Key Messages:

Changes in v2.1.0 | Feb 29, 2024

You can read the full list of changes in the Changes Log

Definitions

Who are we?

Wysa is a private limited company having its registered office in UK (Wysa Ltd.), India (Touchkin eservices pvt. Ltd.) and USA (Wysa Inc.) We are registered with the UK ICO. Our data protection registration number is ZB272754. Where we decide the purposes of our services and personal data processing, Wysa will be the Controller. For all services and data processing done at the direction of and on behalf of a Controller or a Processor, Wysa would are either be a Processor or a Sub-Processor.

What personal data do we process and how do we use it as a Controller?

We only use your Personal data for the purposes for which we collected it. We will use it for another reason, only if compatible with the original purpose. We may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. We may process your personal data without your knowledge and consent, where this is required or permitted by law.

The table lists the data processing that we perform when you use the App for Waitlist (AI Coach, Digital self-care tool-packs), cCBT programs, Therapist Companion services (on mobile App) or services purchased from our website and multi-lingual offerings.

What personal data do we process and handle as a Processor or sub-processor?

Your use of e-triage tools

Wysa will be a Processor, where we are asked to provide approved services and processing on behalf of your Institution (Data Controllers). Your Institution prescribes or refers you to use our e-triage tool powered by the App. We will collect, transfer, store and use your personal data and special category data to provide the Institutional services. Institutional services may include processing of minimal data sets (MDS) on behalf of your Institution to provide Improving Access to Psychological Therapies (IAPT) services, CBT programs, Child and Adolescent Mental Health Services (CAMHS) among others. Wysa will integrate with the Institution authorised electronic patient record (EPR) systems to receive your minimal personal data to perform the Institution agreed Services. We will also transfer agreed data, including MDS related data, provided during use of our App and Services to the EPR system. We will receive limited contact identifiers from the EPR to send an SMS to you with a link to the eTriage tool and to correspond about the Institutional services. We will verify your registered contact identifier before giving access to the eTriage tool. All the Institutional services and data processing performed by us will be as agreed with your Institution. We will maintain standard agreements including Data Protection Impact Assessments (DPIA) with your Institution. We may collect consent on behalf of your Institution, where your MDS needs to be shared with your nominated General Practitioner (GP) or Clinicians for your safety and care. The data collected in MDS includes but is not limited to personal and demographic information, assessment/ outcome measure responses and scores, programs and tool pack use, diagnoses including long term conditions and disabilities and mental health care events.

Where agreed with the Institution, the eTriage tool supports patients in identifying whether they are eligible or not for the mental health service. Eligibility criteria for the service is determined by the Institution and not by Wysa. The name of the Institution will be evident on the web page you access when you submit your information using the eTriage tool. The eTriage tool will ask initial questions to determine eligibility and will explicitly inform you through the chat whether you are eligible for the service or not. If you are eligible for the service, the eTriage tool will continue to ask further questions to collect information required to submit a referral to the Institution. The specific questions that are asked, and for some questions the specific answers available, are determined by the Institution and not by Wysa. Post the referral, Wysa also collects information that will support the Institution, and specifically clinicians at the Institution, to get you to the most appropriate care and treatment. This clinical information is in the form of an assessment. These assessments are validated and are set as requirements by NICE and the NHS. Wysa will indicate to you when these assessments are about to be asked and when they are completed. Where agreed with the Institution, we will share weekly reports of your eTriage tool use with the Institution. These reports carry aggregated analytic information and views based on your eTriage use. These reports will also be accessible by your Institution via analytic dashboards.

Your use of cCBT and Therapist Companion Services
Wysa will share minimal personal data, received from the EPR, to help your clinician identify you in the Therapist Companion application. We will also transfer some of the records created during your use of the Service with your Institution’s EPR. These records will include but are not limited to Clinician notes, Review dates, Assessment evaluations and any SOS detection.

