Privacy Policy

Privacy Policy 

This Policy is intended to help you understand what data Expathy, including its websites and apps (“we“) collect, how we use it, and your rights related to it. For purposes of this Policy and unless otherwise specified, “data” includes information that is linked to one person or household including things like name, email address, device ID, Third Party identifiers, contact information, and communications with Therapists using our digital communication platform (the “Platform”) to provide services (“Therapists”). Some jurisdictions might consider this to be “personal data,” “personally identifiable information,” or “sensitive personal data” in certain circumstances. When you use and access our app or website, you accept and agree to both the Terms and Conditions and this Privacy Policy, including that we’ll share certain data with Service Providers. 

The purpose of this Policy is to explain the technical aspects of data Processing in a simple and clear way. Please feel free to email expathy@expathy.org if you have any questions about this Policy, or any suggestions for us to improve it. 

1. Who does this apply to? 

This Policy applies to any visitors to the public portions of our website and app, users who create accounts or use of the paid portions of our Platform (“Members“), and independent contractor Therapists who are using the Platform to deliver therapy. 

This Policy does not apply to the collection and use of information for employees or independent contractors (not including Therapists) of Expathy. If you’re a current or former Expathy job applicant, employee, owner, director, officer, or independent contractor other than a Therapist, please contact us at expathy@expathy.org for the appropriate notice governing those portions of the Platform. 

1. The restriction for Service Provider 

At Expathy, we work with trusted Service Providers who assist us in processing the data collected by us or on our behalf. These Service Providers are individuals or companies with whom we have entered into a legal agreement. We ensure that any data processed on our behalf is done so strictly under our direction, and no other person or entity is authorized to authorize such processing. 

To protect your privacy, our Service Providers are strictly prohibited from disclosing individually identifiable data to any third party, except to us or to their own subcontractors who are bound by data processing terms that are at least as restrictive as the Service Provider’s terms. 

The data obtained by our Service Providers from their relationship with us is used solely for the purpose of performing the services specified in our agreement or as reasonably necessary to fulfill the following objectives: 

• Compliance with Applicable Laws: Our Service Providers may process data to comply with applicable laws, regulations, or legal processes. 
• Fraud Prevention and Security: We may engage our Service Providers to detect, prevent, or mitigate fraud or security vulnerabilities that may pose a risk to our platform and users. 
• Error Debugging: Our Service Providers may assist us in identifying and repairing errors that may impact the intended functionalities of our platform. 
• Internal Research and Technological Development: In some cases, we may allow our Service Providers to conduct internal research to further the technological development and demonstration of our products or services. However, such use is strictly limited to what is reasonably necessary and proportionate to achieve the intended purpose for which the data was shared. 

At Expathy, we prioritize the protection and confidentiality of your data. We ensure that our Service Providers adhere to the same stringent standards and responsibilities in handling your data as we do. 

1. What does “Third Party” mean? 

In the context of Expathy’s privacy policy, when we refer to a “Third Party,” we are referring to an entity that is distinct from Expathy itself, our Service Providers, therapists, or any other parties explicitly mentioned in the policy. A Third Party is an external entity that is not directly affiliated with Expathy and operates independently of our organization. 

1. Processing Data 

At Expathy, we understand the importance of data privacy. In this policy, we use the term “Processing” or “Process” to encompass activities such as collecting, storing, and utilizing data. We want to be transparent about the categories of data we process and the purposes for which we do so. Rest assured that we take appropriate measures to safeguard your information. 

The following are the categories of data we process to ensure the smooth operation of our platform and enable you to effectively utilize our services. We may also process data to send you periodic emails or text messages, serving various purposes such as providing services or delivering marketing communications. However, you have the option to opt out of receiving texts or marketing communications at any time. 

While we strive to handle your data with care and adhere to the highest privacy standards, it’s important to note that we do rely on certain third-party service providers to assist us in delivering our services. These providers are subject to strict contractual obligations to maintain the confidentiality and security of your data. They are not considered “Third Parties” as defined in this policy. 

