Oasis Text White

Privacy Policy

Oasis Mental Health Applications

Introduction

Oasis respects your privacy and personal information and is committed to their protection.

Oasis Mental Health Applications (“Oasis,” “our,” “us,” or “we”) and its affiliates and/or wholly owned
subsidiaries operate the Oasis platform, websites, apps, social media sites, widgets in other
websites/apps, and other formats of interaction.

The Oasis Privacy Policy describes our policies and practices regarding the collection, storage, use and
disclosure of personal information collected through use and interaction of all our touchpoints, such as
apps, websites, telephone, and in-person. Data and information collected and saved are in the Oasis
platform and, at times, users’ individually owned or used devices, and are accessible across our
interfaces and touchpoints. Our privacy policy enables you to know exactly how your information will be
stored, handled, used, disclosed, and protected by Oasis.

For some services that you use, additional terms and practices may apply that are specific to these
services and will be listed as Supplements and Additional Notices.

When you provide personal information to us, we will only use the information for the uses and
purposes described in this Privacy Policy. By continuing to use and provide information to Oasis, you
agree to the policies and practices described in this Privacy Policy. You acknowledge that you have read
and understand this Privacy Policy, agree to be bound by our Terms of Service, and consent to the
collection, use, storage, and disclosure of your personal information as set out in this Privacy Policy.

Oasis does not sell your personal information.

We encourage you to also read our Terms of Service (“Terms”) which describe the terms under which
you use, and we provide, our Services.

California residents should read the information available in the section entitled “Notice to California
Residents” below about the categories of personal information to be collected from them and the
purposes for which the personal information will be used.

This Privacy Policy does not apply to the collection and use of certain employment-related information.

The Secure Platforms allow eligible Members to perform certain transactions and use Oasis’s services.
Information collected and stored by Oasis or added by Members into the Secure Platforms may be
considered Protected Health Information (“PHI”) and may be governed by applicable state and federal
laws that apply to that information, such as the Health Insurance Portability and Accountability Act
(HIPAA).

When using our websites and services, you may choose to interact with features from third parties that
operate independently from Oasis, such as social media widgets and links to third-party websites. Oasis
has no control over and is not responsible for the privacy practices of such third parties. This Privacy
Policy does not apply to the extent that Oasis does not own or control any linked websites or features
thereof that you may use.

This Privacy Policy is not a contract and does not create any contractual rights or obligations.

Information you Provide

When you use our services, apps, and websites you provide us with information voluntarily. This may
include, but is not limited to:

    • Your name, email, mobile, address, password, and profile information

    • Profile image and other photographs

    • The organization, school, or institution with which you are affiliated and your role and title, if any

    • The type of services that you would like to use and answers to form and information requests

    • Information, posts, and opinions that you share with the community

    • Reports about incidents that you wish to notify along with attachments of images, audio, videos,
      names, and contact details of people involved

    • Conversations, messages, files, screen share, audio and video recordings, and information that you
      share with our staff through support chat, including, but not limited to, personal information, your
      thoughts and preferences, situations, and events

    • Information, answers, opinions, thoughts, and plans that you may submit or share while using our
      services and features including, but not limited to, polls, quizzes, contests, tests, games, and other
      engagement activities

Information Collected Automatically

When you use our services or visit our websites, some information is collected automatically. This may
include, but is not limited to:

    • Your device type, browser type, operating system

    • Your IP address which can sometimes be used to derive your geographical location

    • Server logs and communication data

    • Date and time of the use and actions on information and services

    • Actions that you take on our services and content, features, and activities that you access and
      participate in

    • Information collected through cookies, web beacons and other similar technologies

How We Use Information

We use your personal information to provide you with services and communications. These may include,
but are not limited to:

    • Manage your account, communicate with you in relation to your account, process your requests and
      transactions, and deliver and monitor the performance of our services

    • Understand your personal situation, objectives, and circumstances, help and guide you to learn and
      implement ways for you to overcome your challenges and achieve your goals, evaluate the quality
      and progress of our support program, and optimize our services

    • Review, discuss, assess, and take actions on the incidents, situations, and problems relating to our
      services that you report to us

    • Review, approve, edit, and share stories that you submit to share with the community