Your request for Children & Young People (CYP) SOS referral support
As a CYP individual, you have the option to ask for SOS referral support from your Institution from within the App. Wysa provides this support on behalf of your Institution. You will be presented an in-app form and asked to provide the following information- name, age, contact details (phone number, email ID), parent or guardian contact details (phone number, email ID). Wysa will collect and share this information with your Institution on receipt. Your information will help your Institution, provide you with the required SOS support. The data submitted will be stored temporarily at Wysa and permanently deleted within 30 calendar days of the form submission. Wysa will be unable to make any rectification to the data once submitted. Your data submitted will be encrypted and transferred securely to your Institution. If you want to make any corrections to the data submitted or have any questions regarding the support, please contact your Institution directly.

Other Information
Where agreed with the Institution, we will send an email alert to the Institution care provider or administrator if you trigger an SOS, Self-harm or abuse during eTriage tool use and/or Wysa app or Therapist Companion Service usage. This email may include your personal name, your phone number and the underlying message that triggered those emotions. This processing is not intended to be an emergency response and is performed to safeguard individuals at-risk.

Directly contact your Institution to know more about the data held and processed by Wysa on behalf of the Institution. Where available and required, we may provide Institution notices from within our eTriage tool or Institution version of the App.

We may provide anonymised or agreed upon minimal user level data with some of our Institutions. This would be for provisioning of Services and/or where it helps the Institutions provide better care for you. We clearly inform the Institution and within our contracts with them about their responsibility to protect your rights and freedom at all times.

You are required to provide accurate information. You take full responsibility for any deliberate inaccuracies submitted. If you make a mistake you will need to contact the Institution to get it rectified.

Wysa recognizes that all processing beyond that defined in agreed standard agreements including DPIA, will be agreed with the Controller before any processing by us.

How are Clinical questionnaires/assessment data processed?

During use of the App, you may be asked to complete validated assessments/outcome measures, such as PHQ-9/GAD-7 or RCADS/SDQ/WEMBLS among others, at defined time-intervals. Validated assessments are a proven way to track progress of your well-being. Your assessment responses are calculated and based on the scores are triaged to appropriate resources and encouraged to take external support. Those users with moderate-to-severe scores, as defined by the assessment, will be informed in-app that the App may not be suitable to help and are signposted to our or Institution-approved helplines and services. Assessment responses that trigger an SOS, will be signposted to appropriate emergency helplines.

As a Processor or Sub-Processor, at the request of your Institution (or Controller), we will share your assessment responses, scores and any at-risk safety flags with them for the purposes of your clinical care and safety. Where required, we will also create an aggregated summary of your responses to assessment and clinical questions, without any additional modification or interpretation or decision-making and share it with your Institution.

Do we use passive sensing or location data?

The App does not process any data from your mobile device sensors, including accelerometer, ambient light readings, screen on/off readings and call logs. The App does not process your geolocation at a level that makes your data identifiable. The App may infer your country or state based on your time zone to provide you appropriate resources, such as scheduled reminders.

How do we share your data with third parties?

To provide you with our services, we use third party data processors or sub-processors to help store and process your data. We assess the data processor’s security and privacy practices. We strictly require that they comply with confidentiality and non-disclosure obligations and applicable laws and regulations including relevant Data Protection Laws. We also require that they or their providers (fourth parties) access your data only to the extent necessary to perform tasks on our behalf. We use the following third-party data processors.

How do we handle your mobile App password?

For your privacy and security, you are advised to set your own mobile App PIN to protect unauthorized access of your conversation messages. Your mobile device screen password is your PIN. To extend your device password, use the "Set Lock " feature under the App settings. You can also remove your PIN using the "Remove Lock” option under settings. The PIN that you use is personal to you, and you are responsible for maintaining the confidentiality and security of your PIN. Please keep your PIN safe and do not share it with anyone. The PIN you set remains in your device and is not collected, transferred and stored in our servers.

What data do we process after taking your Consent?

As a Controller, We take your consent to perform the following processing.

How do we handle user incidents and requests?

