Privacy Policy for EmEase

1. Introduction

Effective Date: 03/26/2025

Welcome to EmEase

This Privacy Policy explains how Underdog Club LLC (“we,” “us,” or “our”) collects, uses, shares, and protects your information when you use our EmEase application and website (collectively, the “Service”). EmEase is a Self EMDR (Eye Movement Desensitization and Reprocessing) application designed to provide therapeutic support through digital platforms.

About Us

EmEase is owned and operated by Underdog Club LLC, a Delaware corporation with operations based in Maryland. We are committed to protecting your privacy and ensuring the security of your personal and health information.

Contact Information

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

Underdog Club LLC
2833 Smith Avenue, Suite 305
Baltimore, MD 21209
Email: legal@emease.com
Website: https://EmEase.com

Scope of This Policy

This Privacy Policy applies to information we collect through:

By accessing or using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

HIPAA Compliance

EmEase is designed to be compliant with the Health Insurance Portability and Accountability Act (HIPAA). We implement appropriate safeguards to protect the privacy and security of protected health information as required by law. More details about our HIPAA compliance measures are provided in Section 4 of this Privacy Policy.

2. Information Collection

Types of Information We Collect

Personal Information

We collect personal information that you voluntarily provide to us when you register for EmEase, including:

  • Name
  • Email address
  • Phone number (optional)
  • Account credentials
  • Billing information when you purchase a subscription

Health Information

As a Self EMDR application, EmEase may collect sensitive health information, including:

  • Self-reported mental health concerns or symptoms
  • Therapy goals and progress
  • EMDR session data and responses
  • Self-assessment results
  • Journal entries or notes
  • Treatment preferences

Technical Information

We automatically collect certain information about your device and how you interact with EmEase:

  • Device information (type, model, operating system)
  • IP address
  • Browser type and version
  • App usage statistics
  • Session duration and frequency
  • Feature utilization
  • Crash reports and performance data
  • Time zone and language settings
  • A/B testing data (which variants you’ve seen, test participation)
  • Error and crash reports (via Sentry.io and Firebase)
  • Performance metrics and debugging information
  • Subscription and purchase data (via RevenueCat)
  • Cross-platform usage synchronization data
  • Customer support interaction metadata (chat initiation, support topic categories - no PHI)

Location Information

We collect limited location information based on:

  • IP address geolocation (country/region level)
  • Time zone settings

We do not track precise GPS location unless explicitly permitted.

Cross-Domain Tracking

We implement cross-domain tracking across our family of websites to provide a seamless user experience:

  • Tracked Domains: emease.com, try.emease.com
  • Features:
    • Preserves UTM parameters across all EmEase domains
    • Shares user ID for unified journey tracking
    • Preserves A/B test assignments when navigating between domains
    • Tracks cross-domain conversions for attribution
    • Maintains session continuity across our properties

How We Collect Information

Direct Collection

Information you provide directly when you:

  • Create an account
  • Complete profile information
  • Use the EMDR therapy features
  • Record session notes or journal entries
  • Communicate with our support team
  • Respond to surveys or provide feedback

Automated Collection

Information collected automatically through:

  • Cookies and similar technologies
  • Analytics tools
  • Application monitoring software
  • Error and crash reporting tools

Analytics and Usage Data

For our websites (emease.com, try.emease.com):

  • We use Google Analytics, cookies, and web beacons
  • We track page views, session duration, and user journeys
  • We implement cross-domain tracking between our marketing and trial sites

For our EMDR Therapy App (app.emease.com):

  • We use Firebase Analytics with enhanced privacy protections
  • We collect only anonymized usage patterns (e.g., “session_started”, “target_created”)
  • We never collect the content of your therapy sessions, targets, or personal reflections
  • All analytics can be disabled in Settings > Privacy & Security

Third-Party Sources

We may receive information about you from:

  • Authentication services (if you choose to sign in using third-party login)
  • Payment processors
  • App stores (Apple App Store, Google Play)
  • Marketing partners (with your consent)
  • Customer support interactions (general support topics and technical issues, excluding health information)

Cross-Platform and Cross-Site Collection

We may collect information about your interactions across:

  • Our related websites (emease.com and try.emease.com)
  • Multiple platforms (iOS, Android, web applications)
  • Different sessions and devices where you use the same account

This helps us provide a consistent experience and analyze complete user journeys across our services.

We collect and process your information based on:

  • Your explicit consent
  • The necessity to perform our contract with you (providing the EmEase service)
  • Our legitimate interests in maintaining and improving our service
  • Compliance with legal obligations

Minimization Principle

We strive to collect only the information necessary to provide, maintain, and improve the EmEase service. You may choose not to provide certain information, though this may limit your ability to use specific features of our application.

