Privacy Policy

Effective May 29, 2026

1. Introduction

Wheva Inc. (“Company”, “we”, “us”, or “our”) is committed to protecting your privacy and the privacy of individuals whose information is processed through our platform. This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information when you use the Wheva platform, including any associated applications, websites, and services (collectively, the “Service”).

This Privacy Policy is designed to comply with the Personal Information Protection and Electronic Documents Act (“PIPEDA”), applicable provincial privacy and health information legislation in Canada (including British Columbia’s Personal Information Protection Act, Quebec’s Act respecting the protection of personal information in the private sector (“Law 25”), Ontario’s Personal Health Information Protection Act, and Alberta’s Health Information Act, where applicable), and other relevant privacy laws that may apply based on the location of our Users or their patients.

By creating an account, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Definitions

  • “Personal Information” means information about an identifiable individual, as defined under PIPEDA, including but not limited to name, email address, professional credentials, and usage data.
  • “Patient Data” means any information relating to an identified or identifiable individual receiving care, entered into the Service by Professional Users. Patient Data may include health information, session notes, treatment plans, progress metrics, and behavioral observations.
  • “Professional User” means a licensed or qualified professional who uses the Service to deliver, manage, or coordinate care for neurodivergent individuals.
  • “Data Controller” means the entity that determines the purposes and means of processing personal information.
  • “Data Processor” means the entity that processes personal information on behalf of the Data Controller.

3. Information We Collect

3.1 Information You Provide

Account Information: When you register for the Service, we collect:

  • Full name
  • Email address
  • Professional qualifications and credentials
  • Organization name and details
  • Role and job title
  • Password (stored as a salted hash, never in plain text)

Payment Information: If you subscribe to a paid plan, our third-party payment processor collects your payment details (credit card number, billing address). We do not store your payment card information on our servers. Payment processing is handled entirely by our third-party payment processor. We may retain a payment token and the last four digits of your card number for display and transaction reference purposes only.

Patient Data: Professional Users may enter Patient Data into the Service, including:

  • Patient names and identifiers
  • Session notes and clinical observations
  • Treatment plans and goals
  • Progress metrics and behavioral data
  • Visual aids and social stories created for patients

Communications: When you contact us (via email, support requests, or feedback), we collect the content of those communications.

3.2 Information Collected Automatically

Usage Data: We automatically collect information about your interaction with the Service, including:

  • Pages and features accessed
  • Actions performed within the Service
  • Date and time of access
  • Session duration

Device and Technical Information: We collect:

  • IP address
  • Browser type and version
  • Operating system
  • Device type (desktop, tablet, mobile)
  • Referring URLs

Cookies and Similar Technologies: We and our service providers use cookies and similar technologies on our website. See our Cookie Policy for details on which cookies we use, their purpose, retention, and how to manage your preferences.

3.3 Information from Third Parties

We may receive limited information from third-party authentication providers if you choose to sign in using a third-party service (such as Google or Microsoft). This is limited to your name and email address as authorized by you during the sign-in process.

4. How We Use Your Information

We use your information for the following purposes:

4.1 Service Delivery

  • Providing, maintaining, and operating the Service
  • Creating and managing your account
  • Processing transactions and managing subscriptions
  • Enabling collaboration features between team members

4.2 Communication

  • Sending transactional emails (account verification, password resets, billing receipts)
  • Sending important service notifications (security alerts, Terms updates, planned maintenance)
  • Responding to your inquiries and support requests

4.3 Service Improvement

  • Analyzing usage patterns to improve features and user experience
  • Identifying and fixing technical issues
  • Developing new features and functionality

4.4 Security and Fraud Prevention

  • Detecting, preventing, and responding to security incidents
  • Monitoring for unauthorized access or misuse
  • Enforcing our Terms of Service
  • Complying with applicable laws, regulations, and legal processes
  • Responding to lawful requests from government authorities
  • Establishing, exercising, or defending legal claims

4.6 How We Do Not Use Your Information

We do not:

  • Sell your Personal Information or Patient Data to third parties
  • Use Patient Data for advertising or marketing purposes
  • Use Patient Data to build profiles for purposes unrelated to the Service
  • Use Patient Data to train general-purpose AI models

When you use AI-powered features within the Service, the relevant inputs are sent to third-party AI model providers (see Section 7.1) for real-time processing. Under our contractual commitments with these providers, your inputs and outputs are not used to train their models and are retained only as strictly necessary for service delivery, abuse monitoring, or compliance with applicable law, after which they are deleted. We select AI providers that offer contractual commitments regarding the handling and limited retention of data.

