PRIVACY POLICY
Mr. Psyc (operated by its parent entity), hereinafter referred to as “Mr. Psyc”, “Company”, “We”, “Us” or “Our”, formulates and publishes this Privacy Policy in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT Rules”), and in alignment with globally recognized health-data protection frameworks including HIPAA principles and international tele-counselling and psychiatric confidentiality standards. This Privacy Policy constitutes a legally binding document governing the manner in which the Company collects, receives, stores, records, processes, uses, transmits, transfers, protects, and disposes of Personal Data and Sensitive Personal Data of Users who access or utilize any services, products, programs, interfaces, tele-counselling sessions, psychiatric consultations, digital screening tools, membership plans, enterprise wellness solutions, learning management systems, mobile applications, or any associated functionalities provided by the Company. This Policy applies universally and without exception to all Users, including but not limited to individual clients, institutional clients, counsellors, psychologists, psychiatrists, trainees, administrators, and any other person or entity engaging with the platform. The User acknowledges that mental-health data constitutes a category of highly sensitive personal information requiring heightened legal and ethical safeguards, and by accessing or using the services of Mr. Psyc, the User expressly agrees that such information may be lawfully processed strictly in accordance with the terms of this Policy and applicable law. 
Users unwilling to provide the necessary consents described herein are advised to discontinue usage of the services forthwith, as continued use constitutes acceptance of all legal obligations and processing activities enumerated in this document.
1. PURPOSE AND GOVERNING INTENT
The primary purpose of this Privacy Policy is to establish a transparent, authoritative, and enforceable framework governing the processing of Personal Data and Sensitive Personal Data by the Company. The Company recognizes that Users accessing mental-health services share information of an intimate, confidential, and clinically sensitive nature. Accordingly, the Company adopts a heightened standard of confidentiality equivalent to global healthcare privacy norms. This Policy is intended to inform Users of:
- the categories of data lawfully collected by the Company;
- the legal bases for collection under applicable statutes;
- the permitted uses of such data;
- the conditions under which data may be retained, transferred, disclosed, or erased;
- the rights available to Users under the DPDP Act and cognate laws;
- the Company’s security obligations and technical safeguards; and
- the circumstances in which confidentiality may be ethically or legally breached (e.g., imminent harm, emergencies, court orders).
2. LEGAL AUTHORITY AND COMPLIANCE OBLIGATION
The Company acknowledges its role as a “Data Fiduciary” under the DPDP Act and affirms its obligations to process User data only for lawful purposes, in a fair, transparent, and reasonable manner, and strictly in accordance with consent granted by the User or otherwise permitted by law. The Company further undertakes to store and safeguard mental-health information in accordance with IT Rules 2011 and internationally accepted healthcare privacy norms. Wherever the Company engages third-party processors, service providers, cloud storage partners, AI-based nurturing tools, tele-counselling software, or LMS vendors, such entities shall be bound through contractual agreements requiring adherence to equivalent or higher privacy standards, ensuring that User data is never misappropriated, sold, shared, or used for any purpose beyond the scope of lawful processing.
3. CONSENT AND LAWFUL BASIS FOR PROCESSING
3.1 Explicit Consent Requirement
Given the sensitive nature of mental-health data, the Company shall collect and process such information only upon receiving explicit, informed, and verifiable consent from the User. Consent may be obtained electronically, digitally, through platform prompts, checkboxes, OTP verification, or written acknowledgement. Once granted, consent shall remain valid until withdrawn by the User in accordance with applicable law. Withdrawal of consent shall not invalidate processing lawfully conducted prior to withdrawal nor shall it affect Company’s legitimate obligations pertaining to record-keeping, compliance, safety, or contractual fulfilment.
3.2 Processing for Performance of Contract
Where the User has booked appointments, subscribed to programs, enrolled in LMS courses, or entered into corporate/institutional agreements, such processing is necessary for performance of contractual obligations.
3.3 Legitimate Interests of the Company
The Company reserves the right to process certain data for legitimate interests such as fraud detection, service improvement, analytics (anonymized), system integrity, monitoring platform misuse, ensuring clinical safety, verifying therapist authenticity, and preventing abuse of mental-health resources.
3.4 Legal Compliance
The Company may process or disclose User information when required under law, court order, statutory mandate, regulatory directive, or professional ethical obligation, especially in circumstances involving imminent risk to the User or others.