3. Service-Specific Privacy Practices

We use different privacy and tracking approaches across our services:

Marketing Website (emease.com)

  • Uses Google Analytics for website optimization
  • Implements cross-domain tracking with try.emease.com
  • Uses cookies for session management and analytics

Trial Platform (try.emease.com)

  • Uses Google Analytics
  • Shares tracking data with emease.com for user journey analysis
  • Uses cookies for session continuity

EMDR Therapy App (app.emease.com)

  • Enhanced Privacy Protection
  • Uses only Firebase Analytics (no Google Analytics)
  • No cookies or web beacons
  • All user IDs are hashed before analytics collection
  • Automatic PHI filtering - personal health information is never sent to analytics
  • User-controlled tracking - analytics can be disabled in app settings
  • Privacy-first crash reporting - error messages are sanitized to remove any personal data

4. HIPAA Compliance Statement

Our Commitment to HIPAA

EmEase is designed and operated in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. We recognize the sensitive nature of the health information you entrust to us and are committed to maintaining the privacy and security of your Protected Health Information (PHI).

Our Role Under HIPAA

Underdog Club LLC, as the provider of EmEase, functions as a Business Associate under HIPAA when users utilize our application for health-related purposes. This means we are legally obligated to:

  • Implement appropriate safeguards to protect your PHI
  • Limit uses and disclosures of PHI to those permitted by law
  • Report security incidents involving PHI
  • Maintain appropriate documentation of our privacy practices

Safeguards Implemented

To protect your health information, we have implemented comprehensive administrative, physical, and technical safeguards:

Administrative Safeguards

  • Regular risk assessments and management procedures
  • Designated privacy and security officials
  • Workforce training on privacy and security
  • Documented policies and procedures for PHI handling
  • Regular review of information system activity

Technical Safeguards

  • End-to-end encryption for data in transit and at rest
  • Access controls and authentication requirements
  • Audit controls to record and examine activity
  • Integrity controls to prevent unauthorized PHI alteration
  • Transmission security to guard against unauthorized access

Physical Safeguards

  • Secure data centers with controlled access
  • Hardware and media controls
  • Workstation security protocols
  • Facility access and security measures

Business Associate Agreements

When we engage third-party service providers who may have access to PHI, we enter into Business Associate Agreements (BAAs) that contractually bind these entities to:

  • Use appropriate safeguards to protect PHI
  • Report security incidents
  • Comply with the same restrictions that apply to us

Breach Notification

In the unlikely event of a breach of unsecured PHI, we will:

  • Notify affected users without unreasonable delay (and no later than 60 days following discovery)
  • Provide information about what happened, what information was involved, steps individuals should take, what we are doing to investigate and mitigate, and contact procedures
  • Notify relevant authorities as required by law

HIPAA Rights

As a user of EmEase, you maintain certain rights regarding your PHI, including:

  • The right to access your PHI
  • The right to request corrections to your PHI
  • The right to receive an accounting of certain disclosures of your PHI
  • The right to request restrictions on certain uses and disclosures

To exercise these rights, please contact us at legal@emease.com.

Limitations

While EmEase is designed to be HIPAA-compliant, please note that your own handling of information outside our application (such as sharing screenshots or discussing your therapy through non-secure channels) may not be protected under HIPAA.

5. Use of Information

Primary Uses of Your Information

We use the information we collect primarily to provide, maintain, and improve the EmEase service. Specifically, we use your information to:

Deliver Core Functionality

  • Create and manage your EmEase account
  • Provide personalized Self EMDR therapy sessions
  • Track your progress and therapy outcomes
  • Store your session history and personal notes
  • Enable you to access your information across devices
  • Facilitate your therapeutic journey through the application

Service Operation and Support

  • Authenticate your identity and maintain account security
  • Process payments and manage subscriptions
  • Provide customer support and respond to your inquiries
  • Send service-related notifications and updates
  • Troubleshoot problems and optimize performance
  • Fulfill your requests for specific features or information
  • Provide technical customer support for application functionality and account issues
  • Maintain support interaction records for service quality (excluding health information)
  • Analyze general support trends to improve user experience and documentation
  • Send service-related notifications about system status or updates

Secondary Uses of Information

With your consent or where permitted by law, we may also use your information for:

Service Improvement

  • Analyze usage patterns to enhance user experience
  • Identify trends and areas for improvement
  • Develop new features and functionality
  • Test and debug application performance
  • Conduct research on EMDR effectiveness (using de-identified data)

Communication

  • Send you information about new features or services
  • Provide educational content related to EMDR therapy
  • Deliver promotional offers or discounts (only with explicit opt-in)
  • Request feedback on your experience with EmEase
  • Invite participation in surveys or research (optional)

Business Operations

  • Generate aggregated, non-identifying analytics and statistics
  • Protect against fraudulent or unauthorized activity
  • Enforce our Terms of Service
  • Comply with legal obligations

We process your information based on one or more of the following legal grounds:

  • When you explicitly agree to the processing of your information for specific purposes
  • You may withdraw your consent at any time by contacting us at legal@emease.com

Contract Performance

  • When processing is necessary to fulfill our contractual obligations to you
  • This includes providing the core EmEase service you have subscribed to

Legitimate Interests

  • When we have a legitimate business interest in processing your information
  • Examples include improving our services, preventing fraud, and ensuring network security
  • We balance our interests against your privacy rights and expectations
  • When we need to process your information to comply with a legal obligation
  • This may include responding to legal processes or government requests

Automated Decision-Making

EmEase may use algorithms to personalize your therapy experience based on your inputs and progress. However, we do not make solely automated decisions that would have legal or similarly significant effects on you without human oversight.

