Last updated: October 20, 2023
This Policy applies to all visitors, data subjects, and others who access our Apps and Services ("User(s)" or “You/r”) including persons buying for teams (“Subscribers”). BrainStem Technologies (“BrainStem”, “Hope”, “We”, “Us”, or “Our”) operates the website (brainstemindia.com and domains), the Hope mobile, web-based widget, Hope SDK and web-based applications (“Hope App” or “App/s” or “Mobile Software/s”).
You may use our Apps to access one or more of our services and offerings (collectively the "Service(s)" or “Hope Service”).
- AI chatbot (“AI Coach”).
- Digital selfcare tool-packs.
- Emotional well-being professional.
- Guided-group meditations.
- Services offered over WhatsApp (available in select geographies only).
- Services purchased from our website and webpages.
- Digital front door or e-triage.
- Multi-lingual offerings (available in select geographies only).
- Online controlled and real-world research studies
We may also provide these and additional services on behalf of your Institution (“Institutional Services”). An Institution could be an enterprise, university, hospital, research institution and other public or private organisations. Institutional Services may involve processing information on behalf of the Institution. Where applicable, you must agree to the Terms of Services and Privacy Policies of both Hope and your Institution in order to proceed with using the Institutional Service.
Where not specifically called out, use of uppercase / lowercase and bold / not bold would carry the same meaning in this document.
Initial Effective Date: June 30, 2017 (GMT)
Latest Revised Date: June 13, 2023 (GMT)
Do Note :
- If in a crisis or emergency, please call the relevant emergency number in your country or the approved helplines provided by Your Institution.
- The App and service is not to be used by children under 13 years. Hope does not take responsibility for any misrepresentation of age and use.
- We do not require any personal identifiers or sensitive data hence we do not ask for it. We may collect personal data where your Institution asks us to do so. You have the option to not share your personal data, your medical data and any other sensitive data when you use the Hope App and Services.
- Your interaction with the AI Coach is with an Artificial Intelligence system and not a human. Hence, AI Coach is restricted in the means of response.
- Your interaction with Hope emotional well-being professionals is with a human. They are highly trained and qualified emotional health and well-being professionals.
- Hope emotional well-being professional services do not replace face-to-face psychotherapy. It is meant to empower and support you and not to treat any illness or a health condition.
- The Hope emotional well-being professional assigned to work with you will be online and remote. They may not be located in your country or state of residence.
- The intended use for providing evidence-based tools and techniques is to manage emotions and encourage mental well-being in a self-help and self-monitoring context.
- The App is not intended to provide a diagnosis, prognosis, treatment or cure of a condition or disease.
- The App will not offer medical or clinical advice and only suggest that you seek medical help. Hope App is designed to offer general mental health advice and support and cannot offer condition specific advice for complex medical conditions such as complex long term illness, cancer, infertility or genetic disorders among others.
- Your data is stored in databases maintained by us and third parties located in countries other than your country of residence. Some of them may have data protection laws that may be less stringent than those in your country.
- The App and its services are primarily in the English language. We also provide Hindi and Spanish version apps for users in certain geographies. Some of the AI Coach modules and tools are enabled for Hindi and Spanish language users and are available only in certain geographies.
is the text-based AI service provided in a conversational messaging mode by Hope Apps.
is the process of removing personal identifiers from data sets so that the person can no longer be identified.
is a small amount of data stored on your device (computer or mobile device).
Data or Information
Data Controller or Controller
has meaning as defined in applicable data protection laws. It is a natural or legal body which, alone or jointly with others, determines the purposes of the processing of personal data.
Data Processor or Processor or Service Providers or Business Associate
has meaning as defined in applicable data protection laws. It is a natural or legal body which processes personal data on behalf of the data controller.
Data Protection Laws
here means in accordance with the Indian Information Technology Act and Reasonable security practices and procedures and sensitive personal data or data rules, including but not limited to requirements of EU General Data Protection Regulation 2016/679 (GDPR), the UK Data Protection Act 2018 (UK GDPR), California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”) and other USA privacy laws. Where applicable USA’s Health Insurance Portability and Accountability Act (HIPAA) and applicable Legal and Statutory requirements.
