SHYRO HEALTH - PRIVACY POLICY

1. INTRODUCTION

At Shyro Health Private Limited ("we"/"our"/"us"/"Shyro Health"), safeguarding your privacy and confidentiality is our top priority. This privacy policy outlines the principles and processes governing the collection, use and protection of Personal Information (as defined below). We are committed to maintaining strict confidentiality protocols, ensuring that all personal and health data remain anonymous and are securely managed within a highly protected environment for the purpose of providing our Services, in accordance with applicable laws.

We take your privacy seriously and will only collect, process, use, and share your Personal Information in the manner specified in this privacy policy ("Privacy Policy").

The Privacy Policy should be read along with the Shyro Health's Terms of Service (as defined below) and comes into effect from the date and time a user of the Platform ("User") or Therapist (as defined below), as the case may be, ticks the check-box signifying that the User/Therapist has read, understood and has accepted this Privacy Policy. The terms "you" or "your" shall be read accordingly, as the context may require.

The term "we", "us", "our" shall mean Shyro Health, its employees, and authorised agents that perform any services on Shyro Health's behalf.

We reserve the right to make changes to this Privacy Policy at any time. Any such modifications will become effective immediately upon posting to the Platform and your/Therapist's continued use of the Platform, and/or the Services constitutes your/Therapist's agreement to such modifications. You and/or the Therapist (as the case may be) agree to periodically review the current version of this Privacy Policy as posted on the Platform. If any part of it does not comply with the laws of your country, we advise against using our Platform or related services.

2. DEFINITIONS

For the purpose of this Privacy Policy, the following definitions apply:

3. MINOR'S USE OF THE SERVICES

1. At Shyro Health, we do not knowingly collect or store Personal Information from minors or allow them to access our Services without a parent's or guardian's Consent.
2. In the event the User is a minor, access to and use of the Platform and Services shall be permitted only upon receipt of verifiable Consent from the User's parent or legal guardian. The Consent shall be validated via the One Time Password (OTP) authentication process as enabled on the Platform. The OTP will be sent to the registered email ID of the parent or guardian, and access for the minor User shall be granted only upon successful verification of the OTP on the Platform.
3. Where the Client is an educational institution partnering with Shyro Health to deliver the Services to its students, who are minors, the Consent shall be obtained from the institution/Client under the agreement or memorandum of understanding entered into between the Client and Shyro Health in accordance with Clause 3.1(a) of the Terms of Service.
4. The parent, guardian, or institution (as applicable) hereby acknowledge and agree to this Privacy Policy along with any additional terms, conditions, and policies referenced herein or accessible via hyperlinks. It is advised that all such terms, conditions, and policies be read carefully. This Privacy Policy (including all referenced additional terms, conditions, and policies) shall become effective upon the use or availing of any Services, resources, or products provided through the Platform.
5. If we discover that we have collected a minor's information without the Consent of the parent or guardian or institution of such minor, as set out in Clause 3.2 and Clause 3.3 above, we will verify and delete it immediately. If you believe that we may have mistakenly collected such information, please contact our Grievance Officer in accordance with Clause 13.

4. CONSENT FOR DATA COLLECTION, PROCESSING AND RETENTION

1. Pursuant to obtaining the Consent of the Users, Users agree to the collection, storage, disclosure, processing, use, transfer and retention of their Personal Information and Consultation Data in accordance with this Privacy Policy and under the data privacy laws in India.
2. In accordance with the Consent, you acknowledge that you are providing your Personal Information out of your free will, either directly to Shyro Health or through a third-party or your organisation/institution.
3. In accordance with the Consent, you consent to:
   1. creation of an account and acceptance of the Privacy Policy and Terms of Service;
   2. the collection and secure storage of Consultation Data which shall have limited access to the authorized personnel and strictly for Service provision, clinical supervision and safety;
   3. the sharing of Anonymized Data with the Client for Service reporting, in cases where a User is accessing Services through a Client as per the Client Service Agreement(s);
   4. the use of AI tools to match them with suitable Therapists;
   5. the processing of Anonymized Data to improve Platform recommendations and Service quality;
   6. the processing of Personal Information by Service Providers solely for operational support (e.g., secure storage, AI-powered documentation, etc.);
   7. the use of Cookies for authentication, security and performance monitoring;
   8. managing Cookie preferences via browser settings;
   9. the retention of Personal Information and Consultation Data for 7 (seven) years or as required by law; and
   10. the anonymization of data for research, compliance, and operational improvements.