A/B Testing and Experimentation

We conduct A/B testing to improve user experience and optimize our services:

  • Test variants are randomly assigned and stored in cookies for 30 days
  • We track variant exposure, engagement metrics, and conversion events
  • For users arriving from paid advertising campaigns, we collect additional attribution data
  • A/B test data includes scroll depth, time on page, bounce rates, and interaction with CTAs

Marketing and Attribution Data

When you visit our sites through advertising campaigns:

  • We track the source of your visit (UTM parameters)
  • Ad campaign performance metrics are collected
  • Conversion events are attributed to specific campaigns
  • This data helps us understand marketing effectiveness
  • No personally identifiable information is shared with advertisers

Data Retention for These Purposes

We retain your information only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Different types of information may be kept for different periods based on their purpose and sensitivity.

6. Information Sharing and Disclosure

Overview

We understand the highly sensitive nature of the information you share with EmEase. We are committed to maintaining your privacy and will not sell your personal information. We limit sharing of your information to specific circumstances outlined below.

Third-Party Service Providers

We may share your information with trusted third-party service providers who perform services on our behalf. These providers are contractually obligated to use your information only for the purposes of providing these services to us and are required to maintain the confidentiality and security of your information.

Specifically, we work with the following service providers:

Infrastructure and Hosting

  • Vercel: Web hosting and content delivery network services
  • Firebase: Mobile app analytics, crash reporting, and performance monitoring

Analytics and Optimization

  • Google Tag Manager: Managing tracking technologies and analytics implementation
  • Google Analytics: Website and app usage analytics, user behavior analysis, and A/B testing
  • Sentry.io: Error tracking, performance monitoring, and crash reporting

Subscription Management

  • RevenueCat: Cross-platform subscription management, purchase validation, and revenue analytics

Customer Support

  • Intercom: Customer support chat and help desk management (does not have access to Protected Health Information)

Service providers with potential access to Protected Health Information (PHI) are bound by Business Associate Agreements (BAAs) in compliance with HIPAA requirements. Intercom does not have access to PHI as we explicitly instruct users not to share sensitive health information through support channels.

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). Circumstances may include:

  • Responding to a subpoena, court order, or legal process
  • Protecting our rights, privacy, safety, or property
  • Preventing or investigating possible wrongdoing related to our services
  • Protecting against legal liability

When possible and permitted by law, we will notify you of such disclosures.

Business Transfers

If Underdog Club LLC is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your information, as well as any choices you may have regarding your information.

De-identified Data Sharing

We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you. This information may be used for:

  • Research purposes to advance understanding of EMDR therapy effectiveness
  • Industry benchmarking and analysis
  • Service improvement and development
  • Marketing and promotional materials (showing general statistics, not individual data)

We may share your information with third parties when you explicitly consent to such sharing. For example:

  • If you choose to integrate EmEase with other health applications
  • If you opt to share your progress with a healthcare provider
  • If you participate in research studies (with separate informed consent)

No Sale of Personal Information

We do not sell, rent, or lease your personal information to third parties. We do not share your information with third parties for their direct marketing purposes without your explicit consent.

International Data Transfers

If we transfer your information to service providers located outside your country of residence, we implement appropriate safeguards to ensure your information receives an adequate level of protection, including:

  • Standard contractual clauses approved by relevant data protection authorities
  • Privacy Shield certification (where applicable)
  • Binding corporate rules for transfers within our corporate group
  • Other legally approved mechanisms

Limitations on Sharing Health Information

We treat your health information with the highest level of confidentiality. Any sharing of health information is conducted in compliance with HIPAA and other applicable healthcare privacy laws, with appropriate safeguards in place.

7. Data Storage and Security

Data Storage

Storage Locations

EmEase stores your personal and health information using secure cloud infrastructure:

  • Primary hosting: Vercel (United States)
  • Database storage: Firebase (United States)
  • Analytics data: Google Analytics (United States)
  • Error tracking: Sentry.io (United States)
  • Subscription data: RevenueCat (United States)
  • Customer support metadata: Intercom (United States - no PHI stored)

All providers maintain robust physical security measures at their data centers and are bound by appropriate data processing agreements.

Data Separation and Protection

We implement strict data separation practices:

  • Protected Health Information (PHI) is isolated from general support and infrastructure systems
  • Customer support platforms receive only technical and account-related information
  • Automated systems scrub sensitive information before sending error reports or analytics data
  • Support staff are trained to recognize and properly handle any inadvertent PHI disclosure

Backup and Redundancy

To prevent data loss, we implement regular backup procedures and maintain redundant storage systems. These backups are encrypted and protected with the same level of security as our primary systems.

