Privacy Policy
Effective Date: April 1, 2026 · Version 1.0
1. Introduction
EmpathySystem Inc. ("EmpathySystem," "we," "us") operates the EmpathySystem platform ("Services"). This Privacy Policy explains how we collect, use, share, and protect information about participants, case managers, organization staff, funders, and community members ("you").
Our core principle: Your data is yours. You control it. EmpathySystem is designed as a participant-owned, privacy-first system. We never sell personal information and never use your data for advertising.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, phone number, date of birth, and address when you register.
- Profile Information: Goals, interests, support needs, and self-reported demographic information.
- Health & Social Determinants Data: Information about housing, employment, education, health, food access, transportation, and other social determinants of health (SDOH) that you choose to share.
- Communications: Messages you send through Seth (our AI companion), direct messages to case managers, check-in responses, and community posts.
- Documents: Files you upload, including identification documents, benefits paperwork, and other records.
2.2 Information Collected Automatically
- Usage Data: Pages visited, features used, session duration, and interaction patterns.
- Device Information: Browser type, operating system, and device identifiers.
- Log Data: IP addresses, access times, and referring URLs for security and fraud prevention.
2.3 Information from Organizations
When you enroll with a participating organization, that organization may provide us with your name, contact information, enrollment status, and case management notes as permitted by your consent settings.
3. AI-Powered Services Disclosure
EmpathySystem uses artificial intelligence, including our AI companion named Seth, to provide personalized support. We disclose the following about our AI systems in compliance with the California AI Transparency Act:
- Seth AI Companion: Seth is an AI-powered conversational assistant. Seth is not a therapist, counselor, medical professional, or legal advisor. Seth provides general guidance, resource suggestions, and encouragement based on information you choose to share.
- How AI Processes Your Data: Seth analyzes your messages to provide relevant responses. Your conversations may be used to generate embeddings (mathematical representations) for retrieval purposes. AI processing respects your consent settings—Seth can only access data buckets you have authorized.
- SDOH Detection: Our system may identify social determinants of health signals in your communications to connect you with relevant resources. This is subject to your AI consent settings and can be disabled.
- Human Oversight: All AI-generated content flags are reviewed by human moderators. Case managers maintain oversight of AI-suggested interventions. You can request human-only support at any time.
- No Automated Decision-Making: EmpathySystem does not use AI to make decisions about your eligibility for benefits, services, or opportunities. AI is used solely to augment human support, never to replace it.
4. How We Use Your Information
- To provide and improve our Services, including AI-powered support.
- To connect you with resources, programs, and support services.
- To enable case managers and support teams to coordinate your care (with your consent).
- To generate anonymized, aggregated impact reports for organizations and funders.
- To maintain security, detect fraud, and prevent abuse.
- To comply with legal obligations, including CCPA and HIPAA where applicable.
5. Consent & Data Sharing
EmpathySystem uses a consent-by-default model with six data buckets. Your default setting is "me only"—no one sees your data unless you choose to share it.
5.1 Consent Buckets
You control sharing for each of these categories independently:
- Identity & Demographics
- Health & Wellness
- Work & Education
- Housing & Basic Needs
- Goals & Progress
- AI Context (what Seth can access)
5.2 Sharing Levels
For each bucket, you choose who can see your data:
- Me Only: Only you can see this data (default).
- My Support Team: Your assigned case manager(s) can see this data.
- My Organization: Staff at your enrolled organization can see this data.
- Trusted Network: Your designated trusted contacts can see this data.
- Community/Public: Visible in community feeds (anonymized where applicable).
5.3 Consent Changes
You can change your consent settings at any time. Changes take effect immediately. All consent changes are recorded in an immutable ledger for your protection and cannot be altered retroactively.
5.4 Multi-Organization Enrollment
If you are enrolled with multiple organizations, your consent settings apply independently to each organization. Data is never shared between organizations without your explicit consent.
6. Your Privacy Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to Know: You may request a copy of the personal information we have collected about you in the preceding 12 months, including the categories of data, sources, purposes, and third parties with whom we shared it.
- Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions (e.g., compliance with legal obligations, completing transactions).
- Right to Opt-Out of Sale: We do not sell your personal information. We have never sold personal information and will not do so.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights. You will receive the same quality of service regardless of your privacy choices.
- Right to Correct: You may request correction of inaccurate personal information.
To exercise these rights, use the Data Subject Access Request (DSAR) portal in your account settings, or contact us at privacy@empathysystem.ai. We will respond within 45 days as required by law.
7. Health Information (HIPAA Notice)
Certain organizations using EmpathySystem may be covered entities under the Health Insurance Portability and Accountability Act (HIPAA). When handling Protected Health Information (PHI) on behalf of these organizations:
- We act as a Business Associate and maintain a Business Associate Agreement (BAA) with covered entities.
- PHI is encrypted at rest (AES-256) and in transit (TLS 1.3).
- Access to PHI is logged and auditable.
- PHI is never used for AI training or model improvement.
- PHI access is governed by your consent settings and minimum-necessary principles.
If you believe your health information has been handled improperly, contact privacy@empathysystem.ai or file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.
8. Data Retention
- Active Accounts: Data is retained as long as your account is active.
- Deleted Accounts: Upon account deletion request, personal data is removed within 30 days. Anonymized aggregate data may be retained for reporting.
- Consent Ledger: Consent change records are retained permanently as an immutable audit trail for your protection.
- DSAR Exports: Downloadable data exports expire after 7 days and are automatically deleted.
- Legal Holds: Data subject to legal proceedings may be retained beyond standard periods as required by law.
9. Security
We implement industry-standard security measures, including:
- AES-256 encryption for data at rest.
- TLS 1.3 encryption for data in transit.
- Role-based access controls with organization-scoped tenancy.
- Two-factor authentication for staff accounts.
- Comprehensive audit logging of all data access.
- Regular security assessments and penetration testing.
- SOC 2 Type II compliance framework.
10. Cookies & Tracking
We use essential cookies required for authentication and session management. We do not use third-party advertising cookies, cross-site tracking, or behavioral advertising. We do not participate in ad networks or data broker exchanges.
11. Children's Privacy
Our Services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us at privacy@empathysystem.ai and we will promptly delete it.
Participants between ages 13 and 17 may use the platform with the consent and oversight of a parent, guardian, or authorized case manager.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email and/or in-platform notification at least 30 days before changes take effect. The "Effective Date" at the top of this page indicates when the policy was last revised.
13. Contact Us
For privacy questions, DSAR requests, or concerns:
- Email: privacy@empathysystem.ai
- Mail: EmpathySystem Inc., Attn: Data Protection Officer, PO Box [TBD], California, USA