Privacy Policy

 

Kharis (“Kharis”, “We”, “Us”, or “Our”) operates the website (www.kharistherapy.com) and all associated domains) and the Kharis mobile, web-based widget and online applications (“Live: Hope: Thrive” by Kharis App” or “App/s” or “Mobile Software/s”).

This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our service. We use your data to provide and improve the service. We will not use or share your data with anyone except as described in this Privacy Policy. We align our data protection practices to the key principles prescribed by GDPR and other Data Protection Laws.

This policy applies to your use of the AI Coach service, digital premium toolpacks services, web-based AI coach widget or application services, guided-group meditation services and population/analytics dashboard services provided are collectively referred to as the “service(s)”. We also provide additional services on behalf of your Institution (“Institutional Services”). Institution means an organisation, school, university, trust, service, hospital, clinic, research institution or other public or private organisation. Institutional Services includes but is not limited to processing eligibility, referral and clinical information on behalf of the Institution.

This Policy applies to all visitors, data subject, and others who access the Service (“User(s)” or “You/r”). By using our Apps and services, you agree to our collection and use of data in accordance with this privacy policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms of Service.

You must agree to the Terms of Services and Privacy Policies of both Kharis and the Institution inorder to proceed with using the Institutional Service. All Kharis policies will be made available to the users from the Kharis AI Coach conversational interface.

Where not specifically called out, use of uppercase or lowercase would carry the same meaning.

Updates

We may amend this privacy notice from time to time to keep it up to date. We will notify you via in-app notifications and on our policy webpage when we make any changes to the Privacy Policy. Please regularly check these pages for the latest version of this notice.

Initial Effective Date: August 20, 2022 (EAT)

Key Messages :

1. If in a crisis or emergency, please call the relevant emergency number in your country.
2. The App is not to be used by those below the age authorised by your Institution
3. Limit sharing your personal and sensitive data when using the App. We only require the minimal data required to provide our services. Read this privacy policy to understand how we process your data.
4. Your interaction with the AI Coach is with an Artificial Intelligence system and not a human. Hence, AI Coach is restricted in the means of response.
5. The intended use of the App is for providing evidence-based tools and techniques to manage emotions and encourage mental health and well-being. The app provides self-help tools, self-care monitoring and reporting and also tools for processing validated assessments.
6. The App is not intended to be a replacement for face-to-face psychotherapy.
7. The App will not offer medical or clinical advice and only suggest that you seek medical help.
8. Your data will be stored and remain within our cloud servers in USA. Minimal operational data will be remotely processed for legitimate reasons to provide our services.
9. Where we decide the purposes of our services and personal data processing, Kharis will be the Controller. This Privacy Policy covers how we handle and process your data.
10. Kharis will be a Processor, for all services and data processing done at the direction of and on behalf of another Controller. All such data processing can be read here.

Changes Log

 

None

Definitions

AI Coach is the text-based AI service provided in an conversational messaging mode by Kharis web-widget and mobile Apps.

Anonymization is the process of removing personal identifiers from data sets so that the person can no longer be identified.

Cookie is a small amount of data stored on your device (computer or mobile device).

Data or Information under this Privacy Policy means both personal and non-personal data or information.

Data Controller or Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor or Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

Data Protection Laws here means in accordance with the Data Protection and Privacy Act 2019 (Uganda) and Reasonable security practices and procedures and sensitive personal data or data rules, including but not limited to requirements of Computer Misuse Act, 2011 (Act 2 of 2011) and any national implementing laws in relation to the same including the Data Protection and Privacy Act 2019.

Data Subject (or User/You) means any living individual who is using our service and is the subject of Personal Data

Encryption is the process of transforming data into unreadable text so that it is only legible to those possessing an encryption key.

Institution means an organisation, school, university, trust, service, hospital, clinic, research institution or other public or private organisation.

Institution users are employees, patients and members of the Institutions who have access to the Institution version of the App and Services.

Personal data or Personal Information means data about a living person who can be identified from the data and/or other information either in our possession or likely to come into our possession.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data.

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific user without the use of additional information.

Non-Personal data means any data that is made anonymous and does not reveal user specific identity.

Special Category data includes personal data revealing or concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex-life or a person’s sexual orientation.

Sub-Processor/s is a data processor who is sub-contracted some of the personal data processing.

 

Who are we?

Kharis is a private limited company having its registered office in Uganda (Kharis Therapy Ltd.) We are registered with the Uganda Registration Services Bureau. Where we decide the purposes of our services and personal data processing, Kharis will be the Controller. For all services and data processing done at the direction of and on behalf of a Controller or a Processor, Kharis would are either be a Processor or a Sub-Processor.