Data Retention Periods

We retain different types of data for varying periods:

  • Account information: For as long as your account remains active, plus a retention period after account closure (typically 30 days)
  • Health information: For as long as necessary to provide services and comply with legal obligations
  • Usage data: Typically retained for 12-24 months to support service improvement
  • Payment information: As required by financial regulations and tax laws

You may request deletion of your data at any time, subject to legal retention requirements.

Security Measures

Encryption

  • Data in transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security)
  • Data at rest: All stored data is encrypted using industry-standard AES-256 encryption
  • End-to-end encryption is implemented for particularly sensitive health information

Access Controls

  • Role-based access controls limit employee access to user data
  • Multi-factor authentication is required for administrative access
  • Principle of least privilege is enforced for all system access
  • Regular access reviews and privilege audits

Infrastructure Security

  • Firewalls and intrusion detection systems
  • Regular vulnerability scanning and penetration testing
  • Automated threat monitoring and alerting
  • Regular security patches and updates

Application Security

  • Secure development practices and code reviews
  • Regular security testing throughout the development lifecycle
  • Third-party security audits and assessments
  • Bug bounty program to identify and address vulnerabilities

Breach Notification Procedures

In the unlikely event of a data breach affecting your personal information, we will:

  1. Investigation: Promptly investigate the nature and scope of the incident
  2. Containment: Take immediate steps to contain the breach and mitigate potential harm
  3. Notification: Notify affected users without unreasonable delay, typically within 72 hours of discovery, unless a longer period is permitted by law
  4. Details Provided: Our notification will include:
    • Description of the incident
    • Types of information involved
    • Steps you can take to protect yourself
    • Measures we are taking to address the breach
    • Contact information for questions
  5. Regulatory Reporting: Report to relevant authorities as required by applicable laws, including HIPAA breach notification requirements
  6. Remediation: Implement corrective actions to prevent similar incidents in the future

Employee Training and Policies

Our security measures include:

  • Comprehensive security and privacy training for all staff
  • Background checks for employees with access to sensitive systems
  • Confidentiality agreements
  • Documented security policies and procedures
  • Regular security awareness updates

Continuous Improvement

We regularly review and enhance our security practices by:

  • Conducting periodic risk assessments
  • Staying current with industry best practices
  • Monitoring for emerging threats
  • Updating our security controls as technology evolves

Special Protections for App Users

Our EMDR therapy app implements additional privacy safeguards:

  • Automatic PHI Filtering: Our analytics system automatically detects and blocks personal health information from being transmitted
  • Hashed Identifiers: User IDs are cryptographically hashed using SHA-256 before any analytics collection
  • Sanitized Error Reporting: Crash reports remove all personal data, file paths, and sensitive information
  • Local Data Storage: Your therapy content is stored locally and in your private Firebase account, never in analytics

Your Role in Security

While we implement robust security measures, the security of your account also depends on:

  • Keeping your login credentials confidential
  • Using strong, unique passwords
  • Being cautious about the networks you use to access EmEase
  • Logging out of your account when using shared devices
  • Promptly reporting any suspicious activity to legal@emease.com

8. User Rights

Your Privacy Rights

As an EmEase user, you have certain rights regarding your personal information. We are committed to respecting these rights and providing you with control over your data.

Right to Access Your Information

You have the right to request access to the personal information we hold about you. This includes:

  • Confirmation that we are processing your personal information
  • Access to a copy of your personal information
  • Information about how we use and process your data

To request access to your information, please email legal@emease.com. We will respond to your request within 30 days, though we may extend this period by up to an additional 60 days if necessary, with notice.

Right to Correct Inaccurate Information

You have the right to request that we correct any inaccurate or incomplete personal information we maintain about you. You can:

  • Update certain information directly through your account settings
  • Contact us at legal@emease.com to request corrections to information you cannot modify yourself

We will respond to correction requests promptly, typically within 30 days.

Right to Deletion

You have the right to request deletion of your personal information in certain circumstances. This is sometimes called the “right to be forgotten.” Upon receiving a verified deletion request, we will:

  • Delete your personal information from our active systems
  • Ensure it is removed from backups during our regular backup rotation
  • Confirm deletion has been completed

Exceptions may apply if we need to:

  • Complete the transaction for which the information was collected
  • Comply with legal obligations
  • Detect security incidents or protect against fraud
  • Debug products to identify and repair errors
  • Exercise free speech or ensure another’s right to exercise free speech
  • Comply with the California Electronic Communications Privacy Act
  • Engage in public or peer-reviewed research with appropriate safeguards
  • Enable solely internal uses aligned with your expectations
  • Comply with a legal obligation

Right to Data Portability

You have the right to receive a copy of your personal information in a structured, commonly used, and machine-readable format. This allows you to transfer your data to another service provider. Upon request, we will:

  • Provide your data in a compatible format (typically JSON or CSV)
  • Transmit your data directly to another provider if technically feasible

Right to Restrict Processing

In certain circumstances, you have the right to request that we restrict the processing of your personal information, such as:

  • When you contest the accuracy of your personal information
  • When the processing is unlawful and you oppose deletion
  • When we no longer need the information but you need it for legal claims
  • When you have objected to processing pending verification of legitimate grounds

Right to Object to Processing

You may object to our processing of your personal information in certain circumstances, particularly when processing is based on our legitimate interests or for direct marketing purposes.

