Last modified: December 14th 2023
Where We Collect:
- This policy applies to personal information (“PI”) we collect:
- When you enroll and with your consent; and
- in electronic messages between you and this App;
- It does not apply to information collected: Offline or via any other means such as publicly available or social media data.
Our App is not aimed at minors under 18 years of age. Minors may use the App but only with the express prior written consent of their legal guardian or if they have a signed agreement with their therapist. A therapist who works with a minor through the app is responsible for consent. Such consent will be required every six (6) months. Otherwise, minors should not provide any PI to the App. We never intentionally collect PI from minors otherwise. Minors do not use this App or provide us with any PI without consent. If we learn we have unauthorized PI from a child, we will delete it. If you believe we have PI belonging to minors, please contact us at firstname.lastname@example.org.
If you are a minor based in California, and a user of this App, California Business Code Sec. 22581 gives you rights such as to access or remove your PI.
PI We Collect:
We collect types of PI from and about our users, directly and indirectly:
- Categories of PI: In the preceding 12 months, with consent, we have collected the following categories of PI:
- Identifiers: this includes name, address, telephone number, email address, and your FNF username and password.
- Sensitive personal data such as health data.
- Contact information of an emergency contact.
- Data Collected Automatically: Whether on an individual or aggregated basis.
How We Collect:
- We collect this information:
- By submitting PI on the App, you agree to our data processing, such as by:
- completing forms, requesting further services or other correspondence on our App,
- subscribing to our service,
How We Use Data:
We use PI you provide in any way we may describe prior to your provision of PI or to:
- Present our App to you.
- Answer your requests or fulfill any purpose for which you provide PI with consent.
- Perform our duties and enforce our rights from agreements between you and us.
- In any other way we may describe when you provide PI.
- Research and analytics in de-identified form.
- IT management, monitoring and data security including fraud detection and auditing.
- Protect our privacy, safety, rights or property (we may use without consent within a court process) or similar rights of others and allow us to pursue remedies to limit damages.
- We may disclose such if required or permitted by law such as to safeguard your rights, freedoms, and legitimate interests.
- To independent auditors or consultants in order to carry out institutional risk control;
- To agencies, including self-regulatory organizations
We may disclose PI we have about you, as described herein, to third parties such as auditors or professional advisors.
Choices On Use and Disclosure:
- Accessing and Correcting Your Information:
- We respond to data rights requests within a reasonable time. You can review and change your PI by emailing email@example.com with ample verification that it is in fact you responding.
- We cannot delete your PI except by also deleting your account. We will not change PI if we believe it would violate any law or legal requirement or cause the data to be incorrect. Any deletion request will be governed by our retention policy.
- Your Data Rights:
- Right to be Informed. The right to be informed about the processing of your PI. This Policy is designed to inform you of how your data is processed and describe your rights.
- Right of Access. You have the right to access your PI and supplementary data to be aware of and verify the lawfulness of processing.
- Right to Rectification. You may have PI rectified if it is inaccurate or incomplete.
- Right to Erasure. You have the right to request deletion or removal of your PI where there is no compelling reason for its continued processing unless it is considered essential for other retention purposes such as:
- Complete the transaction you requested, take actions anticipated within our ongoing business relationship, or otherwise perform our contract with you.
- Detect security, fraudulent, deceptive, or illegal activity, or prosecute for such.
- Debug and repair errors that impair existing intended functionality.
- Exercise free speech or another right for us or others.
- Comply with the Electronic Communications Privacy Act.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Right to Restrict. You have the right to block or suppress processing of your PI.
- Right to Data Portability. You have the right to obtain and reuse PI that can be clearly linked to you, for your purposes. We will send you a copy in a commonly used and machine-readable format.
- Right to Object. You have the right to object when processing is based on legitimate interests, for the public interest, direct marketing, and for scientific research.
- Automated individual decision-making. You have the right not to be opined upon based solely on automated processing, including profiling, which produces legal or similarly significant effects.
- Right to make a complaint with a supervisory authority or seek a judicial remedy.
- Request Fulfillment. We typically fulfill any such request without delay and no later than one month after its receipt. If we are not required to fulfill such or there is a delay, we will provide the rationale via email. Responses are provided free of charge, unless requests are patently unfounded or excessive, especially due to redundancy. You will never be discriminated against due to exercise of these rights or any others.
- Security Program: We implemented administrative, technical and physical measures to secure your PI from accidental loss and unauthorized access, use, and disclosure, including HIPAA-compliant encryption.
- Your Duties: Security of your data also depends on you. You must keep your login credentials secure. Any transmission of PI is at your own risk.
- Our Duty: We are not responsible for bypassing of any privacy or security measures, or settings contained on the App.
Though our App will connect you to your therapist, we have no control over his or her privacy practices. Accordingly, we assume no liability for their data practices. We suggest that you review their policies, if any, prior to providing such with any information.
For questions or comments about this Policy contact us at: firstname.lastname@example.org
- When the need to process your PI ceases, we will either delete, de-identify or anonymize it, or, if not possible (i.e. as your PI has been stored in archives), we will securely store your PI and isolate it from any further processing until deletion is possible.
- Duration of Retention Examples:
- When You Interact with Business Expansion Functions: We may retain PI as long as necessary to provide you with your request for information or other responses.
- Opening an Account: We may retain your PI for as long as your account is active, or to comply with our legal duties, preserve and protect our rights as allowed by law, resolve disputes, maintain security, prevent fraud and enforce our agreements.
- Personal Data Retention Periods
- Except as otherwise permitted or required by applicable law or regulation, we only retain PI for as long as necessary to fulfill its purpose, as required to satisfy any duties, or as necessary to resolve disputes. To determine the appropriate retention period for PI, we consider the amount, nature, and sensitivity of PI, potential risk of harm from unauthorized use or disclosure, the purposes, and any legal requirements.
- We typically retain PI for 6 months, subject to any exceptional circumstances or to comply with laws or regulations that require a specific retention period.
EU General Data Protection Regulation (GDPR) Compliance
1. Scope and Acknowledgement
2. Personal Data Processing
Reflective processes personal data of EU residents in accordance with the GDPR. The processing of this data is based on the necessity for the performance of a contract with EU residents, compliance with legal obligations, the protection of your vital interests, or Reflective’s legitimate interests.
3. Rights of EU Residents
As an EU resident, under the GDPR, you are entitled to the following rights:
- Right to Access: You have the right to request access to your personal data that Reflective processes.
- Right to Rectification: You can request the correction of inaccurate or incomplete personal data.
- Right to Erasure (Right to be Forgotten): You can request the deletion of your personal data where it is no longer necessary for Reflective to retain it.
- Right to Restriction of Processing: You can request a restriction on the processing of your personal data under certain circumstances.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used format, and to transfer that data to another controller.
- Right to Object: You have the right to object to the processing of your personal data based on Reflective’s legitimate interests, unless Reflective demonstrates compelling legitimate grounds for the processing.
- Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw that consent at any time.
- Right to Lodge a Complaint with a Supervisory Authority: You have the right to lodge a complaint with your local data protection authority about Reflective’s processing of your personal data.
4. Data Transfer Outside the EU
Reflective ensures that any transfer of personal data outside the EU is performed in compliance with the GDPR. Where necessary, Reflective will implement standard contractual clauses, seek adequacy decisions, or obtain your explicit consent for such transfers.
5. Automated Decision-Making and Profiling
Reflective does not use your personal data for automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you.
6. Contact and Further Information
For exercising your rights under GDPR or for any inquiries related to the processing of your personal data, please contact us at: email@example.com
Reflective reserves the right to verify your identity before processing any request related to your personal data.
7. Changes to this Clause
Reflective may update this GDPR clause to reflect changes in our practices or legal obligations. We encourage you to review this clause periodically.