Privacy policy.

Last updated: September 14, 2025


HerSay Technology Inc. (“HerSay”, “we”, “our” or “us”) is dedicated to protecting the privacy of mothers and children who use our services. We understand the sensitive nature of the personal information you entrust to us. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information. We have crafted both an easy-to-read summary and a detailed policy to ensure transparency and trust in our practices. We comply with global privacy laws, including Canada’s PIPEDA (and forthcoming CPPA), the EU GDPR, the UK GDPR, the US HIPAA (health data privacy), COPPA (children’s privacy), and applicable U.S. state laws (such as California’s CCPA/CPRA). 

User Privacy Summary 

What Information We Collect: We collect personal information such as your name, contact details (email, phone), and health information you provide about yourself. This may include details about your health conditions, symptoms, mental health, wellness data (e.g. food intake, sleep patterns, mood, aches), and metrics like weight or glucose levels. In some cases, with your permission, we may collect data from connected devices or third-party services – for example, syncing a wearable device could share heart rate or activity data with us. We also gather technical data when you use our app or website: device type, browser, IP address, and usage information (such as features used and time spent). If you interact with us through surveys, support, or social media, we collect whatever information you choose to give us in those interactions.

How We Use Your Information: We use your information to provide and improve our services to you. This includes personalizing your experience, supporting your health journey (for example, generating insights or scheduling services with your chosen healthcare providers), and improving the effectiveness and safety of the HerSay app. We analyze usage trends to fix bugs, enhance features, and make the app more useful. Your information helps us respond to your inquiries or support requests. We may send you communications about your account, important updates, or tips relevant to your use of HerSay. If you consent, we might also send you newsletters or offers about our services, but you can opt out at any time. Importantly, we do not use your sensitive health information for advertising other companies’ products, nor do we sell your personal data. We generate de-identified (anonymous) data for research and product improvement – in these cases, it cannot identify you. 

How We Share Information: We value your privacy and do not share personal information with third parties for their own marketing. We may share information in these limited scenarios: (1) With your consent or at your direction: for instance, with your doctor or other members of your “Expert Team” if you choose to use integrated third-party medical professionals through HerSay. (2) Service Providers: We use trusted third-party companies to help us operate HerSay (for example, cloud hosting, data storage, analytics, and customer support). These providers process data only for our purposes and under strict confidentiality. Our key service providers include Amazon Web Services (AWS) and Google Cloud (for secure data hosting), Supabase (database and authentication platform), Google Analytics and Mixpanel (usage analytics to understand how the app is used), Datadog (monitoring and logging our system performance), the Meta SDK (to enable certain features like social login or analytics via Facebook/Meta), the Lovable SDK (the framework our app is built on, which may collect technical information for functionality), and Squarespace. (3) Legal or Safety Reasons: If required by law or government request, or to protect rights, safety, and security of our users, children, or our organization, we may disclose necessary information (for example, to comply with a court order or to report concerns to authorities in line with applicable law). (4) Business Transfers: If HerSay undergoes a business transaction like a merger, acquisition, or sale of assets, your information may be transferred to the successor entity under the same privacy commitments. In all cases, we require any recipient of your information to protect it and use it only for legitimate, authorized purposes.

Your Choices and Rights: You remain in control of your personal information. Consent: By using our services or giving us personal data, you consent to our collection, use, and sharing of the information as described. Where we rely on your consent (for example, to collect health details or to send marketing emails), you can withdraw your consent at any time. However, if you withdraw consent for certain uses, we might not be able to provide some services (for example, if you withdraw consent to share information with an Expert Team member, they will not be able to provide their service). Access and Correction: You have the right to request a copy of the personal information we hold about you or your child. You may also request that we correct or update your information if it’s inaccurate or incomplete. Deletion: You can ask us to delete personal data. We will do so, provided we do not need to keep it for legal reasons or ongoing legitimate business needs. Opt-Out of Communications: You can unsubscribe from marketing emails or newsletters at any time by clicking the “unsubscribe” link in those emails or contacting us. (We will still send essential notices about your account or transactions, as those are not marketing.) Opt-Out of Analytics/Tracking: If you do not want us to use cookies or analytics tools to track your use of our website, you can adjust your browser settings to refuse cookies, use any provided cookie consent tools on our site, or contact us to opt out of non-essential tracking. California and Other Regions: If you are a California resident, you have specific rights such as to know what categories of personal information we have collected and with whom we’ve shared it, to access your information, to request deletion, and to opt out of any “sale” or “sharing” of your data. (For the purposes of California law, please note we do not sell your personal information for money. If we ever share information with analytics or advertising partners, it could be considered a “share” under California law – you have the right to direct us not to share your data, and you can do so by contacting us.) We do not use your data or sensitive health data for any advertising purposes. Residents in some jurisdictions (like the EU, UK, Canada, etc.) have similar rights to access, correction, deletion, and to object or restrict certain processing – and HerSay extends those rights to all users where possible. If you have any questions or requests about your data rights, you can always reach out to us at the contact information below.

Children’s Privacy (COPPA Compliance): Protecting children’s privacy is core to HerSay’s mission. Our services are intended to be used by parents (or guardians) on behalf of their children, or by children with parental supervision and consent. If you are under 13 years old, please do not use HerSay or send any personal information about yourself to us unless your parent or legal guardian has reviewed and agreed to this Privacy Policy and provided verifiable consent. We do not knowingly collect personal information directly from children under 13 without parental consent. A parent or guardian must create the account and provide any personal data related to a child user. If we learn that we have collected personal data from a child under 13 without parental consent, we will delete that information. Parents have the right to review the personal information we have collected about their child, withdraw consent, and/or request deletion of their child’s data at any time. We will not require a child to provide more information than is reasonably necessary to use the app. For teens in certain jurisdictions: if you are between 13 and 16 (for example, in the European Union, United Kingdom, or Canada where the age of digital consent is 16), you should only use the service with parental permission. We may restrict some features for minors, and we do not allow any direct marketing to minors. 

Security Measures: We take extensive measures to protect your data. HerSay uses physical, organizational, and technological safeguards to keep your information secure. For example, personal data is encrypted during transmission and at rest in our databases. We regularly update our security protocols and conduct tests to identify and fix vulnerabilities. Only authorized personnel who need to know your information to perform their duties have access to it, and they are bound by strict confidentiality. We align our security program with internationally recognized standards like ISO 27001, and we are continually improving our privacy practices following frameworks like ISO 27701. Despite our high standards, no system can be 100% secure. We therefore cannot guarantee absolute security of information. However, we have incident response plans, and if there is ever a data breach affecting your information, we will notify you and the appropriate authorities as required by law (for instance, following HIPAA breach notification rules for health information, or applicable breach laws in other jurisdictions). Your trust is of utmost importance to us, and we work hard every day to earn and maintain it. 

International Data Transfers: HerSay is based in Canada, but we operate globally. This means your information may be transferred to or stored on servers located in other countries, including the United States and other jurisdictions where our service providers operate. For example, if you are in the European Economic Area (EEA) or United Kingdom, your data may be transferred outside of those regions (to Canada, US, or elsewhere). When we transfer personal data internationally, we take steps to ensure adequate protection of your information. These steps may include using standard contractual clauses approved by the EU for data transfers, verifying that recipients are certified under frameworks like the EU–US Data Privacy Framework (if applicable), or other lawful transfer mechanisms. We comply with all relevant cross-border data protection requirements so that your data remains protected to the standards of your home jurisdiction. You can contact us if you have questions about our international data handling or to obtain a copy of the safeguards in place for cross-border transfers. 

Policy Updates: We may update this Privacy Policy from time to time as our services or legal requirements evolve. If we make material changes, we will notify you by email or through a notice in our app/website, and/or obtain your consent if required by law (especially for significant changes in how we use data). The “Effective Date” at the top of this Policy indicates when the latest changes went into effect. We encourage you to review this Policy periodically to stay informed about how we protect your information. By continuing to use HerSay’s services after an updated Privacy Policy comes into effect, you are indicating that you accept the revised terms (to the extent permitted by law). 

Contact Us: We welcome your questions, concerns, or requests regarding your privacy and our data practices. If you would like to access or correct your information, or if you have a privacy-related concern or complaint, please reach out to us. You can contact our Privacy Officer (Data Protection Officer) by email at info@hersay.ca or via our online contact form on our website. You may also send correspondence to: Privacy Officer – HerSay Technology Inc., 151 Charles St. W., Suite #100, Kitchener, Ontario, N2G 1H6. We will respond as soon as possible. If you are not satisfied with our response, and you are in a region with a privacy regulator (such as the Office of the Privacy Commissioner of Canada, or a Data Protection Authority in the EU/UK, or a state Attorney General in the U.S.), you have the right to contact that authority directly. We would appreciate the chance to address your concerns first and will do our best to resolve any issues. 

Detailed Privacy Policy 

1. Introduction and Scope 

This Privacy Policy applies to all users of HerSay’s services around the world, including our website (www.hersay.ca and related sites) and the HerSay mobile application (the “Services”). It covers how HerSay Technology Inc. (“HerSay”, “we”, “us” or “our”) collects, uses, discloses, and otherwise processes Personal Information. “Personal Information” (or “Personal Data”) means any information about an identifiable individual. It includes details like name, contact information, and health or personal wellness details relating to you or your child. It does not include information that has been de-identified or aggregated such that it can no longer be reasonably used to identify an individual, nor does it include business contact information used solely for business communications. 

By using our Services, or by voluntarily providing us Personal Information (including submitting information to us, registering or using our app, or interacting with us), you acknowledge that you have read and understood this Privacy Policy. Where required by law, we will seek your explicit consent for the collection, use, or sharing of your Personal Information. If you do not agree with any part of this Privacy Policy, you should not use the Services or provide us with your information. This Privacy Policy is intended to comply with applicable privacy laws including, in particular, Canadian laws (such as the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws, as well as anticipated updates under the Consumer Privacy Protection Act (CPPA)), United States laws (including the federal Health Insurance Portability and Accountability Act (HIPAA) for health information, and the Children’s Online Privacy Protection Act (COPPA) for children’s data, plus state laws like the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)), and the European Union/UK General Data Protection Regulation (GDPR). We apply the strongest of those protections to all users generally, regardless of location, as a baseline for our privacy practices. 

Updates to this Privacy Policy 

We may update or revise this Privacy Policy from time to time. The current version’s effective date is posted at the top of the policy. If we make significant changes, we will provide prominent notice, such as by email notification or an in-app alert, and if required by law we will obtain your consent. Minor changes (for example, clarifying language or updating a list of our service providers) will be posted with the revised effective date. We encourage you to review the Privacy Policy whenever you have questions about our practices or whenever you use the Services, to stay informed of any changes. Your continued use of the Services after we publish or communicate a notice about changes to this Privacy Policy indicates that you consent to the updated terms, as far as permitted by law. If you do not accept the terms of the updated Policy, please discontinue use of the Services. 

2. Your Consent and Rights 

Consent: In most cases, we collect, use, and disclose your Personal Information with your consent. Consent can be express (for example, you tap “I Agree” to this Privacy Policy, or you provide health information in the app for specific uses after seeing a prompt) or implied in certain situations (for example, when you sign up for a service and provide information, it is implied you consent to our use of that information to deliver the service). The form of consent we seek will depend on the sensitivity of the information and the requirements of applicable law. For sensitive Personal Information such as health data or information about children, we will usually seek explicit consent. You have the right to withdraw your consent at any time. To do so, please contact us (see How to Contact Us at the end of this Policy). Note that if you withdraw consent for us to process certain essential information, we may not be able to continue providing you with some Services. We will explain the consequences to you if that situation arises. In certain cases, we may be permitted to collect, use, or disclose personal data without your consent if authorized by law – for example, to comply with subpoenas or regulatory requirements, or in emergency situations to protect someone’s life, or other limited circumstances as allowed under privacy legislation. 

If you provide us with Personal Information about another individual (for instance, if you are a parent entering information about your child, or you invite a family member or caregiver to access the Services, or if you share a friend’s contact for referral), you are responsible for obtaining that person’s consent for us to collect and use their information as described in this Policy. By providing someone else’s data, you represent that you have the authority or appropriate consent to do so. 

Your Privacy Rights: Depending on your jurisdiction, you have various rights regarding your Personal Information. HerSay is committed to honoring the rights of users under all major privacy frameworks: 

Access and Data Portability: You can request a copy of the Personal Information we hold about you and information explaining how that data is used and disclosed. We will provide this in a commonly used format. For example, Canadian and EU users have a right of access under PIPEDA/GDPR; California users have a right to know/access under CCPA/CPRA. We will also provide, if asked, the data in a portable format where required (data portability right under GDPR/CPRA). 

Correction (Rectification): If any of your information is incorrect or incomplete, you have the right to request a correction or update. We encourage you to keep your account information current, and you may update certain profile information directly in the app. For other data that you cannot edit yourself, contact us and we will correct any inaccuracies. 

Deletion (Erasure): You may request that we delete your Personal Information. We will honor such requests to the extent required by applicable law. Note that we may need to retain certain information for specific reasons – for example, to complete a transaction you initiated, to comply with legal obligations (such as tax, audit, “medical records” retention laws), or to exercise or defend legal claims. We will let you know if we cannot fully delete your information and the reason why (unless we are not allowed to disclose that reason by law). 

Withdrawal of Consent / Objection: You have the right to withdraw any consent you have given us. For example, you can opt out of marketing emails or ask us to stop any processing of your data that is based on consent. In some jurisdictions, you also have the right to object to processing based on our legitimate interests or for direct marketing purposes. If you object, we will consider your request and stop or adjust processing unless we have compelling legitimate grounds to continue or as otherwise permitted by law. 

Restriction of Processing: You can request that we limit the processing of your personal data in certain scenarios – for instance, while we are verifying the accuracy of data you contested or if you need us to preserve data for a legal claim while not actively using it. 

Automated Decision-Making: HerSay does not make any decisions about you that have legal or similarly significant effects solely by automated means without any human involvement. Some features (like health insights or suggestions) may be automated, but they are not decisions that negatively affect your rights or status. If we ever introduce automated decision-making that falls under this category, we will comply with applicable laws (such as GDPR Article 22) and provide you with notice and the opportunity to request human review or to opt-out of such automated processing. 

California “Do Not Sell/Share” Rights: As noted, we do not sell your personal information for monetary consideration. We also do not share your personal information for cross-context behavioral advertising (targeted advertising) except the use of analytics as described. If you are a California resident and you want to ensure none of your personal information is “sold” or “shared” as defined by CPRA, you can contact us to opt out of analytics/tracking cookies, which we will treat as a Do Not Sell/Share request. We respect global privacy control signals where feasible or will provide an in-app/web mechanism for California residents to opt out of the sharing of personal information if we engage in any practices that fall under those definitions. 

Non-Discrimination: If you exercise any of your rights (such as deleting data or opting out), we will not discriminate against you. That means we won’t deny you our services or provide a different level of service just because you exercised your privacy rights. However, as mentioned, if certain data is necessary for the service, we will inform you if your choices affect your ability to use a feature. 

To exercise any of your rights, please contact us (see How to Contact Us at the end of this Policy). For security, we may need to verify your identity (for example, by asking you to provide information that matches our records) before fulfilling your request. For certain requests, we may have to decline if they contravene legal requirements or affect others’ rights – but we will explain any denial. We will respond to your request within the timeframe required by law (for example, generally within 30 days in Canada, or 45 days under California law, etc., with the possibility of a reasonable extension). There is no fee for making a request, though if you request additional copies of data or make manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse, as permitted by law.

3. Personal Information We Collect 

We collect Personal Information from and about users in a variety of ways. In this section, we describe the categories of information we collect and the sources: 

A. Information You Provide Directly: When you use HerSay’s products and services, you may provide information to us, including: 

Account Registration Data: When you create an account, we will ask for basic contact information – for example, your name (or username/nickname), email address, telephone number (if needed for verification or support), and a password. We may also ask for your country or region to comply with local laws (such as age of consent) and language or time zone to personalize your experience. If you create an account through a third-party login (like signing in via Google, Apple, or Meta/Facebook), we will receive information from that account (such as your name and email) as permitted by that third-party and authorized by you. 

Profile and Usage Information: You may choose to provide additional profile information, such as a profile photo or your preferences. Within the app, you might input information about why you are using HerSay (your goals or the clinical pathway you are interested in). For example, you might indicate you’re looking for postpartum support, child nutrition guidance, developmental tracking, etc. 

Health and Wellness Information: A core aspect of our service is collecting information related to your or your child’s health to provide insights and track progress. Depending on which features you use, this can include:

Symptoms and Conditions: Information about symptoms you or your child are experiencing, and any relevant diagnosed conditions or treatments. For example, you might log that your child has a fever, or record a condition like asthma if it’s relevant to the services you seek through HerSay. 

Daily Health Logs: You can input data like nutritional intake (meals, allergies), sleep duration and quality, mood or behavioral notes, physical activities or exercise, and general wellbeing notes. 

Biometric Data: In some cases, you might provide or connect data on metrics like heart rate, body temperature, or glucose levels – for instance, if the app allows you to manually input these or sync with a health device. (We consider this highly sensitive information and treat it with special care. If you do not wish to share biometric data like heart rate, you can simply choose not to connect those devices or input that data.) 

Medical History and Expert Consultations: If you utilize the “Expert Team” feature to consult with medical professionals (e.g., nurse practitioners, naturopathic doctors, nutritionists), you may share personal medical history, lab results, or other health records with those professionals through our platform. This can include information such as prior diagnoses, medications, or family health history that you deem relevant. We collect whatever information you submit for these consultations to facilitate the service. 

Communications and Feedback: If you contact us directly (for example, sending an email to support, calling customer service, or using a chat feature), we will receive the content of your communication and any contact details you provide. This might include feedback about our services, survey responses, testimonials, or any reports of issues. If you fill out optional surveys or questionnaires we send you, we collect your responses which might include personal insights or opinions. 

Other Interactive Features: Our Services may include social or community features (for example, a forum or the ability to comment or share experiences with other users). If you choose to post content in these forums or discussions, be aware that any information you post may be visible to other users depending on the privacy settings. We advise you not to share personal details you wouldn’t want public in these community areas. We do moderate to enforce community standards, but posts are user-generated content and at your discretion. 

B. Information We Collect Automatically: When you use our website or mobile app, we and our third-party partners (described in Section 5 below) automatically collect certain technical information about your device and usage of the Services. This includes: 

Device and System Data: Such as your device model, operating system name and version, unique device identifiers or advertising IDs, app version, and device language and region settings. If you are on a mobile device, we might collect the device type (e.g., iPhone 13, Samsung Galaxy etc.), and if on web, the browser type (e.g., Chrome, Safari) and version. 

Network and Connection Information: This can include the IP address your device uses to connect to the internet (which may give a broad indication of your approximate location, such as city or country), your internet service provider or mobile network, and basic network information. We also log the time and date of access and how long you use the Services. 

Usage Analytics: We record information about your activity on the app/website: for example, what features you use and for how long, the screens or pages you view or interact with, search queries within the app, and crash or error logs. If you make any in-app purchases or bookings (for example, booking a session with an expert), we log details of that transaction (though note: we do not see your full payment card information; purchases are handled securely by app store platforms or payment processors). 

Cookies and Similar Technologies: Our website uses cookies, and our app or partners may use mobile ad IDs or similar tracking technologies. Cookies are small text files placed on your browser or device to help us recognize you, remember your preferences, and understand usage of our Services. For example, we use cookies to keep you logged in as you navigate pages, or to remember your language preference. We also use cookies and third-party tools for analytics (like Google Analytics) which may set their own cookies to collect information about website traffic and user interactions. Web Beacons (also known as pixel tags) may be used in emails or on our site – these are tiny images or code snippets that track if you’ve opened an email or visited a certain page. This helps us gauge the effectiveness of our communications and user engagement. You have control over cookies: you can set your browser to refuse cookies or alert you when cookies are being used. However, some parts of our site might not function properly without essential cookies. For more details, please see our Cookie Policy (if available) or the cookie settings on our website. 