4. Withdrawing Consent:

   Users can withdraw Consent at any time by requesting account deletion by sending an email on support@shyrohealth.com.

   Notwithstanding this, if you are accessing our Platform pursuant to a Client Service Agreement, you will have an option to withdraw your Consent at any point, provided you explicitly inform the Client about such Withdrawal of Consent in writing, who would then inform us to take the appropriate actions.

5. Consequences of Withdrawal of Consent:

   Upon the Withdrawal of Consent in accordance with Clause 4.4 above, the access to the Services and Platform features may be restricted. Certain Anonymized Data may still be retained for compliance and research purposes. Shyro Health may still retain certain data as required by the applicable law for security, dispute resolution, and compliance purposes.

6. Implied Consent for Privacy Policy Updates:

   Continued use of Shyro Health after a Privacy Policy Update constitutes acceptance of the revised Privacy Policy. If Users do not agree with changes, they may request account deactivation or discontinue the Services.

5. DATA COLLECTION AND MANAGEMENT

1. At Shyro Health, we are committed to protecting your privacy while ensuring the seamless operation of our Platform. We collect and process data to provide our Services efficiently, smoothly and securely, always adhering to strict confidentiality protocols. We follow the Data Breach Notification protocols in which we will notify you and regulatory authorities, where required, in the event of unauthorized access, disclosure, or loss of Personal Information. This section outlines the types of data we collect, how we collect it, and how it is used.

2. Types of data collected:

   1. Personal and demographic data:

      When you register on Shyro Health, we collect the following data to provide our Services:

      1. personal information (e.g., name, email, phone number) and demographic information (e.g., gender, date of birth, location, etc.);
      2. profile data (e.g., profile photographs, credentials, and professional qualification);
      3. service usage data (e.g., appointment history, session logs, chat transcripts, feedback, ratings, and survey responses, etc.);
      4. sensitive personal data (e.g., health/mental health information, insurance details, biometric data, and medical records, etc.);
      5. technical & analytical data (e.g., IP (as defined below) address, device/browser information, cookie data, usage analytics, system logs, etc.)
      6. additional or future data (e.g. lifestyle preferences, AI-derived analytics, emerging health measures, etc.).

      We collect certain information that allows us to create a personalized experience and tailor our Services based on User needs.

   2. Log Data:

      When you visit the Platform, our servers automatically record information that your browser or mobile application sends ("Log Data"). This Log Data may include information such as your computer's internet protocol ("IP") address, browser type, device name, operating system version, configuration of the application when accessing the Platform, pages of our Platform and Services that you visit, the time spent on those pages, information you search for on our Platform, access times and dates, and other statistics. We use this information to analyse trends, administer the site, track your location, gather broad demographic information for aggregate use, and increase user-friendliness and tailor our Services to better suit your needs.

   3. Automated Data Collection:

      To enhance Platform security and User experience, Shyro Health automatically collects certain technical data through Cookies and similar technologies, including, device location, browser type and version operating system details referring and exit pages, usage patterns (e.g., time spent on specific pages, number of visits, etc.) Platform interactions (e.g., clicks, navigation history, etc.). Cookies help optimize Platform performance, personalize the User experience, and analyze Service effectiveness. Users can modify cookie preferences through browser settings, though disabling Cookies may impact Platform functionality.

   4. User Interaction and Account Usage Data:

      We track interactions within the Platform to ensure a smooth and efficient Service experience. This may include:

      1. session scheduling, attendance, cancellations, and rescheduling;
      2. Service usage patterns; and
      3. features accessed within the Platform.

      This data helps us improve Service offerings and maintain Platform reliability.

