Privacy Policy

Introduction

Welcome to our Privacy Policy (“Policy”). This document is designed to clarify how Really Global collects, uses, and safeguards your data while you interact with our Technology Platform. We urge you to read this Policy carefully to understand your rights and our obligations.

1. What is this Policy?

This Privacy Policy (“Policy”) is intended to inform you about the types of data collected by the Technology Platform, how this data is used, and the rights you have concerning this data. For the purposes of this Policy, “data” refers to any information associated with an individual or household. This may include, but is not limited to, names, email addresses, phone numbers, device IDs, and communications between you and the Company providing Mental Health Services via the Technology Platform. Such information may be considered ‘personal data,’ ‘personally identifiable information,’ or ‘sensitive personal data,’ as defined by the laws and regulations applicable in your jurisdiction.

By accessing and using the Technology Platform, you accept and agree to both the Terms and Conditions and this Privacy Policy, including that we’ll share certain data with Data Processors. This includes your consent for the sharing of certain data with Data Processors and Companies for the purposes of providing Mental Health Services.

The aim of this Policy is to clarify the technical aspects of data processing in an easy-to-understand manner. For any inquiries or suggestions regarding this Policy, please contact us through our customer support page.

“Technology Platform” 
This refers to the website and/or mobile application owned by Really Global.

“Really Global”
When the terms “we”, “us”, “our,” or similar are used in this Agreement, they refer to Really Global. Really Global specializes in offering Technology Platform services to mental healthcare practitioners, both licensed and non-licensed. This doesn’t imply that Really Global practices medicine or any licensed healthcare activities. Similarly, we’re not involved in providing non-licensed services like health coaching and mentoring.

“Mental Health Services”
These refer to the licensed mental healthcare and non-licensed mental health coaching and mentoring services provided by a Company to clients via the Technology Platform.

“Company”
This refers to the entity that provides Mental Health Services to clients. The Company is solely responsible for the provision of Mental Health Services on the Technology Platform in accordance with all applicable laws and regulations.

“Data Processor”
These are entities contracted by Really Global specifically for data processing. They act solely on Really Global’s instructions and must maintain the confidentiality of the data processed.

“Processing”
This refers to any operation performed on data, such as collection, storage, and usage.

2. Who does this Policy apply to?

This Policy applies to all clients who access or interact with the Technology Platform, including those who create accounts to avail themselves of the Mental Health Services offered via the Technology Platform, as well as any Company utilizing the Technology Platform to offer Mental Health Services.

3. What do we mean by "Data Processor" in this Policy?

In this Policy, we define a “Data Processor” as an entity with whom Really Global has entered into a legal agreement to Process data collected by Really Global. Data Processors are required to handle the data solely as directed by Really Global—no other entity has the authority to instruct them. Data Processors are not permitted to disclose individually identifiable data to any other entity, except to Really Global or their own subcontractors, provided such subcontractors are bound by data processing terms that are no less restrictive than those agreed upon with Really Global.

The data obtained by Data Processors from their relationship with Really Global must be used solely for performing the services specified in our agreement with them, or as reasonably necessary for one or more of the following purposes:

  • Complying with applicable privacy laws, regulations, or legal processes;
  • Detecting, preventing, or mitigating fraud or security vulnerabilities;
  • Debugging to identify and repair errors that impair existing functionalities; and/or
  • Conducting internal research for technological development and demonstration, provided such use is reasonably necessary and proportionate to the purpose for which the data was shared.

4. When you use the term "Third Party," what do you mean?

For the purposes of this Policy, a “Third Party” refers to any entity that is not Really Global, a Data Processor, or a Company, and is not otherwise specifically identified in this Policy or the accompanying Terms of Service.

5. Do you collect, store, or process my Data?

Within the scope of this Policy, we refer generally to activities done with data as “Processing” or “Process.” Processing activities may include the collection, storage, and usage of data. The types of data we Process are elaborated in subsequent sections of this Policy. We Process this data for various purposes, such as to ensure the smooth functioning of the Technology Platform and to enable you to use our services efficiently. Data may also be Processed for communication purposes, which could include sending you periodic emails or text messages. Some of these communications are service-related, while others may be for marketing purposes. You have the option to unsubscribe from receiving text or marketing communications at any time. More details on this can be found in the appropriate sections of this Policy.

6. What specific data are you Processing?

The data we Process depends on how Clients interact with our Technology Platform. Subsequent sections will detail the specific types of data we collect and Process, as well as the business rationale for doing so.

Please note that this section pertains solely to the data we Process. Information regarding the data we share is discussed in a separate section titled, Why do you collect and Process my data?

As delineated in the table below, we collect and Process “Client Data,” which may include demographic information, usage patterns, and transaction records necessary to facilitate the provision of Mental Health Services.

Details concerning the retention period for the data we collect and Process can be found in the How long do you retain my data? section of this Privacy Policy.

Client Interaction Data When you visit the website, app, or Technology Platform, we Process information such as the particular pages visited, features interacted with, time spent on the website or app, any encountered errors, the type of device and browser used, and your IP address. Third-party identifiers may also be Processed, and, if you opt in, shared with Third Parties.
Onboarding Data To create an account with the Technology Platform, you may be required to fill out a questionnaire or provide additional information. The information used to create your account is Processed.
Account Data Once an account is created on the Technology Platform, we Process data such as the account name selected, along with other demographic and contact information, including but not limited to email, age, phone number, and emergency contact details.
Client Identifier A sequentially-generated identifier is assigned to each Client and Company account. These identifiers are unique to each account and are essential for the Technology Platform to function effectively.
Transactional Data Data related to financial transactions on the Technology Platform is Processed. This includes details such as whether a payment for Mental Health Services was completed, cancellations, discounts, or refunds. Information about account creation is also Processed.
Client Engagement Data Data related to logging into the Technology Platform and the activities conducted during that login are Processed. This includes the timing of the login, the number and length of messages sent or received through the Technology Platform, the timing of these messages, the number and duration of live sessions scheduled or conducted, as well as the number and timing of the usage of other features such as worksheets, journals, and goals. This category does not include Mental Health Services Data, such as the content of any messages sent or received, the content of live sessions, or the content of journal entries, worksheets, or goals.
Mental Health Services Data Communications and other information shared with Companies to facilitate services are Processed. This includes clinical notes, diagnosis, symptoms, treatment plans, and functional status; session recordings, transcriptions, summaries, and session data; messages, worksheets, journals; or any other form of communication.
Company Quality Data Client feedback, including ratings and reviews of Companies, as well as details on session availability, cancellations, and no-shows, is Processed.
Customer Service and Communications Data All communications with our Customer Service team are Processed.
Company Data Data necessary to engage with Companies concerning their status, credentials, payments, and other operational needs are Processed. This includes a wide range of personal and professional information such as the Company's name, bank account information, contact details, gender, date of birth, licensing and credential information, areas of expertise, and other relevant data. Companies may also, outside of this Policy, use additional verification methods to assist in logging in and verifying their identity.
Company Engagement Data Data related to Company activities on the Technology Platform is Processed. This includes the number and timing of Company logins to the Technology Platform, the number of live sessions conducted by a Company, the number and content of messages exchanged by a Company, and the sharing of worksheets and journal entries.

We Process a ‘Client Health Record,’ which contains essential information necessary to identify you and document the Mental Health Services you have received. This record includes internal notes from the Company, dates you received services, and specific elements from your Onboarding, Account, and Mental Health Services Data.

  • Onboarding Data: Responses to any onboarding questionnaires or initial assessments.
  • Account Data: The account name you’ve chosen, phone number (if provided), email address, and emergency contact details.
  • Mental Health Services Data: Dates of service, messages exchanged with Companies, any worksheets or journals shared, and internal notes from the Company.

In addition to Processing, we also share certain data with Data Processors to facilitate the operation of the Technology Platform and perform essential functions for the website and application. Moreover, should you opt into sharing, we may share select data with Third Parties. For more detailed information, please refer to the section titled, “What are the purposes for sharing my Data?”

7. Why Do You Collect and Process My Data?

There are several reasons why Really Global processes your data. Here are a few examples that might be of most interest to you.

To Facilitate Your Connection with Mental Health Services
We process Client Interaction Data, Onboarding Data, Account Registration Data, User ID, Transaction Data, Mental Health Services Quality Data, Company Data, and Company Engagement Data. This processing is needed for us to connect you with Mental Health Services via our Technology Platform. By doing so, we can facilitate the essential exchange of information between you and Companies to ensure you receive the Mental Health Services you need. Additionally, we process data like your Company preferences, and your state and country (if relevant), to match you with Companies that meet specific licensing or accreditation criteria.

To Enable Mental Health Tools for You and the Companies
We process Client Interaction Data, Member Engagement Data, Account Data, Mental Health Services Data, Company Data, Transaction Data, Mental Health Services Quality Data, Company Engagement Data, and User ID. Once you commence receiving Mental Health Services, we process certain types of data to activate various therapeutic tools on our Technology Platform, such as journaling features, goal-setting functionalities, and relevant worksheets. These tools are designed to enrich the quality and effectiveness of the Mental Health Services you receive.

To Ensure Platform Security and Account Integrity
We process Client Interaction Data, Account Data, Company Data, and User ID for the purpose of identity verification and account security, applicable to both clients and Companies. This is to ensure that only you can access your account and to implement controls or challenges that prevent unauthorized access. We may also process some of your data when releasing security patches and bug fixes to address security vulnerabilities. Additionally, we process your data to monitor for potential abuse on the Technology Platform, to detect and prevent security incidents, and to protect against any malicious, deceptive, fraudulent, or illegal activities. When necessary, we may use this data to take legal action against those responsible for such activities.

To Maintain Open Communication Channels
We process Client Interaction Data, Company Data, Account Registration Data, User ID, Member Engagement Data, Transaction Data, Customer Service and Communications Data, and Mental Health Services Quality Data for the purpose of communication. For instance, if you have a question or concern about the Technology Platform, we make sure that we have the necessary information to respond to you appropriately and provide you with the answers you seek.

To Uphold and Enhance the Quality of Mental Health Services
We process Client Interaction Data, Onboarding Data, Company Quality Data, Member Engagement Data, User ID, Transaction Data, and Mental Health Services Quality Data to monitor and improve the quality of Mental Health Services offered through our Technology Platform. For example, we track whether a live session occurred, was canceled, or if a Company failed to show up, to ensure that services are being timely delivered to you. We also monitor ratings, reviews, complaints, and other client feedback to uphold the quality of Companies on our Technology Platform.

With your consent, a member of Really Global’s Quality Assurance Team may review your correspondence with a Company for quality assurance purposes. This might happen if you raise a concern about the services you’re receiving, or if we have specific concerns about a Company’s quality of care. Additionally, our internal Trust and Safety or Legal teams may review correspondence for specific accounts if we have reason to believe that a security, legal, or fraud issue is occurring with that particular account.

To Personalize Your Experience on the Technology Platform
We process Client Interaction Data, Onboarding Data, Member Engagement Data, Account Registration Data, User ID, Transaction Data, Mental Health Services Quality Data, and Company Data to tailor your experience on our Technology Platform. For example, if you identify as a member of the LGBTQ+ community and would like to connect with a Company that has specialized expertise, experience, and training in this area, we process your data to enable a match that aligns with your preferences. Similarly, if you express a need for assistance with anxiety, we may share content and features that are specifically designed to be beneficial for you, such as therapy groups focused on anxiety management.

To Understand Platform Use and Improve Our Services
We process Client Interaction Data, Onboarding Data, Account Registration Data, Member Engagement Data, Transaction Data, Mental Health Services Quality Data, Company Data, and User ID to gain insights into how you utilize our Technology Platform and Services. These insights guide us in enhancing the effectiveness, convenience, and array of features we offer. For example, your data informs us about which services and features should be introduced, refined, or possibly discontinued. It also helps us manage notifications so you aren’t shown redundant alerts. We may also use your IP address to auto-fill geographic details like your state or country.. Regular usage of specific pages, buttons, or features is also monitored to wisely allocate our R&D resources. Should you opt into Analytics, we may employ data processing to track visits across any affiliated platforms for first-party cross-domain tracking purposes.

To Comply with Legal Requirements and Regulations
We process Client Interaction Data, Onboarding Data, Account Registration Data, Member Engagement Data, Transaction Data, Company Data, Mental Health Services Data, Customer Service Data, Communications Data, User ID, and your Clinical Health Record to adhere to legal mandates and regulations. For instance, in cases where we receive a legal subpoena, we may be obligated to share specific information as required. Companies providing Mental Health Services on our Technology Platform are also subject to various legal and professional obligations. These include maintaining a complete Clinical Health Record of the care and services provided to you, which must be retained for a designated period after the conclusion of your care. This practice is not unique and is a standard procedure in both online and in-person mental health services. As a general rule, we defer to the Company you’ve chosen for Mental Health Services when it comes to producing or withholding any psychotherapy notes or messages you’ve exchanged. Given that many jurisdictions have strict regulations concerning the confidentiality of client-Company relationships, we encourage you to discuss any concerns you may have about disclosure obligations with your Company early on.

To Ensure Safety and Security
We process Client Interaction Data, Account Registration Data, Member Engagement Data, Transaction Data, Company Data, Customer Service Data, Communications Data, and User ID to safeguard your well-being and the well-being of others. For example, if we have a reasonable basis to believe that you or another individual may be in immediate danger, or if your privacy has been compromised, we may utilize this information to conduct an investigation or to contact you or the relevant authorities, provided it is legally appropriate and permitted to do so.

For Companies Providing Mental Health Services on Our Platform
If you’re a Company on our platform, or in the process of becoming one, we process Company Data, Mental Health Service Quality Data, Company Engagement Data, User ID, Onboarding Data, and Account Registration Data for various purposes:

  • Recruitment and Onboarding: To aid in the recruitment process and help you get started on our platform.
  • Platform Operation: To operate our platform efficiently, display Company profile and specialty pages based on Company and Client preferences, and facilitate communication between you and your Clients.
  • Identity Verification and Account Security: To validate your identity and keep your account secure.
  • Credential Verification: Provide services that enable background, education, and credential checks and other screenings that are essential for verification.
  • Payment and Tax Compliance: To facilitate your payment and ensure compliance with all relevant tax laws.
  • Feedback and Quality Assurance: To provide you with quality statistics and feedback, both from Really Global and from Clients.
  • New Features and Incentives: To inform you about new features, opportunities, and incentives.
  • Profile Display: To allow your profile to be displayed on Third-Party websites and directories to inform people about the Technology Platform. You can opt-out by visiting our contact page.
  • Reminders and Updates: To send you reminders, notifications, and updates about your application, profile, or account via email, calls, or SMS.

For Marketing and Promotional Communication 
We process Client Interaction Data, Onboarding Data, User ID, Transaction Data, Member Engagement Data, Company Data, Mental Health Service Quality Data, and Company Engagement Data to send you opportunities, promotions, news, updates, and reminders about our services and your account. For example, we might email you special promotions or discounts or provide you with news or content related to mental health services that you might find useful. You can opt out of receiving texts or marketing communications at any time.

8. Who Can Access My Interactions with Companies Providing Mental Health Services?

Only you and the Company providing your Mental Health Services can view the messages you exchange and the worksheets you submit. If you choose to share journal entries, the Company will also have access to those.