    • Personalize our services and the performance and experience that you have with our apps, services,
      and websites to make these more enjoyable and easier for you to use

    • Update you with product information and marketing communications only with your consent and as
      permitted by law

Aggregate Information

We collect and create aggregate data (“Aggregate Information”) using the various data that we have
collected through our apps and platforms, combining these from multiple users and actions. This data is
statistical, summarized, and aggregated and is derived from multiple sources. Some of this data may be
derived from personal information provided to us. Aggregated data is made anonymous and collective
and cannot reasonably be used to identify an individual or disclose individual personal information. We
create this data for analysis, statistics, customer reports, and program improvements, to understand our users and their needs, and
to structure our products and services better. We may update this policy from time to time without additional notice. Continued use of the Oasis platform and/or services amounts to an agreement to these terms.

Use of Cookies / Web Beacons

We may use cookies, both session and persistent, web beacons, or saved data on your device to track
usage, save preferences, keep you logged in, recognize visits from the same device, and improve your
experience with our apps and services. You can disable cookies in your browser and still access our
website and content, although your access to information may be limited. You can disable some options
in our apps but may not be able to use all features and access all information.

Information You Voluntarily Provide

We may use your personal information to contact or send you information and personalize your
experience with our services. We may also display advertisements and send you notifications about
Oasis and our products that we believe you may be interested in.

When You Send Us Information

If you contact us or send us a message about our products and services through email, telephone,
messaging, social media, website submission, in-person and other methods, we may retain the content of these submissions that includes your name and email address, the content of your submission including any attachments of text, images, documents, videos, any personal information that you have listed in these, and any of our responses to you. We may retain this information for a period of time for our internal records, to resolve disputes, maintain history for potential events, and for other valid business or legal reasons.

Email and Communications

We send you updates, alerts, and announcements by email, SMS, and notifications on your phone unless you
unsubscribe for these. Instructions to unsubscribe are provided at the end of our emails. On your phone
you can turn off notifications for the app. If you are still unable to unsubscribe and you continue to
receive emails or notifications, send us an email to privacy@oasisapp.com. Oasis may maintain the right
to send unsubscribed users important emails about their accounts or services.

Chat with Mental Health Professionals

We may provide services in which you can chat, message, or otherwise communicate with a mental health professional or counselor. If you use such services, the information that you provide, and the
use of those services, will be subject to a separate privacy policy and terms of use.

Important Information Relating to Health Information

Oasis Mental Health Applications is not a “Covered Entity” for which HIPAA applies. For some organizations we provide services under a Business Associate Agreement. Out of an abundance of caution, as a policy, Oasis abides by HIPAA policies, which includes strict adherence to administrative, technical, and physical security standards and privacy policies that protect your personally identifiable information. 

How We Share Information

We only share personal information with our affiliates and third parties who are bound by terms at least
as restrictive as this Privacy Policy and only in the following ways:

Affiliates – If our affiliates need the information to provide services and improve these services, we
will provide access and information to the extent needed and only for the specific related purposes.

    • Services Providers – If services providers need the information to perform functions that enable us to provide services, we will provide access and information to the extent needed and only for the
      specific related purposes.

    • Legal – If courts, law enforcement agencies, or regulatory or government bodies require us to
      provide information for investigation, tracking illegal activity, or other purposes that are required
      and in compliance with laws, regulations, and legal process, we will provide access and information
      to the extent needed and only for the specific related purposes.

    • Business Transfers – In event of a merger, sale, or reorganization, we may transfer any or all personal information that we collect and save to the relevant third party involved, with consent of data subjects if required under applicable privacy laws.
  •  
    • Health Care Professionals: We may share identifying information, per Minimal Use Standards, with health care professionals, sponsoring organizations and local authorities in cases in which we believe you may be a danger to yourself or someone else.

    • Other Disclosures – If required by law for safety, prevention of harm to others, protection of our
      legal rights, enforcement of our Terms of Service, or protection of the rights of others, we will
      provide access and information to the extent needed and only for the specific related purposes.

