your nickname.

      8. Where needed, we will connect with your Institution's approved systems to handle your information.

      9. We keep a record of any permissions you give us.

      10. We let you know if we change our rules or privacy notice in the Waitlist App.

      Legal grounds: contract performance, legitimate interests.
2. Use of Conversation data

   1. To provide and manage app and services: We do the following with your information:

      1. We come up with ideas and create AI programs, stories, and ways to talk for our AI Coach. We do not train our AI models using your conversation messages.

      2. The AI coach remembers the text messages you send and choices you make while using the apps.

      3. The AI coach figures out if you are feeling happy, sad, or have any problems or questions. This helps us chat with you safely and give you required resources.

      4. The AI coach makes sure it understands you so that conversations make sense.

      5. The apps show you safe tools and techniques that can help you.

      6. We make sure any personal details you accidentally share in your messages are removed and cannot be traced back to you.

      7. The AI coach looks for any medical or emergency words in your messages to help keep you safe.

      8. If the AI coach detects something that seems like an emergency, we may inform your Institution.

      9. The waitlist app keeps track of your progress when you use the assigned CCBT programs.

      10. We give you information and resources shared by your Institution when you use the Therapist Companion service.

      11. When you use the Therapist Companion service, with your consent we share your conversation data with your Institution to help with your care. Any data involving safety or risk is shared automatically to ensure that your clinician is aware.

      Legal basis: contract performance, legitimate interests, and consent. Use of appropriate additional conditions for any special category personal data.

   2. To perform well-being assessments: We do the following with your responses:

      1. The AI coach will ask you about how you feel and your mental well-being from time to time.

      2. The AI coach recognises if you inform any emergencies and may let your Institution know to provide support.

      3. The AI coach guides you to helpful hotlines and support resources if you need them.

      4. The AI coach recommends tools, tips, and resources to help you to manage your mood and improve your wellbeing.

      Legal basis: contract performance, legitimate interests. Use of appropriate additional conditions for any special category personal data.

   3. To provide in-app notifications and reminders: We will send you alerts inside the app if you choose to set reminders and notifications.

      Legal basis: contract performance, consent.

   4. For research, analytics, and compliance reporting: We might remove details that show who you are so that no one can tell the information is about you. We will use this changed information to check how well our app is working and to see if it is safe and useful. Sometimes, we also share this information with regulators to make sure we are following the laws.

      Legal basis: legitimate interests, legal obligations. Use of appropriate additional conditions for any special category personal data.
3. Use of Correspondence data

   1. To communicate effectively with you:We do the following with your responses:

      1. We answer your questions, requests, complaints, and other feedback.

      2. We fix any problems with our services.

      3. We send you important service updates.

      4. We keep track of our conversations with you to make sure we are doing a good job and following the rules, and also to help train our team.

      Legal basis: contract performance, legitimate interests.
4. Use of Feedbacks

   1. To improve our app and services: We do the following with your information:

      1. To invite you to join activities like sharing your thoughts about our product, or helping us test it.
      2. To understand your feedback so we can make our product and services safer and better.
      3. To use your personal details to make sure everyone has a fair chance to join in and that we test our product with the right groups of people.
      Legal basis: legitimate intersests, consent.
5. Use of Pharmacovigilance data

   1. For safety, and compliance reporting: We do the following on behalf of your Institution:

      1. To give you Institution-provided safety messages and resources about their drugs.
      2. To redirect you to your Institution or regulatory reporting website. These websites may collect and store your input on side effects, adverse events and other experiences when using the Institution prescribed medication or services.
      3. To transfer any collected inputs with your Institution and their approved third-party providers to assess the effectiveness of the pharmacovigilance messages.
      4. To send reminders about safety and reporting adverse events within the app.
      Legal basis: legal obligations. Use of appropriate additional conditions for any special category personal data.

   2. To provide Institutional services: We do the following with your information:

      1. Provide clinically reviewed well-being programs. These are supportive resources to help you manage the worry and stress that you may be experiencing as part of your condition or circumstances.
      2. Transfer anonymised app use data with your Institution and their authorised service providers.

      Wysa will never make any references, directly or indirectly to use of medicines within their AI Coach conversations with you.

