Privacy Policy
SheHealy is a women's emotional and mental wellness platform operated from India. This policy explains how SheHealy collects, uses, shares, protects, and retains personal data for shehealy.com and EIVA.
Effective: July 13, 2026
1.1 Who We Are
SheHealy is a women's emotional and mental wellness platform operated from India. EIVA (Emotionally Intelligent Virtual Assistant) is SheHealy's AI-powered companion. Registered contact: info@shehealy.com. This address is actively monitored.
1.2 What Data We Collect
| Data Type | Purpose |
|---|---|
| Name, email, age, country | Account creation and communication |
| Mood entries, journal notes, check-in responses | Personalised wellness support |
| EIVA conversation content | Service delivery, safety monitoring |
| PHQ-9 and GAD-7 screening responses | Clinical pre-screening |
| Appointment and booking details | Consultation management |
| Google Calendar connection data for healers | Optional calendar selection and synchronization of confirmed SheHealy appointments |
| Device type, browser, IP address | Security and service improvement |
We do not collect payment card details directly. Payments are processed by third-party gateways (Razorpay / Stripe) under their own privacy policies. SheHealy is not responsible for payment gateway downtime or third-party processing errors.
1.3 Educational Content Disclaimer
Educational Content - Important Notice
- All content on the SheHealy platform, including blogs, articles, wellness plans, educational videos, breathing exercises, and self-help resources, is provided for informational and educational purposes only.
- This content does not constitute professional medical, psychiatric, psychological, or therapeutic advice.
- Educational content should not be used as a substitute for consultation with a qualified healthcare professional.
- SheHealy does not guarantee the accuracy, completeness, or fitness for purpose of any educational content on the platform.
- If you have concerns about your mental or physical health, consult a licensed practitioner.
1.4 Legal Basis for Processing
We process your personal data under the following lawful grounds:
- Consent: freely given, specific, informed, unconditional, and withdrawable at any time.
- Contract performance: to deliver services you have subscribed to.
- Legitimate interests: platform safety, fraud prevention, and service improvement.
- Legal obligation: compliance with Indian law and applicable regulations.
We comply with India's Digital Personal Data Protection Act 2023 (DPDP Act) and DPDP Rules 2025, the Information Technology Act 2000, IT (SPDI) Rules 2011, and, for users in the European Economic Area, the General Data Protection Regulation (EU) 2016/679 (GDPR). Regulatory references in this document reflect the law as at June 2026 and will be updated annually.
1.5 Sensitive Health Data
Emotional, psychological, and health-related information you share with EIVA or during consultations is classified as sensitive personal data under Indian law and special category data under GDPR. We process this data solely to deliver our services to you. We do not sell, rent, or share it with advertisers. We do not use it for automated profiling that produces legal or significant decisions about you without human review.
1.6 How We Use Your Data
- To operate and personalise EIVA conversations.
- To match you with appropriate healers.
- To facilitate and manage consultations.
- To send appointment confirmations and service communications.
- To generate anonymised, aggregated research insights, never individual-level insights.
- To comply with legal obligations including crisis safety protocols.
1.7 Who We Share Data With
| Recipient | Purpose |
|---|---|
| Licensed healers on our platform | Your consultation and care |
| Anthropic / OpenAI (AI providers) | EIVA conversation processing |
| Cloud hosting providers | Data storage and security |
| Payment processors (Razorpay / Stripe) | Transaction processing |
| Legal authorities | Where required by law |
We do not share your identifiable data with any other third party without your explicit consent. All third-party processors are bound by data processing agreements.
1.8 Your Content - Ownership and Processing
Users retain full ownership of all personal content they create on SheHealy, including journal entries, EIVA chat messages, mood logs, check-in responses, and voice notes. By using SheHealy, you grant SheHealy a limited, non-exclusive, royalty-free licence to process, store, and use your content solely to deliver and improve the service to you. SheHealy will not use your personal content for advertising, third-party sale, or commercial exploitation. Anonymised and aggregated insights derived from content may be used for platform improvement and research.
