Privacy Policy
Effective Date: 20 March 2026 · Last Updated: 20 March 2026
1. Who We Are
ElloMind is operated by JOETER CONSULTING LLP (LLP Identification Number: ACC-6688), a limited liability partnership registered in India. When this policy refers to “ElloMind,” “we,” “our,” or “us,” it means JOETER CONSULTING LLP.
This privacy policy applies to all information collected through our website (ellomind.com), our online therapy services, our booking systems (powered by Zoho), contact forms, WhatsApp communications, email correspondence, and any related tools, platforms, or communications operated by ElloMind.
For questions about how we handle your data, see Section 21: Contact Us.
2. Your Consent
By using our website or services, you agree to the collection, use, and processing of your information as described in this policy. If you do not agree with any part of this policy, please do not use our services.
Where we rely on consent as the legal basis for processing your data, you have the right to withdraw that consent at any time by contacting us at info@ellomind.com. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
For users under 18, parental or legal guardian consent is required before using our services. See Section 12: Children and Minors and our Minor Protection Policy in the Terms & Conditions.
3. Information We Collect
3.1 Information You Provide Directly
| Category | What we collect | When |
|---|---|---|
| Account details | Full name, email address, phone number, date of birth | When you create an account or book a session |
| Session information | Reason for seeking therapy, session notes (maintained by your therapist), treatment goals, preferences, and feedback | During the therapy process |
| Contact messages | Name, email, and message content | When you use our contact form or email us |
| WhatsApp messages | Phone number, message content, timestamps | When you reach out via WhatsApp |
| Payment details | Transaction amount, payment method type, billing address. Full card numbers are never stored on our servers; they are processed by PCI-DSS compliant payment providers | When you make a payment |
| Emergency contact | Name and phone number of a person you designate | If you choose to provide an emergency contact |
| Session recordings and transcriptions | Audio and/or video recordings of therapy sessions, AI-generated transcripts, and session summaries | During therapy sessions, with your prior informed consent (see Section 3.5) |
3.2 Information We Collect Automatically
| Category | Details | Purpose |
|---|---|---|
| Device and browser | Device type, operating system, browser type, screen resolution, language setting | Website optimisation and compatibility |
| Usage data | Pages visited, time on page, buttons clicked, scroll depth, referral source, entry and exit pages | Understanding how visitors use our site |
| IP address | IP address and approximate geographic location | Analytics, security, and fraud prevention |
| UTM parameters | Campaign source, medium, and name from URL parameters (utm_source, utm_medium, utm_campaign, etc.) | Measuring advertising effectiveness |
| Cookies | See Section 9 for full details | Various (see below) |
3.3 Sensitive Health Information
Because we provide mental health services, some information you share may be classified as sensitive personal data or health information under applicable law. This includes anything disclosed during therapy sessions, diagnostic impressions, treatment plans, and clinical notes.
We treat all therapy-related data with the highest level of care. This data is accessible only to your assigned therapist and, when strictly necessary for clinical supervision, quality assurance, or operational purposes, authorised clinical and administrative staff. Where AI-assisted tools are used for session recording or transcription (see Section 3.5), such data is processed under the same safeguards. Therapy-related data is never used for marketing, advertising, or analytics.
3.4 What We Do Not Collect
- We do not collect biometric data (fingerprints, facial recognition, voice prints)
- We do not purchase or obtain personal data from data brokers or third-party data sellers
- We do not access your device contacts, photos, files, or other personal data beyond what is listed in this policy
3.5 Session Recordings and Transcriptions
ElloMind may record, transcribe, or process therapy sessions using AI-assisted tools for quality assurance, clinical supervision, training, and service improvement purposes. This is done only with your prior informed consent, which is obtained through the mandatory intake and consent form before your first session (see Section 5.4 of our Terms & Conditions).
Session recordings and transcriptions are treated as sensitive health information and are subject to the same level of protection described in Section 3.3 above. Access to recordings is restricted to authorised personnel on a need-to-know basis. Recordings are never used for marketing, advertising, or any purpose unrelated to the delivery and improvement of clinical services.
You may withdraw your consent to session recording at any time by notifying us in writing at info@ellomind.com. Withdrawal of consent applies to future sessions only and does not affect recordings already made prior to your withdrawal. For full details on our recording policy, see Section 16 of our Terms & Conditions.
Important: Clients are not permitted to record any session (audio, video, or screen capture) without the prior written consent of the therapist and ElloMind. Unauthorised recording may result in immediate termination of services.