      Legal basis: contract performance, legitimate interests.
6. Regarding Information sharing with your Institution

   1. To provide and manage app and services: We do the following for your Institution:

      1. We may send you links or allow you to use codes so you can use the Waitlist App.
      2. To associate and maintain end-to-end continuity in your care when you use our apps.
      3. The apps may check to make sure you are part of your Institution.
      4. We share required reports and statistics with your Institution.
      Legal basis: contract performance. Use of appropriate additional conditions for any special category personal data.
7. Use of app event and device data

   1. To understand app and service usage: We do the following with your information:

      1. We remove any identifiers from your information before using it to check how well our app works and to make sure your information is safe.
      2. We check and record the safety and performance of the app so we can report to your Institution or meet our legal requirements.
      3. We share data that cannot identify you about your usage of the app with trusted analytics providers. This helps us make the app and their services better.
      4. We use the Information to create new services, technologies, and products.
      Legal basis: contract performance, legitimate interests, legal obligation. Use of appropriate additional conditions for any special category personal data.

   2. For marketing purposes: We do the following with your information:

      1. Sometimes, we create and run campaigns, send out surveys, and give updates about our programs.
      2. We also use anonymous data to understand how well we are doing, make marketing materials, and benchmark ourselves with others.
      Legal basis: legitimate interests, consent.

   3. To ensure availability and security: We do the following with your information:

      1. To make sure the content on our app works well.
      2. To keep your information safe from hackers and online threats.
      Legal basis: contract performance, legitimate interests.

   4. For fraud prevention: To prevent fraud or misuse of our services and to secure our systems.

      Legal basis: legitimate interests.
8. Use of Cookie Information

   We need to use some necessary cookies to make sure our apps work properly. Here is a simple guide to the kinds of cookies we might use:

   • Essential cookies. These are very important and are needed for the apps to work. They help make sure everything runs smoothly, like when you chat on the app. These cookies do not collect any information about you. We handle these cookies ourselves.

   • Analytical cookies. We also use these cookies to see how well our apps our doing. They help us understand what is working and what needs fixing. Sometimes, we use our own cookies for this, and sometimes we use Google Analytics. If you want to know what Google Analytics does with the information, you can visit their website. https://www.google.com/policies/privacy/partners/. You can opt out from Google’s cookies by downloading the Google Analytics Opt-out Browser Add-on Download Page. We do not use special Google tools to show you ads or test features on the Waitlist App and e-triage widget. We do not use Google signals, which means we do not collect information about you or what you like.

   "Do Not Track" (DNT) is something you can turn on in your web browser to keep your online activities more private. However, even if you turn DNT on, we do not collect those signals today.

   Legal basis: legitimate interests.

Additional processing when you use the DRA Service

1. For processing your eligibility and clinical assessment data

1. To process your provided data: We do the following with your information:

   1. We gather, move and store the information you submit.
   2. We delete your personal data when we no longer need it, as agreed with your Institution.
   3. The app provides you with safety resources and guides you on how to use them.
   Legal basis: as defined by your Institution for public health, legitimate interests. Use of appropriate additional conditions for any special category personal data specified by your Institution.

2. To transfer data to your institution: We do the following with your information;

   1. We connect securely with your Institution clinical management system.
   2. We share your eligibility and clinical assessment Information with your Institution.
   Legal basis: as defined by your Institution for public health, legitimate interests. Use of appropriate additional conditions for any special category personal data specified by your Institution.

Additional processing when you use the CCBT Program and/or Therapist Companion service

Note: This service is currently available only for research and clinical investigation purposes.

1. For processing your data related to CCBT and/or communications with your clinician

   To process your provided Data. We do the following

   • Provide access to the assigned CCBT programs within the waitlist app.
   • Provide access to use the resources provided by your assigned clinician.
   • Allow your Institution assigned clinicians to review your CCBT program progress and support you.
   • Where provided access, to allow Clinicians to review your AI Coach conversation data.
   • Assist you with appropriate support resources and guidance.
   Legal basis: contract performance and legitimate interests.

Additional processing for Children and Young People(CYP) users.

1. For processing your onward support request

   To process your provided data: We do the following with your information when you choose to seek additional support:

   1. We gather, move and store the information you submit.
   2. We share your request with your Institution.
   3. We delete your personal data when we no longer need it, as agreed with your Institution.
   4. Where required, We help you find safety resources and guide you on how to use them.

   Legal basis: as defined by your Institution.

   To transfer your request to authorised parties: We do the following with your information:

   1. We send your request to your Institution or care provider.
   2. If you ask us to, we can also send you a copy of your request.
   3. If you ask us to, we can send a copy of your request to your parent or guardian too.

   Legal basis: consent and as defined by your Institution.

