This Policy applies to all visitors, data subjects, and others who access our Platform and Services (“Participant(s)” or “You/r”) including persons buying for teams and clinics (Customers). OffGrid Health, Inc. (OffGrid, “We”, “Us”, or “Our”) operates the websites (offgrid.health, offgrid.ai, synclife.us and domains), the OffGrid smart mirror, mobile, web-based widgets, OffGrid SDK and web-based applications (“OffGrid Platform” or “App/s” or “Mobile Software/s”).
You may use our Platform to access one or more of our services and offerings (collectively the “Service(s)” or “OffGrid Service”).
- Digital AI Support (“MY SYNC”).
- Smart Mirrors.
- Digital selfcare libraries.
- Well-being professionals.
- Guided-group support.
- Services offered over TeleHealth..
- Services provisioned from our website and webpages.
- Remote Patient Monitoring.
- Multi-lingual offerings.
We may also provide these and additional services on behalf of your Health System (Health System Services”). A Health System could be an enterprise, university, hospital, research Health System and other public or private organisations. Health System Services may involve processing information on behalf of the Health System. Where applicable, you must agree to the Terms of Services and Privacy Policies of both OffGrid and your Health System in order to proceed with using the Health System Service.
Where not specifically called out, use of uppercase / lowercase and bold / not bold would carry the same meaning in this document.
Do Note :
- If in a crisis or emergency, please call the relevant emergency number in your region or the approved helplines provided by Your Health System.
- The Platform and service is not targeted at children under 13 years. It may be used by parents of children under 13 years under strict supervision. OffGrid does not take responsibility for any misrepresentation of age and use.
- We do not require any personal identifiers or sensitive data hence we do not ask for it. We may collect personal data where your Health System asks us to do so. You have the option to not share your personal data, your medical data and any other sensitive data when you use the OffGrid Platform and Services.
- Your interaction with the MY-SYNC Avatar is with an Artificial Intelligence system and not a human. Hence, MY-SYNC Avatar is restricted in the means of response.
- Your interaction with OffGrid well-being professionals is with a human. They are highly trained and qualified health and well-being professionals.
- OffGrid well-being professional services do not replace face-to-face medical support. It is meant to empower and support you and not to treat any illness or a health condition.
- The OffGrid well-being professional assigned to work with you will be online and remote. They may not be located in your country or state of residence.
- The intended use for providing evidence-based tools and techniques is to manage behaviors and encourage physical, social and emotional well-being in a self-help and self-monitoring context.
- The Platform is not intended to provide a diagnosis, prognosis, treatment or cure of a condition or disease.
- The Platform will not offer medical or clinical advice and only suggest that you seek medical help.
- Your data is stored in databases maintained by us and third parties located in the United States. US data protection laws may be less stringent than those in your country.
- The Platform and its services are primarily in the English language. Some of the MY-SYNC Avatar modules and tools are enabled for Aemrican Spanish language users.
Changes in v1.0.0 | May 19, 2023
- Initial release
You can read the full list of changes in the Changes Log
MY-SYNC is the AI avatar used in a conversational setting by the OffGrid Platform.
Anonymization is the process of removing personal identifiers from data sets so that the person can no longer be identified.
Cookie is a small amount of data stored on your device (computer or mobile device).
Data Controller or Controller has meaning as defined in applicable data protection laws. It is a natural or legal body which, alone or jointly with others, determines the purposes of the processing of personal data.
Data Processor or Processor or Service Providers or Business Associate has meaning as defined in applicable data protection laws. It is a natural or legal body which processes personal data on behalf of the data controller.
Data Protection Laws here means in accordance with the Health Insurance Portability and Accountability Act and Reasonable security practices and procedures and sensitive personal data or data rules, including but not limited to requirements of EU General Data Protection Regulation 2016/679 (GDPR), the UK Data Protection Act 2018 (UK GDPR), California Consumer Privacy Act (“CCPA”) and other USA privacy laws and applicable Legal and Statutory requirements.
Data Subject (or Participant/You) means any living individual who is using our service and is the subject of Personal Data
Encryption is the process of transforming data into unreadable text so that it is only legible to those possessing an encryption key.
Personal data or Personal Information has meaning as defined in applicable data protection laws. It is data about a living person who can be identified from the data and/or other information either in our possession or likely to come into our possession.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data and as defined in applicable data protection laws.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific user without the use of additional information.