Where we process your information based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

  • Email: legal@emease.com
  • Mail: Underdog Club LLC, 2833 Smith Avenue, Suite 305, Baltimore, MD 21209

Please include:

  • Your name and email address associated with your EmEase account
  • Clear description of the right you wish to exercise
  • Any relevant details to help us respond appropriately

Verification Process

To protect your privacy, we may need to verify your identity before processing your request. We will use information you have previously provided to verify your identity, and may request additional information if necessary.

Response Timeline

We will respond to all legitimate requests within 30 days. If your request is particularly complex or if you have made multiple requests, it may take us longer. In this case, we will notify you and keep you updated.

No Discrimination

We will not discriminate against you for exercising any of your privacy rights. This means we will not:

  • Deny you goods or services
  • Charge you different prices or rates
  • Provide you with a different level or quality of services
  • Suggest you will receive different prices or services

App-Specific Privacy Controls

Within the EMDR therapy app, you can:

  • Disable all analytics via Settings > Privacy & Security > Data Collection toggle
  • Export all your data in JSON format (GDPR/CCPA compliant)
  • Delete all therapy data while keeping your account active
  • View exactly what data is collected (only anonymized events, never therapy content)

Authorized Agents

You may designate an authorized agent to submit requests on your behalf. We may require verification of your agent’s authorization and may still require you to verify your identity directly with us.

9. Children’s Privacy

Age Restrictions

EmEase is designed for adults and is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18 years of age. If you are under 18, please do not use or provide any information on our Service, including registering for an account, making purchases, or providing any personal information about yourself.

No Intentional Collection from Children

We do not:

  • Specifically target our marketing or Service to children under 18
  • Knowingly collect or solicit personal information from children under 18
  • Allow children under 18 to create accounts or use our Service

If a parent or guardian becomes aware that their child has provided us with personal information without their consent, they should contact us immediately at legal@emease.com. If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take steps to remove that information from our servers.

Discovery of Child Data

If we learn that we have collected personal information from a child under 18, we will:

  1. Promptly delete the information from our records
  2. Terminate the child’s account immediately
  3. Take reasonable measures to ensure the data is removed from our systems
  4. Notify the parent or guardian if we have contact information

Special Considerations for Teens (13-17)

While our Service is not intended for anyone under 18, we recognize that EMDR therapy may be beneficial for adolescents. In cases where a healthcare provider recommends EmEase for a minor:

  1. The account must be created and managed by the parent or legal guardian
  2. The parent or guardian must provide verifiable consent
  3. The parent or guardian maintains the right to:
    • Review their child’s personal information
    • Request deletion of their child’s personal information
    • Refuse further collection or use of their child’s information

Educational or Therapeutic Use

If EmEase is used in educational or therapeutic settings with minors, it must be:

  1. Administered by qualified professionals
  2. Used with appropriate parental/guardian consent
  3. Managed in compliance with applicable laws regarding minors’ privacy

Compliance with Children’s Privacy Laws

We comply with the Children’s Online Privacy Protection Act (COPPA) and similar state and international laws protecting children’s privacy. Our data collection practices are designed to comply with these regulations.

Reporting Concerns

If you believe a child under 18 has provided personal information to EmEase, or if you have questions or comments about our Children’s Privacy practices, please contact us immediately at:

Email: legal@emease.com
Mail: Underdog Club LLC, 2833 Smith Avenue, Suite 305, Baltimore, MD 21209

We take children’s privacy seriously and will respond promptly to any concerns.

10. Cross-Border Data Transfers

International Operations

EmEase is operated by Underdog Club LLC, based in the United States. If you are accessing our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers and central database are located.

Data Transfer Mechanisms

When we transfer personal information from one jurisdiction to another, particularly from regions with comprehensive data protection laws (such as the European Economic Area, United Kingdom, Switzerland, or Canada) to the United States, we implement appropriate safeguards to ensure your information receives an adequate level of protection. These safeguards may include:

  • Standard Contractual Clauses (SCCs): We use European Commission-approved standard contractual clauses in our agreements with service providers and partners to ensure adequate protection for data transferred internationally.

  • Data Processing Agreements: We enter into data processing agreements with our service providers that include provisions for appropriate data protection.

  • Privacy Shield: While the EU-US Privacy Shield framework has been invalidated, we continue to honor its principles as a matter of good practice.

  • Binding Corporate Rules: For transfers within any future corporate group, we may implement binding corporate rules approved by data protection authorities.

Compliance with International Regulations

We strive to comply with applicable data protection laws in the jurisdictions where we operate, including:

  • General Data Protection Regulation (GDPR): For users in the European Economic Area, United Kingdom, and Switzerland
  • Personal Information Protection and Electronic Documents Act (PIPEDA): For users in Canada
  • Lei Geral de Proteção de Dados (LGPD): For users in Brazil
  • Other applicable international data protection laws

International Data Storage

Your information may be stored on servers located in:

  • The United States (primary storage)
  • Other countries where our service providers maintain facilities

We select our storage providers based on their ability to provide adequate technical and organizational security measures.

