Back to HomeDigi Therapy

    Privacy Policy

    Last Updated: February 9, 2026 · Effective Date: February 9, 2026

    1. Introduction

    Digi Therapy Private Limited. ("Digi Therapy," "we," "us," or "our") operates the website located at digitherapy.com.npand related applications (collectively, the "Platform"). This Privacy Policy describes how we collect, use, disclose, retain, and safeguard your personal information when you access or use our Platform, and the choices you have with respect to your information.

    By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.

    This Privacy Policy is incorporated into and forms part of our Terms & Conditions. Capitalized terms used but not defined herein shall have the meanings ascribed to them in the Terms & Conditions.

    2. Information We Collect

    2.1 Information You Provide Directly

    When you create an account, book a session, fill out questionnaires, or otherwise interact with our Platform, you may provide us with the following categories of personal information:

    • Account & Identity Information: Full name, email address, phone number, user role (client, corporate client, therapist), and profile photograph.
    • Authentication Credentials: Password (hashed and salted; we never store plaintext passwords), OAuth tokens when you sign in via third-party providers (Google, GitHub, Facebook, LinkedIn).
    • Onboarding & Questionnaire Responses: Service type preferences (individual, couples, family, corporate), therapy goals, therapy experience level, online therapy comfort level, session type preferences, language preferences, scheduling preferences, gender preference for therapist selection, and any free-text responses you provide.
    • Clinical Intake & Screening Data: Intake summaries, consent acknowledgements, questionnaire responses (PHQ-9, GAD-7), and risk screening answers submitted through our clinical flows. These are stored securely and are only viewable after authentication.
    • Appointment & Session Data: Scheduled appointment date and time, session duration, session type (video), session notes, video room identifiers, and session status.
    • Payment Information: Payment amount, currency (NPR / USD), payment status, transaction identifiers, payment tokens, and related metadata processed through our third-party payment processor Khalti. We do not directly collect or store full credit card numbers, bank account numbers, or other sensitive financial instrument details.
    • Corporate / EAP Data: Company name, company code, EAP eligibility status, maximum sessions per employee, coverage percentage, and validity periods.
    • Communications: Any messages, feedback, support requests, or other communications you send to us.

    2.2 Information Collected Automatically

    When you use our Platform, we automatically collect certain technical and usage information through cookies, log files, and similar technologies:

    • Device & Browser Information: Browser type and version, operating system platform, screen resolution, colour depth, viewport dimensions, device category (mobile, tablet, desktop), and preferred language/locale.
    • Browser Fingerprint: We use FingerprintJS (open-source edition) to generate a stable, pseudonymous visitor identifier for the purpose of cross-session continuity and fraud prevention. This identifier does not, by itself, reveal your identity.
    • Usage & Analytics Data: Pages visited, features used, questionnaire funnel progress (steps viewed, steps completed, skips), A/B testing variant assignments, timestamps, click patterns, and referral sources. This data is collected solely to improve platform usability and personalise your experience.
    • Network & Security Data: IP address, user agent string, referrer URL, access timestamps, and request method — collected for audit logging, security monitoring, and fraud prevention.
    • Timezone & Locale:Your IANA timezone identifier (e.g., "Asia/Kathmandu") and browser locale — used for matching you with available therapists and displaying dates correctly.

    2.3 Information from Third Parties

    When you sign in using a third-party OAuth provider (Google, GitHub, Facebook, or LinkedIn), we receive your name, email address, profile photograph, and email verification status from that provider, subject to the permissions you grant during the OAuth flow. We do not receive or store your third-party account password.

    3. How We Use Your Information

    We use the information we collect for the following purposes, each of which constitutes a legitimate interest, contractual necessity, or is based upon your explicit consent:

    • Service Delivery: To create and manage your account, facilitate appointment bookings, process payments, enable video therapy sessions via Zoom Video SDK, and provide therapist matching recommendations.
    • Personalisation: To personalise your experience by tailoring therapist recommendations, session type suggestions, and content based on your questionnaire responses, preferences, and usage patterns.
    • Platform Improvement: To analyse usage patterns, conduct A/B testing, monitor funnel completion rates, and improve the overall user experience, functionality, and performance of the Platform.
    • Security & Fraud Prevention: To detect and prevent fraudulent activity, unauthorised access, and other malicious behaviour through audit logging, browser fingerprinting, and security monitoring.
    • Clinical Safety & Triage: To surface crisis guidance when risk screening indicates urgent needs and to prepare therapists with intake context after you sign in.
    • Communication: To send you appointment confirmations, reminders, service updates, security alerts, and respond to your enquiries and support requests.
    • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
    • Corporate / EAP Administration: To verify EAP eligibility, track session utilisation against corporate coverage, and administer corporate partnership programmes.