Non-Personal data or Non-Personal Information means any data that is made anonymous and does not reveal user specific identity.
Sub-Processor/s is a data processor who is sub-contracted some of the personal data processing.
Special Category data or Sensitive data has meaning as defined in applicable data protection laws. It includes personal data revealing or concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex-life or a person’s sexual orientation.
Who are we?
OffGrid Health, Inc. is a Texas Corporation with a declared social benefit of creating a time when well-being is accessible to everyone. We are registered in the State of Texas, in other jurisdictions as needed to provider our Platform and Services, and with Federal Tax and Regulatory bodies. Where we decide the purposes of our services and personal data processing, OffGrid will be the Controller. For all services and data processing done at the direction of and on behalf of a Controller or a Processor, OffGrid would either be a Processor or a Sub-Processor.
What personal data do we process and how do we use it?
We only use your personal data for the purposes for which we collected it. We will use it for another reason, only if compatible with the original purpose. We may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. We may process your personal data without your knowledge and consent, where this is required or permitted by law.
The table lists the data processing that we perform when you use the MY-SYNC Avatar, Digital self-care tools, human well-being professional service, services purchased from our website or multi-lingual offerings.
|Data Types||Source||Processing Purpose||Lawful Basis|
What data do we process when you use the OffGrid Digital Front Door Service?
OffGrid Digital front door application allows your Health System to triage you and your dependents to authorised care and support resources. The service redirects you to authorised support resources based on your country, service group, language choice, support choice and self-reported mood assessments. Support resources include the Health System’s EAP, the OffGrid Platform and other Health System provided services. Access to the OffGrid front door service will be via your Health System provided Single Sign-on (SSO) mechanism. Where required and on behalf of your Health System, we may integrate our Platform and Services with your Health System’s authentication mechanism such as Single Sign On (SSO). SSO enables you to use your Health System credentials to sign-in and access authorised OffGrid Platform and Services and other third-party services. OffGrid Platform will redirect you to your Health System’s SSO web page during your first access. The SSO processing is done by your Health System to verify your identity and direct you to the OffGrid Platform. Your personal information, submitted during sign-in, is not transferred or stored in the OffGrid system. OffGrid will receive a one-time unique and encrypted identifier, which will be used to generate a random user identifier to associate you to the Platform and Services. OffGrid will keep track of your login status and inform your Health System of any change to allow your Health System to manage future SSO requests. If you have any questions about your use of SSO please contact your Health System directly. No personal data is collected or processed during your use of the OffGrid digital front door application and service. OffGrid shall share population-level and aggregated analytics on Platform engagement and use with your Health System. You can delete your data at any time by selecting the “Reset my data” option available within the Platform.
What personal data do we process and handle as a Processor or Sub-processor?
OffGrid may be a Processor where we are asked to process your data on behalf of the Health System. We will collect, transfer, store and use your data to provide the Health System Services. Where required, OffGrid will integrate with your Health System authorised information systems to process and transfer contracted data. We will maintain appropriate agreements with your Health System before any data processing or sharing.
We will also generate reports for your Health System. Only aggregated and anonymised data, at a population or cohort level, will be used for the Health System’s reporting needs. These reports will be generated and shared with your Health System as downloadable files via secure analytic dashboards. Your individual insights will never be shared with your Health System without your consent.
Where required by your Health System, we may guide you to appropriate support and crisis resources. These would be both within and external to the Platform including Health System provided helplines, EAP, offline care services and therapist support. This processing is not intended to be an emergency response and is performed to safeguard individuals at-risk.
What additional personal data do we process when you use our Messaging-based business service?
OffGrid’s MY-SYNC Avatar service delivered over Messaging business app is currently available as a pilot and only in the India geography. OffGrid’s MY-SYNC Avatar on Messaging business is limited to improving sleep efficiency. The service does not offer medical or clinical advice and only suggests that you seek medical help.
You will need to initiate this service from your Messaging account. OffGrid will never use your messages to contact you for marketing purposes. OffGrid processes the following data when you use this service.
We use Twilio’s secure services to establish communication between our MY-SYNC Avatar service and Messaging business. Twilio APIs assist transfer of encrypted messages between Messaging business and OffGrid. Your messages are deleted from Twilio immediately after successful transfer to our servers. Your phone number and profile name are however retained in Twilio as long as connectivity of service is required. Read more about Twilio in the third-party service provider section.
