Privacy Policy

Effective date: 22 June 2025

Welcome to the official Emosapien Privacy Policy. We are committed to protecting the sensitive data of mental health professionals. This policy outlines our compliance with global standards like HIPAA and GDPR. If you have questions about our terms, please visit our Terms of Service page.

This Privacy Policy explains how Emosapien Pty Ltd (“Emosapien,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you use:

  • our websites and landing pages
  • our web or mobile applications
  • any related products and services that support mental health professionals and their clients

(collectively, the “Services”).

Because Emosapien is used in a mental health context, we treat the information we handle as highly sensitive and apply strong safeguards consistent with applicable privacy and health information laws, including:

  • Australia: Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
  • European Union / United Kingdom: General Data Protection Regulation (GDPR) and UK GDPR
  • United States: relevant federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA) where applicable, and state privacy laws such as the California Consumer Privacy Act (CCPA/CPRA)

If you are a client or patient of a mental health professional who uses Emosapien, that professional (or their clinic or organization) is usually the data controller, covered entity, or equivalent. Emosapien Pty Ltd acts as their data processor, service provider, or business associate, processing your information on their behalf and according to their instructions and our contracts with them.

By using the Services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Services.

1. Who we are and how to contact us

The Services are operated by:

Emosapien Pty Ltd
Privacy email: privacy@emosapien.com

If required under local law, Emosapien Pty Ltd may also appoint a Data Protection Officer (DPO) or local representative. You can contact them using the email above or any additional details we publish from time to time.

2. Scope of this Emosapien Privacy Policy

This Privacy Policy applies when:

  • mental health professionals (for example psychologists, therapists, counselors, psychiatrists, social workers) and their organizations (“Practitioners” or “Customers”) create and use Emosapien accounts
  • clinics and organizations deploy Emosapien across their teams
  • clients or patients (“Clients”) use any client-facing features such as progress tracking, exercises, messaging, or check-ins that are connected to their Practitioner’s Emosapien account
  • anyone visits our websites, marketing pages, or support portals

This Privacy Policy does not replace any privacy notices, consent forms, or informed consent documents used by your Practitioner. Their own privacy documentation governs how they use your data in their practice and may refer to Emosapien as a third-party tool or service provider.

3. Key roles and responsibilities

Depending on the relationship:

  • For Practitioners and organizations using Emosapien in their practice, Emosapien Pty Ltd generally acts as:
    • a data processor under the GDPR and UK GDPR
    • a service provider under the CCPA/CPRA
    • a business associate under HIPAA, where applicable
  • The Practitioner, clinic, or organization is usually the data controller, covered entity, or equivalent, and is responsible for:
    • determining the purposes and means of processing Client data
    • ensuring there is a valid legal basis and appropriate consent where required

We process Client data on behalf of our Customers in accordance with our contracts, including any Business Associate Agreement (BAA) or Data Processing Agreement (DPA).

4. Information we collect

The information we collect depends on how you use the Services and which features a Practitioner or organization enables.

4.1 Practitioner and organization information

For Practitioners, practice managers, administrators, and other staff, we may collect:

  • Identification details: name, surname, job title
  • Contact details: email address, phone number, communication preferences
  • Account details: username, hashed passwords, authentication tokens, security settings
  • Professional details: credentials, license or registration numbers, organization name, department, role
  • Billing and subscription details: billing contact, billing email, tax or VAT numbers, payment-related information (payment card details are typically processed by our payment providers and not stored in full by us)

4.2 Client and patient information

Because the Services support mental health care, Client information can include sensitive personal and health data. The specific data collected depends on how the Practitioner uses the platform and what they enter or upload. This may include:

  • Identification and contact details: name or initials, date of birth, contact information, gender, preferred language, and similar details, where provided by the Practitioner
  • Clinical and therapy-related information, such as:
    • session notes and progress notes
    • treatment plans, goals, and care pathways
    • diagnoses, clinical impressions, and outcome measures
    • responses to questionnaires, assessments, screening tools, or checklists
  • Session-related data:
    • information derived from audio, video, or chat sessions (for example transcripts, summaries, key themes)
    • session date, time, and duration
    • details of interventions used, exercises assigned, and goals reviewed
  • Engagement and between-session interactions:
    • responses to check-ins, mood tracking, journaling, or self-report entries
    • completion of tasks, exercises, psychoeducation modules, or resources shared by the Practitioner
    • limited communication data where in-app messaging or similar features are enabled

We treat Client data as highly confidential and, where applicable, as health information, protected health information (PHI), or another special category of personal data under relevant privacy laws.

4.3 Content and files you provide

Users may upload or create content within the Services, for example:

  • templates, reference materials, and forms
  • practice policies and scripts
  • files or attachments forming part of a client record, as allowed by the Practitioner’s configuration

4.4 Technical, usage, and device information

When you use the Services, we automatically collect certain technical and usage information, such as:

  • IP address and general location (for example country or city)
  • device type, operating system, browser type and version
  • log data such as pages visited, actions taken, timestamps, feature usage, and error logs
  • identifiers such as cookies, SDK identifiers, and similar technologies

We generally use this information to secure, operate, and improve the Services and often aggregate or de-identify it where possible.

4.5 Information from integrations and third parties

If you or your organization connect Emosapien to other tools, we may receive data from:

  • calendar systems, telehealth platforms, electronic health records, practice management tools, and similar systems, as authorized by you or your organization
  • identity providers for single sign-on
  • customer support and communication platforms
  • payment processors and billing systems

The scope of data we receive from third-party integrations depends on the integration and your configuration.

5. How we collect information

We collect information:

  • directly from you when you create an account, update your profile, respond to surveys, use features within the Services, or contact us
  • from Practitioners and organizations when they add Client information, upload documents, or configure features for their practice
  • automatically through cookies and similar technologies when you browse our websites or use our apps
  • via integrations when you authorize Emosapien to access or sync data from another service
  • from partners or public sources in limited cases, for example to verify professional details or maintain up-to-date business contact information

6. Legal bases for processing

Where the GDPR or similar laws apply, we rely on one or more of the following legal bases for processing personal data:

  • Performance of a contract: to provide and operate the Services under our agreement with you or your organization
  • Consent: for specific activities such as certain marketing communications, optional features (for example recording or transcribing sessions), and some uses of de-identified data for product improvement
  • Legitimate interests: for purposes such as securing the Services, preventing fraud, measuring and improving usage, and developing new features, provided these interests are not overridden by your rights and freedoms
  • Legal obligations: to comply with applicable laws, regulations, and reporting requirements
  • Vital interests: in rare emergency situations where processing is necessary to help protect life or prevent serious harm

When we process Client data on behalf of a Practitioner, the Practitioner is responsible for ensuring there is a valid legal basis under applicable law for processing their clients’ data.

7. How we use information

We use personal information for the following purposes.

7.1 To provide and maintain the Services

For example:

  • creating and managing user accounts
  • delivering features for documentation, analysis, and client engagement
  • enabling integrations with other systems as configured by you or your organization
  • providing customer support, troubleshooting, and responding to inquiries

7.2 To support clinical documentation and decision making

We process session-related data to:

  • generate structured or semi-structured therapy notes
  • summarize previous sessions for Practitioners
  • track progress toward goals over time
  • provide insights and visualizations that support clinical judgment (not replace it)

Practitioners remain responsible for their clinical decisions and the accuracy of their documentation.

7.3 To improve and develop our products

We use aggregated, de-identified, or pseudonymized information to:

  • understand how features are used and where users encounter friction
  • test and refine algorithms, including AI-powered suggestions
  • develop new features, workflows, and integrations
  • conduct analytics to improve performance, reliability, and usability

If we wish to use de-identified data in a way that goes beyond core service delivery and standard product analytics, we seek appropriate consent or provide clear opt-out mechanisms where required.

7.4 To ensure security and prevent abuse

We use certain information to:

  • monitor and secure accounts, systems, and networks
  • detect, investigate, and prevent fraud, abuse, or criminal activity
  • enforce our Terms of Service or other agreements

7.5 To communicate with you

We use your contact details to:

  • send transactional messages such as account and security alerts, service notifications, and billing information
  • respond to support requests, feedback, and inquiries
  • send product updates and marketing communications where allowed by law and subject to your preferences

You can usually unsubscribe from non-essential marketing communications at any time by following the instructions in the message or contacting us.

7.6 To comply with law and manage risk

We may use personal information as needed to:

  • comply with applicable laws and regulatory obligations
  • manage and resolve disputes
  • enforce our contractual rights or defend legal claims

8. How we use AI and automated processing

Emosapien uses machine learning and AI models to assist Practitioners with documentation, analysis, and engagement features. This may involve processing text, metadata, and other information through AI models operated by Emosapien Pty Ltd or carefully selected third-party providers.

We design this processing so that:

  • only the minimum necessary information is sent to AI models
  • data is protected in transit and at rest using appropriate technical and organizational measures
  • third-party AI providers are contractually restricted from using Emosapien data to train their general models or for their own independent purposes
  • any optional use of de-identified or aggregated data for improving our AI models or features is clearly explained and subject to appropriate consent or opt-out where required

We do not use Client session data to train publicly available foundation models, and we do not sell your session data.

9. How we share information

We do not sell or rent your personal information. We share it only in limited circumstances.

9.1 With Practitioners and organizations

For Clients, your Practitioner and their organization manage and control access to your record within Emosapien. We share your information with them and, where they configure it, with authorized members of their team (for example supervisors or administrative staff) to provide the Services.

9.2 With service providers and subprocessors

We work with trusted third-party service providers that perform services on our behalf, such as:

  • cloud hosting and infrastructure
  • AI processing and transcription services
  • email and notification services
  • customer support and helpdesk platforms
  • analytics and error monitoring tools
  • payment and billing providers

These service providers may only process personal information according to our instructions and are bound by confidentiality and data protection obligations.

9.3 For legal, safety, and security reasons

We may disclose information if we reasonably believe it is necessary to:

  • comply with a law, regulation, legal process, or enforceable governmental request
  • protect our rights, property, or safety, or that of our users or the public
  • investigate and help prevent security incidents, fraud, or abuse
  • respond to an emergency where we believe disclosure is necessary to help prevent death or serious bodily harm

9.4 Business transfers

If Emosapien Pty Ltd is involved in a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of the transaction, subject to continued protections consistent with this Privacy Policy.

9.5 Aggregated or de-identified information

We may share aggregated or de-identified information that does not identify an individual, for purposes such as research, analytics, and product development.

10. International data transfers

Emosapien Pty Ltd may store and process information on servers located in various countries. As a result, your personal information may be transferred outside the country where you live.

Where required by law, we implement appropriate safeguards for international transfers, such as:

  • transferring to countries recognized as providing an adequate level of data protection
  • using standard contractual clauses or other approved legal mechanisms

For Australian users, we take reasonable steps to ensure that overseas recipients do not breach the Australian Privacy Principles in relation to your personal information.

11. Data retention

We retain personal information only for as long as necessary to:

  • provide the Services
  • fulfill the purposes described in this Privacy Policy
  • comply with legal, regulatory, or professional obligations
  • resolve disputes and enforce our agreements

For Client data, we typically follow the instructions of the Practitioner or organization that controls the account, subject to any minimum retention periods that apply in their jurisdiction or profession.

Practitioners can usually delete Client data from within the platform. Certain technical logs and backups may be retained for limited periods and then deleted or irreversibly de-identified.