At Expathy, we are committed to protecting your privacy and ensuring that your data is handled responsibly. If you have any concerns or questions about how we collect, store, or process your data, please feel free to reach out to us. 

Category of Data	Information that is Collected
Visitor Data	When you visit the Platform, we Process information like the particular pages visited or which features you interacted with, the amount of time on the website or app, site/app/Platform errors, information about the type of device and browser you’re using, and IP address.
Onboarding Data	To create an account with the Platform, the user first fills out a questionnaire. We Process the information used to complete this questionnaire.
Account Data	Once a user creates an account with the Platform, we Process data such as the account name the user selects, and other demographic and contact information, such as email, age, phone number, emergency contact details, and whether a user verifies their email address.
User ID	We assign each user (including Therapists) who create an account a sequentially-generated user ID. User IDs are unique to each account and are required in order to enable the Platform to function.
Transaction Data	We do NOT process data about payment transactions on the Platform because we collaborate with “Stripe” payment system to handle the huge amount of transactions automatically.
Member Engagement Data	We Process data for logging into the Platform and activity conducted during that log in such as when a user logs in, the login timing, number and length of messages received or sent through the Platform, received or sent message timing, number and duration of live session scheduled or conducted, the number and timing of use of other features.
Therapy Data	We Process the answers to the initial questionnaire to prepare Therapists for the free session. We do NOT record the video or audio sessions with Therapists.
Therapy Quality Data	We Process client feedback about their Therapist including, ratings and reviews of their Therapist, actions regarding switching Therapists or quitting therapy, and the reason selected by the client. We Process Therapist session availability, session cancellations and no-shows.
Customer Service and Communications Data	We Process communications users have with our Customer Service team.
Therapist Data	In order to follow up with Therapists on the status of their applications, to identify, match, credential, re-credential, run checks, issue 1099s and pay Therapists, we process Therapist information such as the Therapist’s name, bank account information (by Stripe), gender, date of birth, e-mail address, phone number, address, license information, tax ID, and areas of interest/expertise, education, and job history. Therapists may also separately and outside of this Policy.
Therapist Engagement Data	For Therapists, we process such data as number/times of Therapist logins to the Platform, the number of live sessions conducted by a Therapist, number of messages by a Therapist, number of blog posts shared by a Therapist.

 

1. Why do you collect and Process my data? 

a.In order for us to connect you with therapy services on our Platform, we need to be able to facilitate information sharing between you and your Therapist so that you can get the help you need from them.  

b.To communicate with you, we need to make sure that if you ask a question or have a concern about the Platform, we’re able to respond to you and provide an answer. 

1. We may also process your data to track potential abuse on the platform, prevent and detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
2. We track if a live session occurred, was cancelled, or if the Therapist did not show up, to ensure that timely services are being delivered to you. We also track ratings, reviews, complaints, and other client feedback to ensure the quality of Therapists on our Platform.
3. We may use some of your data to determine which Therapist is convenient for you, which features are popular and require more investment or resources, or decide to remove features that are not providing value. We may also Process data to know when you have already seen certain notifications on the Platform and do not need to be shown them again.
4. In case that a court might subpoena information from us where we would be required to share certain information requested in the subpoena. This is not unique to Expathy and is applicable to in-person therapy as well. Keep in mind that, as a general rule, we defer to your chosen Therapist to decide to produce (or not produce) any psychotherapy notes or messages you have had with them. Many jurisdictions have strict rules governing Therapist/client relationships and the confidentiality requirements associated with that. We encourage you to discuss with your Therapist early on if you have concerns about their disclosure obligations. You should also be aware that Therapists may be obliged to disclose information to authorities to meet professional and legal responsibilities. Specifically, some laws require mental health professionals to disclose information and/or take action for: (a) reported or suspected abuse; (b) serious suicidal potential; (c) threatened harm; and (d) court-ordered treatment. You should speak with your Therapist if you have concerns about this.
5. If you’re a Therapist on our Platform, or being recruited to join us, in addition to the above, we may Process Therapist Data, Therapy Quality Data, Therapist Engagement Data, User ID, Onboarding Data, Account Registration Data to:

• Assist in the Therapist recruitment process and onboard you to the Platform; 
• Operate the Platform, match clients to you based on your preferences, and facilitate the communication between you and your clients; 
• Verify your identity and secure your account; 
• Run background checks and other screening required for credentialing and re-credentialing purposes; 
• To pay you and comply with all relevant tax laws; 
• Offer you information about new features, opportunities, perks and other incentives; 
• Promote your profile on Expathy and directories to get you more clients; 
• Send you email, calls or SMS reminders, notifications & updates about your application, profile or account. 