   5. Therapist Data:

      For credentialing and verification, Shyro Health collects certain information from Therapists providing Services on the Platform. This may include:

      1. name and contact details;
      2. government-issued identification numbers; and
      3. bank account information (for payment processing), educational background and certifications, work history and credentials.

      This data is securely stored and used strictly for professional validation and Service administration.

   6. Counselling and Consultation Data:

      To ensure high-quality Services, we securely store consultation-related data, which may include:

      1. session status (scheduled, attended, cancelled, rescheduled, and completed);
      2. session notes (if applicable, for therapeutic continuity); and
      3. general Service usage history.
   7. Communication Data:

      We collect and store communications between Users and Therapists on the Platform, as well as interactions with our customer support team via:

      1. email;
      2. chat;
      3. phone calls; and
      4. social media.
   8. Transaction and Client Billing Data:

      Since Shyro Health operates through a business to business (B2B) model, we do not collect individual payment details. However, we store relevant corporate transaction data, including:

      1. contracts/agreements;
      2. Service usage reports; and
      3. billing details (at the corporate level).
   9. Other Personal Information:

      Any additional Personal Information voluntarily shared by the Users while availing of Services on the Platform will be collected and processed in accordance with this Privacy Policy.

3. Mandatory Data Collection:

   Certain types of information are essential for accessing the Platform and utilizing Shyro Health's Services. If you choose not to provide the required data, you may be unable to register your account on the Platform and access specific features of the Platform.

4. Confidentiality and Protection of Data:

   Protecting your privacy is our top priority. Other than as outlined in this Privacy Policy, we do not disclose, share, or use your Personal Information without your Consent, except when required by applicable law and when necessary for Service provision (e.g., Anonymized Data for internal analytics). If you have any concerns regarding data collection, storage, or usage, you may contact our Grievance Officer, as detailed in Clause 13.

5. Updating Personal Information:

   1. If your Personal Information changes, or if you need to update or correct your Personal Information or have any grievance with respect to the processing or use of your Personal Information, for any reason, you may send updates and corrections to us at support@shyrohealth.com and we will take all reasonable efforts to incorporate the changes within a reasonable period of time. If you provide your Personal Information to a third-party platform from which you are using our Services, we may not be able to make any changes to the same and you will have to contact the third-party platform in order to update your Personal Information.
   2. If your Personal Information is stored as part of your profile on the Platform, you can update your Personal Information from our website or mobile application(s).
   3. Some Personal Information, such as your answers to online assessments cannot be updated or deleted once submitted. If you would like us to remove your records from our system, please contact us at support@shyrohealth.com and we will attempt to accommodate your request if we do not have any legal obligation to retain such information.
   4. Please note that we are required to retain certain information in keeping up with professional standards or by applicable law for record maintaining purposes (including but not limited to payment history, feedback, client information, etc.), so we will continue to store this information for a pre-specified period of time as per applicable laws, even if you delete your account. There may also be residual information that will remain within our databases and other records, which, irrespective of any efforts by us to delete information, will not be removed from them.

6. PROCESSING AND APPLICATION OF YOUR DATA

1. At Shyro Health, we collect and use your data strictly to provide, enhance and secure our Services while ensuring confidentiality. Below mentioned are the various ways in which we process and apply your data to improve the User experience, personalize Services, and comply with legal obligations.
2. 1. Delivering and Managing Services:

      We use your information to:

      1. create and manage your account on the Platform;
      2. facilitate secure logins and Platform access;
      3. enable interactions between Users and Therapists;
      4. provide customer support, troubleshoot issues and resolve disputes;
      5. process corporate billing and transactions; and
      6. assist in scheduling, reminding and managing counselling sessions.
   2. Service Optimization and Performance Monitoring:

      To enhance the quality and efficiency of our Platform, we may:

      1. monitor, administer and optimize Platform performance;
      2. use Cookies and Log Data to remember preferences and streamline usability;
      3. analyze Platform usage trends to improve Service functionality; and
      4. diagnose and resolve technical issues.
   3. Personalization and Customization:

      We utilize location-based tracking and User behaviour analytics to:

      1. match Users with relevant Therapist;
      2. optimize content and Service recommendations;
      3. improve AI-driven features for better digital mental health support; and
      4. enhance accessibility based on regional availability of Services.
   4. Compliance, Security, and Legal Obligations:

      Your information is processed to:

      1. ensure compliance with regulatory and professional standards;
      2. allow Therapists to meet certification and quality requirements;
      3. respond to legal requests or comply with applicable law; and
      4. detect and prevent fraudulent or unauthorized activities.

