Privacy Policy

What is PHI?

Protected Health Information (PHI) is individually identifiable health information that we create, receive, maintain, or transmit in connection with the provision of healthcare services. This includes, but is not limited to: your name when combined with mental-health diagnoses, therapy session notes, treatment plans, appointment records, billing records, and any communications with your therapist.

How We Use and Disclose PHI

We may use or disclose your PHI for Treatment, Payment, and Healthcare Operations (TPO) without your express written authorisation. Beyond TPO, we will only use or disclose PHI with your signed authorisation, except where disclosure is required by law (e.g., mandatory reporting of imminent harm, child abuse, elder abuse, or court order).

Minimum Necessary Standard

We apply the HIPAA minimum necessary standard — we only access, use, or share the minimum amount of PHI required to accomplish the intended purpose.

Business Associate Agreements

All third-party vendors, cloud providers, and subprocessors who handle PHI on our behalf are required to sign Business Associate Agreements (BAAs) and maintain equivalent safeguards.

Your HIPAA Rights

Under HIPAA, you have the right to: (a) access and receive a copy of your PHI; (b) request corrections to inaccurate PHI; (c) receive an accounting of certain disclosures; (d) request restrictions on how we use or disclose your PHI; (e) receive communications through alternative means; and (f) file a complaint with the HHS Office for Civil Rights at www.hhs.gov/ocr.

Notice of Privacy Practices

Our full Notice of Privacy Practices (NPP) is available on request and is provided to all clients at the commencement of services.

a) Information You Provide Directly

- Account registration: name, email address, date of birth, gender identity, preferred pronouns - Clinical intake forms: presenting concerns, mental-health history, medications, prior diagnoses - Payment information: billing address, payment method (processed via PCI-DSS-compliant processors; we do not store raw card numbers) - Communications: messages, session notes, in-app chat, support tickets

b) Information Collected Automatically

- Device and browser data: IP address, browser type, operating system, device identifiers - Usage data: pages visited, features used, session duration, referring URLs - Cookies and similar technologies (see Section 11) - Crash reports and performance metrics (anonymised)

c) Information from Third Parties

- Identity verification providers (for therapist credential checks) - Insurance providers (if you use insurance benefits) - Referral partners (only with your consent) - Google or other OAuth providers if you sign in via social login

d) Sensitive Categories

We may collect special categories of sensitive data including: mental-health diagnoses, sexual orientation or gender identity (only if voluntarily disclosed), racial or ethnic origin (for matching preferences), and biometric data (if you use voice or video sessions). We treat all such data with heightened protections.

Information FlameUp May Collect

- Account and profile information such as your name, email address, login credentials, and preferences - Productivity content you create or upload, such as tasks, notes, reminders, workspace content, or similar user-generated data - Device, app activity, and diagnostic information such as IP address, browser type, device identifiers, crash logs, and feature usage data - Billing and subscription information if you purchase paid features or services - Customer support communications and feedback you send to us

How FlameUp Uses Information

- Provide, maintain, and improve the FlameUp app and its productivity features - Sync your content across devices and maintain your account - Personalise your experience, reminders, and app settings - Process subscriptions, purchases, and related billing operations - Monitor performance, investigate bugs, prevent abuse, and keep the service secure - Respond to support requests and communicate service-related updates

How FlameUp Shares Information

FlameUp may share information with service providers that support hosting, authentication, cloud storage, payment processing, diagnostics, analytics, and customer support, depending on the features you use. We require those providers to protect personal information and use it only for authorised purposes.