    4. Legal Bases for Processing

    We process your personal information under the following legal bases:

    • Contractual Necessity: Processing necessary for the performance of the contract between you and Digi Therapy (e.g., account creation, session booking, payment processing).
    • Legitimate Interest: Processing necessary for our legitimate interests, including platform security, fraud prevention, service improvement, and analytics, provided such interests are not overridden by your rights and freedoms.
    • Consent: Where you have given explicit consent, including for the use of non-essential cookies, browser fingerprinting, and certain marketing communications. You may withdraw consent at any time.
    • Legal Obligation: Processing necessary for compliance with a legal obligation to which we are subject.

    5. Cookies & Tracking Technologies

    We use cookies, local storage, session storage, and similar technologies to operate, secure, and improve our Platform. For full details, please refer to our Cookie Policy.

    In summary, we use the following categories of cookies:

    • Strictly Necessary Cookies: Authentication session tokens (Appwrite session cookie, NextAuth session token), CSRF protection tokens, and security-related cookies. These cannot be disabled.
    • Functional Cookies: Questionnaire progress storage (encrypted in localStorage), A/B testing variant assignment, onboarding entry context (sessionStorage), theme preferences, and timezone/locale settings.
    • Analytics Cookies: Questionnaire funnel tracking events and engagement metrics stored locally to understand how users interact with our Platform.

    You can manage your cookie preferences at any time through our cookie consent banner or your browser settings. Note that disabling strictly necessary cookies may impair the functionality of the Platform.

    6. Data Sharing & Disclosure

    We do not sell, rent, lease, or trade your personal information to any third party for their marketing purposes. Period.

    We may share limited information only in the following circumstances:

    • Service Providers & Processors:We engage trusted third-party service providers who process data on our behalf to deliver the Platform's core functionality. These include:
      • Appwrite — Backend-as-a-Service for user authentication, database storage, and file storage.
      • Khalti — Payment processing for session bookings (Khalti receives only the minimum payment data required to process transactions).
      • Zoom Video SDK— Video session infrastructure. Session participants' display names and meeting room identifiers are shared to facilitate the session.
      • OAuth Providers (Google, GitHub, Facebook, LinkedIn) — When you choose to sign in via social login, limited profile data is exchanged as part of the standard OAuth 2.0 / OpenID Connect flow.
      • Google Fonts— Font files are loaded from Google's servers; Google may receive your IP address and browser information as part of this request.
    • Therapist–Client Relationship: To facilitate your therapy sessions, your therapist will have access to your appointment details, session notes, session type, and any information you voluntarily share during sessions. Therapists are bound by professional confidentiality obligations.
    • Corporate / EAP Partners: If you are an EAP participant, your employer may receive aggregated, anonymised utilisation data. We will never share individual session content, diagnoses, or personally identifiable therapy information with your employer.
    • Legal Requirements: We may disclose your information if required to do so by law, regulation, governmental request, court order, subpoena, or other legal process, or if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent fraud or other illegal activity; (d) protect the personal safety of users or the public; or (e) protect against legal liability.
    • Business Transfers: In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via prominent notice on our Platform and/or email prior to your personal information becoming subject to a different privacy policy.

    7. Data Retention

    We retain your personal information only for as long as is reasonably necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements. Specific retention periods include:

    • Account Data: Retained for the duration of your account and for up to 30 days following account deletion to allow for account recovery.
    • Clinical Intake & Screening: Stored according to clinical and legal requirements. Anonymous intakes are held only long enough to support login linking and are removed if not associated with an account.
    • Appointment & Session Records: Retained for a minimum of 7 years from the date of the session to comply with healthcare record-keeping obligations and applicable regulations.
    • Payment Records: Retained for a minimum of 7 years to comply with tax, accounting, and financial regulatory requirements.
    • Audit & Security Logs: Retained for up to 24 months for security monitoring and fraud prevention purposes.
    • Browser Fingerprints & Analytics Data: Retained for up to 24 months, or until account deletion, whichever occurs first.
    • Questionnaire Data:Client-side questionnaire data stored in your browser's localStorage is encrypted and is automatically cleared upon registration or when you clear your browser data.

    Upon expiration of the applicable retention period, or upon your valid request, we will securely delete or anonymise your personal information, unless retention is required by applicable law.

    8. Data Security

    We implement and maintain reasonable and appropriate technical, administrative, and organisational security measures designed to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:

    • Encryption of data in transit using TLS/HTTPS (enforced via HSTS with preload in production).
    • Encryption of sensitive client-side data (e.g., questionnaire responses) at rest using AES-GCM via the Web Crypto API.
    • Secure authentication with hashed and salted passwords, PKCE OAuth flows, CSRF protection, and secure session cookie configuration (HttpOnly, Secure, SameSite=Strict).
    • Content Security Policy (CSP), HTTP security headers (X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy), and strict CORS configuration.
    • Comprehensive audit logging of security-relevant actions including user ID, action type, resource, IP address, and user agent.
    • Role-based access controls restricting data access to authorised personnel and users.
    • Regular security assessments, vulnerability scanning, and dependency auditing.

