Privacy Policy

Shemesh Therapy LLC | A Delaware Corporation | Emotional Wellness Platform

Effective Date: 1 March 2025 | Version: 1.1

This policy applies to all users of the Shemesh platform, including UK-based consumers and B2B employer clients.

Quick Reference — Your Key Rights at a Glance

  • Data Controller: Shemesh Therapy LLC, a Delaware corporation
  • UK GDPR Representative: Rickert Services Ltd UK, PO Box 1487, Peterborough, PE1 9XX — appointed under UK GDPR Article 27
  • Contact for data requests: privacy@shemesh.com
  • ICO registration: ZC015627
  • ICO security number: CSN7377268
  • Right to complain to the ICO: ico.org.uk | 0303 123 1113
  • Special category data processed: Yes — mental wellness data (UK GDPR Article 9)
  • International transfers: Yes — to USA (cloud hosting) and South Africa (coaches)

IMPORTANT:

Shemesh is a mental emotional wellness platform, not a clinical or healthcare service. Some data we collect relates to mental wellness and is classified as special category health data under UK GDPR Article 9. We take this seriously and apply the highest standard of protection to this data.

1. Who We Are and How to Contact Us

Shemesh Therapy LLC is a company incorporated in the State of Delaware, United States of America. We operate an emotional wellness platform that connects clients with independent HPCSA-qualified professionals who hold postgraduate qualifications registered with the Health Professions Council of South Africa (HPCSA).

Item | Details
Data Controller | Shemesh Therapy LLC
Registered in | Delaware, USA
Platform address | https://shemeshwellness.com
Privacy contact | shemeshtherapy@gmail.com
UK GDPR Article 27 Representative | Rickert Services Ltd UK, PO Box 1487, Peterborough, PE1 9XX, United Kingdom — This representative can be contacted by UK users and the ICO in relation to this Privacy Policy
ICO registration number | ZC015627

Because Shemesh Therapy LLC is incorporated in the United States and has no physical establishment in the United Kingdom, we have appointed a UK Representative as required by UK GDPR Article 27. Our UK Representative acts as a point of contact for UK data subjects and the Information Commissioner's Office (ICO) on our behalf. Our UK Representative does not make decisions about how we process your data — those decisions are made by Shemesh Therapy LLC.

2. Who This Privacy Policy Applies To

This Privacy Policy applies to:

  • Individual consumers (B2C clients) who create a Shemesh account and access coaching sessions directly.
  • Employees of organisations (B2B employer clients) who access Shemesh as a workplace benefit — your employer purchases access but you create your own account and your session data remains private from your employer.
  • Visitors to the Shemesh website who have not yet created an account.

Important for B2B users

If you access Shemesh through your employer, your employer is a separate data controller for the fact that you have access to Shemesh (e.g. they know they have provided you with a subscription). However, your employer does NOT have access to your session content, mood data, journals, or any other personal data you create within the platform. Your coaching data is yours and is kept strictly confidential from your employer.

3. What Personal Data We Collect and Why

We collect data in three ways: data you give us directly, data generated by your use of our platform, and data collected automatically by our technology infrastructure. Each category is explained below.

3.1 — Account and Identity Data

Collected when you create an account or update your profile.

Data | Why we collect it | Lawful basis
Full name | To identify your account and address you in communications | Contract performance
Email address | To send you booking confirmations, receipts, and service communications | Contract performance
Password (hashed) | To secure your account — we never store your password in plain text | Contract performance
Phone number | To send session reminders via SMS if you opt in to this feature | Consent

3.2 — Mental Wellness and Session Data

SPECIAL CATEGORY DATA — This data is classified as health data under UK GDPR Article 9. It receives the highest level of protection. We only process this data with your explicit consent (Article 9(2)(a)), captured separately at sign-up and when you first use each feature.

