Privacy Policy
Last updated: December 12, 2025
Introduction
NEHA ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mental health support application.
Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the application.
Information We Collect
Personal Information
We may collect personal information that you voluntarily provide to us when you:
- Register for an account
- Use our chat services
- Contact customer support
- Subscribe to newsletters or updates
Automatically Collected Information
When you access the application, we may automatically collect:
- Device information (IP address, browser type, operating system)
- Usage data (pages visited, time spent, features used)
- Location data (with your permission)
How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Personalize your experience and provide tailored support
- Communicate with you about updates, security alerts, and support
- Analyze usage patterns to enhance our AI models
- Comply with legal obligations and protect our rights
HIPAA Compliance
As a mental health application, we implement administrative, physical, and technical safeguards designed to protect your health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA).
Your conversations and health information are:
- Encrypted in transit using TLS
- Encrypted at rest using industry-standard encryption
- Accessible only to authorized personnel
- Never shared with third parties without your explicit consent (except as required by law)
Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this privacy policy, unless a longer retention period is required by law.
You may request deletion of your account and data at any time by contacting support@wellnessneha.com.
Your Rights
Depending on your location, you may have certain rights regarding your personal information:
- Access: Request access to your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data
- Portability: Request a copy of your data in a portable format
- Objection: Object to certain processing of your data
- Withdraw Consent: Withdraw previously given consent
Digital Personal Data Protection Act 2023 (DPDP)
As a service operating in India, NEHA complies with the Digital Personal Data Protection Act, 2023. Under the DPDP Act:
Our Role as Data Fiduciary
NeuraCare AI acts as a "Data Fiduciary" responsible for determining the purpose and means of processing your personal data. We are committed to:
- Processing your data only for lawful purposes with your consent
- Ensuring data accuracy and completeness
- Implementing reasonable security safeguards
- Deleting personal data once the purpose is fulfilled (unless retention is legally required)
Your Rights Under DPDP Act
As a Data Principal, you have the right to:
- Information: Know what personal data is being collected and how it is processed
- Correction & Erasure: Request correction or erasure of your personal data
- Grievance Redressal: Lodge complaints regarding data processing
- Nomination: Nominate someone to exercise your rights in case of death or incapacity
Telecommunications Privacy
NEHA operates as an Over-The-Top (OTT) communication service. In compliance with TRAI regulations and telecommunications privacy standards:
Data We Collect
- Device Information: Browser type, operating system, device identifiers
- Network Data: IP address, connection type (for service optimization only)
- Communication Metadata: Timestamps and session duration (not message content)
What We Do NOT Collect
- We do not require SIM binding or phone number verification
- We do not access your contacts, call logs, or SMS messages
- We do not track your location without explicit consent
Anti-Spam Compliance
We adhere to TRAI's Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018. Any service-related communications will only be sent with your explicit digital consent, and you may opt out at any time.
Cross-Border Data Transfer
Your data may be processed on servers located outside India. In such cases:
- We ensure adequate data protection standards are maintained
- Transfers comply with applicable provisions of the DPDP Act, 2023
- We do not transfer data to countries notified by the Central Government as restricted destinations
- Third-party processors are bound by contractual obligations to protect your data
Cybersecurity & Government Requests
In accordance with the Telecom Cybersecurity Rules, 2024:
- We implement appropriate technical and organizational security measures
- We may be required to cooperate with authorized government agencies for lawful interception or investigation purposes
- We will notify you of any data breach that may affect your rights, as required by law
- We maintain security incident logs as per regulatory requirements
GDPR Compliance (European Union Users)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
Legal Basis for Processing
We process your personal data based on one or more of the following legal bases:
- Consent: You have given explicit consent for processing (e.g., for marketing communications)
- Contract: Processing is necessary for the performance of our service agreement with you
- Legitimate Interest: Processing is necessary for our legitimate business interests (e.g., fraud prevention, service improvement)
- Legal Obligation: Processing is necessary to comply with applicable laws
Your GDPR Rights
- Right of Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restriction: Request limitation of processing
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interest or direct marketing
- Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing
Data Breach Notification
In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you within 72 hours of becoming aware of the breach.
Supervisory Authority
You have the right to lodge a complaint with your local Data Protection Authority if you believe your rights have been violated.
CCPA/CPRA Compliance (California Users)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
Your California Privacy Rights
- Right to Know: Request disclosure of personal information collected, sources, purposes, and third parties with whom it's shared
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of the sale or sharing of your personal information
- Right to Limit: Limit the use and disclosure of sensitive personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
Categories of Personal Information
We may collect the following categories of personal information:
- Identifiers (name, email, IP address)
- Internet or network activity (browsing history, interactions with the Service)
- Geolocation data (with your consent)
- Inferences drawn from the above (preferences, characteristics)
Do Not Sell or Share
We do NOT sell or share your personal information as defined by CCPA/CPRA. We do not engage in cross-context behavioral advertising.
Exercising Your Rights
To exercise your California privacy rights, contact us at privacy@wellnesswellnessneha.com or submit a request through our app settings. We will respond within 45 days.
COPPA Compliance (Children's Privacy)
In compliance with the Children's Online Privacy Protection Act (COPPA) and COPPA 2.0:
- No Knowing Collection: We do not knowingly collect personal information from children under 13
- Parental Consent: If we ever collect data from children, we will obtain verifiable parental consent first
- No Targeted Advertising: We do not direct targeted advertising to children or teens
- Limited Data Use: Any data from minors would only be used for the specific service purpose
- Parental Rights: Parents may review, request deletion, or refuse further collection of their child's data
If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@wellnesswellnessneha.com.
LGPD Compliance (Brazil Users)
If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD):
Your LGPD Rights
- Confirmation & Access: Confirm whether your data is processed and access it
- Correction: Request correction of incomplete or inaccurate data
- Anonymization/Deletion: Request anonymization, blocking, or deletion of unnecessary data
- Portability: Request data portability to another service provider
- Information on Sharing: Know which third parties your data is shared with
- Consent Withdrawal: Withdraw consent at any time
- Opposition: Object to processing that violates LGPD
Data Protection Officer (Encarregado)
For LGPD-related inquiries, contact our Data Protection Officer at dpo@wellnesswellnessneha.com.
Cookies & Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience:
Types of Cookies
- Essential Cookies: Required for basic functionality (authentication, security)
- Preference Cookies: Remember your settings and preferences
- Analytics Cookies: Help us understand Service usage (anonymized)
Your Cookie Choices
- You can manage cookies through your browser settings
- You can opt out of non-essential cookies via our cookie consent banner
- Disabling essential cookies may affect Service functionality
Do Not Track
We honor "Do Not Track" (DNT) browser signals and Global Privacy Control (GPC) signals where technically feasible.
Automated Decision-Making & Profiling
NEHA uses AI-powered algorithms to provide personalized mental wellness support:
- Purpose: Our AI analyzes your inputs to provide relevant, empathetic responses
- No Legal Effects: Automated processing does not produce legal effects or significantly affect you in a similar manner
- Human Oversight: Critical safety decisions (crisis detection) are designed with human oversight principles
- Right to Object: You may object to automated processing by contacting us
We do not use automated decision-making for access to services, credit, employment, or insurance decisions.
Third-Party Services & Data Sharing
We may share your data with the following categories of third parties:
- Cloud Service Providers: For secure data storage and processing (Google Cloud, AWS)
- AI Model Providers: To process your queries (data is sent in anonymized/pseudonymized form where possible)
- Analytics Providers: For aggregated, anonymized usage analytics
- Legal & Compliance: When required by law, court order, or to protect our rights
We require all third parties to respect your data security and process it in accordance with applicable law. We do NOT sell your personal data.
Data Retention Schedule
We retain your data only as long as necessary for the purposes outlined in this policy:
- Account Data: Retained while your account is active, plus 30 days after deletion request
- Conversation History: Retained for up to 90 days for service continuity, then deleted or anonymized
- Analytics Data: Aggregated, anonymized data may be retained indefinitely for research
- Legal Compliance: Certain data may be retained longer if required by law
You may request immediate deletion of your data by contacting privacy@wellnesswellnessneha.com, subject to legal retention requirements.
Contact Us
If you have questions or concerns about this Privacy Policy, please contact us at:
General Inquiries: privacy@wellnesswellnessneha.com
Data Protection Officer: dpo@wellnesswellnessneha.com
CCPA Requests (California): ccpa@wellnesswellnessneha.com
GDPR Requests (EU): gdpr@wellnesswellnessneha.com
Address: NeuraCare AI, Bengaluru, Karnataka, India
Grievance Officer (India - DPDP Act Compliance):
For any grievances related to your personal data, please contact our designated Grievance Officer at grievance@wellnesswellnessneha.com. We will acknowledge your complaint within 48 hours and resolve it within 30 days.