There may be occasions where you wish to contact us to seek support or make Inquiries. If you contact us directly over email, we will collect minimal personal data to service your request. Your communication data is securely stored in our Google Workspace account with access to only authorized users. We have signed agreements with Google Workspace. We will only use your data to investigate the issue or request asked. Your email will be retained within our system for a maximum of 10 years since last correspondence. We will not spam you or contact you for any direct marketing. We will not share or sell your personal data with any third party disclosure.

Your issues or complaints or requests about the App and services are taken very seriously. You will need to send an email request from your Google or Apple email ID to [email protected]. We will respond to your complaints within 3 business days. Some of your complaints may take longer to resolve. We will continuously provide you with an update until your complaints are satisfactorily resolved.

Where Wysa is a Processor or Sub-Processor, Wysa will forward your email to your Institution (or Controller). Based on your Institution’s direction, your requests or enquiries will get appropriately addressed.

How do We handle data provided during promotions, campaigns and surveys?

We do not promote third party offers as a part of the App experience. Your promotion, campaign, poll, survey or questionnaire responses will never be linked to your App identifiers. Your promotion, campaign, survey submission will reside in our secure Google Workspace account. Google Workspace provided security can be read here. The Google Workspace and marketing account is protected by two step verification. You can opt out at any time from the programme by sending us an email request from your Google or Apple email ID to [email protected]. We will respond to your request within 3 business days. Your submissions will never be shared with a third party without your consent.

How do we handle your data when used for research and analytics purposes?

We use minimal and only the required app use data for research purposes including aggregated data for any publications. This data is completely anonymized using irreversible redaction of user identifiers prior to use. This helps us to improve our product and services and contribute to user-centered mental wellbeing best practices globally.

We never use your longitudinal conversation messages for research and analysis. If at all, only limited messages get selected from specific AI endpoints and used.

You can always write to us at [email protected] to restrict processing and opt-out of your data for research purposes.

If you are part of a clinical study, you can always opt-out of the study by following these steps.

1. Select opt-out from research in the App settings and/or
2. Follow the opt-out process defined by the research Institution.

Where Wysa is a Processor or Sub-Processor, We will adhere to the instructions provided by your Institution (or Controller) when performing research and clinical studies.

Your use of third party weblinks

The App may carry links to third-party websites and resources. When you click on those links, you may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. We encourage you to read the privacy policy and Terms of use of every external link you visit. Please ensure that you are satisfied with their privacy notices before you provide them with any personal data.

What additional processing is performed?

Your data, messages or usage is not used for direct marketing nor is it sold to advertisers. We will update this Privacy Policy and inform you if we perform any additional processing.

How do we secure your data?

The security of your data is very important to us, and we work hard to secure it. We have implemented adequate technical and organizational safeguards to protect your data.

Privacy by Design and Default

1. There is no user registration required. We don’t need it hence we don’t ask for it.
2. Only a nickname is sufficient to help us personalize our conversation with you.
3. We use pseudonymised identifiers to protect your data and identity.
4. No human eavesdrops during your conversation with the AI coach.
5. The AI Coach will always check if it has understood you incorrectly before progressing.
6. We use algorithms that irreversibly redact any inadvertent personal identifiers entering our systems.
7. You can opt-out at any time using the “reset my data” feature available in the App settings.
8. We adhere to the 7 key principles set out by GDPR (see here).
9. We perform Data Protection Impact Assessment (DPIA) for personal data processing.

Security by Design and Default

1. We use TLS and SSL encryption during transfer and AES-256 protocol at rest.
2. Random identifiers are used for all data transactions between AI Coach and our servers.
3. Our systems are secured with role-based access, strong passwords and two-step verification.
4. We enable endpoint security in all staff systems.
5. We review and maintain data processing agreements with our data processors.
6. We have a strict hiring and background verification process in place.
7. We provide regular awareness and training to our staff.
8. We conduct annual 3rd party compliance audits and data protection certifications.
9. We perform regular penetration tests of our Apps and Infrastructure.
10. We conduct regular checks to ensure compliance to our policies.