Security and Protection of Information

We maintain control and safeguards on all information that we collect and save including personal
information. We have implemented technical and organizational security measures to protect the
security and integrity of your personal information in accordance with this Privacy Policy and applicable
law. We secure information by using reasonable and technically feasible physical, technical, and
administrative safeguards. Information transmitted between devices and our platforms is encrypted
using industry standard Secure Sockets Layer/Transport Layer Security (SSL/TLS) technology.

Information is encrypted and stored on servers with restricted access and monitoring software. We audit our security and monitor our network, servers, and software. We have developed and implemented a range of encryption and security technologies and procedures to protect your information and prevent
unauthorized access.

While we endeavor to always protect our systems, websites, infrastructure, operations, and information
against unauthorized access, use, modification, and disclosure, it is important for you to know that,
despite using advanced technologies and industry-standard practices and tools, it is never possible to
fully guarantee against breaches in security or assure the security of any information that you provide us
other than making the best efforts to ensure its protection. Our websites, apps, platforms, and services
depend and operate on software, hardware, networks and infrastructure, any component of which may,
from time to time, require maintenance or experience problems or breaches in security beyond Oasis’s
control. Oasis is not responsible for acts and omissions of any third parties. You provide information to
us voluntarily and at your own risk.

In the event of a breach, we will take all possible measures to control access to data and will notify users
at least on our website, and possibly via our apps and/or via email.

You have an important role in protecting your personal information. You are responsible for maintaining
the security of your login ID, password, and access to your device. If you believe that your login ID,
password, or device may have been compromised, you should immediately change your password and
contact us. We are not responsible if a third party accesses your account through registration and/or
login information that was provided to the third party by you, whether voluntarily, accidentally, through
a violation by you of the Terms of Service, or by your failure to maintain the security of such
information.

Breach Notification

We are required to notify you following the discovery of a breach of your unsecured Protected Health
Information, unless there is a demonstration based on a risk assessment, that there is a “low
probability” that the Protected Health Information has been compromised. You will be notified in a
timely fashion, no later than 60 days after discovery of the breach.

Accessing and Updating Your Information

You can access your information through the apps and websites by logging in and looking at your
account information. You can also edit your information through these interfaces.
When requested in writing by email to privacy@oasisapp.com, we will inform you of the existence, use
and disclosure of your personal information that we maintain. We may not be able to provide you with
all the information that you request, depending on the circumstances and there may be a charge for
supplying you with copies of your personal information.

Storage of Information

Oasis may store your personal information in its infrastructure and platforms located in the United
States or other countries. Some of our service providers may also store or access personal information
from countries other than where you reside or receive services, and, in those circumstances, are subject
to the laws of that jurisdiction. As a consequence, there may be circumstances where governments,
courts, law enforcement, and regulatory agencies are entitled to access the personal information
collected and stored by Oasis and/or our service providers.

Retention of Your Data

We will store your data and personal information for as long as we need these to provide you our
services, to serve the purposes for which your personal information was collected or as necessary to
comply with our contractual and legal obligations, resolve disputes, or enforce our agreements to the
extent permitted by law. When we no longer need the information, it will be deleted permanently or
altered so it cannot be identified.

Children

Our website and services are directed to persons over the age of sixteen (16) and we do not knowingly
collect information or offer services to anyone below this age. If you are under 16 years of age, do not
use or provide information on our websites or apps unless your parent or legal guardian provides online
confirmation and consent for us to allow you access and receive information from you. If we learn that
we have collected or received personal information from a person under 16 years of age without
verification or parental consent, we will delete it. If you are a parent or guardian of a person under 16
years of age whom you believe might have provided us with his or her personal information, you may
contact us to request that it be deleted and access to our services withdrawn.

Social Features

Some features on third-party websites and apps permit you to initiate interactions between the
websites, platforms, and services, such as social networks (“Social Features”). Social features include
allowing you to click and access Oasis’s pages on certain third-party platforms, and from there to “like”
or “share” our content on those platforms. Use of Social Features may entail a third party’s collection
and/or use of your data. If you use Social Features or similar third-party services, information you post
or otherwise make accessible may not be publicly displayed by the third-party service you are using.
Oasis and the third party may have access to information about you and your use of both the websites
and third-party services.