Note: Messaging allows you to send attachments or voice messages. This is not required by us to provide our service. Please avoid sharing such information with us. Any inadvertent attachment and voice messages submitted by you gets deleted immediately from Twilio and our servers.
What Non-Personal data is processed when using OffGrid well-being professional service?
When you schedule a session with our OffGrid well-being professional, we collect your date and time preferences to confirm your booking. Your device time zone is collected to calculate your local date and time and schedule a session. It also allows us to send appropriate session reminders. Sometimes, OffGrid Platform may get your local time wrong which could affect the session scheduling. Always verify your local time in the scheduling screen before booking a session. If you notice an error in your local time displayed, go to the MY-SYNC Avatar messaging interface and type #time to change your time. If You face any challenge changing Your local time or booking a session, kindly write to us at the contact provided here.
After you book a session, you have the option to save the booking in your device calendar. This is for your added convenience.
Only minimal messages provided to your well-being professional get used for analysis and audit purposes. Your messages are anonymised before use. This is for improving our well-being professional service quality.
Do we use passive sensing or location data?
The Platform does not process any data from your mobile device sensors, including accelerometer, ambient light readings, screen on/off readings and call logs. The Platform does not process your geolocation at a level that makes your data identifiable. The Platform may infer your country or state based on your time zone to provide you appropriate resources, such as scheduled reminders.
How do we share your data with third parties?
To provide you with our services, we use third-party service providers to help store and process your data. We assess the service provider’s security and privacy practices. We strictly require that they comply with confidentiality and non-disclosure obligations and applicable laws and regulations including relevant Data Protection Laws. We also require that they or their providers (fourth parties) access your data only to the extent necessary to perform tasks on our behalf. We use the following third-party service providers.
Cloud Service Providers
To provide the service, we collect, transfer and store your data in secure servers provided by our authorized cloud service providers. You can find more on their security practices here, here and here. We maintain a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) and Business Associate Agreement with our cloud service providers.
Other Service Providers
We use OffGrid authorized third-party service providers to provide our services. List of our service providers include:
- Service Providers: Firebase, Google Analytics
- Purpose: To analyze Platform event data to understand user engagement and experience. No user conversation or personal data gets shared. Only a de-identified user identifier is shared along with the event data. All event data is made cryptic so that no medicalor psychological profile gets created at the hands of the analytics provider. No direct advertising or directmarketing is performed. However, to measure the effectiveness of our social media or other marketingcampaigns, we may use these tools to help us make improvements to our service. The third-party toolAPIs may automatically collect some non-personal events. Google Analytics automatically collectedevents can be foundhere.The use of Google Analytics is governed by Google Data Policyand Data Safeguards.Firebase automatically collected events can be found here. The use of Firebase isgoverned by Firebase Terms of Service, Use Policyand Crashlytics Terms of Service.We maintain Data Processing Agreements (DPA) with SCCs with these service providers
- Service Providers: Vercel
- Purpose: Our website is hosted on Vercel. Vercel may use your visit data to perform analytics. The use of Vercel is governed by Vercel’s of Service, Privacy and Cookie Policies.
- Service Providers: Resend
- Service Providers: Teams
- Service Providers: Microsoft 365
- Purpose: We use Microsoft 365 to provide our corporate email service, to store Information received from our clients and end-users in onedrive and sharepoint. We have a BAA with Microsoft 365.
- Service Providers: 3rd party Taggers and Translators
- Purpose: We may use third-party providers to tag, translate and test content in English and other languages.Minimal anonymised conversation data may be used for these purposes.This helps us improve the MY-SYNC Avatar algorithm performance.We maintain confidentiality agreements with these contractors.
- Service Providers: 3rd party background verification consultants
- Purpose: We use consultants to perform background checks for shortlisted candidates. This includes reference checks and academic checks as part of hiring.We maintain confidentiality agreement with the consultants.