Certifications and Registrations

1. Wysa is registered with the UK Information Commissioner’s office (ICO)
2. Wysa is UK Cyber Essentials certified
3. Wysa meets standards of the NHS Digital Data Security and Protection Toolkit (DSP Toolkit)
4. The App is registered with UK MHRA as a UKCA-marked Class I medical device
5. Wysa's Information Security Management System (ISMS) and Privacy Information Management System (PIMS) is certified for ISO 27001:2013 and 27701: 2019

No method of electronic transmission or method of data storage is perfect or impenetrable. While we try our best to implement controls to protect your personal data, we cannot guarantee its absolute security. To ensure your data is secure, we require your cooperation as well. Please do not copy and share your conversations with unknown people.

How does the Artificial Intelligence chatbot work and is safe to use?

At Wysa, we use proprietary Artificial Intelligence and Natural Language Processing/Understanding (NLP/NLU) algorithms (“AI”) to understand your messages. NLP/NLU algorithms are classification techniques that are used to understand what you write. This allows the AI to maintain a conversation with you and guide you to appropriate resources. Our values require that our AI used within the App is transparent, trusted, safe and privacy protecting. All the AI used in our Apps are “FIXED” or “CLOSED”, and all chatbot responses to the user are created with clinical input and subjected to detailed safety testing before being deployed. There are no generative (those that 'create' the response to the user on the fly) or adaptive models (those that continually adapt or learn every time on their own) in use. The algorithms run at conversational nodes within a decision-tree structure.

The primary purpose of the AI-based processing is

1. to provide an interactive safe-by-design approach to converse and journal via text with the chatbot.
2. to detect and retain limited context from your messages to personalize and provide empathetic and safe conversations.
3. to detect at-risk situations, such as any SOS, self-harm and abuse triggers, so as to signpost users to clinically validated supportive resources and helplines.

Wysa complies with UK NHS Digital’s DCB 0129 clinical risk management standards to ensure a safe-by-design approach to our AI-based services.

How long do we retain your data including personal data?

We have built proprietary algorithms that detect personal identifiers, that you may voluntarily submit in English during your conversation with AI Coach. These detected identifiers get irreversibly removed within 24 hours within our system.

As a Controller, We may retain one copy of your data if it is reasonably necessary. This could be in any of the following situations:

• To comply with applicable legal and statutory requirements;
• To respond to your requests;
• Based on contractual obligations with your Institution or Subscriber;
• In our backup for a time-bound period;
• To fulfill processing that is in our legitimate interest.

Where not specified we retain your data for a maximum of 10 years since the end of last use and as per our information retention policies.

You can also, at any point of time, delete all your conversation data by using the “reset my data” feature available in the mobile App settings. Refer here in our policy for more details.

As a Processor or Sub-Processor, we will retain your data in our systems until the retention period agreed with your Institution (or Controller). We will retain your personal data only for the minimal period required to service as per your Institution’s instructions. Post the retention period, we will safely and securely delete the data from our systems. You can contact your Institution or email us at [email protected] and request for erasure at any point during your App use. All such requests received directly by us, will be forwarded to your Institution and handled as per their instructions.

International transfer of personal data outside of the country you reside in or are currently located

You understand and agree that we may transfer, store and process your submitted data to a third-party processor. These processors may be based in countries other than the country where you reside. These could be to countries where data protection laws may be less stringent than those from the originating country. We take additional steps in an effort to ensure our international transfer of data is consistent with applicable data protection laws.

Where we transfer data from the United Kingdom we use appropriate safeguards. This includes use of EU / UK Standard Contractual Clauses and UK International Data Transfer Agreement (IDTA) within the Data Processing Agreements.

Minimal data may be transferred across Wysa company locations to provide our Services. We use appropriate technical and organisational measures to protect such transfers.

If you have additional questions about our international transfers of personal data, please contact us at [email protected].

What are your data protection rights?

You have certain rights under the Data Protection Laws in relation to your Personal data. To exercise any of your rights, you will need to send an email request to the contact information provided here. Please note that we may need to verify you before responding to any requests. After verifying you and examining your request, we will respond to you on the action taken within one calendar month from verification. We may at times be unable to address your request, if we are unable to correctly identify you.