Impact of Local Laws

The privacy laws in the United States and other countries where your data may be stored or processed might be different from those in your country of residence. Government authorities in these countries may have lawful access to your information under certain circumstances. By using EmEase, you acknowledge and consent to these potential cross-border transfers of your information.

Data Localization Requirements

For users in regions with data localization requirements, we make efforts to comply with such requirements by:

  • Working with local data storage providers where required
  • Implementing technical measures to ensure compliance
  • Adapting our practices to meet local legal requirements

Your Rights Regarding International Transfers

Regardless of where your information is stored or processed, you retain the rights outlined in Section 7 (User Rights) of this Privacy Policy. If you have concerns about international transfers of your data, please contact us at legal@emease.com.

Changes to Our International Transfer Mechanisms

If we change the mechanisms we use to transfer data internationally, we will update this Privacy Policy and, where appropriate, notify you directly of significant changes.

Additional Information for EEA, UK, and Swiss Residents

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the right to lodge a complaint with your local data protection authority if you believe our processing of your personal information does not comply with applicable law.

11. Cookies and Tracking Technologies

What Are Cookies and Tracking Technologies?

EmEase uses various technologies to collect and store information when you use our Service:

  • Cookies: Small text files placed on your device that allow us to recognize your browser or device across sessions and visits.
  • Web Beacons: Small graphic images (also known as “pixel tags” or “clear GIFs”) that may be included on our sites and services.
  • Local Storage: Technologies like HTML5 localStorage and indexedDB that provide similar functionality to cookies but can store larger amounts of data.
  • Analytics Tools: Software that collects data about how users interact with our Service.
  • Session Replay Tools: Technologies that help us understand how users navigate through our application.

Websites (emease.com, try.emease.com):

  • Full cookie implementation for analytics, session management, and A/B testing
  • Google Analytics cookies for usage tracking
  • Cross-domain tracking cookies
  • Marketing optimization cookies

EMDR Therapy App (app.emease.com):

  • Does not use cookies
  • Does not use web beacons or pixel tags
  • Uses only secure local storage for user preferences
  • Firebase Analytics operates without cookies using app instance IDs

Types of Cookies We Use

Essential Cookies

These cookies are necessary for the Service to function properly. They enable core functionality such as security, network management, and account authentication. You cannot opt out of these cookies as the Service cannot function properly without them.

Functional Cookies

These cookies enhance the functionality of our Service by storing your preferences. They may be set by us or by third-party providers whose services we have added to our pages.

Analytics Cookies

These cookies collect information about how you use our Service, helping us understand which features are most popular and how users navigate through the site. This helps us improve our Service.

Performance Cookies

These cookies collect information about system performance and error detection to help us improve the quality and speed of our Service.

A/B Testing Cookies

We use cookies and local storage to conduct A/B testing and optimize our Service. This includes:

  • Storing which version of content you’ve been shown
  • Tracking your interactions with different versions
  • Ensuring you see the same version consistently across visits
  • Measuring conversion rates and user engagement by variant

A/B testing data helps us improve the effectiveness of our Service and user experience.

Specific Tracking Technologies Used

| Technology | Purpose | Data Collected | Duration |
|---|---|---|---|
| Google Analytics | Analyze usage patterns, A/B testing | Pages visited, time spent, user journey, test variants | Up to 26 months |
| Google Tag Manager | Manage tracking technologies | Event data, user interactions, conversion tracking | Session-based |
| Firebase Analytics | Mobile app performance and usage | App usage, feature interaction, crash data | Up to 14 months |
| Sentry.io | Error tracking and performance | Error reports, performance metrics, debugging data (scrubbed of PHI) | Up to 90 days |
| Intercom | Customer support functionality | Support session data, user identification for support context (no PHI) | Until conversation closed |
| Session cookies | Maintain user session | Session identifiers, authentication tokens | Until browser is closed |
| Authentication cookies | Keep users logged in | Login state, user preferences | Up to 30 days |
| A/B testing cookies | Consistent test experience | Test variant assignments, experiment data | Up to 30 days |
| Local storage data | Store user preferences | App settings, theme choices, offline data | Until manually cleared |

How We Use This Information

Information collected through cookies and tracking technologies is used to:

  • Remember your preferences and settings
  • Keep you logged in between sessions
  • Understand how you use our Service
  • Identify and resolve errors
  • Improve the performance of our Service
  • Develop new features based on user behavior
  • Ensure the security of our Service

Your Control Over Cookies

Browser Settings

Most web browsers allow you to control cookies through their settings preferences. You can typically:

  • Delete existing cookies
  • Block cookies from being set
  • Set your browser to notify you when a cookie is being set
  • Browse in “private” or “incognito” mode

Mobile Device Settings

On mobile devices, you can adjust your privacy settings to limit tracking:

  • iOS devices: Settings > Privacy > Tracking
  • Android devices: Settings > Privacy > Ads

When you first visit our website, you’ll see a cookie banner that allows you to:

  • Accept all cookies
  • Reject non-essential cookies
  • Customize your cookie preferences
  • Access more information about our cookie practices

You can change your preferences at any time by clicking on “Cookie Preferences” in the footer of our website.