Data | Why we collect it | Lawful basis
Mood check-ins and self-assessments | To track your wellness journey and provide personalised coaching support | Explicit consent (Article 9(2)(a))
Journal entries and reflections | To support your coaching experience and help your Professional understand your progress between sessions | Explicit consent (Article 9(2)(a))
Gratitude logs and wellness goals | To support your personal development within the platform | Explicit consent (Article 9(2)(a))
Session notes you choose to share | To allow continuity between sessions if you choose to share notes with your Professional | Explicit consent (Article 9(2)(a))
Session booking history | To manage scheduling, send reminders, and maintain your coaching record | Contract performance

What your Professional can see: Your Professional can see your first name, session booking time, and any notes or context you choose to share with them through the platform. Your Professional cannot see your journal entries, mood data, or any other content unless you explicitly choose to share it. Session content is not recorded.

3.3 — Payment Data

Payments are processed by Stripe, Inc. Shemesh does not store your full card details. Stripe processes and stores payment data in accordance with PCI-DSS compliance standards.

Data | Why we collect it | Lawful basis
Billing name and email | To generate receipts and manage your subscription | Contract performance
Last 4 digits of card and expiry | Stored by Stripe for subscription management — not stored by Shemesh directly | Contract performance
Transaction history and subscription status | To manage your account, process refunds, and maintain financial records | Legal obligation (7-year retention for tax purposes)

3.4 — Scheduling and Communications Data

Data | Why we collect it | Lawful basis
Session booking dates and times | To schedule your sessions and send reminders via our scheduling tool | Contract performance
Emails sent and received | To send booking confirmations, receipts, and platform updates via our email service provider | Contract performance / Legitimate interests
Marketing email engagement (opens, clicks) | To improve our communications and understand what is relevant to you — only if you have consented to marketing emails | Consent

3.5 — Technical and Device Data

Collected automatically when you use our website or app.

Data | Why we collect it | Lawful basis
IP address | For security, fraud prevention, and approximate location (country level) | Legitimate interests
Browser type and version | To ensure the platform works correctly on your device | Legitimate interests
Device type and operating system | To optimise the platform experience | Legitimate interests
Pages visited and session duration | Analytics to understand how the platform is used and to improve it | Consent (via cookie consent)
Referral source (how you found us) | Marketing effectiveness measurement — only with your consent | Consent (via cookie consent)

3.6 — B2B Employer Data

If your employer has purchased a Shemesh subscription for their workforce, we collect the following data from employers:

  • Company name and registered address
  • Name and email of the employer account administrator
  • Billing and payment information for the employer subscription
  • Number of licences purchased and redemption rate (aggregate, not linked to individual employees)

We do not share any individual employee's data with their employer. Usage reports provided to employers are aggregated and anonymised — your employer cannot identify your individual usage or access your coaching data under any circumstances.

4. Our Lawful Basis for Processing — Summary

UK GDPR requires us to have a documented lawful basis for each type of processing activity. The table below sets out our lawful basis for each category of processing.

Processing Activity | Lawful Basis and Explanation
Delivering coaching sessions and managing your account | Contract performance — Article 6(1)(b). Processing is necessary to provide the service you have signed up for.
Processing payments via Stripe | Contract performance — Article 6(1)(b). Necessary to fulfil your subscription.
Retaining financial records | Legal obligation — Article 6(1)(c). UK tax law requires us to retain financial records for 7 years.
Processing mental wellness data (journals, mood, assessments) | Explicit consent — Article 9(2)(a). You give specific consent for each data feature when you first use it. You can withdraw consent at any time.
Sending transactional emails | Contract performance — Article 6(1)(b). Necessary to manage your account.
Sending marketing emails | Consent — Article 6(1)(a). You opt in at sign-up or in account settings. You can unsubscribe at any time.
Platform analytics and improvement | Consent — Article 6(1)(a). Collected via cookies you consent to through our cookie banner.
Security, fraud prevention, abuse detection | Legitimate interests — Article 6(1)(f). We have a legitimate interest in keeping the platform secure for all users.
Maintaining session booking and scheduling records | Contract performance — Article 6(1)(b). Necessary to manage the service.

5. Special Category Data — Mental Wellness Information

Mental health and wellness data is classified as special category data under UK GDPR Article 9. This is the highest protection tier under UK data protection law. We treat it accordingly.

