Privacy Policy

Healing professionals, group practices and organizations

Effective April 21, 2023

Upheal Inc., a Delaware corporation, https://upheal.io,  (‘Upheal’, “us”) informs you that your personal data will be processed in the ways specified below. This Privacy Policy applies to the collection and processing of personal information of users under a healing professional, group practice and/or organization profile. For how Upheal processes personal information of users receiving services from healing professionals or group practices, please see our Client Privacy Policy.

What personal data do we process?

We will use your: 

Data category
Data items
Identification data
Your name
Last name
Email address
Phone number
IP Address
Google ID and user data
Personal details
Your language
Educational and professional data
Your qualification
Role
Place of work
Recording
Audio and video of your sessions with clients
Usage data
Session date and time
Log data
Financial data (in case of sole practitioner)
Your bank details
VAT number
Fiscal code

Why do we use your data?

Personal data is used on our website for the following purposes:

Purpose
Data category
Legal basic
Are you obliged to provide the data?
How long do you hold your data?
Performance of the contract
Identifying data,
educational and professional data
The performance of the contract
Yes. Failure to provide such data will result in the inability for Upheal to manage the contractual relationship
Duration of the contract
Provision of the service, which includes: creating your account, conducting a session with your client, creating transcripts and insights of the session, storing the record of the session (optional)
Identifying data,
personal details,
educational and professional data, usage data
The performance of the contract
Yes. Failure to provide such data will result in the inability for Upheal to provide you with the service
Duration of the contract
Storage of audio and video recording
Recording data
Audio and video recording
Your consent which you will express by starting the video recording
No. It is always optional to provide consent for the storage of the audio and video recording
Security of the system
Identifying data, usage data
The legitimate interest of Upheal in keeping the systems secure
Data is automatically collected when you use the app.
No more than 6 months
Customer support 
Identifying data
The performance of the contract
Yes. Failure to provide such data will result in the inability for Upheal to provide you with the service you request.
Duration of the contract
Product improvement 
Usage data
The basis of consent
No. Usage data for product improvement is only tracked with your consent. 
Duration of the contract
Calendar connection
Identifying data
Your consent which you will express by linking Google Calendar to your profile
No. However, without allowing this data to be shared you cannot use our calendar feature.
Duration of the contract

Who can we communicate your data to?

Your data will be communicated to:

  • the hosting providers, suppliers of IT services and application software, who are our data processors; 
  • providers for our integrations, including Nylas Inc., who facilitate our connection to Google Calendar;
  • public or private bodies to whom we are obliged by the law to disclose the data

To receive more information about our providers please contact us at support@upheal.io

Disclosure for Law Enforcement: Upheal will disclose your personal data outside the scope of these provisions only as required to do so by law or compelled by court, government or administrative agency of competent jurisdiction. Your personal data may be subject to federal and local laws that require Upheal to disclose this data in certain circumstances.

Where is your data processed?

If you use our services from the EU, Switzerland or the UK, we inform you that your data is transferred to our suppliers outside the European Economic Area and the UK, in particular in the U.S. 

In this case, we inform you that the data transfer will take place only in the presence of adequate safeguards provided for by the applicable law. In particular, for transfers from the EU and the UK, where an Adequacy Decision is not applicable, we rely on the Standard Contractual Clauses provided by the European Commission (art. 46 GDPR). For further information about the data transfer you can contact us at the email address indicated below.

How is your data secured?

Our goal is to protect your personal information by implementing both technical and organizational security measures. These measures are designed to prevent unauthorized or unlawful handling of your data, as well as any accidental or unauthorized access, use, transfer, processing, copying, transmission, alteration, loss, or damage.

How do we support you in dealing with data subject rights?

We inform you that you have the right to access and request amendment to your data.

You can obtain the erasure of your personal data under certain circumstances. You also have the right to restrict the processing of your personal data.

You can withdraw your consent at any time. 

Moreover, you can receive a copy of your personal data or ask Upheal to transmit that data to another controller, where technically feasible. 

On grounds relating to your particular situation, you can object to the processing of your personal data used for the legitimate interest of the controller.

You can lodge a complaint with the supervisory authority of your State or territory in case you think that your rights have been breached or you have concerns about our privacy practices.

If you wish to exercise one of these rights, you can contact us at privacy@upheal.io

HIPAA Compliance

To know more about how we comply with HIPAA, click here.

Additional information for information collected through our Google integration and Google APIs

Upheal enables you to connect your client appointments to your Google Calendar for easy scheduling. To provide this connection, we obtain, process and store a copy of the Google user data contained in your Google account including your Gmail and Google Calendar (Google User Data). Before allowing access to this data, you will be notified what access is granted and to what data types. This data is referred to as data under your Google ID. Restrictions apply to this use of this data include:

  • We will use your Google User Data only to provide user-facing features of the services that are prominent in the services’ user interface.
  • We will only transfer your Google User Data to unaffiliated third parties (a) if necessary to provide or improve user-facing features that are prominent in the services’ user interface, (b) as necessary to comply with applicable law or (c) as part of a merger, acquisition or sale of assets with notice to you. 
  • We will not use or transfer your Google User Data for serving ads, including retargeting, personalized or interest-based advertising.
  • We will not allow humans to read your Google User Data unless we have first obtained your affirmative agreement for specific messages; it is necessary for security purposes (such as investigating a bug or abuse); it is necessary to comply with applicable law; or our use is limited to internal operations and the data (including derivations) have been aggregated and de-identified.

Our use and transfer to any other application of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.