Privacy Policy
1. Overview
Therapyy ("Therapyy", "we", "us", or "our") operates the Therapyy platform, accessible at therapyy.in and through our mobile applications (collectively, the "Platform").
This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information — including sensitive personal health data — when you access or use the Platform. It also explains the rights you have over your data under applicable Indian law, including the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and applicable healthcare data frameworks.
By registering for or using the Platform, you confirm that you have read, understood, and agree to this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.
2. Data We Collect
We collect information in three ways: information you provide directly, information collected automatically when you use the Platform, and information we receive from third parties.
2.1 Information You Provide
- Account & Identity: Full name, email address, mobile phone number, profile photograph, date of birth, and gender.
- Parent-specific: Relationship to child, emergency contact details, and communication preferences.
- Child Profile (GrowthVault): Child's name, date of birth, gender, diagnosis or developmental concerns, therapy history, school details, and any documents you upload (medical reports, assessments, IEPs).
- Therapist & Professional Profile: RCI registration number and certificate, academic qualifications, degree certificates, Aadhaar card (last 4 digits only for verification), PAN card details, professional photograph (selfie), work history, therapy disciplines, fees, and availability.
- Health & Therapy Data: Session notes written by therapists, therapy goals and progress records, assessment scores, milestone tracking, prescriptions, and clinical reports — all stored in GrowthVault.
- Payment Information: Billing address, UPI ID or bank account details for therapist payouts. Full card numbers are never stored by Therapyy — all card processing is handled by Razorpay's PCI-DSS compliant infrastructure.
- Communications: Messages exchanged through our in-app chat, support tickets, and any feedback or reviews you submit.
2.2 Information Collected Automatically
- Device & Technical: IP address, device type, operating system, browser type and version, unique device identifiers, and mobile network information.
- Usage Data: Pages viewed, features used, search queries within the Platform, session duration, click patterns, and referring URLs.
- Location: Approximate location derived from IP address. We do not collect precise GPS location unless you explicitly grant permission for finding nearby therapists.
- Log Data: Server logs recording access times, error logs, and API request metadata for security and debugging purposes.
2.3 Information from Third Parties
- Google Sign-In: If you authenticate via Google OAuth, we receive your name, email address, and profile picture from Google. We do not receive your Google password.
- RCI Verification: We may cross-reference therapist registration details with the Rehabilitation Council of India (RCI) database to confirm credentials.
- Payment Processors: Razorpay may share payment status, transaction IDs, and risk signals with us to enable wallet credits and payouts.
3. Children's Privacy
We treat all child-related data — including names, dates of birth, diagnoses, therapy records, and developmental progress — as Sensitive Personal Data or Information (SPDI) under the SPDI Rules and as Personal Data of Minors under the DPDPA.
3.1 Parental Consent
By creating a child profile on the Platform, the parent or guardian affirms that they are the legal guardian of the child and that they consent to the collection, use, and disclosure of the child's information as described in this policy. We do not knowingly collect data directly from children.
3.2 Access Control
Parents control who can access their child's GrowthVault records. Access can be granted to or revoked from specific therapists, supervisors, doctors, or schools at any time through the Platform. Therapists can only access records for children currently assigned to them with explicit parental consent.
3.3 Data Minimisation for Children
We collect only the minimum information necessary to provide the therapeutic services requested. We do not use a child's health data for advertising, profiling, or any purpose other than delivering clinical and educational services on the Platform.
4. How We Use Your Data
We use the information we collect for the following purposes, each grounded in a lawful basis:
4.1 Service Delivery
- Creating and maintaining your account and authenticating your identity.
- Matching children with suitable therapists based on specialty, location, availability, and therapy goals.
- Facilitating session bookings, rescheduling, and cancellations.
- Enabling in-app video consultations, voice calls, and text chat through Twilio.
- Processing payments, releasing therapist payouts via Razorpay escrow, and managing your wallet balance.
- Storing, organising, and displaying GrowthVault records — session notes, progress tracking, and AI-generated summaries.
4.2 Verification & Safety
- Verifying therapist credentials including RCI registration, degrees, and identity documents (Aadhaar, PAN).
- Running our PII Shield system, which automatically detects and blocks phone numbers, email addresses, and other personal contact information shared in chat to protect both parties.
- Detecting, investigating, and preventing fraudulent transactions, abuse, and policy violations.