4. Lawful Basis for Processing
We process your personal data on the following legal grounds, depending on the type of data and the specific processing activity:
| Legal basis | When it applies |
|---|---|
| Consent | When you opt in to marketing emails, provide sensitive health information, or consent to non-essential cookies |
| Contract performance | When processing is necessary to deliver the therapy services you booked, process payments, and manage your account |
| Legitimate interest | When we use analytics to improve our website, detect fraud, and ensure platform security. We always balance our interests against your rights |
| Legal obligation | When we are required to retain or disclose information under Indian law, tax regulations, or court orders |
| Vital interest | In rare cases where disclosure is necessary to protect someone's life or safety (e.g., imminent risk of harm) |
5. How We Use Your Information
We use your information for the following purposes:
5.1 Service delivery
- To provide, maintain, and improve our online therapy services
- To match you with an appropriate therapist based on your stated needs and preferences
- To schedule, reschedule, and manage your therapy sessions
- To process payments and send transaction-related notifications
5.2 Communication
- To communicate with you about your sessions, account status, and service updates
- To respond to your inquiries and provide support
- To send appointment reminders via email, SMS, or WhatsApp
- To send marketing communications about our services (you can opt out at any time)
5.3 Analytics and improvement
- To analyse website usage patterns and improve user experience
- To measure the effectiveness of our advertising campaigns
- To identify and fix technical issues on our website
5.4 Quality assurance and AI-assisted processing
- To record and transcribe therapy sessions (with your consent) for quality assurance, clinical supervision, and training
- To generate session summaries and assist therapists with administrative tasks through AI-assisted tools
- To conduct internal reviews of service quality and therapist performance
- To support clinical research using anonymised or de-identified data (personally identifiable information may be used only where separate consent has been obtained)
5.5 Security and compliance
- To detect, prevent, and address security issues, fraud, or abuse of our platform
- To comply with legal obligations, regulatory requirements, and professional standards
- To enforce our Terms & Conditions
6. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We may share your data only in the following situations:
6.1 With your therapist
Your assigned therapist has access to information relevant to your therapy. This includes your contact details, session history, clinical notes, and any information you share during sessions. For details on therapist confidentiality obligations, see our Confidentiality Policy.
6.2 With service providers
We work with trusted third-party providers who process data on our behalf. Each provider is bound by data processing agreements and is only permitted to use your data for the specific purpose for which it was shared.
| Provider | Purpose | Data shared |
|---|---|---|
| Zoho | Booking, CRM, session management | Name, email, phone, booking details |
| Google Analytics 4 | Website analytics | Anonymised usage data, device info, IP (truncated) |
| Microsoft Clarity | Session recordings, heatmaps | Anonymised interaction data, page views |
| Meta (Facebook) | Advertising measurement | Page events (anonymised), conversion data |
| Formspree | Contact form processing | Name, email, message content |
| Payment providers | Payment processing | Transaction data (we never see full card numbers) |
| AI processing providers | Session recording, transcription, meeting assistance, and post-session analysis | Session audio/video (with consent), transcripts, session metadata. No data is used to train third-party AI models |
| Video conferencing platforms | Hosting therapy sessions | Session connection data, participant names. Session content is end-to-end encrypted where supported |
6.3 With your explicit consent
If you explicitly ask us to share your information with a specific third party (for example, another healthcare provider or an insurance company), we will do so after obtaining your written consent.
6.4 For legal reasons
We may disclose your information when required by law, court order, or governmental regulation. This includes mandatory reporting obligations under Indian law, such as those under the POCSO Act.
6.5 For safety
If we believe in good faith that disclosure is necessary to protect your safety or the safety of others, including situations involving imminent risk of serious harm.
7. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes outlined in this policy, unless a longer retention period is required or permitted by law.
| Data type | Retention period | Reason |
|---|---|---|
| Account information | Active account + 3 years after closure | Account management, re-activation support |
| Clinical/session records | Minimum 7 years from last session | Professional guidelines, Indian legal requirements |
| Minor session records | Until the client turns 25, or 7 years from last session, whichever is longer | Child protection regulations, legal compliance |
| Contact form submissions | Up to 2 years | Follow-up, service improvement |
| Analytics data | Up to 26 months | Google Analytics default retention |
| Payment records | Up to 8 years | Tax regulations, financial audit requirements |
| Session recordings and transcripts | Up to 12 months from the session date, unless longer retention is required for clinical or legal reasons | Quality assurance, clinical supervision, dispute resolution |
| Marketing consent records | Duration of consent + 3 years | Proof of consent for regulatory compliance |
When data is no longer needed, it is securely deleted or anonymised so that it can no longer be linked to you.