Under PIPEDA and applicable privacy legislation, we process your Personal Information based on the following lawful grounds:

  • Consent: You provide consent when you create an account and agree to these terms. You may withdraw consent at any time (see Section 8).
  • Contractual Necessity: Processing is necessary to perform our contractual obligations to you (providing the Service).
  • Legitimate Interest: We have a legitimate interest in maintaining the security and integrity of the Service, improving our products, and communicating with you about your account.
  • Legal Obligation: We may process information to comply with applicable laws and regulations.

6. Data Controller and Data Processor Roles

6.1 Your Account Information

Wheva Inc. is the Data Controller for your account information (name, email, credentials, usage data). We determine the purposes and means of processing this information.

6.2 Patient Data

For Patient Data entered into the Service:

  • You (or your Organization) are the Data Controller. You determine what Patient Data is entered, how it is used, and who has access to it within the platform.
  • Wheva Inc. is the Data Processor. We process Patient Data solely on your behalf and in accordance with your instructions, these Terms, and this Privacy Policy.

As Data Controller for Patient Data, you are responsible for:

  • Obtaining any required consents from patients or their legal guardians
  • Complying with applicable privacy and health information legislation
  • Ensuring that Patient Data entered into the Service is accurate and necessary
  • Managing access permissions for team members within your Organization

7. Data Sharing and Disclosure

We do not sell your Personal Information. We may share information only in the following circumstances:

7.1 Service Providers (Sub-Processors)

We engage trusted third-party service providers (sub-processors) to operate the Service. These providers support functions such as cloud infrastructure, authentication, transactional email delivery, payment processing, and AI-assisted content generation. Some of these providers are located in the United States, which means your data is transferred to and processed in the United States (see Section 13 for details on cross-border transfers).

All service providers are bound by contractual obligations to protect your data and use it only for the purposes for which it is disclosed.

A current list of our sub-processors is available on request by contacting privacy@wheva.com.

7.2 Within Your Organization

If you belong to an Organization on the platform, your account information (name, role, professional qualifications) and your activity within shared patient records may be visible to other authorized members of your Organization, as determined by the Organization’s administrator.

We may disclose your information if required to do so by law, or if we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation, court order, or legal process
  • Protect and defend the rights or property of Wheva Inc.
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of Users or the public
  • Protect against legal liability

7.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice within the Service before your information is transferred and becomes subject to a different privacy policy.

8. Your Privacy Rights

Under PIPEDA and applicable provincial legislation, you have the following rights:

8.1 Right of Access

You have the right to request access to the Personal Information we hold about you. We will respond to your request within 30 days, subject to any extension permitted under PIPEDA (for example, where additional time is required to handle a large volume of information or to consult with third parties). Where an extension is applied, we will notify you within the original 30-day period.

8.2 Right to Correction

You have the right to request correction of inaccurate or incomplete Personal Information. You can update most account information directly through the Service.

8.3 Right to Deletion

You have the right to request deletion of your Personal Information. Upon receiving a valid deletion request:

  • We will delete your account and associated Personal Information within 30 days
  • Patient Data for which your Organization is the Data Controller remains under the Organization’s control; if another authorized user within your Organization retains access to that data, it will not be deleted as part of your individual deletion request. To delete Organization-owned Patient Data, a request must come from the Organization administrator (see Section 9.2 for what happens on full account or Organization termination)
  • Some information may be retained where required by law or legitimate business purposes (such as billing records)

8.4 Right to Data Portability

You have the right to request a copy of your data in a commonly used, structured, machine-readable format. You can trigger a self-serve export from Settings › Privacy & data in the web console; we will email you a time-limited download link to a JSON bundle of your account information, organization memberships, and the patient records you solely control. You may also contact support@wheva.com if you prefer a manual fulfillment.

You may withdraw your consent to the processing of your Personal Information at any time by:

  • Adjusting your account settings
  • Contacting us at privacy@wheva.com
  • Deleting your account

Withdrawal of consent may affect your ability to use certain features of the Service. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

8.6 Right to Complain

If you believe your privacy rights have been violated, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (www.priv.gc.ca) or the applicable provincial privacy commissioner.

9. Data Retention

9.1 Active Accounts

We retain your Personal Information and Patient Data for as long as your account is active and as necessary to provide the Service.

9.2 Account Deletion

Upon account deletion:

  • Your sign-in is revoked immediately upon request, and your Personal Information and Patient Data are deleted from our active systems within 24 hours of your confirmation.
  • Continuous backups (point-in-time recovery snapshots) may retain copies for up to 35 days, after which they are automatically purged.
  • A minimal audit record (hashed identifier, deletion timestamps, legal basis) is retained for 7 years to satisfy record-retention obligations and support investigations into data-subject requests.