4.3 Platform Improvement
- Analysing usage patterns to improve the reliability, performance, and features of the Platform.
- Training and fine-tuning AI models that generate developmental insight summaries in GrowthVault — using anonymised and aggregated data only, never identifiable child health records.
- Conducting internal research and analytics to understand how therapy outcomes correlate with platform usage.
4.4 Communications
- Sending transactional messages: booking confirmations, payment receipts, session reminders, and credential verification updates.
- Notifying you of material changes to this Privacy Policy, Terms of Service, or Platform features.
- Responding to support requests and resolving complaints.
- Sending platform updates and feature announcements (you may opt out of non-transactional communications at any time).
4.5 Legal Compliance
- Complying with applicable laws, regulations, court orders, and government requests.
- Enforcing our Terms of Service and other agreements.
- Maintaining records required under the Information Technology Act, 2000 and applicable tax laws.
5. Sharing & Disclosure
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We share data only as described below.
5.1 Within the Platform
- Between Parents and Therapists: When a parent books a session with a therapist, the therapist receives the child's name, relevant diagnosis information, and session notes relevant to that engagement. Therapists do not receive a parent's full contact details — contact occurs through in-platform messaging.
- Supervisors and Clinical Reviewers: Assigned supervisors may access session notes and progress data of therapists they supervise to ensure clinical quality. Supervisors are bound by the same confidentiality standards as therapists.
- Centre Owners: If a therapist is affiliated with a therapy centre on the Platform, the centre owner may access that therapist's session and booking records for operational purposes.
5.2 Service Providers (Data Processors)
We engage trusted third-party service providers who process data strictly on our behalf and under our instructions, bound by data processing agreements:
- Razorpay Financial Solutions Pvt. Ltd. — Payment processing, escrow, and payout services. Razorpay is PCI-DSS Level 1 certified. View their privacy policy at razorpay.com/privacy.
- Twilio Inc. — In-platform video, voice, and chat communications. Session content is encrypted in transit. Twilio does not retain session recordings unless explicitly enabled by us (currently disabled). View their privacy policy at twilio.com/legal/privacy.
- OpenAI LLC — AI-powered summarisation of GrowthVault records. Data sent to OpenAI is anonymised and does not include any directly identifiable child or parent information. We do not use OpenAI's API in a way that allows OpenAI to use our data for model training.
- MongoDB Atlas / PostgreSQL (Railway) — Database hosting. Data is stored in encrypted databases in compliance with our security standards.
- Vercel Inc. — Frontend hosting and global content delivery. Vercel processes request logs that may include IP addresses.
- Redis (Upstash) — Session management and short-lived token storage. Data stored in Redis has short TTLs and is not persisted long-term.
5.3 Legal & Safety Disclosures
We may disclose your data without notice if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation or valid government/judicial order; (b) protect the rights, property, or safety of Therapyy, our users, or the public; (c) detect and prevent fraud, security incidents, or criminal activity; or (d) enforce our Terms of Service.
5.4 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all assets, your data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on the Platform at least 30 days prior to any such transfer, and you will have the right to delete your account before the transfer takes effect.
6. Data Security
We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS/SSL).
- Encryption at Rest: Sensitive personal data — including health records, identity documents, and payment information — is encrypted at rest using AES-256 encryption.
- Access Controls: Platform data is access-controlled on a strict need-to-know basis. Employees and contractors can only access personal data relevant to their job function.
- Authentication: We enforce phone OTP-based authentication and support Google Sign-In with OAuth 2.0. Admin access requires a separate hardened login process.
- PII Shield: An automated system scans in-platform chat messages to detect and redact phone numbers, email addresses, and other identifying contact information before they are displayed to any party.
- Monitoring & Auditing: Our systems log all access to sensitive health records with timestamps and user identifiers. These audit logs are retained for 12 months.