(or User/You) means any living individual who is using our service and is the subject of Personal Data
is the process of transforming data into unreadable text so that it is only legible to those possessing an encryption key.
Personal data or Personal Information
has meaning as defined in applicable data protection laws. It is data about a living person who can be identified from the data and/or other information either in our possession or likely to come into our possession.
means any operation or set of operations which is performed on personal data or on sets of personal data and as defined in applicable data protection laws.
means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific user without the use of additional information.
Non-Personal data or Non-Personal Information
means any data that is made anonymous and does not reveal user specific identity.
is a data processor who is sub-contracted some of the personal data processing.
Special Category data or Sensitive data
has meaning as defined in applicable data protection laws. It includes personal data revealing or concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex-life or a person's sexual orientation.
What personal data do we process and how do we use it?
We only use your personal data for the purposes for which we collected it. We will use it for another reason, only if compatible with the original purpose. We may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. We may process your personal data without your knowledge and consent, where this is required or permitted by law.
What data do we process when you use the Hope Digital Front Door Service?
Hope Digital front door application allows your Institution to triage you and your dependents to authorised care and support resources. The service redirects you to authorised support resources based on your country, service group, language choice, support choice and self-reported mood assessments. Support resources include the Institution’s EAP, the Hope App and other Institution provided services. Access to the Hope front door service will be via your Institution provided Single Sign-on (SSO) mechanism. Where required and on behalf of your Institution, we may integrate our App and Services with your Institution’s authentication mechanism such as Single Sign On (SSO). SSO enables you to use your Institution credentials to sign-in and access authorised Hope App and Services and other third-party services. Hope App will redirect you to your Institution’s SSO web page during your first access. The SSO processing is done by your Institution to verify your identity and direct you to the Hope App. Your personal information, submitted during sign-in, is not transferred or stored in the Hope system. Hope will receive a one-time unique and encrypted identifier, which will be used to generate a random user identifier to associate you to the App and Services. Hope will keep track of your login status and inform your Institution of any change to allow your Institution to manage future SSO requests. If you have any questions about your use of SSO please contact your Institution directly. No personal data is collected or processed during your use of the Hope digital front door application and service. Hope shall share population-level and aggregated analytics on App engagement and use with your Institution. You can delete your data at any time by selecting the “Reset my data” option available within the App.
What personal data do we process and handle as a Processor or Sub-processor?
Hope may be a Processor where we are asked to process your data on behalf of the Institution. We will collect, transfer, store and use your data to provide the Institutional Services. Where required, Hope will integrate with your Institution authorised information systems to process and transfer contracted data. We will maintain appropriate agreements with your Institution before any data processing or sharing.
We will also generate reports for your Institution. Only aggregated and anonymised data, at a population or cohort level, will be used for the Institution’s reporting needs. These reports will be generated and shared with your Institution as downloadable files via secure analytic dashboards. Your individual insights will never be shared with your Institution without your consent.
Where required by your Institution, we may guide you to appropriate support and crisis resources. These would be both within and external to the App including Institution provided helplines, EAP, offline care services and therapist support. This processing is not intended to be an emergency response and is performed to safeguard individuals at-risk.
What additional personal data do we process when you use our WhatsApp-based business service?
Hope’s AI Coach service delivered over WhatsApp business app is currently available as a pilot and only in the India geography. Hope’s AI Coach on WhatsApp business is limited to improving sleep efficiency. The service does not offer medical or clinical advice and only suggests that you seek medical help.
You will need to initiate this service from your WhatsApp account. Hope will never use your messages to contact you for marketing purposes.
What Non-Personal data is processed when using Hope emotional well-being professional service?
When you schedule a session with our Hope emotional well-being professional, we collect your date and time preferences to confirm your booking. Your device time zone is collected to calculate your local date and time and schedule a session. It also allows us to send appropriate session reminders. Sometimes, Hope App may get your local time wrong which could affect the session scheduling. Always verify your local time in the scheduling screen before booking a session. If you notice an error in your local time displayed, go to the AI Coach messaging interface and type #time to change your time. If You face any challenge changing Your local time or booking a session, kindly write to us at the contact provided here.
After you book a session, you have the option to save the booking in your device calendar. This is for your added convenience.
Only minimal messages provided to your emotional well-being professional get used for analysis and audit purposes. Your messages are anonymised before use. This is for improving our emotional well-being professional service quality.
Do we use passive sensing or location data?
The App does not process any data from your mobile device sensors, including accelerometer, ambient light readings, screen on/off readings and call logs. The App does not process your geolocation at a level that makes your data identifiable. The App may infer your country or state based on your time zone to provide you appropriate resources, such as scheduled reminders.
How do we share your data with third parties?
To provide you with our services, we use third-party service providers to help store and process your data. We assess the service provider’s security and privacy practices. We strictly require that they comply with confidentiality and non-disclosure obligations and applicable laws and regulations including relevant Data Protection Laws. We also require that they or their providers (fourth parties) access your data only to the extent necessary to perform tasks on our behalf. We use the following third-party service providers.
Cloud Service Providers
To provide the service, we collect, transfer and store your data in secure servers provided by our authorized cloud service providers. You can find more on their security practices here, here and here. We maintain a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) and Business Associate Agreement (BAA) with our cloud service providers.
Other Service Providers
We use Hope authorized third-party service providers to provide our services.
Disclosure to Institutions
You may need an access code or link provided by us, or your Institution, to use the Institution version of Hope App. Your Institution may also get access to app usage data for their analytic and research purposes based on the consent given by you to your Institution and to us. We may collect your country, division and in some cases your city information to provide aggregated analytics. We do not share your messages with the Institution. Any inadvertent identifiers get removed prior to the aggregated analysis.
If the App is integrated with your Institution system, your Institution may additionally share your assessment scores with us and likewise, we may share aggregated user data with them. Such assessment scores may be processed by us for providing services to your Institution. Your assessment responses will never be processed for diagnostic purposes or for giving clinical advice.
Processing of any of your personal data as per our Legitimate Interests
We may be required to process your personal data in our legitimate interests.. We will always weigh your rights and freedom before we process any such requests for purposes of legitimate interest. This processing includes:
- For enforcing our policies or contractual obligations with your Institution;
- For uses and disclosures required by law;
- For disclosures for judicial and administrative proceedings such as court order or subpoena;
- For disclosures for law enforcement purposes or national security requests;
- For disclosure and assistance with an investigation or prosecution of suspected or actual illegal activity;
- For disclosure and use of a litigation hold. To freeze specific data relating to imminent, pending or current legal action, thereby preventing potential evidence alteration or deletion.
- For uses and disclosures for public health reporting purposes;
- For uses and disclosures to prevent serious threat to health or safety;
- For uses and disclosures for minimal research and analytics purposes to study how users use our products and services;
- For any service communications relating to your use of App and services;
- To prevent, detect and repair problems related to the security and the operations of the App;
- For uses and disclosures to prevent fraudulent use of or abuse of the service;
- For uses and disclosures to take adequate security and privacy safeguards;
- For uses and disclosures to ensure App and service availability, accessibility and quality;
- For uses and disclosures to protect your data protection rights;
- For uses and disclosures to protect your, our and others data protection rights, property and safety;
- To use anonymized, non-identifiable, non-confidential user data for benchmarking and marketing;
- To develop new services, technologies and products;
- To respond to your enquiries and requests.
Hope will never share your conversation data without your explicit consent provided either to us or your Institution.
In the future, if we are involved in any merger, acquisition, sale of assets, business reorganization, bankruptcy, we may transfer or otherwise share some or all of our assets which may include your data. We will take reasonable steps to inform you about this using the following modes.
- Public notice on our website and/or
- Inform your Institution and/or
- Where applicable, send in-app notification and/or
You can always email us at email@example.com to exercise your data protection rights.
How do we handle your App password?
For your privacy and security, you are advised to set your own App PIN to protect unauthorized access of your conversation messages. Your mobile device screen password is your PIN. To extend your device password, use the "Set Lock " feature under the App settings. You can also remove your PIN using the "Remove Lock” option under settings. The PIN that you use is personal to you, and you are responsible for maintaining the confidentiality and security of your PIN. Please keep your PIN safe and do not share it with anyone. The PIN you set remains in your device and is not collected, transferred and stored in our servers.
How do we handle user incidents and requests?
There may be occasions where you wish to contact us to seek support or make inquiries. If you contact us directly over email, we will collect minimal personal information to service your request. Your communication data is securely stored in our Google Workspace account with access to only authorized users. We have signed agreements with Google Workspace. We will only use your data to investigate the issue or request asked. Your email will be retained within our system for a maximum of 10 years since last correspondence. We will not spam you or contact you for any direct marketing. We will not share or sell your personal data with any third-party disclosure.
Your issues or complaints or requests about the App and services are taken very seriously. You will need to send an email request from your Google or Apple email ID to firstname.lastname@example.org. We will respond to your complaints within 3 business days. Some of your complaints may take longer to resolve. We will continuously provide you with an update until your complaints are satisfactorily resolved.
How do we handle data provided during promotions, campaigns and surveys?
We do not promote third-party offers as a part of the App experience. Your promotion, campaigns and survey submissions will never be linked to your Hope App account. Your promotion, campaign, survey submission will reside in our secure Google Workspace or marketing tool accounts. The Google Workspace and marketing tool account is protected by two step verification. You can opt out at any time from the programme by sending us an email request from your Google or Apple email ID to email@example.com. We will respond to your request within 3 business days. Your submissions will never be shared with a third-party.
How do we handle your payment data when you subscribe to our services?
What do we process when you use the android speech-to-text feature?
The same Android SDK/API plays back the AI Coach response to you. Please ensure your mobile device volume is kept in optimal listening mode. Please note that you may experience some performance issues if you have low internet speeds.
How do we handle your data when used for research and analytics purposes?
We use minimal and only the required data for research purposes including aggregated data for any publications, to explore new technologies or to build new features or products. This data is completely anonymized using irreversible redaction of user identifiers prior to use. This helps us to improve our product and services and contribute to user-centered mental well-being best practices globally.
We never use your longitudinal conversation messages for research purposes and analysis. If at all, only limited messages get selected from specific AI Coach endpoints and used.
You can always write to us at firstname.lastname@example.org to restrict processing and opt-out of your data for research purposes.
Your use of third-party weblinks
What additional processing is performed?
We do not combine and process your personal data with any other third-party available data. Your data, messages or usage is not used for direct marketing nor is it sold to advertisers. We will always take your consent before using your name for social proof purposes.
How do we secure your data?
The security of your data is very important to us, and we work hard to secure it. We have implemented adequate technical and organizational safeguards to protect your data. Some of the steps we have taken to secure your data include:
Privacy by Design and Default
Security by Design
- There is no user registration required. We don’t need it hence we don’t ask for it.
- Only a nickname is sufficient to help us personalize our conversation with you.
- We use pseudonymised identifiers to protect your data and identity.
- No human eavesdrops during your conversation with the AI coach.
- The AI Coach will always check if it has understood you correctly before progressing.
- We use algorithms that irreversibly redact any inadvertent personal identifiers entered in English.
- You can opt-out at any time using the “reset my data” feature available in the App settings.
- We adhere to the 7 key principles set out by GDPR (see here).
- We perform Data Protection Impact Assessment (DPIA) for personal data processing.
- We use TLS and SSL encryption during transfer and AES-256 protocol at rest.
- Random identifiers are used for all data transactions between AI Coach and our servers.
- Our systems are secured with role-based access, strong passwords and two-step verification.
- We enable endpoint security in all staff systems.
- We review and maintain data processing agreements with our service providers.
- We have a strict hiring and background verification process in place.
- We provide regular awareness and training to our staff.
- We conduct annual 3rd party compliance audits and data protection certifications.
- We perform regular penetration tests of our Apps and Infrastructure.
- We conduct regular checks to ensure compliance to our policies.