    However, no method of transmission over the Internet, no method of electronic storage, and no security system is impenetrable. While we strive to use commercially acceptable and industry-standard means to protect your personal information, we cannot guarantee its absolute security. We cannot ensure or warrant the security of any information you transmit to us, and you do so at your own risk. In the unlikely event of a data breach that affects your personal information, we will notify you and the relevant authorities in accordance with applicable data breach notification laws.

    You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. You agree to immediately notify us of any unauthorised use of your account or any other breach of security.

    9. Your Rights & Choices

    Depending on your location and applicable law, you may have the following rights with respect to your personal information:

    • Right of Access: You have the right to request a copy of the personal information we hold about you.
    • Right to Rectification: You have the right to request correction of inaccurate or incomplete personal information.
    • Right to Erasure ("Right to be Forgotten"): You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal retention requirements).
    • Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal information under certain circumstances.
    • Right to Data Portability: You have the right to receive your personal information in a structured, commonly used, machine-readable format and to transmit it to another controller.
    • Right to Object: You have the right to object to the processing of your personal information for direct marketing or based on legitimate interests.
    • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

    To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days of receipt, or such shorter period as may be required by applicable law. We may ask you to verify your identity before fulfilling your request.

    10. International Data Transfers

    Our Platform is primarily operated from Nepal. If you access the Platform from outside Nepal, please be aware that your information may be transferred to, stored, and processed in Nepal or in other jurisdictions where our service providers operate. These jurisdictions may have data protection laws that differ from those of your jurisdiction of residence.

    By using our Platform, you consent to the transfer of your information to Nepal and other jurisdictions as described in this Privacy Policy. Where required by applicable law, we will ensure that appropriate safeguards are in place to protect your personal information, including standard contractual clauses, data processing agreements, or other legally recognised transfer mechanisms.

    11. Children's Privacy

    Our Platform is not directed to, and we do not knowingly collect personal information from, individuals under the age of 16. If you are a parent or guardian and you become aware that your child has provided us with personal information without your consent, please contact us at [email protected]. If we become aware that we have collected personal information from a child under 16 without verification of parental consent, we will take steps to delete that information promptly.

    12. Third-Party Links & Services

    Our Platform may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party service before providing any personal information. We are not responsible for the content, privacy practices, or data security of third-party services.

    13. Health Information Disclaimer

    Our Platform facilitates the booking and delivery of therapy sessions. Information you share during therapy sessions with your therapist is governed by the therapist's professional obligations, applicable healthcare confidentiality regulations, and the therapist's own professional ethics and policies. While we implement technical measures to protect session data, the content of therapy sessions is treated with the highest level of confidentiality.

    We do not access, monitor, or review the substance of therapy sessions conducted through the Platform. Video sessions are facilitated through Zoom Video SDK, and we do not record, store, or have access to the content of those sessions unless otherwise disclosed.

    14. Limitation of Liability for Data Breaches

    While we employ commercially reasonable security measures to protect your personal information, you acknowledge and agree that: (a) the transmission of information via the Internet is not completely secure; (b) we cannot guarantee the security of your data transmitted to or through the Platform; (c) any transmission of personal data is at your own risk; and (d) we shall not be liable for any breach of security or any unauthorised access to or use of your personal information beyond what is covered by applicable mandatory data protection laws.

    To the maximum extent permitted by applicable law, Digi Therapy and its officers, directors, employees, agents, affiliates, and licensors shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, goodwill, or other intangible losses, resulting from any breach of data security, except where such liability arises from our wilful misconduct or gross negligence.

    15. Changes to This Privacy Policy

    We reserve the right to update or modify this Privacy Policy at any time, at our sole discretion, to reflect changes in our data practices, legal requirements, or Platform functionality. When we make material changes, we will:

    • Update the "Last Updated" date at the top of this page.
    • Post a prominent notice on our Platform and/or send you an email notification (if we have your email address on file) at least 15 days prior to the changes taking effect.

    Your continued use of the Platform after the effective date of any revised Privacy Policy constitutes your acceptance of and agreement to the updated terms.

    16. Governing Law & Dispute Resolution

    This Privacy Policy shall be governed by and construed in accordance with the laws of Nepal, without regard to its conflict of laws provisions. Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Kathmandu, Nepal.

    17. Contact Us

    If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

    • Data Protection Contact: [email protected]
    • General Enquiries: [email protected]
    • Postal Address: Digi Therapy, Inc., Kathmandu, Nepal

    We will endeavour to respond to all legitimate enquiries within 30 days.

    © 2026 Digi Therapy, Inc. All rights reserved. | Terms & Conditions | Cookie Policy