Privacy Policy for HeartSync

Last Updated: January 03, 2026

This Privacy Policy explains how The EduAssist (operating HeartSync) (“we,” “us,” or “our”) collects, uses, shares, and protects your information when you use the HeartSync mobile application, the website at https://heartsync.theeduassist.com/, and any related services (collectively, the “Service”).

HeartSync is a secure video call system designed specifically for mental health facilities, enabling telehealth consultations, appointment scheduling, and secure communication between patients (up to 800 per facility) and licensed mental health providers.

We are deeply committed to protecting your privacy, especially because the Service handles highly sensitive mental health information. We comply with the Health Insurance Portability and Accountability Act (HIPAA) in the United States, Google Play Store policies (including the Data Safety section and Health Apps requirements), and other applicable privacy laws.

By using HeartSync, you agree to the practices described in this Privacy Policy. Please review it carefully and check for updates periodically.

1. Information We Collect

We collect only the information necessary to deliver secure mental health services.

a. Personal Information

  • Full name, date of birth, gender, contact details (email address, phone number).
  • Account login credentials (username and password).
  • Facility-specific identifiers (patient ID, room number if applicable).

b. Sensitive Health Information (Protected Health Information or PHI under HIPAA)

  • Mental health diagnoses, treatment history, session notes, progress reports.
  • Medications, symptoms, therapy goals, and other clinical information shared during consultations.
  • Audio and video data from telehealth sessions (transmitted in real time; recordings are created only with explicit consent from both patient and provider and for specific treatment or quality purposes).

c. Technical and Usage Information

  • Device information (device ID, operating system, browser type, IP address).
  • Log data (session start/end times, features used, error reports).
  • Approximate location (only if enabled for facility check-in features).

d. Information from Integrated Systems

  • Data imported from electronic health records (EHR) systems, with your explicit consent.

Google Play Data Safety Declaration: We declare collection of:

  • Personal info (name, email address, phone number)
  • Health and fitness data (mental health information)
  • Audio files and videos (session data)
  • Device or other IDs

All collection is required for core app functionality (providing telehealth services) and is not optional.

2. How We Use Your Information

We use your information solely to:

  • Facilitate secure video consultations and scheduling.
  • Verify identity and maintain session security.
  • Support treatment, payment, and health care operations (permitted uses under HIPAA).
  • Improve service quality and reliability (using de-identified data where possible).
  • Send essential notifications (appointment reminders, security alerts).
  • Detect, prevent, and investigate security incidents or fraud.
  • Comply with legal and regulatory requirements.

We do not use your health information for marketing, advertising, or any purpose unrelated to your mental health care.

3. How We Share Your Information

We share information only when necessary and always in compliance with HIPAA and Google Play policies.

a. With Your Consent or at Your Direction

  • During live sessions (shared with your assigned mental health provider).
  • When you explicitly request sharing with another provider or third party.

b. With HIPAA-Covered Service Providers (Business Associates)

  • Secure cloud hosting providers, video infrastructure vendors, and analytics tools.
  • All vendors sign Business Associate Agreements (BAAs) and are fully HIPAA-compliant.

c. For Legal Compliance

  • When required by law, court order, or government request.
  • To protect the rights, safety, or property of users, the facility, or the public.

d. De-Identified or Aggregated Data

  • Anonymized data for research, quality improvement, or reporting (no individual can be identified).

We do not sell personal or health data. We do not share sensitive health information with third parties for advertising or independent analytics.

Google Play Compliance: Data is shared only with service providers necessary for app functionality and is never shared with third parties for their own purposes.

4. Data Security

We employ industry-leading security measures:

  • End-to-end encryption for all video/audio transmissions.
  • Encryption at rest for stored data.
  • Role-based access controls and multi-factor authentication.
  • Regular security audits, penetration testing, and risk assessments.
  • HIPAA-compliant infrastructure and signed BAAs with all vendors.

While we implement strong safeguards, no system can guarantee 100% security. In the unlikely event of a breach, we will notify affected users and authorities as required by law.

5. Data Storage and Retention

  • Data is stored on secure, HIPAA-compliant servers primarily located in the United States.
  • Protected Health Information is retained as required for treatment and legal compliance (at least 6 years under HIPAA, or longer if mandated by state law or facility policy).
  • Session recordings (if any) are deleted according to consent terms or retention policy.
  • Inactive accounts and associated data are deleted upon request or after prolonged inactivity (subject to legal holds).

6. Your Privacy Rights and Choices

You have the following rights:

  • Access, review, and receive a copy of your data.
  • Request correction of inaccurate information.
  • Request deletion of your data (subject to legal retention requirements).
  • Restrict certain uses or disclosures.
  • Withdraw consent (which may limit your ability to use the Service).
  • Opt out of non-essential notifications.

To exercise these rights, contact us through the app settings or email privacy@heartsync.theeduassist.com.

Data Deletion Requests: Google Play requires easy deletion options. You can request full account and data deletion directly in the HeartSync app or via email. We will process verified requests promptly.

7. Children’s Privacy

HeartSync is not intended for use by children under 18 without supervision and consent from a parent or guardian. We comply with the Children’s Online Privacy Protection Act (COPPA) and Google Play Families policies.

8. International Data Transfers

HeartSync is operated from the United States. If you access the Service from outside the U.S. (e.g., EU), your data will be transferred to and processed in the U.S. We implement appropriate safeguards for international transfers as required by applicable law.

9. Compliance with Google Play and Other Regulations

  • We accurately complete Google Play’s Data Safety form and Health App Declaration.
  • All requested permissions (camera, microphone, internet) are essential for video calls and cannot be disabled without breaking core functionality.
  • We engage in no deceptive practices and make no misleading claims about data handling.

We also comply with HIPAA Privacy, Security, and Breach Notification Rules.

10. Changes to This Privacy Policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via in-app notice or email. Your continued use of HeartSync after changes constitutes acceptance of the updated policy.