4. CATEGORIES OF DATA COLLECTED (DETAILED LEGAL DESCRIPTION)
In the course of providing mental-health services, the Company may lawfully collect the following categories of data from Users. These categories are elaborated with legal precision to ensure transparency and compliance.
4.1 Personal Identification Data
This includes any information that directly identifies a User, such as name, age, date of birth, gender, contact number, email address, postal address, geographical location, and emergency contact details. Provision of such data is essential for authentication, appointment management, and communication purposes.
4.2 Sensitive Personal Data (Mental-Health Data)
The Company collects substantial sensitive data, which may include, but is not restricted to:
- psychological assessments,
- mental-health screening results,
- information relating to emotional distress, trauma, abuse, or crisis,
- depressive symptoms, anxiety levels, suicidal ideation disclosures,
- psychiatric diagnosis and medication details (where applicable),
- therapeutic notes recorded by counsellors or psychiatrists,
- chat logs, written disclosures, reflective exercises,
- audio/video session metadata,
- behavioural tracking data from nurturing programs,
- risk classification and intervention notes,
- lifestyle, sleep, stress or addiction-related information.
4.3 Technical and Log Data
This includes IP addresses, device identifiers, browser types, system logs, login timestamps, session durations, platform usage statistics, and other metadata automatically collected for security, fraud prevention, and platform optimization.
4.4 Payment and Financial Data
Collected exclusively through secure third-party payment gateways. The Company itself does not store full card numbers, CVV, or banking credentials. Only transaction IDs, timestamps, payment method indicators, and billing confirmations may be retained.
4.5 Institutional and LMS Data
Information provided by corporate clients, schools, universities, counsellor trainees, or institutional representatives, which may include:
- aggregated wellbeing data (anonymized unless expressly disclosed),
- attendance records,
- training progress data,
- evaluation scores,
- certification credentials.
5. PURPOSE OF PROCESSING DATA – DETAILED LEGAL JUSTIFICATION
The Company shall process User data solely for legitimate, lawful, and necessary purposes, including the following:
5.1 Provision of Mental-Health Services
To deliver counselling, psychotherapy, psychiatric consultations, follow-up sessions, emergency interventions, or any form of professional mental-health support.
5.2 Screening, Assessment, and Triage
To analyze User responses, compute risk levels, determine severity, and assign Users to appropriate counsellors or psychiatric professionals.
5.3 Behavioural Nurturing and Support Programs
To provide personalized wellness messages, habit-building reminders, emotional guidance, reflective exercises, behavioural suggestions, and structured long-term follow-up support.
5.4 Administrative and Operational Requirements
Including scheduling appointments, maintaining records, enabling customer support, verifying therapist credentials, issuing receipts, and managing subscriptions.
5.5 Safety, Crisis and Risk Prevention
To respond appropriately in situations indicating risk of self-harm, harm to others, medical emergency, or legal obligation to notify authorities.
5.6 System Security and Fraud Prevention
To ensure platform integrity, detect suspicious activity, prevent impersonation, block fraudulent accounts, and prevent misuse of mental-health services.
5.7 Analytics, Research and Quality Improvement
The Company may conduct internal research using anonymized data to enhance service quality, training modules, and operational efficiency. No identifiable data shall be used without explicit consent.
5.8 Legal, Regulatory and Ethical Compliance
To fulfill obligations arising from telemedicine guidelines, psychological practice standards, statutory mandates, or lawful demands from authorities.
6. DISCLOSURE, SHARING AND TRANSFER OF PERSONAL DATA
In the ordinary course of business, and in strict compliance with applicable legal obligations, the Company may disclose, transmit, share, or otherwise make available Personal Data or Sensitive Personal Data to third parties under specific, narrow, and clearly defined circumstances. The User understands and acknowledges that such disclosure shall always be governed by binding confidentiality, data-processing, and non-disclosure agreements ensuring that the integrity, privacy, and lawful use of User data remains uncompromised. The Company affirms unequivocally that it does not sell, rent, trade, monetize, or commercially exploit User data for advertising or unrelated commercial purposes.
