Last updated: February 23, 2026
This Privacy Policy outlines how Cartha AI, Inc. ("Cartha AI", "we") handles your personal information across our website and apps (collectively, the "Services"). We value user data protection and are committed to maintaining the confidentiality of your conversations. In summary:
Please note:
Your feedback and concerns are important to us. If you have any questions or wish to raise concerns about data privacy, please contact us at support@cartha.com. Every concern will be carefully considered and reviewed by our team.
Special Notice for Health Information: When you use Cartha to discuss mental health, emotional well-being, or related topics, you may share information that qualifies as "consumer health data" under various state laws. This section provides specific information about how we handle such sensitive information:
We collect data using tools such as cookies for user preferences, web local storage, and web beacons (Pixel Tags/Clear GIFs). We use these tools to collect a variety of data including the following:
We use analytics services to understand Service usage. These tools may use cookies and similar technologies. We do not share identifiable health information with analytics providers. We configure all analytics tools to respect "Do Not Track" signals where technically feasible.
Using platforms like Facebook, Google, or Apple for login grants us access to certain profile data (typically name, email, and profile picture only).
When you use our video chat features, we collect and process certain data to enable real-time communication:
Our video chat features require access to your device's camera and microphone. We only access these when you actively use video chat features and have granted permission. You can revoke camera and microphone permissions at any time through your device settings, though this will prevent you from using video chat features.
What We DO NOT Collect:
What We DO Collect:
We use third-party services to facilitate real-time video communication. These services process connection data necessary to establish peer-to-peer video connections but do not have access to the content of your video or audio streams. Our video infrastructure partners are bound by strict data processing agreements.
Any personal information you voluntarily share during video chat sessions (such as your name, contact information, or other details) is shared at your own risk. Cartha cannot control how other users may use or share information you disclose during video chat.
When you make in-app purchases (such as purchasing "hearts" or credits), we collect transaction data processed through Apple App Store or Google Play Store. We receive transaction confirmation data but do not receive or store your complete payment information.
Sharing sensitive data with our Services means you agree to our terms. We process sensitive personal information only with your explicit consent.
Personal data is utilized for:
We secure data in transit with TLS 1.3 and at rest with AES-256 encryption on AWS servers that hold SOC 2 Type II and ISO 27001 certifications. Only employees with a "need to know" can access de-identified logs, and all access is logged and reviewed. We conduct annual third-party penetration testing and continuous vulnerability scanning.
In the event of a data breach affecting your personal information or health data, we will notify you within 60 days of discovery via email and/or in-app notification. We will also notify relevant regulatory authorities as required by law, including under the FTC Health Breach Notification Rule (as amended April 2024).
We prioritize your privacy and don't trade or distribute your personal details to third parties for advertising gains. However, there are circumstances under which your data might be shared:
We collaborate with external service providers for specific operational needs. They might access or process your personal details on Cartha's behalf under strict confidentiality agreements. These partners include hosting, cloud storage, maintenance, security, and customer service providers. We do not share health conversation content with advertising partners.
Should there be significant changes in Cartha's operational status, such as mergers, sales, or even closure, your personal data could be transferred to another party, subject to the same privacy protections.
When bound by law or deemed essential, your data might be shared with agencies, legal bodies, courts, or governmental entities, consistent with the compliance and protection motives explained previously.
We may disclose user information in response to valid legal process (such as subpoenas, court orders, or search warrants) from government agencies or law enforcement officials. We may also disclose information where we believe in good faith that disclosure is necessary to:
Emergency Disclosure: In connection with an emergency disclosure request, we will require that law enforcement or government agencies clearly state the legal reason for ascertaining the requested information. We evaluate all emergency disclosure requests on a case-by-case basis in compliance with relevant law. We may notify affected users of government or law enforcement requests for their account information unless we are legally prohibited from doing so or in cases involving threats to life, child safety, or other emergency circumstances.
What We May Not Comply With: We may decline requests that are overly broad, lack proper legal authority, or fail to identify a specific Cartha account. In such cases, we may seek to narrow the request or challenge it through appropriate legal channels.
Should you wish, Cartha allows you to delete your account. More details on this are available in our "Contact Us" section.
Our Cookie Policy provides guidance on opting out from third-party cookies. You can manage cookie preferences through our cookie consent banner.
We empower you with choices regarding the personal data we maintain. Depending on your location and your interaction type with Cartha, you might be entitled to:
We provide the option to sign up for and log into our Services using third-party accounts, including but not limited to Facebook, Google, and Apple. When you choose to log in through these third-party platforms, we receive access to certain information from your social media or third-party account as permitted by the settings and your agreement with the respective platform. The information we typically receive includes your name, email address, and profile picture (if available). This data is used solely for the purposes of account creation, authentication, and integration of your account with our Services.
Reach out to us via the "Contact Us" section to make a request. We may ask for verification. Authorized agents acting on your behalf must prove their identity and authority. Rights exercised should be free from bias. We will respond to your request within 30 days.
Some situations may limit your choices due to others' rights, our service delivery, or legal obligations. If unsatisfied with our response, raise concerns via "Contact Us". Depending on your location, you may also consult a data protection authority.
Cartha AI respects "Do Not Track" signals where technically feasible and limits tracking accordingly.
Cartha AI prioritizes data protection, applying strict measures against unauthorized access and misuse. Specific team members maintain security and service quality. Sensitive data, like conversation logs, is encrypted and access is strictly controlled.
No security is absolute. Use of our Services comes with inherent risks. Your account's security is your duty, and carelessness may risk data exposure.
Our Services may include third-party links. Engaging with them subjects your data to their terms and policies.
Under 13: Cartha is not directed to children under 13. We do not knowingly collect data from children under 13. Parents or guardians who believe we have inadvertently collected personal information from a child under 13 should contact us immediately at support@cartha.com; we will delete it promptly.
Teens 13-17: Users aged 13-17 may self-consent where permitted by law; certain states may require additional parental authorization — see State Privacy Appendix. We provide enhanced privacy protections for teen users including: no data sharing or selling, no advertising cookies, and additional privacy rights. Teen users may optionally invite a parent or guardian to their account. In compliance with the New York Child Data Protection Act, we do not engage in profiling or targeted advertising to users under 18 years of age.
We retain personal data according to the following schedule:
You may request deletion at any time. Some data may be retained longer if required by law or to defend legal claims.
Personal data you provide goes directly to our Services in the United States. We might also relay this data to our affiliates, collaborators, and third-party providers in the U.S. and other regions. For transfers outside your country, we use appropriate safeguards such as Standard Contractual Clauses. Be aware that these regions might not offer the same data protection measures as your place of residence.
Our AI model may reflect biases present in its training data. We work to identify and mitigate these biases through regular testing and updates. You have the right to request human review of any significant decisions made about you based on automated processing.
As Cartha AI constantly enhances its Services, changes to this Privacy Policy may be necessary. We will provide at least 30 days' notice for material changes via email or in-app notification. Kindly note that we retain the authority to adjust this Privacy Policy at our discretion.
When updates are made, and unless legislation mandates a different form of notification, we will publish the revised policy on this page. Choosing to engage with our Services post-modification implies your acceptance of the updated Privacy Policy.
Residents of California, Colorado, Connecticut, Nevada, New York, Utah, Virginia, and Washington have additional rights, including the right to: (i) opt out of targeted advertising, (ii) request deletion of consumer health data, and (iii) appeal denials of privacy requests. Cartha honours these rights nationwide. To exercise them email support@cartha.com or use the in-app Privacy Center.
Under the My Health My Data Act, Washington residents have additional rights regarding consumer health data. We will respond to requests within 45 days and require separate, specific opt-in consent for processing health data. Washington residents may withdraw consent at any time.
California residents have additional rights under CCPA and CPRA, including the right to know, delete, correct, and opt-out of sale/sharing of personal information. We do not sell or share personal information.
Cartha is undertaking the technical documentation and post-market monitoring required for high-risk systems under Regulation (EU) 2024/1689.
Entity in charge: Cartha AI is tasked with overseeing personal information processing under this Privacy Policy (acting as a controller, where defined by applicable regulations).
For inquiries or feedback regarding this Privacy Policy, please connect with the Cartha AI team at: