Privacy Policy

Last updated: March 2026 · Version 1.1

1. Who We Are

Proteus Ltd. operates this platform. We are committed to the highest standard of privacy protection, particularly given the sensitive nature of mental health data. This policy complies with:

  • Israel: Privacy Protection Law 5741-1981 and its 2023 amendments; Patients' Rights Law 5756-1996.
  • EU: General Data Protection Regulation (GDPR) — Regulation 2016/679.
  • USA: HIPAA guidelines (as applicable to non-covered entities handling health-adjacent data); California Consumer Privacy Act (CCPA); other applicable state privacy laws.

2. What Data We Collect

  • Account data: Name, email address (required for registration and communication).
  • Consent records: Timestamp, IP address, and version of terms accepted (legally required).
  • Session metadata: Date/time of sessions, number of messages exchanged.
  • Session summaries: At the end of each session, an AI-generated clinical summary (key themes, emotional state, topics to continue) is stored to enable therapeutic continuity across sessions. This summary is derived from the conversation but is not a verbatim transcript. You may request deletion of summaries at any time.
  • Assessment data: Questionnaire responses (anonymized scores, not linked to conversation content).
  • Safety alerts: Where our system detects risk-to-life patterns, limited conversation context may be temporarily retained solely for safety team review, then deleted.
  • Technical data: Standard server logs (IP, browser type) retained 30 days for security only.

3. What We Do NOT Collect

  • Verbatim conversation transcripts are not stored. Only AI-generated session summaries (key themes, not full text) are retained for continuity purposes.
  • We do not sell, rent, or share your data with third parties for advertising or marketing.
  • We do not use your data to train AI models.
  • We do not collect payment card data (processed solely by Stripe).

4. Legal Basis for Processing (GDPR)

We process your data under the following lawful bases:

  • Contract (Art. 6(1)(b)) — to provide the service you signed up for.
  • Legal obligation (Art. 6(1)(c)) — to comply with safety reporting requirements.
  • Vital interests (Art. 6(1)(d) & Art. 9(2)(c)) — to protect life in safety alert situations.
  • Consent (Art. 6(1)(a) & Art. 9(2)(a)) — for mental health data processing, obtained at registration.

5. Safety Monitoring & Mandatory Disclosure

Consistent with the duty-to-warn obligations of licensed mental health professionals, our system monitors sessions for patterns that may indicate risk to life. If such patterns are detected:

  • A safety alert is generated and reviewed by our trained safety team.
  • Relevant message content may be temporarily retained for this review only.
  • Where required by law, we may share information with emergency services or authorities.
  • This processing is based on vital interests (GDPR Art. 6(1)(d)) and is non-waivable.

6. Third-Party Services

We use the following providers, each governed by their own privacy policies and DPA agreements with us:

  • Supabase — database and authentication (EU data centers, SOC 2 compliant)
  • Anthropic — AI processing (messages processed in real-time; not stored by Anthropic per our API agreement)
  • D-ID — avatar video generation
  • Resend — transactional email
  • Vercel — hosting infrastructure
  • Stripe — payment processing (PCI DSS Level 1 certified)

7. Data Retention

  • Account data: retained while your account is active.
  • Session metadata: deleted after 90 days.
  • Assessment scores: retained to generate progress reports; deleted on account deletion.
  • Safety alert records: retained as required by applicable law (minimum 7 years in some jurisdictions).
  • On account deletion: all personal data removed within 30 days (except legally mandated records).

8. Your Rights

Depending on your jurisdiction, you have the following rights:

  • Access — request a copy of all data we hold.
  • Correction — correct inaccurate data.
  • Deletion — delete your account and data (Settings page or by email).
  • Portability — receive your data in a machine-readable format.
  • Objection / Restriction — object to or restrict certain processing.
  • California (CCPA) — right to know, delete, opt-out of sale (we do not sell data), and non-discrimination.
  • Israel — rights under Privacy Protection Law 5741-1981 including inspection and correction.

To exercise any right: support@myproteusup.com. We respond within 30 days.

9. International Data Transfers

Your data may be processed outside your country of residence. Where data is transferred from the EU, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Data processed in Israel benefits from the EU adequacy decision for Israel.

10. Security

We apply industry-standard measures: HTTPS encryption in transit, row-level security in our database, access controls, and regular security reviews. In the event of a data breach affecting your rights, we will notify you and relevant authorities within 72 hours as required by GDPR Art. 33–34.

11. Changes to This Policy

Material changes will be notified by email. Renewed consent will be required before continued use if changes affect how we process sensitive health data.

12. Complaints & Contact

Privacy contact: support@myproteusup.com

You may also file a complaint with:

  • 🇮🇱 Israel — Privacy Protection Authority: gov.il/ppa
  • 🇪🇺 EU — Your local Data Protection Authority (DPA)
  • 🇺🇸 USA — FTC or your state Attorney General