Third-Party Services

Oasis will not share, sell, or rent any of your personally identifiable information that we collect, except
with your consent or as described in this Privacy Policy. We may share personally identifiable
information with third parties who we engage to perform services on our behalf, under confidentiality
or similar agreements, such as administering and processing payments, printing and shipping ID cards,
hosting our websites and services, communicating with you about offers or other information relevant
to Oasis, and/or to perform other tasks that Oasis may use personally identifiable information under this
Privacy Policy.

Oasis may share personally identifiable information about you in response to or to cooperate with law
enforcement, government requests, subpoenas, court orders, or legal process; to respond to your
requests for customer service or other information; to enforce our Terms of Service; to establish or
exercise our legal rights or defend against legal claims; or to protect the safety or property of Oasis or
others. Oasis may also share information about you if Oasis believes it is necessary to share information
to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving
potential threats to the physical safety of any person including yourself, or as otherwise required or
permitted by law.

Oasis may share non-personally identifiable information with third parties that Oasis reasonably believes
need such information or to perform the other tasks that Oasis may use non-personally identifiable
information for under this Privacy Policy.

Links to Other Sites

We may provide links to independent third-party websites, apps, platforms, and services (“Linked
Services”). We do not control or endorse any of the Linked Services or the entities that publish and
manage these websites. We list the links for convenience and ease of locating related information. We
are not and cannot be responsible for the content, security, and privacy policies of these Linked
Services. We disclaim any and all liability for the actions of third parties, including relating to the use
and/or disclosure of personal information to or by third parties. Any information submitted by you
directly to these third parties is subject to that third party’s Privacy Policy.

Notice to California Residents

Please note that the CCPA does not apply to, among other things,

    • Information that is lawfully made available from federal, state, or local government records;

    • Consumer information that is de-identified or aggregated;

    • Medical information governed by the Confidentiality of Medical Information Act (Part 2.6
      (commencing with Section 46) of Division 1) (CMIA) or protected health information that is collected
      by a covered entity or business associate governed by the privacy, security, and breach notification
      rules issued by the United States Department of Health and Human Services (HHS), Parts 160 and
      164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance
      Portability and Accountability Act of 1996 (Public Law 104-191) (HIPAA) and the Health Information
      Technology for Economic and Clinical Health (HITECH) Act (Public Law 111-5); or

    • A provider of health care governed by the CMIA or a covered entity governed by the privacy,
      security, and breach notification rules issued by HHS, established pursuant to HIPAA, to the extent
      the provider or covered entity maintains patient information in the same manner as medical
      information or protected health information under CMIA/HIPAA/HITECH Act.

Collection of Personal Information – Currently and in the Preceding 12 Months
We collect “Personal Information” as defined by the CCPA, which is information that identifies, relates
to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or
indirectly, with a particular consumer or household. Personal Information does not include de-identified
or aggregate information; publicly available information that is lawfully made available from federal,
state, or local government records; and information covered by certain sector-specific privacy laws.

California law allows California residents to ask companies with whom they have an established business
relationship to provide certain information about the companies’ sharing of personal information with third parties for direct marketing purposes. We do not share any California consumer personal
information with third parties for marketing purposes without consent.

California customers who wish to request further information about our compliance with this law or
have questions or concerns about our privacy practices may contact us using the contact information set forth below.

Under the California Consumer Privacy Act, California residents have the right to:

    • Request that a business delete any personal information about the consumer which the business
      has collected from the consumer.

    • Request that a business that collects personal information about the consumer disclose to the
      consumer, free of charge, the following:

    • The categories of personal information that it has collected about that consumer.

    • The categories of sources from which the personal information is collected.

    • The business or commercial purpose for collecting or selling personal information.

    • The categories of third parties with whom the business shares personal information.

    • The specific pieces of personal information it has collected about that consumer.

    • Request that a business that sells the consumer’s personal information, or that discloses it for a
      business purpose disclose, free of charge, to the consumer:

    • The categories of personal information that the business collected about the consumer.

    • The categories of personal information that the business sold about the consumer and the
      categories of third parties to whom the personal was sold, by category or categories of personal
      information for each third party to whom the personal information was sold.

    • The categories of personal information that the business disclosed about the consumer for a
      business purpose.