 

What is “Live: Hope: Thrive” by Kharis App?

With the Live: Hope: Thrive by Kharis App you can chat through a conversational interface and get access to tools and techniques. The App is available in both iOS and Android app stores, including a web-based AI Coach widget or application. Your interaction is with the AI Coach is with an artificial intelligence system and not a human. The intended use of the App is for providing evidence-based tools and techniques to manage emotions and encourage mental health and well-being. The app provides self-help tools, self-care monitoring and reporting and also tools for processing validated assessments/outcome measures. Where Kharis is a Processor or Sub-Processor, the intended use of the App would be to provide the Institutional services and perform processing at the direction of the Institution (or Controllers). You make the choice of using the AI Coach, based on your own estimate of need. The AI Coach cannot and will not offer advice on issues it does not recognize. Using the App, you can track and manage your mood, and learn context-sensitive evidence-based techniques that can help you feel better.

Limits to Intended use

1. The App is not intended to be a replacement for face-to-face psychotherapy or to provide a diagnosis, treatment or cure for a disease or condition.
2. The App and service is not intended for use in crisis or emergencies or severe mental health conditions.
3. The App and service cannot and will not offer medical or clinical advice. It can only suggest that the user seek medical help.
4. The App is not suitable for those with an eating disorder, psychosis, suicidal ideation and moderate to severe self-harm tendencies.
5. The App may collect referral, eligibility and clinical information, on behalf of the Institution. This information collected by Kharis and provided to the Institution is not to be used on its own without human healthcare professional supervision or review to inform a clinical decision made about a given patient (such as a clinical triaging decision).
6. All information provided by Kharis to the Institution must be reviewed by a trained healthcare professional who independently arrives at a clinical decision.

The web-widget Service is limited in its features and you will be asked to download the mobile-version of the app to enable access to the full App features and Services.

 

How does the Artificial Intelligence chatbot work and is safe to use?

At Kharis, we use proprietary Artificial Intelligence and Natural Language Processing/Understanding algorithms (“AI”) to understand your messages. Our values require that our AI used within the App is transparent, trusted, safe and privacy protecting. All the AI used in our Apps are “FIXED” or “CLOSED”. There are no generative (those that ‘create’ the response to the user on the fly) or adaptive models (those that continually adapt or learn every time on their own) in use. The algorithms run at conversational nodes within a decision-tree structure.

The primary purpose of the AI-based processing is

1. to provide an interactive safe-by-design approach to converse and journal via text with the chatbot.
2. to detect and retain limited context from your messages to personalize and provide empathetic and safe conversations.
3. to detect at-risk situations, such as any SOS, self-harm and abuse triggers, so as to signpost users to clinically validated supportive resources and helplines.

Kharis complies with clinical risk management standards to ensure a safe-by-design approach to our AI-based services.

Who can Use the Service?

You may use the App and services if you are authorised to use by your Institution.

Where applicable, your Institution may seek your and your parental or guardian consent before directing you to use the App.

We do not process any information about criminal convictions and offences. You should also not provide us with any such information during your use of our App and Services.

What personal data do we process and how do we use it as a Controller?

We only use your Personal data for the purposes for which we collected it. We will use it for another reason, only if compatible with the original purpose. We may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. We may process your personal data without your knowledge and consent, where this is required or permitted by law.

The table lists the personal data processing that we perform as a Controller.

