It is HearYou’s policy to comply with all federal and state laws and regulations relating to the privacy of our customers’ private information (PI) and private health information (PHI).
We receive a number of different types of information about you, including:
The information that's required when you sign up for the site, as well as the information you choose to share.
If you are coming to the site through an employer or insurer payor such as an Employee Assistance Program (EAP) then there is additional information collected by these Parties. This information is typically collected to confirm your eligibility with the EAP or network benefit administrator and is not shared with your Provider (who will collect your contact information separately). Further, your Employer or the Employer of the subscriber of your benefits will not be provided this information (you likely already gave them similar information in your employee file unless you are a family member of an eligible employee).
Except as permitted by law or as otherwise described below, HearYou does not disclose any PI/PHI about its customers, or former customers, or employees, to anyone. HearYou does not sell lists or customer information.
Information HearYou Collects for Customers
HearYou collects, retains, and uses PI/PHI from customers to include the following:
- The information that's required when you sign up for the site, as well as the information you choose to share.
- Required information such as your name, email address, birthday, and gender. We use return email addresses to answer the email we receive. Such addresses are not used for any other purpose and are not shared with outside parties.
- Usernames and User IDs, which are a way to identify you on HearYou. A User ID is a string of numbers and a username generally is some variation of your name.
- "Public Information" which means the information you choose to make public, as well as information that is always publicly available.
- Information posted to a group chat or moderated session and information kept within a one-on-one session.
- “Contact Information” is personal information and/or family/friend/relation that HearYou stores confidentially for your Therapist to access in case of an emergency or mental health crisis.
- Information HearYou receives on forms, including, but not limited to, identifying information such as address, telephone number, e-mail address related to customer projects;
- Banking information for billing purposes, such as account # and routing information for invoicing purposes.
Information HearYou Collects for Employees and Sub-Contractors
Federal law requires us to obtain, verify, and record personal information - such as your name, address and date of birth - in order to confirm your identity, social security number and banking information.
HearYou collects, retains, and uses PI from employees and subcontractors including the following:
- Information HearYou receives on applications or other forms, including, but not limited to, identifying information such as address, telephone number, e-mail address, social security number, date of birth, mother's maiden name, medical history;
- Federal Tax ID #;
- Medical records;
- Investment information;
- Background security checks
Information HearYou May Share
HearYou is a "DBA" used by Groop Internet Platform Inc., which runs the site and keeps the Data. We keep your information confidential except where disclosure is required or permitted by law (for example to government bodies and law enforcement agencies or during an emergency circumstance as judged by your Therapist working with local authorities). Generally, we only use your information within our company. However, sometimes we use third parties to process your information (for example as credit card payment providers). We require these third parties to comply strictly with our instructions and we require that they not use your personal information for their own business purposes.
The Uses of the Collected Data by HearYou
HearYou uses non-identifying and aggregate information to better design our Web site and to use in research and trend analysis. For example, we may tell an advertiser that X number of individuals visited a certain area on our Web site, or that Y number of men and Z number of women filled out a site survey or form, but we would not disclose anything that could be used to identify those individuals. We only provide data to our partners, if any, after we have removed your name and any other personally identifying information from it, or have combined it with other people's data in a way that it no longer personally identifies you.
HearYou uses non-identifying (De-Identified or “Safe Harbor” form) and aggregate information about responses to the clinical outcome assessments (personal assessments), and the frequency of the utilization of the HearYou service. These efforts enhance program evaluation.
The anonymous and aggregated data also may be published through various media platforms/academic journals. No personal identifying information is tied to the results, and HearYou does not share anything that could be used to identify your account or your private information.
From time to time, we may use customer information for new, unanticipated uses not previously disclosed in our privacy notice. If our information practices change at some time in the future we will contact you before we use your data for these new purposes to notify you of the policy change and to provide you with the ability to opt out of these new uses.
HearYou stores data only for as long as it is necessary to provide products and services to you and others, including those described above and for legal protections or as required by applicable laws and regulations.
HearYou may enable access to public information that has been shared through our services.
HearYou may allow service providers to access information so they can help us provide services. IP addresses are used to identify the location of users, the number of visits from different countries and also to block disruptive use; and to analyze and improve the services offered on our website, e.g. to provide you with the most user-friendly navigation experience.
Certain information is needed to provide you with services, so we only delete this information after you delete your account. Some forms of processing (sending promotional information, commercial profiling, behavioral advertising, geo-location, etc.) may require the express consent of the User. Specific information may be shown on the pages of the Site in connection with particular services or processing of Data provided by the Site User.
Upon request we provide site visitors with access to a description of information that we maintain about them. HearYou.org uses industry-standard encryption technologies when transferring and receiving consumer data exchanged with our site. If you feel that this site is not following its stated information policy, you may contact us at the addresses or phone number below.
For content that is covered by intellectual property rights, like photos and videos, you specifically grant HearYou.org a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with HearYou.org (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it. This Paragraph does NOT apply to photos, images or other videos shared ONLY with your Therapist in your private “Room” on the Platform.
When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others).
Disclosure of Personal Information
We do not share nonpublic personal information about our customers (present, former and potential) with anyone, except as required by law, or as follows:
- To any person when you authorize such disclosure;
- To computer services consultants and technicians or other security consultants, in order to ensure the confidentiality and security of customer & employee records;
- To financial service providers or consultants to carry out requested services, and/or to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
- To independent auditors or consultants in order to carry out institutional risk control;
- To government or regulatory agencies, including self-regulatory organizations and to comply with a legal summons, court order, subpoena or a similar legal process, audit or investigation;
- To swap data repositories
Protection: How We Protect Personal Information
We restrict access to information about you to those employees who need to know that information as part of their job responsibilities. We also educate our employees about the importance of confidentiality and customer privacy through standard operating procedures, special training programs, and our Code of Conduct. We take appropriate disciplinary measures to enforce employee privacy responsibilities. We have developed precautions that comply with federal regulations to ensure the security and confidentiality of customer records and information, to guard against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to our customers or our employees.
HearYou maintains strict information security procedures, including physical, electronic and procedural safeguards, to protect the confidentiality of your information. We conduct semi-annual Risk Privacy Assessments and remediate to update our technology to improve the protection of information storage.
We protect nonpublic personal information by:
- Restricting access to customer information to only those personnel for whom the information is necessary;
- Entering into written confidentiality/non-disclosure agreements with third party service providers for certain disclosures;
- Maintaining physical, electronic, and procedural safeguards that comply with the relevant laws and regulations; and
- Conducting a Security Training and Awareness program to communicate and educate employees about information security policies and procedures in order to make them aware of their roles and responsibilities in safeguarding information resources.
- HearYou uses firewall barriers and digital certifications to maintain the security of your online session and information.
- We do not collect any non-public personal information about visitors on our website, unless information is provided to us voluntarily or derived from website navigation and usage of the HearYou website and online platforms.
Protecting the Privacy of your fellow HearYou Users
During the use of HearYou.org services, you will not send or otherwise post unauthorized commercial communications (such as spam) on HearYou.org.
You will not collect users' content or information, or otherwise access HearYou.org, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our permission.
You will not upload viruses or other malicious code.
You will not solicit login information or access an account belonging to someone else.
You will not bully, intimidate, or harass any other User.
You will not post content that: is hateful, threatening, or pornographic; incites violence; or contains nudity or graphic or gratuitous violence.
You will not provide any false personal information on HearYou.org, or create an account for anyone other than yourself without permission. You will not create more than one personal profile.
Copyrights: HearYou and Protecting Other People's Intellectual Property Rights
Portable Electronic Devices
The HearYou Platform is available on a multitude of portable electronic devices. We provide our connection to mobile services for free, but please be aware that your carrier's normal rates and fees, such as text messaging fees, may still apply. You provide all rights necessary to enable HearYou Users to sync (including through an application) their contact lists with any basic information and contact information that is visible to them on HearYou.org, as well as your name and profile picture.
California Consumer Privacy Act (CCPA) Use And Disclosure Of Personal Data
HearYou recognizes that California has articulated specific privacy rights of HearYou Users in that State. California Users should understand that HearYou does not sell User data to third parties. Further, HearYou is a medical records retention company. As such, almost all User data is kept in encrypted storage as a medical record, including all User created transcripts. State Law requires HearYou to retain such records for at least seven years. The CCPA does not generally apply to medical information governed by the California Confidentiality of Medical Information Act (CMIA) or protected health information collected by a covered entity or business associate governed by the privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to request, once a year, if HearYou has shared their personal information (non medical record data only) with other companies for direct marketing purposes during the preceding calendar year. This is California’s “Shine-the-Light Law.” To request a copy of the information disclosure provided by HearYou, please contact us on HearYou.org at the "contact us" link on the website. Please allow reasonable time for a response.
If you are a California resident under the age of 18, and a registered user of any site where this policy is posted, California Business and Professions Code Section 22581 permits you to request and obtain removal of content or information you have publicly posted on our site. HearYou does not have Users below the age of 13 and does not typically allow Users to publicly post information. However, if you feel you publicly posted information on the Site and you are between the ages of 13 and 17, please contact us on HearYou.org at the "contact us" link on the website. Please allow reasonable time for a response. Please be aware that such a request does not ensure complete or comprehensive removal of the data/content you have posted and that there may be circumstances in which the law does not require or even allow removal of data, specifically medical data, even if requested.
California Right to Know: You may request access to the specific pieces of personal data we have collected about you in the last 12 months. You may also request additional details about our information practices, including the categories of personal data we have collected about you, the sources of such collection, the categories of personal data we share for a business or commercial purpose, and the categories of third parties with whom we share your personal data. You may make these requests by contacting us on HearYou.org at the "contact us" link on the website. Please allow reasonable time for a response.
California Designated Agent. You may designate an agent to make a request on your behalf. That agent must have access to your account in order for us to verify the request.
California Non-Discrimination. HearYou will never discriminate against you, including by denying or providing a different level of service should you choose to exercise your rights under the CCPA.
Privacy in International Use and The GDPR
The basic tenets of the promulgated GDPR regulations include, but are not limited to, the following:
Access to collected data: At HearYou, you already have the ability to access your shared data (Your personal information, your emergency contact information and all your interactions with your Providers) and use it as you wish.
Security: At HearYou we have encrypted our data from day one and have always stored all Private Health Information with full HIPAA compliance and in an anonymized form as required by the GDPR.
Notice/Audit: At HearYou, we will provide our Clients notice of any data breach and we employ a full-time security Officer, as well as engaging a third party security firm to periodically audit both our code and technology security as well as our HIPAA policies and procedures around data security.
Finally, depending on your EU country of origin, the GDPR takes into account what was previously termed the right “to forget” or request deletion of your data once you cease using a particular application or site. This particular tenet of the GDPR may conflict with applicable medical records retention laws. In the United States, this requires at least seven years of retention, which is common around the world and is sometimes up to ten years or more in certain countries. So, unlike some data platforms, HearYou cannot erase private health data directly upon a Client’s request, as it may be considered essential for other medical file retention purposes. Applicable individual country medical retention laws are generally considered an acceptable exception to the GDPR regulations regarding the right to deletion of certain data.
You will resolve any claim, cause of action or dispute (claim) you have with us arising out of or relating to this Statement or HearYou.org exclusively in a state or federal court located in New York. The laws of the State of Delaware will govern this Statement, as well as any claim that might arise between you and us, without regard to conflict of law provisions.
If anyone brings a claim against us related to your actions, content or information on HearYou.org, you will indemnify and hold us harmless from and against all damages, losses, and expenses of any kind (including reasonable legal fees and costs) related to such claim.
Social Networks and HearYou
These services allow the web site to access the data on your profile in the social networks, and to interact through your post. These services are not activated automatically, but require express authorization by the User.
Final Words from HearYou
We try to keep HearYou.org safe, but you use it at your own risk. We are providing HearYou.org “As Is” without any express or implied warranties. We do not guarantee that HearYou.org will be safe or secure. HearYou.org is not responsible for the actions, content, information, or data of third parties, and you release us, our directors, officers, employees, and agents from any claims and damages, known and unknown, arising out of or in any way connected with any claim you have against any such third parties.
We strive to create a global community with consistent standards for everyone, but we also strive to respect local laws. You consent to having your personal data transferred to and processed in the United States. If you are located in a country embargoed by the United States, or are on the U.S. Treasury Department's list of Specially Designated Nationals you will not engage in commercial activities on HearYou.org (such as advertising or payments). By content we mean anything you post on HearYou.org that would not be included in the definition of information. By data we mean content and information that third parties can retrieve from HearYou.org or provide to HearYou.org through Platform. By post we mean post on HearYou.org or otherwise make available to us (such as by using an application). By use we mean use, copy, publicly perform or display, distribute, modify, translate, and/or create derivative works.
Understand that we treat your use of our platform with the utmost respect for your privacy. We keep all information not disclosed above private between the Therapist and the User, keeping only non-decimated "file" copies for reference in case of legal dispute or by court order, as we are required to under Federal Laws for a period of up to seven years or by the applicable State Regulation. File retention protects both the User's and the Therapist's safety. HearYou is not responsible for data lost/exposed/used due to the nature of the Internet and digital environments, including illegal actions of hackers and criminals, technical malfunctions of servers and databases, etc. These are the accepted risks of our Users and users of the Internet in general. You are agreeing to this standard in using our site.
HearYou reserves the right to amend this Privacy Statement at any time without notice, and only the current Privacy Statement may be deemed effective. Regardless of later updates or changes to our privacy notice, we will never use the information you submit under our current privacy notice in a new way without first providing you an opportunity to opt-out or otherwise prevent that use.
Last updated on April 1, 2020