Wysa Affiliate Program Privacy Policy

Welcome to the Affiliate Program by Wysa (the "Program").

 

This Privacy Policy describes how personal information is collected, used, and shared by Wysa inc. ("Wysa", or "we", or "us" or "our") when you (the "Affiliate", "you" or “your”) visit this Impact site, our app and all services and products (links) which we provide you. “Our app ” refers to “Wysa - Everyday Mental Health and Wysa: Anxiety, therapy chatbot.”

 

We align our data protection practices to the key principles prescribed by General Data Protection Regulation (GDPR) and other applicable Data Protection Laws including but not limited to requirements of Indian Information Technology Act and Reasonable security practices and procedures and sensitive personal data or data rules, DPDP Act 2023, EU General Data Protection Regulation 2016/679 (GDPR), the UK Data Protection Act 2018 (UK GDPR), California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”) and other USA privacy laws. In This Privacy Policy, your "private information" means information or parts of information that can make it possible for you to be identified as someone.

 

Kindly review this policy, along with our cookies policy and terms of service. Your submission to join the Program implies consent to information collection and utilization as outlined in this Privacy Policy and Cookie Policy

 

Unless specified otherwise, terms in this Privacy Policy hold the same meanings as in our Terms of Service.

 

What personal information do we collect?

We collect the following information

 

Affiliate Information - when you register for our Affiliate Program on our Impact powered site we will have access to your personal or company information as provided on Impact. Additionally when users use your affiliate link provided by Impact, the link details are stored by Wysa to attribute any purchase made by the user who came through an affiliate link.

 

Communication Information- includes any feedback, complaints, requests via email or social media or our website contact forms. If you have communicated with us by email or website contact form, we will collect email ID, name provided, any contact details shared with us. Business name, staff name and their contact information.

 

Cookies - when you visit our website(s), our site-hosting provider’s cookies on our website will collect some mandatory and optional cookies based on your consent to our Cookie Policy.

 

Sources of the information categories

 

Much of the information categories that we hold about you, are directly from you or your interactions with us, when you use our Impact site, our websites or when you contact us for any purpose. The Program is not intended for individuals under the age of 18.

 

How do we use your information?

 

We must comply with data protection laws that mandate the identification and communication of a legal basis or 'ground' for utilizing your personal information. No sensitive data is required and collected from you. An explanation of each of the grounds can be found below.

 

1. Consent: where you have consented to our use of your information (you will have been presented with a consent message or opt-in provision in relation to any such use and may withdraw your consent by the means stated in this policy).
2. Contract performance: where your information is necessary to enter into or perform our contract with you (your Agreement to the Wysa Affiliate Program agreement and this Privacy Policy).
3. Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using, protects your data protection rights and freedom.
4. Legal obligation: where we need to use your information to comply with law or statutory obligations.

 

For each use mentioned below we note the purpose for which we use and disclose it, and the ground we rely on as the basis for our use.

 

1. Use of Affiliate Information
   To collect and process your information at time of joining the Program. To manage your affiliate status. To provide our affiliate links or product access codes. To provide access to our confidential information including any intellectual property. To provide you with information or advertising relating to our products or services.To fulfill any orders placed through the Site.. To communicate with you regarding the Program and your orders. Monitor and audit for potential risk or fraud.
   Legal basis: contract performance, legitimate interests (to enable us to perform our obligation).
   
2. Use of Communication data
   To communicate effectively with you: To issue product access code or links to access our Program website. To address your inquiries, feedback, grievances, and other messages, which includes any requests and concerns. To manage and resolve any service-related disruptions. To oversee our interactions with you, ensuring quality, compliance, and for training purposes. To communicate and process any legal or regulatory matters.
   Legal basis: legitimate interests (to allow us to correspond with you regarding our Program. To ensure the quality of our Program and Services), legal obligations.

 

Other uses of your information:

To reorganize or make changes to our business: In situations like: (i) negotiations for selling our business or part to a third party; (ii) being acquired by a third party; (iii) going through reorganization; or (iv) facing bankruptcy, we might need to share some or all of your personal data with the relevant third party (or their advisors) for due diligence in analyzing the proposed sale or reorganization. After such events, we could also share your data with the reorganized entity or third party for similar purposes as stated in this Privacy Policy. We'll reasonably try to notify you through methods like: public notice on our website, in-app notifications or changes to this privacy policy.

 

Legal basis: legitimate interests (in order to allow us to change our business), legal obligation

 

To comply with legal and regulatory obligations: We might handle your personal data to meet our legal and regulatory needs. This might involve sharing your data with third parties like insurers, courts, regulators, or law enforcement agencies worldwide. This can happen during their enquiries, proceedings, or investigations, or when legally required. We might also use it for preserving data during legal matters to prevent tampering. Additionally, we might disclose data to help with an investigation or prosecution of suspected fraud or actual illegal activity.

