Privacy Policy

Last Updated: January 2024

EMDRly ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application and website (collectively, the "Service").

Please read this Privacy Policy carefully. By using EMDRly, you consent to the practices described in this policy.

1. Our Privacy Commitment

EMDRly handles sensitive personal information related to mental health and therapy. We take this responsibility seriously and have designed our Service with privacy as a foundational principle:

• Local-First Storage: Your personal journal entries, memories, dreams, and emotional data are stored locally on your device—not on our servers.
• Anonymization: When AI features are used, all identifying information is stripped before processing.
• HIPAA Compliance: Provider features are designed to comply with HIPAA requirements.
• No Data Sales: We never sell your personal information to third parties.

2. Information We Collect

2.1 Information Stored on Your Device (Not Sent to Us)

The following information is stored locally on your device and is NOT transmitted to EMDRly servers unless you explicitly choose to share it with your healthcare provider:

• Journal entries and personal notes
• Memory recordings and descriptions
• Dream journal entries
• Emotional state and mood tracking data
• Timeline and life story information
• Post-session reflections
• Calendar event data imported from your device

2.2 Information We Collect

We collect limited information necessary to provide and improve the Service:

Account Information:

• Email address
• Password (encrypted)
• Account preferences and settings
• Subscription status and billing information

Usage Information:

• Feature usage patterns (which features you use, how often)
• App performance data and crash reports
• Device type and operating system version
• General session duration (not content)

Communication Data:

• Support requests and correspondence
• Feedback you provide
• Waitlist signup information

2.3 Information Shared with Healthcare Providers

If you choose to connect with a healthcare provider through EMDRly, you control what is shared:

• Aggregated mood and emotional state data (not raw journal content)
• Specific entries you explicitly choose to share
• Session attendance metrics
• Crisis alert status (if you opt in)

Important: When information is shared with providers, it is transmitted using anonymized client codes—not your name or other identifying information—to protect your privacy.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process your subscription and payments
• Send you service-related communications
• Respond to your support requests
• Analyze usage patterns to improve user experience
• Detect and prevent fraud or abuse
• Comply with legal obligations

4. AI Features and Anonymization

EMDRly uses artificial intelligence to provide supportive responses and insights. Here's how we protect your privacy when using AI features:

4.1 Anonymization Process

Before any text is sent to AI providers for processing:

• Names (yours and others mentioned) are replaced with generic placeholders
• Locations are generalized or removed
• Dates are converted to relative timeframes
• Other identifying details are stripped

4.2 Pre-Built Responses

Many supportive responses in EMDRly are pre-built and stored locally, requiring no external AI processing at all. This minimizes data transmission while still providing helpful support.

4.3 AI Provider Data Handling

When AI processing is required, we use providers that:

• Do not use your data to train their models
• Do not store your data beyond the immediate processing request
• Are bound by data processing agreements

5. Data Storage and Security

5.1 Local Storage

Personal content (journals, memories, dreams) is stored on your device using industry-standard encryption. This means:

• Your data is only accessible on your device
• If you uninstall the app, locally stored data is deleted
• We cannot access your locally stored content
• You can export your data at any time

5.2 Server Storage

For data that is stored on our servers (account information, subscription data, aggregated metrics), we employ:

• 256-bit AES encryption at rest
• TLS 1.3 encryption in transit
• Regular security audits
• Access controls and authentication
• Secure cloud infrastructure with SOC 2 compliance

5.3 Data Backup

Locally stored data is not automatically backed up to our servers. If you want to preserve your data:

• Use the in-app export feature to create backups
• Enable device-level backups (iCloud, Google Drive)
• Note that device backups may be encrypted by your device settings

6. HIPAA Compliance

For healthcare provider features, EMDRly is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA):

• Protected Health Information (PHI) stays on the patient's device
• Provider communications use anonymized client codes
• All data transmissions are encrypted
• We maintain audit logs for compliance
• Business Associate Agreements (BAA) are available for enterprise customers

7. Information Sharing

We do not sell, rent, or trade your personal information. We may share information only in these limited circumstances:

7.1 With Your Consent

We share information when you explicitly direct us to, such as sharing data with your healthcare provider.

7.2 Service Providers

We use trusted third-party service providers for:

• Payment processing (Stripe)
• Email communications (for service messages)
• Analytics (anonymized usage data only)
• Cloud infrastructure (AWS/Google Cloud)

These providers are bound by contracts requiring them to protect your information.

7.3 Legal Requirements

We may disclose information if required by law, court order, or government request, or if we believe disclosure is necessary to protect rights, safety, or prevent illegal activity.

7.4 Business Transfers

If EMDRly is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change.

8. Your Rights and Choices

8.1 Access and Export

You can access and export your data at any time through the app settings. Local data can be exported in common formats (JSON, PDF).

8.2 Deletion

You can delete your account and all associated data by contacting us or using the in-app deletion feature. Note that:

• Locally stored data is deleted when you uninstall the app
• Server-stored data is deleted within 30 days of request
• Some data may be retained for legal compliance

8.3 Communication Preferences

You can opt out of non-essential communications at any time. Essential service communications (security alerts, billing) cannot be opted out of while maintaining an active account.

8.4 California Residents

Under the California Consumer Privacy Act (CCPA), California residents have additional rights including the right to know what information is collected, the right to delete, and the right to opt out of sales (though we do not sell personal information).

8.5 EU/EEA Residents

Under GDPR, you have rights including access, rectification, erasure, data portability, and the right to lodge a complaint with a supervisory authority.

9. Children's Privacy

EMDRly is not intended for children under 13. We do not knowingly collect information from children under 13. If we become aware that we have collected information from a child under 13, we will delete it promptly.

Users between 13 and 18 may use EMDRly with parental/guardian consent and supervision.

10. Cookies and Tracking

Our website uses limited cookies for:

• Essential functionality (session management)
• Analytics (anonymized, aggregated data)
• Preferences (remembering your settings)

You can control cookies through your browser settings.

11. Third-Party Links

EMDRly may contain links to third-party websites or services (such as crisis resources). We are not responsible for the privacy practices of these third parties. Please review their privacy policies separately.

12. Data Retention

• Locally Stored Data: Retained until you delete the app or clear the data
• Account Data: Retained while your account is active and for 30 days after deletion request
• Billing Data: Retained for 7 years for legal/tax compliance
• Analytics Data: Retained in aggregated form indefinitely

13. International Data Transfers

EMDRly is based in the United States. If you access the Service from outside the US, your information may be transferred to and processed in the US. We use appropriate safeguards for international transfers, including Standard Contractual Clauses where required.

14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

• Posting the updated policy on our website
• Updating the "Last Updated" date
• Sending an email notification for significant changes

Your continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

EMDRly Privacy Team
Email: privacy@emdrly.com

For data protection inquiries in the EU/EEA, you may contact our Data Protection Officer at dpo@emdrly.com.

By using EMDRly, you acknowledge that you have read and understood this Privacy Policy.