- Service Providers: 3rd party payment gateway providers
- Service Providers: DeepL
- Service Providers: Twilio
- Purpose: We use Twilio in our app to programmatically make calls to emergency contact numbers shared by you foryour safety during use of the well-being professional services.We also use Twilio as a Business Service Provider (BSP) to integrate OffGrid’s MY-SYNC Avatar with Messaging business.This is done using their web service APIs. Twilio encrypts all communication. For Messaging messages, Twilio sends additional parameters. Read here for how Twilio manages Personally Identifiable Information. Here, you can read more on theirprivacy,terms of service and security. We have a DPA and BAA with SCCs with Twilio.
- Service Providers: CloudFlare
- Service Providers: Business Development and Marketing Tools
- Purpose: We use marketing tools for lead identification, lead generation and business operations, for communications in marketing campaigns and other marketing activities. To communicate with our existing or prospective business clients or users. We ensure appropriate consent and opt-outs are provided when we reach out to prospects. We perform vendor and tool security assessment and vulnerability checks before we onboard a tool. We sign required agreements along with appropriate data protection clauses with tool suppliers.
Disclosure to Health Systems
You may need an access code or link provided by us, or your Health System, to use the Health System version of OffGrid Platform. Your Health System may also get access to app usage data for their analytic and research purposes based on the consent given by you to your Health System and to us. We may collect your region, division and in some cases your city information to provide aggregated analytics. We do not share your messages with the Health System. Any inadvertent identifiers get removed prior to the aggregated analysis.
If the Platform is integrated with your Health System system, your Health System may additionally share your assessment and laba data with us and likewise, we may share aggregated data with them. Such lab and assessment data may be processed by us for providing services to your Health System. Your lab and assessment responses will never be processed for diagnostic purposes or for giving clinical advice.
Processing of any of your personal data as per our Legitimate Interests
We may be required to process your personal data in our legitimate interests.. We will always weigh your rights and freedom before we process any such requests for purposes of legitimate interest. This processing includes:
- For enforcing our policies or contractual obligations with your Health System;
- For uses and disclosures required by law;
- For disclosures for judicial and administrative proceedings such as court order or subpoena;
- For disclosures for law enforcement purposes or national security requests;
- For disclosure and assistance with an investigation or prosecution of suspected or actual illegal activity;
- For disclosure and use of a litigation hold. To freeze specific data relating to imminent, pending or current legal action, thereby preventing potential evidence alteration or deletion.
- For uses and disclosures for public health reporting purposes;
- For uses and disclosures to prevent serious threat to health or safety;
- For uses and disclosures for minimal research and analytics purposes to study how users use our products and services;
- For any service communications relating to your use of Platform and services;
- To prevent, detect and repair problems related to the security and the operations of the Platform;
- For uses and disclosures to prevent fraudulent use of or abuse of the service;
- For uses and disclosures to take adequate security and privacy safeguards;
- For uses and disclosures to ensure Platform and service availability, accessibility and quality;
- For uses and disclosures to protect your data protection rights;
- For uses and disclosures to protect your, our and others data protection rights, property and safety;
- To use anonymized, non-identifiable, non-confidential user data for benchmarking and marketing;
- To develop new services, technologies and products;
- To respond to your enquiries and requests.
OffGrid will never share your conversation data without your explicit consent provided either to us or your Health System.
In the future, if we are involved in any merger, acquisition, sale of assets, business reorganization, bankruptcy, we may transfer or otherwise share some or all of our assets which may include your data. We will take reasonable steps to inform you about this using the following modes.
- Public notice on our website and/or
- Inform your Health System and/or
- Where applicable, send in-app notification and/or
You can always email us at [email protected] to exercise your data protection rights.
How do we handle your Platform password?
For your privacy and security, you are advised to set your own Platform PIN to protect unauthorized access of your platform messages. Your mobile device screen password is your PIN. To extend your device password, use the “Set Lock ” feature under the Platform settings. You can also remove your PIN using the “Remove Lock” option under settings. The PIN that you use is personal to you, and you are responsible for maintaining the confidentiality and security of your PIN. Please keep your PIN safe and do not share it with anyone. The PIN you set remains in your device and is not collected, transferred and stored in our servers.
What data do we process after taking your Consent?