      Any legal disclosures are made only when required by law and handled with strict confidentiality.

   5. Research, Analytics, and Service Enhancement:

      To improve our offerings, we may use Anonymized Data to:

      1. conduct and publish research on mental health Service effectiveness;
      2. identify trends in corporate wellness and employee well-being;
      3. enhance counseling methodologies and digital mental health solutions;

      Personal identities are never linked to research or analytics.

   6. Other Uses with Consent:

      We do not sell or trade your Personal Information to third parties unless we provide you with advance notice. However, this does not apply to any storage or transfer to and from server/website hosting partners and other parties who assist us in operating our Platform, conducting our business or servicing you.

      Shyro Health may share Personal Information (including but not limited to, information from Cookies, Log Files, and usage data) with businesses that are legally part of the same group of companies that Shyro Health is part of, or that become part of that group ("Affiliates"). Our Affiliates may only use this information to help provide, understand, and improve the Services (including by providing analytics) and Affiliates' own Services (including by providing you with better and more relevant experiences). We may also share your Personal Information and Consultation Data with Affiliates, Service providers and other third-parties who process Personal Information on our behalf in relation to providing you with access to the Platform.

      Your data will only be used for additional purposes with your additional Consent. If you wish to opt out of certain data processing activities, you can contact us at support@shyrohealth.com

3. If you use our Services from the EU, Switzerland or the UK, we inform you that your data is transferred to our suppliers outside the European Economic Area and the UK. In this case, we inform you that the data transfer will take place only in the presence of adequate safeguards provided by the applicable law. In particular, for transfers from the EU and the UK, where an adequacy decision is not applicable, we rely on the Standard Contractual Clauses provided by the European Commission (art. 46 GDPR). For further information about the data transfer you can contact us at support@shyrohealth.com.

7. DATA RETENTION AND COMPLIANCE POLICY

1. At Shyro Health, we retain User's Personal Information in compliance with legal, regulatory, and professional standards to ensure Service continuity, security and compliance with applicable laws. We anonymize retained data wherever possible to protect User privacy while fulfilling our obligations.
2. We retain Personal Information, User data, and other Service-related information for a minimum of 7 (seven) years from the date of collection or last interaction, as mandated by legal, tax, and regulatory requirements or such other period as may be required by the applicable laws from time to time.
3. Your Personal Information may be retained for compliance with statutory legal requirements, corporate audit requirements, fraud prevention, security monitoring, and risk management.
4. Wherever possible, personal identifiers (such as name, contact details or session notes) are removed from the retained data. Anonymized Data may be used for research, analytics, and Service improvements, ensuring that no individual can be identified. Non-identifiable data may persist in backups and archives in compliance with system integrity, security policies and legal mandates.
5. If you wish to request deletion of your records, you may contact us at support@shyrohealth.com. We will review your request and delete identifiable information where legally and professionally permissible. Anonymous Data may still be retained for compliance, research, and operational efficiency.