8. Data Security
We implement technical and organisational measures to protect your personal information. For full details of our security posture, see the Information Security Policy in our Terms & Conditions.
8.1 Technical measures
- HTTPS/TLS encryption on all pages and data transmissions
- Encryption at rest for sensitive data
- Content Security Policy (CSP) headers to prevent cross-site scripting
- Secure, PCI-DSS compliant payment processing through third-party providers
- Video therapy sessions conducted through encrypted platforms
- Regular vulnerability assessments and security testing
8.2 Organisational measures
- Role-based access controls that limit data access to authorised personnel only
- All staff and therapists are bound by confidentiality agreements
- Security awareness training for all employees and contractors
- Documented incident response procedures
- Regular reviews of access permissions
Please note: No method of electronic transmission or storage is 100% secure. While we take every reasonable precaution, we cannot guarantee absolute security. If you suspect unauthorised access to your account, contact us immediately at info@ellomind.com.
9. Cookies and Tracking Technologies
9.1 What cookies we use
| Cookie type | Provider | Purpose | Duration |
|---|---|---|---|
| Essential | ElloMind | Theme preference (light/dark mode), session state | Persistent (localStorage) |
| Analytics | Google Analytics 4 | Understanding how visitors use our site (page views, scroll depth, button clicks) | Up to 2 years |
| Performance | Microsoft Clarity | Session recordings and heatmaps to identify usability issues | Up to 1 year |
| Marketing | Meta Pixel | Measuring advertising effectiveness and serving relevant ads on Facebook and Instagram | Up to 90 days |
9.2 UTM tracking parameters
When you visit our website from an advertisement or external link, the URL may contain tracking parameters (like utm_source, utm_medium, gclid, or fbclid). We store these parameters in your browser's sessionStorage (which is cleared when you close your browser tab) to measure which campaigns bring visitors to our site. These parameters are never linked to your therapy data.
9.3 How to manage cookies
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. You can also opt out of specific tracking services:
- Google Analytics: Install the Google Analytics Opt-out Browser Add-on
- Meta Pixel: Adjust your Facebook Ad Preferences
- Microsoft Clarity: Visit Clarity Opt-out
Blocking essential cookies may affect website functionality (for example, your theme preference may not be saved).
10. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal data:
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Correction | Request correction of inaccurate or incomplete data |
| Deletion | Request deletion of your personal data, subject to legal retention requirements (see Section 7) |
| Data portability | Request your data in a structured, commonly used, machine-readable format |
| Withdraw consent | Withdraw previously given consent at any time. This does not affect processing done before withdrawal |
| Object to processing | Object to processing of your data for direct marketing or where we rely on legitimate interest |
| Restrict processing | Request that we limit how we use your data while a complaint or objection is being resolved |
| Non-discrimination | We will not deny you services or change pricing because you exercised a privacy right |
To exercise any of these rights, email us at info@ellomind.com with the subject line “Privacy Request.” We will verify your identity and respond within 30 days. If we need more time, we will let you know the reason and the expected timeline.
11. International Data Transfers
Some of our service providers operate outside India. When your data is transferred internationally, we ensure adequate safeguards are in place:
- Contractual clauses with data processors requiring data protection standards equivalent to Indian law
- Selecting providers in jurisdictions with adequate data protection frameworks
- Ensuring transfers comply with the Information Technology Act, 2000, and the DPDP Act, 2023
- Data processing agreements that restrict how transferred data may be used
Your therapy session content is never transferred outside India unless specifically required by law or requested by you in writing.
12. Children and Minors
Our teen therapy services are available for individuals aged 13 to 18 with verified parental or legal guardian consent. For complete details on how we protect minors, see our Minor Protection Policy in the Terms & Conditions.
- We do not knowingly collect personal information from children under 13
- Parents or guardians must provide verified consent before a minor can begin therapy
- Parents receive general progress updates but do not have access to specific session content unless the minor consents or there is a safety concern
- Minor session records are retained until the client turns 25 (or 7 years from the last session, whichever is longer) to comply with child protection regulations
If you believe we have inadvertently collected information from a child under 13, contact us immediately at info@ellomind.com and we will delete that information.