Do Not Track Signals

Some browsers have a “Do Not Track” feature that signals to websites that you do not want to have your online activities tracked. Our system may not respond to Do Not Track signals, so your selection of the “Reject non-essential cookies” option from our cookie banner is the most effective way to prevent tracking by our website.

Third-Party Tracking

Some content or applications on our Service are served by third parties, including content providers and application providers. These third parties may use cookies or other tracking technologies to collect information about you when you use our Service. This includes:

  • Intercom: Uses cookies to maintain support chat sessions and provide personalized support experiences (limited to technical support data)
  • Google services: Analytics and optimization tracking as described above
  • Content delivery networks: For improved performance and security

We do not control these third parties’ tracking technologies or how they may be used. Third parties that may have access to health-related information are bound by Business Associate Agreements.

Cookies and HIPAA Compliance

Our use of cookies and tracking technologies is designed to be compatible with our HIPAA compliance obligations. We do not use cookies to collect Protected Health Information (PHI) unless necessary for providing our Service, and any PHI collected is handled in accordance with our HIPAA policies.

Privacy Features Quick Reference

Feature | Marketing Sites | EMDR App
Google Analytics
Firebase Analytics
Cookies
Cross-domain Tracking
User ID Hashing
PHI Filtering | N/A
User Can Disable
Data Export

We may update our use of cookies and tracking technologies from time to time. Any significant changes will be reflected in this Privacy Policy, and we may also notify you through the Service or via email.

12. Third-Party Integrations

RevenueCat Integration

We use RevenueCat to manage subscriptions across iOS, Android, and web platforms. RevenueCat processes:

  • Purchase transactions and subscription status
  • User identifiers for subscription management
  • Platform-specific payment information
  • Usage data for subscription analytics

Firebase Services

We use Firebase for mobile app functionality, including:

  • Analytics and user behavior tracking
  • Crash reporting and error detection
  • Performance monitoring
  • Push notifications (when enabled)

Error Tracking

Sentry.io helps us identify and resolve technical issues by collecting:

  • Error reports and stack traces (automatically scrubbed of sensitive information)
  • Performance monitoring data
  • User session information related to errors
  • Device and browser information for debugging

Error reports are automatically processed to remove any sensitive health information before transmission.

Customer Support Platform

We use Intercom to provide technical customer support. Important limitations:

  • No PHI Access: Intercom does not have access to your Protected Health Information
  • User Instructions: We explicitly instruct users not to share sensitive health information through support channels
  • Support Scope: Limited to technical issues, account management, and general product questions
  • Data Collected: Support conversation metadata, user identification for support context, and general inquiry topics

Support Best Practices: When contacting support through Intercom:

  • Focus on technical issues and account-related questions
  • Do not share details about your therapy sessions, health conditions, or personal therapeutic content
  • If you accidentally share sensitive information, inform our support team immediately so they can take appropriate privacy measures

Infrastructure Services

Vercel provides our web hosting and content delivery services. Vercel handles the technical delivery of our Service but does not have access to user application data beyond standard web server logs (IP addresses, page requests, etc.).

13. State-Specific Privacy Rights

California Privacy Rights

If you are a California resident, you have specific rights regarding your personal information under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

Your California Rights

As a California resident, you have the right to:

  1. Know what personal information we collect about you and how it is used and shared
  2. Delete personal information collected from you (with certain exceptions)
  3. Correct inaccurate personal information that we maintain about you
  4. Opt out of the sale or sharing of your personal information
  5. Limit the use and disclosure of your sensitive personal information
  6. Not be discriminated against for exercising your privacy rights

Categories of Information We Collect

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email address, IP address)
  • Customer records information (billing details)
  • Protected characteristics (only if voluntarily provided)
  • Commercial information (subscription details)
  • Internet activity information (browsing history, app usage)
  • Geolocation data (general location based on IP address)
  • Audio/electronic information (if you provide voice notes)
  • Professional information (if voluntarily provided)
  • Inferences drawn from other personal information
  • Sensitive personal information (health information related to EMDR therapy)
  • Error and diagnostic information (crash reports, performance data)
  • A/B testing and optimization data (test variants, conversion tracking)
  • Cross-platform synchronization data
  • Subscription and payment processing information
  • Customer support interaction metadata (excluding health information)

How to Exercise Your California Rights

To exercise your rights under California law:

  • Email: legal@emease.com
  • Form: Available in your account settings under “Privacy”
  • Toll-free number: 1-866-972-8502

We will respond to verifiable consumer requests within 45 days.

Authorized Agent

You may designate an authorized agent to submit requests on your behalf. We may require verification of your agent’s authorization and may still require you to verify your identity directly.

Shine the Light Law

California’s “Shine the Light” law permits users who are California residents to request a list of third parties to whom we disclosed personal information for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

Virginia Privacy Rights

If you are a Virginia resident, you have rights under the Virginia Consumer Data Protection Act (VCDPA).