C. Information from Third Parties: We may receive information about you from other sources: 

Third-Party Integrations: If you choose to connect third-party services to HerSay, those services may send us information with your authorization. For instance, if you integrate Apple HealthKit or Google Fit/Health Connect, or a wearable’s app, we might receive data like your or your child’s daily step count, sleep data, heart rate, etc. Any such integration will be clearly explained and is optional – we will only pull in data that you agree to share, and you can disconnect integrations at any time. We handle all such data in line with this Privacy Policy (and note that Apple HealthKit data, for example, cannot be used by us for advertising or any purpose other than providing the service to you, per Apple’s rules). 

Expert Team / Health Providers: If your use of HerSay involves third-party health professionals (your “Expert Team”), those individuals may send us information about the services they provide to you through our platform. For example, a medical provider you consult via HerSay might update your record with a diagnosis or notes from a virtual visit. That information becomes part of the HerSay record for you/your child. We treat such information with the highest privacy and security standards, as it may be protected under doctor-patient confidentiality and laws like HIPAA. We only allow those providers to access your data as needed to provide you care, and they are contractually bound to protect it. 

Marketing and Referral Sources: If you discovered HerSay through a referral or marketing partner, they might send us your name or contact info to help us track our programs (for example, if another app recommended us to you, they might let us know that you signed up). We will only use this info for tracking and attribution, not for any unrelated purpose, and any such partners are obligated to have obtained your consent for sharing your info with us. 

Public Sources: We generally do not collect data about individuals from public databases or social media without consent. However, if we need to verify information for fraud prevention or address verification, we might use third-party lookup services. Also, if you tag us or interact with us on social media (like posting a photo and tagging HerSay’s official account), we may view your publicly available social media profile and content. We won’t incorporate that into your user profile without your direct interaction or consent. 

4. How We Use Your Personal Information 

We use personal information for the following purposes (one or more may apply simultaneously): 

To Provide Services and Features: First and foremost, we use the information you give us to deliver the HerSay app services you expect. This includes using health and wellness data you input to generate personalized insights, track progress over time, and provide relevant content. For example, we might use your logged data to chart symptom trends, or use symptom information to suggest possible next steps or articles to read. If you schedule an appointment or consultation through the app, we use your information to facilitate that booking and send you reminders. We also use contact information to create and manage your account, authenticate you when you log in, and provide customer support. 

Service Improvement and Development: We continuously strive to make HerSay better and safer. We analyze usage information, crash reports, and feedback to debug issues, monitor performance, and improve functionality. For instance, understanding which features are most used helps us prioritize new feature development or improvements. We may run analytics on an aggregated basis (e.g., “What percentage of our users have more than one child profile?” or “Does a new feature increase user engagement?”). In some cases, we use third-party analytics tools like Google Analytics or Mixpanel to help with this analysis. These tools might use cookies or SDKs to collect information such as how often you visit the app, what pages you visit, and what other sites/apps you used prior to coming to our site. We only use this data to improve our own service and not for advertising other products to you. Google Analytics may have features that provide demographic information or interests (Advertising Features), which we use solely to understand our user base better and tailor the content in our app. You can opt out of Google Analytics data collection by using the Google Analytics Opt-out Browser Add-on or through our cookie management tool. 

Personalization: We want the content and experience in HerSay to be relevant to you. We may use personal data to customize what you see in the app. For example, if you indicate you are interested in nutrition, we might highlight more nutrition-related tips. If you suffer from a chronic illness, the app might show you content for that illness. We might also remember your preferences, such as language or the last page you were on, to make your experience smoother. All such personalization is done to serve you better, and not to profile you for marketing by others. 

Communication with You: We use contact information (email, phone number if provided) to send you service-related communications. These include: 

Transactional Messages: such as email/SMS/app notifications to confirm your sign-up, receipts for purchases, appointment reminders, or important information about a feature you’re using. 

Administrative or Security Alerts: We might contact you to notify you about changes to our terms or privacy policy or about security or privacy incidents, or to advise you of account issues (like if we detect suspicious activity or if you request a password reset). 

Customer Support: If you reach out with a question or issue, we will use your info to respond and resolve it. We may also proactively reach out if we detect an issue (e.g., if an upload failed, we might send guidance). 

Surveys and Feedback Requests: Occasionally, we may ask you to provide feedback on your experience or new features. Participation is optional, but if you respond, we’ll use that info to improve. 

Marketing and Optional Communications: If you are an existing user, we may send you newsletters or tips about using the app, or inform you of new HerSay services that might interest you (for example, a new program available in your area). We will only send you promotional emails or show in-app promotions with your consent where required by law. You always have the ability to opt out (unsubscribe) from marketing emails. Even if you opt out of marketing messages, you will still receive essential service messages (as noted above). 

Research and Analysis: By aggregating and anonymizing data, we aim to generate insights that can help the broader community. For example, we might analyze anonymized data to spot trends like common infant sleep patterns or the impact of certain nutrition habits. These insights might be shared in reports or with partners, but they will not include information that identifies any individual. We may also collaborate with academic or medical researchers by providing de-identified data sets, but only in accordance with applicable laws and ethical guidelines (and often with an additional layer of approval, such as an Institutional Review Board if required). In some cases, if research involves any identifiable data, we would seek your explicit consent, but generally our research disclosures are on aggregated data only. 

Compliance and Protection: We may use your personal information as we believe is necessary or appropriate to comply with applicable laws, regulations, legal processes (like a court order or subpoena), or governmental requests. We also use information to enforce our Terms of Service or other agreements, and to detect, investigate, prevent, or address fraud, security, or technical issues. For instance, we might monitor login attempts to detect malicious activity, or use certain data to confirm that you meet eligibility criteria (like age restrictions). If you engage in behavior that violates our community guidelines or seems potentially harmful to others (for example, inappropriate content in a community forum), we may review relevant data to take action. Additionally, if necessary, we will use information to protect our rights, property, and safety, as well as those of our users, children, or others. This could include, in a rare event, contacting law enforcement when someone’s safety is at risk. 

Legal Claims: In the unfortunate event of a dispute or legal claim, we may process and preserve data as needed for handling the claim. For example, if there is an allegation of malpractice involving a provider on the platform, we would review relevant consultation records. Or if we are involved in litigation, relevant user data might be used in our defense, under proper legal process. 