6.1 Disclosures to Mental-Health Professionals
The Company may share relevant portions of a User’s Sensitive Personal Data with counsellors, psychologists, or psychiatrists engaged for the purpose of providing mental-health services. Such professionals receive access strictly on a need-to-know basis. They are contractually and ethically obligated to maintain confidentiality, refrain from unauthorized disclosure, and comply with therapeutic and clinical confidentiality regulations. The scope of information shared may include session history, screening outcomes, written disclosures, and professional observations. Under no circumstances shall a professional access more data than required for legitimate therapeutic purpose.
6.2 Disclosures to Technical and Third-Party Service Providers
The Company may engage external vendors, hosting providers, software infrastructure partners, cloud service providers, tele-counselling platforms, email and SMS delivery systems, payment processors, and AI-based behavioural engines. These entities operate exclusively under the direction of the Company and are legally bound not to retain, misuse, or repurpose User data for any purpose beyond the scope of services outlined in their respective contracts. All such processors are required to implement security safeguards equivalent to those used by the Company, and undergo periodic audit and compliance evaluation.
6.3 Legal and Regulatory Disclosures
The Company reserves the right to disclose Personal Data or Sensitive Personal Data without the User’s prior consent where such disclosure is mandated by law, regulatory requirement, court order, governmental authority directive, police or investigative demand, or any statutory obligation under Indian law or foreign jurisdiction (as applicable). The Company shall not be liable for disclosures compelled by lawful authority. Additionally, where disclosures are necessary to comply with telemedicine, psychotherapy, or clinical safety guidelines, the Company shall adhere to professional ethical norms.
6.4 Disclosures in Emergency or High-Risk Situations
If the Company reasonably believes, based on professional judgment, that the User poses an imminent risk of self-harm, harm to others, severe emotional destabilization, suicide attempt, or catastrophic psychiatric deterioration, the Company may disclose limited, relevant data to emergency services, family members (where ethically permissible), psychiatrists, or law enforcement agencies. Such disclosures shall be restricted to the minimum information necessary to prevent harm, in accordance with established ethical frameworks for crisis intervention.
6.5 Disclosures to Institutional Clients
For institutional programs conducted with corporates, schools, universities, or community organizations, the Company may share aggregated and anonymized wellbeing reports which do not identify any individual User. Individual-level data shall be disclosed only where explicit written consent has been obtained from the User or the institutional contract expressly authorizes individualized disclosure under applicable law.
7. CROSS-BORDER DATA TRANSFERS
Due to the nature of digital infrastructure, it may become necessary to process or store data on servers located outside India, including in jurisdictions offering cloud services, disaster recovery operations, or global telehealth infrastructure. The User acknowledges that foreign jurisdictions may have differing privacy laws; however, the Company undertakes to ensure that all international data transfers are executed only with entities providing privacy safeguards comparable to or stronger than those required under the DPDP Act, IT Rules, and global healthcare privacy norms. Where required, the Company shall execute Standard Contractual Clauses (SCCs) or equivalent data transfer agreements to maintain legal enforceability of protections. The Company reserves the right to migrate data across regions or service providers, provided such migration does not diminish the level of protection accorded to the User’s personal or mental-health data.
8. DATA RETENTION AND DESTRUCTION POLICY
The Company will retain User data for only as long as necessary for fulfilling the purposes for which such data was collected, or as required under applicable law, ethical mandates, clinical record-keeping obligations, or legitimate business interests. Sensitive Personal Data related to mental-health services is subject to enhanced retention requirements to ensure continuity of care, professional accountability, and medico-legal compliance.
8.1 Retention Period for Mental-Health Records
Counselling and psychiatric records shall be retained for a period of seven (7) years from the date of last interaction, unless applicable law mandates a longer retention period. This period reflects global clinical standards for therapy and psychiatric documentation retention. The User acknowledges this requirement as essential for ensuring continuity of care, defending clinical decisions, and complying with legal obligations.
8.2 Retention of Screening and Assessment Data
Digital screening outcomes and assessment results shall be retained for a minimum of five (5) years to facilitate longitudinal analysis, program improvement, and ethical clinical review.
8.3 Retention of Technical, Log, and Analytics Data
Technical logs, device identifiers, IP addresses, and behavioural usage data may be stored for twenty-four (24) months for the purpose of security auditing, fraud detection, and platform optimization.
8.4 Retention of Payment Data
Payment confirmations, receipts, and transaction metadata shall be retained for the period required by taxation laws, accounting statutes, and financial compliance regulations, typically seven (7) years.