Quality Assurance: With your consent, a member of Really Global’s Quality Assurance Team may review your interactions with the Company for quality assurance. This may happen if you express concerns about the Company or if Really Global has questions about the quality of care being provided.

Legal and Security Reviews: Our internal Trust and Safety or Legal teams might review interactions for specific accounts if we suspect that there may be a security, legal, or fraud issue with that particular account.

Third-Party Sharing: Your interactions, including messages and live sessions, are not shared with any Third Parties. Additionally, we do not disclose your messaging or session activity to any Third Parties.

9. What are the purposes for sharing my data?

Here are some of the reasons your data might be shared:

Legal Requirements: In certain situations, we’re required by law to share your data. For example, if a court orders us to release specific information via a subpoena, we must comply. This isn’t unique to Really Global; it applies to both telehealth and traditional in-person Mental Health Services. It’s generally up to the Company providing your Mental Health Services to decide whether or not to release any psychotherapy notes or messages between you. Since different places have their own rules about Company-client confidentiality, we recommend discussing any disclosure concerns with your Company early on.

Law Firms: Occasionally, an external law firm may handle your data for support services. They are under strict confidentiality agreements. For instance, an attorney might handle subpoenas or other legal matters on behalf of past Clients and make sure they are forwarded to Really Global’s Legal Team.

With Data Processors: We share some of your data with third-party service providers for specific, limited purposes that help us operate the Technology Platform:

  • Data Hosting & Storage Providers: For example, we use cloud services like Microsoft Azure.
  • Tech Service Providers: Such as tools that add extra functionalities to our Technology Platform, including live audio, video, and group meetings.
  • Customer Service Tools: These help us manage and track questions and requests from our Members and Companies securely.
  • Communication Tools: For instance, tools like Mailmodo facilitate email communication between us and our users.
  • Payment Processors: We use secure payment processing services like Stripe, who also help us in paying Companies and issuing tax documentation. Necessary details like a Company’s email address and tax ID might be shared for these purposes.
  • Reporting & Analytics Services: We use services like Mixpanel to help us understand which pages and features are most commonly used on our Technology Platform.
  • Business and Legal Advisors: For consultations on business matters.
  • Platform and User Security: Data might also be shared to maintain the safety and security of the Technology Platform and its Clients.

For Companies on Our Technology Platform: If you’re a Company on our Technology Platform, or in the process of being recruited to join us, we may share specific data with Company recruiters to facilitate, monitor, and track the recruitment process.

For Clients with Employer or Organization Affiliations: For Clients obtaining services through an employer, organization, or another business partner, we may share group-level usage data, which is not directly identifiable to you, with your organization.

Asset Sale, Merger, or Bankruptcy: We may share some of your data in the event of an asset sale, merger, or bankruptcy.

Note that if you publicly disclose any information on the Technology Platform, such as in a public post, this information could be accessed and used by anyone.

If you opt in to “Analytics”, we may employ analytics cookies from trusted Data Processors to Process data for activities, including but not limited to, analyzing traffic sources, visits, and interactions on our Technology Platform. This analysis assists us in enhancing our products and services.

10. Do you Process location data?

We process your IP address to determine your approximate location to personalize the Technology Platform for you. For example, we display information relevant to the Mental Health Services available to Clients from your country.

We also use your approximate location to enhance your experience on our Technology Platform. For instance, we auto-populate your state (if applicable) and country when you are completing our onboarding questionnaire.

We do not request or process precise location information, such as data provided by your phone’s GPS.

We Process your address details when you include them as part of your emergency contact information while initiating Mental Health Services through a Company on our Technology Platform. This information is obligatory to comply with Mental Health Service regulations and ethical codes. It may be used, for instance, if the Company believes you are in immediate danger. While filling out this field, we may process your approximate location to offer autocomplete suggestions for your convenience.

Your approximate location, determined via your IP address, is also Processed by the ReCAPTCHA security API tool we employ. ReCAPTCHA is a Data Processor we use to identify potentially malicious actors attempting to access our Technology Platform. For more details, please refer to the ReCAPTCHA Privacy Policy and Terms of Service.

To learn about the additional purposes for which we Process IP addresses, please see:

  • Why do you collect and Process my data?
  • Are you using my data for advertising?
  • Additional Privacy Notice for California Residents

11. Are you using my data for advertising?

We are not using your data for advertising.

12. What is a cookie or web beacon?

A ‘cookie’ is a small data file stored in a folder on your computer, primarily used for record-keeping. Cookies enhance the performance of our Technology Platform and personalize your experience. They can also be used for third-party tracking, as previously explained. For instance, cookies facilitate quick logins to various platforms and websites, eliminating the need to enter your credentials each time.

A ‘web beacon’ or ‘pixel’ is a minuscule, sometimes invisible, image or embedded code placed on a webpage or email. It can report your visit or use to a third party, as described earlier. Generally, these tools monitor Client activity for purposes like web analytics or tagging pages.

13. What are you using cookies and web beacons for?

We use our own, Data Processors, and third party cookies and web beacons to deliver a faster and safer experience, to monitor and analyze usage, and to comply with laws. To read more about the kinds of third party cookies we use and their purposes, to update your settings, or to opt out, click “here“.

14. How do I opt out of cookies, web beacons, and other tracking technology?

Please visit our opt-out instructions page to opt-out of tracking via cookies or web beacons, or for instructions on how to remove previously set cookies.