 

Legal basis: legal obligation (to report to regulator ask), legitimate interests (to cooperate with law enforcement and regulatory authorities)

 

Your data, messages or usage is not transferred or sold to advertisers or data brokers or any information resellers. We will always take your consent before using your name for social proof purposes. If you have any questions about the legal basis we rely on, please contact us using the details set out in the “Contact” section below.

 

How do we protect your personal data?

 

1. Where is your data stored?

The data we gather when you submit the Affiliate Program registration is transferred and stored in USA-based infrastructure instances managed by our affiliate platform provider, Impact (Pantastic). We may also share and process your personal information with our other organisation entities based in the US, UK and India for the purpose of the Program.

 

2. How long is your data stored?

It's kept only as long as necessary for requested services or purposes mentioned in the 'How do we use your personal data?' section above. If not specified, we retain your data for up to 10 years after termination or a period agreed upon with you.

 

3. Do we use third party providers?

We use Branch.io to capture non-personal information about the affiliate link provided to you by Impact. This is required by Impact (Pantastic) to reconcile and process referral payments.

 

4. International transfer of your information

To provide our Program and Services, we may need to process your submitted data in a country different from your own, where data protection laws might be less strict.

 

When we move personal data from within the European Economic Area (EEA), Switzerland, and/or the United Kingdom (referred to as the 'Europe region'), we'll take extra steps to secure your data in line with data protection laws. Some countries in the Europe region have been endorsed by regulators for having sufficient data protection, so no additional safeguards are needed to transfer data there. For countries without such approval, we'll use suitable measures to protect data transfer, like the new EU Standard Contractual Clauses and/or UK International Data Transfer Agreement (IDTA), as allowed by the law.

 

In line with relevant data protection laws, we'll ensure your data rights are well protected with appropriate technical and organizational safeguards.

 

For any queries, reach out through the details provided in the 'Contact' section below.

 

5. How do we safeguard your data?

We prioritize your data security and take extensive measures to ensure it. We've put in place adequate organisational and technical safeguards at our organisational level and with our affiliate platform provider. Here are a few of the steps we've taken:

 

1. We enable access control and two-step authentication on our affiliate platform.
2. We enable endpoint security in all staff systems.
3. We review and maintain data processing agreements with our service providers.
4. We provide regular awareness and training to our staff.
5. We conduct annual 3rd party compliance audits and data protection certifications.
6. We conduct regular checks to ensure compliance to our policies.
7. Wysa's Information Security Management System (ISMS) and Privacy Information Management System (PIMS) is certified for ISO 27001 and 27701.

 

Your data protection rights

 

During your interactions, you might have the right to: ask for more details on how we use your personal data; receive a copy of the personal data we may hold about you; correct inaccuracies and fill incomplete personal data we may have; delete no-longer-needed personal data; and limit processing while we review an inquiry you raised.

 

You're also free from decisions solely based on automated processing of your personal data, unless it's necessary for our Agreement or you've agreed. You can ask us to halt such decisions. While we don't usually engage in these activities, we're open to discussing any concerns.

 

Under specific conditions, you can also: withdraw consent; ask us to send your personal data to a third party electronically; object to processing based on 'legitimate interests' or 'public interests'; and opt out of direct marketing, including profiling. We typically let you know or get your consent (before collecting data) if we plan to use your data to share it with third parties.

 

The above rights have exceptions to protect public interest (like crime prevention) and our interests (such as legal privilege). They might not all apply in your country of residence.

 

If you can, use the contact info in the 'Contact' section to exercise your rights. We'll respond within a month of your request. Your individual rights requests may be limited, were

• denial of access is required or authorized by law;
• grant of access would have a negative impact on other's privacy;
• required to protect your, our or other’s rights, property or safety;
• the request is unjustified or excessive.

If you're unsatisfied, you can complain to your Data Protection Authority.

 

Notice for California, USA residents

 

There are certain disclosures required by the California Consumer Privacy Act (or “CCPA”) and California Privacy Rights Act (“CPRA”). We will comply with these requirements. The following types of Information are out of scope of the California Consumer Privacy Laws (CCPA) as amended by the California Privacy Rights Act (CPRA). The purpose of such exclusions, as designed by the law, is to avoid interfering with other regulatory schemes that govern these types of information. These include protected health information (as governed by HIPAA), medical information per the California CMIA, clinical trial data, or publically available information from government records among others. De-identified or aggregated user data that cannot be reasonably linked to you is also excluded.

 

It's important to know that Wysa doesn't generally sell your data to third parties. With some exceptions, you can contact us to learn about your shared personal data and to exercise your data protection rights. You can request data deletion, opt out of "sales," and not face discrimination when exercising your rights.

 

Do-Not-Track

Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. We do not respond to DNT signals transmitted by web browsers.

 

How to contact us?

For any queries, comments, complaints, and requests, reach us at [email protected]. For privacy policy and data protection rights inquiries, contact us at [email protected], addressed to the Head of Compliance/Data Protection Officer. We may be unable to address your request due to any of the limitations and exceptions provided within CCPA.

 

Updates to this policy

We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.