1. We may send you (with your consent) opportunities, promotions, news, updates and reminders about our services and your account: For example, we might email you to offer you special promotions or discounts. We might also email you to provide you with therapy related news or content that you might find interesting. You can opt out of receiving texts or marketing communications at any time.

 

1. Who can see the interactions I have with my Therapist?
    

Messages with your Therapist are not shared with any Third Party, and your live sessions are not recorded. We also do not share when you send a message, or have a session with your Therapist, with any Third Party. 

1. What are the purposes for sharing my data?
    

• Your data may be shared to comply with applicable laws. For example, a court might subpoena information from us where we would be required to share certain information requested in the subpoena. This is not unique to Expathy and is applicable to in-person therapy as well. Keep in mind that, as a general rule, we defer to your chosen Therapist to decide to produce (or not produce) any psychotherapy notes or messages you have had with them. Many jurisdictions have strict rules governing Therapist/client relationships and the confidentiality requirements associated with that. We encourage you to discuss with your Therapist early on if you have concerns about their disclosure obligations. 
• We may share certain data with Service Providers that provide limited services that help us operate the Platform. Examples include: 
• Web data hosting and storage providers: For example, cloud hosting providers such as Amazon Web Services (AWS). 
• Technology Service Providers: For example, we sometimes integrate tools into our Platform which give our Platform more functionality, like technology that helps us provide live audio, video and group meetings. 
• Customer Service Providers: For example, we use a tool that helps keep track of requests and questions from our Members, visitors and Therapists in a secure way. 
• Email management and communication Service Providers: For example, we may use a tool that makes reaching out to you easier for us and more convenient for you. 
• Billing and payment processing Service Providers: For example, we use Stripe to help process payments in a secure way. Stripe also assists us in paying Therapists and issuing tax documents to them. For this purpose, we may share email addresses of Therapists with Stripe and other data that is needed to pay Therapists such as a Therapist’s name and tax ID. 
• Reporting and analytics Service Providers: For example, we might use a service to help us keep track of which pages and features are most used on our site. 

 

1. Do you Process location data?
    

We process your IP address to determine your rough location so that we can personalize the platform for you. For example, we show you relevant information about our service that applies to visitors from your country. 

We also utilize your rough location to improve your user experience when using our platform. For example we auto populate your state (if applicable) and country when you are completing our onboarding questionnaire. 

We do not request or process exact location information such as information provided by your phone via GPS. 

1. Are you using my data for advertising? 

We don’t share any data or information you share with your Therapist with any Third Party advertisers. Even if you opt in to Advertising cookies and web beacons, we still don’t share information with Third Party advertisers like Member names, email addresses, phone numbers, clinician diagnosis, questionnaires answers, sessions data, journal entries, messages, worksheets, or any other type of private communication you have with your Therapist on the Platform.
 

1. What is a cookie or web beacon? 

A “cookie“ is a small data file that is accessible within a folder on a computer, and it is used for record-keeping purposes. Cookies are used to enhance performance of the Platform, personalize your experience and can be used for Third Party tracking. For example, cookies may be used to help you quickly log into certain platforms and websites without having to enter your credentials every time. 

A “web beacon“ or “pixel” is a tiny and sometimes invisible image or embedded code, placed on a web page or email that can report your visit or use to a Third Party. In general, these tools can be used to monitor the activity of users for the purpose of web analytics, advertising optimization, or page tagging. 

We use our own, Service Providers and Third Party cookies and web beacons to deliver a faster and safer experience, to monitor and analyze usage, to comply with laws, and for advertising purposes. 