12. Cookies and similar technologies

We use cookies and similar technologies on our websites and apps to:

  • keep you signed in and maintain session security
  • remember your preferences
  • analyze usage patterns and improve the Services
  • support limited marketing and outreach activities, where permitted

You can control cookies through your browser or device settings. Some features of the Services may not function properly if you disable certain cookies. Where required, we provide a cookie banner or preference tool that allows you to manage non-essential cookies.

13. Your rights and choices

Your rights depend on where you live and which laws apply. Subject to local laws and certain exceptions, you may have some or all of the rights described below.

13.1 If you are a Client

Because your Practitioner or organization generally controls your Client record, you should usually contact them first to exercise your rights. We will support them, as their processor or business associate, in handling your request.

13.2 EU, EEA, and UK residents

Under the GDPR and UK GDPR, you may have the right to:

  • access your personal data
  • request correction of inaccurate or incomplete data
  • request deletion in certain circumstances
  • restrict processing in specific situations
  • object to processing based on legitimate interests or to direct marketing
  • receive your data in a portable format where technically feasible
  • withdraw consent at any time, where processing is based on consent
  • lodge a complaint with a data protection authority

13.3 Australian residents

Under the Australian Privacy Act and APPs, you may have the right to:

  • request access to the personal information we hold about you
  • request correction if you believe the information is inaccurate, out of date, incomplete, irrelevant, or misleading
  • complain to us and, if not resolved, to the Office of the Australian Information Commissioner

13.4 United States residents (including California)

Depending on your state of residence, you may have rights such as:

  • requesting information about the categories and specific pieces of personal information collected, used, disclosed, or sold
  • requesting deletion of certain personal information
  • opting out of the sale or sharing of personal information (we do not sell or rent personal information in the conventional sense)
  • being free from discrimination for exercising your privacy rights

For information covered by HIPAA, your rights are generally set out in the privacy notice provided by your healthcare provider or covered entity.

13.5 Exercising your rights

To exercise your rights:

  • Clients should usually contact their Practitioner or the organization providing their care
  • Practitioners and other users can contact us at privacy@emosapien.com

We may need to verify your identity and, for Client-related requests, confirm with the relevant Practitioner before we can act.

14. Children’s privacy

The Services are designed to be used by Practitioners and organizations. Emosapien is not intended for unsupervised use by children.

We only process children’s information as part of a Practitioner’s use of the platform, under that Practitioner’s responsibility and in accordance with applicable child privacy and consent laws. If you believe we have collected personal information from a child inappropriately, please contact us so we can take appropriate steps.

15. Security

We take the security of personal information seriously and implement technical and organizational measures designed to protect it from unauthorized access, use, alteration, or disclosure. These measures may include:

  • encryption in transit and at rest where appropriate
  • strict access controls and authentication mechanisms
  • network and application security controls
  • audit logs and monitoring for suspicious activity
  • regular security updates and vulnerability management
  • staff training and confidentiality obligations

No system can be completely secure. If we become aware of a data incident that affects your personal information, we will investigate and take steps to mitigate harm and, where required, notify affected users and regulators.

16. Relationship to other agreements

This Privacy Policy works together with:

  • any Terms of Service or other agreements you accept when using the Services
  • any Business Associate Agreement (BAA), Data Processing Agreement (DPA), or similar contract we sign with Practitioners, clinics, or organizations
  • any privacy notices or consent forms provided by your Practitioner or organization

If there is a conflict between this Privacy Policy and a specific BAA, DPA, or other written agreement with a Customer, that agreement will usually prevail to the extent permitted by law.

17. Changes to this Emosapien Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or privacy practices. When we make material changes, we will update the “Effective date” at the top and, where appropriate, provide additional notice, for example by email to account holders or by displaying a notice within the Services.

We encourage you to review this Privacy Policy periodically.

18. How to contact us

If you have questions, concerns, or requests about this Emosapien Privacy Policy or our handling of personal information, you can contact us at:

Emosapien Pty Ltd
Email: privacy@emosapien.com