8.5 Retention of LMS Data
Training submissions, certification results, and professional development records shall remain stored for five (5) years, unless the trainee requests deletion consistent with data rights laws.
8.6 Destruction of Data
At the expiration of applicable retention periods, the Company shall securely delete or irreversibly anonymize User data. Data destruction shall follow industry-standard secure erasure practices, ensuring that deleted information cannot be reconstructed. Backups shall be purged in accordance with deletion schedules, subject to technical constraints of archival systems.
9. PROTECTION AND SECURITY OF PERSONAL DATA
The Company employs a comprehensive suite of administrative, technical, and physical security measures to prevent unauthorized access, alteration, destruction, or disclosure of User data. These measures are aligned with ISO/IEC 27001 principles, IT Rules security requirements, and global healthcare information protection norms.
9.1 Encryption
All data in transit shall be encrypted using SSL/TLS protocols. Sensitive Personal Data at rest shall be stored using industry-standard encryption (AES-256 or equivalent). Access keys are stored securely and periodically rotated.
9.2 Access Controls
User data is accessible only to authorized personnel who require such access for legitimate business or clinical purposes. All staff undergo confidentiality training and are required to sign binding non-disclosure agreements.
9.3 Network and Infrastructure Security
The platform employs firewalls, intrusion detection systems, endpoint monitoring, malware scanning, and regular vulnerability assessments. Security incidents are logged and systematically evaluated.
9.4 Authentication and Identity Verification
The Company may implement multi-factor authentication, login verification, OTP-based validation, and device tracking to ensure account security and prevent impersonation.
9.5 Security Testing and Audits
Periodic internal and external audits, penetration testing, code reviews, and compliance evaluations shall be conducted to identify and mitigate vulnerabilities.
9.6 Breach Notification
In the event of a data breach compromising the confidentiality, integrity, or availability of User data, the Company shall notify affected Users and relevant authorities within a reasonable period, consistent with DPDP requirements and healthcare confidentiality laws.
10. COOKIES, TRACKING TECHNOLOGIES, AND ANALYTICS
The Company uses cookies, tracking pixels, analytics tags, behavioural monitoring tools, and system logs to enhance User experience, improve service delivery, analyze trends, maintain security, and personalize mental-health recommendations. These technologies collect metadata such as device identifiers, usage patterns, click behaviour, and session duration. The User consents to the use of such tracking technologies by continuing to use the platform. Certain cookies are essential for platform functionality and cannot be disabled without impairing service availability.
11. RIGHTS OF THE USER (DATA PRINCIPAL) UNDER APPLICABLE LAW
The Company acknowledges and affirms that every User, in their capacity as a Data Principal, possesses specific statutory rights under the DPDP Act, IT Rules, and internationally recognized privacy frameworks. These rights are fundamental to ensuring transparency, autonomy, dignity, and lawful control over the personal and sensitive information processed by the Company. The exercise of these rights shall be subject to verification of User identity and shall not infringe upon the rights of other Users, confidentiality of mental-health professionals, or legal obligations imposed upon the Company.
11.1 Right to Access Data
The User may request access to all Personal Data and Sensitive Personal Data being processed by the Company. This includes the right to obtain confirmation as to whether their data is being processed, and to receive a summary of the relevant categories of data stored. Access rights shall not extend to session notes, internal clinical assessments, or professional records that are protected under therapeutic confidentiality and not classified as User-owned information.
11.2 Right to Correction or Rectification
The User may request correction of inaccurate or incomplete Personal Data. Sensitive Personal Data that reflects subjective emotional states, therapeutic disclosures, or professional observations may not be eligible for rectification, as these records represent clinical documentation rather than factual inaccuracies. The Company reserves the right to determine which information may be corrected and which may not, consistent with professional ethics and legal mandates.
11.3 Right to Withdraw Consent
The User may withdraw consent to processing at any time. Withdrawal shall not affect processing previously conducted under valid consent. Upon withdrawal, certain services—especially counselling, psychiatry, nurturing programs, or LMS access—may become unavailable. Withdrawal shall also not override mandatory retention obligations under law or professional guidelines.
11.4 Right to Data Portability
Where technically feasible, the User may request transfer of certain categories of Personal Data to another data fiduciary, provided such transfer does not violate therapeutic confidentiality, clinical documentation integrity, or proprietary rights of the Company or its professionals.