The journals, mood check-ins, self-assessments, and wellness goals you create on Shemesh constitute health-related personal data. We process this data only:

  • With your explicit, informed, and freely given consent — captured separately for each feature
  • For the purpose of delivering your coaching experience on the platform
  • In a way that is minimised — your Professional sees only what you choose to share

5.1 — How We Protect Your Mental Wellness Data

  • Your wellness data is encrypted at rest and in transit
  • Access is restricted — only you and your chosen Professional (for data you share) can access it
  • Your employer cannot access your wellness data under any circumstances
  • Session content is not recorded — sessions are live only with no transcripts stored
  • Professionals are contractually prohibited from storing client data outside the platform
  • You can export all your wellness data at any time via your account settings
  • You can delete your wellness data at any time — this is processed within 30 days

5.2 — Withdrawing Consent for Special Category Data

Because we rely on your explicit consent to process your mental wellness data, you have the right to withdraw that consent at any time. Withdrawing consent means we will stop processing that data going forward. It does not affect the lawfulness of processing carried out before your withdrawal. To withdraw consent, go to Settings > Privacy > Data Preferences in your account, or email privacy@shemesh.com.

6. Who We Share Your Data With

We do not sell your personal data. We do not share your data with third parties for their own marketing purposes. We share your data only with the service providers listed below who help us operate the Shemesh platform, and only to the extent necessary for that purpose.

Recipient | Location | What is shared and why | Transfer safeguard
Your assigned Shemesh Professional | South Africa | Your first name and session booking details. Only data you explicitly choose to share beyond this. Professionals are independent contractors bound by confidentiality obligations and UK GDPR-aligned data processing terms. | Contractual safeguards (IDTA)
Stripe, Inc. | United States | Your billing name, email, and payment card details for subscription processing and payment management. | UK IDTA / Stripe UK DPA
Video platform provider (e.g. Google Meet) | United States | Your name and email to facilitate session video calls. Session content is not recorded or stored by Shemesh. | UK IDTA / Provider DPA
Scheduling tool | United States | Your name, email, and session booking preferences to manage appointment scheduling. | UK IDTA / Provider DPA
Resend | United States | Your name and email address to send transactional emails and, where you have consented, marketing emails. | UK IDTA / Provider DPA
Google Analytics | United States | Anonymised and aggregated platform usage data (IP address anonymised). Only processed where you have consented via our cookie banner. | Consent + UK IDTA
Cloud hosting provider (Vercel & Neon) | United States | All platform data is hosted on US-based cloud infrastructure. This is our primary data storage environment. | UK IDTA signed with provider
ICO or law enforcement | United Kingdom | Only where required by law, a court order, or to protect the vital interests of a user (e.g. a safeguarding emergency). | Legal obligation / Vital interests (Article 9(2)(c))

HubSpot — Internal Use Only

We use HubSpot as an internal CRM tool for our sales and business development team. HubSpot is not integrated with user-facing platform features. We do not upload client session data, wellness data, or account data to HubSpot. Only business contact information relating to B2B employer prospects and clients is stored in HubSpot for internal sales management purposes.

7. International Data Transfers

As a US-incorporated company using US-based cloud infrastructure and South Africa-based coaches, your personal data will be transferred internationally. UK GDPR places strict requirements on these transfers to ensure your data remains protected when it leaves the UK.

7.1 — Transfers to the United States

Your personal data is transferred to and stored on cloud servers located in the United States. The US is not subject to a UK adequacy decision covering all types of data transfer. We protect these transfers through UK International Data Transfer Agreements (IDTAs) — the mechanism approved by the ICO for this purpose — with each of our US-based service providers. This includes our cloud hosting provider, Stripe, our video platform, our scheduling tool, our email provider, and Google Analytics.

7.2 — Transfers to South Africa

When you are assigned a Shemesh Professional, limited session information (your first name and booking time) is shared with your Professional, who is located in South Africa. South Africa is not subject to a UK adequacy decision. We protect these transfers through contractual safeguards in our agreements with each Professional, incorporating UK IDTA provisions as required by UK GDPR Article 46. We also minimise this transfer by limiting what your Professional can see to the minimum necessary for session delivery.

