Privacy Policy

Your privacy and data security are fundamental to our mission. This policy explains how we collect, use, and protect your personal and health information.

Last updated: December 15, 2024

Important Notice

MentalSynch ("we," "us," or "our") is committed to protecting your privacy and maintaining the confidentiality of your personal and health information. This Privacy Policy applies to all users of our platform and describes our practices regarding the collection, use, storage, and disclosure of your information.

By using MentalSynch, you consent to the practices described in this Privacy Policy. If you do not agree with our practices, please do not use our services.

Information We Collect

Personal Information: Name, email address, phone number, date of birth, gender, and profile information
Health Information: Mood entries, sleep patterns, therapy session notes, assessment responses, and wellness data
Technical Information: IP address, browser type, device information, operating system, and usage analytics
Communication Data: Messages with AI assistant, communications with healthcare professionals, and support interactions
Payment Information: Billing address, payment method details (processed securely through Stripe)
Integration Data: Health data from connected wearable devices and third-party health applications

How We Use Your Information

Provide and improve our mental health services and AI-powered features
Personalize your experience and deliver targeted wellness recommendations
Facilitate communication with licensed healthcare professionals
Monitor platform usage and ensure service security and integrity
Process payments and manage subscription services
Send important service notifications and updates
Comply with legal obligations and respond to lawful requests
Conduct research and development to enhance our platform (anonymized data only)

Data Security & Protection

End-to-end encryption for all sensitive health communications
HIPAA-compliant data storage and transmission protocols
Regular security audits and penetration testing
Multi-factor authentication and access controls
Secure cloud infrastructure with redundant backups
Employee training on data privacy and security protocols
Incident response procedures for potential data breaches
Regular software updates and security patches

Information Sharing

Licensed Healthcare Providers: Only with your explicit consent for treatment purposes
Emergency Situations: When required to prevent imminent harm or danger
Legal Compliance: As required by law, court orders, or government regulations
Service Providers: Trusted third parties who assist in platform operations (under strict confidentiality agreements)
Business Transfers: In case of merger, acquisition, or sale of assets (with notice to users)
Research Partners: Anonymized, aggregated data for mental health research (opt-in basis only)
We NEVER sell your personal or health information to third parties for marketing purposes

Your Privacy Rights

Access: Request copies of your personal data we maintain
Correction: Update or correct inaccurate personal information
Deletion: Request deletion of your account and associated data
Portability: Receive your data in a machine-readable format
Restriction: Limit how we process your personal information
Objection: Object to certain types of data processing
Withdraw Consent: Revoke previously given consent at any time
Complaint: File complaints with relevant data protection authorities

International Data Transfers

Data may be transferred to and processed in countries outside your residence
We ensure adequate protection through approved transfer mechanisms
Standard Contractual Clauses for EU data transfers
Adherence to Privacy Shield principles where applicable
Regular monitoring of international data protection standards

Data Retention

Account data: Retained for the duration of your account plus 3 years
Health data: Retained for 7 years after account closure for medical records compliance
Payment data: Retained for 7 years for tax and accounting purposes
Communications: Retained for 3 years after last interaction
Technical logs: Retained for 1 year unless required for security investigations
Marketing data: Retained until you opt-out or for 3 years from last interaction
Legal holds: Data may be retained longer when required by law or legal proceedings

Children's Privacy

Services are not intended for children under 13 years of age
We do not knowingly collect personal information from children under 13
Users aged 13-17 must have parental consent before using our services
Parents have the right to review and delete their child's information
Special protections apply to minors' health information
Parents can contact us to request deletion of their child's data
We comply with COPPA (Children's Online Privacy Protection Act) requirements

Data Breach Response

Immediate containment and assessment of any security incidents
Notification to affected users within 72 hours of discovery
Notification to regulatory authorities as required by law
Detailed incident reports provided to affected users
Free credit monitoring services for significant breaches
Regular security audits and penetration testing
Employee training on data breach prevention and response

California Privacy Rights (CCPA)

Right to know what personal information is collected and how it's used
Right to delete personal information (with certain exceptions)
Right to opt-out of the sale of personal information (we don't sell data)
Right to non-discrimination for exercising privacy rights
Right to request specific pieces of personal information
Designated methods for submitting privacy requests
Response to requests within 45 days (extendable to 90 days)

European Privacy Rights (GDPR)

Right of access to your personal data
Right to rectification of inaccurate data
Right to erasure ('right to be forgotten')
Right to restrict processing
Right to data portability
Right to object to processing
Rights related to automated decision-making and profiling
Right to lodge a complaint with supervisory authorities

Automated Decision Making

We use AI for personalized treatment recommendations
Automated systems assess risk factors and wellness indicators
Human oversight is maintained for all critical decisions
You have the right to request human review of automated decisions
Algorithms are regularly audited for bias and accuracy
Transparency reports available for automated decision-making processes
Right to explanation of automated decisions affecting you

Third-Party Integrations

Wearable device integrations (Apple Health, Google Fit, Fitbit)
Payment processing through Stripe (PCI DSS compliant)
Cloud storage with AWS/Google Cloud (encrypted at rest and in transit)
Video conferencing through secure, HIPAA-compliant platforms
Analytics through privacy-focused tools (anonymized data only)
Email services through secure, encrypted providers
All third parties are contractually bound to protect your data

Data Retention

We retain your personal information only as long as necessary to provide our services and comply with legal obligations:

• Account data: Until account deletion + 30 days
• Health records: 7 years (as required by healthcare regulations)
• Communication logs: 3 years
• Payment records: 7 years (for tax and audit purposes)
• Analytics data: 2 years (anonymized)

Children's Privacy

MentalSynch is not intended for children under 13 years of age:

• We do not knowingly collect data from children under 13
• Users 13-17 require parental consent
• Special protections apply for minor users
• Parents can request deletion of minor's data

Policy Changes

We may update this Privacy Policy from time to time:

• Users will be notified of material changes
• 30-day notice period for significant changes
• Continued use constitutes acceptance
• Version history available upon request

Contact Information

For privacy-related questions or to exercise your rights:

Privacy Officer

• Email: privacy@mentalsynch.com
• Phone: +2547 06 848263
• Response time: Within 5 business days

Legal Department

• Email: legal@mentalsynch.com
• Address: 123 Wellness St, Health City, HC 12345
• For legal notices and GDPR requests

Data Protection Officer (EU)

• Email: dpo@mentalsynch.com
• For EU/GDPR specific inquiries
• Direct line to supervisory authorities

Legal Disclaimers

Medical Information

MentalSynch is not a substitute for professional medical advice, diagnosis, or treatment. Always seek the advice of your physician or other qualified health providers with any questions you may have regarding a medical condition.

Emergency Situations

In case of a medical emergency, call 911 (US) or your local emergency number immediately. MentalSynch is not intended for emergency situations.

Liability Limitations

While we implement robust security measures, no system is 100% secure. We limit our liability to the extent permitted by law for any data breaches or security incidents.

Policy Updates & Notifications

We will notify you of material changes to this Privacy Policy:

• Email notification to all registered users
• Prominent notice on our website for 30 days
• Push notifications for mobile app users
• Option to download previous policy versions
• Continued use after notice period indicates acceptance
• Right to close account if you disagree with changes

Effective Date & Version

This Privacy Policy is effective as of December 15, 2024 and represents version 3.0 of our privacy practices. Previous versions are available upon request.

Version:3.0

Last Updated:December 15, 2024

Next Review:June 15, 2025

Regulatory Compliance

HIPAA Compliant

Full compliance with Health Insurance Portability and Accountability Act

GDPR Compliant

Adheres to General Data Protection Regulation for EU users

CCPA Compliant

Complies with California Consumer Privacy Act requirements