1.8A Google Calendar Integration and Google User Data
SheHealy offers healers an optional Google Calendar integration. Connecting Google Calendar is not required to use the healer portal. SheHealy requests Google authorization only after a healer chooses to connect the integration and Google displays the permissions being requested.
| Google OAuth scope | Access and purpose |
|---|---|
| https://www.googleapis.com/auth/calendar.calendarlist.readonly | Reads the healer's calendar list and calendar metadata, including calendar identifiers, names, primary-calendar status, and access role, so the healer can choose which calendar will receive SheHealy appointments. |
| https://www.googleapis.com/auth/calendar.events | Permits access to calendar events. SheHealy uses this scope to create, update, and delete only the private SheHealy appointment events managed by the integration when a consultation is confirmed, rescheduled, moved to another selected calendar, or cancelled. The integration does not fetch or display the healer's existing unrelated event list. |
When a healer connects Google Calendar, SheHealy accesses and processes the calendar identifier associated with the primary calendar, which may be the same as the healer's Google Account email address, calendar identifiers and names, the granted scope list, and OAuth access and refresh tokens. SheHealy does not request the userinfo.email or userinfo.profile scopes and does not use the Google UserInfo API to access the healer's Google profile, public personal information, or separate Google Account profile details. A synchronized event may contain the consultation date and time, consultation mode, the healie's first name, an in-person location when applicable, a private SheHealy appointment identifier, and a link back to the healer's SheHealy appointment page. Events created by the integration are marked private.
SheHealy uses Google user data solely to provide and maintain the healer-facing Google Calendar synchronization feature. Google user data is not sold, rented, used for advertising or retargeting, used to determine creditworthiness, provided to data brokers or information resellers, or used to train general-purpose or personalized artificial intelligence or machine-learning models.
We do not disclose Google user data to unrelated third parties. Data may be processed by our contracted cloud hosting and infrastructure providers only as necessary to operate and secure the integration, or disclosed where required by applicable law. Human access is restricted to circumstances where the healer has given affirmative permission, access is necessary to investigate a security or technical incident, or disclosure is legally required.
OAuth access and refresh tokens are encrypted at rest and protected in transit. Access is limited to authorized SheHealy systems and personnel with an operational need. We maintain reasonable technical and organizational safeguards designed to prevent unauthorized access, use, alteration, loss, or disclosure.
A healer can stop synchronization from the Google Calendar settings in the SheHealy healer portal and can separately revoke SheHealy access from the security settings of their Google Account. Disconnecting in SheHealy clears the stored OAuth access token, refresh token, token expiry, selected calendar identifier, and selected calendar name, and stops future synchronization. Existing events already created in Google Calendar may remain in that calendar and can be deleted by the healer. Limited connection and synchronization records may be retained for account administration, security, troubleshooting, and legal compliance and are deleted or anonymised when no longer required. A healer may request deletion by emailing info@shehealy.com, subject to applicable legal retention obligations.
SheHealy's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements: https://developers.google.com/terms/api-services-user-data-policy.
1.9 International Data Transfers
Our AI providers (Anthropic, OpenAI) may process data outside India. Such transfers are conducted under appropriate safeguards including standard contractual clauses. For EEA users, transfers comply with GDPR Chapter V requirements.
1.10 Data Retention
| Data Category | Retention Period |
|---|---|
| Account and profile data | Duration of account + 3 years |
| Consultation and EMR records | 7 years (medical record requirement, India) |
| EIVA conversation logs | 2 years or account deletion, whichever is earlier |
| Anonymised analytics | Indefinitely |
You may request deletion at any time. Certain data may be retained longer where required by law or for the safety of others.
1.11 Your Rights
- Access your personal data.
- Correct inaccurate data.
- Erase your data, subject to legal retention obligations.
- Withdraw consent at any time without affecting prior processing.
- Request data portability if you are a GDPR user.
- Object to processing for certain purposes.
- Lodge a complaint with the Data Protection Board of India or your local supervisory authority.
To exercise any right, contact info@shehealy.com. We aim to respond within 30 days.
1.12 Crisis and Safety Exception
If EIVA or our clinical team identifies an immediate risk to your life or the life of others, we may share necessary information with emergency services or next of kin. This is the only circumstance under which confidentiality may be overridden, consistent with Mental Healthcare Act 2017, Section 23 and global clinical safety standards.
1.13 Children
Our services are not directed to persons under 18. We do not knowingly collect data from minors. If you believe a minor has used our platform, contact info@shehealy.com immediately.
1.14 Cookies
We use essential cookies for platform function and optional analytics cookies. You may manage cookie preferences at any time through our cookie settings banner. We comply with consent requirements under applicable law including DPDP Rules 2025 and GDPR. A detailed Cookie Policy is available at shehealy.com/cookies.
1.15 Changes to This Policy
We will notify registered users of material changes by email at least 14 days before they take effect. Continued use after that date constitutes acceptance.
Privacy Contact
- Email: info@shehealy.com (actively monitored).
- Grievance Officer: Dr. Devesh Rawat | devesh@shehealy.com.
- Legal / DMCA: legal@shehealy.com (actively monitored).
- Response guaranteed within 30 days.