8. CONFIDENTIALITY AND SECURITY OF YOUR CONSULTATION DATA

1. At Shyro Health, we are committed to protecting the privacy, security and confidentiality of all Consultation Data shared during sessions. Since Shyro Health operates exclusively as a business to business (B2B) Platform, we process and share data only with authorized stakeholders such as Clients (only in the manner set out in Clause 8.4 below), affiliated Therapists and authorized Service providers, in accordance with our contractual, legal, and ethical obligations.
2. Only Therapists, authorized representatives of the Clients, and select Service providers may access the Consultation Data where necessary. All parties handling the Consultation Data shall be bound by strict Confidentiality Agreements and ethical obligations.
3. Consultation Data is stored securely and accessed only by:
   1. your assigned Therapist or senior Therapist;
   2. authorized personnel involved in supervision and clinical oversight;
   3. technology-driven tools may be used to enhance consultation experiences while maintaining strict security and compliance standards; and
   4. no personally identifiable Consultation Data is disclosed to Clients or any other external entities without User's consent, except in compliance with legal obligations.
4. Your Consultation Data is never shared externally unless legally required or you have provided your Consent in relation to the same. In specific, limited cases, the Consultation Data may be shared, being as follows:
   1. If required by the applicable law, regulatory bodies or governmental authorities, we may share consultation information to comply with such legal obligations. (in anonymized or un-anonymized manner, as requested.)
   2. If requested by the Clients for compliance or regulatory purposes, information may be shared only in an aggregated and anonymized manner, ensuring that no individual can be identified.
   3. If there is an imminent risk to a User's safety or the safety of others, we may share relevant Consultation Data with: (i) clinical supervisors or emergency support teams, emergency contacts, designated representatives of the Client; (ii) law enforcement or crisis intervention authorities. In this scenario, we will make all reasonable attempts to inform the affected User before sharing their Consultation Data, except when immediate action is required to prevent harm.
   4. If a Therapist receives knowledge of any criminal activity, including present or past abuse of minors, senior citizens or disabled persons, they will be obligated to share information with law enforcement authorities to comply with all legal requirements.
   5. If a User requires further medical or mental health support, Consultation Data may be shared with their consent to facilitate appropriate referrals.
5. If applicable, the User hereby consents to Shyro Health sharing the User's Consultation Data and/or Personal Information with third-party insurance providers if you have claimed health insurance from such providers, and your Consultation Data and/or Personal Information is required by them to offer you insurance services.

9. DATA SECURITY AND PROTECTION MEASURES

1. At Shyro Health, we implement industry-leading security protocols to protect Personal Information and consultation information from unauthorized access, misuse and disclosure. Our security framework adheres to Indian and global IT security standards, ensuring compliance with applicable data protection laws and best practices in mental health Services.
2. Shyro Health complies with:
   1. all the data protection laws applicable to it and in force in the territory of India;
   2. globally recognized cybersecurity and information technology security frameworks to ensure data confidentiality and integrity;
   3. industry standards for encryption, data access control, and information security management; and
   4. regular audits (only applicable post IS/ISO/IEC certification), penetration testing and Security Risk Assessments conducted to ensure data safety and compliance with evolving regulations.
3. To protect your Personal Data, we employ technical, physical, and administrative security measures, including:
   1. end-to-end encryption for data transmission;
   2. access controls and authentication mechanisms to restrict access to authorized personnel only; and
   3. real-time monitoring and threat detection to prevent unauthorized access.
4. Shyro Health leverages Technology-Driven Documentation tools to enhance documentation, maintain continuity of care and improve the Service quality, such as:
   1. tools to assist Therapists in securely maintaining Consultation Data;
   2. tools to adhere to strict security measures to protect confidentiality of the User; and
   3. ensure that all data is processed securely and in compliance with information technology security standards.
5. The Users are responsible for keeping their login credentials confidential and such login credentials must not be shared with unauthorized individuals. Shyro Health may communicate important Service-related updates via email or text messages. Users should ensure their email and phone are secure from unauthorized access. Shyro Health shall not be responsible for security risks arising from User negligence, such as sharing login credentials or using unsecured devices.
6. Therapists may be required to maintain structured session records in compliance with professional and ethical standards. Technology-driven solutions assist in securely maintaining records while ensuring continuity of care and compliance with clinical best practices. Access to records is limited to authorized professionals involved in Service delivery. Session records are handled with strict confidentiality and security protocols.
7. We strongly discourage Users from sharing Personal Information in:
   1. public forums;
   2. comments or discussion areas; and
   3. any non-secure communication channels.

   Once shared publicly, Shyro Health cannot be held responsible for any misuse of such information pertaining to or shared by the User in relation to its Services. Shyro Health does not take liability for any consequences resulting from a User voluntarily sharing their personal data on public platforms.

