Privacy Policy

How we protect and handle your personal information

Last updated: 10/4/2025

GDPR & CCPA compliant

This Privacy Policy outlines how Cartha AI, Inc. ("Cartha AI", "we") handles your personal information across our website and apps (collectively, the "Services"). We value user data protection and are committed to maintaining the confidentiality of your conversations. To elaborate on how your data will be used to derive insights and refine our AI, this policy will ensure you are informed about our data practices. In summary:

  • We value and prioritize your privacy. While we use AI and advanced personalization engines to bolster Cartha's capabilities, no human reviews full transcripts of conversations.
  • To refine Cartha's capabilities and security, individual messages and responses may be analyzed at random by appointed professionals trained in data privacy and bound by stringent confidentiality standards. We ensure your data is anonymized and unidentifiable to protect your privacy.
  • You have control over your data. If you wish to have your interactions with Cartha deleted, please reach out to support@cartha.ai. We are working on a self-service method to ease this process.
  • Rest assured, your conversations with Cartha remain confidential. We do not monetize or share your data with third parties for advertising purposes.
  • Engage with Cartha responsibly. Avoid harmful topics. Breaching our systems will result in restricted access.

Please note:

  • Cartha is intended for users aged 13 and above. Users aged 13-17 require parental consent.
  • Cartha is not a replacement for medical advice. Always consult with a licensed medical professional regarding health concerns. If you're facing an emergency, contact emergency services immediately.

Your feedback and concerns are important to us. If you have any questions or wish to raise concerns about data privacy, please contact us at support@cartha.ai. Every concern will be carefully considered and reviewed by our team.

Consumer Health Data Privacy Notice

Special Notice for Health Information: When you use Cartha to discuss mental health, emotional well-being, or related topics, you may share information that qualifies as "consumer health data" under various state laws. This section provides specific information about how we handle such sensitive information:

  • Opt-In Consent: By using Cartha after reviewing this notice, you explicitly consent to our collection and processing of consumer health data as described in this policy.
  • Purpose Limitation: We use your health-related conversations solely to provide and improve our mental wellness support services, not for advertising or sale to third parties.
  • Enhanced Protections: Consumer health data receives additional security measures including encryption, access controls, and audit logging.
  • Your Rights: You have the right to withdraw consent, request deletion, and obtain a copy of your health data. Contact privacy@cartha.ai to exercise these rights.
  • Retention: Health-related conversation data is retained for 24 months unless you request earlier deletion, after which it is permanently destroyed.

Data Collection

We collect data using tools such as cookies for user preferences, web local storage, and web beacons (Pixel Tags/Clear GIFs). We use these tools to collect a variety of data including the following:

  • Contact and account details.
  • Messages to Cartha AI.
  • User interactions, including feedback.
  • Basic/Common Device info: OS, device-type, browser, IP address.
  • Common Analytics: pages visited, time-spent, click interactions.

Third-Party Analytics and Pixels

We use analytics services to understand Service usage. These tools may use cookies and similar technologies. We do not share identifiable health information with analytics providers. We configure all analytics tools to respect "Do Not Track" signals where technically feasible.

Data from Third Parties

Using platforms like Facebook, Google, or Apple for login grants us access to certain profile data (typically name, email, and profile picture only).

Sensitive Information

Sharing sensitive data with our Services means you agree to our terms. We process sensitive personal information only with your explicit consent.

Data Usage

Personal data is utilized for:

  • Service Provision. Meeting our Terms Of Service and providing mental wellness support.
  • Communication. Responding and updating you about our Services.
  • Service Improvement. Customization, security, and prevention against malicious actions.
  • R&D. Analysis, innovation, and creating anonymized data for model training.
  • Legal Compliance. Law adherence, defense, internal audits, and deterring illicit actions.

How We Protect Your Information

We secure data in transit with TLS 1.3 and at rest with AES-256 encryption on AWS servers that hold SOC 2 Type II and ISO 27001 certifications. Only employees with a "need to know" can access de-identified logs, and all access is logged and reviewed. We conduct annual third-party penetration testing and continuous vulnerability scanning.