Your Virginia Rights

As a Virginia resident, you have the right to:

  1. Access your personal data
  2. Correct inaccuracies in your personal data
  3. Delete personal data provided by or obtained about you
  4. Obtain a copy of your personal data in a portable format
  5. Opt out of processing for targeted advertising, sale of personal data, or profiling

How to Exercise Your Virginia Rights

To exercise your rights under Virginia law, contact us at legal@emease.com. We will respond to your request within 45 days.

Appeal Process

If we decline to take action on your request, you may appeal our decision by emailing legal@emease.com. We will review your appeal and respond within 60 days.

Colorado Privacy Rights

If you are a Colorado resident, you have rights under the Colorado Privacy Act (CPA).

Your Colorado Rights

As a Colorado resident, you have the right to:

  1. Access your personal data
  2. Correct inaccuracies in your personal data
  3. Delete your personal data
  4. Obtain a copy of your personal data in a portable format
  5. Opt out of processing for targeted advertising, sale of personal data, or profiling

How to Exercise Your Colorado Rights

To exercise your rights under Colorado law, contact us at legal@emease.com. We will respond to your request within 45 days.

Connecticut Privacy Rights

If you are a Connecticut resident, you have rights under the Connecticut Data Privacy Act (CTDPA).

Your Connecticut Rights

Similar to Colorado, Connecticut residents have rights to access, correct, delete, and obtain a copy of their personal data, as well as opt out of certain processing.

How to Exercise Your Connecticut Rights

Contact us at legal@emease.com to exercise your rights under Connecticut law.

Utah Privacy Rights

If you are a Utah resident, you have rights under the Utah Consumer Privacy Act (UCPA).

Your Utah Rights

Utah residents have the right to access, delete, and obtain a copy of their personal data, as well as opt out of the sale of personal data or processing for targeted advertising.

How to Exercise Your Utah Rights

Contact us at legal@emease.com to exercise your rights under Utah law.

Other States

As additional states enact comprehensive privacy legislation, we will update this section to reflect any new rights and how to exercise them. We are committed to respecting the privacy rights of all our users, regardless of their state of residence.

Verification Process

To protect your privacy and security, we may need to verify your identity before processing your request. We will use information you have previously provided to verify your identity and may request additional information if necessary.

14. Contact Information

How to Reach Us

We welcome your questions, comments, and requests regarding this Privacy Policy and our privacy practices. You can contact us through any of the following methods:

Primary Contact Information

Email: legal@emease.com
Postal Address:
Underdog Club LLC
2833 Smith Avenue, Suite 305
Baltimore, MD 21209
United States

Additional Contact Methods

Website Contact Form: Available at https://EmEase.com/contact
In-App Support: Access through the “Help” or “Support” section in the EmEase application

Privacy Officer

For specific privacy-related inquiries or concerns, you can contact our designated Privacy Officer:

Privacy Officer
Email: legal@emease.com
Phone: 1-866-972-8502

Our Privacy Officer is responsible for overseeing compliance with this Privacy Policy and applicable privacy laws.

For questions specifically related to HIPAA compliance or to report potential violations of health information privacy:

HIPAA Compliance Officer
Email: legal@emease.com

How to Submit Specific Requests

Data Subject Rights Requests

To exercise any of your rights described in Section 7 (User Rights), please email legal@emease.com with the subject line “Privacy Rights Request” and include:

  • Your full name
  • Email address associated with your EmEase account
  • The specific right you wish to exercise
  • Any additional information that might help us process your request

Breach Notifications

If you believe your personal information has been compromised, please contact us immediately at legal@emease.com.

Complaints

If you have a complaint about our privacy practices:

  1. Email legal@emease.com with details of your concern
  2. We will acknowledge receipt within 3 business days
  3. We aim to provide a substantive response within 30 days

Response Times

We strive to respond to all legitimate inquiries within the following timeframes:

  • General inquiries: 3-5 business days
  • Data rights requests: Within 30 days (with possible extension if necessary)
  • Urgent security concerns: Within 24 hours
  • Complaints: Initial acknowledgment within 3 business days; substantive response within 30 days

Escalation Process

If you are not satisfied with our response to your inquiry or request, you may:

  1. Ask for your concern to be escalated to senior management
  2. Contact your local data protection authority
  3. For US residents, file a complaint with the Federal Trade Commission (www.ftc.gov)
  4. For health information concerns, file a complaint with the Office for Civil Rights at the Department of Health and Human Services (www.hhs.gov/ocr)

Changes to Contact Information

If our contact information changes, we will update this Privacy Policy and may also notify you through the Service or via email for significant changes.

Accessibility

If you have a disability and need this Privacy Policy in an alternative format, please contact us at legal@emease.com, and we will provide you with the information in a format that meets your needs.

Business Hours

Our team is available to respond to privacy inquiries during the following hours:

Monday - Friday: 9:00 AM - 5:00 PM Eastern Time (excluding US federal holidays)

For urgent matters outside of business hours, please indicate “URGENT” in your email subject line.