We will only use your Personal Information for the purposes we collected it for, or for purposes that are compatible with those original purposes. If we need to use your information for an unrelated new purpose, we will notify you and, if required, obtain your consent. 

Importantly, we do not use any of your personal data (especially health or children’s data) to engage in profiling for targeted advertising or to advertise third-party goods/services to you. We also do not allow third-party advertising networks to collect information about you from our app for their own purposes. The ads or offers you may see in our app will be related to our own services or partners within the HerSay ecosystem and shown only as permitted by law or your consent. 

5. How We Disclose or Share Personal Information 

We treat your Personal Information with care and confidentiality. We do not sell your personal data. We only share it in the following circumstances: 

A. Service Providers (“Processors”): HerSay uses a number of third-party companies to support our operations and the delivery of our Services. These service providers perform tasks on our behalf and under our instructions. They include, for example: 

Cloud Hosting and Infrastructure: We use secure cloud services like Amazon Web Services (AWS) and Google Cloud Platform (GCP) to host our application and databases. Your data is stored on their servers, but under our control and encrypted to their standards. These providers are industry leaders in security; we rely on their robust infrastructure to keep data safe. (They do not access your data except for storage and backup purposes as needed to maintain the service.) 

Data Storage and Database Management: Our application data (including personal data) may be stored in managed databases. We mentioned Supabase, which is a platform we use for managing our database and user authentication. Supabase stores data (often on AWS infrastructure behind the scenes) and helps us handle queries efficiently. They have access to data only for troubleshooting or as necessary to maintain the service, and they are bound by strict confidentiality. 

Analytics and Usage Monitoring: We use tools like Google Analytics (provided by Google) and Mixpanel to understand how users engage with our app and website. These tools may set cookies or use unique identifiers to log your interactions. The information they collect (e.g., pages visited, time spent, device identifiers) will be transmitted to and stored by the analytics provider (e.g., Google) on their servers. We have configured these tools to anonymize IP addresses where possible and not to use data for any purpose other than providing services to us. Google Analytics and Mixpanel act as our data processors, meaning they cannot use the data except under our instructions. You can opt out of analytics as described in Section 2 and via our Cookie settings. We also utilize Datadog for application performance monitoring and logging. Datadog helps us track technical issues in the app (like error logs, performance metrics) and may incidentally process some user IDs or metadata for those logs. All such analytics/monitoring providers are obligated to keep your data secure and confidential. 

Communication & Support Tools: We may use third-party platforms to facilitate communications, such as an email service provider (for sending emails), or a customer support ticketing system to manage support requests. For instance, if we use a service like MailerLite or Mailchimp to send emails, your email address and the content of the email might pass through their systems. Similarly, if we use a live chat support tool or a CRM, those tools will handle whatever info you provide in a support conversation. We ensure any such providers have strong data protection commitments. They are not allowed to use your information for anything aside from delivering our communications or services. 

Payment Processors: If you make payments through HerSay (for example, paying for a premium feature or for a consultation), we rely on third-party payment processors (such as Apple’s App Store, Google Play, Stripe, etc.) to handle your payment information. These entities are PCI-DSS compliant and specialize in secure payment processing. HerSay itself does not receive or store your full credit card details. We may receive confirmation of payment and basic info like billing address (if needed) and the last four digits of your card for receipts, but not the sensitive payment data. 

Other Tools: We use various development and productivity tools internally that might involve limited processing of personal data. For example, our code and project management is on GitHub. Generally, your personal data is not stored on GitHub, except possibly if our team includes anonymized or test data in bug reports. In any case, such tools are covered by confidentiality and we minimize using real personal data in those contexts. We mention it for transparency since it’s part of our toolset. Our mobile application is built using the React Native framework, which runs on the Apple iOS SDK and Google Android SDK. These SDKs provide the fundamental building blocks of the app and may include default telemetry (for example, crash logs or device performance data) that is sent to Apple or Google. This information is non-personal and helps maintain app stability and security. The Meta SDK refers to Facebook’s software development kit, which we include to allow things like Facebook login or analytics. If you use Facebook login to create a HerSay account, the Meta SDK will collect your Facebook basic profile info (like name and email) to log you in, and may track that you used the login feature. Meta may also receive certain technical data (like app opening, device info) through the SDK. We do not send any health or sensitive info through the Meta SDK. Meta is contractually restricted from using data from our app for their own purposes except to provide services to us or as aggregated insights. Nevertheless, we allow you to opt out of such integrations if you prefer (e.g., you can choose not to use social login). 

In all cases, our service providers are carefully vetted. We sign Data Processing Agreements (DPAs) or include privacy protection clauses in our contracts with them. These agreements ensure that your data is handled in compliance with equivalent privacy standards. Service providers are not allowed to use your information for their independent marketing or other purposes. They must also safeguard it with appropriate security measures. If any service provider can only operate outside of your home jurisdiction (for example, a U.S.-based cloud service when you are in Europe), we put in place necessary legal transfer mechanisms (as discussed in International Transfers below) to lawfully enable that. 

We keep an updated list of key service providers that handle personal data; you may contact us for more information about them if needed. 

B. Expert Team and Third-Party Health Services: If you choose to engage with third-party professionals through HerSay (such as doctors, nurses, therapists, or any “Expert Team” member), we will share personal information with them as needed to facilitate the service. For example, if you book a video consultation with a pediatric specialist via HerSay, the specialist will receive information like your name, your child’s first name and age, relevant health history or reason for consultation, and any information you’ve logged that is pertinent to the consultation. They may also see and update information in your profile related to their services (like adding a consultation note or follow-up plan). These experts may have their own privacy obligations to you. For instance, a licensed physician is likely a “covered entity” under HIPAA in the U.S. and has to keep your information confidential and use it only for treatment purposes. HerSay may act as a facilitator and a “business associate” in these cases, meaning we also commit to HIPAA-level protection for health data involved in these provider services. We will only disclose to your chosen provider what is reasonably necessary for the service, and you will typically know and consent to the information being shared (since you are actively using that service). We do not share your info with any health professional without you initiating or authorizing it. If you use insurance or third-party payers for these services, we might also have to share certain information with those payers as required for billing (but only with your knowledge, e.g., you provide insurance info for eligibility). 

C. Legal Compliance and Protection: We may disclose personal information to third parties if we believe, in good faith, that such disclosure is necessary to: 

Comply with the law or legal process. For example, we might receive a court order, subpoena, or demand from law enforcement or a regulatory agency. If required to hand over data by law, we will only disclose the minimum necessary and will object if we believe the request is improper. When permitted, we will notify you of such requests. 

Respond to lawful requests by public authorities. If law enforcement or child protective services or similar government entities request data (perhaps in a scenario where a child’s safety is concerned, for example), and the request is legally valid, we may be compelled to provide it. 