Personal Data/ Data Types	Source	Processing Purpose	Lawful Basis
Android or Apple identifier (app-device identifier)	Collected from your device (Covers mobile App)	To recognize you as a new or existing user. To create a random user identifier for all transmissions. Perform one-way hash before sharing data for analytic purposes. To associate users to their provided data to provide uninterrupted App and services. To migrate your data to a new device. To administer your account. To process for addressing your data rights. To comply with applicable law or regulation.	To perform our contract with you (As an end-user, our contract is your agreement to Terms of Service and this Privacy Policy)
Random user identifier	Created by Kharis (Covers all Apps)	To recognize you as a new or existing user. To provide App and services. To create a random truncated identifier to provide minimal data for internal analytics. To provide additional security. To administer your account. To process your data rights.	To perform our contract with you. (As an end-user, our contract is your agreement to Terms of Service and this Privacy Policy)
Access or referral code	Provided by the user (Covers all Apps)	To send deeplinks to directly access the App and Institutional Services. To register you as an Institution user. To authorise access to Institution-agreed services. To provide customized App and services for referred and Institution users. To aggregate data at institution or cohort or user level for analytics purposes. To administer your account. To process your data rights.	To perform our contract with you and with your Institution. (As an end-user, our contract is your agreement to Terms of Service and this Privacy Policy)
Nickname	Provided by the user (Covers mobile Apps)	To personalise content on the App and services. To administer your account.	To perform our contract with you. (As an end-user, our contract is your agreement to Terms of Service and this Privacy Policy)
Device data (Operating system, OS version, device make and model, time-zone)	Collected from your device (Covers mobile Apps)	To detect and prevent fraudulent use of or abuse of the service. To resolve issues. To improve App experience and use. To provide service-related information. To remind users of upcoming check-ins, sessions and events.	To perform our contract with you. (As an end-user, our contract is your agreement to Terms of Service and this Privacy Policy)
Conversation data (free text messages, accidental identifiers, clinical questionnaire/assessment/outcome measure responses and scores, wellness data, voluntary SOS data, CBT Programs) (Clinical questionnaires are a proven way to track progress of your mental well-being. You have the option to not respond to these assessments) (Wellness data include voluntarily provided special category health data. You have the option to not share any sensitive physical or mental health-related data.)	Voluntarily provided by the user. (Covers all Apps)	To apply our AI algorithms to to wellness data to derive new data to indicate mood and emotional state. To detect context and ensure continuity in conversation. To detect medical or emergency terms to ensure safe conversations. To provide the right tool, technique and content. To provide and process the CBT Programs and send program use reports back to your Institution. To detect any SOS or self-harm triggers in messages and to signpost to safety resources. To improve AI algorithm safety. To improve product and service quality and customer experience (including improving and customising the content and product offerings). To anonymise reports. To anonymise research and analytics data. To share app use reports back to your Institution.	a.) To perform our contract with you. (As an end-user, our contract is your agreement to Terms of Service and this Privacy Policy) b.) Additional Condition for any Special Category data: for healthcare purposes and reasons of substantial public interest. For safeguarding of children and individuals at risk.
Inadvertent submitted personal identifiers (names, location, contacts, email identifiers)	Voluntarily provided by the user (Covers all Apps)	To take reasonable steps to detect and anonymise personal data	To perform our contract with you (As an end-user, our contract is your agreement to Terms of Service and this Privacy Policy)
Event Data (text button events, app screen events, tool events)	Events created during use of App (Covers all Apps)	To share anonymous event data with 3rd party providers for analytics purposes. To obscure the event data to not reveal sensitive information.	To perform our contract with you. (As an end-user, our contract is your agreement to Terms of Service and this Privacy Policy)
Communication data (name, email Identifier, email messages, feedback messages)	Voluntarily provided by the user when contacting by email	To respond to your inquiries, requests and feedback. To troubleshoot your issues. To provide and improve customer support services.	To perform our contract with you. (As an end-user, our contract is your agreement to Terms of Service and this Privacy Policy)
Safety Plan data (life anchors, safe places, support networks, warning signs, calming activities)	Voluntarily provided by the user (Covers mobile Apps)	To ensure availability of safety resources in time of need.	a.) To perform our contract with you. (As an end-user, our contract is your agreement to Terms of Service and this Privacy Policy) b.) Additional Condition for any Special Category data: for healthcare purposes and reasons of substantial public interest. For safeguarding of children and individuals at risk.
Other personal data (age-range, gender)	Provided by the user (Covers mobile Apps)	To provide age-appropriate content, tools and techniques.	To perform our contract with you. As an end-user, our contract is your agreement to Terms of Service and this Privacy Policy
Network Data (Internet protocol address)	Collected from user device by Kharis’s Content Delivery Networks (CDN) (Covers All Apps)	To store in the CDN database and network logs. To enable access to all images, media and tools provided within the App during use. To enable secured access to both the app and website	To perform our contract with you. As an end-user, our contract is your agreement to Terms of Service and this Privacy Policy (IP address is not linked to the app user identifier and not stored in the App database)

 

What personal data do we process and handle as a Processor or sub-processor?

Kharis will be a Processor, where we are asked to provide approved services and processing on behalf of the Controller. Controllers would be Institutions that prescribe or refer you to use our e-triage tool powered by the App (“eTriage tool”)or Institution version of the App. We will collect, transfer, store and use your personal data and special category data to provide the Institutional services. Institutional services may include processing of minimal data sets (MDS) on behalf of your Institution to provide Improving Access to Psychological Therapies (IAPT) services, CBT programs, Child and Adolescent Mental Health Services (CAMHS) among others. Kharis will integrate with the Institution authorised electronic patient record (EPR) systems to process and transfer your MDS. We will receive limited contact identifiers from the EPR to send an SMS to you with a link to the eTriage tool and to correspond about the Institutional services. We will verify your registered contact identifier before giving access to the eTriage tool. All the Institutional services and data processing performed by us will be as agreed with your Institution. We will maintain standard agreements including Data Protection Impact Assessments (DPIA) with your Institution. We may collect consent on behalf of your Institution, where your MDS needs to be shared with your nominated General Practitioner (GP) or Clinicians for your safety and care. The data collected in MDS includes but is not limited to personal and demographic information, assessment/ outcome measure responses and scores, programs and tool pack use, diagnoses including long term conditions and disabilities and mental health care events.