15. How do you keep my data secure?

We adhere to industry standards and aim to implement best practices to ward off unauthorized access and disclosure. While no internet-based service can guarantee absolute security, our systems, encryption technology, operations, and processes are all meticulously designed, constructed, and maintained with your security and privacy at the forefront.

Really Global employs a seasoned team of data security professionals committed to utilizing secure technology to safeguard your data. Our Information Security team continually assesses our internal security measures to preemptively identify vulnerabilities and bolster our defenses. Some of our robust security practices include:

  • Secure Communication: All messages between a Client and their Company are secure and employ 256-bit encryption.
  • Data Centers: Our servers are hosted across multiple Tier 3 Microsoft Azure Data Centers to maximize security and protection.
  • Browsing Encryption: Our SSL encryption system is in line with modern best practices.
  • Database Protection: Our databases are encrypted and scrambled, rendering them useless should they be illicitly accessed or stolen.
  • Monitoring Systems: We have comprehensive monitoring and alerting systems in place, involving both automated tools and human personnel in 24/7 rotations.

For your personal security, please consider the following:

Phishing: Be cautious of online identity theft or account hacking attempts. Really Global will never ask for your login or credit card information through non-secure or unsolicited communications. Always ensure you are within our secure system before providing such information.

External Links: Our Technology Platform may include links to external websites or services. We have no control over these external entities and are not responsible for their privacy policies or terms of use. The inclusion of a link does not imply endorsement, authorization, or any affiliation with that external party, nor does it indicate their compliance with privacy and security standards.

16. Do you sell my data?

We aren’t paid by anyone for any data. However, in California, the laws define “sale” broadly to include the sharing of personal information in exchange for anything of value. If you opt in to our use of cookies and web beacons, this use may be considered a “sale” of personal information under that specific California law. For specific information on your data rights as a resident of California, see the additional notice for California residents.

17. Can I sign up for Really Global and remain anonymous?

When you create an account with Really Global, you’ll be asked to provide a first and last name. These fields are mandatory, but you are not obligated to use your real name if you wish to maintain anonymity.

An email address and a mobile number are required for account verification and communication purposes. You may opt for an email that does not include your real name, even if you are using our services through an employer, organization, or other business partner. However, be aware that emails and mobile numbers may be considered ‘personal data,’ ‘personally identifiable information,’ or ‘sensitive personal data’ under various jurisdictions. These identifiers are treated with the utmost security and confidentiality, in compliance with relevant data protection regulations.

When you decide to engage in Mental Health Services, we’ll ask for emergency contact information. This information is essential for your safety and is used only in emergency situations, such as if a Company believes you or someone else is in immediate danger. We assure you that this information is kept confidential and secure. A Company may also request additional specific information, such as health history or previous diagnoses, as mandated by their accreditation guidelines.

Even though we try to limit the kinds of information you must provide to us as discussed above, it is very difficult to be truly “anonymous” when you use any app or the internet. Read more about what data we Process and why here:

  • What specific data are you Processing?
  • Do you Process location data?
  • Why do you collect and Process my data?
  • What are you using cookies and web beacons for?

If you’re interested in further limiting what data is Processed, visit our opt-out instructions page to opt-out of tracking via cookies or web beacons, or for instructions on how to remove previously set cookies.

18. How long do you retain my data and how do I request data erasure?

Really Global is committed to ensuring that all applicable Client data is retained only for the duration necessary to provide relevant products and Mental Health Services, and in accordance with legal requirements.

Ownership of Your Data
Clients retain ownership and control of their personal mental health data collected or generated while using the Technology Platform. This means you have the right to access and obtain a copy of your personal mental health data at any time, as outlined in this Policy. By maintaining ownership of your data, you can use it for your own purposes, share it with others, or request its erasure in accordance with applicable laws and regulations. For details on how to exercise these rights, including accessing or deleting your data, please see the sections above.

Certain types of data are retained for a period after you cancel your membership or your account becomes inactive. This data retention allows for a seamless re-engagement should you decide to utilize our services again and enables Companies to reference historical information. It’s also necessary for the proper functioning of our products and services.

In addition to the data retention schedule outlined below, Really Global has a process in place for all Clients, regardless of their location, to receive and process requests to erase or access their data without undue delay.

The following sections detail both the duration for which a Client can expect their data to be retained based on specific account information, as well as how to request data erasure and access. In this Policy, data erasure is defined as the permanent removal or obfuscation of identifiable data (See “What is this Privacy Policy”) so that it becomes inaccessible.

Retention Policy:
Really Global’s data retention policies are determined by the type of data being Processed, whether or not the Client has engaged in Mental Health Services, and whether the Client has proactively requested data erasure or if erasure is initiated due to inactivity on the Technology Platform.

Did not engage in Mental Health Services & did not request data erasure:
Your data is retained for 10 years after your last login date and is then erased.

Did engage in Mental Health Services & did not request data erasure:
Your data is retained for 10 years after your last login date and is then erased.

Did not engage in Mental Health Services & did request data erasure:
Your data is erased within 24 hours of the erasure request. 