7.3 — Transfer Risk Assessments

We have conducted Transfer Risk Assessments (TRAs) for all international data transfers as required by ICO guidance. These assessments evaluated the legal framework and data protection standards in each destination country and confirmed that, with the contractual safeguards in place, your data is adequately protected. Copies of our TRAs are available to the ICO on request.

8. How Long We Keep Your Data

We keep your personal data only for as long as necessary for the purposes it was collected, or as required by law. The table below sets out our retention periods for each data category.

Data Category | Retention Period | Reason
Account data (name, email) | Duration of your account + 2 years after account closure | To manage your account and resolve any disputes arising after closure
Mental wellness data (journals, mood, assessments) | Duration of your account. Deleted within 30 days of account closure or deletion request | You retain control — you can delete this data at any time
Session booking records | 3 years after last session | For dispute resolution and service records
Payment and financial records | 7 years from the date of each transaction | Legal obligation under UK and US tax law
Marketing consent records | Until you withdraw consent + 1 year | To demonstrate lawful processing if challenged
Analytics data (cookied, aggregated) | Up to 26 months (Google Analytics default) | Retention set in our analytics configuration
Security logs (IP addresses, access logs) | 90 days | For fraud prevention and security incident investigation
Correspondence with us (emails, support) | 3 years | For quality management and dispute resolution

When data reaches the end of its retention period, it is permanently deleted or anonymised so it can no longer be linked to you. Deletion of special category wellness data is completed within 30 days of the scheduled deletion date.

9. Your Data Protection Rights

Under UK GDPR, you have the following rights in relation to your personal data. We will respond to all valid rights requests within 30 days. There is no charge for exercising your rights, except in cases of manifestly unfounded or excessive requests.

Right | What this means for you
Right of access (Article 15) | You can request a copy of all personal data we hold about you, including where it came from, who we share it with, and how long we keep it. Submit a Subject Access Request to privacy@shemesh.com.
Right to rectification (Article 16) | If any data we hold about you is inaccurate or incomplete, you can ask us to correct it. You can update most account data directly in your account settings.
Right to erasure (Article 17) | You can ask us to delete your personal data in certain circumstances — for example, where we no longer need it, or where you withdraw consent. Use the Delete Account feature in your account settings or email privacy@shemesh.com. Some data may be retained for legal obligations (e.g. financial records).
Right to data portability (Article 20) | You can request a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format (CSV or JSON). Use the Export Data feature in your account settings or email privacy@shemesh.com. We will fulfil portability requests within 30 days.
Right to restrict processing (Article 18) | You can ask us to pause processing of your data in certain circumstances — for example, while you contest its accuracy.
Right to object (Article 21) | You can object to processing based on legitimate interests at any time. You can also object to direct marketing at any time — we will stop immediately.
Right to withdraw consent | Where processing is based on your consent, you can withdraw it at any time via Settings > Privacy or by emailing privacy@shemesh.com. Withdrawal does not affect the lawfulness of prior processing.
Right not to be subject to automated decisions (Article 22) | We do not make legally significant automated decisions about you. If we introduce any such feature, we will update this policy and obtain separate consent.

9.1 — How to Exercise Your Rights

To exercise any of your rights, you can:

  • Use the self-service features in your account settings (for erasure, portability, and consent withdrawal).
  • Email us at shemeshtherapy@gmail.com with your request — please include your registered email address and the specific right you wish to exercise.
  • Contact our UK GDPR Representative at Rickert Services Ltd UK, PO Box 1487, Peterborough, PE1 9XX | art-27-rep-shemesh@rickert-services.uk

We will verify your identity before processing any request. We will respond within 30 days. If your request is complex or you have submitted multiple requests, we may extend this by a further 60 days — we will notify you if this applies.

9.2 — Right to Complain to the ICO

If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

Contact method | Details
ICO website | ico.org.uk
ICO helpline | 0303 123 1113 (Monday to Friday, 9am to 5pm)
ICO live chat | Available at ico.org.uk
ICO postal address | Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to address your concerns before you contact the ICO. Please contact us first at privacy@shemesh.com and we will do our best to resolve the issue promptly.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website and platform. Cookies are small text files stored on your device that allow us to recognise you, remember your preferences, and understand how you use our platform.

