Privacy Policy

Client

Effective September 12, 2023

Upheal Inc., a Delaware corporation, https://upheal.io (“Upheal”), informs you that your personal data will be processed in the ways specified below. This Privacy Policy applies to the collection and processing of personal information of users receiving services from healing professionals or group practices. For how Upheal processes personal information of users who are healing professionals, group practices and/or organizations, please see our Healing Professional Privacy Policy.

We care about your privacy and have appointed a DPO (Data Protection Officer) that you can contact at: upheal-dpo@chino.io.

1. What personal data do we process?

In short: Upheal processes your personal and potentially sensitive data when you use the app.

We will use your: 

| Data category | Data categories |
| --- | --- |
| Personal details | Your spoken language |
| Potential health data, habits, lifestyle | Session transcript, Insights, Clinical notes |
| Usage data | Length of the session |

2. Why do we use your data?

In short: We would like to use your data to continue to improve our app. It is not mandatory and you can change your mind at any time.

We will use your data for:

| Data categories | Purpose | Why can we process your data? | Are you obliged to provide the data? | How long do you hold your data? |
| --- | --- | --- | --- | --- |
| Session transcript | Improvement of the app’s functionalities | Because you expressed your consent to the processing of both common and special (health data) data so that we may continue to improve our app | No, it is always optional to provide us with your data and consent. If you do not provide us with such data you will still be able to use the app, but you will not help us improve the app’s functionalities | Your de-identified data is kept for the duration of the service and for 1 year after the data was first entered into the app. During this period you can always withdraw your consent and we will stop using your data. |
| Derived datasets – insights, length of the session, clinical notes, datasets to train AI, spoken language | Improvement of the app’s functionalities | Because you expressed your consent for the processing of both common and special (health) data so that we may continue to improve our app | No, it is always optional to provide us with your data and consent. If you do not provide us with such data you will still be able to use the app, but you will not help us improve the app’s functionalities | Your de-identified data is kept for the duration of the service and for 5 years after the data was first entered into the app. During this period you can always withdraw your consent and we will stop using your data. |

3. How do we use your data?

Upheal is an app which creates notes based on what’s discussed during healing sessions. Using AI, the app transcribes the conversation and provides summaries and insights. With your consent we will use the data indicated above to train the AI and improve our app so that it can offer better features and results. The data we are going to use for this purpose will always be de-identified following the de-identification standard of the HIPAA Privacy Rule. There is no reasonable basis to believe that de-identified data can be used to directly identify you. You can learn more about this process here

Upheal keeps all re-identification codes in a separate repository and may only use them for the purpose of deleting the de-identified data on your request. We adopt appropriate safeguards to protect de-identified data in accordance with applicable data protection standards and regulations (e.g. HIPAA, GDPR, CCPA, etc.). For more about the Upheal app visit https://www.upheal.io.

To receive more information about our processing activities contact us at support@upheal.io and we will be more than happy to share more information with you.

4. Who can we communicate your data to?

In short: We share your personal data with approved service providers following our specific instructions. In some cases we may also be required to disclose your personal data to specific legal authorities.

Your data will be communicated to our hosting providers, suppliers of IT services and application software, who are our data processors. The information shared is for operational purposes unless an exception applies.

Disclosure for Law Enforcement: Upheal will disclose user personal data outside the scope of these provisions only as required to do so by law or compelled by court, government or administrative agency of competent jurisdiction. Personal data from users may be subject to federal and local laws that require Upheal to disclose this data in certain circumstances.

CCPA Disclosure: we do not sell your personal information, including personal information of California consumers. 

5. Where is your data processed?

If you use our services from the EU, Switzerland or the UK, we inform you that your data is transferred to our suppliers outside the European Economic Area and the UK, in particular in the U.S. 

In this case, we inform you that the data transfer will take place only in the presence of adequate safeguards provided for by the applicable law. In particular, for transfers from the EU and the UK, where an Adequacy Decision is not applicable, we rely on the Standard Contractual Clauses provided by the European Commission (art. 46 GDPR). For further information about the data transfer you can contact us at the email address indicated below.

6. How do we safeguard your data?

Our product has robust technical and organizational security measures in place to protect your data and ensure its confidentiality, integrity, and availability. For more information about our security measures, please refer to our Privacy and Compliance FAQs.

7. How do we support you in dealing with data subject rights?

Some States’ privacy laws provide certain rights for data subjects. Consistent with the applicable data protection law you may:

  1. access and correct your data
  2. obtain the erasure of your personal data under certain circumstances
  3. ask to restrict the processing of your personal data
  4. receive a copy of your personal data or ask your healing professional or entity to transmit that data to another controller, where technically feasible
  5. object to processing of your personal data where the processing relies on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
  6. withdraw your consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
  7. lodge a complaint with the supervisory authority of your State or territory in case you think that your rights have been breached or you have concerns about our privacy practices or how your personal health information has been handled.

If you wish to exercise one of these rights, you can write to support@upheal.io

8. HIPAA Compliance

To know more about how we comply with HIPAA, click here.