11.5 Right to Deletion
The User may request deletion of their Personal Data subject to the following exceptions: (a) where retention is mandated by law, (b) where data constitutes part of clinical records requiring mandatory retention, (c) where deletion may compromise ongoing safety monitoring, (d) where records relate to financial transactions requiring statutory maintenance. Deletion requests shall be processed within a reasonable timeframe, after verifying identity and lawful eligibility.
11.6 Right to Nominate
Under the DPDP Act, the User may nominate an individual to act on their behalf concerning data rights in case of death or incapacity.
11.7 Right to Register a Grievance
The User has the right to raise grievances related to data processing, misuse, unauthorized disclosure, or rights violations. A designated Grievance Officer shall respond within statutory timelines.
12. PROCESSING OF DATA OF MINORS AND VULNERABLE INDIVIDUALS
Given that a significant portion of mental-health concerns affect adolescents, children, and vulnerable adults, the Company adopts a stringent legal and ethical framework for the processing of minors’ data.
12.1 Parental/Guardian Consent
For individuals under the age of 18, explicit consent from a parent or lawful guardian is mandatory before initiating any counselling, screening, or nurturing program. Consent must be verifiable and may require digital verification, signed authorization, or identity proof of the guardian.
12.2 Confidentiality and Therapeutic Protection
Although guardians provide consent, counsellors may maintain therapeutic confidentiality for disclosures made by the minor, except where: (a) there is imminent risk of harm, (b) disclosure is necessary for clinical safety, (c) disclosure is mandated by law. The Company respects international child-protection counselling norms.
12.3 Restricted Profiling and Tracking
The Company does not engage in behavioural profiling, targeted advertising, or commercial exploitation of minors. Tracking for safety, nurturing, or program effectiveness is limited to the minimum necessary.
12.4 Institutional Programs for Schools
Data collected as part of school wellbeing programs is anonymized unless the parent/guardian or school contract explicitly permits individualized reporting.
13. TELE-COUNSELLING AND TELE-PSYCHIATRY SPECIFIC PRIVACY OBLIGATIONS
The Company operates tele-counselling and tele-psychiatry services in accordance with international telemedicine privacy guidelines, ensuring that digital interactions maintain confidentiality equivalent to in-person sessions.
13.1 Non–Recording of Sessions
The Company does not record audio or video sessions unless: (a) explicit written consent is obtained, (b) required for clinical supervision, or (c) mandated under court order. Users are strictly prohibited from recording sessions without mutual consent.
13.2 Confidentiality of Digital Communications
All communications—video, audio, chat, documents shared—are encrypted and accessible only to the assigned professional and authorized staff. Counsellors and psychiatrists are contractually bound to maintain absolute confidentiality.
13.3 Secure Digital Environment Requirement
The User acknowledges their responsibility to participate in sessions from a private, secure location and to secure their own devices using updated software, antivirus protections, and safe network practices.
13.4 Clinical Limitations of Digital Interventions
Tele-counselling is subject to inherent limitations, including lack of physical examination for psychiatric assessments. Users must disclose accurate information and may be advised to seek in-person medical consultation depending on severity.
14. USE OF ARTIFICIAL INTELLIGENCE AND AUTOMATED NURTURING SYSTEMS
The Company employs artificial intelligence (“AI”) and machine-learning tools for the purpose of generating personalized behavioural nudges, habit-building instructions, scheduling reminders, program progression suggestions, and emotional wellbeing content. However, the Company expressly affirms that AI does not perform diagnosis, does not offer medical judgment, and does not replace the professional discretion of qualified counsellors or psychiatrists.
14.1 Purpose of AI Systems
AI is used for non-clinical supportive functions, including: (a) sending automated wellbeing messages; (b) generating motivational content; (c) analyzing anonymized behavioural patterns; (d) assisting Users in adhering to long-term habits; (e) reminding Users of appointments or tasks; (f) optimizing program engagement.
14.2 No Autonomous Decision-Making
AI shall not make decisions affecting the User’s legal rights, health outcomes, or program eligibility. All clinical decisions remain exclusively under professional human control.
14.3 Data Used by AI
AI systems may process:
- anonymized behavioural logs,
- screening score ranges,
- program completion patterns,
- user preference indicators.
Sensitive Personal Data such as detailed session notes or psychiatric diagnosis is never fed into external AI models.