Additional processing when you use the Wysa+ service

1. Use of Conversation data

   1. To provide the Wysa+ Service: We do the following with your information:

      1. We share your relevant conversation messages to Gen AI (“Input”).
      2. We design prompts to guide Gen AI to respond appropriately to the Input. The prompts include your message, summaries of your chats over a period and our validated instructions.
      3. The AI coach detects personal identifiers that you might have shared by mistake. If there are any, the AI coach will ask you to change your conversation message before sending it to Gen AI.
      4. We have safety rules to keep your chats with Gen AI safe. All Inputs go through these safety rules. If your message does not clear the safety rules we do not send it to Gen AI. When Gen AI responds (“Output”), it also has to pass the safety rules. If it does not, we do not release the Output, instead providing a pre-defined safe response.
      Legal basis: contract performance, legitimate interests.

   We do not share or sell your information, messages, or how you use our apps to advertisers or companies that buy data.

Additional Processing When you join our testing or research initiatives

1. To process the information shared by you during participation. We do the following

   1. Provide a participant information sheet.
   2. Inform about the testing or study purposes.
   3. Understand your eligibility and shortlist for the study.
   4. Manage your joining process.
   5. Send testing or study related information and reminders.
   6. Seek your feedback and clarify any questions.
   7. Use your personal details to make sure everyone has a fair chance to join in and that we test our product with the right groups of people.
   8. Generate identifiers to associate and maintain integrity of your data across apps you use.
   Legal basis: your consent and legitimate interests.

2. To improve our app features, experience and performance: We do the following with your information:

   1. Invite you to join activities like sharing your thoughts about our product, or helping us test it.
   2. Understand your feedback so we can make our product and services safer and better.
   3. Understand and gather evidence as to whether our products are helpful in improving your mental health and wellbeing.
   4. Establish the effectiveness and impact of Wysa programs.
   5. Where made available, to share supportive resources with you.
   6. Share your study related data and inputs with your Institution's research team.
   Legal basis: your consent, public interest, legitimate interests. Collaborated research studies with your Institutions may be in Public Interest.

Note: You can stop participating in the testing or research at any time after it starts.

Processing for Legitimate Interests

We may need to use your personal information for important reasons. Before doing this, we will always protect your rights and privacy. Here are the reasons we might use your data:

1. To follow our agreements with your Institution.
2. If the law requires us to use or share it.
3. For court cases or legal orders.
4. For law enforcement or national security needs.
5. To help investigate or stop illegal activities.
6. To freeze data for legal reasons so that it cannot be changed or deleted.
7. To report public health information.
8. To prevent serious risks to health or safety.
9. To do basic research and understand how people use our services.
10. To communicate with you about using our app and services.
11. To fix and protect the app’s security and operations.
12. To stop fraud or misuse of our service.
13. To keep your data secure and private.
14. To make sure the app and services work well and are easy to use.
15. To protect your fundamental rights, and safety.
16. To use anonymous data for benchmarking and marketing.
17. To create new services, technologies, and products.
18. To answer your questions and requests.

Protecting your privacy

1. You do not need to register to use the app.
2. Just give us a nickname so our chatbot knows what to call you.
3. We use pseudonymized identifiers to keep your data and identity safe.
4. No real people can listen to what you are talking about with the AI Coach.
5. If you accidentally share personal data, we will make sure to remove it so no one can see it.
6. As a Waitlist App user, you can choose "reset my data" to delete your conversation data.
7. Before we use any personal data about you, we make sure it respects your rights.

Protecting your security

1. We use strong encryption to protect your data when it is being sent or stored.
2. Only certain people can access your data. They have to use strong passwords and an additional access code.
3. All our staff computers have extra security.
4. We maintain contracts with companies we work with to keep your data safe.
5. We carefully check the background of new staff before hiring them.
6. We train our staff on how to handle your information securely.
7. We have experts from outside our company check if we are following the rules every year.
8. We regularly test our app and systems for any weaknesses.
9. We fix any problems in our computer code to make sure it is safe.
10. We often check to make sure we are following our safety plans and rules.

Additional safeguards when you use Wysa+ Services

1. Every message sent to and from Gen AI is encrypted so no one else can read it.
2. We check each message you send to make sure it does not have personal identifiers. This helps keep your private details safe from being shared with the Gen AI service provider.
3. We always check what is sent and received from Gen AI to make sure it is safe and good to use.
4. We also use safety rules to double-check and make sure everything is safe.
5. We do not share your device data with Gen AI.
6. Your conversation messages are never stored at the Gen AI.
7. Your conversation messages are not used as training data by Gen AI.