Data Breach Notification

In the event of a data breach affecting your personal information or health data, we will notify you within 60 days of discovery via email and/or in-app notification. We will also notify relevant regulatory authorities as required by law, including under the FTC Health Breach Notification Rule (as amended April 2024).

Data Protection

We prioritize your privacy and don't trade or distribute your personal details to third parties for advertising gains. However, there are circumstances under which your data might be shared:

Trusted Partners

We collaborate with external service providers for specific operational needs. They might access or process your personal details on Cartha's behalf under strict confidentiality agreements. These partners range from hosting, cloud storage, maintenance, security, to customer service providers. We do not share health conversation content with advertising partners.

Business Transactions

Should there be significant changes in Cartha's operational status, such as mergers, sales, or even closure, your personal data could be transferred to another party, subject to the same privacy protections.

Legal Bodies and Regulatory Authorities

When bound by law or deemed essential, your data might be shared with agencies, legal bodies, courts, or governmental entities, consistent with the compliance and protection motives explained previously.

Your Privacy Options

Should you wish, Cartha allows you to delete your account. More details on this are available in our 'Contact Us' section.

Refusing Online Trackers

Our Cookie Policy provides guidance on opting out from third-party cookies. You can manage cookie preferences through our cookie consent banner.

Your Data Rights

We empower you with choices regarding the personal data we maintain. Depending on your location and your interaction type with Cartha, you might be entitled to:

  • Insight into the data collection and use. This is readily available in this Privacy Policy.
  • Access to the personal data we have gathered. We ensure it's in an accessible and machine-readable format where required.
  • Correction of any incorrect or outdated personal information.
  • Removal of unnecessary personal data unless needed for the Services or legal obligations.
  • Revoke Consent. If we've used your data based on consent, you can retract it. This doesn't impact any previous data uses done lawfully before the withdrawal.
  • Other rights might include objection or restriction requests related to how we handle your data.
  • Data Portability: Receive your data in a structured, commonly used format.
  • Right to Complain: Lodge a complaint with your local data protection authority.

Social Media and Third-Party Logins

We provide the option to sign up for and log into our Services using third-party accounts, including but not limited to Facebook, Google, and Apple. This is to simplify the login process and allow you to use our Services more conveniently. When you choose to log in through these third-party platforms, we receive access to certain information from your social media or third-party account as permitted by the settings and your agreement with the respective platform. The information we typically receive includes your name, email address, and profile picture (if available). This data is used solely for the purposes of account creation, authentication, and integration of your account with our Services. Please note the following regarding these third-party logins:

  • Data Usage: The information obtained from these third-party platforms is used to create or authenticate your user account in our system. It enables us to provide a seamless integration between Cartha AI and your chosen platform for logging in.
  • Data Security: We apply the same data protection and security measures to your information obtained via third-party logins as we do for all other user data under our care.
  • Data Sharing: We do not share, sell, or rent information obtained from these third-party platforms with other parties, except as outlined in our Privacy Policy under "Trusted Partners" and "Legal Bodies and Regulatory Authorities."
  • User Control and Consent: By opting to use third-party login options, you consent to the transfer of your information from the respective platform to Cartha AI. You maintain the right to disconnect your third-party account from our Services at any time.
  • Compliance with Third-Party Policies: Our use of information obtained through these third-party platforms is in compliance with the terms and conditions, as well as privacy policies, of the respective platforms.

For more information on how these platforms handle your personal information and the kind of data we receive from them, please refer to their respective privacy policies.

Request Procedures

Reach out to us via the 'Contact Us' section to make a request. We may ask for verification. Authorized agents acting on your behalf must prove their identity and authority. Rights exercised should be free from bias. We will respond to your request within 30 days.

Privacy Limitations

Some situations may limit your choices due to others' rights, our service delivery, or legal obligations. If unsatisfied with our response, raise concerns via 'Contact Us'. Depending on your location, you may also consult a data protection authority.

