Privacy Policy

Effective date: May 1, 2026

This Privacy Policy is issued by Neyda Technologies INC. (“we,” “our,” or “us”), the company that operates Jenora. It explains what personal data we collect when you use the Jenora mobile application, web application, and related services (the “Services”), how we process and protect that data, and your rights as a data subject.

Jenora is designed for personal growth, mental health support, and recovery. We understand that the information you share with us is highly sensitive. We treat it with the highest standard of care and process it only for the purposes described in this policy.

1. Data Controller

The Data Controller responsible for your personal data is:

Neyda Technologies INC.
Operating as: Jenora
Email: privacy@jenora.com

As Data Controller, we determine the purposes and means of processing your personal data. If you have any questions about how we handle your data, you may contact us at the email address above.

2. Information We Collect

Information you provide directly

  • Account information: Email address, display name, and password when you create an account.
  • Onboarding responses: Your focus area (recovery, mental health, personal growth), self-reported patterns, values, and goals — used to personalize your roadmap.
  • Reflections and journal entries: Check-ins, mood logs, guided reflections, and journal entries you create within the app.
  • Worksheet responses: Responses to structured exercises, CBT tools, and psychoeducation activities.
  • Zone planning data: Green, yellow, and red zone plans and entries you create.
  • Progress data: Roadmap progress, learning history, and activity records.

Information collected automatically

  • Usage data: Features used, pages visited, and general interaction patterns — used to improve the app experience.
  • Device information: Device type, operating system, and app version for debugging and compatibility purposes.
  • Authentication tokens: Secure session tokens used to keep you signed in safely.

Sensitive personal data

Mental health information, recovery status, mood data, and other health-related content you share in Jenora are classified as sensitive personal data under the Thailand Personal Data Protection Act B.E. 2562 (PDPA) Section 26. We collect and process this category of data only with your explicit, informed consent, which you provide during onboarding. You may withdraw this consent at any time (see Section 9).

Information from therapist connections

If you choose to connect your account to a therapist or clinician using the Jenora Therapist Portal, you control exactly which categories of data (check-ins, mood logs, zone scores, roadmap progress) are visible to them. No data is shared with a connected therapist by default. See Section 6 for details.

3. Legal Basis for Processing

We process your personal data on the following legal bases under the PDPA:

  • Explicit consent (PDPA Section 19 & 26): For sensitive personal data including mental health information, mood data, and recovery-related content. You provide this consent during onboarding and may withdraw it at any time.
  • Performance of a contract (PDPA Section 24(3)): For account information and core service delivery — processing necessary to provide the Services you have agreed to use.
  • Legitimate interest (PDPA Section 24(5)): For usage analytics and app improvement, where our interest in improving the product does not override your rights and freedoms.
  • Legal obligation (PDPA Section 24(6)): Where processing is necessary to comply with applicable law.

4. How We Use Your Information

We use the information we collect to:

  • Provide, personalize, and improve the Jenora Services
  • Build and maintain your personalized roadmap and progress history
  • Generate AI-assisted insights and recommendations within the app
  • Display your data to connected therapists, only with your explicit consent
  • Send you in-app notifications and service-related communications
  • Diagnose technical issues and improve app reliability
  • Comply with legal obligations

We do not use your mental health data for advertising, marketing profiling, or any purpose unrelated to delivering the Services to you. We do not sell or rent your personal data to third parties.

5. How We Protect Your Information

  • Encryption in transit: All data transmitted between your device and our servers uses TLS (Transport Layer Security).
  • Encryption at rest: Data stored in our database is encrypted at rest using industry-standard methods.
  • Access controls: Role-based access controls limit both system components and authorised personnel to the data needed for their specific function or task.
  • Limited staff access: A limited number of authorised Neyda Technologies personnel may access stored account and app data when necessary for customer support, technical troubleshooting, security incident response, fraud prevention, or legal compliance. Such access is logged, reviewed, and subject to confidentiality obligations.
  • Session security: Sessions are managed using secure, httpOnly cookies with role-differentiated expiration — 8 hours for clinician accounts and 14 days for personal accounts.
  • Infrastructure: Jenora is built on Google Firebase, a SOC 2 Type II and ISO 27001 certified platform.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we take reasonable and industry-standard measures to protect your data.

6. Therapist Access and Consent

The Jenora Therapist Portal allows licensed clinicians to view a structured summary of a client’s engagement and progress — only when the client has explicitly consented.

  • Consent is required before any data is shared. A therapist cannot view any client data until the client links their account and selects what to share.
  • You control the scope. You choose which categories of data are visible. You can change or revoke this at any time from within the app.
  • Revocation is immediate. When you revoke a therapist’s access, they lose visibility immediately.
  • Therapist access is logged. Access events to your data via the portal are logged for auditability.

7. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following limited circumstances:

  • Authorised internal personnel: Limited Neyda Technologies personnel may access data only for the operational purposes described in this policy and only under role-based access controls, logging, and confidentiality obligations.
  • Service providers: We use third-party services — including Google Firebase (authentication, database, and hosting) and OpenAI (AI features, when consented) — that process data on our behalf under strict data processing agreements.
  • Connected therapists: Only data you explicitly consent to share, as described in Section 6.
  • Legal requirements: If required by law, court order, or governmental authority, we may disclose information as necessary.
  • Safety: If we believe disclosure is necessary to prevent imminent harm to you or others, we may share information with appropriate parties.
  • Business transfer: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

8. Cross-Border Data Transfers

Neyda Technologies INC. uses Google Firebase (United States) for data storage and processing, and OpenAI (United States) to power AI features when you have consented to AI Processing. Neither the United States nor any other country to which your data may be transferred has received an adequacy decision under the PDPA.

We rely on the following safeguards for cross-border transfers, as permitted under PDPA Sections 28–29:

  • Explicit consent: By accepting this Privacy Policy and the Data Consent during onboarding, you explicitly consent to the transfer of your personal data to the United States for the purposes described in this policy.
  • Contractual safeguards: We maintain Data Processing Agreements with Google (Firebase) and OpenAI that impose data protection obligations consistent with the PDPA, including restrictions on onward transfer, data security requirements, and obligations to assist with data subject rights.

Google Firebase maintains SOC 2 Type II and ISO 27001 certifications. OpenAI does not use API-submitted data for model training under our agreement. These certifications do not substitute for the contractual safeguards above but reflect the security standards of the platforms we use.

9. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Services. We do not retain personal data longer than necessary for the purposes for which it was collected.

If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or compliance purposes. Sensitive personal data is deleted promptly upon account deletion unless legally required to be retained.

You can request deletion of your account and associated data at any time by contacting us at privacy@jenora.com.

10. Data Breach Notification

In the event of a personal data breach, we will act in accordance with PDPA Section 37:

  • PDPC notification: If the breach is likely to result in risk to the rights and freedoms of data subjects, we will notify the Personal Data Protection Committee (PDPC) within 72 hours of becoming aware of the breach, where feasible.
  • Individual notification: If the breach is likely to result in high risk to your rights and freedoms, we will notify you without undue delay, describing the nature of the breach, the likely consequences, and the measures we are taking to address it.

To report a suspected security issue, contact privacy@jenora.com.

11. Your Rights

Under the Thailand Personal Data Protection Act (PDPA) and applicable law, you have the following rights regarding your personal data:

  • Right to be informed: To know what personal data we collect and how we use it (this policy fulfills this right).
  • Right of access: To request a copy of the personal data we hold about you.
  • Right to rectification: To correct inaccurate or incomplete personal data.
  • Right to erasure: To request deletion of your personal data, subject to legal retention requirements.
  • Right to restriction: To request that we restrict the processing of your data in certain circumstances.
  • Right to data portability: To receive your data in a structured, commonly used format.
  • Right to object: To object to processing based on legitimate interest.
  • Right to withdraw consent: Where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: To lodge a complaint with the Personal Data Protection Committee (PDPC) if you believe we have processed your personal data unlawfully or in violation of the PDPA. The PDPC can be reached at pdpc.or.th.

To exercise any of these rights, contact us at privacy@jenora.com. We will respond within 30 days of receiving your request. In some cases, we may need to verify your identity before fulfilling a request.

12. HIPAA Notice

Jenora is not currently operating as a HIPAA-covered entity or Business Associate under the U.S. Health Insurance Portability and Accountability Act (HIPAA). We are working toward formal HIPAA alignment as we expand our services to users in the United States and will update this policy when that milestone is reached.

Regardless of HIPAA certification status, we apply equivalent data handling standards to all mental health data: explicit consent before collection, encryption in transit and at rest, strict access controls, and comprehensive audit logging. Therapists using the Jenora Therapist Portal should evaluate their own HIPAA obligations before using the portal for clients subject to HIPAA protections.

13. Children’s Privacy

Jenora is not directed to individuals under the age of 20 (or under the age of 18 in jurisdictions where that is the applicable age of majority). We do not knowingly collect personal information from minors without verifiable parental or guardian consent. If you believe we have inadvertently collected information from a minor, please contact us at privacy@jenora.com and we will delete it promptly.

14. Third-Party Services

Jenora uses the following third-party infrastructure:

  • Google Firebase — Authentication, database (Firestore), and cloud hosting. Subject to Google’s privacy and security standards and our Data Processing Agreement with Google.
  • OpenAI — AI processing for consented AI features. Receives limited prompt context through Jenora’s secure backend only. Does not use API-submitted data for model training under our agreement.

We do not integrate advertising networks, social media trackers, or analytics platforms that profile you across the web.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page and, for material changes, notify you via in-app notice or email at least 30 days before the changes take effect. Your continued use of the Services after any change constitutes your acceptance of the updated policy. If a material change affects how we process sensitive personal data, we will request fresh consent where required by law.

16. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us:

Neyda Technologies INC.
Operating as Jenora
Email: privacy@jenora.com

We take all privacy inquiries seriously and aim to respond within 30 days.