Responsibe use of Artificial Intelligence

At Wysa, we use artificial intelligence (AI) programs to understand what you type to us. These programs help us talk with you in a way that makes sense and guides you to helpful information. Our programs follow set rules and do not learn new things on their own. We make sure our AI chatbot is fair, safe, and treats your information with care. If you use the Wysa+ service, we use third-party Generative AI technology to assist you. We have safety measures in place to keep our conversations secure and trustworthy. We also have good practices to monitor and check the use of AI at Wysa, making sure your rights are protected. Please contact us at [email protected] if you have any more questions about our use of AI.

While Wysa has put in place reasonable clinical safety and data protection controls, you understand and acknowledge that AI is a developing technology. The potential risks inherent to this technology may not be fully understood and fulsome safeguards may not be fully developed. Due to the nature of the technology, you may sometimes get incorrect responses that do not accurately reflect the action required.

We do our best to keep your personal data safe, but no method is perfect. We cannot promise complete security. You can help keep your data safe too. Please do not share personal identifiers where not asked. Please do not copy and share your chats with people you do not know.

Third-Party Sites

The App might have links to other websites or resources. When you click on these links, remember that these other sites have their own rules about privacy. We do not control these other sites and we are not responsible for their privacy rules. It is a good idea to read their privacy rules before you share any personal data on those sites.

Children’s Privacy

The apps are meant to be used only by people allowed by your Institution. If you are too young according to your Institution rules, you should not use this App. Wysa is not responsible if someone lies about their age to use the apps. If you find out that a child has shared personal data with us when they should not have, tell us by sending an email. We encourage parents and guardians to watch over their children's internet use. Tell your children not to give out personal information without your permission.

Best Practices

We want to help you stay safe online. The NCSC Gov.UK website has tips on how to make your devices more secure. The UK ICO site gives easy advice on protecting your personal data when you are online and using computers or other gadgets. You can check out the links below to learn more.

Service Providers
We work with third-party companies that help us run our app, fix any problems, and offer other important services. These companies might use your personal data to provide services for us. For a list of service providers please read here.

Legal
We sometimes need to use your personal data to follow the law. This might mean sharing your information with other people like insurance companies, courts, police, or other important organisations around the world. This could happen if they are checking something, during court cases, or if it is required by law. We might also use your information to stop serious health or safety problems, for public health reports, and to keep information safe during legal situations so it is not changed. Also, we might share your information to help with finding out or stopping fraud or crime. We will make sure your rights and interests are protected.

Reorganization
In situations like when we might sell our business, join up with another company, reorganize, or are facing bankruptcy, we may need to share some of your personal data with others. These third-parties will use your information to look at the business deal. After these changes happen, we might also share your information with the new company for the same purposes mentioned in this privacy notice. We will try to let you know by putting a notice on our website, telling your Institution, sending you a notification in the app, or updating this privacy notice.

What Can You Do About Your Data?

• Ask Questions: You can ask us how we are using your personal data.
• Get a Copy: You can ask for a copy of the information we have about you.
• Fix It: If any information about you is wrong or missing, you can ask us to fix it.
• Delete It: If we do not need your personal data anymore, you can ask us to delete it.
• Pause It: While we look into any questions you have, you can ask us to stop using your data.
• Change Your Mind: If you had said yes to something before, you can still say no later.
• Send It Elsewhere: You can ask us to send your personal data to someone else electronically.
• Object: You can tell us not to use your personal data for things we think are important.
• No Marketing: If you do not want to get marketing emails, just click ‘unsubscribe’ in the emails.
• Be fair: When you use our app, we will not treat you unfairly for using your rights.
• No Sale: You can choose to stop your personal data from being sold or shared with others who might want to sell it.
• Automated Decisions: Our Service uses AI to help you. We do not use AI to know your identity. We always check with you before making key suggestions. We change our conversation anytime you inform us that the AI is not helping. We and our service providers might use AI to make automated decisions or automatically process information if we need to perform our services or to stop fraud, abuse or misuse of our services. By using our Services, you consent to let us use AI for this purpose. We might change the automated approach we use in the future.

How to Exercise Your Rights

You do not usually have to pay anything to use your rights. Sometimes, we might need to check it’s really you asking. Contact us using the details at the top of this privacy notice. We will reply within one month if you ask us for something.

When We Might Say “No”
We might not be able to agree to your request if:

• The law says we cannot.
• It affects someone else’s privacy.
• It could harm you, us, or someone else.
• If we need to retain data to ensure the reliability of our research studies.
• The request is too much or does not make sense.