1. How do you keep my data secure? 

We apply industry standards and strive to apply best practices to prevent any unauthorized access and disclosure. Internet-based services carry inherent security risks, but our systems infrastructure, encryption technology, operation and processes are all designed, built, and maintained with your security and privacy in mind. 

1. Do you sell my data? 

At Expathy, we want to emphasize that we do NOT engage in the sale of any data. We prioritize the privacy and security of our users and ensure that their confidential data is not sold to third parties for commercial purposes. 

1. Can I sign up for Expathy and remain anonymous? 

When you sign up for an account on Expathy, we do not ask you for your full name. You may pick any name or “nickname” which will identify you in the system. You will need to provide an email address so that we can verify your account, and so we can communicate with you. You can choose an email that does not include your name(including if you are coming to us from an employer, organization, or other business partner and do not want to use your organization’s email address), but you should be aware that in some jurisdictions emails may be considered “personal data,” “personally identifiable information,” or “sensitive personal data” in certain circumstances. Even though we try to limit the kinds of information you must provide to us as discussed above, it is very difficult to be truly “anonymous” when you use any app or the internet. 

1. How long do you keep my data? 

Expathy is committed to ensuring that all applicable Member data is retained only for the amount of time required to provide relevant products and services and in accordance with relevant legal requirements. In addition to the data retention schedule outlined below, Expathy maintains a process to receive and process, without undue delay, requests by Members to delete their data. 

If you are a Member with a Expathy account: We retain your data for the duration of your Membership and for ten (10) years from the date you last logged into your account. In some circumstances, Expathy may have legal or regulatory obligations such that it must retain certain Member data beyond the retention schedule defined above. Expathy only retains Member data beyond the defined retention period when required due to ongoing litigation, requests by law enforcement, or regulatory action. 

1. How do I request my data or delete it?       

To receive a summary copy of your data, you may request this information by writing to expathy@expathy.org. 

You may request to delete the data or opt out of previous settings you have opted into. We will only comply with a request for deletion of your data if we can verify your identity. You may reach to expathy@expathy.org for deletion request. 

Requirements: 

• Only you or your authorized representative may make a request on your behalf. 
• You must provide sufficient information that allows us to reasonably verify your identity or status as an authorized representative. 
• You must provide details that allow us to understand, evaluate, and respond to your request. 

Exceptions: 

• We reserve the right to deny information requests that are unduly burdensome as allowed by law. 
• We reserve the right to deny information or data deletion requests in the event a litigation hold or legal request to preserve Member information is in place. 
• When we complete your data deletion requests, we still must retain some information in order to comply with laws and regulations and to maintain business integrity. For these reasons, we will retain this data for 10 years. This data is limited to: name, email address, communications data (like complaints and data deletion requests), records of disclosures of personal information to Third Parties, Phone number (if provided), address (if provided) and date of services received. 
• This ONLY applies to Members who have started therapy. 

 

1. How can I stop receiving direct marketing emails from you? 

You can always opt out of receiving marketing emails. In order to opt out, you can select the unsubscribe link located at the bottom of the relevant email communication. 

1. How do you treat data from children? 

This Platform is only designed for international expats who arrived in a country for job purposes. We don’t knowingly collect or solicit any data or information from anyone under the age of eighteen (18) or knowingly allow such persons to become our users. The Platform is not directed at and not intended to be used by children under the age of eighteen (18). If you’re aware that we have collected personal information from a child under age eighteen (18), please let us know by contacting us, and we’ll delete that information. 

1. Will you change this Privacy Policy? 

We may update this Privacy Policy. When we make significant changes to this Policy, we will notify you through our website or app when you log in to your account. We encourage you to periodically review this page for the latest information. 

1. General Data Protection Regulation (GDPR) and UK General Data Protection Regulation Notice 

This section provides additional information about our Policy relevant to you if you are from the European Economic Area (the EEA), United Kingdom, and Switzerland (together “European Area Countries”). It supplements and should be read in conjunction with the rest of the Policy. 

Under the European Area Countries’ privacy laws, we are the Controller with respect to your data. 

