Privacy Policy

Client

Updated August 26, 2025

Upheal Inc., a Delaware corporation, https://upheal.io (‘Upheal’), informs you that your personal data will be processed in the ways specified below. This Privacy Policy applies to the collection and processing of personal information by Upheal of users receiving services from healing professionals or group practices. For how Upheal processes personal information of users who are healing professionals, group practices and/or organizations, please see our Provider Privacy Policy.

We have appointed a Data Protection Officer (DPO) that you can contact at:
Assenteo Ltd
71-75 Shelton Street, Covent Garden,
London, United Kingdom,
WC2H 9JQ
legal@upheal.io

1. What personal data do we process?

In short: Upheal processes your personal and potentially sensitive data when you use the app.

We will use your: 

Data category
Data categories
Personal details
Your spoken language
Potential health data, habits, lifestyle
Session transcript
Insights
Clinical notes
Usage data
Length of the session

2. Why do we use your data?

In short: We use your personal data as contained in sessions with your provider, which you consent to with your provider. We would also like to use your data to continue to improve our app; however, it is not mandatory and you can change your mind at any time.

Personal data is used by Upheal for the following purposes:

| Data categories | Purpose | Why can we process your data? | Are you obliged to provide the data? | How long do we hold your data? |
| --- | --- | --- | --- | --- |
| Audio and video recording, or uploaded session input | Provision of the service | The performance of the contract | Yes. Failure to provide such data will result in the inability for Upheal to provide you with the service | The duration of the session to provide the service and then deleted after. |
| Storage of audio and video recording | Recording data | Your consent | No. It is always optional to provide consent for the storage of the audio and video recording | If your provider decides to use Upheal to store the recording, then it will be kept until deleted by the provider |
| Session transcript | Improvement of the app’s functionalities | Your consent | No, it is always optional to provide us with your data and consent. If you do not provide us with such data you will still be able to use the app, but you will not help us improve the app’s functionalities | Your de-identified data is kept for the duration of the service and for 1 year after the data was first entered into the app. During this period you can always withdraw your consent and we will stop using your data. |
| Derived datasets – insights, length of the session, clinical notes, datasets to train AI, spoken language | Improvement of the app’s functionalities | Your consent | No, it is always optional to provide us with your data and consent. If you do not provide us with such data you will still be able to use the app, but you will not help us improve the app’s functionalities | Your de-identified data is kept for the duration of the service and for 5 years after the data was first entered into the app. During this period you can always withdraw your consent and we will stop using your data. |

3. How do we use your data?

Upheal is an app which creates notes based on what’s discussed during healing sessions. Using AI, the app transcribes the conversation and provides summaries and insights. With your consent we will use the data indicated above to train the AI and improve our app so that it can offer better features and results. The data we are going to use for this purpose will always be de-identified following the de-identification standard of the HIPAA Privacy Rule. There is no reasonable basis to believe that de-identified data can be used to directly identify you. You can learn more about this process here.

Upheal keeps all re-identification codes in a separate repository and may only use them for the purpose of deleting the de-identified data on your request. We adopt appropriate safeguards to protect de-identified data in accordance with applicable data protection standards and regulations (e.g. HIPAA, GDPR, CCPA, etc.). For more about the Upheal app visit https://www.upheal.io.

To receive more information about our processing activities contact us at legal@upheal.io and we will be more than happy to share more information with you.

4. Who can we communicate your data to?

In short: We share your personal data with approved service providers following our specific instructions. In some cases we may also be required to disclose your personal data to specific legal authorities.

Your data will be communicated to our hosting providers, suppliers of IT services and application software, who are our data processors. The information shared is for operational purposes unless an exception applies. To receive more information about our providers please contact us at support@upheal.io or visit https://trust.upheal.io.

Disclosure for Law Enforcement: Upheal will disclose user personal data outside the scope of these provisions only as required to do so by law or compelled by court, government or administrative agency of competent jurisdiction. Personal data from users may be subject to federal and local laws that require Upheal to disclose this data in certain circumstances.

CCPA Disclosure: we do not sell your personal information, including personal information of California consumers. 

5. Where is your data processed?

If you use our services from the EU, Switzerland or the UK, we inform you that your data is transferred to our suppliers outside the European Economic Area and the UK, in particular in the U.S. 

In this case, we inform you that the data transfer will take place only in the presence of adequate safeguards provided for by the applicable law. In particular, for transfers from the EU and the UK, where an Adequacy Decision is not applicable, we rely on the Standard Contractual Clauses provided by the European Commission (art. 46 GDPR). For further information about the data transfer you can contact us at the email address indicated below.

6. How do we safeguard your data?

Our product has robust technical and organizational security measures in place to protect your data and ensure its confidentiality, integrity, and availability. For more information about our security measures, please refer to our Privacy and Compliance FAQs.

7. How do we support you in dealing with data subject rights?

Some States’ privacy laws provide certain rights for data subjects. Consistent with the applicable data protection law you may:

  1. access and correct your data
  2. obtain the erasure of your personal data under certain circumstances
  3. ask to restrict the processing of your personal data
  4. receive a copy of your personal data or ask your healing professional or entity to transmit that data to another controller, where technically feasible
  5. object to processing of your personal data where the processing relies on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
  6. withdraw your consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
  7. lodge a complaint with the supervisory authority of your State or territory in case you think that your rights have been breached or you have concerns about our privacy practices or how your personal health information has been handled.

If you wish to exercise one of these rights, you can write to legal@upheal.io

We aim to reply to valid data subject or client right requests without undue delay, and no later than 30 days from your request. We will not charge a fee for reasonable requests in accordance with applicable law.

8. HIPAA Compliance

To know more about how we comply with HIPAA, click here.