Therapa Privacy Policy

Effective Date: 19 April 2025

1 – About Therapa

Therapa (“Therapa”, “we”, “our”, “us”) is a voice‑to‑voice artificial‑intelligence platform that delivers automated, AI‑assisted mental‑wellness support (the “Services”). Therapa is not a licensed medical provider and does not replace professional care or therapy. If you are experiencing an emergency, contact your local emergency services immediately.

2 – Scope and Applicability

This Policy explains how we collect, use, store, share, and otherwise process information relating to an identified or identifiable individual (“Personal Data”) when you:

  • Visit our websites or apps;
  • Create or use a Therapa account;
  • Receive communications from us via SMS, email, or automated voice calls;
  • Interact with our AI through voice, audio, or text; or
  • Communicate with us in any other way.

The Policy incorporates requirements of the EU/EEA GDPR, UK GDPR, Swiss FDPA, South African POPIA, U.S. state privacy statutes (e.g., CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA), and the HIPAA Security Rule where applicable.

3 – Key Definitions

Term | Meaning
User Content | Audio, text, images, or other material you input, record, upload, or generate while using the Services.
Special Category Data | Data revealing mental‑health status or other sensitive attributes regulated under GDPR Art. 9 and comparable laws.
Controller / Responsible Party | Entity that determines purposes and means of processing Personal Data (Therapa for most processing).
Processor / Operator | Service provider that processes Personal Data on our documented instructions.

4 – Personal Data We Collect

Category | Examples | Source(s) | Purpose Highlights
Account Data | Name, email, phone, password, locale | You | Account creation, authentication, support
Payment Data | Tokenized payment method, billing address, transaction IDs | You / payment processor | Subscription billing, fraud prevention
Communications | SMS, emails, automated voice calls, support tickets, surveys | Automated & direct | Service delivery, support, marketing (with consent)
Usage Data | Session logs, feature use, crash reports | Automated | Service improvement, security
Technical Data | IP address, device ID, browser/OS, cookies | Automated | Diagnostics, localisation
User Content | Voice recordings, transcripts, self‑reported feelings | You | Core service delivery, continuity of care
Biometric‑Derived Data | Voice emotion cues (tempo, pitch) not used for unique ID | Automated | Real‑time adaptation, quality assurance

*Full purposes appear in Section 6.

5 – Legal Bases for Processing (EEA/UK/CH)

Basis | When Used
Contract | To provide, maintain, and personalise the Services you request.
Consent | Processing Special Category Data; sending marketing communications.
Legitimate Interests | Security, fraud prevention, platform improvement (balanced against your rights).
Legal Obligation | Tax, accounting, consumer‑protection, other statutory duties.
Vital Interests | Where disclosure is necessary to prevent serious, imminent harm.

Equivalent grounds apply under POPIA, CCPA/CPRA, and other laws.

6 – How We Use Personal Data

  • Deliver Services – Interactive sessions, continuity of care, SMS/email/voice follow‑ups.
  • Personalise & Improve – Adapt tone and content, debug, conduct analytics, develop new features.
  • Billing & Administration – Process payments, detect fraud, send invoices.
  • Security – Monitor for abuse, investigate suspicious activity, enforce our Terms.
  • Legal Compliance – Respond to lawful requests, satisfy reporting duties, protect rights.
  • Marketing (Opt‑Out) – Send product or promotional updates where lawful; you may opt out at any time.

Model‑training safeguard. We do not use User Content to train or fine-tune our AI models. If we ever introduce a materially different use of User Content, we will update this Policy and meet all legal requirements before that change takes effect.

We never sell Personal Data or use it for cross‑context behavioural advertising.

7 – Automated Decision‑Making & Profiling

Our AI generates responses and emotional cues automatically. These outputs do not constitute clinical diagnosis. You may request human review of any decision that has significant legal or similarly material effects on you (GDPR Art. 22; CCPA § 1798.121).