Your individual rights requests may be limited, were:

• denial of access is required or authorized by law;
• grant of access would have a negative impact on other's privacy;
• required to protect your, our or other’s rights property or safety;
• the request is unjustified or excessive.

Where Wysa is a Processor or Sub-Processor performing data processing on behalf of your Institution (or Controller), Wysa may redirect your rights-related requests to your Institution for a resolution. We will respond to your request as directed by your Institution.

We handle your rights-related request as detailed below.

Right to be informed
This privacy policy explains and informs you about how we handle your data when you use our apps and services.

Right of access

You have the right to exercise a data access request to know what personal data we hold about you. You have access to view your latest conversations or view your older conversation messages within the Journey tab of the App. You have access to your text-based messages with the Clinician in the Clinician tab of the App. If you exercise your right to delete and reset your data in the mobile App, you will lose the right to access your data as it will be permanently deleted in our system.

Users can write to us at [email protected] for any clarifications or make subject access requests. On receipt, we will review your request, make reasonable efforts to find and retrieve the requested information and respond to you within one month of your request.

Right to rectification

If your personal data is inaccurate or incomplete, you can write to us to correct or complete it. If we share your personal data with third parties, we will inform them about the correction where possible.

Right to restrict processing

You can write to us to restrict processing of your personal data, where you contest the accuracy of the data or object to our processing it. If we share your personal data with third parties, we will inform them about the restrictions where possible.

Right to object

You may write to us and object to the processing of your personal data where we apply our legitimate interest. We may stop unless we can demonstrate compelling legitimate grounds for the processing.

Right to data portability

Users can write to us at [email protected] for any clarifications or requests around their right to data portability. We we will need to accurately verify you, before we can process your request. We may at times be unable to address your request, if we are unable to correctly identify you.

Right to Erasure

When you use the Wysa App and service, you have the option to reset your data by using the “Reset my data” feature in the App settings. Reset my data deletes all your submitted data. Post reset, you will not be able to recover your past data and you will be considered as a new user of the App. Hence, this feature is to be used at your discretion.

You can also write to us to delete or remove your personal data, such as when you withdraw your consent.

Right in relation to automated decision-making and profiling

You have the right to be free from decisions based solely on automated processing of your personal data, including profiling, which may have a significant effect on your rights and freedom, unless such profiling is necessary for entering into, or the performance of our Agreement or with your explicit consent. You have a right to ask us to stop any automated decision making that may affect your rights and freedom. We do not intentionally carry out such activities, but if you do have any questions or concerns, we would be happy to discuss them with you. You can contact us at [email protected]

Other important information

Withdraw Consent

To the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing of your data before we received notice that you wished to withdraw your consent.

Breach notification

If the data breach is likely to result in a high risk of adversely affecting your rights and freedom, we will notify you as required by Data Protection Laws.

Right to non-discrimination

You have the right to not be discriminated against for exercising your privacy rights. Use of our App and services is anonymous and hence We will never knowingly discriminate against you and your rights. You can also write to us for any clarification at [email protected].

Right to opt-out of sale

You have the right to opt-out of the sale or restrict sharing of personal data with third-parties who intend to license or sell your personal data. We do not sell any personal data, nor do we have actual knowledge of any sale of personal data of minors. You can also write to us for any clarification at [email protected].

Concerns and Complaints

If you have any concerns or grievances about this Privacy Policy you will need to send an email request from your Google or Apple email ID to [email protected] with Attn. to our Head of Compliance. We have appointed our Head of Compliance as our data protection officer (DPO). We will respond to you within 48 hours and help resolve your concerns or complaints. We assure you a time-bound resolution not exceeding one month from the date of your complaint.

If you are not satisfied with our resolution, you have the right to complain to a Data Protection supervisory authority in your country or state of residence. We will fully cooperate with the supervisory authority. You can raise a complaint with the UK ICO by following the process outlined here. Contact details for Data Protection Authorities in the EU are available here.

What are the controls for Do-Not-Track features?

Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. We do not respond to DNT signals transmitted by web browsers.

Can children use Everyday Mental Health by Wysa App?

