Privacy Policy

Last Updated

Privacy Policy

Pathpal Inc. Effective Date: May 11, 2026


1. Introduction

Pathpal Inc. ("Pathpal," "we," "our," or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Pathpal application and related services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use our Services.


2. Who We Are

Pathpal Inc. is a workplace grief and wellbeing support platform headquartered in Toronto, Ontario, Canada. We provide peer-led communities, AI-facilitated workshops, on-demand resources, and HR analytics tools to employers and their employees.

For privacy-related inquiries, please contact us at:

Pathpal Inc. Toronto, Ontario, Canada Email: support@mypathpal.com Website: mypathpal.app


3. Information We Collect

3.1 Information You Provide Directly

  • Account information: Name, email address, password, and profile details when you register

  • Profile information: Job title, employer, and optional biographical information

  • Session information: Responses to pre-session questions including what brings you to a session, how you are feeling, and what you hope to get from a session

  • Workshop and session content: Information you share during AI-facilitated or live workshops, including text, audio, and chat messages

  • Communications: Messages you send to us, feedback you provide, and support requests

  • Calendar and scheduling data: Session bookings, reminders, and calendar integrations you authorize

  • Payment information: Billing details processed securely through our payment processor (Stripe); we do not store full payment card details

3.2 Information Collected Automatically

  • Usage data: Pages visited, features used, session duration, clicks, and interactions within the app

  • Device information: Device type, operating system, browser type, IP address, and unique device identifiers

  • Log data: Access times, error logs, and technical diagnostics

  • Cookies and tracking technologies: Session cookies, analytics cookies, and similar technologies (see Section 9)

3.3 Information From Third Parties

  • Employer-provided data: If your employer provides Pathpal as a benefit, we may receive your name, email address, and employment information from your employer

  • Calendar integrations: If you connect Google Calendar or Outlook, we access only the data necessary to create and manage your session bookings

  • Authentication providers: If you use Google OAuth or similar services to sign in, we receive basic profile information from those providers

3.4 Sensitive Information

Given the nature of our Services, you may choose to share sensitive personal information including information relating to your mental health, emotional wellbeing, bereavement, and personal loss. We treat this information with the highest level of care and apply additional safeguards as described in this policy. You are never required to share sensitive information to use our Services.


4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Providing and Improving Our Services

  • Creating and managing your account

  • Facilitating AI-facilitated and live workshops

  • Personalizing your session experience based on your pre-session responses

  • Matching you with appropriate workshop content and facilitators

  • Processing bookings, reminders, and calendar events

  • Generating HR analytics and wellbeing insights for your employer (in aggregate and anonymized form only — see Section 6)

  • Improving our AI facilitator personas, workshop content, and platform features

4.2 Communications

  • Sending session reminders, booking confirmations, and follow-up emails

  • Notifying you of platform updates, new features, and relevant content

  • Responding to your support requests and feedback

  • Sending crisis support resources where appropriate

4.3 Safety and Crisis Support

  • Monitoring for distress signals during AI-facilitated sessions

  • Providing crisis resources and routing users to appropriate support

  • Ensuring the safety and wellbeing of our users

4.4 Legal and Compliance

  • Complying with applicable laws and regulations including PIPEDA, GDPR, and other applicable privacy legislation

  • Enforcing our Terms of Service

  • Protecting the rights, property, and safety of Pathpal, our users, and the public

  • Responding to lawful requests from regulatory or law enforcement authorities

4.5 Business Operations

  • Processing payments and managing billing

  • Conducting internal research and analytics to improve our Services

  • Maintaining the security and integrity of our platform


5. Legal Basis for Processing (GDPR)

In accordance with GDPR Article 6, we rely on the following lawful bases for processing your personal data:

Legal Basis

Processing Activities

Consent (Article 6(1)(a))

Processing sensitive personal information; optional communications; cookie consent

Contract (Article 6(1)(b))

Providing the Services you have signed up for; processing bookings and payments

Legitimate Interests (Article 6(1)(f))

Improving our Services; fraud prevention; platform security

Legal Obligation (Article 6(1)(c))

Compliance with applicable laws; responding to lawful requests

Vital Interests (Article 6(1)(d))

Crisis intervention and safety situations

Where we rely on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.


6. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

6.1 With Your Employer

If your employer has provided Pathpal as a benefit, we may share aggregated and anonymized wellbeing insights and analytics through our HR analytics dashboard. We never share individually identifiable session content, personal disclosures, or sensitive information with your employer without your explicit consent.

