Your Privacy Matters
At Gulaf, we are committed to protecting your privacy and ensuring the security of your personal and health information. This policy explains how we collect, use, and safeguard your data.
Last Updated: July 30, 2025
HIPAA Compliant: We follow strict healthcare privacy standards
End-to-End Encryption: All sessions and communications are encrypted
Limited Sharing: Your data is only shared with your assigned doctors
Your Control: Access, modify, or delete your data anytime
Transparent: Clear information about data collection and use
Secure Storage: Data stored in encrypted, secure facilities
Personal Information
Name, email address, phone number, and date of birth
Profile photos and emergency contact information
Authentication data through NextAuth (Google OAuth, email/password)
Payment information processed securely through Razorpay
Health Information
Mental health concerns, symptoms, and treatment goals
Medical history relevant to your mental health care
Current medications and previous therapy experience
Session notes, treatment plans, and progress records
Technical Information
IP address, browser type, and device information
Session recordings and communications during therapy sessions
Usage patterns, preferences, and platform interactions
Location data (with your explicit consent only)
Primary Healthcare Purposes
Connecting you with qualified mental health doctors
AI-powered doctor matching based on your needs and preferences
Facilitating secure video calls, voice calls, and chat sessions
Maintaining comprehensive treatment records and session history
Platform Operations
Processing payments and managing billing information
Sending appointment reminders and important notifications
Improving our AI matching algorithms and platform features
Providing customer support and technical assistance
Legal and Safety
Complying with healthcare regulations and legal requirements
Ensuring platform security and preventing fraud
Responding to emergencies or safety concerns
Maintaining audit trails for regulatory compliance
With Your Doctors
Only doctors assigned to your sessions can access your information
Doctors see relevant treatment history and session notes
Emergency contact information is shared only when necessary
All doctors are bound by professional confidentiality agreements
Limited Third-Party Sharing
Payment processors (Razorpay) for secure transaction processing
Email service providers (Resend) for appointment confirmations
Cloud storage providers (with encryption) for data backup
Analytics services (anonymized data only) for platform improvement
Legal Requirements
When required by law or court order
To prevent imminent harm to yourself or others
In case of suspected child abuse or neglect
For regulatory compliance and audit purposes
Technical Safeguards
End-to-end encryption for all communications and sessions
Secure HTTPS connections for all platform interactions
Regular security audits and penetration testing
Multi-factor authentication for doctor accounts
Access Controls
Role-based access control limiting data access to authorized personnel
Regular access reviews and permission audits
Secure authentication systems with session management
Automatic logout after periods of inactivity
Data Protection
Regular automated backups with encryption
Secure data centers with physical access controls
Employee training on data protection and privacy
Incident response procedures for any security breaches
Access and Control
Request access to all personal information we hold about you
Correct or update your personal information at any time
Download your data in a portable format
Delete your account and associated data (with some limitations)
Communication Preferences
Opt out of marketing communications while keeping essential notifications
Choose your preferred communication methods (email, SMS, push notifications)
Control session reminder frequency and timing
Manage sharing preferences with your doctors
Data Portability
Export your session history and treatment records
Transfer your data to another healthcare provider
Obtain copies of your communications and notes
Request data in common formats (PDF, CSV, JSON)
Active Account Data
Personal profile information: Retained while your account is active
Session records: Kept for 7 years as required by healthcare regulations
Payment records: Retained for 7 years for tax and audit purposes
Communication logs: Kept for 3 years for quality assurance
Account Deletion
Upon account deletion, personal identifiers are removed immediately
Session records are anonymized but retained for regulatory compliance
Payment history is anonymized and kept for legal requirements
Some data may be retained longer if required by law
Essential Cookies
Authentication cookies to maintain your login session
Security cookies to prevent fraud and unauthorized access
Functionality cookies to remember your preferences
These cookies are necessary for the platform to function properly
Analytics & Performance
Anonymous usage analytics to improve platform performance
Session replay tools to identify and fix technical issues
Performance monitoring to ensure optimal service delivery
You can opt out of these through your account settings
Age Requirements
Users must be 18 years or older to create an account independently
Users between 13 and 17 require guardian consent and involvement
Special protections apply to information from users under 18
Guardians have access rights to their minor's information
Guardian Responsibilities
Guardians must provide consent for their minor's account creation
Guardians can access and manage their minor's privacy settings
Regular consent renewal may be required for ongoing treatment
Emergency contacts must include guardian information for minors
This privacy policy may be updated periodically. We will notify you of any significant changes through email or platform notifications.
For the most current version, please check this page regularly.