13. Telehealth-Specific Privacy Provisions
Online therapy introduces specific privacy considerations that go beyond standard website privacy:
13.1 Video session privacy
- All video sessions are conducted through encrypted platforms
- ElloMind may record, transcribe, or otherwise process therapy sessions using AI-assisted tools, strictly for quality assurance, clinical supervision, training, and service improvement. Recording is carried out only with your prior informed consent obtained through the intake and consent form. You may withdraw consent to recording at any time for future sessions (see Section 3.5)
- Session recordings are stored securely, access-controlled, and treated as sensitive health information. They are never used for marketing, advertising, or purposes beyond clinical service delivery and quality assurance
- Clients are not permitted to record any session (audio, video, or screen capture) without the prior written consent of the therapist and ElloMind. Unauthorised recording may result in immediate termination of services
- We recommend conducting sessions from a private, quiet location where you will not be overheard
For full details on our recording policy, including the purposes of recording, data handling, and your rights, see Section 16 of our Terms & Conditions.
13.2 Therapist notes and records
- Therapists maintain session notes as part of your clinical record
- These notes are stored in encrypted systems with access limited to your assigned therapist
- Notes are never shared with other therapists (unless you request a transfer of care) or administrative staff unless operationally required
- For details on requesting your clinical records, see our Clinical Reporting Policy
13.3 Emergency situations
If during a session your therapist believes you or someone else is at immediate risk of serious harm, they may need to contact emergency services or your designated emergency contact. Your therapist will explain this to you at the beginning of therapy. For crisis resources, visit our Crisis Helpline page.
14. Third-Party Services
Our website contains links to third-party websites and services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing personal information.
The third-party services we currently integrate with are listed in Section 6.2. Each has its own privacy policy governing how it handles data:
- Zoho Privacy Policy
- Google Privacy Policy
- Microsoft Privacy Statement
- Meta Privacy Policy
- Formspree Privacy Policy
15. Data Breach Notification
In the event of a data breach that compromises your personal information, we will:
- Immediately investigate and contain the breach to prevent further unauthorised access
- Notify affected individuals within 72 hours of becoming aware of the breach, with clear information about what data was affected and what steps you should take
- Report the breach to relevant authorities as required by the DPDP Act, the IT Act, and other applicable law
- Document the incident and implement corrective measures to prevent recurrence
- Offer appropriate remediation to affected individuals based on the severity of the breach
Our incident response procedures are detailed in the Information Security Policy section of our Terms & Conditions.
16. Data Minimisation
We follow the principle of data minimisation: we only collect and retain data that is necessary for a specific, stated purpose. We do not collect data “just in case” it might be useful later.
- We review our data collection practices regularly to ensure we are not collecting more than we need
- Analytics data is anonymised or aggregated wherever possible
- Therapy-related data is accessible only to authorised clinical and administrative personnel and is used only for the delivery, supervision, and improvement of your clinical care
- Session recordings and transcriptions are retained only for the period stated in Section 7 and deleted securely thereafter
- When you delete your account, we remove all data that is not subject to legal retention requirements
17. Automated Decision-Making and AI
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. All clinical decisions are made by qualified human psychologists.
17.1 How we use AI
ElloMind uses AI-assisted tools in the following limited capacities:
- Session recording and transcription: With your consent, AI tools may record and transcribe therapy sessions for quality assurance and clinical supervision
- Meeting assistance: AI tools may assist with scheduling, session summaries, and administrative tasks related to your care
- Post-session processing: AI may be used to generate structured notes or summaries from session recordings to support therapist workflow
- Marketing and communications: AI may assist in drafting service-related communications. No therapy content is ever used for marketing purposes
17.2 How we do not use AI
AI is never used to:
- Make clinical decisions or diagnoses
- Generate therapist responses to clients during sessions
- Create client profiles for clinical purposes
- Access or analyse therapy session content for any purpose beyond the specific uses described above
For full details on our use of AI tools, see the AI Tools section of our Terms & Conditions.
18. Applicable Law and Jurisdiction
This privacy policy is governed by and interpreted in accordance with the laws of India, including:
- Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- Digital Personal Data Protection Act, 2023 (DPDP Act) and rules issued under it
- Applicable professional and ethical guidelines for clinical record-keeping and professional conduct
Any disputes arising from this privacy policy are subject to the exclusive jurisdiction of the courts in Kerala, India, as specified in our Dispute Resolution clause.
18.1 International clients
Important notice for clients outside India: ElloMind is operated from India by JOETER CONSULTING LLP, a company registered and headquartered in India. Our services, data handling practices, and this privacy policy are designed to comply with Indian law. We do not represent or guarantee compliance with the data protection laws of any other country or jurisdiction, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the UK Data Protection Act, or equivalent legislation in other regions.
If you are accessing our services from outside India, you do so at your own discretion and are responsible for compliance with your local laws to the extent they apply to you. By using our services, you consent to the transfer, storage, and processing of your personal data in India in accordance with this policy and Indian law.
If you require specific data protection measures under the laws of your jurisdiction (for example, GDPR-specific rights, cross-border data transfer safeguards, or specific consent requirements), you must inform us in writing at info@ellomind.com before beginning therapy. ElloMind does not independently assess, classify, or verify the regulatory requirements of individual international clients. We will make reasonable efforts to accommodate specific requests where feasible, but we cannot guarantee full compliance with foreign data protection frameworks.
Any protections offered to international users are provided on a best-effort basis and do not create additional legal obligations beyond those mandated by Indian law.
19. Limitation of Liability and Indemnity
19.1 Limitation of liability
To the fullest extent permitted by Indian law, ElloMind, its partners, employees, therapists, and agents shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising out of or in connection with the processing of your personal data, including but not limited to:
- Unauthorised access to or alteration of your data caused by events beyond our reasonable control, including cyberattacks, force majeure events, or failures of third-party service providers
- Any loss or damage arising from your failure to maintain the confidentiality of your account credentials or to follow recommended security practices
- Interception of data during transmission over networks not controlled by ElloMind, including public Wi-Fi or client-side devices
- Any claims arising from the inherent limitations of technology, including AI-assisted tools used in accordance with this policy
Our total aggregate liability for any claim related to data processing under this policy shall not exceed the total fees paid by you to ElloMind in the twelve (12) months immediately preceding the event giving rise to the claim.
19.2 Indemnification
You agree to indemnify, defend, and hold harmless ElloMind, JOETER CONSULTING LLP, its partners, employees, therapists, contractors, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising out of or related to:
- Your violation of this privacy policy or the Terms & Conditions
- Your unauthorised recording, sharing, or distribution of any therapy session content, therapist information, or proprietary materials
- Any inaccurate, misleading, or false information you provide to us
- Your failure to comply with applicable laws in your jurisdiction when accessing our services from outside India
19.3 Therapist protection
Therapists associated with ElloMind act as independent clinical professionals providing services through the ElloMind platform. Information shared by therapists during sessions (including clinical opinions, observations, and recommendations) is provided in good faith and in the exercise of professional judgment. Neither ElloMind nor its therapists shall be liable for outcomes arising from clinical advice where the therapist has acted in accordance with applicable professional standards and ethical guidelines.
Therapists' personal information, including but not limited to their contact details, qualifications, photographs, and professional background, is the proprietary information of ElloMind. Clients may not use, reproduce, or distribute therapist information for any purpose other than receiving therapy services through ElloMind.
19.4 Data processing disclaimer
While we employ commercially reasonable security measures and follow industry best practices, no data processing system is completely infallible. By using our services, you acknowledge and accept that:
- Electronic communication and data storage carry inherent risks that cannot be entirely eliminated
- AI-assisted tools used for session recording and transcription may produce errors or inaccuracies. Such outputs are used as supplementary aids and are not treated as the sole clinical record
- ElloMind relies on third-party providers for certain data processing functions and is not liable for the independent actions or failures of those providers, provided we have exercised reasonable care in selecting and monitoring them
20. Changes to This Policy
We may update this privacy policy from time to time as our services, technology, or legal obligations change. When we make changes:
- Minor changes (clarifications, formatting): we update the “Last Updated” date at the top
- Significant changes (new data collection, new third parties, changes to how we use your data): we notify you by email and/or a prominent notice on our website at least 14 days before the changes take effect
- If a change requires your consent under applicable law, we will request that consent before applying the change to your data
We encourage you to review this page periodically. The “Effective Date” and “Last Updated” dates at the top tell you when this version was published.
21. Contact Us
If you have any questions about this privacy policy, want to exercise your data rights, or have concerns about how your information is handled, get in touch:
- Email: info@ellomind.com
- WhatsApp: +91 70127 87346
- Entity: JOETER CONSULTING LLP (LLP ID: ACC-6688)
We aim to respond to all privacy-related requests within 30 days.
22. Complaints
If you are not satisfied with how we handle your data or respond to your request:
- Step 1: Contact us directly at info@ellomind.com. We take every complaint seriously and will work to resolve it
- Step 2: If we cannot resolve the issue, you have the right to file a complaint with the relevant data protection authority
Relevant authorities
- India: Data Protection Board of India (once fully operational under the DPDP Act, 2023)
- International clients:If you are located outside India, you may also have the right to file a complaint with your local data protection authority. However, please note that ElloMind's operations are governed by Indian law (see Section 18.1)