10. EXTERNAL LINKS AND THIRD PARTY WEBSITES

1. The Platform may contain links to third-party websites, services, or resources ("Linked Sites"). These Linked Sites are not under our control and we are not responsible for their content, policies, or practices.
2. The inclusion of any Linked Site does not imply our endorsement, recommendation or affiliation with its operators, owners or content providers.
3. We do not assume responsibility for any form of transmission, data or content you may receive from Linked Sites.
4. You acknowledge that upon accessing Linked Sites, you will be governed by their respective terms of use and privacy policies. Any interaction, transaction or engagement with third-party websites, products or services is solely at your own risk and Shyro Health will not be liable for any damage, loss or claims arising from such interactions.
5. Shyro Health may also incorporate third-party products, tools or services on the Platform. By using such services, you acknowledge and agree to the respective third-party provider's terms and conditions. We do not warrant or guarantee the quality, accuracy, legality or availability of third-party content, services or products made accessible through our Platform. Any issues, concerns or disputes regarding third-party services should be directed to the respective third-party provider.
6. Shyro Health does not assume liability for any third-party services, links (including Linked Sites) or content accessed through the Platform. We are not responsible for any errors, omissions, misleading content or damages resulting from third-party platforms. Any reliance on third-party services is at your own risk and Shyro Health shall not be held liable for any associated damages or losses.

11. USER RIGHTS

1. At Shyro Health, we are committed to ensuring that you have control over your Personal Information and can seek resolution for any concerns regarding its processing. This section outlines your rights and the grievance redressal process available to you.
2. Following are the rights available to a User:
   1. Right to Access Information:

      You have the right to request details about the Personal Information collected about you and the Personal Information disclosed to third parties.

   2. Right to Correction, Completion, and Erasure

      You may request to:

      1. correct, update or complete any inaccurate or incomplete Personal Information;
      2. erase your Personal Information, subject to legal, regulatory and operational requirements; and
      3. the deletion of the entire Personal Information.

      Upon the deletion of your Personal Information, Shyro Health may no longer be able to provide certain Services that rely on such Personal Information.

   3. Right to Nominate a Representative

      You have the right to nominate another individual who, in the event of your incapacity or death, can exercise your privacy rights under this Privacy Policy.

12. COOKIES

1. We use Cookies to collect information and smoothen your experience on our Platform. We may work with third parties that place or read Cookies on your browser to improve your User experience. In such cases, by using the third party Services through our Platform, you consent to their privacy policy and terms of use and agree not to hold Shyro Health liable for any issues arising from such use.
2. You can instruct your browser, by changing its options to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. However, if you do not accept cookies, you may not be able to use all features or functionalities of the Platform.

3. Types of Cookies We Use:

   1. Essential Cookies: These are required for Platform functionality, including authentication and security.
   2. Performance and Analytics Cookies: These help us analyze how Users interact with the Platform, enabling improvements.
   3. Session Cookies: These are temporary Cookies that are deleted once you log out or close your browser. These Cookies do not collect Personal Information beyond what is required for Service operation. Unlike Persistent Cookies, Session Cookies are deleted from your computer when you log off from the Services and then close your browser.
   4. Third-Party Cookies: Some third-party Service providers may use Cookies to assist in: (i) analyzing Service and patterns to improve performance; and (ii) providing secure login integrations for enterprise accounts.

4. Managing Cookies:

   Users can control cookie settings through their browser and application, including:

   1. blocking all Cookies;
   2. enabling notifications before accepting a cookie;
   3. deleting stored Cookies; and/or
   4. disabling Cookies may affect Platform functionality, including login authentication and session continuity.

   Shyro Health is not responsible for any Service disruptions resulting from cookie restrictions applied by the User.

5. Cookie Retention Timeline

   1. Session Cookies: These are deleted when you log out or close your browser.
   2. Persistent Cookies: These are retained for up to 12 (twelve) months, unless cleared manually by the User.

13. GRIEVANCE OFFICER

The name and contact details of the grievance officer are provided below: