Back to Home

Privacy Policy

Last Updated: October 1, 2025

1. Introduction

Ollie AI ("we," "our," or "us") is committed to protecting your privacy and the confidentiality of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mental health and wellness platform (the "Service").

This Service handles sensitive mental health information and is designed with privacy and security as core principles. We comply with applicable data protection laws including HIPAA, GDPR, and CCPA where applicable.

2. Information We Collect

2.1 Personal Information

We collect the following categories of personal information:

  • Identity information: Name, email address, phone number
  • Account credentials: Password (encrypted), authentication tokens
  • Profile information: Display name, profile photo, organizational affiliation
  • Payment information: Credit card details (processed securely through Stripe), billing address, transaction history

2.2 Mental Health Information

We collect sensitive mental health data to provide our services:

  • Assessment responses: Answers to mental health questionnaires and screening tools
  • Wellness metrics: Mood tracking, stress levels, and wellness pillar scores
  • Chat conversations: Messages exchanged with our AI coach and admin support
  • Session notes: Summaries and insights from coaching sessions
  • Expert booking information: Appointments with licensed professionals

2.3 Technical Information

  • Device information: Browser type, operating system, device identifiers
  • Usage data: Pages visited, features used, time spent on platform
  • IP address and location: General geographic location based on IP address
  • Cookies and tracking technologies: Session cookies, preference cookies
  • Privacy-friendly analytics: Hash-based visitor identification (Vercel Analytics) with no third-party cookies and automatic 24-hour session expiration

3. How We Collect Information

  • Directly from you: When you create an account, complete assessments, use our chat feature, or book expert sessions
  • Automatically: Through cookies, log files, and similar technologies when you use our Service
  • From third parties: OAuth providers (Google, GitHub, Microsoft), payment processors (Stripe), booking services (Cal.com)
  • From your organization: If you access our Service through a B2B corporate account

4. How We Use Your Information

We use your information for the following purposes:

4.1 Service Delivery

  • Provide AI-powered mental health coaching and support
  • Calculate and display wellness metrics and insights
  • Facilitate expert booking and session management
  • Process payments and manage credit balances
  • Send notifications about appointments, assessments, and platform updates

4.2 Platform Improvement

  • Analyze usage patterns to improve user experience
  • Develop and enhance AI coaching capabilities
  • Conduct aggregated research and analytics (de-identified data only)
  • Identify and fix technical issues

4.3 Legal and Security

  • Comply with legal obligations and regulatory requirements
  • Protect against fraud, abuse, and security threats
  • Enforce our Terms of Service
  • Respond to legal requests and prevent harm

5. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

5.1 Service Providers

  • AI Services: Google AI (Gemini) processes chat messages to generate AI coaching responses. When using paid API services, your conversations are NOT used to train AI models. Data is retained for 55 days solely for abuse monitoring and security purposes.
  • Payment Processing: Stripe for secure payment transactions
  • Booking Services: Cal.com for expert appointment scheduling
  • Communications: SMS Portal (SMS - content may be monitored for spam and fraud detection), Resend (email), WhatsApp Business API (messages are end-to-end encrypted, but metadata including phone numbers and IP addresses is shared with Meta/Facebook)
  • Hosting: Cloud infrastructure providers for secure data storage

5.2 Licensed Professionals

When you book a session with a licensed expert, we share relevant information necessary for them to provide services to you.

5.3 Your Organization (B2B Users)

If you access our Service through an organizational account, we may share aggregated, de-identified usage and wellness data with your organization's administrators. Individual mental health information and chat content are not shared without your explicit consent.

5.4 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect rights, property, or safety.

6. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: Data encrypted in transit (TLS) and at rest
  • Authentication: Secure authentication with database sessions (not JWT)
  • Access Controls: Role-based access control and multi-tenant data isolation
  • Secure Infrastructure: Hosting on secure, compliant cloud infrastructure
  • Regular Audits: Ongoing security assessments and vulnerability testing
  • Input Validation: Comprehensive validation to prevent injection attacks

While we take extensive measures to protect your data, no system is completely secure. We cannot guarantee absolute security but will notify you promptly of any data breach as required by law.

7. Data Retention

We retain your information for different periods depending on the type of data:

  • Account Information: Until you delete your account, plus 30 days for recovery
  • Chat History: Retained for continuity of care, deleted upon account deletion
  • Assessment Results: Retained for wellness tracking, deleted upon account deletion
  • Transaction Records: 7 years for legal and tax compliance
  • Aggregated Analytics: Indefinitely in de-identified form

You can request deletion of your data at any time through your account settings or by contacting us.

8. Your Privacy Rights

Depending on your location, you may have the following rights:

8.1 General Rights

  • Access: Request access to your personal information
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and data
  • Portability: Receive a copy of your data in a portable format
  • Opt-out: Unsubscribe from marketing communications

8.2 GDPR Rights (EU/UK Users)

  • Right to withdraw consent at any time
  • Right to restrict or object to processing
  • Right to lodge a complaint with a supervisory authority

8.3 CCPA/CPRA Rights (California Users)

  • Right to know what personal information is collected
  • Right to know if personal information is sold or shared
  • Right to opt-out of sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your rights

To exercise these rights, please contact us at privacy@ollie.health or use the account deletion feature in your settings.

9. Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Essential Cookies: Required for authentication and core functionality
  • Preference Cookies: Remember your settings and preferences
  • Performance Cookies: Monitor and improve Service performance

9.1 Privacy-Friendly Analytics

We use Vercel Analytics, a privacy-conscious analytics solution that:

  • Uses hash-based visitor identification instead of third-party cookies
  • Automatically expires visitor sessions after 24 hours (not stored permanently)
  • Tracks page views and navigation patterns without personally identifiable information
  • Processes data in accordance with Vercel's Terms of Service

You can control cookies through your browser settings. Disabling essential cookies may affect Service functionality.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for international transfers, including:

  • Standard contractual clauses approved by relevant authorities
  • Adequacy decisions by regulatory bodies
  • Compliance with applicable data protection frameworks

11. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

12. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will:

  • Update the "Last Updated" date at the top of this policy
  • Notify you of material changes via email or prominent notice on our Service
  • Provide at least 30 days notice before material changes take effect

Your continued use of our Service after changes become effective constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Email: support@ollie.health

Legal: legal@ollie.health

For GDPR-related inquiries, you may also contact our Data Protection Officer at dpo@ollie.health

15. Do Not Sell My Personal Information

We do not sell your personal information to third parties. If you are a California resident and have questions about our data practices, please contact us at privacy@ollie.health