- Vulnerability Management: We conduct periodic security reviews and respond to disclosed vulnerabilities within 72 hours of confirmed severity.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Platform's services. The following specific retention periods apply:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account & identity data | Duration of account + 3 years post-deletion | Legal compliance, dispute resolution |
| Child health & therapy records (GrowthVault) | Duration of account + 7 years post-deletion | Healthcare record-keeping obligations |
| Payment transaction records | 8 years from transaction date | GST Act, Income Tax Act requirements |
| Session logs & audit trails | 12 months | Security monitoring |
| In-app chat messages | 3 years | Dispute resolution, clinical reference |
| OTP & login tokens (Redis) | 5 minutes (auto-expired) | Short-lived authentication only |
| KYC / identity documents (therapists) | Duration of active profile + 5 years | RBI and regulatory requirements |
| Usage & analytics data (anonymised) | Indefinite (non-identifiable) | Platform improvement |
When you delete your account, we initiate a deletion process within 30 days. Some data may be retained beyond this period where required by law, to resolve outstanding disputes, or to prevent fraud, subject to the periods above.
8. Your Rights
Under the Digital Personal Data Protection Act, 2023 (DPDPA) and the IT (SPDI) Rules, 2011, you have the following rights with respect to your personal data. To exercise any right, contact us at privacy@therapyy.in. We will respond within 30 days.
- Right to Access: You may request a copy of all personal data we hold about you and your child, including GrowthVault records. We will provide this in a structured, machine-readable format.
- Right to Correction: You may request correction of inaccurate or incomplete personal data at any time through your account settings or by contacting us.
- Right to Erasure (Right to be Forgotten): You may request deletion of your account and personal data. We will honour this request subject to our legal retention obligations outlined in Section 7.
- Right to Data Portability: You may request a portable export of your GrowthVault data (session notes, progress records) in a standard format (JSON or PDF) to transfer to another provider.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to Restrict Processing: You may request that we restrict processing of your data in certain circumstances, such as while a correction request is pending.
- Right to Nominate: Under the DPDPA, you may nominate another individual to exercise your rights on your behalf in the event of death or incapacity.
- Right to Grievance Redressal: You have the right to file a complaint with our Grievance Officer (see Section 12). If unresolved, you may escalate to the Data Protection Board of India.
9. Cookies & Tracking
We use cookies and similar tracking technologies to operate and improve the Platform. The following categories of cookies are used:
9.1 Strictly Necessary Cookies
These cookies are essential for the Platform to function. They include session authentication tokens (stored as HTTP-only, Secure, SameSite=Strict cookies) and CSRF protection tokens. These cannot be disabled.
9.2 Functional Cookies
These cookies remember your preferences (such as language or timezone) to provide a personalised experience. They expire within 30 days of your last session.
9.3 Analytics Cookies
We use privacy-preserving analytics to understand how users interact with the Platform — such as which features are used most frequently. We do not use third-party advertising networks or cross-site tracking cookies. Analytics data is aggregated and not tied to your personal identity.
9.4 Managing Cookies
You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in. Disabling functional or analytics cookies will not affect your ability to use core features. Refer to your browser's documentation for instructions on managing cookies.
10. Third-Party Services
The Platform integrates with the following third-party services. Each service operates under its own privacy policy, which governs its handling of any data it receives:
Razorpay
Purpose: Payment processing, escrow, and therapist payouts
Data shared: Payment method details, transaction amounts, billing address
Twilio
Purpose: In-platform video consultations, voice calls, and text chat
Data shared: Media streams (audio/video/text) during sessions; Twilio does not retain this data after session end
OpenAI
Purpose: AI-generated developmental summaries in GrowthVault
Data shared: Anonymised session notes (no child name, DOB, or identifiers)
Google (OAuth)
Purpose: Sign-in authentication via Google account
Data shared: Name, email address, and profile photo from your Google account
Vercel
Purpose: Web hosting and content delivery
Data shared: IP address, request logs (retained per Vercel's policy)
We do not embed third-party advertising SDKs, social media tracking pixels, or any cross-site tracking technologies in the Platform.
11. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Send a notification to your registered email address at least 14 days before the change takes effect.
- Display a prominent notice within the Platform upon your next login.
Minor or non-material changes (such as clarifications, typographical corrections, or changes required by law with immediate effect) may be made without prior notice, though we will update the effective date. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated policy.
Previous versions of this Privacy Policy are available on request at privacy@therapyy.in.
12. Grievance Officer
In accordance with Rule 5(9) of the SPDI Rules and Section 13 of the Digital Personal Data Protection Act, 2023, we have designated a Grievance Officer to address your privacy-related concerns:
Grievance Officer
Therapyy Privacy Team
If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India once it is constituted and operational under the DPDPA, 2023.
© 2025 Therapyy. All rights reserved.