PRIVACY POLICY

ELLI Platform

Effective Date: August 8, 2025

INTRODUCTION

We, ELLI, value your privacy and strive to ensure maximum protection of your personal data. This Privacy Policy (hereinafter referred to as the "Policy") explains in detail how we collect, use, store, and protect your data, and defines your rights regarding this data.

This Policy has been developed in strict compliance with:

  • Law of Ukraine "On Protection of Personal Data"
  • EU General Data Protection Regulation (GDPR)
  • US Health Insurance Portability and Accountability Act (HIPAA)

1. ABOUT THE ELLI PLATFORM

ELLI is an innovative online platform providing psychological support services using advanced artificial intelligence technologies. Users can interact with an AI psychologist in a text-based communication format to receive personalized consultations aimed at improving emotional and mental well-being.

Privacy Contact Information: https://e-lli.com/contact

2. CATEGORIES OF DATA COLLECTED

We collect data exclusively on a voluntary basis or during the automatic functioning of the platform. All data is classified by protection categories:

2.1 PERSONAL IDENTIFICATION DATA

Collected only when voluntarily provided through platform forms:

  • Username
  • Email address
  • Phone number (optional)
  • Age
  • Gender identity (if willing to provide)
  • Country and region of residence
  • Medical diagnoses (if willing to provide)

2.2 DATA ON MENTAL AND EMOTIONAL STATE

Special category of data requiring enhanced protection:

  • Text messages during sessions with AI psychologist
  • Voice recordings of consultations (when voice format is chosen)
  • Video recordings of sessions (when video format is chosen)
  • Answers to psychological questionnaires and tests
  • Emotional reactions and states

IMPORTANT: All data in this category is automatically encrypted, which excludes the possibility of personal identification by either our company or third parties.

2.3 BEHAVIORAL DATA

Information about interaction with the platform:

  • Start and end times of sessions
  • Frequency of use of various functions
  • Navigation patterns on the platform
  • Preferences in interface settings
  • History of access to various sections

2.4 TECHNICAL DATA

Automatically collected system data:

  • IP address (with geolocation capability)
  • Operating system type and version
  • Browser and its version
  • Screen resolution and device characteristics
  • Cookies and local storage data
  • Unique device identifiers

2.5 PSEUDONYMIZED IDENTIFIERS

Special technical data to ensure confidentiality:

  • Unique hash user identifier (generated automatically by Clerk authentication system)
  • Session tokens to maintain session state
  • Cryptographic access keys to encrypted data

CRITICALLY IMPORTANT: The hash identifier represents a unique cryptographic string that is technically impossible to reverse into original personal data. This mechanism provides an additional level of privacy protection in accordance with the requirements of GDPR Article 4(5) on pseudonymization.

3. DATA COLLECTION METHODS

3.1 DIRECT PROVISION BY USER

Registration forms: When creating an account

Profile questionnaires: When filling in personal information

Interactive sessions: During communication with AI psychologist

Feedback: Through feedback and suggestion forms

3.2 AUTOMATIC COLLECTION

Cookies: To track preferences and sessions

Web analytics: Through integration with Google Analytics

Server logs: Records of technical interactions

Tracking pixels: To analyze interface effectiveness

3.3 THIRD-PARTY SOURCES

Analytics platforms: Google Analytics, Hotjar (only with consent)

Social networks: When authorizing through social accounts

Partner integrations: When using third-party services

3.4 AUTHENTICATION AND PSEUDONYMIZATION SYSTEM

3.4.1 Clerk Authentication System

The ELLI platform uses Clerk — a professional user identity and authentication management system compliant with SOC 2 Type II and GDPR standards.

Authentication process:

  1. Initial registration: User provides basic data (email, name) through Clerk's secure form
  2. Hash identifier generation: Clerk automatically creates a unique cryptographic hash (e.g., user_2nX8Kq9P3mN7vLbR4tY6wZ1s)
  3. Data separation:
    • Clerk stores personal identification data in its protected infrastructure
    • ELLI platform receives and stores only the hash identifier
    • The link between personal data and hash exists exclusively in Clerk's system
  4. Authorized access: With each login, Clerk generates a temporary JWT token containing the hash identifier

3.4.2 Data Segregation Principle

Security architecture:

  [Clerk Infrastructure] → Stores: Email, Name, Phone, Password
            ↓ (transmits only hash)
  [ELLI Platform] → Stores: Hash identifier + Therapeutic data

Advantages of this architecture:

  • Impossibility of re-identification: Even in case of data breach from ELLI, it is impossible to link therapeutic records to a specific person without access to Clerk system
  • Data minimization: ELLI processes minimal set of identification data
  • Separation of responsibility: Clerk is responsible for protecting personal data, ELLI — for therapeutic data
  • Privacy by Design compliance: Architecture is designed with privacy protection in mind (Article 25 GDPR)

3.4.3 Hash-Based Record-Keeping Mechanism

All platform operations are linked to the hash identifier:

  • Therapeutic sessions: Recorded as session_data[user_hash]
  • Interaction history: Stored in format interaction_log[user_hash][timestamp]
  • User settings: Saved as preferences[user_hash]
  • Analytics data: Aggregated by hashes without possibility of de-anonymization

Technical record example:

  {
    "user_hash": "user_2nX8Kq9P3mN7vLbR4tY6wZ1s",
    "session_id": "sess_a7bC9d2E4f6G8h",
    "timestamp": "2025-08-15T14:30:00Z",
    "session_data": "[encrypted content]"
  }

Important: Personal data (name, email) is never stored in the same database with therapeutic records.
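An added illustration (not ELLI's, Clerk's or any project's code) of the separation rule described in 3.4.1–3.4.3: the identity-provider side issues a signed token whose `sub` is the opaque user identifier, and the platform side verifies it, keeps only that identifier, keys the therapeutic record by it, and rejects any record that carries identity fields. The HS256 shared-secret signing, the helper and class names, and all identifiers, secrets and timestamps are constructed assumptions for the demonstration; the page does not describe Clerk's actual token format.

```python
"""Added example (hypothetical, not ELLI's or Clerk's code): hash-keyed record-keeping."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, List, Optional

# Constructed demo secret. HS256 with a shared secret is an assumption made to keep the
# example self-contained; a real deployment verifies the issuer's signature with the
# issuer's published public key.
DEMO_SECRET = b"demo-only-secret-not-for-production"

# Identity fields that must never be written to the therapeutic store (section 3.4.3).
IDENTITY_FIELDS = frozenset({"email", "name", "first_name", "last_name", "phone", "password"})


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: Dict[str, Any], secret: bytes = DEMO_SECRET) -> str:
    """Identity-provider side: mint an HS256 JWT carrying only opaque claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def user_hash_from_token(token: str, secret: bytes = DEMO_SECRET,
                         now: Optional[float] = None) -> str:
    """Platform side: check alg, signature and expiry; return only the subject identifier."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none' or a swap
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:  # short-lived tokens, see 6.1.4 and 9.2
        raise ValueError("token expired")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("missing sub")
    return sub  # the only identity-related value the platform retains


class TherapeuticStore:
    """session_data[user_hash] -> records; identity fields are rejected on write."""

    def __init__(self) -> None:
        self.session_data: Dict[str, List[Dict[str, Any]]] = {}

    def add_record(self, user_hash: str, record: Dict[str, Any]) -> Dict[str, Any]:
        leaked = IDENTITY_FIELDS.intersection(k.lower() for k in record)
        if leaked:
            raise ValueError(f"identity fields not allowed here: {sorted(leaked)}")
        stored = {"user_hash": user_hash, **record}
        self.session_data.setdefault(user_hash, []).append(stored)
        return stored

    def erase_user(self, user_hash: str) -> int:
        """Optional deletion of therapeutic data by hash (section 7.3, step 4)."""
        return len(self.session_data.pop(user_hash, []))


def demo() -> Dict[str, Any]:
    now = 1_755_268_200  # constructed clock: 2025-08-15T14:30:00Z
    token = make_demo_token({"sub": "user_2nX8Kq9P3mN7vLbR4tY6wZ1s",
                             "iat": now, "exp": now + 15 * 60})
    user_hash = user_hash_from_token(token, now=now + 60)
    store = TherapeuticStore()
    stored = store.add_record(user_hash, {"session_id": "sess_a7bC9d2E4f6G8h",
                                          "timestamp": "2025-08-15T14:30:00Z",
                                          "session_data": "[encrypted content]"})
    try:  # a record carrying an email must be rejected by the store
        store.add_record(user_hash, {"email": "person@example.com", "session_data": "x"})
        identity_rejected = False
    except ValueError:
        identity_rejected = True
    try:  # the same token presented after its 15-minute lifetime is refused
        user_hash_from_token(token, now=now + 16 * 60)
        expired_refused = False
    except ValueError:
        expired_refused = True
    return {"user_hash": user_hash, "stored": stored,
            "identity_rejected": identity_rejected, "expired_refused": expired_refused,
            "erased": store.erase_user(user_hash)}
```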

3.4.4 Legal Basis for Pseudonymization

In accordance with GDPR Article 4(5), pseudonymization is defined as:

"Processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately."

Our system fully complies with this definition because:

  • Hash identifiers are technically impossible to reverse
  • Additional information (hash correspondence to real data) is stored separately in Clerk
  • Access to Clerk system is strictly controlled and logged

Advantages of pseudonymization according to GDPR Recital 28:

  • Reduction of risks for data subjects
  • Assistance to controllers in fulfilling data protection obligations
  • Additional security measure alongside encryption

4. PURPOSES AND LEGAL BASES FOR DATA PROCESSING

4.1 PROVISION OF CORE SERVICES

Legal basis: Performance of contract (Article 6(1)(b) GDPR)

  • Personalization of AI psychologist consultations
  • Adaptation of recommendations to individual needs
  • Ensuring continuity of therapeutic sessions
  • Monitoring user progress

4.2 IMPROVEMENT OF AI TECHNOLOGIES

Legal basis: Legitimate interest (Article 6(1)(f) GDPR)

  • Training machine learning algorithms
  • Increasing accuracy of psychological recommendations
  • Development of new therapeutic methods
  • Optimization of user experience

4.3 MARKETING PURPOSES

Legal basis: User consent (Article 6(1)(a) GDPR)

  • Sending personalized offers
  • Informing about new platform features
  • Conducting marketing campaigns
  • Analyzing effectiveness of advertising materials

4.4 SCIENTIFIC RESEARCH

Legal basis: Legitimate interest (Article 6(1)(f) GDPR) + Consent (Article 9(2)(a) for special categories)

  • Research in the field of digital psychology
  • Development of innovative therapeutic approaches
  • Collaboration with scientific institutions
  • Publication of anonymized research

Processing of health data is carried out exclusively with your explicit consent in accordance with Article 9 GDPR.

5. TRANSFER OF DATA TO THIRD PARTIES

5.1 LIMITED DATA TRANSFER

We DO NOT SELL and DO NOT RENT your personal data. Transfer is possible only in the following cases:

5.1.1 Law Enforcement Agencies

Condition: Presence of official court decision or request from competent authorities

Scope: Only personal data provided voluntarily through forms

Notification: User is notified unless prohibited by law

5.1.2 Third-Party Services and Contractors

Clerk Authentication Services: Processing authentication and identity management (full GDPR compliance, SOC 2 Type II)

Microsoft Azure Cloud Services: Storage of encrypted data and infrastructure provision

  • Azure SQL Database for structured data
  • Azure Blob Storage for media files
  • Azure Key Vault for encryption key management
  • Azure Cognitive Services for AI processing (when used)

Google Analytics: For web analytics (anonymized data)

Hotjar: For UX research (only with consent)

Payment systems: For processing transactions (only necessary data)

IT support: For technical maintenance (with limited access)

5.1.3 Data Processing Agreements with Key Partners

Clerk, Inc.:

  • Location: USA (San Francisco, CA)
  • Certifications: SOC 2 Type II, GDPR-compliant
  • DPA: Standard data processing agreement with SCC
  • Role: Authentication data processor
  • Guarantees: Clerk commits not to use data for own purposes

Microsoft Corporation (Azure):

  • Location: EU data centers (primarily Netherlands, Ireland)
  • Certifications: ISO 27001, ISO 27018, SOC 1/2/3, GDPR, HIPAA-compliant
  • DPA: Microsoft Online Services DPA with SCC
  • Role: Sub-processor for cloud infrastructure
  • Guarantees: EU data residency, encryption at-rest and in-transit

5.2 INTERNATIONAL TRANSFERS

For international data transfers, the following apply:

  • EU Standard Contractual Clauses (SCC 2021) — for data transfer to USA (Clerk) and other jurisdictions
  • Adequacy decisions — for countries recognized by EU
  • Microsoft EU Data Boundary — for storing European user data exclusively in EU
  • Binding Corporate Rules (BCR) — for company groups

Special guarantees for health data:

  • All special category data (psychological sessions) is encrypted before transfer
  • Encryption keys stored separately in Azure Key Vault in European data centers
  • Pseudonymization through hash identifiers minimizes risks in cross-border transfers

6. DATA SECURITY AND STORAGE

6.1 TECHNICAL SECURITY MEASURES

6.1.1 Data Encryption

At rest:

  • AES-256 encryption for all stored data in Azure Storage
  • Transparent Data Encryption (TDE) for Azure SQL Database
  • Double encryption for health data (client + server)

In transit:

  • TLS 1.3 protocol for all communications between client and server
  • HTTPS Strict Transport Security (HSTS) for web application
  • Mutual TLS authentication for API interactions between services

Key management:

  • Azure Key Vault with HSM (Hardware Security Module) for encryption key management
  • Automatic key rotation every 90 days
  • Key separation: separate keys for different data categories
  • Principle of least privilege for key access

6.1.2 Access Control

Multi-factor authentication:

  • Mandatory for all personnel with system access
  • Azure Active Directory with Conditional Access
  • Biometric authentication for critical operations

Principle of least privilege:

  • Role-Based Access Control (RBAC) through Azure AD
  • Just-in-Time (JIT) access for administrative operations
  • Temporary permissions with automatic revocation

Data access control:

  • Hash identifiers limit access to minimum necessary
  • Separation of duties: ELLI personnel have no access to Clerk system
  • Audit logging: all access operations recorded in Azure Monitor

6.1.3 Security Monitoring

24/7 monitoring:

  • Azure Security Center for continuous threat tracking
  • Azure Sentinel (SIEM) for security analysis and incident response
  • Automatic alerts for suspicious activity

Intrusion detection systems:

  • Azure DDoS Protection for protection against denial-of-service attacks
  • Azure Web Application Firewall (WAF) for web application protection
  • Intrusion Detection System (IDS) at network level

Logging and auditing:

  • Azure Monitor Logs for complete recording of data operations
  • Clerk Audit Logs for tracking authentication events
  • Log retention: minimum 2 years for regulatory compliance
  • SIEM integration for security event correlation

Security testing:

  • Quarterly pentests by independent auditors
  • Automated vulnerability scanning weekly
  • Red Team exercises annually

6.1.4 Pseudonymization Architecture and Data Isolation

Multi-layered protection:

  1. Authentication layer (Clerk):
    • Storage of personal data in isolated infrastructure
    • Generation and management of hash identifiers
    • JWT tokens with short lifespan (15 minutes)
  2. Application layer (ELLI Platform):
    • Reception of only hash identifiers and tokens
    • Linking all session data to hashes
    • Absence of direct personal data in main DB
  3. Storage layer (Azure):
    • Encryption of all data with different keys
    • Database separation: identifiers ↔ therapeutic data
    • Geographic separation for European users

Architecture advantages:

  • Breach containment: data breach from one layer doesn't compromise others
  • Attack surface minimization: reduction of attack points
  • Privacy by Design compliance: protection built into architecture

6.2 ORGANIZATIONAL MEASURES

6.2.1 Staff Training

Regular training on data protection and GDPR compliance

Specialized training:

  • Working with health data (HIPAA guidelines)
  • Incident response protocols
  • Ethical standards of psychological practice

Employee certification on security standards (CISSP, CISM)

Agreement signing:

  • NDA (Non-Disclosure Agreement) for all employees
  • DPA (Data Processing Agreement) for contractors

6.2.2 Physical Security

Protected Microsoft Azure data centers:

  • Certification: ISO 27001, SOC 2 Type II
  • Biometric access control to server rooms
  • 24/7 video surveillance and security
  • Backup power and climate control systems
  • Automatic fire suppression systems

Office security:

  • Access control to workplaces with confidential data
  • "Clean desk" policy to prevent leaks
  • Encryption of work devices

6.3 DATA RETENTION PERIODS

  Data Type                        | Retention Period       | Conditions                                                  | Location
  ---------------------------------+------------------------+-------------------------------------------------------------+------------------------
  Personal data (active account)   | Until account deletion | While user is active                                        | Clerk + Azure EU
  Hash identifiers (active)        | Until account deletion | Synchronized with Clerk                                     | Azure SQL Database
  Personal data (deleted account)  | 30 days                | For recovery possibility                                    | Clerk (soft delete)
  Therapeutic data (hash-linked)   | 5 years                | After account deletion, unless immediate deletion requested | Azure Blob Storage
  Fully anonymized aggregated data | Indefinitely           | For scientific research and AI improvement                  | Azure Data Lake
  Technical logs (Azure Monitor)   | 2 years                | For security purposes                                       | Azure Monitor Logs
  Authentication logs (Clerk)      | 1 year                 | For security audit                                          | Clerk Audit Logs
  Marketing data                   | 3 years                | With consent                                                | Azure + Marketing tools

Note on pseudonymized data:

After account deletion, the link between hash identifier and real person is destroyed in Clerk system. Therapeutic data linked to hash technically becomes anonymous, as there is no mechanism for re-identification.

6.4 DELETION PROCEDURES

6.4.1 Deletion Upon User Request

Standard deletion (right to be forgotten):

  1. Day 0: User submits deletion request through personal account
  2. Day 1: Clerk deactivates account and marks data for deletion
  3. Day 30: Automatic deletion of personal data from Clerk
  4. Day 30: Deletion of hash ↔ identity link (irreversible anonymization)
  5. Day 90: Deletion of therapeutic data from Azure (if immediate deletion requested)

Emergency deletion (upon request):

  • Immediate deactivation of account
  • 72 hours: Complete deletion of all data from all systems
  • Deletion confirmation sent to user

6.4.2 Cryptographic Erasure Methods

For personal data:

  • Secure deletion through overwriting with random data (7 passes per DoD 5220.22-M)
  • Cryptographic erasure: destruction of encryption keys in Azure Key Vault
  • Soft delete + purge: using Azure's built-in mechanisms

For hash identifiers:

  • Deletion from all databases and indexes
  • Clearing of caches and temporary storage
  • Verification of deletion through automated scripts

For backups:

  • Automatic cleaning of deleted data from backups after 90 days
  • Encrypted backups with destructible keys

6.4.3 Deletion Process Audit

Deletion certificates:

  • Documentary confirmation of data destruction
  • Provided to user upon request
  • Includes details about volume and types of deleted data

Automatic checks:

  • Monthly verification of deletion timeline compliance
  • Audit of deletion logs in Azure Monitor
  • Compliance reports for regulators

7. USER RIGHTS

7.1 RIGHT TO INFORMATION AND ACCESS (Article 15 GDPR)

Confirmation of processing: Information about whether your data is being processed

Copy of data: Obtaining a complete copy of all personal data

Processing details: Purposes, categories, recipients of data

Retention periods: Period of storage or criteria for determination

Specifics of access to pseudonymized data:

You have the right to receive:

  • Personal data from Clerk: email, name, phone, registration date
  • Therapeutic data from ELLI: all session records, questionnaire answers linked to your hash identifier
  • Technical data: login logs, account settings

Provision format:

  • JSON for structured data
  • PDF report for therapeutic records
  • CSV for usage statistics

Provision timeframe: 30 days from request

7.2 RIGHT TO RECTIFICATION (Article 16 GDPR)

Correction of inaccuracies: Correcting incorrect information in Clerk and ELLI

Data completion: Adding missing data to profile

Information update: Updating outdated data

How to implement:

  • Through personal account for basic data
  • Through request at https://e-lli.com/contact for therapeutic records

7.3 RIGHT TO ERASURE — "RIGHT TO BE FORGOTTEN" (Article 17 GDPR)

Grounds for deletion:

  • Data is no longer necessary for original purposes
  • Withdrawal of consent and absence of other legal grounds
  • Unlawful data processing
  • Compliance with legal obligation

Deletion process through pseudonymization:

  1. Deletion request through personal account or email: https://e-lli.com/contact
  2. Deletion of personal data from Clerk (de-identification)
  3. Breaking hash ↔ identity link (irreversible anonymization)
  4. Optional: Deletion of therapeutic data by hash from ELLI

Important: After breaking the link in Clerk, therapeutic data becomes technically anonymous, as there is no way to link hash to real person.

7.4 RIGHT TO RESTRICTION OF PROCESSING (Article 18 GDPR)

Cases of restriction:

  • Contesting data accuracy
  • Unlawful processing (alternative to deletion)
  • Data needed for legal claims
  • Pending verification of processing lawfulness

Technical implementation:

  • Marking hash identifier as "restricted" in system
  • Blocking processing of new data
  • Preserving existing data without changes

7.5 RIGHT TO DATA PORTABILITY (Article 20 GDPR)

Structured format: JSON, CSV, XML

Machine-readable data: Suitable for automatic processing

Direct transmission: Possibility of transmission to another controller

Export includes:

  • Personal data from Clerk (with your permission)
  • All therapeutic records linked to your hash
  • Session metadata and settings

Exceptions:

  • Data obtained from AI analysis (derivative data) may be excluded
  • Third-party data (e.g., other users) not included

7.6 RIGHT TO OBJECT (Article 21 GDPR)

  • Against processing for legitimate interest (with justification)
  • Against direct marketing (unconditional right)
  • Against profiling for marketing purposes

Technical implementation:

  • Settings in personal account for marketing communications
  • Request via email for other processing purposes

7.7 RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING (Article 22 GDPR)

  • Exceptions from automatic decisions of AI psychologist
  • Right to human intervention in critical situations
  • Possibility to contest decisions of algorithm

Specifics for ELLI platform:

AI psychologist provides recommendations but does not make medical decisions affecting your rights. All critical cases are escalated to human specialist.

7.8 EXERCISING RIGHTS

Methods of contact:

  1. Personal account: Self-management of data through interface (access to personal data, therapeutic records, data export)
  2. Email (for complex requests and deletion): https://e-lli.com/contact
  3. Online form (for GDPR rights requests): https://e-lli.com/contact

Response times:

Standard requests: Up to 30 days

Complex requests: Up to 90 days (with notification of extension)

Emergency cases: Up to 72 hours (e.g., deletion in case of security threat)

Identity verification:

To protect your data, we may request identity confirmation for requests:

  • Verification code to registered email
  • Answers to security questions
  • Authentication through Clerk

8. CONSENT MANAGEMENT

8.1 OBTAINING CONSENT

Principles of valid consent:

Freely given: Without coercion or negative consequences of refusal

Specific: For defined processing purposes

Informed: With full understanding of consequences

Unambiguous: Through clear affirmative actions

Methods of obtaining:

  • Checkboxes in registration forms (not pre-checked)
  • Confirmation buttons in pop-up windows
  • Electronic signature of documents
  • Verbal consent (with audio recording)

Granular consent during registration:

When creating account through Clerk you provide consent for:

  • Processing of personal data by Clerk system for authentication
  • Transmission of hash identifier to ELLI platform
  • Processing of therapeutic data by hash identifier

8.2 WITHDRAWAL OF CONSENT

Principles of withdrawal:

Simplicity: Not more difficult than consent procedure

Availability: Available at any time through personal account

Immediacy: Takes effect immediately after confirmation

Consequences of withdrawal:

  • Cessation of data processing for corresponding purposes
  • Preservation of lawfulness of previous processing
  • Possible limitation of platform functionality (e.g., impossibility to continue therapy without consent for processing)

Withdrawal of authentication consent:

Upon withdrawal of consent for Clerk processing:

  • Account is deactivated
  • Personal data deleted from Clerk
  • Therapeutic data becomes anonymous (breaking hash ↔ identity link)

8.3 GRANULAR CONSENT MANAGEMENT

Users can manage consent by categories:

Authentication and service personalization: Mandatory for platform operation (based on contract)

Marketing communications: Optional (consent can be withdrawn)

Scientific research: Optional (use of anonymized data)

Analytics and improvements: Optional (Google Analytics, Hotjar)

Consent management:

  • Settings center in personal account
  • Separate toggles for each category
  • Consent change history

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 TYPES OF COOKIES USED

9.1.1 Strictly Necessary cookies

Session identifiers: To maintain session

Clerk tokens: JWT tokens for authentication (stored in localStorage/cookies)

Security settings: To protect against CSRF attacks

Language choice: To remember language preferences

Consent status: To store cookie decisions

9.1.2 Functional cookies

User preferences: Interface settings

User hash identifier: For linking session data (in encrypted form)

Interaction formats: Preferred communication methods

Session history: To continue interrupted consultations

9.1.3 Analytics cookies

Google Analytics: Traffic and behavior analysis (with IP anonymization)

Hotjar: Heat maps and session recordings (only with consent)

Azure Application Insights: Internal performance analytics

9.1.4 Marketing cookies

Retargeting: For showing relevant advertising

Social networks: Integration with Facebook, Instagram

Email campaigns: Tracking mailing effectiveness

Context campaigns: Integration with Google Ads

9.2 COOKIE MANAGEMENT

Management tools:

Cookie banner: On first website visit with granular choice

Settings center: In user personal account

Browser settings: Standard browser options

Mobile settings: Management in mobile application

Clerk and cookies:

Clerk uses secure, httpOnly cookies for storing session tokens. These cookies:

  • Automatically deleted upon logout
  • Have short lifespan (15 minutes for access token)
  • Protected from XSS and CSRF attacks

9.3 THIRD-PARTY INTEGRATIONS

  Service          | Data Type                                | Purpose                | Legal Basis
  -----------------+------------------------------------------+------------------------+------------------------
  Clerk            | Hash identifiers, email (in separate DB) | Authentication         | Performance of contract
  Microsoft Azure  | Encrypted data, hashes                   | Storage and processing | Performance of contract
  Google Analytics | Anonymous metrics                        | Web analytics          | Legitimate interest
  Hotjar           | Session recordings                       | UX research            | Consent
  Facebook Pixel   | Behavioral data                          | Advertising            | Consent
  Mailchimp        | Email and preferences                    | Email marketing        | Consent
  Google Ads       | Behavioral data                          | Advertising            | Consent

10. SPECIFICS OF PROCESSING MINORS' DATA

10.1 AGE RESTRICTIONS

Minimum age: 18 years

Age verification: During registration through Clerk form

Exceptions: None even with parental consent

10.2 DETECTION AND DELETION PROCEDURES

Upon detection of minors' data:

  1. Immediate cessation of data processing
  2. Account deletion from Clerk within 24 hours
  3. Irreversible erasure of all related data from Azure
  4. Notification to relevant supervisory authorities (if necessary)

10.3 REGISTRATION PREVENTION

  • Age filters in Clerk registration forms
  • Document verification in suspicious cases
  • Pattern monitoring of behavior to detect minors

11. SECURITY BREACH NOTIFICATIONS

11.1 INCIDENT RESPONSE PROCEDURES

Time frames:

Detection: 24/7 monitoring systems (Azure Security Center, Azure Sentinel)

Risk assessment: Within 6 hours

Authority notification: Within 72 hours (if high risk)

User notification: Without undue delay

Specifics of pseudonymized data:

Risk assessment considers that:

  • Breach of only hash identifiers without Clerk access does not allow user identification
  • Breach of therapeutic data by hashes has reduced risk due to pseudonymization
  • Critical is compromise of Clerk system or Azure Key Vault with encryption keys

11.2 USER NOTIFICATION CRITERIA

High risk to rights and freedoms:

  • Compromise of health data with possibility of re-identification
  • Financial data breach
  • Simultaneous breach from Clerk and ELLI allowing hash-to-person linkage
  • Compromise of encryption keys from Azure Key Vault
  • Risk of discrimination or fraud
  • Significant economic or social consequences

Medium and low risk (notification not mandatory):

  • Breach of only hash identifiers without therapeutic data
  • Breach of aggregated anonymous data
  • Temporary system failures without data compromise

11.3 NOTIFICATION CONTENT

  • Nature of security breach
  • Categories and number of affected data
  • Risk assessment: considering pseudonymization and encryption
  • Likely consequences for users
  • Measures taken to remedy the breach
  • Recommendations for users (e.g., password change)
  • Contact information for additional information

Coordination with partners:

In case of an incident, the following are immediately informed:

  • Clerk (if authentication system affected)
  • Microsoft Azure (if infrastructure affected)
  • Regulators (in accordance with GDPR Article 33)

12. CHANGES TO PRIVACY POLICY

12.2 NOTIFICATION OF CHANGES

Substantial changes:

  • Email notification 14 days before entry into force
  • In-app notifications for active users
  • Website banner about upcoming changes
  • Push notifications in mobile application

Minor changes:

  • Publication of updated version on website
  • Indication of last update date

12.3 CONSENT TO CHANGES

  • Continued use = consent to new terms
  • Possibility of refusal before changes take effect
  • Adaptation period of 14 days for users
  • Data export: possibility to request data before changes take effect

13. CROSS-BORDER DATA TRANSFERS

13.1 COUNTRIES AND TERRITORIES OF PROCESSING

Main locations:

  • Ukraine: Main servers and personnel
  • European Union: Azure backup systems (Germany, Netherlands, Ireland)
  • USA:
    • Clerk, Inc. (San Francisco, CA) — authentication system
    • Microsoft Azure (when using American data centers for non-EU users)

Data storage priority:

  • For EU/EEA users: Data stored exclusively in European Azure data centers (EU Data Boundary)
  • For Ukrainian users: Priority storage in EU with backup
  • For other regions: Nearest geographic Azure data center

13.2 PROTECTION MECHANISMS

  • EU adequacy decisions for countries with adequate protection
  • Standard Contractual Clauses (SCC 2021) for data transfer to USA (Clerk) and other countries without adequacy decision
  • Microsoft EU Data Boundary: Guarantee of storing European user data in EU
  • Clerk Data Processing Addendum (DPA): Agreement with standard contractual clauses
  • Binding Corporate Rules (BCR) of Microsoft for intra-group transfers

13.3 ADDITIONAL GUARANTEES

  • Data encryption at all stages of transfer (TLS 1.3)
  • Pseudonymization before transfer: Only hash identifiers transmitted between Clerk and ELLI
  • Limited access only by authorized personnel
  • Regular audits of compliance with protection standards
  • Contractual guarantees from all data processors

Special measures for cross-border transfers of health data:

  1. Double encryption before any cross-border transfer
  2. Key storage in EU: Encryption keys of European users stored exclusively in Azure Key Vault EU
  3. Transfer minimization: Data processing occurs as close to user as possible
  4. Logging of all cross-border operations for audit

13.4 RIGHTS IN CROSS-BORDER TRANSFERS

You have the right to:

  • Receive information about which countries your data is transferred to
  • Request copies of protection mechanisms (SCC, DPA)
  • Object to transfer to certain jurisdictions
  • Demand data localization (if technically possible)

14. SUPERVISORY AUTHORITIES AND COMPLAINTS

14.1 UKRAINIAN SUPERVISORY AUTHORITIES

Commissioner of the Verkhovna Rada for Human Rights

Address: 21/8 Institutska Street, Kyiv, 01008

Phone: +380 44 253-93-48

Website: ombudsman.gov.ua

Email: hotline@ombudsman.gov.ua

14.2 EUROPEAN SUPERVISORY AUTHORITIES

When processing data of EU subjects:

Lead supervisory authority: Determined by main place of business

Local supervisory authorities: By location of data subject

Examples of EU supervisory authorities:

  • CNIL (France)
  • ICO (United Kingdom)
  • BfDI (Germany)
  • Autoriteit Persoonsgegevens (Netherlands)

14.3 COMPLAINT PROCEDURES

Internal procedures (recommended first):

  1. Contact by email: https://e-lli.com/contact
  2. Detailed description of problem
  3. Review period: up to 30 days
  4. Written response with review results

Contact with supervisory authorities:

  • Possible in parallel with internal review
  • Does not require prior contact with us
  • Reviewed free of charge

Coordination with partners for complaints:

For complaints concerning authentication system or infrastructure:

  • Clerk and Microsoft Azure will be notified
  • Provision of joint explanations and documentation
  • Coordination of measures to resolve issues

15. TECHNICAL AND LEGAL SUPPORT

15.1 CONTACT INFORMATION

For general privacy questions:

Online form: https://e-lli.com/contact

Response time: Up to 48 hours on business days

For technical security questions:

Email: https://e-lli.com/contact

Emergency cases: Response within 12 hours

PGP key: Available for encrypted correspondence

For legal questions:

Email: https://e-lli.com/contact

Questions about Clerk and authentication:

ELLI technical support: https://e-lli.com/contact

Directly to Clerk: support@clerk.com (for critical incidents)

Questions about Azure infrastructure:

Through ELLI support service: https://e-lli.com/contact

15.2 LANGUAGE SUPPORT

Consultations available in the following languages:

  • Ukrainian language;
  • Russian language;
  • English language.

16. APPLICABLE LAW AND JURISDICTION

16.1 HIERARCHY OF APPLICABLE NORMS

  1. GDPR — for data subjects from EU/EEA
  2. Ukrainian legislation — for Ukrainian residents
  3. HIPAA — for health data of American citizens
  4. Local legislation — for users from other countries

Application to partners:

  • Clerk is obliged to comply with GDPR, CCPA and other applicable laws
  • Microsoft Azure complies with GDPR, HIPAA, ISO 27001 and regional requirements

16.2 DISPUTE RESOLUTION

Priority procedure:

  1. Voluntary settlement through negotiations
  2. Mediation through independent mediators
  3. Arbitration according to LCIA rules
  4. Court proceedings in courts of Ukraine

Applicable law:

  • Substantive law of Ukraine
  • Procedural norms of dispute resolution jurisdiction
  • International treaties and conventions (when applicable)

16.3 SPECIFICS FOR INTERNATIONAL USERS

For EU users:

  • Possibility to contact local supervisory authorities
  • Application of "one-stop-shop" principle in cross-border processing
  • Right to choose jurisdiction for court disputes

For US users:

  • Additional guarantees in accordance with HIPAA
  • Possibility of arbitration according to AAA Rules
  • Application of US federal legislation when necessary

17. SPECIAL PROVISIONS FOR HEALTH DATA

17.1 CLASSIFICATION OF HEALTH DATA

In accordance with GDPR (Article 9) and HIPAA, mental health data is classified as a special category of data requiring enhanced protection:

  • Psychological assessments and diagnoses
  • Information about emotional state
  • Content of therapeutic sessions
  • Results of psychometric tests
  • Information about medications taken

17.2 ADDITIONAL PROTECTION MEASURES

Technical measures:

  • Double encryption for health data (client AES-256 + server TDE)
  • Separate storage of encryption keys in Azure Key Vault
  • Pseudonymization through hash identifiers: Therapeutic data linked only to hashes
  • Processing prohibition without explicit consent
  • Detailed logging of all operations in Azure Monitor

Organizational measures:

  • Limited circle of employees with access (fewer than 5 people)
  • Special staff training on medical confidentiality and ethics
  • Compliance with ethical principles of medical practice
  • Regular compliance audits of HIPAA and medical standards

Advantages of pseudonymization for health data:

Separation between Clerk (personal data) and ELLI (therapeutic data linked by hash) provides an additional level of protection:

  • Compromise of one system does not reveal full picture
  • ELLI employees cannot identify users by therapeutic records
  • Risk reduction when transferring data to researchers (only anonymized data transferred)

17.3 RIGHTS TO HEALTH DATA

Additional user rights:

  • Right to obtain medical copy in compatible format (FHIR, PDF)
  • Right to appoint representative for medical data (through Clerk)
  • Right to restrict disclosure of certain data categories
  • Right to accounting of disclosures of information to third parties (HIPAA Accounting of Disclosures)

Special procedures for health data:

  • Enhanced identity verification for access requests
  • Mandatory encryption when transmitting data copies
  • Additional confirmation when deleting health data

18. AUTOMATED DECISION-MAKING AND PROFILING

18.1 USE OF AI FOR DECISION-MAKING

The ELLI platform uses artificial intelligence for:

  • Personalization of recommendations based on your answers
  • Progress analysis of therapeutic sessions
  • Pattern identification in emotional state
  • Detection of crisis situations requiring intervention

AI works with pseudonymized data:

  • Algorithms process data linked to hash identifiers
  • AI has no access to your personal data from Clerk
  • Recommendations generated based on patterns, not personal information

18.2 LIMITATIONS OF AUTOMATIC DECISIONS

AI DOES NOT make automatic decisions regarding:

  • Medical diagnoses or treatment
  • Prescription of medications
  • Forced intervention without consent
  • Legally significant consequences for the user
  • Disclosure of your identity to third parties

18.3 RIGHTS IN AUTOMATED PROCESSING

  • Right to human intervention in decision-making process
  • Right to explanation of automated processing logic
  • Right not to be subject to solely automated decision-making
  • Right to contest results of automatic processing

Technical implementation:

You can request through https://e-lli.com/contact:

  • Explanation of specific AI recommendation
  • Review of decision by human specialist
  • Disabling certain AI analysis functions

19. DATA PROCESSING IN EMERGENCY SITUATIONS

19.1 DEFINITION OF EMERGENCY SITUATIONS

Situations requiring immediate response:

  • Suicidal thoughts or intentions
  • Threat of harm to self or others
  • Signs of severe mental disorder
  • Suspicion of criminal activity (e.g., violence, human trafficking)

19.2 EMERGENCY RESPONSE PROCEDURES

Automatic systems:

  • AI detection of critical phrases and states (works at hash identifier level)
  • Immediate warnings to user with help contacts
  • Escalation to a human specialist within 15 minutes

19.3 LEGAL BASES FOR EMERGENCY PROCESSING

  • Vital interests of data subject (Article 6(1)(d) GDPR)
  • Medical purposes in emergency situations (Article 9(2)(c) GDPR)
  • Protection of other persons from serious harm
  • Compliance with legal obligation to report threats (according to Ukrainian legislation)

20. RESEARCH AND DEVELOPMENT

20.1 USE OF DATA FOR R&D

Scientific research purposes:

  • Development of digital therapy methods
  • Improvement of AI psychology algorithms
  • Publication of scientific works in peer-reviewed journals
  • Collaboration with universities and research centers

Use of pseudonymized data:

  • Researchers receive access only to data linked to hash identifiers
  • Complete absence of personal data in research datasets
  • Additional aggregation and generalization of data before transfer

20.2 PRINCIPLES OF ETHICAL RESEARCH

Compliance with ethical standards:

  • Approval by ethics committees before starting research
  • Anonymization of all data before use in research (removal even of hash identifiers, replacement with research codes)
  • Separate consent for research participation
  • Right to refuse participation without consequences for core services

20.3 PUBLICATION OF RESULTS

Open science principles:

  • Open access publication when possible
  • Transparency of methodology and data used
  • Impossibility of re-identification of research participants (even through hash identifiers)
  • Provision of aggregated data for result verification

Publication examples:

  • "Effectiveness of AI therapy for anxiety disorders" (data from 5000+ anonymous users)
  • "Patterns of emotional states in digital therapy" (aggregated statistics)

21. PARTNERSHIPS AND INTEGRATIONS

21.1 TYPES OF PARTNERSHIPS

Technology partners:

Clerk, Inc. — Authentication and identity management system

  • Role: Personal data processor
  • Location: USA (San Francisco, CA)
  • Compliance: GDPR, SOC 2 Type II, CCPA

Microsoft Corporation (Azure) — Cloud infrastructure

  • Role: Sub-processor for storage and processing
  • Location: EU (Netherlands, Ireland, Germany) for European users
  • Compliance: GDPR, ISO 27001, ISO 27018, HIPAA, SOC 1/2/3

Google LLC (Analytics) — Web analytics

  • Role: Analytics data processor
  • Data: Anonymized metrics

Hotjar Ltd. — UX research

  • Role: Behavioral data processor
  • Data: Session recordings (only with consent)

Payment systems:

  • Stripe, PayPal, MonoBank — Transaction processing
  • Data: Minimal payment data

Medical and scientific partners:

  • Universities for joint research (transfer of fully anonymized data)
  • Professional psychologists for consultations (without access to personal data)
  • Research institutes in mental health field

21.2 DATA PROCESSING AGREEMENTS (DPA)

With each partner the following are concluded:

  • Data processing agreements in accordance with GDPR Article 28
  • Technical and organizational measures for data protection
  • Detailed description of processing purposes and methods
  • Obligations to comply with applicable legislation
  • Restrictions on sub-processing (partners obliged to notify us of new sub-processors)

Key DPA provisions with Clerk:

  • Clerk acts exclusively as data processor
  • Processes data only according to our instructions
  • Does not use data for own purposes
  • Commits to delete or return data upon termination of cooperation
  • Provides full transparency of its sub-processors

Key DPA provisions with Microsoft Azure:

  • Compliance with EU Data Boundary for European users
  • Encryption of all data at-rest and in-transit
  • Commitment not to disclose data to government authorities without notification (except legally mandatory cases)
  • Regular security audits

21.3 CONTROL OVER PARTNERS

Regular checks include:

  • Compliance audits with data protection standards (annually)
  • Monitoring of compliance with DPA terms
  • Security incident reports (within 24 hours)
  • Agreement updates when circumstances change
  • Certificate verification (SOC 2, ISO 27001) of partners

22. NOTIFICATIONS AND COMMUNICATIONS

22.1 COMMUNICATION CHANNELS

Official channels for important notifications:

  • Email notifications to registered address (through Clerk)
  • Notifications in personal account on platform
  • Public announcements on official website

22.2 TYPES OF NOTIFICATIONS

By criticality:

Critical (immediate):

  • Data security breaches
  • Changes in authentication system (Clerk)
  • Changes in health data processing terms
  • Service termination

Important (up to 7 days):

  • Substantial changes in Policy
  • New partnerships affecting data processing
  • Changes in user rights
  • Infrastructure migration (e.g., Azure data center change)

Informational (up to 30 days):

  • New platform features
  • Technical updates
  • Marketing communications (with consent)

22.3 NOTIFICATION SETTINGS

Users can configure:

  • Frequency of email notifications (except critical)
  • Communication language (Ukrainian, Russian, English)
  • Preferred channel (email, push, SMS)

Important: Critical security notifications are always sent regardless of settings.

23. FINAL PROVISIONS

23.1 COMPLETENESS AND RELEVANCE OF POLICY

This Privacy Policy represents a complete and exhaustive description of personal data processing practices by the ELLI platform. All previous versions of policies and agreements become invalid from the effective date of this document.

23.2 PRIORITY OF DOCUMENTS

In case of contradictions between documents:

  1. Privacy Policy (this document)
  2. User Agreement
  3. DPA with partners (Clerk, Microsoft Azure)
  4. Disclaimer
  5. Additional agreements and terms

23.3 INVALIDITY OF INDIVIDUAL PROVISIONS

If any provision of this Policy is deemed invalid or unenforceable by a competent court or regulatory authority, this does not affect the validity of remaining provisions.

23.4 TRANSLATIONS AND LANGUAGE VERSIONS

  • Ukrainian version is primary for interpretation
  • Russian version has equal legal force
  • English version is intended for international users

Note: in case of contradictions, the Ukrainian version takes priority.

23.5 TECHNICAL GLOSSARY

For better understanding of technical aspects:

Hash identifier (Hash ID) — Unique cryptographic string (e.g., user_2nX8Kq9P3mN7vLbR4tY6wZ1s) that cannot be reversed to recover the original data. Used to link records without storing personal information.

Clerk — Professional authentication management platform that processes your personal data (email, name) separately from ELLI therapeutic data.

Pseudonymization — Data protection method where personal data is processed in such a way that it can no longer be attributed to a specific person without additional information, which is stored separately.

Azure — Microsoft cloud platform used for secure storage of encrypted data.

JWT token — Temporary encrypted access token that confirms your identity without transmitting your password.

TLS 1.3 — Modern encryption protocol for protecting data during internet transmission.

AES-256 — Military-grade encryption standard for protecting data in storage.

24. ENTRY INTO FORCE AND TRANSITIONAL PROVISIONS

24.1 EFFECTIVE DATE

This Privacy Policy enters into force on August 8, 2025 and applies to all personal data processing operations from the specified date.

24.2 TRANSITIONAL PROVISIONS

For existing users:

  • Adaptation period: 30 days from effective date
  • Automatic application of new terms upon continued use
  • Right to refuse with account deletion during transition period (without penalties)
  • Individual notifications about key changes (especially about Clerk system implementation)

For new users:

  • Immediate application of all provisions of this Policy
  • Mandatory consent upon registration through Clerk
  • Complete familiarization before starting use

24.3 ARCHIVING OF PREVIOUS VERSIONS

All previous versions of the Privacy Policy are archived and remain available for review on the website for 5 years from the date of their replacement.

Archive access: https://e-lli.com/contact

CONTACT INFORMATION

For general privacy questions, data security questions, technical support and other matters:

Contact form: https://e-lli.com/contact

Document prepared in compliance with requirements of:

  • EU General Data Protection Regulation (GDPR)
  • Law of Ukraine "On Protection of Personal Data"
  • US Health Insurance Portability and Accountability Act (HIPAA)
  • Privacy by Design and by Default principles
  • International standards ISO 27001, ISO 27018

ATTENTION: This Privacy Policy is a legally binding document. Carefully review all provisions before using the Platform.

Thanks to the use of pseudonymization through hash identifiers and data separation, we ensure maximum protection of your privacy in accordance with Privacy by Design principles.

© 2025 ELLI. All rights reserved.

Last updated: August 8, 2025

Document version: 1.0