Protect vital interests. In rare cases, if we believe someone (a user or the public) is in immediate danger of harm, we might share information with authorities (for instance, details of an imminent threat posted in our app) to prevent harm, consistent with applicable laws. 

Enforce our rights. If someone is violating our Terms of Service or has threatened our operations (such as hacking attempts), we may share data with relevant parties (e.g., investigators, legal counsel) to address the issue. Similarly, if we are involved in fraud prevention, we might share necessary data with other companies or organizations for credit risk reduction or to protect against fraud (according to legal guidelines). 

Pursue remedies or limit damages. If there’s a potential or actual lawsuit, we might disclose information as evidence as needed. 

These kinds of disclosures are uncommon and would never be done casually – they are only in situations where disclosure is permitted or required under applicable laws. 

D. Business Transfers: If HerSay is involved in a corporate transaction such as a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, your personal information may be transferred to the acquiring or successor entity as part of the transaction. We would ensure that any such entity is bound by confidentiality and privacy obligations with respect to your personal information, and we will notify you (for example, via email or a notice on our site) of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information as a result of the transfer. 

E. With Your Consent or At Your Direction: Aside from the situations above, if there are any other times we might need to share your data, we will obtain your consent. For instance, if we ever want to share a testimonial of yours on our website with your name or any identifiable details, we will ask for your permission. Or if a third party approaches us with an opportunity that involves using your data in a new way, we would not do so without explaining and getting consent from you. We aim to avoid surprises – you should not be caught off guard by who sees your personal information. 

F. De-Identified or Aggregated Data: We may share information that has been de-identified (stripped of personal identifiers like name, contact info, etc.) or aggregated (combined with data of many users) such that it cannot reasonably be linked back to you. This type of information is no longer Personal Information. We may share aggregated statistics (for example, “X% of HerSay users have at least 1 chronic condition” or “aggregate data shows improvement in symptom Y after 4 weeks of using HerSay”) with partners, researchers, or in marketing materials. We ensure that such data contains no personally identifying details. 

6. International Data Transfers 

HerSay is headquartered in Canada, and many of our systems and service providers are located in Canada and the United States. However, by the nature of a modern cloud-based service, your personal information may be transferred to and stored in multiple countries. For example, if you are in the European Union, your data might be processed in the U.S. (since some of our service providers like AWS or Google Cloud might host data there), or if you are in the U.S., some data might be stored in Canada, and so on. 

Different countries have different data protection laws. Some provide similar protections to your home country’s laws, others may have less protective regulations. HerSay understands the importance of safeguarding personal data no matter where it is located. Therefore, whenever we transfer personal data across borders, we take steps to ensure compliance with applicable data transfer rules: 

Adequacy and Recognized Safeguards: Canada is recognized by some jurisdictions (like the EU/UK) as providing an adequate level of data protection for personal data, which means data can flow from the EU to Canada freely under GDPR. When we transfer data from Canada or the EU/UK to the U.S. or other countries not deemed “adequate,” we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (or UK ICO) and implement any additional measures needed as per GDPR rulings. These are contractual commitments between us and the recipient of the data that require them to protect the data to EU privacy standards. 

Data Privacy Framework: We are aware of and monitor frameworks like the EU-U.S. and Swiss-U.S. Data Privacy Framework (DPF). At this time, HerSay (via its U.S. service providers) may leverage the protections offered by the DPF if applicable. For example, some of our service providers (such as Google or Mixpanel) might be certified under the DPF, which means they commit to GDPR-level protection for data transferred to the U.S. If in future HerSay self-certifies to the DPF or a similar mechanism, we will update this policy to reflect that. Regardless, we ensure any U.S. partners handling EU personal data commit to compliance with GDPR principles via contract. 

Other International Requirements: Our privacy practices are designed to meet key requirements of laws like GDPR, which includes stringent rules for international transfers. Should any jurisdiction require data localization (storing data within country borders) for certain data, we will comply if applicable (for instance, if a country where we expand mandates that health data of its citizens remain in-country, we will adjust our storage strategy accordingly or obtain consent for transfers). 

By using our Services, you understand that your personal information may be transferred to our facilities and those third parties with whom we share it as described in this policy, which may be located in countries other than your own. However, no matter where your data is processed, we will safeguard it as described here. If you have questions about international data transfers, or need more details about our transfer safeguards (e.g., a copy of the SCCs), please contact our Privacy Officer. 

7. Information Security 

We implement a comprehensive information security program to protect your Personal Information against unauthorized access, alteration, disclosure, or destruction. Our security measures include: 

Encryption: We use encryption to protect data in transit and at rest. This means that when your data is transmitted between your device and our servers (or between our servers and our service providers), it is encrypted using protocols like HTTPS/TLS. Sensitive data stored in our databases is encrypted at rest, adding an extra layer of protection. 

Access Controls: We limit internal access to personal data strictly on a need-to-know basis. Employees and contractors who need to process your data to operate or improve the Services are given access, but only to the extent necessary and under strict duty of confidentiality. Our staff are trained on privacy and security best practices. We maintain access logs and can detect and prevent unauthorized access attempts. Two-factor authentication and strong identity management are enforced for any administrative access. 

Network & System Security: We use firewalls, intrusion detection systems, and continuous monitoring of our systems to protect against external attacks. Security patches and updates are applied promptly to our software and infrastructure to address vulnerabilities. We also utilize services like Datadog and other security tools to monitor system behavior and detect anomalies or potential intrusions. 

Testing and Assessments: We conduct periodic security audits and penetration testing using either internal teams or external specialists to find and fix vulnerabilities. We undergo compliance audits such as SOC 2 Type II evaluations by independent auditors, which assess our controls for security, availability, and confidentiality of data. As part of our commitment to standards like ISO/IEC 27001, we continuously improve our Information Security Management System. We also follow privacy by design principles aligning with ISO/IEC 27701, ensuring that privacy controls are considered at every stage of product development. 

Data Minimization and Retention: Security is also enhanced by holding only what we need. We strive to collect the minimum personal data required for the intended purpose and to keep it only as long as necessary (see Retention below). We anonymize or delete data that we no longer require. By minimizing what data is in our system and for how long, we reduce risk. 

Physical Security: Although we are a digital service, any physical servers or offices we operate are secured. Our cloud providers have robust physical security at their data centers (such as 24/7 monitoring, biometric access controls, and redundant power and cooling). In our own offices, we employ badge access, alarm systems, and policies to ensure that devices containing personal data are encrypted and not left unattended. 

Despite all these precautions, it is important to note that no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee that our security measures will never be bypassed (for example, zero-day vulnerabilities or unforeseen attacks might occur). You also play a role in keeping your data safe: we urge you to use a strong, unique password for your HerSay account, keep your login credentials confidential, and notify us immediately if you suspect any unauthorized access to your account. 

In the event of a security breach that affects your Personal Information, we will act swiftly to identify the cause and remediate it. We will also notify you and any relevant regulatory authorities of breaches as required by law. For instance, under HIPAA, if your protected health information is compromised, we (or the relevant covered entity) will provide timely breach notifications. Under various state and international laws, we may be required to inform you if there is a risk of harm due to a data incident. Our incident response plan includes communication steps to ensure you are kept informed of any significant issues impacting your data. 

If you have reason to believe that your interaction with us or your data might no longer be secure (for example, if you suspect someone has unauthorized access to your account), please contact us immediately (see How to Contact Us). We will work with you to address the problem. 

8. Data Retention 

We retain Personal Information for as long as necessary to fulfill the purposes we collected it for, including for satisfying any legal, accounting, or reporting requirements. 

Active Accounts: If you have an account with HerSay, we will retain your information while your account is active so that we can provide the services. This includes keeping the data you’ve entered so that you can access it whenever you log in. 

Inactive Accounts: If you stop using HerSay or request to delete your account, we will initiate the deletion process for your personal data. We may retain certain minimal information after account deletion as necessary for legitimate business interests or legal obligations – for example, records of transactions (for accounting/tax), records required for audit, or to enforce our rights (like handling a dispute). Any retained data will be handled in accordance with this Privacy Policy and applicable laws. Typically, routine app data that is not needed will be deleted or anonymized within a reasonable period after account deletion (often within 30-60 days for backups to cycle out, unless a longer period is required by law). 

Children’s Data: In cases where data pertains to children under 13, we take extra care. If a parent withdraws consent or deletes their family account, we will delete the child-specific data promptly (subject to any necessary retention for the child’s safety or legal reasons). We do not keep children’s personal data longer than needed to serve the purpose it was collected for, especially if consent is revoked. 

Legal Requirements: There are certain records we may need to keep for fixed periods. For example: 

In some jurisdictions, medical or health-related records need to be kept for a minimum number of years. If HerSay is considered a custodian of health records in those contexts, we adhere to those rules. 

Financial and transaction data might be retained for auditing and tax purposes (e.g., typically 7 years in many jurisdictions for financial records). 

If we had any legal dispute or if a user violated terms, we might retain relevant information as evidence until the issue is resolved. 

Communications with customer support may be retained to help us in future if you reach out again, and to train our support team (but we can delete those upon request if not needed). 

Anonymized Data: We may retain anonymized or aggregated data (which is not personally identifiable) indefinitely for analytics, research, and development, as this does not identify individuals and is not subject to deletion requests per se (since it’s not personal data). However, this data will remain in a form that cannot be linked to you. 

When Personal Information is no longer necessary, we will securely destroy it or permanently anonymize it. We use techniques like secure erasure for digital data. If physical documents exist (unlikely in our case, since we operate digitally), they would be shredded or incinerated securely. 

9. Children’s Privacy 

Protecting Children: HerSay is designed with the safety and privacy of children in mind. We abide by the U.S. Children’s Online Privacy Protection Act (COPPA) and similar laws worldwide that have special rules for minors. As noted in the summary, children under 13 are not permitted to use HerSay’s Services on their own. A parent or legal guardian must create the account and supervise the child’s use of the platform. We deliberately design the account structure so that a parent account controls any child profile. We also limit the types of data we ask for regarding a child. Typically, to create a child’s profile in the app, we may ask for the child’s first name (or nickname) and date of birth (or age) — this is to personalize content (e.g., age-appropriate tips) and track growth. We might ask for general information like the child’s gender at birth, but we do not collect things like a child’s contact information or any identifiers that would allow the child to be contacted outside the app. 

Parental Consent: During sign-up, if you indicate that you will be using the app for a child under 13 (or under the applicable age in your jurisdiction), we will obtain verifiable parental consent as required by COPPA. This may involve you providing an affirmation of consent through an approved method (for instance, by signing a consent form, using a credit card transaction as verification, or other methods allowed by the FTC) before you can create a child profile. By providing consent, you are allowing us to collect and use the child’s personal information as described in this Policy. Parents can always review, edit, or delete their child’s profile information by using the app’s account settings or by contacting us. 

What We Collect for Children: The information we collect about children is generally provided by the parent/guardian. This can include the health and wellness information mentioned earlier (Section 3) – for example, the parent may log the child’s sleep times, symptoms, feeding habits, etc., or even share the child’s medical history with an Expert Team provider. We treat all such data as sensitive. We do not ask children to directly provide any information, and we do not use children’s data for any purpose other than to deliver the services to the family (for instance, to provide growth charts, or allow an expert to give medical advice, or to enable the parent to track and improve the child’s wellbeing). 

No Child-Profiling or Marketing: We do not use data collected from child users to create marketing profiles or target them with advertising. We also don’t disclose children’s personal data to third parties for any purpose outside of the scope of our services (except as required by law or with parental consent). Any service providers that might process children’s data (like cloud hosting) are bound by the same strict protections described in this Policy. They cannot use the data for their own purposes. 

Parental Rights: If you are a parent or guardian, you have the right to: 

Review the personal information we have collected online about your child. You can do this by accessing the child’s profile through your account, which will show you much of the data stored. For any additional data not directly viewable (like logs or support tickets involving the child’s data), you can contact us to request a review. 

Revoke consent and refuse further use or collection of your child’s information. If you withdraw consent, we will stop collecting or using the child’s info (for example, you can delete the child’s profile and we will delete associated data, except to the extent we are allowed or required to retain certain data – we will inform you if that’s the case). 

Delete your child’s personal information. You can request that we delete any personal data about your child that we have collected. As noted, some data we might have to retain for legal reasons (like consultation records if they are considered medical records), but we will inform you and limit access if retention is required. 

To exercise any of these rights, or if you have any questions about your child’s privacy, please contact us (see How to Contact Us). We will take steps to verify that you are the child’s parent or guardian before fulfilling such requests. Verification might include asking for information that only the parent would know or requesting proof where necessary. 

If we ever find that we collected personal information from a child under the age of 13 (or under the applicable age of consent) without proper parental consent, we will delete that information as quickly as possible. Our goal is to ensure a safe environment for kids using HerSay under their parents’ guidance. 

10. Third-Party Services and Links 

Our Services may contain links to websites or services that are not owned or controlled by HerSay, and our platform may integrate or allow you to interact with third-party services outside of HerSay’s core offering. This section explains how those work: 

External Websites: If you click on a link to a third-party website (for example, a blog post that references an article on another site, or a link to a partner’s site), you will be taken to a site we do not operate. Our Privacy Policy does not apply to those external sites. We encourage you to review the privacy policies of any website or service you visit outside of HerSay. We are not responsible for the privacy practices or content of third-party sites. 

Third-Party Services via HerSay: There may be scenarios where you access another service through our app. For example: 

If we provide an in-app scheduling tool that actually uses a third-party system (like Calendly or a telehealth platform) to book appointments, your information might be entered into that third-party system. We will inform you when an integration like that is being used, and any data you provide in that interface will be subject to that third party’s terms and privacy policy (in addition to ours if we receive a copy of the data). 

If the app offers e-commerce or purchases of third-party goods (such as recommended baby products), those purchases might be fulfilled by a third-party retailer, meaning you might be directed to their platform to complete a transaction, subject to their policies. 

Using Apple HealthKit or Google Fit integration: Data from those sources is governed by Apple’s and Google’s privacy policies respectively, and those companies impose restrictions on how we can use that data (which we comply with, such as not using HealthKit data for advertising as mentioned). We recommend reviewing their policies if you connect those services. 

Social Media and Community: If HerSay has official pages or accounts on social media platforms (e.g., an official Facebook page, Instagram, or Twitter handle), any information you share with us via those platforms (like comments or messages) is also governed by the privacy policies of those platforms. We might use information from our social media interactions to improve customer service (for example, if you report an issue via Twitter, we might record that in our support system to follow up). But always remember that posts on social feeds are often public by default. 

Third-Party SDKs and Advertising: We have outlined some third-party SDKs (software components) integrated in our app, like those from Google and Meta. While we use these for analytics and login functionality, be aware that these third parties may collect some device or usage data for their own purposes (for example, Google might use data from our app to improve its services like Crashlytics or to inform aggregate analytics trends). We ensure no sensitive personal data (health or child-related) is sent to advertising networks. 

We do not endorse or assume responsibility for the content or privacy practices of any third-party sites or services. If you have any concerns about a third-party integration or link in HerSay, let us know and we’ll try to provide more information or assist in disconnecting it if possible. 

11. HIPAA and Health Information 

Because HerSay’s Services can involve personal health information and even coordination with healthcare providers, it’s important to clarify how we handle data under health privacy laws like HIPAA (in the United States) and similar regulations: 

HerSay Technology Inc. itself is not a healthcare provider – we are a technology platform. This means that not all data you provide is automatically subject to HIPAA, which typically applies to healthcare providers, health plans, and their business associates. However, when you use HerSay in conjunction with healthcare professionals (your “Expert Team”), certain data that you provide to those professionals (through HerSay) may become part of an official medical record or be considered “Protected Health Information” (PHI) under HIPAA. For example, if a U.S. board-certified pediatrician on our platform collects information from you to give medical advice, that information is PHI. In such cases: 

We enter into Business Associate Agreements (BAAs) with those healthcare providers as required by HIPAA. Under those agreements, HerSay (as a “Business Associate”) is committed to using and disclosing PHI only as permitted by HIPAA and the provider (for treatment, payment, or healthcare operations, or as otherwise allowed by law). We implement the required safeguards for PHI, report any security incidents involving PHI to the provider, and assist the provider in responding to any individual rights requests for that PHI. 

Any PHI that we handle on behalf of a provider is treated with the highest standard of confidentiality and security. Our employees are trained on HIPAA requirements. We have specific access controls and audit trails for PHI. If you as a user request access, amendment, or an accounting of disclosures of your PHI, we will coordinate with the healthcare provider to facilitate those rights in accordance with HIPAA. 

In the event of a breach of PHI, we will follow HIPAA’s Breach Notification Rule, which includes notifying the covered provider (and you, if you’re an affected patient) without unreasonable delay and no later than 60 days from discovery of the breach, with a description of what happened and what information was involved, along with steps you should take and what we are doing to mitigate harm. 

For users outside the U.S., similar principles apply under other health privacy regimes. For example, in Ontario (Canada), personal health information provided to a healthcare professional could be subject to the Personal Health Information Protection Act (PHIPA). HerSay would ensure compliance by contract and practice in those contexts as well. 

It’s also worth noting: If you independently choose to share data from HerSay with your healthcare provider outside our platform (say, by exporting a report and emailing it to your doctor), that action is under your control and outside of our system. We encourage you to only share with trusted professionals and through secure means. 

If you have any questions specifically about how health information is handled, or if you need a copy of a HIPAA Notice of Privacy Practices from a provider using HerSay, please contact us or the provider. We want you to feel confident that your sensitive health data receives the extra protection it deserves. 

12. Your Privacy Questions and How to Contact Us 

We hope this Privacy Policy helps you understand how seriously we take your privacy at HerSay. If you have any questions about this Policy or our data practices, or if you need to exercise any of your rights (as described in Section 2), please reach out to us. We are here to help. 

Contact Information: 

Email: You can email our Privacy Officer (who also fulfills the role of Data Protection Officer for purposes of GDPR) at info@hersay.ca. Please include the nature of your inquiry in the subject line (e.g., “Data Access Request”, “Privacy Question”, “Data Deletion Request”) to help us route it properly. 

Online Form: You may use the secure contact form on our website at www.hersay.ca/contact to send us a message. If you submit a privacy request through the form, please mark it “Attn: Privacy Officer” so it reaches the right team. 

Mail: If you prefer, you can write to us at our mailing address: 

Privacy Officer – HerSay Technology Inc. 

151 Charles St. W., Suite #100

Kitchener, Ontario

N2G 1H6

We will respond to legitimate inquiries or requests as soon as possible, and certainly within any timeframe required by law. When you contact us, we may need to verify your identity (especially for sensitive requests like data access or deletion) to protect your privacy and that of others. 

If you have a dispute or complaint about how we handle your personal information, we invite you to contact us first so we can try to resolve it. Most issues can be resolved through our dedicated support. However, if you are not satisfied with our response, you have the right to escalate: 

Canada: You may contact the Office of the Privacy Commissioner of Canada (OPC) or your provincial Privacy Commissioner (if applicable) to file a complaint. 

European Union: You have the right to lodge a complaint with your country’s Data Protection Authority (DPA). You can find contact details for each DPA on the European Data Protection Board’s website. Similarly, UK users can contact the Information Commissioner’s Office (ICO). 

United States: If your concern is related to HIPAA (health data), you can file a complaint with the U.S. Department of Health & Human Services Office for Civil Rights. For general privacy issues, your state Attorney General’s office might handle complaints (e.g., California residents can contact the CA Privacy Protection Agency or Attorney General). 

Elsewhere: If any other privacy or data protection regulator oversees issues in your region, you have the right to contact them. 

We sincerely appreciate you trusting HerSay with your information. We are continually working to maintain that trust through transparent practices and robust protections. Thank you for taking the time to read our Privacy Policy.