We may retain certain information beyond the periods described above where required by applicable law, including:

  • Billing and transaction records (as required by tax and financial regulations)
  • Records necessary to resolve disputes or enforce agreements
  • Information required by a legal hold or preservation order

9.4 Anonymized and Aggregated Data

We may process Personal Information to create anonymized, aggregated data that cannot be used to identify any individual. Anonymization involves permanently removing or altering identifying details so the data can no longer be linked back to you. We use this anonymized data for analytical and service improvement purposes, such as understanding general usage patterns and improving platform features. Once data has been truly anonymized, it is no longer considered Personal Information and is not subject to the rights described in Section 8.

10. Cookies and Tracking Technologies

We and our service providers use cookies, pixels, tags, local storage, and similar technologies on our website. For details about which cookies we use, their purpose, how long they are retained, and how you can manage your preferences, please see our Cookie Policy.

11. Data Security

11.1 Technical Measures

We implement industry-standard technical measures to protect your data, including:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
  • Encryption at rest: All stored data is encrypted using AES-256 encryption
  • Access controls: Role-based access controls ensure that only authorized personnel can access data
  • Infrastructure security: We host our services on cloud infrastructure located in the United States. Our infrastructure provider maintains SOC 2, ISO 27001, and other security certifications. Wheva itself is not currently independently certified against these frameworks

11.2 Organizational Measures

  • Regular security assessments and vulnerability testing
  • Employee access limited to what is necessary for their role
  • Security awareness training for all personnel
  • Audit trails for data access and modifications
  • Incident response procedures

11.3 Limitations

While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security vulnerabilities.

12. Data Breach Notification

In the event of a data breach involving your Personal Information that creates a real risk of significant harm:

  • We will notify affected individuals as soon as feasible after determining that the breach has occurred
  • We will report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA
  • We will notify any other organizations or government institutions that we believe can reduce the risk of harm
  • Our notification will include a description of the breach, the types of information involved, steps we are taking to address the breach, and steps you can take to protect yourself

13. International Data Transfers

13.1 Data Location

Your data is primarily stored and processed on cloud infrastructure located in the United States.

13.2 Cross-Border Transfers

Because our infrastructure is hosted in the United States, your data is transferred to and stored in the United States. The United States has different privacy laws than Canada, and your data may be subject to access by US government authorities under applicable US laws (such as the USA PATRIOT Act or the CLOUD Act).

By creating an account and using the Service, you acknowledge that your data will be transferred to and stored in the United States for storage and processing. You may withdraw this acknowledgement at any time by deleting your account, which will result in termination of the Service.

To protect your data in connection with cross-border transfers:

  • We ensure that appropriate safeguards are in place, including contractual obligations that provide a level of protection substantially similar to PIPEDA
  • We conduct assessments to evaluate the privacy implications of the hosting jurisdiction
  • We limit the data transferred and stored to what is strictly necessary for the provision of the Service
  • We apply the same technical and organizational security measures (encryption, access controls, audit trails) regardless of data location

13.3 International Users

The Service is operated from Canada and is primarily governed by Canadian privacy law. If you are located outside of Canada, please be aware of the following:

Users in the United States: The Service is not currently certified as compliant with the Health Insurance Portability and Accountability Act (HIPAA). If you are a healthcare provider or other covered entity under HIPAA, you are responsible for evaluating whether your use of the Service meets your regulatory obligations before entering Patient Data. Certain US state laws (such as Washington’s My Health My Data Act and similar state consumer health data laws) may apply to the processing of health-related data. We encourage you to review your obligations under applicable state and federal laws.

Users in other jurisdictions: If you access the Service from outside Canada and the United States, you are responsible for ensuring that your use of the Service complies with the laws of your jurisdiction, including any requirements related to the cross-border transfer of personal or health information.

We do not represent that the Service is appropriate or available for use in all locations. Those who access the Service from other jurisdictions do so on their own initiative and are responsible for compliance with local laws.

14. Children’s Privacy

The Service is designed for use by Professional Users: qualified adults who provide care to neurodivergent individuals, including children. We do not knowingly collect Personal Information directly from children.

Patient Data related to minors is entered into the Service by authorized Professional Users acting in their professional capacity. These professionals are responsible for obtaining any necessary consents and complying with applicable laws regarding the collection and use of information about minors.

If we become aware that we have inadvertently collected Personal Information from a child without appropriate authorization, we will take immediate steps to delete that information.

15. Automated Decision-Making

The Service may use automated processing, including AI-powered features, to generate content such as visual aids and social stories. These features:

  • Are designed to assist Professional Users, not to make autonomous clinical decisions
  • Require professional review and approval before use with patients
  • Do not produce decisions that have legal or similarly significant effects on individuals
  • Can be overridden or modified at any time by the Professional User

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

  • Material changes: We will notify you via email to the address associated with your account and/or through a prominent notice within the Service at least 30 days before the changes take effect.
  • Non-material changes: We will update the “Last Updated” date at the top of this policy.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the Service and delete your account.

17. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Wheva Inc. British Columbia, Canada

You may also contact the Office of the Privacy Commissioner of Canada: