PRIVACY AND PERSONAL INFORMATION POLICY

Sharing Your Information

We respect your privacy and, in general, will share personal information about you only with your consent, to fulfill the purposes described above, or as required by law. When we share data, we do so under agreements that oblige recipients to keep it secure and confidential. We do not currently maintain a public list of subprocessors. However, a full list of major third-party service providers (e.g., Firebase, Paystack, PayPal) is available upon request. All providers are vetted for privacy and security before integration. The main categories of recipients of your data are:

• Service Providers (Processors): These are third-party companies that help us operate the Platform and provide our services to you. We only share information with them to the extent necessary for them to perform their functions, and they are contractually required to protect it and use it only for our specified purposes. Key service providers include:
   

  • Cloud Storage and Hosting: We utilize reputable cloud infrastructure to store and manage data (for example, Google Firebase for our databases and authentication). Your personal information is stored on secure servers managed by these providers. Firebase services encrypt data in transit and at rest, helping protect your data (see Data Security below for more).
     

  • AI Service Provider: As noted, our AI Journal feature sends journal text to the Google Gemini API (a service by Google) to generate AI responses. Google, acting as our processor for this service, is contractually bound to privacy and security commitments. The data is used to provide the AI functionality and not for Google’s independent purposes without permission.
     

  • Payment Processors: When you make purchases, Paystack, PayPal, Payhip, or other payment gateways process your payment information. They receive your payment card details or bank info directly to complete the transaction. We share with them the transaction details (amount, currency, product) and your identifying info to link payment to your account. These processors are PCI-DSS compliant and do not use your data for other purposes. We do not store your full card numbers or bank account passwords on our systems.
     

  • Email and Communication Tools: We may use third-party email services or in-app messaging services to send you notifications, support messages, or newsletters (for example, an email service platform to send out our newsletter, or Firebase Cloud Messaging for push notifications). These providers would have access to your email or device token solely for sending messages on our behalf.
     

  • Analytics Providers: We use tools like Google Analytics and Firebase Analytics to understand how our users interact with our Platform. These tools may set cookies or collect Technical and Usage Data (such as IP address, device info, and usage patterns). They compile reports for us on user activity and trends. We have configured these analytics services to respect privacy as much as possible (for example, by anonymizing IP addresses where feasible and not sharing any personally identifying user content). Google Analytics may use the data collected to contextualize and personalize ads on its own advertising network, but we do not share information with Google that directly identifies you. You can opt-out of Google Analytics by installing the Google Analytics opt-out browser add-on, or by using your browser’s Do Not Track features (see Analytics and Tracking below for more).
     

  • Other Technical Partners: We might use additional partners for specific functionalities, such as video conferencing tools for online workshops, scheduling tools for booking sessions, or content hosting for course materials. For instance, if a Workshop is delivered via a Zoom webinar, and you register, we would share your name/email to send the invite. All such partners are chosen for their trustworthiness and are only given the minimum data necessary.
     

• Professional or Organizational Accounts: If you are using the Platform through a connection with a professional or an organization (e.g., your therapist, coach, employer, or school):
   

  • With your consent, we share relevant information with that professional or organization to facilitate the service. As described earlier, this could include engagement and outcome data like assessment scores, completion of activities, or aggregated usage reports. We will not share the personal details of your communications or journal entries with a third party unless you choose to disclose them.
     

  • For example, if your employer sponsors a wellness program via our app, they might get quarterly reports such as “X% of employees are actively using the app” or average improvements in well-being scores company-wide. These reports will be in aggregate form and will not reveal individual user identities or individual specifics without consent. If an employer asks for individual data, we would only provide it if you have explicitly agreed (typically, workplace programs should have their own consent process for any personal monitoring).
     

  • If a therapist or coach invited you, and you accepted to link with them on the app, that professional will see your name, some profile info, and your progress metrics. They are bound by confidentiality to handle that data appropriately. We may also inform them if you disconnect or delete your account (so they know they no longer have access).
     

  • We do not provide your contact information to an organization or professional for marketing or unrelated purposes without your consent. Any third party with whom you engage via our Platform should have their own privacy commitments to you as well.
     

• Affiliates and Partners within Psyche Innovations: We may share information with any subsidiaries, parent company, or affiliates of Psyche Innovations (if we have a corporate family) as needed to run our business. Currently, Psyche Innovations (Pty) Ltd is the primary entity. If in the future we establish branches or affiliates in other regions, they may receive data to assist in operations (and will treat it under the same Privacy Policy terms). Internally, access to personal data is restricted to employees or contractors who need it for their job roles (e.g., tech support, development, customer service), all of whom are bound by confidentiality.
   

• Affiliate Marketing Program (Referral Partners): Psyche Innovations may run an Affiliate Program where third parties (individuals or organizations) promote our Platform to others in exchange for a commission or referral benefit. If you sign up using an affiliate’s referral link or code:
   

  • We will share information with the affiliate about the referral’s success. Typically, this is limited to confirming that someone signed up and made a purchase using their link/code, along with the value of the purchase so we can calculate their commission. For example, we might tell Affiliate A that they referred one new subscriber on a given date on our basic plan.
     

  • What we do NOT share: We generally do not send personal details like your full name or contact to the affiliate, unless it’s necessary and you have been informed (for instance, some affiliates are professionals who gave you the link personally – in that case they obviously know who you are, but we still wouldn’t send any additional data beyond what they brought in). The affiliate will know the referral is their client or audience member, but they are not provided with your usage data or any sensitive information from your use of the Platform.
     

  • Affiliates are independent entities, not employees of Psyche Innovations. However, they are required to sign a separate Affiliate Agreement which includes terms to protect privacy. They must agree not to misuse any information and to comply with applicable privacy laws. We also use tracking technologies (like cookies or unique URLs) to manage the affiliate program – see Analytics and Tracking below.
     

  • Commission structures may vary per affiliate, but this does not affect how your data is handled. If you want to know whether someone promoting the app will receive a commission for your sign-up, they should disclose that to you as part of fair marketing practices.
     

• Legal and Compliance Recipients: We may disclose personal information to third parties when required by law or necessary to protect rights, property, or safety:
   

  • Law Enforcement / Regulators: If we are served with a subpoena, court order, or legal process that compels the disclosure of user data, we may need to comply after verifying the request’s validity. We will attempt to notify you of such requests when allowed, unless we are legally prohibited or the request is an emergency.
     

  • We may share information with government authorities or agencies (such as the South African Information Regulator, or authorities under anti-money laundering, anti-fraud, or child protection laws) if required to comply with legal obligations.
     

  • Emergency Situations: If we believe someone is at risk of serious harm and we have data that could help (for instance, information about a threat of self-harm or harm to others gleaned from the Platform), we might share relevant information with appropriate authorities or individuals in order to help prevent harm. We would only do this in extreme, good-faith situations where privacy must be balanced with immediate safety.
     

• Professional Advisors and Auditors: We may share personal data as necessary with our professional service providers, such as lawyers, accountants, insurers, or auditors. This would only be done under strict confidentiality and for legitimate business purposes – for example, disclosing certain records to our auditors during a financial audit, or to lawyers for advice in case of a legal matter. These parties are bound to keep such information confidential and use it only for the purpose of their professional services to us.
   

• Business Transfers: If Psyche Innovations undergoes a business transaction such as a merger, acquisition by another company, reorganization, or sale of all or part of its assets, personal information may be among the assets transferred to or reviewed by involved parties. We would ensure that any such party agrees to protect personal information in a manner consistent with this Privacy Policy and applicable law. If a transfer results in a material change in how your information will be used, we will provide you with notice and choices as appropriate. Your information will continue to be governed by the promises in whatever Privacy Policy was in effect at the time of collection, unless you consent otherwise.
   

We strive to limit the personal information we share to what is directly relevant and necessary for the intended purpose. Whenever personal data is shared with a third party, we seek to ensure that they have appropriate privacy and security measures in place. If you have questions about third parties we work with, you can contact us for more information.

Analytics and Tracking

We use cookies and similar tracking technologies to understand how our Platform is used and to enhance your experience. Here’s an overview of how we use these technologies and how you can control them:

• Cookies: A cookie is a small file placed on your device that allows us to recognize your device and remember certain information about your visit. We use cookies (and local storage in the app) for purposes such as:
   

  • Keeping you logged in as you navigate through different parts of the app or site.
     

  • Remembering your preferences (e.g., your chosen language or notification settings).
     

  • Gathering analytics about usage (through third-party tools like Google Analytics). For instance, cookies help count how many unique users visit a certain page or use a feature, and how often they return.
     

  • Tracking the effectiveness of our marketing or referral campaigns. If you came to our site via an affiliate link or an online ad, cookies help record that referral so we can credit the appropriate partner and understand which campaigns are working.
     

• Google Analytics & Firebase: We use Google Analytics on our website and Firebase Analytics in our mobile app to collect information about user interactions. These services use cookies or mobile identifiers to collect data such as your IP address, device info, and usage information. They provide reports that help us see overall trends (like which content is most popular, how users progress through the app, what countries our users are from, etc.). Importantly:
   

  • We have enabled settings to reduce the identifiability of this data where possible (for example, Google Analytics IP anonymization).
     

  • Google Analytics may set its own cookies. Google’s ability to use and share information collected by Google Analytics about your visits is governed by the Google Analytics Terms of Use and Google’s Privacy Policy. You can opt-out of Google Analytics tracking by using the Google Analytics Opt-Out Browser Add-on which prevents data from being used by Google Analytics.
     

  • Firebase Analytics is integrated in the app; if you do not want to be part of analytics, you can usually disable sharing of analytics data in your device settings or by contacting us to find if we can offer an opt-out. Note that doing so might limit our ability to diagnose issues for you.
     

• Affiliate Tracking: If you use an affiliate link to visit our site, a specific tracking cookie or URL parameter will record that an affiliate referred you. This cookie typically lasts for a certain duration (e.g., 30 days) and helps us identify if you sign up within that period after clicking the link. The information stored might include an affiliate ID and a timestamp – it does not usually include your personal details. When you sign up or make a purchase, our system checks for this cookie/ID to attribute the referral. As mentioned, the affiliate will know someone signed up using their link, but they do not get your personal data from the cookie.
   

• Other Tracking Technologies: We may use other tools like web beacons (small graphic images in emails or on web pages) to tell us if an email was opened or a link was clicked. This helps us gauge the effectiveness of our communications. In the mobile app, we may use device identifiers and SDKs that serve a similar function to cookies (since cookies per se aren’t used in native apps the same way). These help with push notification delivery, crash reporting (e.g., using Firebase Crashlytics), and in-app analytics.
   

Your Choices: Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies or alert you when cookies are being used. However, please note that if you disable cookies entirely, our website may not function properly (for example, you might not be able to log in or use certain features). In the app, device operating systems (iOS, Android) have settings to limit ad tracking and sometimes analytics tracking; you can adjust those in your privacy settings on the device.

You can also periodically clear cookies from your browser or reset the advertising identifier on your mobile device to reduce profiling.

We currently do not respond to “Do Not Track” (DNT) signals because there is not yet a common standard for DNT. If a universal standard is adopted, we will adjust our practices accordingly.

We do not have a separate Cookie Policy. All cookie-related information is provided in this Privacy Policy. By continuing to use the Platform, you accept our use of cookies for essential functionality and service improvement.

Data Ownership and Control

You own your data. We want to be clear that any personal data, content, or information you provide to us remains your information. We do not claim ownership of the content you input into our Platform – whether it’s journal entries, assessment responses, or any other material you create.

What does this mean in practice?

• Your Rights over Content: You have control over your personal content. You can access it, correct it, and request deletion of it (subject to some exceptions discussed under Your Rights below). For example, you can edit or delete a journal entry you wrote, or update information in your profile. If you ever decide to discontinue using our services, you can request that we delete your personal data (and, unless we have a lawful reason to retain it, such as a legal obligation, we will delete it as requested).
   

• Our Use of Your Content: When you use our Platform, you give us permission (a license) to process your data and content solely for the purposes of operating and improving the services. We do not use your individual personal content for any purpose outside the scope of providing our services to you without your permission. For example, we won’t take your journal entries and publish them, or use your data in advertising, or share your raw, identifiable data with third parties for their own uses.
   

• No Unauthorized Access: Our team at Psyche Innovations does not access or look into your personal content (such as journal entries or assessment results) on an individual basis except in a few exceptional scenarios:
   

  1. With Your Explicit Request or Permission: For instance, if you reach out to customer support with a specific concern about your data (say, a lost journal entry or a strange assessment result) and ask for help that requires accessing your data, we would only do so with your consent and only to the minimal extent necessary to resolve your issue.
      

  2. For Security or Legal Compliance: If required to investigate a breach of our terms, a security incident, or a legal obligation, limited authorized personnel might access relevant data, but even in these cases, we try to avoid accessing more data than needed and will document and handle it with strict confidentiality.
      

  3. If Required by Law: As described earlier, if a law enforcement demand forces us, we may have to disclose certain data, but we will push back and seek to limit any such disclosure to what’s legally required.
      

• Aggregate Insights: We may use aggregated and anonymized information derived from user data to improve and understand our services. For example, analyzing average mood improvements or common journaling themes across many users can help us enhance the Platform’s content and features. However, this analysis will not focus on any individual, and personal identities are removed or obfuscated. Any research or reports we publish will contain only non-identifiable information (e.g., “20% of users use the journal daily”) unless we have asked for and obtained your consent to quote or share something identifiable.
   

• No Sale of Personal Data: We do not and will not sell your personal data. “Selling” in this context means sharing personal information with third parties for monetary or other valuable consideration for their own commercial purposes. We also do not share your personal data with third parties for their direct marketing purposes unless you give us permission.
   

• New Features and Consent: If in the future we introduce a new feature that would use your data in a way not covered by this Privacy Policy, we will update this Policy and notify you, and if required by law, obtain your consent. You have the choice to opt out of new data uses if those go beyond the original purposes.
   

In summary, you remain in control of your personal information. We view ourselves as custodians or stewards of your data – our role is to keep it secure and use it only to provide the service you expect. If you ever have concerns about how your data is being used or who has access to it, please contact us and we will be happy to provide clarification or address the issue.

International Data Transfers

Psyche Innovations is based in South Africa, but we serve a global user base. The personal information we collect from you may be transferred to, stored in, or processed in countries other than your own. In particular, our servers and service providers may be located in South Africa, the United States, the European Union, or other countries. For example:

• Our primary databases (Google Firebase) might be hosted on servers in the US or EU (Google allows selection of data regions; we use these services in compliance with South African law and, where applicable, EU standard safeguards).
   

• The Gemini AI service (for the AI Journal) is operated by Google, which may process data in the United States or other locations where Google operates its infrastructure.
   

• Payment processors and other third parties may be based in various countries (PayPal is global, Paystack is based in Nigeria with global reach, Payhip is based in the UK, etc.).
   

• If you are located outside of South Africa, your data will likely be transferred to South Africa and/or other countries for processing.
   

Data Protection in Transfers: Whenever we transfer your personal information across borders, we take steps to ensure it remains protected:

• We will only transfer data to countries that have been deemed to provide an adequate level of data protection or where we have put in place appropriate safeguards. For example, if we transfer data from South Africa or other jurisdictions to another country, we may rely on legal mechanisms such as standard contractual clauses (SCCs) or similar agreements approved for data protection. These are contractual commitments between our service providers and us to protect personal data.
   

• Our service providers are vetted for strong security practices and privacy compliance. Many of our key providers (like Google) comply with frameworks like the EU-U.S. Data Privacy Framework or have SCCs in place for international transfers, as well as binding corporate rules or other certifications.
   

• We also may rely on your consent for certain transfers when required by law. By using our Platform or submitting your personal information to us, you consent to the transfer of your information to countries outside of your country of residence, including South Africa and the United States. We will inform you and seek separate explicit consent if a specific transfer is required in a way that doesn’t fall under other safeguards.
   

Jurisdiction-Specific Considerations: Different countries have different privacy laws. We strive to uphold a high standard of privacy protection no matter where data is processed. However, there may be cases where local laws require access by authorities (for example, under U.S. law, data stored by Google could be subject to lawful U.S. government requests). Where possible, we will attempt to redirect any such requests to the jurisdiction of origin (for instance, if a U.S. authority seeks data about an EU user, we would typically insist they use international legal channels).

If you have questions about international data handling or want more information about our data transfer safeguards, please contact us. Users in certain regions (like the EU/UK) have the right to request details about the safeguards we have in place – we’re happy to provide them.

Data Security

We take the security of your personal information very seriously. We have implemented a combination of administrative, technical, and physical safeguards to protect your data from unauthorized access, alteration, disclosure, or destruction. Here are some key measures we employ:

• Encryption: All data transmitted between your device and our servers is encrypted in transit using TLS/SSL (HTTPS). This means that when you use the app or website and provide information, it’s encoded to prevent eavesdropping. Additionally, our databases and storage implement encryption at rest. For example, data stored in Google Firebase is encrypted on disk. Sensitive fields (like passwords) are further protected (passwords are hashed and salted, not stored in plain text).
   

• Access Controls: We restrict access to personal data to authorized personnel only. Our employees and contractors who need to process your data in order to operate the service (for example, a support specialist helping resolve a technical issue) can only do so with secure authentication and are granted the minimum access necessary. We employ a principle of least privilege and regularly review access rights. All staff with such access are bound by confidentiality obligations.
   

• Secure Infrastructure: We use reputable cloud service providers known for robust security practices (such as Google Cloud Platform). These providers maintain high levels of physical and network security, including firewalls, intrusion detection systems, and regular security audits. Our servers are kept up to date with security patches to protect against vulnerabilities.
   

• Monitoring and Testing: We monitor our systems for possible vulnerabilities and attacks. We use security tools and practices such as:
   

  • Regular backups of critical data (encrypted) to prevent data loss and to enable recovery in case of any data corruption.
     

  • Logging and monitoring of access and actions within our systems to trace and respond to any irregular behavior.
     

  • Periodic security assessments and, where appropriate, penetration testing by ourselves or external experts to identify and address potential weaknesses.
     

  • Utilizing Firebase Security Rules and other built-in protections to ensure that data is only fetched by the users authorized to access it (for instance, your journal entries are only retrievable by your authenticated user account).
     

• Protecting Payment Information: As noted, we do not store sensitive payment card details on our servers. Our payment processing partners are certified to handle financial data securely (PCI DSS compliant, etc.). For example, when you enter card details on our checkout, you are actually inputting them into the payment provider’s secure form. We receive a token or reference back, which is useless to anyone except us and the provider, ensuring your actual card number remains secret.
   

• Device and Account Security: We strongly encourage you to use a strong, unique password for your account and to keep your login credentials confidential. We also recommend enabling any available security features on your device (such as a lock screen PIN, biometric lock, etc.) to prevent unauthorized access to the app. If you suspect that your account has been compromised, please change your password immediately and contact us for assistance.
   

• Training and Policies: Our team is trained on data protection best practices. We have internal policies in place to ensure we handle user data safely and in accordance with this Privacy Policy and applicable laws. This includes protocols for data handling, breach response, and confidentiality agreements with all employees and contractors.
   

Despite all these efforts, it’s important to note that no system can be 100% secure. The transmission of information via the internet is not completely risk-free. While we do our best to protect your personal data, we cannot guarantee absolute security. Users also have a role to play in security – please be mindful of not sharing your account information and understand that email or messaging communication with us might not be encrypted end-to-end (so avoid sending highly sensitive info via general email if not necessary).

Data Breach Procedures: In the unlikely event of a data breach (meaning personal information has been accessed by unauthorized parties), we have a response plan to contain and assess the breach. We will notify affected users and relevant authorities as required by law. For example, under South African law (POPIA) and other jurisdictions’ laws, we may be obligated to inform the Information Regulator or other regulators and the individuals impacted. We will provide timely notice including, to the extent known, a description of the breach, the data involved, and any steps we are taking to mitigate the effects and prevent future occurrences. We will also advise on steps you may need to take to protect yourself (such as changing passwords or being vigilant against phishing).

If you have any concerns about the security of your data, or if you believe your interaction with our Platform is no longer secure (for example, if you feel your account has been compromised), please contact us immediately.

Data Retention

We retain personal information for as long as necessary to fulfill the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements. In general:

• If you have an active account, we will retain your information for as long as your account remains active. This allows you to continuously have access to your data (e.g., your journal history, progress, and purchases) over time. We do not impose a fixed expiration on user accounts or content; many users value the ability to look back on their long-term progress.
   

• We do not currently delete accounts based on inactivity. This means we will keep your data stored until it is no longer needed or you ask us to remove it. For example, if you stop using the app but do not delete your account, your data may remain on our servers in case you return, unless we have a policy of cleaning up inactive accounts after a very long period (if we implement such a policy in the future, we will update this section).
   

• If you request deletion of your data or account, we will promptly take action to remove or anonymize your personal information, except for any data we are required or permitted to keep by law (see exceptions below). Account deletion results in removal of personal identifiers and content associated with you, making it no longer accessible to you or others on the Platform. We will also ensure that third-party processors we control are instructed to delete your data from their systems as well.
   

• Aggregate or Anonymized Data: As mentioned, we might retain and continue to use data that has been aggregated or anonymized such that it is no longer associated with any identifiable user. For instance, overall usage statistics or research results can be kept indefinitely, since they no longer contain personal information.
   

• Backup and Residual Copies: Even after deletion, your data might persist in secure backups for a short period. Our policy is to periodically purge or overwrite backups. During that interim, your data would not be active in our systems but could technically exist in encrypted backup storage. We will ensure it’s fully purged in a reasonable time frame according to our backup retention schedule.
   

• Legal & Operational Retention Requirements: We may retain certain pieces of information for longer if necessary for:
   

  • Compliance with Laws: For example, financial records (invoices, payments) are often legally required to be kept for a number of years (such as 5-7 years for tax/regulatory audits, depending on jurisdiction).
     

  • Dispute Resolution: If there’s an ongoing issue, investigation, or legal claim involving your data, we will retain the relevant information until it is resolved.
     

  • Enforcement of Agreements: We might keep data to enforce our agreements or to address violations (e.g., banning a user for misconduct might require us to keep a record of that user’s basic info or IP to block re-registration).
     

  • In all such cases, we will keep only what is necessary and for only as long as necessary. We also ensure that any retained data remains protected even if it’s not actively being used.
     

When we no longer have a legitimate need or legal obligation to retain your personal information, we will securely delete it or anonymize it so it can no longer be associated with you.

If you have specific questions about our data retention practices (for example, if you want to know if we still have information from a certain time), please contact us. We can provide more detail or assist in making sure your preferences for data handling are met.

Your Rights and Choices

You have certain rights and choices regarding your personal information. We are committed to upholding these rights and facilitating your exercise of them. Your principal rights (which may apply under data protection laws like GDPR, POPIA, and similar regulations) include:

• Right of Access: You can request confirmation of whether we are processing your personal information, and if so, ask for a copy of the personal data we hold about you. This is sometimes called a Data Subject Access Request. We will provide you with a copy of your data in a common format, and also explain details such as why we have that data, how it’s used, and who it’s shared with, to the extent required by law.
   

• Right to Rectification: If any of your personal information is inaccurate or incomplete, you have the right to request that we correct or update it. You can also make many changes yourself in your account profile (for example, updating your contact info or changing settings). We encourage you to keep your information up to date and will promptly make corrections based on your instructions.
   

• Right to Erasure: You have the right to request deletion of your personal data (“right to be forgotten”). You can delete certain data directly (e.g., remove content you’ve posted). For full account deletion, you may need to contact us. Upon verification of your request, we will delete or anonymize your personal information from our active systems, unless an exception applies (such as an ongoing legal obligation to retain certain data). Keep in mind, if you request deletion, you will lose access to data that we remove (e.g., you won’t be able to recover your journal entries later). We will inform you if any data cannot be fully deleted and explain why.
   

• Right to Restrict Processing: You can ask us to limit the processing of your data in certain circumstances. For example, if you contest the accuracy of data, you can request we refrain from using it until we verify its accuracy; or if you object to a certain processing, you can ask that we hold the data but not use it further (just storing it) while the issue is resolved. When processing is restricted, we will still store your data but not actively use it.
   

• Right to Object: You have the right to object to our processing of your personal information when that processing is based on legitimate interests or public interest, and you have particular grounds to object based on your specific situation. You also have the absolute right to object to your data being used for direct marketing purposes. If you object to marketing, we will stop using your data for that purpose immediately. If you object to other processing, we will consider your objection and whether our legitimate grounds for processing outweigh your rights and interests.
   

• Right to Data Portability: You have the right, in certain cases, to receive your personal data in a structured, commonly used, and machine-readable format, and to have that information transmitted to another service provider (where technically feasible). This applies to data you provided to us and that we process by automated means, based on your consent or a contract. In practice, if you request it, we can provide you with an export of your data (for example, a JSON or CSV file of your key account data, journal entries, etc.) so you could port it elsewhere.
   

• Right to Withdraw Consent: Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. For instance, if you initially consented to share your data with a coach or to receive marketing emails, you can later change your mind. Withdrawing consent will not affect the lawfulness of any processing we already performed based on your consent before it was withdrawn. It may, however, mean that we can no longer provide certain services (for example, if a feature requires your consent to function, disabling it might limit that feature). We will advise you if this is the case.
   

• Right not to be subject to Automated Decisions: We do not make any legal or similarly significant decisions about you purely by automated means (without human involvement). If that ever changes, you would have the right to request human intervention, to express your point of view, and to contest the decision.
   

To exercise any of these rights, please contact our Information Officer at info@psycheinnovations.com with your specific request. For certain requests (like accessing or deleting extensive data), we may need to verify your identity to ensure security. Verification might involve answering a security question, confirming account details, or logging in.

Response Time: We will try to respond to all legitimate requests as quickly as possible, typically within 30 days. If your request is complex or if we have many requests, it may take longer, but we will inform you of the need for an extension. If we cannot fulfill your request (for example, if it impacts other users’ rights or if you are asking us to delete data we are legally required to keep), we will explain why.

Cost: You usually will not have to pay a fee to exercise your rights. However, if a request is unfounded or excessive (for example, repetitive requests), we may charge a reasonable fee or refuse to act on it, as permitted by law. We will never refuse to address your request without a clear explanation.

Marketing Choices: As mentioned, if you prefer not to receive marketing communications, you can opt out at any time. Use the “unsubscribe” link in emails or adjust your account settings if applicable. Transactional and service-related communications (such as account notifications, password resets, etc.) cannot be opted out of, as they are necessary for service usage.

Affiliate Communications: If you signed up via an affiliate, they might have your contact (because you used their link or code directly, or gave it to them) and may send you their own communications. Our Privacy Policy does not cover communications from independent affiliates. To stop communications from an affiliate, please follow their unsubscribe instructions or contact them directly. If you have any issues, let us know and we can attempt to facilitate the request with the affiliate.

We are committed to empowering you with control over your personal data. If you need any assistance understanding or exercising your rights, we’re here to help.

Regional Privacy Notices

We conduct our operations primarily under South African law, but we also strive to respect the privacy laws of other regions where we have users. This section provides additional information for users in certain jurisdictions. If you are located in one of the regions below, the following terms apply to you in addition to the rest of this Privacy Policy. In case of conflict, the more protective provision will take precedence for the relevant jurisdiction.

South Africa

We are based in South Africa and comply with the Protection of Personal Information Act, 2013 (POPIA) and related regulations:

• Responsible Party: Psyche Innovations (Pty) Ltd is the “Responsible Party” (data controller) with respect to personal information collected through the Platform. Our Information Officer (contact details provided above) oversees POPIA compliance.
   

• Your Rights under POPIA: POPIA provides you rights such as access to information, correction/deletion of information, and the right to object to processing of personal information under certain circumstances. We uphold those rights as described in Your Rights above. You also have the right to submit a complaint to the Information Regulator (South Africa) if you believe we have interfered with the protection of your personal information. (Website: justice.gov.za/inforeg)
   

• Minors: As required by POPIA, we obtain guardian consent for processing personal information of minors (persons under 18). By allowing a minor 13 or older to use the Platform, the guardian is giving us the necessary consent to process the minor’s data as described.
   

• Cross-Border Transfers: POPIA permits transfer of personal information outside South Africa if certain conditions are met (such as the recipient being subject to a law, contract, or binding corporate rules providing an adequate level of protection). As noted, we use measures like contractual clauses and trusted providers to ensure compliance with Section 72 of POPIA regarding international transfers.
   

• Security Breaches: In the event of a data breach involving your personal information, we will notify you and the Information Regulator of South Africa when required by law, following the guidelines in POPIA.
   

• We process personal information primarily for the purposes you have consented to and as necessary to provide our services. We will not process your personal information for a secondary purpose unless allowed by POPIA (for instance, if it is compatible with the primary purpose, or with your further consent, or if required by law).
   

• Retention: We will not keep your personal information longer than necessary for the purposes stated, unless law requires. We will take into account POPIA’s regulations, which require us to destroy or de-identify records once they are no longer needed (subject to exceptions).
   

For any questions or requests under South African law, you can contact our Information Officer (see above). We are happy to assist with any concerns related to POPIA.

United States

While there is no single comprehensive federal data privacy law in the U.S. for all types of data, we endeavor to respect relevant state and federal privacy regulations. If you are a resident of the United States, the following may apply:

• Children (COPPA): We do not knowingly collect personal information from children under 13, in compliance with the U.S. Children’s Online Privacy Protection Act (COPPA). Our Platform is not directed to children under 13, and as stated in Children’s Privacy, any data from a child under 13 will be deleted if discovered.
   

• California Residents (CCPA/CPRA): If you are a California resident, you have specific privacy rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These include:
   

  • The right to know what personal information we collect, use, disclose, and sell (we note that we do not sell personal information).
     

  • The right to access your personal information.
     

  • The right to request deletion of your personal information.
     

  • The right to correct inaccurate personal information.
     

  • The right to opt-out of the “sale” or “sharing” of personal information (again, while we do not sell data for money, “sharing” under CPRA includes some targeted advertising scenarios; we currently do not share personal data for cross-context behavioral advertising purposes. If that changes, we will provide a do-not-sell/share option).
     

  • The right to limit use of sensitive personal information (California defines things like precise geolocation, health information, etc. as sensitive; we only use such information to provide the services requested by you, and for no other purposes that would trigger a “limit use” right, aside from perhaps internal service improvement).
     

  • The right not to receive discriminatory treatment for exercising your privacy rights.
     

  • California residents may make a verifiable consumer request to exercise these rights. The process to do so is to contact us (see Your Rights section above, which covers similar ground as CCPA in terms of access, deletion, etc.). We will verify your identity and respond within the timeframes required by law (generally 45 days with possible extension).
     

  • You may also designate an authorized agent to make requests on your behalf. We will require proof of the agent’s authority and verification of your identity.
     

  • Disclosure of Categories: Over the past 12 months, we have collected the following categories of personal information (as defined in CCPA): identifiers (like name, email), characteristics of protected classifications (age, gender – if provided voluntarily), commercial information (transaction history with us), internet/electronic activity (usage data, IP address), and sensitive personal information (health-related info you input, account credentials). We collect these for the business and commercial purposes described in this Policy. We disclose personal information to service providers (e.g., cloud hosts, payment processors) and other parties as described in Sharing Your Information, for the same purposes. We do not sell personal info, and do not share it for behavioral advertising without consent.
     

• Other States: If you live in states like Colorado, Virginia, Connecticut, or Utah, new privacy laws (effective 2023-2025) provide similar rights to access, correct, delete, and opt-out of certain data processing. We will honor such rights similarly. For example, Virginia residents can opt out of targeted advertising or profiling – as of now we do not engage in profiling in a way that produces legal effects, nor do we sell data. If we ever use your data for targeted advertising beyond what’s necessary for our operations, we will provide opt-outs.
   

• Do-Not-Track: As mentioned in Analytics and Tracking, we currently do not respond differently to DNT signals, due to lack of standardization.
   

• HIPAA: Our Platform is a consumer wellness service, not a provider of healthcare treatment, and Psyche Innovations is not a covered entity under HIPAA. Any health-related information you provide is protected by our privacy commitments as described here, but it is not subject to HIPAA’s regulations. If you are working with a healthcare provider through our Platform, that provider might be subject to HIPAA; however, information you provide in the app is not automatically considered a HIPAA record unless specifically arranged under a separate agreement. We treat your data with high confidentiality, but we want U.S. users to understand that this is not a HIPAA-compliant medical service and should not be used for medical record storage.
   

• Cross-Border: If you are in the U.S., your data will likely be transferred to our servers overseas (e.g., South Africa or EU or as described). By using the service, you agree to that transfer.
   

If you have any questions about your U.S. privacy rights or our compliance with them, please contact us. We will do our best to address any concerns.

United Kingdom

For users in the UK, we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:

• Data Controller: Psyche Innovations (Pty) Ltd is the data controller for UK users’ personal data. While we do not have a physical presence in the UK, we offer services to UK residents and thus fall under UK GDPR for those activities. We may appoint a UK representative if required by law and will update this Policy accordingly.
   

• Lawful Bases: We ensure we have lawful bases for processing your personal data, as outlined in the How We Use Your Information section (which corresponds to bases like consent, contract, legitimate interests, etc.). For UK users, typically consent and contract are primary bases, with legitimate interest for some analytics and improvement, and legal obligation for certain records.
   

• Your Rights: UK users have the same rights as listed in Your Rights (access, rectification, erasure, etc.), stemming from UK GDPR. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe we have violated your data protection rights. (ICO website: ico.org.uk). We would appreciate the chance to address your concerns first, so do reach out to us.
   

• International Transfers: If we transfer UK personal data outside the UK (for example, to South Africa or the US), we will do so in accordance with UK GDPR transfer requirements. This typically means using UK-approved Standard Data Protection Clauses (similar to EU SCCs) or transferring to jurisdictions with adequacy decisions when applicable. Since we operate out of SA, and SA is not currently deemed “adequate” by the UK, we rely on contractual safeguards and your consent by using our service.
   

• We treat UK users’ data with the same high standard. This Policy as a whole is intended to meet the transparency and information requirements of UK GDPR Articles 13 and 14 regarding collecting personal data.
   

Australia

For users in Australia, we endeavor to handle personal information in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs):

• Overseas Data Storage: Your data may be stored or processed outside Australia (as described). Under Australian law, we must inform you that by providing your personal information to us, you consent to the transfer of that information overseas. The countries where your data might reside include South Africa, United States, and others mentioned above. While these countries may have different privacy laws than Australia, we will take reasonable steps to ensure any overseas recipient does not breach the APPs in relation to your information.
   

• APP Principles: We adhere to the APPs in how we collect, use, and disclose personal information. We only collect information that is reasonably necessary for our functions or activities. Generally, we collect directly from you, and if we collect from third parties, we will do so lawfully. We use your data as described for the purposes expected. If we were to use it for a new purpose, we’d seek your consent unless an exemption applies.
   

• Access and Correction: You have the right under Australian law to access the personal information we hold about you and to request corrections if needed. Our Your Rights section covers how to request that. We will not charge for an access request in most cases, and we will respond within a reasonable time. If we refuse access or correction (as permitted by law, e.g., if it unreasonably affects others’ privacy or we have legal reasons), we will provide you with a written explanation.
   

• Complaints: If you have a privacy concern or complaint, please contact us. We will acknowledge your complaint and attempt to resolve it with you. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC). (Website: oaic.gov.au).
   

• Direct Marketing: We will not send you marketing communications without your consent, and you can opt out at any time, as described above. We also comply with Australia’s Spam Act when sending electronic communications.
   

New Zealand

For users in New Zealand, we handle personal information in accordance with the New Zealand Privacy Act 2020 and its principles:

• Privacy Principles: We follow the Information Privacy Principles (IPPs) regarding how we collect, use, disclose, and store personal information. We collect information directly from you unless it’s an exception and ensure you are aware of the purpose of collection (as this Policy outlines).
   

• Overseas Storage: Your information may be stored overseas (in South Africa, United States, etc.). New Zealand’s Privacy Act requires that we take steps to ensure your data will be protected by comparable safeguards as under NZ law or that we explicitly inform you that it may not have the same protections. We believe our practices and the safeguards (like encryption and contracts) we use provide protection comparable to NZ standards. By using our service, you acknowledge that your data may be transferred to third parties abroad as described.
   

• Access and Correction: New Zealand individuals have the right to request access to the personal information we hold about them, and request corrections. We will respond to such requests as soon as practicable and no later than 20 working days, as per NZ law. There is no fee for requesting access to your info.
   

• Complaints: If you believe we have breached the NZ Privacy Act or handled your information inappropriately, please contact us so we can resolve the issue. You also have the right to complain to the Office of the Privacy Commissioner in New Zealand. (Website: privacy.org.nz).
   

• We do not use your personal information for purposes other than those stated, unless allowed by law (e.g., with your consent or for a directly related purpose you would reasonably expect).

Canada

For users in Canada, we are committed to protecting your personal information consistent with the principles of Canada’s federal and provincial privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA):

• Consent: By using our services and providing personal information, you consent to our collection, use, and disclosure of your personal information as described in this Policy. We typically rely on your consent (implied or express, depending on the context) for collecting and using data. In certain cases, we may rely on other lawful grounds as permitted by PIPEDA (for example, if it’s clearly in your interests and consent cannot be obtained in a timely way, etc., though such cases are rare).
   

• International Transfer: Your data will be transferred to and stored on servers outside Canada (e.g., in South Africa, United States, etc.). In these jurisdictions, foreign governments, courts, law enforcement, or regulatory agencies may be able to obtain disclosure of your information through local laws. PIPEDA requires that we notify you of this. We assure you that we will handle your information with the utmost care and protection as described. By using our services, you consent to this transfer and acknowledge the information may be subject to access requests from governments, courts or law enforcement in those countries according to their laws.
   

• Access and Correction: You have the right to request access to personal information we hold about you and to request corrections for inaccuracies. Our procedures for verification and response (as in Your Rights) apply. We will typically respond within 30 days as required by PIPEDA. If for some reason we cannot grant your request (for example, if it would reveal personal information about another individual or if it is subject to legal privilege), we will provide an explanation.
   

• Accountability and Inquiries: We have a designated privacy officer (our Information Officer, see above) who is responsible for compliance with Canadian privacy principles. If you have questions or complaints about our personal information handling, you may contact us. We will investigate and attempt to resolve complaints. If you are not satisfied, you may contact the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner (if applicable) to file a complaint. (OPC website: priv.gc.ca).
   

• CASL (Anti-Spam): We comply with Canada’s Anti-Spam Legislation. We will not send you commercial electronic messages without appropriate consent. You can unsubscribe from our communications at any time as described earlier.
   

• We do not require you to provide more information than is necessary for the purposes of providing the service (we follow the data minimization principle). We also do not use your information for new purposes without advising you and obtaining consent if required.
   

 

Note: If you are located in a region not specifically listed above (e.g., the European Union or other countries), we aim to provide you with similar rights and protections in line with leading privacy regulations. You may contact us to clarify any region-specific concerns. We treat all users’ data with respect and transparency.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please do not hesitate to reach out:

Psyche Innovations (Pty) Ltd
Email: info@psycheinnovations.com (Attn: Information Officer)
Postal Mail: 147 Dorp Street, Apartment 5, Stellenbosch, Western Cape, 7600, South Africa

We will be glad to assist you and will respond as promptly as possible.

Thank you for trusting Psyche Innovations with your mental wellness journey. We are dedicated to protecting your privacy and creating a safe space for you to grow and thrive.