How does the Artificial Intelligence chatbot work and is it safe to use?
At Hope, we use proprietary Artificial Intelligence and Natural Language Processing/Understanding (NLP/NLU) algorithms (“AI”) to understand your messages. NLP/NLU algorithms are classification techniques that are used to understand what you write. This allows the AI to maintain a conversation with you and guide you to appropriate resources. Our values require that our AI used within the App is transparent, trusted, safe and privacy protecting. All the AI used in our Apps are “FIXED” or “CLOSED”, and all chatbot responses to the user are created with clinical input and subjected to detailed safety testing before being deployed. There are no generative (those that 'create' the response to the user on the fly) or adaptive models (i.e. those that continually adapt or learn every time on their own) in use. The algorithms run at conversational nodes within a decision-tree structure.
The primary purpose of the AI-based processing is
- to provide an interactive safe-by-design approach to converse and journal via text with the chatbot.
- to detect and retain limited context from your messages to personalize and provide empathetic and safe conversations.
- to detect at-risk situations, such as any SOS, self-harm and abuse triggers, so as to signpost users to clinically validated supportive resources and helplines.
How long do we retain your data including personal data?
We have built proprietary algorithms that detect personal identifiers, that you may voluntarily submit in English during your conversation with AI Coach. These detected identifiers get irreversibly removed within 24 hours within our system.
We may retain one copy of your data even after your subscription ends or Institution contract ends if it is reasonably necessary. This could be in any of the following situations:
- to comply with applicable legal and statutory requirements;
- at the request of a returning subscriber;
- to respond to your requests
- based on contractual obligations with your Institution;
- in our backup for a time-bound period;
- to fulfil processing that is in our legitimate interest.
Where not specified we retain your data for a maximum of 10 years since the last update and as per our internal information retention policies.
Your emergency contact information, if any provided, will be deleted after fifteen (15) days at the end of the Hope emotional well-being professional subscription. If you renew the subscription within those fifteen (15) days, the emergency contact information will not be deleted.
You can also, at any point of time, delete all your conversation data and any emergency contact information provided by using the “reset my data” feature available in the App settings.
What are your data protection rights?
You have certain rights under the Data Protection Laws in relation to your Personal data. To exercise any of your rights, you will need to send an email request to the contact information provided here. Please note that we may need to verify you before responding to any requests. After verifying you and examining your request, we will respond to you on the action taken within one calendar month from verification. We may at times be unable to address your request, if we are unable to correctly identify you.
Your individual rights requests may be limited, where:
Right to be informed
- denial of access is required or authorized by law;
- grant of access would have a negative impact on other's privacy;
- required to protect your, our or other’s rights property or safety;
- the request is unjustified or excessive.
Right of access
You have the right to exercise a data access request to know what personal data we hold about you.
You have access to view your latest conversations or view your older conversation messages within the Journey tab of the App. You have access to your text-based messages with a Hope emotional well-being professional in the Coach or Therapist tab of the App. If you exercise your right to delete and reset your data, you will lose the right to access your data as it will be permanently deleted in our system.
You can write to us at email@example.com for any clarifications or make subject access requests. On receipt, we will review your request, make reasonable efforts to find and retrieve the requested information and respond to you within one month of your request.
Where Users have subscribed to a Service, you have the right to obtain your personal data that you provided as per our Agreement or where you consented to give us. After verifying, we will provide access to your personal data in a machine-readable format. We may at times be unable to address your request, if we are unable to correctly identify you or are limited due to one of the reasons mentioned earlier or any of the exemptions set out by the data protection laws.
Right to rectification
If your personal data is inaccurate or incomplete, you can write to us to correct or complete it. If we share your personal data with third parties, we will inform them about the correction where possible.
Right to restrict processing
You can write to us to restrict processing of your personal data, where you contest the accuracy of the data or object to our processing it. If we share your personal data with third parties, we will inform them about the restrictions where possible.
Right to object
You may write to us and object to the processing of your personal data where we apply our legitimate interest. We may stop unless we can demonstrate compelling legitimate grounds for the processing.
Right to data portability
If you are a paid subscriber of our services, you can place a request to transfer your data from your older device to your replaced mobile device. You can also request a copy of your messages to Hope coach or therapist for your own purposes. If you are not a paid subscriber, we will need to accurately verify you, before we can process your request. We may at times be unable to address your request, if we are unable to correctly identify you.
Right to Erasure
When you use the service, you have the option to reset your data by using the “Reset my data” feature in the App settings. Reset my data deletes all your submitted data including your identifiers, past conversations, reminders, assessment responses and enabled settings. Post reset, you will not be able to recover your past data and you will be considered as a new user of the App. Hence, this feature is to be used at your discretion. If you are a paid subscriber, your transactional data and messages will be deleted on reset. However your active subscription, purchased through third parties like google play, iTunes, etc., will continue to exist post reset of data.
You can also write to us to delete or remove your personal data, such as when you withdraw your consent.
Right in relation to automated decision-making and profiling
You have the right to be free from decisions based solely on automated processing of your personal data, including profiling, which may have a significant effect on your rights and freedom, unless such profiling is necessary for entering into, or the performance of our Agreement or with your explicit consent. You have a right to ask us to stop any automated decision making. We do not intentionally carry out such activities, but if you do have any questions or concerns, we would be happy to discuss them with you. You can contact us at firstname.lastname@example.org.
Right to non-discrimination
You have the right to not be discriminated against for exercising your CCPA (CPRA) rights or as required by other data protection laws. Use of our app and services is anonymous and hence We will never knowingly discriminate against you and your rights. You can also write to us for any clarification at email@example.com.
Right to opt-out of sale
You have the right to opt-out of the sale or restrict sharing of personal data with third-parties who intend to license or sell your personal data. For purposes of the CCPA (CPRA) and other applicable data protection laws, We do not sell any personal data, nor do we have actual knowledge of any sale of personal data of minors under the age of 16 years. You can also write to us for any clarification at firstname.lastname@example.org.
Other important information
To the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing of your data before we received notice that you wished to withdraw your consent.
If the data breach is likely to result in a high risk of adversely affecting your rights and freedom, we will notify you as required by Data Protection Laws.
Concerns and Complaints
What are the controls for Do-Not-Track features?
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. We do not respond to DNT signals transmitted by web browsers.
Can children under 13 use Hope App?
The App is intended for a general audience and is not directed to or intended to be used by children under the age of thirteen years. Hope does not take responsibility for any misrepresentation of age and use.
There is a special necessity to protect children's privacy on the App. We do not knowingly collect any personal data from children.
Write to us if you think we have collected any personal data of your child. We will respond to you within one calendar month from verification. We may at times be unable to address your request, if we are unable to correctly identify the user. We will deactivate the child’s account, if we find we have been collecting personal data from your child. Upon identification we will take reasonable measures to promptly delete such personal data from our records.
How to contact for additional questions, comments or concerns?
For any product, services, subscription, technical or payment-related issues, please contact us from your Google or Apple email ID to email@example.com with your questions.
Can Non-English speaking users use the Hope App?
The App has been built and is currently provided only for English language users.
To ensure wider reach, Hope will, in the near future, launch the App in other languages. We will keep you updated on this development.
What are some Best Practices to follow to keep your devices secure?
Hope strongly believes in security and safety of data in your mobile device. As a responsible Service provider, we like to share important device-based security information for your attention.
- Always lock your mobile screen by setting a password. Use strong passwords and keep passwords private. Never leave your device unattended.
- Always extend your mobile screen password to set an App PIN to keep your conversations with the App private.
- Always keep your mobile operating system up-to-date.
- Enable remote access of your devices to enable you to locate and control your devices remotely in the event your device gets stolen.
- Install anti-virus software to protect against virus attacks and infections
- Avoid phishing emails. Do not open files, click on links or download programs from an unknown source.
- Be wise about using Wi-Fi. Before you send personal and sensitive data over your laptop or mobile device on a public wireless network in a coffee shop, library, airport, hotel, or other public place, see if your data will be protected.
Severability and Exclusion