Do Not Track Signals

Cartha AI respects "Do Not Track" signals where technically feasible and limits tracking accordingly.

Data Safety

Cartha AI prioritizes data protection, applying strict measures against unauthorized access and misuse. Specific team members maintain security and service quality. Sensitive data, like conversation logs, is encrypted and access is strictly controlled.

No security is absolute. Use of our Services comes with inherent risks. Your account's security is your duty, and carelessness may risk data exposure.

Third-Party Content

Our Services may include third-party links. Engaging with them subjects your data to their terms and policies.

Children and Teens

Under 13: Cartha is not directed to children under 13. We do not knowingly collect data from children under 13. Parents or guardians who believe we have inadvertently collected personal information from a child under 13 should contact us immediately at support@cartha.ai; we will delete it promptly.

Teens 13-17: Users aged 13-17 may self-consent where permitted by law; certain states may require additional parental authorization—see State Privacy Appendix. We provide enhanced privacy protections for teen users including: no data sharing or selling, no advertising cookies, and additional privacy rights. Teen users may optionally invite a parent or guardian to their account. In compliance with the New York Child Data Protection Act, we do not engage in profiling or targeted advertising to users under 18 years of age.

Retention

We retain personal data according to the following schedule:

  • Account Information: Retained while account is active plus 30 days
  • Conversation Data: 24 months from last interaction
  • Analytics Data: 12 months
  • Security Logs: 6 months

You may request deletion at any time. Some data may be retained longer if required by law or to defend legal claims.

International Data Transfers

Personal data you provide goes directly to our Services in the United States. We might also relay this data to our affiliates, collaborators, and third-party providers in the U.S. and other regions. For transfers outside your country, we use appropriate safeguards such as Standard Contractual Clauses. Be aware that these regions might not offer identical data protection measures as those in your residence.

Algorithmic Decision-Making and Bias

Our AI model may reflect biases present in its training data. We work to identify and mitigate these biases through regular testing and updates. You have the right to request human review of any significant decisions made about you based on automated processing.

Policy Updates

As Cartha AI constantly enhances its Services, changes to this Privacy Policy may be necessary. We will provide at least 30 days' notice for material changes via email or in-app notification. Kindly note that we retain the authority to adjust this Privacy Policy at our discretion.

When updates are made, and unless legislation mandates a different form of notification, we will publish the revised policy on this page. Choosing to engage with our Services post-modification implies your acceptance of the updated Privacy Policy.

U.S. State Privacy Rights

Residents of California, Colorado, Connecticut, Nevada, New York, Utah, Virginia, and Washington have additional rights, including the right to: (i) opt out of targeted advertising, (ii) request deletion of consumer health data, and (iii) appeal denials of privacy requests. Cartha honours these rights nationwide. To exercise them email support@cartha.ai or use the in-app Privacy Center.

Washington Residents' Rights

Under the My Health My Data Act, Washington residents have additional rights regarding consumer health data. We will respond to requests within 45 days and require separate, specific opt-in consent for processing health data. Washington residents may withdraw consent at any time.

California Privacy Rights

California residents have additional rights under CCPA and CPRA, including the right to know, delete, correct, and opt-out of sale/sharing of personal information. We do not sell or share personal information.

EU AI Act Compliance

Cartha is undertaking the technical documentation and post-market monitoring required for high-risk systems under Regulation (EU) 2024/1689.

Contact Us

Entity in charge: Cartha AI is tasked with overseeing personal information processing under this Privacy Policy (acting as a controller, where defined by applicable regulations).

For inquiries or feedback regarding this Privacy Policy, please connect with the Cartha AI team at:

  • Email: support@cartha.ai
  • Privacy-specific inquiries: privacy@cartha.ai
  • Data Protection Officer: dpo@cartha.ai
  • Mailing Address: Cartha AI, Inc., 1820 S Bentley Ave, Los Angeles, CA 90025