We take your consent to perform the following processing.
| Website Cookies, MY-SYNC Avatar or web beacon Data (browser type, browser language, operating System, language settings,web page views and the link clicks, campaign clicks, IP address)
- Purpose: To respond and provide support for your inquiries. | Your consent during form submission | Platform usage data and reports (derived using clinical questionnaires data, wellness data, app event data)
- Purpose: To process and share aggregated and anonymized analytics reports with your Health System. To prepare and share custom analytics dashboard views. | Your informed consent with us and/or with your Health System(Agreements are signed with the researcher or Health System) | In-app push notifications
- Purpose: To notify you for reminders you have set. To remind you about upcoming sessions and events. | Opt-in and Opt-out in Platform settings or mobile device settings. | Session conversations with well-being professional
- Purpose: To collect minimal anonymised data for research purposes. | Consent taken by well-being professional from you. | MY-SYNC Avatar activity and well-being assessment data
- Purpose: To share the data with your OffGrid well-being professional for your safety and support. | Authorize / unauthorize in app settings | Your conversation messages with the MY-SYNC Avatar
- Purpose: To share your MY-SYNC Avatar conversations with your OffGrid well-being professional. | Your consent given within the MY-SYNC Avatar (opt-in and opt-out by typing #sharechat) | Recruitment data (name, contact, address, email id, resume, references, credentials, transcripts, government provided identification, compensation information, race or ethnic origin, opinions and beliefs, physical or mental health or condition, sexual orientation, memberships, social media handles)
- Purpose: To evaluate your application. To make job offers. To enter into an employment agreement. To perform background checks. To perform reference checks. To convey application status. To consider you for other opportunities. To improve our hiring process. | Your consent.In our legitimate interest (to comply with laws, to protect your rights) | Promotion event data (email ID, name, phone number)
- Purpose: To process campaigns and surveys. To contact participants regarding campaign and promotions. To send programme related information, send newsletters, webinar invites, set reminders. To enrol and onboard you to the programme or campaign. To correspond on programme or campaign matters. | Your consent given within the MY-SYNC Avatar and campaign/survey/digital report enrollment forms. | Business data (customer name, email ID, contact details)
- Purpose: To communicate with business customers for lead generation, business development, business operations, account management or marketing purposes. | Communication is undertaken with appropriate expectation setting, consents or opt outs. | Insight and Involvement data (Name, email, phone, age-group, area of country, gender, sexual orientation, ethnicity, disability)
- Purpose: To contact you regarding Involvement opportunities, such as enrolment, attending meetings or sharing your opinion and experiences on our product. To analyze your feedback and derive insight to improve safety, effectiveness of our product and services. | Your Consent given during insight and involvement enrolment
How do we handle user incidents and requests?
There may be occasions where you wish to contact us to seek support or make inquiries. If you contact us directly over email, we will collect minimal personal information to service your request. Your communication data is securely stored in our Google Workspace account with access to only authorized users. We have signed agreements with Google Workspace. We will only use your data to investigate the issue or request asked. Your email will be retained within our system for a maximum of 10 years since last correspondence. We will not spam you or contact you for any direct marketing. We will not share or sell your personal data with any third-party disclosure.
Your issues or complaints or requests about the Platform and services are taken very seriously. You will need to send an email request from your Google or Apple email ID to [email protected]. We will respond to your complaints within 3 business days. Some of your complaints may take longer to resolve. We will continuously provide you with an update until your complaints are satisfactorily resolved.
### How do we handle data provided during promotions, campaigns and surveys?
We do not promote third-party offers as a part of the Platform experience. Your promotion, campaigns and survey submissions will never be linked to your OffGrid Platform account. Your promotion, campaign, survey submission will reside in our secure Google Workspace or marketing tool accounts. The Google Workspace and marketing tool account is protected by two step verification. You can opt out at any time from the programme by sending us an email request from your Google or Apple email ID to [email protected]. We will respond to your request within 3 business days. Your submissions will never be shared with a third-party.
How do we handle your payment data when you subscribe to our services?
What do we process when you follow us on Instagram, LinkedIn or our other social media pages?
You have the option to follow us on social media. We do not associate your social media account with your OffGrid Platform account.
Additional information when you use the audio-video well-being professional service.
You will need to give permission to activate your device’s microphone and camera. We have enabled Microsoft Teams healthcare product for this service. To enable video call connection, we only send anonymized identifiers to Microsoft Teams. Your call is never recorded and maintained at our or at Microsoft Teams end. End-to-End encryption is enabled along with other privacy and security controls. This ensures that your conversation remains secure and private. We may collect anonymous feedback from you at the end of the call. This will help us improve the quality and performance of our service.
We will be unable to provide access to playbacks or call transcripts as calls are not recorded. Your assigned OffGrid well-being professional will explain the benefits and risks of using the service. Please ensure your device volume is kept in optimal listening mode. Please note that you may experience some performance issues if you have low internet speeds. Please read the OffGrid well-being professional Service section in our Terms of Service to understand the terms for use.
How do we handle your data when used for research and analytics purposes?
We use minimal and only the required data for research purposes including aggregated data for any publications. This data is completely anonymized using irreversible redaction of user identifiers prior to use. This helps us to improve our product and services and contribute to user-centered mental well-being best practices globally.
We never use your longitudinal conversation messages for research purposes and analysis. If at all, only limited messages get selected from specific MY-SYNC Avatar endpoints and used.
You can always write to us at [email protected] to restrict processing and opt-out of your data for research purposes.
Additional information when you apply for employment or internship opportunities at OffGrid.
We do not sell your Information to unauthorized third parties. Your data is stored in databases maintained by us or third parties located within India or globally. Where, privacy rules may differ and may be less stringent than those in your country. If you are successful in your application, we retain the information as part of your employee records. If you do not want us to retain your information or want us to update it, please contact us at [email protected]. Please note, that we may retain some information if required by law or as necessary to protect ourselves from legal claims.
Please read here on your Privacy rights.
our use of third-party weblinks
What additional processing is performed?
We do not combine and process your personal data with any other third-party available data. Your data, messages or usage is not used for direct marketing nor is it sold to advertisers. We will always take your consent before using your name for social proof purposes.
How do we secure your data?
The security of your data is very important to us, and we work hard to secure it. We have implemented adequate technical and organizational safeguards to protect your data. Some of the steps we have taken to secure your data include:
Privacy by Design and Default
- There is minimal user registration required. We don’t need much hence we don’t ask for it.
- A nickname is generally sufficient to help us personalize our conversation with you.
- We use pseudonymised identifiers to protect your data and identity.
- No human eavesdrops during your conversation with the MY-SYNC Avatar.
- The MY-SYNC Avatar will always check if it has understood you correctly before progressing.
- We use algorithms that irreversibly redact any inadvertent personal identifiers entered in English.
- You can opt-out at any time using the “reset my data” feature available in the Platform settings.
- We adhere to the 7 key principles set out by GDPR (see here).
- We perform Data Protection Impact Assessment (DPIA) for personal data processing.
Security by Design
- We use TLS and SSL encryption during transfer and AES-256 protocol at rest.
- Random identifiers are used for all data transactions between MY-SYNC Avatar and our servers.
- Our systems are secured with role-based access, strong passwords and two-step verification.
- We enable endpoint security in all staff systems.
- We review and maintain data processing agreements with our service providers.
- We have a strict hiring and background verification process in place.
- We provide regular awareness and training to our staff.
- We conduct annual 3rd party compliance audits and data protection certifications.
- We perform regular penetration tests of our Platform and Infrastructure.
- We conduct regular checks to ensure compliance to our policies.
No method of electronic transmission or method of data storage is perfect or impenetrable. While we try our best to implement controls to protect your personal data, we cannot guarantee its absolute security. To ensure your data is secure, we require your cooperation as well. Please do not copy and share your conversations with unknown people.
How does the Artificial Intelligence MY-SYNC Avatar work and is it safe to use?
At OffGrid, we use proprietary generational Artificial Intelligence and Large Language Model (LLM) algorithms (“AI”) to understand your messages. LLM algorithms are classification techniques that are used to understand what you write. This allows the AI to maintain a conversation with you and guide you to appropriate resources. Our values require that our AI used within the Platform is transparent, trusted, safe and privacy protecting. All the AI used in our Platform are “FIXED” or “CLOSED”, and all chatbot responses to the user are created with clinical input and subjected to detailed safety testing before being deployed.
The primary purpose of the AI-based processing is
- to provide an interactive safe-by-design approach to converse and journal via text with the chatbot.
- to detect and retain limited context from your messages to personalize and provide empathetic and safe conversations.
- to detect at-risk situations, such as any SOS, self-harm and abuse triggers, so as to signpost users to clinically validated supportive resources and helplines.
With limited regulation in the US, OffGrid complies with UK NHS Digital’s DCB 0129 clinical risk management standards to ensure a safe-by-design approach to our AI-based services.