8 – Disclosures & Sub‑processors

Recipient Category | Typical Purpose | Safeguards
Cloud & Hosting Providers | Secure storage, compute | Data‑processing agreements; encryption
AI/ML Processing Vendors | Natural‑language/emotion processing on our instructions | Contractual restrictions; TLS
Telecommunications Providers | SMS, email routing, automated voice calls | DPAs; encryption in transit
Payment Processors | Subscription billing | PCI‑DSS Level 1; tokenized transactions
Professional Advisers & Auditors | Legal, tax, accounting | Confidentiality undertakings
Regulators & Law Enforcement | To comply with law or protect vital interests | Disclosure logged and minimised
Corporate Transaction Parties | Mergers, financing, restructuring | Data transferred under this Policy + contractual guarantees

Processors (i) act solely on our instructions, (ii) apply equivalent security, and (iii) delete or return data when their task ends. A current vendor list is available on written request.

9 – International Transfers

Your data may be processed outside your country, including jurisdictions without equivalent privacy laws. We protect transfers with:

  • EU Standard Contractual Clauses (SCCs) plus the UK IDTA and Swiss addenda,
  • Adequacy decisions or certifications, and
  • Supplementary technical and organisational safeguards (e.g., encryption, zero‑trust access).

10 – Security

We implement a defense‑in‑depth program that includes:

  • TLS 1.2+ encryption in transit and AES‑256 (or stronger) at rest;
  • Segmented production networks and multi‑factor authentication for privileged staff;
  • Continuous vulnerability scanning, static‑code analysis, and annual penetration testing;
  • 24 × 7 monitoring, anomaly detection, and NIST SP 800‑53/ISO 27001‑aligned incident‑response procedures;
  • Formal vendor‑risk management and least‑privilege access controls.

In the event of a data breach posing a high risk to you, we will notify you and the relevant authorities without undue delay as required by law.

11 – Cookies & Similar Technologies

We use first‑ and third‑party cookies, SDKs, and similar technologies to:

  • Keep you logged in;
  • Remember preferences;
  • Analyze product usage (aggregated, de‑identified);
  • Measure the effectiveness of campaigns.

You can refuse non‑essential cookies via our cookie banner or your browser settings. See our separate Cookie Notice for details.

12 – Retention

Data Type | Retention Period
User Content & Account‑Related Data | For the life of your account plus 2 years (unless deleted sooner or law requires longer/shorter retention)
Payment Records | 7 years (statutory tax period)
Security & Audit Logs | Up to 12 months, extendable for investigations

Data are irreversibly deleted or de‑identified at the end of the retention period.

13 – Your Rights

Subject to applicable law, you may:

  • Access, correct, or delete Personal Data;
  • Restrict or object to certain processing;
  • Port data to another provider;
  • Opt out of marketing;
  • Object to purely automated decisions that significantly affect you;
  • Withdraw consent at any time (without affecting prior processing);
  • Lodge a complaint with your supervisory authority.

How to exercise your rights: email privacy@therapa.com. We will verify your identity and respond within the legally mandated timeframe.

14 – California & U.S. State‑Specific Disclosures

  • We do not “sell” Personal Data or “share” it for cross‑context behavioural advertising as defined by CPRA, VCDPA, and similar laws.
  • Disclosures are limited to service providers that act solely on our behalf and under terms requiring confidentiality and security.
  • Residents may exercise rights via privacy@therapa.com.
  • Browser “Do Not Track” or Global Privacy Control signals are honoured as opt‑out requests where technically feasible.

15 – Children’s Privacy

Therapa may be used by individuals under 16 only with the consent and supervision of a parent or legal guardian. The parent or guardian must create or approve the child’s account and accept this Policy. If you believe we have collected data from a minor without such consent, email privacy@therapa.com and we will delete or anonymise the data unless retention is legally required.

16 – Changes to This Policy

We may update this Policy to reflect legal or operational changes. We will post the revised version with a new “Effective Date” and provide 30 days’ advance notice for material changes via email or in‑app notice.

17 – Contact Information

Role | Contact
Data Protection Officer & General Enquiries | privacy@therapa.com
EU/EEA Representative (GDPR Art. 27) | eu-representative@therapa.com
UK Representative | uk-representative@therapa.com
South African Information Officer | za-information-officer@therapa.com
Overall Legal | legal@therapa.com

If unresolved, you may complain to your local data‑protection authority (e.g., SA Information Regulator, UK ICO, an EU supervisory authority, or the California Attorney General).