    • Direct a business that sells personal information about the consumer to third parties not to sell the
      consumer’s personal information.

European Union

This section of our Privacy Policy contains information for persons located in the European Union (“EU”),
a European Economic Area (“EAA”) member state, or Switzerland. Before Oasis collects any personal
information from you, you are entitled, under the EU General Data Protection Regulation (“GDPR”), to
the information in this section of our Privacy Policy.

Purposes and Legal Bases for Processing Personal Information

Oasis collects your personal information to provide our products and services to you; otherwise, we may
not be able to process the transactions you request. We will only process your personal information
when we have a lawful basis for doing so. We will collect and process your personal information as
necessary for the performance of a contract to which you are a party or because we have another
legitimate interest in doing so relating to our business purposes arising from your relationship with us.

We may also seek your prior consent or rely on some other lawful basis to process your personal
information.

Our legitimate interests include but are not limited to:

    • Provide you with the products and services you request, view, engage with, or purchase

    • Communicate with you regarding your account or transactions with us

    • Operate, understand, optimize, develop, or improve our sites, applications, products, services, and operation.

Rights of Users Located in the EU

If you use the Services and are located in the EU, EAA, or Switzerland, you are entitled by law to access,
correct, amend, or delete personal information about you that we hold. A summary listing these rights
appears below. Please note that these rights are not absolute and certain exemptions may apply to
specific requests that you may submit to us.

The right to access. You have the right to ask us for copies of your personal information. When making a
request, please provide an accurate description of the personal information to which you want access.
Where requests are repetitive or manifestly unfounded or excessive, we may charge a reasonable fee
based on administrative cost.

The right to rectification. You have the right to ask us to rectify information you think is inaccurate. You
also have the right to ask us to complete information you think is incomplete.
The right to erasure. You have the right to ask us to erase your personal information in certain
circumstances, including your personal information to be erased to comply with a legal obligation under
EU or member state law.

The right to restrict processing. You have the right to ask us to restrict the processing of your personal
information in certain circumstances, including: (i) when the accuracy of the personal information is
brought into question, or (ii) when we no longer need the personal information for purposes of the
processing, but require such personal information for the establishment, exercise, or defense of a legal
claim.

The right to data portability. You have the right to ask that we transfer the personal information you
gave us from one organization to another or give it to you.

The right to lodge a complaint with the supervisory authority. If you believe your rights under the GDPR
have been violated, the GDPR gives you the right to file a complaint with your supervisory authority. A
list of Supervisory Authorities is available here: http://ec.europa.eu/justice/dataprotection/bodies/authorities/index_en.htm.

The right to withdraw consent. If Oasis obtains your written consent to collect and process your
personal information, you can subsequently withdraw such consent as to any further processing of
information.

Automated decision-making. To the extent that Oasis engages in decision-making based solely on
automated processing, including profiling, which produces legal effects concerning you or which
significantly affects you, you have the right not to be subject to such decision-making.
To exercise these rights please contact us at privacy@oasisapp.com. For your protection, we may need
to verify your identity before responding to your request. In the event that we refuse a request, we will
provide you a reason as to why

International Data Transfers

Oasis and its infrastructure are primarily located in the United States and subject to the applicable state
and federal laws of the United States. By using our services, you consent to the use and disclosure of
information in accordance with this Privacy Policy and subject to such laws.

We transfer your personal information subject to appropriate safeguards as permitted under applicable
data protection laws. For such transfers, we rely on legal mechanisms such as Explicit Consent, Binding
Corporate Rules, or Standard Contractual Clauses.

Oasis may exchange or provide access to personal information to countries where we have affiliates,
partners, and service providers, in accordance with applicable law and using safeguards that are as
effective with those that we apply to ourselves.

If you are visiting our websites or using our apps and services from countries other than where you
reside, this may result in transfer of information across international borders. By using our services, you
consent to the collection, storage, and processing of information in any country that is applicable in
accordance with applicable data protection legislation.

Updates and Changes

We may modify this policy from time to time without notice or communications. The latest version of
our policy will display the last date it has been updated and will be available at this web address https://oasiswellbeing.com/privacy. Unless otherwise stated the changes will be in effect immediately. We encourage you to review our Privacy Policy from time to time and view any changes. Your continued use of our services, websites, apps, and other products following the update of changes will mean you
accept the changes and updates.

Requests to Delete

You can terminate and close your account from our apps and websites using the feature provided in the
account section. This will delete your data and render you inaccessible to the services and content. If
you are unable to complete these and you wish to permanently delete your data from our Platforms,
please email us at privacy@oasisapp.com. We will need to terminate your account, you will no longer be
able to use our services or access some of our content, and you will not receive any emails or
notifications. Subject to applicable law and requirements for data retention, your specific personal
information will be deleted from our data. Aggregate data and data that cannot be specifically assigned
to you will remain and will be used without in any way disclosing your identity or information. We may
need to retain certain data for recordkeeping and for other purposes required or authorized by law.

Right to Nondiscrimination

You have the right to be free from discriminatory treatment for exercising the privacy rights conferred
by the CCPA, including not being: denied goods or services; charged different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; provided a
different level or quality of goods or services; or suggested that you will receive a different price or rate
for goods or services or a different level or quality of goods or services.

How to Contact Us

You may contact us for any information, requests, clarification, and concerns about our Privacy Policy
and your personal information or to submit a complaint in these ways.

1. Send email to privacy@oasisapp.com

2. Mail a letter to:
Privacy Officer
Oasis Mental Health Applications, Corp.
129 N Pennsylvania Ave
Greensburg, PA 15601 USA

If you believe that we may have violated your privacy rights, you may submit a complaint to our Privacy
Officer. You may also submit a written complaint to the U.S. Department of Health and Human Services.
Oasis will not take retaliatory action against you, and you will not be penalized in any way if you choose
to file a complaint.

Please note that we may need to confirm your identity, request additional information, and work with
other Oasis departments to respond to you and to look into your concerns and complaint.

Annexure: Oasis Data Access, Usage and Policies

The following information is an exemplary summary of some of the types of data that may or may not be
collected, used, and/or saved by Oasis. This information should not be considered to be exhaustive or
limiting with regard to the data that Oasis may or may not collect, use, and/or save.

A. Data which we Collect from Users and Save

    • Name

    • Gender

    • Email

    • Mobile

    • School

    • Password

    • Billing Address

    • Shipping Address

    • Answers to Polls, Quiz, Tests and Questions

    • Journal Notes including Photographs, Audio and Video Recordings

    • Moods Selected

    • App, Personal and Display Preferences

    • Text, Files, Screen Shares and Audio of Support Chats

    • Shared Stories and Associated Files

    • Incident Reports and Attached Files and Notes

    • Additional Profile and Account Information

    • Profile Picture and Uploaded Images

    • Submissions for Contests and Games

    • Feedback and Information Provided in Surveys

B. Data which we Save and Track Automatically

    • IP Address of Connection

    • Type of Connection (Wi-Fi, Mobile Data, Hotspot, etc.)

    • Display Size

    • Internet Speed

    • Technical Tools Used (Operating System, Camera Resolution, etc.)

    • Times of Opening and Closing App

    • Opening / Reading of Different Features and Content

    • Actions in App such as Answering Questions or Saving a Journal, etc.

    • Changes and Updates to Account Information & Preferences

C. Data which we do not Scan or Save

    • Contacts on Mobile

    • Mobile Number of Device

    • Location / GPS Data

    • Any Files on Device

    • Any Activity on Device outside the Oasis app including use of other Apps

    • Telephone Conversations, Emails, Social Media Interactions, Messaging, etc.

    • Any types of Audio and Video Recordings

    • Any data from Device Sensors

    • Any use of device that is not related to Oasis app

    • Any data sent or received outside of Oasis app

    • Websites visited and web pages viewed

    • Any other cookies, beacons or saved data from any other app or device even if open to read

    • Any data including images, audio, video, and other files created and saved on device

    • Any notifications, alerts, and reminders other than those from Oasis

D. Data which we do not Save even when Presented

    • Documents, Photographs, Audio and Video uploaded but not submitted

    • Camera and Audio inputs when switched on in Oasis but not used in Support Chat

    • Any other data, document or events that are not directly required for Oasis