How long do we retain your data including personal data?
We have built proprietary algorithms that detect personal identifiers, that you may voluntarily submit during your conversation with MY-SYNC Avatar. These detected identifiers get irreversibly removed within 24 hours within our system.
We may retain one copy of your data even after your subscription ends or Health System contract ends if it is reasonably necessary. This could be in any of the following situations:
- to comply with applicable legal and statutory requirements;
- at the request of a returning subscriber;
- to respond to your requests
- based on contractual obligations with your Health System;
- in our backup for a time-bound period;
- to fulfil processing that is in our legitimate interest.
Where not specified we may retain your data for 7 years since the last update and as per our internal information retention policies.
Your emergency contact information, if any provided, will be deleted after fifteen (15) days at the end of the OffGrid well-being professional subscription. If you renew the subscription within those fifteen (15) days, the emergency contact information will not be deleted.
You can also, at any point of time, delete all your conversation data and any emergency contact information provided by using the “reset my data” feature available in the Platform settings. Refer here in our policy for more details.
International transfer of personal data outside of the country you reside in or are currently located
You understand and agree that we may transfer, store and process your submitted data to a third-party processor. These processors may be based in countries other than the country where you reside. These could be countries where data protection laws may be less stringent than those from the originating country. We take additional steps in an effort to ensure our international transfer of data is consistent with applicable data protection laws.
Where we transfer data from the European Economic Area (EEA), Switzerland, and/or the United Kingdom we use appropriate safeguards. This includes use of EU / UK Standard Contractual Clauses and UK International Data Transfer Agreement (IDTA) within the Data Processing Agreements.
Minimal data may be transferred across OffGrid company locations to provide our Services. We use appropriate technical and organisational measures to protect such transfers.
If you have additional questions about our international transfers of personal data, please contact us at [email protected].
What are your data protection rights?
You have certain rights under the Data Protection Laws in relation to your Personal data. To exercise any of your rights, you will need to send an email request to the contact information provided here. Please note that we may need to verify you before responding to any requests. After verifying you and examining your request, we will respond to you on the action taken within one calendar month from verification. We may at times be unable to address your request, if we are unable to correctly identify you.
Your individual rights requests may be limited, where:
- denial of access is required or authorized by law;
- grant of access would have a negative impact on other’s privacy;
- required to protect your, our or other’s rights property or safety;
- the request is unjustified or excessive.
Right to be informed
Right of access
You have the right to exercise a data access request to know what personal data we hold about you.
You have access to view your latest conversations or view your older conversation messages within the Journey tab of the Platform. You have access to your text-based messages with a OffGrid well-being professional in the Coach or Therapist tab of the Platform. If you exercise your right to delete and reset your data, you will lose the right to access your data as it will be permanently deleted in our system.
You can write to us at [email protected] for any clarifications or make subject access requests. On receipt, we will review your request, make reasonable efforts to find and retrieve the requested information and respond to you within one month of your request.
Where Users have subscribed to a Service, you have the right to obtain your personal data that you provided as per our Agreement or where you consented to give us. After verifying, we will provide access to your personal data in a machine-readable format. We may at times be unable to address your request, if we are unable to correctly identify you or are limited due to one of the reasons mentioned earlier or any of the exemptions set out by the data protection laws.
Right to rectification
If your personal data is inaccurate or incomplete, you can write to us to correct or complete it. If we share your personal data with third parties, we will inform them about the correction where possible.
Right to restrict processing
You can write to us to restrict processing of your personal data, where you contest the accuracy of the data or object to our processing it. If we share your personal data with third parties, we will inform them about the restrictions where possible.
Right to object
You may write to us and object to the processing of your personal data where we apply our legitimate interest. We may stop unless we can demonstrate compelling legitimate grounds for the processing.
Right to data portability
If you are a paid subscriber of our services, you can place a request to transfer your data from your older device to your replaced mobile device. You can also request a copy of your messages to OffGrid coach or therapist for your own purposes. If you are not a paid subscriber, we will need to accurately verify you, before we can process your request. We may at times be unable to address your request, if we are unable to correctly identify you.