Cookie type | Purpose | Legal basis
Strictly necessary cookies | Essential for the platform to function — e.g. keeping you logged in, securing your session, processing your payment. Cannot be disabled. | No consent required
Analytics cookies (e.g. Google Analytics) | Help us understand how users interact with the platform so we can improve it. We use IP anonymisation and do not use analytics data to identify individual users. | Consent required — opt in via cookie banner
Marketing and retargeting cookies | Allow us to show relevant advertising on third-party platforms. Only active if you have consented. | Consent required — opt in via cookie banner
Preference cookies | Remember your settings and preferences so you do not have to re-enter them on each visit. | Consent required — opt in via cookie banner

You can manage your cookie preferences at any time by clicking the 'Manage Cookies' link in the footer of our website. You can also control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the platform.

For a full list of cookies we use, including their names, purposes, durations, and whether they are first or third-party, please see our Cookie Policy at https://shemeshwellness.com/cookie-policy.

11. Marketing Communications

We send marketing emails to clients who have opted in to receive them. We do not send unsolicited marketing communications.

  • You can opt in to marketing emails at sign-up or at any time via Settings > Notifications in your account.
  • You can opt out at any time by clicking 'Unsubscribe' at the bottom of any marketing email, or via Settings > Notifications.
  • Opting out of marketing emails will not affect transactional emails such as receipts, session reminders, and account security notifications — these are sent on the basis of contract performance and cannot be disabled while your account is active.
  • We do not share your contact details with any third party for their own marketing purposes.
  • We do not use your mental wellness data, session data, or journal entries for marketing purposes.

12. How We Keep Your Data Secure

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or disclosure. These measures include:

  • Encryption of personal data in transit (TLS 1.2 or higher) and at rest
  • Encrypted password storage — we never store passwords in plain text
  • Access controls — only authorised staff and contractors can access personal data, and only to the extent required for their role
  • Regular security reviews and vulnerability assessments
  • Sub-processor DPAs with all third-party service providers who access personal data
  • Contractual confidentiality obligations on all coaches and contractors

12.1 — Data Breach Procedure

In the event of a personal data breach, we will notify the ICO within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms. Where a breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay. We maintain an internal breach register and will conduct a post-incident review for all material breaches.

13. Children's Data

Shemesh services are strictly for adults aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18.

If we become aware that we have collected personal data from a person under the age of 18, we will delete it immediately. If you believe we have inadvertently collected data from a child, please contact us immediately at shemeshtherapy@gmail.com.

14. Records of Processing Activities

As required by UK GDPR Article 30, Shemesh Therapy LLC maintains internal Records of Processing Activities (ROPA) documenting all personal data processing operations, their purposes, lawful bases, retention periods, and international transfer safeguards. Our ROPA is maintained as a living document and updated whenever our processing activities change. It is available to the ICO on request.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes:

  • We will update the 'Last updated' date at the top of this policy
  • For minor changes (e.g. clarifications that do not affect how we use your data), we will publish the updated policy on our website
  • For material changes that affect how we use your data — particularly special category wellness data — we will notify you by email and ask for your consent again where required by UK GDPR
  • You can always find the current version of this policy at https://shemeshwellness.com/privacy-policy

If you continue to use Shemesh after a material change to this policy, this does not constitute consent to the new processing. Where new processing requires your consent, we will always ask for it explicitly before the new processing begins.

16. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data:

Contact | Details
Email (preferred) | shemeshtherapy@gmail.com
UK GDPR Representative | Rickert Services Ltd UK, PO Box 1487, Peterborough, PE1 9XX, United Kingdom — art-27-rep-shemesh@rickert-services.uk
Response time | We aim to respond to all privacy enquiries within 5 business days and to all formal data rights requests within 30 days.
ICO (if unresolved) | ico.org.uk, 0303 123 1113

This policy was prepared as a compliance document for Shemesh Therapy LLC and reflects the company's data processing activities as of the effective date above. Shemesh is a mental emotional wellness platform, not a clinical or regulated healthcare service.