Privacy Policy

Healing professionals, group practices and organizations

Effective October 23, 2024

Upheal Inc., a Delaware corporation, https://upheal.io,  (‘Upheal’, “us”) informs you that your personal data will be processed in the ways specified below. This Privacy Policy applies to the collection and processing of personal information when using Upheal (the ‘Platform’) under a healing professional, group practice and/or organization profile. For how Upheal processes personal information of users receiving services from healing professionals or group practices, please see our Client Privacy Policy.

What personal data do we process?

We will use your: 

Data category
Data items
Identification data
Your name
Last name
Email address
Phone number
IP Address
Google ID and user data
Personal details
Your language
Educational and professional data
Your qualification
Role
Place of work
Therapy license
National Provider Identifier (if applicable)
Recording
Audio and video of your sessions with clients
Financial data (in case of sole practitioner)
Your bank details
VAT number
Fiscal code

We also collect your usage data on the Platform including your session date and time, log data, clicks, error logging and feature usage including but not limited to your note customization, generation inputs or preferences. However this is aggregated data and does not personally identify you.

Why do we use your data?

Personal data is used on our website for the following purposes:

Purpose
Data category
Legal basis
Are you obliged to provide the data?
How long do you hold your data?
Performance of the contract
Identifying data,
educational and professional data
The performance of the contract
Yes. Failure to provide such data will result in the inability for Upheal to manage the contractual relationship
Duration of the contract
Provision of the service, which includes: creating your account, conducting a session with your client, creating transcripts and insights of the session, storing the record of the session (optional)
Identifying data,
personal details,
educational and professional data, usage data
The performance of the contract
Yes. Failure to provide such data will result in the inability for Upheal to provide you with the service
Duration of the contract
Provision of the service 
Audio and video recording
The performance of the contract
Yes. Failure to provide such data will result in the inability for Upheal to provide you with the service
Duration of the contract
Storage of audio and video recording
Recording data
Your consent which you will express by starting the video recording
No. It is always optional to provide consent for the storage of the audio and video recording
If you decide to store the recording, then it will be kept until you delete it or at the termination of the contract
Security of the system
Identifying data, usage data
The legitimate interest of Upheal in keeping the systems secure
Data is automatically collected when you use the Platform.
No more than 6 months
Customer support and investigation
Identifying data, usage data, recording
The performance of the contract
No. You can always opt-out of sharing access to  session details for customer support and investigation. However, disallowing access means your reported product issue may not be resolved.
Duration of the investigation
Product improvement
Usage data
The legitimate interest of Upheal to improve your experience
Data is automatically collected when you use the Platform.
Duration of the contract
Calendar connection
Identifying data
Your consent which you will express by linking Google Calendar to your profile
No. However, without allowing this data to be shared you cannot use our calendar feature.
Duration of the contract

Who can we communicate your data to?

Your data will be communicated to:

  • the hosting providers, suppliers of IT services and application software, who are our data processors; 
  • providers for our integrations, including Nylas Inc., who facilitate our connection to Google Calendar;
  • public or private bodies to whom we are obliged by the law to disclose the data

Disclosure of your data to approved service providers is governed by a data protection agreement including appropriate security safeguards.

To receive more information about our providers please contact us at support@upheal.io

Disclosure for Law Enforcement: Upheal will disclose your personal data outside the scope of these provisions only as required to do so by law or compelled by court, government or administrative agency of competent jurisdiction. Your personal data may be subject to federal and local laws that require Upheal to disclose this data in certain circumstances.

We do not sell any collected data to third parties.

Where is your data processed?

If you use our services from the EU, Switzerland or the UK, we inform you that your data is transferred to our suppliers outside the European Economic Area and the UK, in particular in the U.S. 

In this case, we inform you that the data transfer will take place only in the presence of adequate safeguards provided for by the applicable law. In particular, for transfers from the EU and the UK, where an Adequacy Decision is not applicable, we rely on the Standard Contractual Clauses provided by the European Commission (art. 46 GDPR). For further information about the data transfer you can contact us at the email address indicated below.

How is your data secured?

Our goal is to protect your personal information by implementing both technical and organizational security measures. These measures are designed to prevent unauthorized or unlawful handling of your data, as well as any accidental or unauthorized access, use, transfer, processing, copying, transmission, alteration, loss, or damage.

How do we support you in dealing with data subject rights?

We inform you that you have the right to access and request amendment to your data.

You can obtain the erasure of your personal data under certain circumstances. You also have the right to restrict the processing of your personal data.

You can withdraw your consent at any time. 

Moreover, you can receive a copy of your personal data or ask Upheal to transmit that data to another controller, where technically feasible. 

On grounds relating to your particular situation, you can object to the processing of your personal data used for the legitimate interest of the controller.

You can lodge a complaint with the supervisory authority of your State or territory in case you think that your rights have been breached or you have concerns about our privacy practices.

If you wish to exercise one of these rights, you can contact us at legal@upheal.io

HIPAA Compliance

To know more about how we comply with HIPAA, click here.

Additional information for information collected through our Google integration and Google APIs

Upheal enables you to connect your client appointments to your Google Calendar for easy scheduling. To provide this connection, we obtain, process and store a copy of the Google user data contained in your Google account including your Gmail and Google Calendar (Google User Data). Before allowing access to this data, you will be notified what access is granted and to what data types. This data is referred to as data under your Google ID. Restrictions apply to this use of this data include:

  • We will use your Google User Data only to provide user-facing features of the services that are prominent in the services’ user interface.
  • We will only transfer your Google User Data to unaffiliated third parties (a) if necessary to provide or improve user-facing features that are prominent in the services’ user interface, (b) as necessary to comply with applicable law or (c) as part of a merger, acquisition or sale of assets with notice to you. 
  • We will not use or transfer your Google User Data for serving ads, including retargeting, personalized or interest-based advertising.
  • We will not allow humans to read your Google User Data unless we have first obtained your affirmative agreement for specific messages; it is necessary for security purposes (such as investigating a bug or abuse); it is necessary to comply with applicable law; or our use is limited to internal operations and the data (including derivations) have been aggregated and de-identified.

Our use and transfer to any other application of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.