Where agreed with the Institution, the eTriage tool supports patients in identifying whether they are eligible or not for the mental health service. Eligibility criteria for the service is determined by the Institution and not by Kharis. The name of the Institution will be evident on the web page you access when you submit your information using the eTriage tool. The eTriage tool will ask initial questions to determine eligibility and will explicitly inform you through the chat whether you are eligible for the service or not. If you are eligible for the service, the eTriage tool will continue to ask further questions to collect information required to submit a referral to the Institution. The specific questions that are asked, and for some questions the specific answers available, are determined by the Institution and not by Kharis. Post the referral, Kharis also collects information that will support the Institution, and specifically clinicians at the Institution, to get you to the most appropriate care and treatment. This clinical information is in the form of an assessment. These assessments are validated and are set as requirements by UMDPC and the Ministry of Health. Kharis will indicate to you when these assessments are about to be asked and when they are completed. Where agreed with the Institution, we will share weekly reports of your eTriage tool use with the Institution.

Where agreed with the Institution, we will send an email alert to the Institution care provider or administrator if you trigger an SOS, Self-harm or abuse during eTriage tool use. This email will include your personal name, your phone number and the underlying message that triggered those emotions. This processing is performed to safeguard individuals at-risk.

Directly contact your Institution to know more about the data held and processed by Kharis on behalf of the Institution. Where available and required, we may provide Institution notices from within our eTriage tool or Institution version of the App.

You are required to provide accurate information. You take full responsibility for any deliberate inaccuracies submitted. If you make a mistake you will need to contact the Institution to get it rectified.

Kharis recognizes that all processing beyond that defined in agreed standard agreements including DPIA, will be agreed with the Controller before any processing by us.

 

How are Clinical questionnaires/assessment data processed?

During use of the App, you may be asked to complete validated assessments/outcome measures, such as PHQ-9/GAD-7 or RCADS/SDQ/WEMBLS among others, at defined time-intervals. Validated assessments are a proven way to track progress of your well-being. Your assessment responses are calculated and based on the scores are triaged to appropriate resources and encouraged to take external support. Those users with moderate-to-severe scores, as defined by the assessment, will be informed in-app that the App may not be suitable to help and are signposted to our or Institution-approved helplines and services. Assessment responses that trigger an SOS, will be signposted to appropriate emergency helplines.

As a Processor or Sub-Processor, at the request of your Institution (or Controller), we will share your assessment responses, scores and any at-risk safety flags with them for the purposes of your clinical care and safety. Where required, we will also create an aggregated summary of your responses to assessment and clinical questions, without any additional modification or interpretation or decision-making and share it with your Institution.

Do we use passive sensing or location data?

The App does not process any data from your mobile device sensors, including accelerometer, ambient light readings, screen on/off readings and call logs. The App does not process your geolocation at a level that makes your data identifiable. The App may infer your country or state based on your time zone to provide you appropriate resources, such as scheduled reminders.

How do we share your data with third parties?

To provide you with our services, we use third party data processors or sub-processors to help store and process your data. We assess the data processor’s security and privacy practices. We strictly require that they comply with confidentiality and non-disclosure obligations and applicable laws and regulations including relevant Data Protection Laws. We also require that they or their providers (fourth parties) access your data only to the extent necessary to perform tasks on our behalf. We use the following third-party data processors.

Cloud Data Processors

To provide the service, we collect, transfer and store your data in secure servers provided by our authorised cloud processors. Users data is stored on cloud servers configured within the United States of America region. We maintain a Data Processing Agreement (DPA) with our cloud processors.

Other data processors

We use authorised third-party data processors to provide our services. List of our data processors include:

Data Processors	Purpose
Firebase, Google Analytics	To analyse App event data. No user conversation or personal data gets shared. Only a pseudonymised user identifier is shared along with the event data. All event data is made cryptic so that no medical or psychological profile gets created at the hands of the analytics provider. No direct advertising or direct marketing is performed. However, to measure the effectiveness of our social media or other marketing campaigns, we may use these tools to help us make improvements to our service. The third party tool APIs may automatically collect some non-personal events. Google Analytics automatically collected events can be found here. The use of Google Analytics is governed by Google Data Policy and Data Safeguards. Firebase automatically collected events can be found here. The use of Firebase is governed by Firebase Terms of Service, Use Policy and Crashlytics Terms of Service. We maintain Data Processing Agreements (DPA) with Standard Contractual Clauses (SCCs) with Google.
Branch.io	We use Branch.io to provide deeplink service for our Institution users that helps provide direct access to the App and services and is governed by branch.io’s Terms of Service, Privacy Policy and Security & GDPR Compliance. We have a signed Data Processing Agreement (DPA) with SCCs with Branch.io.
Google Workspace	We use Google Workspace to provide our corporate email service, to store data information received from our clients and end-users in google drive and google docs. We have a signed DPA with SCCs with Google Workspace.
3rd party Taggers and Translators	We may use third party providers to tag, translate and test content in English and other languages. Minimal anonymised conversation data may be used for these purposes. This helps us improve the AI Coach algorithm performance. We maintain confidentiality agreements with these contractors.
Mailgun	We use Mailgun to send an email alert to your Institution care provider or administrator when you trigger an SOS, Self-harm or abuse during App use. The email will include your personal name, your phone number and the underlying message that triggered those emotions. The email message will be encrypted and the messages will be deleted from Mailgun Servers on successful email delivery. The Institution staff email ID will be retained for audit purposes as per the agreement with the Institution. The services provided by Mailgun are based on their Terms of Service, Privacy Policy and Security & GDPR Compliance. We have a signed Data Processing Agreement (DPA) with SCCs with Mailgun.
Voodoo (Bulk SMS)	We use Voodoo to send links to the eTriage Tool powered by the App or Institution version of the App, OTP verification of registered identifiers, provide study related information and communication during the study period. This is done using their SMS Services and APIs. Here, you can read more on their privacy policy, terms of service and retention policy. We have a Data Processing Agreement (DPA) with Voodoo.
Cloudflare	We use Cloudflare for its CDN and DDOS Protection Services. Cloudflare helps us to efficiently secure and provide our Services for you. Cloudflare has access to your IP address to provide the services. Kharis does not store or process your IP address beyond the CDN. Your IP address is never mapped to your conversation messages. Hence your conversations remain secure and private. Cloudflare may process your browser and operating system related data information for logging and abuse prevention purposes. You can read Cloudflare’s terms of service, privacy policy and GDPR Compliance to know more about how they handle your data. We have a signed DPA with SCCs with Cloudflare.

Disclosure to Institutions

You may need an access code or link provided by us or your Institution to use the Institution version of the App. Your Institution may also get access to App usage data for their analytic and research purposes based on the consent given by you to your Institution and to us.

As a Processor or Sub-Processor, We may integrate with your Institution (or Controller) approved EPR vendor and their systems. This to receive and transfer agreed data with the Institution. If the App is integrated with your Institution system, your Institution may additionally share your Institution registered identifiers with us. As Processors, we will use these identifiers to provide you with access to the Service and to transfer your minimal data set and App usage data to your Institution.

Processing as per our Legitimate Interests

We may be required to process your personal data in our legitimate interests. We will always weigh your rights and freedom before we process any such requests for purposes of legitimate interest. These third-party processing includes:

• For meeting contractual obligations with your Institution;
• For uses and disclosures required by law;
• For disclosures for judicial and administrative proceedings;
• For disclosures for law enforcement purposes;
• For uses and disclosures for public health reporting purposes;
• For uses and disclosures to prevent serious threat to health or safety;
• For uses and disclosures for minimal research and analytics purposes to study how users use our products and services;
• For any service communications relating to your use of App and services;
• For uses and disclosures to prevent fraudulent use of or abuse of the service;
• For uses and disclosures to take adequate security and privacy safeguards;
• For uses and disclosures to ensure App and service availability, accessibility, safety and quality;
• For uses and disclosures to protect your data protection rights;
• To respond to your enquiries and requests.

In the future, if we are involved in any merger, acquisition, sale of assets, business reorganization, bankruptcy, we may transfer or otherwise share some or all of our assets which may include your data. We will take reasonable steps to inform you about this using the following modes.

1. Public notice on our website and/or
2. Inform your Institution and/or
3. Where applicable, send in-app notification and/or
4. Changes to this privacy policy and in-app notice.

You can always email us at info@kharistherapy.com to exercise your data protection rights.

However, in such an event of sale or transfer, we shall reasonably ensure that your data with us is stored and used by the transferee in a manner that is consistent with this Privacy Policy and applicable Data Protection Laws. Any such third party to whom we transfer shall have the right to continue to use the data that you provide us immediately prior to such transfer or sale. On completion of the sale or transfer, the Privacy Policy of the third party shall apply with respect to your data.