Right to Erasure
When you use the service, you have the option to reset your data by using the “Reset my data” feature in the Platform settings. Reset my data deletes all your submitted data including your identifiers, past conversations, reminders, assessment responses and enabled settings. Post reset, you will not be able to recover your past data and you will be considered as a new user of the Platform. Hence, this feature is to be used at your discretion. If you are a paid subscriber, your transactional data and messages will be deleted on reset. However your active subscription, purchased through third parties like google play, iTunes, etc., will continue to exist post reset of data.
You can also write to us to delete or remove your personal data, such as when you withdraw your consent.
Right in relation to automated decision-making and profiling
You have the right to be free from decisions based solely on automated processing of your personal data, including profiling, which may have a significant effect on your rights and freedom, unless such profiling is necessary for entering into, or the performance of our Agreement or with your explicit consent. You have a right to ask us to stop any automated decision making. We do not intentionally carry out such activities, but if you do have any questions or concerns, we would be happy to discuss them with you. You can contact us at [email protected].
Other important information
To the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing of your data before we received notice that you wished to withdraw your consent.
If the data breach is likely to result in a high risk of adversely affecting your rights and freedom, we will notify you as required by Data Protection Laws.
Concerns and Complaints
If you are not satisfied with our resolution, you have the right to complain to a Data Protection supervisory authority in your country or state of residence. We will fully cooperate with the supervisory authority.
Do California residents have specific privacy rights?
Much of the Personal Information that We collect when you use our Services is not subject to the CCPA. Personal Information for the purposes of the CCPA does not include protected health information (PHI or electronic PHI) that is subject to the HIPAA or medical information as defined in the California Confidentiality of Medical Information Act (CMIA), clinical trial data, or publicly available information from government records. Personal Information also does not include de-identified or aggregated user data.
- Identifiers: such as android or apple identifier, nick name or any remaining identifiers voluntarily shared with us.
- Conversation data: any residual identifiers remaining in your text messages post our adequate removal measures.
- Communication data: such as name, email identifiers when you write to us.
- Network data: such as IP address or information about your interactions with our website or Platform
- Recruitment data: such as your current or past company name, dates of employment, and information that you may provide in a job application
- Promotion event data: such as any email identifiers when you enrolled.
- Platform Usage data: such as inferences and reports drawn from the above data types about you reflecting your preferences, characteristics, trends, or behaviour
You can request a list of third parties with whom we share personal data for direct marketing purposes. Please note that OffGrid does not share or sell your personal data with third parties as a matter of policy. Subject to certain exceptions, you can write to us to know about the personal information you shared and also exercise your data protection rights. You can request to delete your personal information, to opt out of any “sales”, or to not be discriminated against by writing to us at [email protected].
We will respond to your request within 45 calendar days of verification. We may at times be unable to address your request, if we are unable to correctly identify you. We may be unable to address your request due to any of the limitations and exceptions provided within CCPA.
What are the controls for Do-Not-Track features?
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. We may not respond to DNT signals transmitted by web browsers.
What are some Best Practices to follow to keep your devices secure?
You are also responsible for helping to protect the security of your personal data. You are responsible for maintaining the security of any personal computing device on which you utilize the Services.
The NCSC GOV.UK provides guidance on how You can improve Your online security. The UK ICO provides practical advice for protecting Your personal data online and when using computers and other devices. These can be found at the links below.
The US Federal Trade Commission (FTC) publishes information for users on how to secure your personal data and devices. These can be found at the following public links.
OffGrid strongly believes in security and safety of data in your mobile device. As a responsible Service provider, we like to share important device-based security information for your attention. These have been sourced from US FTC best practices and guidelines. Always refer back to the US FTC links provided above for more details and future security updates.
- Always lock your mobile screen by setting a password. Use strong passwords and keep passwords private. Never leave your device unattended.
- Always extend your mobile screen password to set an Platform PIN to keep your conversations with the Platform private.
- Always keep your mobile operating system up-to-date.
- Enable remote access of your devices to enable you to locate and control your devices remotely in the event your device gets stolen.
- Install anti-virus software to protect against virus attacks and infections
- Avoid phishing emails. Do not open files, click on links or download programs from an unknown source.
- Be wise about using Wi-Fi. Before you send personal and sensitive data over your laptop or mobile device on a public wireless network in a coffee shop, library, airport, hotel, or other public place, see if your data will be protected.
Severability and Exclusion
v1.0.0 | May 19, 2023
- Initial release