Legal Bases for Processing

We process your personal data on the following lawful bases: - **Contract**: processing necessary to deliver the services you requested - **Legal obligation**: compliance with HIPAA, GDPR, and other laws - **Vital interests**: preventing imminent risk of harm - **Consent**: where we have obtained your explicit consent (e.g., marketing, research participation) - **Legitimate interests**: fraud prevention, platform security, internal analytics (balanced against your rights)

Your GDPR Rights

- **Right of Access (Art. 15)**: request a copy of all personal data we hold about you - **Right to Rectification (Art. 16)**: correct inaccurate or incomplete data - **Right to Erasure (Art. 17)**: request deletion of your personal data ("right to be forgotten"), subject to our legal retention obligations - **Right to Restriction (Art. 18)**: ask us to restrict processing in certain circumstances - **Right to Data Portability (Art. 20)**: receive your data in a structured, machine-readable format - **Right to Object (Art. 21)**: object to processing based on legitimate interests, including profiling - **Rights related to automated decision-making (Art. 22)**: we do not make solely automated decisions with legal or significant effects without human review

Data Transfers

Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or adequacy decisions.

Data Protection Officer

You may contact our Data Protection Officer at: [email protected]

Categories of Personal Information Collected

In the past 12 months we have collected: identifiers (name, email, IP address); commercial information (subscription records); Internet or network activity; geolocation data; professional or employment-related information (for therapists); health and medical information (as permitted under HIPAA/CMIA); and inferences drawn to create a profile.

Your California Rights

- **Right to Know**: request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, purposes, and third parties with whom we share it - **Right to Delete**: request deletion of your personal information, subject to certain exceptions - **Right to Correct**: request correction of inaccurate personal information - **Right to Opt-Out of Sale/Sharing**: we do not sell or share personal information for cross-context behavioural advertising - **Right to Limit Use of Sensitive Personal Information**: you may direct us to limit use of sensitive personal information to what is necessary to provide services - **Right to Non-Discrimination**: we will not discriminate against you for exercising your privacy rights

How to Submit a Request

Email: [email protected] | In-app: Settings → Privacy → Submit Request We will verify your identity before processing requests and respond within 45 days (extendable by another 45 days with notice).

Authorised Agents

You may designate an authorised agent to submit requests on your behalf by providing a signed written authorisation.

Your Therapist

Your therapist has access to information necessary to provide care, including session history, intake forms, and in-session notes. Therapists are bound by their professional ethical codes, state licensing laws, and our Business Associate Agreements.

Service Providers (Sub-processors)

We engage vetted third-party providers for: cloud hosting (with BAAs), payment processing (PCI-DSS compliant), video conferencing infrastructure, identity verification, email delivery, and customer support tooling. All sub-processors are bound by confidentiality and data processing agreements.

Legal and Safety Disclosures

We may disclose information: (a) when required by law, regulation, or court order; (b) to protect the vital interests or safety of you or another person (imminent harm); (c) to respond to lawful government requests; (d) in connection with mandatory reporting obligations (child abuse, elder abuse, duty to warn).

Business Transfers

If Echo Health is involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify you before your PHI is transferred and subject to a different privacy policy.

With Your Consent

We may share your information with your explicit consent for research studies, insurance coordination, or other purposes you specifically authorise.

Data Breach Notification

In the event of a breach affecting your PHI, we will notify you in writing within the timeframes required by applicable law (no later than 60 days under HIPAA, 72 hours under GDPR for reportable breaches to authorities).

Managing Cookies

You can manage cookie preferences through your browser settings or our Cookie Preference Centre (accessible from the footer). Disabling strictly necessary cookies will affect your ability to use the Platform.

Do Not Track

We honour browser-level "Do Not Track" signals for non-essential analytics.

Privacy & Compliance Team

Echo Health, Inc. Email: [email protected] Response time: We aim to respond to all privacy requests within 30 days (or within the timeframe required by applicable law).

To file a complaint with a supervisory authority:

- United States (HIPAA): HHS Office for Civil Rights — www.hhs.gov/ocr - European Union: Your local Data Protection Authority — edpb.europa.eu - United Kingdom: Information Commissioner's Office — ico.org.uk - California: California Privacy Protection Agency — cppa.ca.gov