Your thoughts and information are private. We are committed to keeping them that way.

Effective Date: August 31, 2022
Read our full Privacy Policy
Questions, comments, concerns? Please reach out: privacy@woebothealth.com

Commitment 1: What you write to Woebot is private

The transcripts of your conversations with Woebot are not shared with third parties, except to provide the Services, improve the Services, or to protect us and others.

Commitment 2: We never sell or share your personal data with advertisers 

Never have, never will. 

Commitment 3: You control your personal data

Request to access it, correct it, or delete it, whenever you want. Share as much or as little as you like. See: How Can I Control My Personal Data?

Commitment 4: We always collect personal data with specific purpose and intent

For example, we ask about your symptoms to help you reflect on your progress, customize your experience, and in some partner programs to inform your clinical care. See: What Personal Data Do You Collect & How Is It Used?

Commitment 5: We are upfront about who can see which personal data and why

For example, some technical service providers use personal data to help make the Services work. If you use Woebot through a clinical partner, it may be appropriate to share more personal data with them than with an employer or other partner. We’ll always be transparent about who sees what. See: Do You Share My Personal Data?


Also see:
Supplemental California Privacy Notice
Supplemental Nevada Privacy Notice


Introduction

Woebot Labs, Inc. d/b/a Woebot Health (“Woebot”, “us”, “we”, or “our”) is committed to protecting and respecting your privacy. This privacy policy applies to and describes how we collect, store, use, and share personal data about you through our software, website, mobile application, documentation, and related services (together, the “Services”). References to “you” mean the person whose personal data we collect, use, and process. We will manage your personal data only as described below and consistent with applicable laws. By using the Services, you acknowledge that you have read and understand this privacy policy.



Contact Us

Woebot is the controller of personal data processed under this privacy policy.

For further information, to exercise your rights, or if you have any questions, please see our Security Overview or contact Woebot Health’s Data Protection Officer at privacy@woebothealth.com or Attn: Data Protection Officer, Woebot Health, 535 Mission Street, 14th Floor, San Francisco, CA 94105, United States.



What Personal Data Do You Collect & How Is It Used?

See the European Union’s General Data Protection Regulation (GDPR) guide for details on “Lawful basis for processing.” You decide how much or how little you are comfortable sharing. If you do not provide us with certain personal data, some of the Services may not work as intended.

Account data

Details:
  • Email address
  • Other personal data you provide to us, including any personal identifiers like your birthdate
  • Password
  • Personal data you’ve allowed one of our partners to share with us
  • Referral or access code (if applicable)
  • Time zone (from iOS and Android apps)
  • What Woebot should call you
How It Is Used:
  • To provide our Services, including creating an account
  • To improve our Services
  • For identification and authentication purposes
  • To address issues like malicious use of the Services
  • To maintain and uphold your preferences
  • To send you communications about our Services
  • To invite you to participate in relevant user experience research

Lawful Basis for Processing: Performance of a contract, Legitimate interest, Consent

Communications with us (separate from conversational data)

Details:
  • Email address
  • Platform
  • Operating system version
  • Other personal data you provide to us, including any personal identifiers or attachments you share
How it is used:
  • To provide our Services
  • To improve our Services
  • To invite you to participate in ad hoc opportunities, like product feedback
  • To provide user support
  • To invite you to participate in relevant user experience research

Lawful Basis for Processing: Performance of a contract, Legitimate interest, Consent

Conversational data

Details:
  • Your conversational interactions with Woebot, like what you write or options you select during the conversation 
How it is used:
  • To provide our Services
  • To improve our Services

Lawful Basis for Processing: Performance of a contract, Legitimate interest, Consent

Concerning language and escalation data

Woebot sometimes detects an input that might indicate you need more support than we can provide. Woebot is not a crisis service.

Details:
  • How often you share concerning language and confirm that Woebot has understood you correctly
  • If you share that you’re considering harming yourself or others in a clinical survey
How it is used:
  • To suggest more appropriate resources
  • To provide our Services
  • To improve our Services
  • For clinical partner programs (if enrolled), which may include informing your care team or clinical study staff

Lawful Basis for Processing: Performance of a contract, Legitimate interest, Consent

Hardware diagnostic and login information

Details:
  • Certain login information stored on your device
  • Crash reports and system error logs
  • Operating system, hardware, and browser version (if applicable)
How it is used:
  • To provide our Services
  • To improve our Services
  • To invite you to participate in relevant user experience research
  • For clinical partner programs (if enrolled), like supporting Single Sign-On (SSO)
  • For non-clinical partner programs (if enrolled), like supporting Single Sign-On (SSO)

Lawful Basis for Processing: Performance of a contract, Legitimate interest, Consent

Survey and assessment data

Details:
  • Surveys and assessments about your health or experiences
  • Surveys about our Services (if applicable)
How it is used:
  • To provide our Services, including to provide a personalized experience based on your responses
  • To improve our Services
  • To invite you to participate in relevant user experience research
  • For clinical partner programs (if enrolled), to inform your care
  • To share de-identified and/or aggregated data about Woebot, like trends for marketing and business purposes

Lawful Basis for Processing: Performance of a contract, Legitimate interest, Consent

Usage data

Details:
  • Information from Google Analytics or other analytics vendors, like website visitor or app user behavior and demographics. See: Google Analytics and Privacy and Opt Out of Google Analytics
  • Internal analytics information
  • Log files
  • Mobile device, browser type, browser language, operating system, and Internet Protocol address
  • Cookies, pixel tags, and web beacons
  • Usage information, like the time of day or how often you use each tool
How it is used:
  • To provide our Services
  • To improve our Services, including to assess the performance of our Services
  • To invite you to participate in relevant user experience research
  • For clinical partner programs (if enrolled), to inform your care
  • To share de-identified and/or aggregated data about Woebot, like trends for marketing and business purposes

Lawful Basis for Processing: Performance of a contract, Legitimate interest, Consent

Note on our social media pages

Woebot may maintain social media pages. Any personal data you share on the public sections of our social media pages is public and, unless otherwise required by applicable laws, is not covered by this privacy policy. Please exercise caution before sharing information that may identify you on the public sections of our social media pages. In addition, our Services may contain social media buttons to “Share Woebot.” Use of, or sharing personal data, with a social media service will also be subject to the social media service’s terms of service and privacy policy.



Do You Share My Personal Data?

We do not share your personal data with third parties except as outlined below.

Service providers

We use third party service providers, like Amazon Web Services, that help us provide our Services. These third parties may have limited and controlled access to personal data in connection with the services they provide, such as hosting or customer service. The use of personal data by service providers outside of the agreed-upon services they provide is prohibited.

Partner programs

We may partner with organizations to conduct research studies or provide you with the Services through separate programs. 

Program partners may include employers, hospitals, providers, or other medical and academic partners. Clinical partner programs are a specific type of partner program that include a licensed healthcare provider.

Your participation in partner programs is optional and requires your agreement with our partner for any personal data to be shared with a partner. Participation may be governed by additional terms outside this privacy policy. If you choose to participate in a partner program:

We will not share:
  • Your conversational interactions with Woebot, like what you write or your path through a conversation, unless you give us your consent to do so
We often share:
  • De-identified and/or aggregated data about how Woebot users use the app and its effectiveness
If you are using the Services through a clinical program or as part of a study and you consent, we may also share:
  • Identifiable data about how you’re doing such as survey responses, mood trends, or your confirmation that Woebot has understood a concerning entry that’s beyond what it can support

The personal data we may share “For clinical partner programs (if enrolled)” and “For non-clinical partner programs (if enrolled),” is indicated in: What Personal Data Do You Collect & How Is It Used.

Please note that any personal data shared with a partner program is also subject to the partner program’s terms and privacy policy. We are not responsible for the processing of personal data by partner programs. Please contact the partner program if you have any questions about their documents or practices. For research programs, please see the study’s informed consent. You may also contact the study and/or its institutional review board (IRB).

Your interactions with third-party services

Our Services may link to third parties, like helplines or other resources. Any information shared with or otherwise collected by third parties is subject to the third party’s terms and privacy policy. We are not responsible for the processing of personal data by third parties relevant to these resources.

De-identified and/or aggregated data

We may use your personal data to create de-identified and/or aggregated data, like approximate location information, information about the device you use to access our Services, information about conversational trends, or other analyses we create. De-identified and/or aggregated data is not personal data and we may use and share this data as permitted by applicable law, such as with academic partners. We never share the transcripts of your conversations with Woebot without your consent, even de-identified.

Disclosures to protect us or others  

We may access, preserve, and disclose any personal data we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to:
  • Comply with law enforcement or national security requests and legal process, such as court order or subpoena;
  • Protect your, our, or others’ rights, property, or safety;
  • Enforce our policies or contracts; or
  • Assist with an investigation or prosecution of suspected or actual illegal activity

Transferring personal data outside of the country you reside in or are currently located

Your personal data may be transferred, stored, and processed in one or more countries outside of the country you reside in or are currently located in, which may have data protection laws that are different from the laws where you reside or are currently located. When processing personal data outside of the country you reside or are currently located in, we take additional steps in an effort to ensure our international transfer of personal data is consistent with applicable law.

If we transfer personal data which originates in the European Economic Area, Switzerland, and/or the United Kingdom to a country that has not been found to provide an adequate level of protection under applicable data protection laws, one of the safeguards we may use to support such transfer is the EU Standard Contractual Clauses.

If you have additional questions about our international transfers of personal data, please Contact Us.

Disclosure in the event of merger, sale, or other asset transfers

If we are involved in a merger, acquisition, financial due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, your information may be sold or transferred as part of such a transaction, as permitted by law and/or contract.



How is My Personal Data Protected?

We use commercially reasonable efforts to implement security measures that are designed to avoid accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data. This may include (as appropriate):
  • Adhering to hospital-level security policies and procedures to protect sensitive user data, and adhering to the HIPAA rules, including the Privacy and Security Rules
  • Using cloud-enabled infrastructure designed to reduce our data footprint
  • Encrypting all personal data at rest and in transit
  • Securing sensitive personal data in a dedicated environment in a manner designed to ensure segregation and clear access control
  • Using technical network controls like multi-factor authentication and deny-all/allow-by-exception in a manner designed to maintain controlled access
  • Conducting and responding to penetration tests, vulnerability assessments, code reviews, and internal compliance reviews
  • Maintaining our business continuity, disaster recovery, and incident response plans
  • Allowing employees to access personal data only if required in connection to their job duties

Despite these efforts, no security measures are perfect, and no method of data transmission or storage is guaranteed to prevent unauthorized disclosure or misuse. As a result, we cannot ensure or warrant the security of any personal data you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized access, use, disclosure, or loss of personal data. To learn more about how to safeguard your data see: What Responsibilities Do I Have?



For How Long Do You Store My Personal Data?

We store personal data so that your experience with the Services is personalized based on your past interactions and for other reasons listed above. We retain the personal data we collect for as long as you use our Services, or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws. For more information about our data retention practices, please Contact Us.



What Rights Do I Have? 

Anyone who uses the Services can access, correct, or delete their personal data regardless of where they live or are physically located. In addition, under certain data protection laws, individuals may have rights around their personal data which may include (as applicable):

  1. The right of access which enables you to check what type of personal data we hold about you, what we do with that personal data, and to receive a copy of this personal data
  2. The right to rectification which enables you to correct any inaccurate or incomplete personal data we hold about you (including Protected Health Information (PHI))
  3. The right to erasure which enables you to request that we erase personal data held about you in certain circumstances
  4. The right to restrict or object to the processing of your personal data by us in some instances, including if you believe that the personal data held about you is inaccurate or our use of the personal data is unlawful
  5. The right to data portability which enables you to receive your personal data in a structured, commonly used, and machine-readable format and to have that personal data transmitted to another data controller
  6. The right to get an electronic or paper copy of your medical record containing Protected Health Information (PHI)
  7. The right to receive confidential communications containing your Protected Health Information (PHI) by alternative means, like requesting that we contact you at a different email address or phone number
  8. The right to ask us to limit the Protected Health Information (PHI) we use or share
  9. The right to receive an accounting of disclosures we have made of your Protected Health Information (PHI) for a specified timeframe
  10. The right to name a personal representative who can also manage your Protected Health Information (PHI)
  11. The right to withdraw your consent
  12. The right to receive a paper copy of this privacy policy

We will process your request in accordance with applicable laws. Note that we will require you to take steps to verify your identity. If you wish to exercise any of the above rights, please Contact Us.



How Can I Control My Personal Data?

If you have feedback or questions about any aspect of how we collect, share, or use your personal data, please Contact Us.

If your personal data is subject to the applicable data protection laws of the European Economic Area, Switzerland, or the United Kingdom, you have the right to file a complaint with the competent supervisory authority, if you believe our processing of your personal data violates applicable law.

Request your personal data

Contact us from the Settings section of the app or email support@woebothealth.com from the email address you used to register for the app. After verifying your identity, you will be sent a file containing what you’ve said to Woebot.

Opt-out

  • Email communications: Use the unsubscribe link found at the bottom of any email to stop receiving future emails. You will continue to receive other transaction-related emails you have requested. You are not able to opt out of some types of important communications, like updates to our terms or this privacy policy.
  • Text messages: Follow the instructions in the text message you received or Contact Us.
  • Push notifications: We may send you push notifications through one of our mobile applications. Opt out by changing the settings on your mobile device.
  • Do Not Track (DNT): DNT is a privacy preference that you can set in some web browsers. We honor DNT on our website. The DNT preference does not apply to mobile applications.
  • Cookies and similar technologies: You may stop, restrict, or remove the placement of some of the cookies and other similar technologies we use as your browser or device permits. You must opt out in each browser and on each device.
Please note:
  • We only use cookies on our website, not on any mobile applications.
  • If you adjust your preferences, our Services may not work correctly.

For more information on how we and our partners use cookies and the options to control them, see the Cookie Policy.



What Responsibilities Do I Have?

Safeguard your personal data

You are responsible for helping to protect your personal data by safeguarding your device, email, and password. For best practices, see the US Federal Trade Commission (FTC) guides: How To Protect Your Privacy on Apps, Online Security, and How to Keep Your Personal Information Secure. Please reference our Security Overview for more information on how to safeguard your personal data.

Protect children’s information

The Services are not directed to children (defined as under the age of 13 or another age as required by local law), and we do not knowingly collect personal data from children. If you learn that your child has provided us with personal data without your consent, please Contact Us. If we learn that we have collected a child’s personal data in violation of applicable law, we will delete that personal data (unless we have a legal obligation to keep it) and close the child’s account.

Read the privacy policies of third parties

The Services may contain links to third party websites or applications not covered by this privacy policy. We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing personal data to third party websites or applications is at your own risk.

Review this privacy policy regularly

We may change this privacy policy at any time. If we make any material changes to this privacy policy, we will notify you as required by applicable law. 

If you continue using our Services after the new policy takes effect, you are acknowledging acceptance of the updated privacy policy. We encourage you to review the content of this privacy policy regularly.

Archived Versions of our Privacy Policy:
April 28, 2022
July 14, 2021
April 23, 2020