The App is intended for use only for those authorised or prescribed by your Institution. The App is not to be used by children below your Institution prescribed age. Wysa does not take responsibility for any misrepresentation of age and use.

There is a special necessity to protect children's privacy on the App. We do not knowingly collect any personal data from children.

Write to us if you think we have collected any personal data of your child. We will respond to you within one calendar month from verification. We may at times be unable to address your request, if we are unable to correctly identify the user. We will deactivate the child’s account, if we find we have been collecting personal data from your child. Upon identification we will take reasonable measures to promptly delete such personal data from our records.

We encourage parents and legal guardians to monitor their children’s Internet usage. To help enforce our Privacy Policy by instructing their children to not provide any personal data without their permission. Do not share your credit/debit card or other payment instrument with your child to make any in-app purchase.

How to contact for additional questions, comments or concerns?

For any product, services, or technical issues, please contact us at [email protected] with your questions.

Our mail address for all communication is:

UK Office:
WYSA LTD
Plus X Innovation Hub,
Lewes Rd, Brighton BN2 4GL
UK

India Office:
Touchkin eServices Private Limited
1st Floor, Manjusha, No 532
16th Cross, 2nd Main Road, 2nd Stage
Indiranagar, Bengaluru, 560038
Karnataka, India

USA Office:
Wysa Inc.
Industrious Boston,
3rd floor, 111 Dartmouth St,
Boston 21116

Can Non-English speaking users use the Everyday Mental Health by Wysa App?

The App has been built and is currently provided only for English language users.

To ensure wider reach, Wysa will, in the near future, launch the App in other international languages. We will keep you updated on this development.

What are some Best Practices to follow to keep your devices secure?

You are also responsible for helping to protect the security of your personal data. You are responsible for maintaining the security of any personal computing device on which you utilize the Services.

The NCSC Gov.UK provides guidance on how You can improve Your online security. The UK ICO provides practical advice for protecting Your personal data online and when using computers and other devices. These can be found at the links below.

Cyber Aware - NCSC.GOV.UK

Online and electronic devices | ICO

Wysa strongly believes in security and safety of data in your mobile device. As a responsible Service provider, we like to share important device-based security data for your attention.

• Always lock your mobile screen by setting a password. Use strong passwords and keep passwords private. Never leave your device unattended.
• Always extend your mobile screen password to set an App PIN to keep your conversations with the App private.
• Always keep your mobile operating system up-to-date.
• Enable remote access of your devices to enable you to locate and control your devices remotely in the event your device gets stolen.
• Install anti-virus software to protect against virus attacks and infections
• Avoid phishing emails. Do not open files, click on links or download programs from an unknown source.
• Be wise about using Wi-Fi. Before you send personal and sensitive data over your laptop or mobile device on a public wireless network in a coffee shop, library, airport, hotel, or other public place, see if your data will be protected.

Changes to this Privacy Policy

We may modify our Privacy Policy from time to time for various reasons including to improve our privacy practices, to ensure our users right to be Informed, to reflect changes to our service, and to comply with relevant laws. If and when this policy is changed, we will post the new notice on our Website and the App and notify you through an in-app notification or as otherwise required by relevant law. It is your responsibility to check our Website and our App periodically for updates or changes to the policy. We encourage you to review changes carefully. If the changes to the Privacy Policy include changes to the collection, storing or processing your personal data in a way that infringe into your privacy, we will notify you clearly about the same where required by the applicable laws and regulations. If you agree to the changes, then please continue to use our service. If you, however, do not agree to any of the changes and you no longer wish to use our service, you may choose to unsubscribe or uninstall our App. Continuing to use our App and services after a notice of change has been communicated to you or published constitutes your acceptance of changes and consent to the modified Privacy Policy.

Severability and Exclusion

We have taken every effort to ensure that this Privacy Policy adheres with the applicable Data Protection Laws. The invalidity or unenforceability of any part of this Privacy Policy shall not prejudice or affect the validity or enforceability of the remainder of this Privacy Policy. This Privacy Policy does not apply to any data other than the data collected by Wysa while providing the services.

Changes Log