Did engage in Mental Health Services & did request data erasure:
Data that is not classified as Clinical Health Record (See “What Specific Data are you Processing?”), Communications (e.g., records of Client complaints or deletion requests), or disclosures of personally identifiable information to Data Processors is erased within 24 hours of the erasure request. All other data is erased after 10 years.Exercising Your Data Protection Rights:

As stated, you have certain rights under data protection laws, including the right to request that we erase personal data we hold about you, and the right to request a copy of it. The following sections describe how you can exercise those rights.

Exercising Your Data Protection Rights:
As mentioned earlier, you have specific rights under data protection laws, which include the right to request the erasure of your personal data and the right to request a copy of it. Below are the details on how you can exercise these rights.

Requesting Data Erasure:
To request data erasure, please log into your account and navigate to Menu > My Account (or Account Settings) > My Personal Information. Here, you’ll find a link to request the complete erasure of your account. Click on that link and follow the on-screen instructions. You will receive a confirmation email from us within 24 hours of your request, signaling the successful initiation of the data erasure process.

You can visit our opt-out instructions page for further details on how to request erasure or to opt-out of previous settings you’ve agreed to.

For extra help, you may contact us through our customer support page. We will comply with your data erasure request only after verifying your identity. Please note that specific requirements must be met for us to process your data erasure request through customer support. Generally, there is no charge for this service. However, in exceptional cases, we may discuss and apply a reasonable fee

Requirements:

  • Only you or your authorized representative may make a request on your behalf. You may also make a request on behalf of your minor child, depending on applicable laws.
  • You must provide sufficient information that allows us to reasonably verify your identity or status as an authorized representative.
  • You must provide details that allow us to understand, evaluate, and respond to your request.

In some circumstances, legal or regulatory requirements limit our ability to honor erasure requests. As such, we may decline requests for erasure if the information is:

  • Subject to a litigation hold or legal request to preserve it.
  • Necessary to comply with laws and regulations and to maintain business integrity.
    • Clinical Health Record (described above) falls under this exemption.

Additionally, compliance obligations require us to retain records documenting certain interactions you have with us related to your membership. As such, we cannot honor erasure requests for information contained in records of:

  • Communications about complaints and erasure or access requests.
  • Disclosures of personal data to third parties.

If we don’t intend to comply with a request, we will inform you why this is the case and outline how we weighed your rights and freedoms against our legal obligations. In such instances, any information retained will only be used for purposes contemplated under the legally recognized exemption.

19. How do I request my data or delete it?

To receive a summary copy of your data, please log in to your account and go to Menu > My Account (or Account settings) > My Personal information, where you will see an option to request a copy of your data. The data you will receive as part of this request includes the contact information that you input on the site, questionnaire answers, worksheet entries, emergency contact information, messages you sent to a Company, journal entries that you created, and other personal information.

Additional data which we maintain includes email interactions with our help desk, which is stored on your email system. You may also request this information by contacting us through customer support.

As with data erasure, we are not always able to respect your request for data access. For more information on why this may be and how the situation will be handled, please reference the previous section.

20. How can I stop receiving direct marketing emails from you?

You can always opt out of receiving marketing emails. In order to opt out, you can select the unsubscribe link located at the bottom of the relevant email communication.

21. How do you treat data from children?

Really Global’s technology platform enables Companies to offer Mental Health Services to a diverse client base, including minors. The guidelines for managing data related to minors are as follows:

Parental or Guardian Consent:
The requirement for parental or guardian consent for minors to access Mental Health Services offered by Companies through Really Global varies depending on the age of the minor and the applicable laws in their jurisdiction.

In some jurisdictions, minors below a certain age may access Mental Health Services without parental or guardian consent, while in others, parental consent may be mandatory until the minor reaches the legally defined age of consent for receiving such services.

Additionally, certain jurisdictions may have provisions that allow minors within specific age ranges to consent to mental health treatment without parental permission, subject to certain conditions or exceptions, such as when the minor is considered a danger to themselves or others.

In some cases, jurisdictions may require parental notification but not consent when a minor seeks Mental Health Services, depending on the minor’s age and the specific laws in place.

Really Global assists Companies in obtaining the necessary consents and providing notifications in accordance with the applicable laws in the minor’s jurisdiction. It is the responsibility of the Companies to ensure compliance with local laws and regulations when providing Mental Health Services to minors.

Really Global recommends that minors and their parents or guardians familiarize themselves with the specific laws and regulations governing mental health treatment consent in their jurisdiction to understand their rights and obligations.

Really Global doesn’t knowingly collect or solicit data or information from anyone under the age of consent for their state or country or knowingly allow such persons to become users on the platform. The Platform is not directed at and not intended to be used by children under the age of consent for their state or country. If you’re aware that we have collected personal information from a child under the age of consent for their state or country, please let us know by contacting us, and we’ll delete that information.

Security Measures: 
Really Global implements robust security measures to safeguard all client data stored on the platform, irrespective of the client’s age,  including strong encryption and secure data storage.

Data Retention and Erasure:
For information on data retention and the right to erasure, please see, “How long do you retain my data and how do I request data erasure?

By using Mental Health Services facilitated by the Technology Platform, you affirm that you have reviewed and understood the applicable terms, including the Informed Consent and Minor Consent and FERPA Disclosure sections of our Terms of Service, as well as this Privacy Policy. If you are a parent/guardian providing consent for a minor, or if you are a minor consenting to services where legally permitted, you affirm your understanding and agreement to the relevant terms governing minor consent and data privacy.”

22. How is My Data Used for Legal Compliance?

When legally required, Really Global may cooperate with governmental agencies, including but not limited to, fulfilling court orders through subpoenas for information. The Companies providing the Mental Health Services are responsible for deciding whether to disclose psychotherapy notes or communications with clients.

We recommend discussing any concerns you may have regarding disclosure obligations with any Company providing you with Mental Health Services as early as possible.

Professional and Legal Obligations: 
You should also be aware that Companies may be required to disclose information to authorities to meet professional and legal responsibilities. Such circumstances might include:

  • Reported or suspected abuse
  • Serious suicidal potential
  • Threatened harm to others
  • Court-ordered treatment or evaluation

If you have concerns about these kinds of disclosures, it’s advisable to discuss them with the Companies providing you with Mental Health Services.

23. Will you change this Privacy Policy?

We may update this Privacy Policy. When we make significant changes to this Policy, we will notify you through our website or app when you log in to your account. We encourage you to periodically review this page for the latest information.

24. Additional Privacy Notice for California Residents

This Privacy Notice for California Residents supplements the Really Global Privacy Policy to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act (“CPRA”) of 2023. 

The CCPA and the CPRA are California laws that provide its residents with certain rights over information about them, including notice about the categories of personal information we have collected from them in the preceding twelve (12) months and the purposes for which the information is used or disclosed, and correction of personal information.

The following Sections outline the data that is Processed by us, as well as the purpose for collection, and the categories of sources of such information:

  • What specific data are you Processing?
  • Do you Process location data?
  • Why do you collect and Process my data?
  • What are you using cookies and web beacons for?

The data referenced at those links may fall in certain defined categories under the CCPA and CPRA. Accordingly, we may have collected:

  • Identifiers;
  • Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e));
  • Protected classification characteristics under California or federal law;
  • Commercial information;
  • Biometric information;
  • Internet or other similar network activity;
  • Geolocation data;
  • Sensory data;
  • Sensitive Personal Information;
  • Professional or employment-related information; and
  • Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

The information that we have disclosed in the past 12 months and the recipients of the information are described above, in the section titled “What are the purposes for sharing my data?” The information that we may have shared in the past 12 months falls into the following personal information categories under the CCPA and CPRA:

  • Identifiers;
  • Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e));
  • Protected classification characteristics under California or federal law;
  • Commercial information;
  • Internet or other similar network activity;
  • Geolocation data;
  • Sensory data;
  • Sensitive Personal Information; and
  • Professional or employment-related information;
  • Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

As noted in the Section titled “Do you sell my data?”, our “sale” of information (including sale of information about consumers under the age of 16) does not consist of the disclosure of your information for targeted advertising purposes, and we aren’t paid by any external or Third Party for any data. The information that we may have “sold” (for purposes of the CCPA and CPRA) in the past 12 months falls into the following personal information categories under the CCPA and CPRA:

  • Identifiers;
  • Commercial information; and
  • Internet or other similar network activity.

Do I have the right to know what information you have about me?
Yes, as a California resident you can request certain information about what we have Processed over the past 12 months. Once we receive and verify your consumer request, we can provide:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting that personal information.
  • The categories of Third Parties with whom we shared that personal information.
  • The specific pieces of personal information we collected about you.
  • Whether we disclosed your personal information for a business purpose and the personal information categories that each category of recipient obtained.

We will verify your identity by matching the information you provide with information that we maintain about you or via biometrics (specifically, FaceID via iOS). You also have the right to request that we correct personal information about you if it is found to be inaccurate. To make such a request, please contact us through customer support.

Can I “opt out” or request that you delete my information?
Yes, you can request that we delete your data as described in the section of this Policy called: “How do I request my data or delete it?” Once your request is received and verified by matching the information you provide with information that we maintain about you or via biometrics, we’ll move forward with the Process of deleting your information in line with our legal requirements and Retention Policy. We cannot fulfill a deletion request and need to retain your information if the data is necessary to:

  • Provide you services, take actions reasonably anticipated within the context of our ongoing business relationship, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with applicable laws, including but not limited to, the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.) and information covered by the California Confidentiality of Medical Information Act.
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

As noted above, you do not need to opt in to the “sale” of personal information about you by withdrawing your consent to accept cookies here. Our websites are also designed to implement a do-not-sell privacy preference.

Other California privacy rights
California’s “Shine the Light” law (Civil Code Section § 1798.83) permits California residents to request certain information regarding our disclosure of personal information to Third Parties for direct marketing purposes. To make such a request, please contact us through our customer support page.

25. General Data Protection Regulation (GDPR) and UK General Data Protection Regulation Notice

This section provides additional information about our Policy relevant to you if you are from the European Economic Area (the EEA), United Kingdom, and Switzerland (together “European Area Countries”). It supplements and should be read in conjunction with the rest of the Policy.

Under the European Area Countries’ privacy laws, we are the Controller with respect to your data.

When is my data used?

  • When it is in our legitimate interests or an external third party’s legitimate interests (“legitimate interest” is a term defined by the General Data Protection Regulation (GDPR) and UK General Data Protection Regulation Notice). Our legitimate interests in this instance include managing the Technology Platform and Really Global’s business, safety and security of the infrastructure, prevention of fraud, research, and development, and management of contracts and legal claims.
  • When it is needed for the provision of the Platform. In particular, for product development and internal analytics purposes, and otherwise to improve the safety, security, and performance of the Platform. We only rely on our or an external third party’s legitimate interests to Process your data when these interests are not overridden by your rights and interests.
  • When it is necessary to do so to comply with any legal obligations imposed upon us under our contractual obligations or our contractual obligation or applicable law.
  • In rare instances, when it is a medical emergency, we may use your data to protect your or another’s vital interests if consent is not a reasonable option.
  • When you have consented to the use of your data, for marketing purposes or through the use of cookies and web beacons. Where consent is the legal basis, you have the right to withdraw your consent at any time.

What Lawful Basis for Sensitive Data is Used in the UK and EEA? 
Really Global may also collect and Process certain categories of personal information, which may be considered “sensitive personal information” in the UK and EEA. The lawful basis for this Processing are (1) health and social care, (2) our establishment, exercise, or defense of a right or legal obligation, (3) substantial public interest, and (4) consent. Where consent is the legal basis, you have the right to withdraw your consent at any time. Sensitive personal information that we Process includes your racial or ethnic origin, religious or philosophical beliefs, and data concerning your health or about your sex life or sexual orientation.

When you begin to use our Technology Platform and register an account, we may ask you to provide information and preferences to help Clients explore and select services that meet their specific needs. In so doing, you may provide us with “sensitive personal Information” as described above. You may also continue to share such data with us as you receive Mental Health Services. This data is necessary as it allows the Technology Platform to support Companies in providing personalized Mental Health Services to you. Companies also review this data and can choose to not work with you if they are not a good fit. We may also use this information to improve quality assurance and understand how you interact with Companies and the Technology Platform.

How we obtain your personal information
Really Global obtains the categories of personal information listed above from the following sources:

  • Directly from you, such as information when you apply to be a counselor or that you submit during the Process of using and paying for Mental Health Services.
  • Indirectly from you, such as through your actions on Technology Platform.
  • From external business partners, such as social media sites, ad networks, and analytics providers.

What are my rights and choices under European Area Countries laws?
European Area Country residents have specific rights regarding their data. This section describes your rights if you are resident in the European Area Countries and explains how to exercise those rights.

  • Subject access request: You may be entitled to ask us for a copy of any data which we hold. We will normally send you a copy within one month of your request. However, that period may be extended by two additional months where necessary, taking into account the complexity of the request or the difficulty in accessing the data that you request. There is usually no charge. In exceptional circumstances, we may charge a reasonable fee after discussing the fee with you.
  • Right to rectification: If the data we hold about you is inaccurate, you may request rectification. The data will be checked, and, where appropriate, inaccuracies will be rectified.
  • Right to erasure: In certain circumstances, you may be entitled to ask us to erase your data.
  • Right to data portability: In certain circumstances, you may wish to move, copy, or transfer the electronic data that we hold about you to another organization.
  • Right to object: You may object to your data being used for direct marketing. You may object to the continued use of your data in any circumstances where we rely upon consent as the legal basis for Processing it. Where we rely upon legitimate interests as the legal basis for Processing your data, you may object to us continuing to Process your data, but you must give us specific reasons for objecting. We will consider the reasons you provide, but if we consider that there are compelling legitimate grounds for us to continue to Process your data, we may continue to do so. In that event, we will let you know the reasons for our decision. In some instances, objecting to certain Processing may impact our ability to provide you with services.
  • Rights related to automated decision-making including profiling: We use limited data to operate the Platform and to carry out certain profiling activities to support and grow our business. When doing so, we rely upon our legitimate interests as the lawful basis for Processing your data, and you may exercise the above rights if you do not wish us to Process your data in this way.

To exercise the rights in relation to your data set out in this section, please contact us through our customer support page.

Is my data transferred internationally?
As a part of our standard business practices, we may transfer your data to organizations based in countries that have not been granted an adequacy decision under the General Data Protection Regulation. Where data is transferred to such countries, we shall ensure that specific safeguards or derogations have been established.

These might include where the data transfer is necessary in order to fulfill a contract between us and yourself, where we have received your specific consent after having made you aware of any risks involved, or where contracts are in place between us and the third parties involved that ensure the recipient organization has a suitable standard of data protection in place.

You can contact us with questions about this Policy or about your data through our customer support page.

While we’ll always work with you to resolve any concerns you have about the use of your data, under GDPR you have the right to lodge a complaint with the supervisory authority in your country of residence if you have any concerns about our use of your personal information.

Additional Privacy Notice for non-US, non-UK, and non-EU residents
As a part of our standard business practices, data is transferred outside of many visitors’ countries of residence and predominantly used, accessed and processed within the U.S. Fortunately, given the robust and rigorous nature of privacy laws in the US, UK, and EU with which we comply, Really Global considers that this has the effect of protecting user information in a way that, overall, is at least substantially similar or in many ways exceeds non-US data privacy legal requirements. To the extent we contract with vendors who are outside of the U.S, we ensure that specific safeguards have been established to protect that data.

Last Updated: November 14, 2024