 

How do we handle your mobile App password?

For your privacy and security, you are advised to set your own mobile App PIN to protect unauthorized access of your conversation messages. Your mobile device screen password is your PIN. To extend your device password, use the “Set Lock ” feature under the App settings. You can also remove your PIN using the “Remove Lock” option under settings. The PIN that you use is personal to you, and you are responsible for maintaining the confidentiality and security of your PIN. Please keep your PIN safe and do not share it with anyone. The PIN you set remains in your device and is not collected, transferred and stored in our servers.

 

What data do we process after taking your Consent?

As a Controller, We take your consent to perform the following processing.

Data	Purpose	Lawful Basis
Website Cookies,web-based AI Coach widget or web beacon Data (browser type, browser language, operating System, language settings, web page views and the link clicks)	To understand website visits and engagement analytics. Use of AWS operational cookies. To share anonymised event data with 3rd party providers for analytics purposes.	Your consent to our Cookie Policy (We do not sell your provided data to any third party)
Kharis Website Contact Form (Name, Email ID, inadvertent identifiers in messages)	To respond and provide support for your inquiries.	Your consent during form submission
App usage data and reports (Event data, Clinical questionnaires/assessment/Outcome measures data, wellness data, CBT Programs)	To process and share app usage and analytics data with your institution or research partner for research purposes including effectiveness, effectiveness, usability and feasibility.	Your consent with us and/or with your Institution (Agreements are signed with the researcher or Institution)
In-app push notifications	To notify you for reminders you have set. To remind you about upcoming check-ins, sessions and events.	Opt-in and Opt-out in App settings or mobile device settings.
Recruitment data (name, contact, address, email id, resume, references, credentials, transcripts, government provided identification, compensation information, race or ethnic origin, opinions and beliefs, physical or mental health or condition, sexual orientation, memberships, social media handles)	To evaluate your application. To make job offers. To enter into an employment agreement. To perform background checks. To perform reference checks. To convey application status. To consider you for other opportunities. To improve our hiring process.	Your consent In our legitimate interest (to comply with laws, to protect your rights)
Promotion event response data (email ID)	To issue and process polls, surveys or questionnaires regarding programmes or promotions. To send promotional or programme related information. To enrol and onboard you to the promotion or programme. To correspond on promotion or programme matters.	Your consent given within the AI Coach and forms.

 

How do we handle user incidents and requests?

There may be occasions where you wish to contact us to seek support or make enquiries. If you contact us directly over email, we will collect minimal personal data to service your request. Your communication data is securely stored in our Google Workspace account with access to only authorized users. We have signed agreements with Google Workspace. We will only use your data to investigate the issue or request asked. Your email will be retained within our system for a maximum of 10 years since last correspondence. We will not spam you or contact you for any direct marketing. We will not share or sell your personal data with any third party.

Your issues or complaints or requests about the App and services are taken very seriously. You will need to send an email request from your Google or Apple email ID to info@kharistherapy.com. We will respond to your complaints within 3 business days. Some of your complaints may take longer to resolve. We will continuously provide you with an update until your complaints are satisfactorily resolved.

Where Kharis is a Processor or Sub-Processor, Kharis will forward your email to your Institution (or Controller). Based on your Institution’s direction, your requests or enquiries will get appropriately addressed.

 

How do We handle data provided during promotions and surveys?

We do not promote third party offers as a part of the App experience. Your poll, survey or questionnaire responses will never be linked to your App identifiers. Your survey submission will reside in our secure Google Workspace account. Google Workspace provided security can be read here. The Google Workspace account is protected by two step verification. You can opt out at any time from the programme by sending us an email request from your Google or Apple email ID to info@kharistherapy.com. We will respond to your request within 3 business days. Your submissions will never be shared with a third party without your consent.

 

How do we handle your data when used for research and analytics purposes?

We use minimal and only the required data for research purposes including aggregated data for any publications. This data is completely anonymized using one-way hash functions prior to use. This helps us to improve our product and services and contribute to user-centered mental wellbeing best practices globally.

We never use your longitudinal conversation messages for research and analysis. If at all, only limited messages get selected from specific AI endpoints and used.

You can always write to us at info@kharistherapy.com to restrict processing and opt-out of your data for research purposes.

If you are part of a clinical study, you can always opt-out of the study by following these steps.

1. Select opt-out from research in the App settings and/or
2. Follow the opt-out process defined by the research Institution.

Where Kharis is a Processor or Sub-Processor, We will adhere to the instructions provided by your Institution (or Controller) when performing research and clinical studies.

Your use of third party weblinks

The App may carry links to third-party websites and resources. When you click on those links, you may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. We encourage you to read the privacy policy and Terms of use of every external link you visit. Please ensure that you are satisfied with their privacy notices before you provide them with any personal data.

 

What additional processing is performed?

Your data, messages or usage is not used for direct marketing nor is it sold to advertisers. We will update this Privacy Policy and inform you if we perform any additional processing.

How do we secure your data?

The security of your data is important to us. We have implemented adequate technical and organizational safeguards to protect your data.

Privacy by Design and Default

1. There is no user registration required. We don’t need it hence don’t ask for it.
2. Only a nickname is sufficient to help us personalize our conversation with you.
3. Use of pseudonymised identifiers to protect your data and identity
4. No human has access to or gets to monitor or respond during your chat with the AI Coach.
5. The AI Coach will always check if it has understood you incorrectly before progressing.
6. We use algorithms that hash any inadvertent personal identifiers entering our systems.
7. You can opt-out at any time using the “reset my data” feature available in the App settings.
8. Adherence to 7 key principles set out by GDPR
9. Perform Data Protection Impact Assessment (DPIA) for personal data processing

Security by Design

1. We use TLS and SSL encryption during transfer and AES-256 protocol at rest.
2. Random identifiers are used for all data transactions between AI Coach and our servers.
3. Our systems are secured with role-based access, strong passwords and two-step verification.
4. We enable endpoint security in all staff systems.
5. We review and maintain data processing agreements with our data processors.
6. We have a strict hiring and background verification process in place.
7. Regular awareness and training are provided to our staff.
8. Annual 3rd party compliance audits and data protection certifications.
9. We perform regular penetration tests of our Apps and Infrastructure.
10. We conduct regular checks to ensure compliance to our policies.
    
    

How long do we retain your data including personal data?

Any identifiers shared in your mobile App conversation get hashed within 24 hours within our system.

As a Controller, We may retain your data if it is reasonably necessary. This could be in the following situations:

• To comply with applicable legal and statutory requirements;
• To respond to your requests;
• To fulfill processing that is in our legitimate interest.

Where not specified we retain your data for a maximum of 10 years since the end of last use and as per our information retention policies.

You can also, at any point of time, clear all your conversation data by using the “reset my data” feature available in the mobile App settings.

As a Processor or Sub-Processor, we will retain your data in our systems until the retention period agreed with your Institution (or Controller). We will retain your personal data only for the minimal period required to service as per your Institution’s instructions. Post the retention period, we will safely and securely delete the data from our systems. You can contact your Institution or email us at info@kharistherapy.com and request for erasure at any point during your App use. All such requests received directly by us, will be forwarded to your Institution and handled as per their instructions.

What are your data protection rights?

You have certain rights under the Data Protection Laws in relation to your Personal data. To exercise any of your rights, you will need to send an email request to the contact information provided here. Please note that we may need to verify you before responding to any requests. After verifying you and examining your request, we will respond to you on the action taken within one calendar month from verification. We may at times be unable to address your request, if we are unable to correctly identify you.

Your individual rights requests may be limited, were:

• denial of access is required or authorized by law;
• grant of access would have a negative impact on other’s privacy;
• required to protect our rights and properties;
• the request is unjustified or excessive.

Where Kharis is a Processor or Sub-Processor performing data processing on behalf of your Institution (or Controller), Kharis may redirect your rights-related requests to your Institution for a resolution. We will respond to your request as directed by your Institution.

We handle your rights-related request as detailed below.

Right of access

You have access to view your latest conversations or view your older conversation messages within the Journey tab of the App. If you exercise your right to be forgotten and reset your data in the mobile App, you will lose the right to access your data as it will be permanently deleted.

Users can write to us at info@kharistherapy.com for any clarifications or requests around their right to access.

Right to rectification

If your personal data is inaccurate or incomplete, you can write to us to correct or complete it. If we share your personal data with third parties, we will inform them about the correction where possible.

Right to restrict processing

You can write to us to restrict processing of your personal data, where you contest the accuracy of the data or object to our processing it. If we share your personal data with third parties, we will inform them about the restrictions where possible.

Right to object

You may write to us and object to the processing of your personal data where we apply our legitimate interest. We may stop unless we can demonstrate compelling legitimate grounds for the processing.

Right to data portability

Users can write to us info@kharistherapy.com for any clarifications or requests around their right to data portability. We we will need to accurately verify you, before we can process your request. We may at times be unable to address your request, if we are unable to correctly identify you.

Right to Erasure

When you use the Kharis App and service, you have the option to reset your data by using the “Reset my data” feature in the App settings. Reset my data deletes all your submitted data. Post reset, you will not be able to recover your past data and you will be considered as a new user of the App. Hence, this feature is to be used at your discretion.

You can also write to us to delete or remove your personal data, such as when you withdraw your consent.

Right in relation to automated decision-making and profiling

You have the right to be free from decisions based solely on automated processing of your personal data, including profiling, which may have a significant effect on your rights and freedom, unless such profiling is necessary for entering into, or the performance of our Agreement or with your explicit consent.

Right to withdraw Consent

To the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing of your data before we received notice that you wished to withdraw your consent.

Right to Breach notification

In the event of a breach of your personal data, we will notify you within 72 hours or as required by Data Protection Laws.

Right to address Concerns and Complaints

If you have any concerns or grievances about this Privacy Policy you will need to send an email request from your Google or Apple email ID to info@kharistherapy.com with Attn. to our Head of Compliance. We have appointed our Head of Compliance as our data protection officer (DPO). We will respond to you within 48 hours and help resolve your concerns or complaints.

If you are not satisfied with our resolution, you have the right to complain to a Data Protection supervisory authority in your country or state of residence. We will fully cooperate with the supervisory authority

What are the controls for Do-Not-Track features?

Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. We do not respond to DNT signals transmitted by web browsers.

 

Can children use Live: Hope: Thrive by Kharis App?

The App is intended for use only for those authorised or prescribed by your Institution.

There is a special necessity to protect children’s privacy on the App. We do not knowingly collect any personal data from children.

Write to us if you think we have collected any personal data of your child. We will respond to you within one calendar month from verification. We may at times be unable to address your request, if we are unable to correctly identify the user. We will deactivate the child’s account, if we find we have been collecting personal data from your child. Upon identification we will take reasonable measures to promptly delete such personal data from our records.

We encourage parents and legal guardians to monitor their children’s Internet usage. To help enforce our Privacy Policy by instructing their children to not provide any personal data without their permission. Do not share your credit/debit card or other payment instrument with your child to make any in-app purchase.

How to contact for additional questions, comments or concerns?

For any product, services, or technical issues, please contact us at info@kharistherapy.com with your questions.

Our mail address for all communication is:

Office:
KHARIS THERAPY LTD
The Innovation Village,
Plot 31 Ntinda – Kisaasi Road
Kampala Uganda

 

Can Non-English speaking users use the Live: Hope: Thrive by Kharis App?

The App is being built and is currently provided only for English language users.

To ensure wider reach, Kharis will, in the near future, launch the App in other local and international languages. We will keep you updated on this development.

What are some Best Practices to follow to keep your devices secure?

You are also responsible for helping to protect the security of your personal data. You are responsible for maintaining the security of any personal computing device on which you utilize the Services.

Kharis strongly believes in security and safety of data in your mobile device. As a responsible Service provider, we like to share important device-based security data for your attention.

• Always lock your mobile screen by setting a password. Use strong passwords and keep passwords private. Never leave your device unattended.
• Always extend your mobile screen password to set an App PIN to keep your conversations with the App private.
• Always keep your mobile operating system up-to-date.
• Enable remote access of your devices to enable you to locate and control your devices remotely in the event your device gets stolen.
• Install anti-virus software to protect against virus attacks and infections
• Avoid phishing emails. Do not open files, click on links or download programs from an unknown source.
• Be wise about using Wi-Fi. Before you send personal and sensitive data over your laptop or mobile device on a public wireless network in a coffee shop, library, airport, hotel, or other public place, see if your data will be protected.
  
  

Changes to this Privacy Policy

We may modify our Privacy Policy from time to time for various reasons including to improve our privacy practices, to ensure our users right to be Informed, to reflect changes to our service, and to comply with relevant laws. If and when this policy is changed, we will post the new notice on our Website and the App and notify you through an in-app notification or as otherwise required by relevant law. It is your responsibility to check our Website and our App periodically for updates or changes to the policy. We encourage you to review changes carefully. If the changes to the Privacy Policy include changes to the collection, storing or processing your personal data in a way that infringe into your privacy, we will notify you clearly about the same where required by the applicable laws and regulations. If you agree to the changes, then please continue to use our service. If you, however, do not agree to any of the changes and you no longer wish to use our service, you may choose to unsubscribe or uninstall our App. Continuing to use our App and services after a notice of change has been communicated to you or published constitutes your acceptance of changes and consent to the modified Privacy Policy.

Severability and Exclusion

We have taken every effort to ensure that this Privacy Policy adheres with the applicable Data Protection Laws. The invalidity or unenforceability of any part of this Privacy Policy shall not prejudice or affect the validity or enforceability of the remainder of this Privacy Policy. This Privacy Policy does not apply to any data other than the data collected by Kharis while providing the services.