When is my data used? 

• When it is in our legitimate interests or an external third party’s legitimate interests (“legitimate interest” is a term defined by the General Data Protection Regulation (GDPR) and UK General Data Protection Regulation Notice). Our legitimate interests in this instance include managing the Platform and Expathy business, safety and security of the infrastructure, prevention of fraud, research, and development, and management of contracts and legal claims. 
• When it is needed for the provision of the Platform. In particular, for product development and internal analytics purposes, and otherwise to improve the safety, security, and performance of the Platform. We only rely on our or an external third party’s legitimate interests to Process your data when these interests are not overridden by your rights and interests. 
• When it is necessary to do so to comply with any legal obligations imposed upon us under our contractual obligations or our contractual obligation or applicable law. 
• In rare instances, when it is a medical emergency, we may use your data to protect your or another’s vital interests if consent is not a reasonable option. 
• When you have consented to the use of your data, for marketing purposes or through the use of cookies and web beacons. Where consent is the legal basis, you have the right to withdraw your consent at any time. 

What Lawful Basis for Sensitive Data is Used in the UK and EEA? 

Expathy may also collect and Process certain categories of personal information, which may be considered “sensitive personal information” in the UK and EEA. The lawful basis for this Processing are (1) health and social care, (2) our establishment, exercise, or defense of a right or legal obligation, (3) substantial public interest, and (4) consent. Where consent is the legal basis, you have the right to withdraw your consent at any time. 

When you begin to use our services and register your account, we ask you to provide answers to a questionnaire to customize the service, to match you with a Therapist, and to provide therapy and related services to you. In providing your responses to the questionnaire you may provide us with “sensitive personal Information” as described above. You may also continue to share such data with us as you receive services. This data is necessary as it allows us to continue providing services to you and customize our services for you. It is also necessary to provide healthcare with a personalized and well-selected Therapist based on points of data which impact your therapy and health care needs. The Therapist also reviews this data and can choose to not work with you if they are not a good fit. We may also use this information to improve our service and understand how you interact with the services. 

How do we obtain your personal information? 

Expathy obtains the categories of personal information listed above from the following sources: 

Directly from you, such as information when you apply to be a counselor or that you submit during the Process of using and paying for our Services. 

Indirectly from you, such as through your actions on our website. 

What are my rights and choices under European Area Countries laws? 

European Area Country residents have specific rights regarding their data. This section describes your rights if you are resident in the European Area Countries and explains how to exercise those rights. 

• Subject access request: You may be entitled to ask us for a copy of any data which we hold. We will normally send you a copy within one month of your request. However, that period may be extended by two additional months where necessary, taking into account the complexity of the request or the difficulty in accessing the data that you request. There is usually no charge. In exceptional circumstances, we may charge a reasonable fee after discussing the fee with you. 
• Right to rectification: If the data we hold about you is inaccurate, you may request rectification. The data will be checked, and, where appropriate, inaccuracies will be rectified. 
• Right to erasure: In certain circumstances, you may be entitled to ask us to erase your data. 
• Right to data portability: In certain circumstances, you may wish to move, copy, or transfer the electronic data that we hold about you to another organization. 
• Right to object: You may object to your data being used for direct marketing. You may object to the continued use of your data in any circumstances where we rely upon consent as the legal basis for Processing it. Where we rely upon legitimate interests as the legal basis for Processing your data, you may object to us continuing to Process your data, but you must give us specific reasons for objecting. We will consider the reasons you provide, but if we consider that there are compelling legitimate grounds for us to continue to Process your data, we may continue to do so. In that event, we will let you know the reasons for our decision. In some instances, objecting to certain Processing may impact our ability to provide you with services. 
• Rights related to automated decision-making including profiling: We use limited data to operate the Platform and to carry out certain profiling activities to support and grow our business. When doing so, we rely upon our legitimate interests as the lawful basis for Processing your data, and you may exercise the above rights if you do not wish us to Process your data in this way. 

To exercise the rights in relation to your data set out in this section, please contact us at expathy@expathy.org. 

 

Last Updated and Effective: June 1, 2023