6.2 With Service Providers

We share information with trusted third-party service providers who assist us in operating our platform, subject to appropriate data processing agreements:

Provider

Purpose

Amazon Web Services (AWS)

Cloud hosting and infrastructure

Stripe

Payment processing

SendGrid

Transactional email delivery

LiveKit

Real-time audio/video infrastructure

Deepgram

Speech-to-text transcription

Anthropic (Claude API)

AI facilitator intelligence

ElevenLabs

Text-to-speech voice synthesis

Google / Microsoft

Calendar integrations (where authorized)

6.3 For Legal Reasons

We may disclose your information where required by law, court order, or governmental authority, or where we believe disclosure is necessary to protect the rights, property, or safety of Pathpal, our users, or others.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

6.5 With Your Consent

We may share your information for any other purpose with your explicit prior consent.

6.6 Internal Administrative Access

In limited circumstances authorised Pathpal administrators may access session content including transcripts and session summaries for the following purposes only:


  • Platform safety and crisis incident review

  • Quality assurance and facilitator improvement

  • Legal compliance and regulatory response

  • Technical support and error investigation

All staff with access to session content are subject to strict confidentiality obligations and data handling training. Access is logged, timestamped, and audited. Session content is never accessed for commercial purposes or shared with any third party including your employer.


7. Data Retention

We retain your personal information for as long as necessary to provide our Services and fulfill the purposes outlined in this policy, unless a longer retention period is required by law.

Data Type

Retention Period

Account information

Duration of account plus 2 years

Session content and pre-session responses

Duration of account plus 1 year

Payment records

7 years (legal/tax requirement)

Usage and analytics data

2 years

Crisis-related records

As required by applicable law

Employer HR analytics (aggregated)

Duration of employer contract plus 1 year

When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it by law or for legitimate business purposes.


8. Your Privacy Rights

8.1 Rights Under GDPR (EEA and UK Users)

In accordance with GDPR Articles 15–22, you have the following rights:

  • Right of access (Article 15): Request a copy of the personal data we hold about you

  • Right to rectification (Article 16): Request correction of inaccurate or incomplete data

  • Right to erasure (Article 17): Request deletion of your personal data where there is no compelling reason for its continued processing

  • Right to restrict processing (Article 18): Request that we limit how we use your data

  • Right to data portability (Article 20): Receive your data in a structured, machine-readable format

  • Right to object (Article 21): Object to processing based on legitimate interests

  • Rights related to automated decision-making (Article 22): Not be subject to solely automated decisions that significantly affect you

8.2 Rights Under PIPEDA (Canadian Users)

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

  • Access your personal information held by us

  • Challenge the accuracy and completeness of your information

  • Request correction of inaccurate information

  • Withdraw consent for the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions)

  • File a complaint with the Office of the Privacy Commissioner of Canada

8.3 How to Exercise Your Rights

To exercise any of your privacy rights, please contact us at: support@mypathpal.com

We will respond to all requests within 30 days. We may need to verify your identity before processing your request. There is no fee for making a request unless it is manifestly unfounded or excessive.


9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve our Services.

Cookie Type

Purpose

Duration

Essential cookies

Required for the platform to function

Session

Authentication cookies

Keeping you signed in

30 days

Analytics cookies

Understanding how users interact with our platform

2 years

Preference cookies

Remembering your settings and preferences

1 year

You can control cookies through your browser settings. Disabling essential cookies may affect the functionality of our Services. We do not use advertising or third-party tracking cookies.


10. Data Security

In accordance with GDPR Article 32, we implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption

  • Access controls: Role-based access controls limiting employee access to personal data on a need-to-know basis

  • Authentication: Multi-factor authentication for all internal systems

  • Security audits: Regular penetration testing and vulnerability assessments

  • Vendor assessments: Security reviews of all third-party service providers

  • Staff training: Regular privacy and security training for all employees

No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.


11. Data Breach Notification

In accordance with GDPR Article 33 and applicable Canadian privacy legislation, in the event of a data breach that poses a risk of harm to individuals, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required under GDPR)

  • Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms

  • Maintain an internal record of all data breaches regardless of whether notification is required

  • Take immediate steps to contain and remediate the breach


12. International Data Transfers

Pathpal is headquartered in Canada. Your information may be transferred to and processed in countries other than your country of residence, including the United States and the European Economic Area, where our service providers operate.

Where we transfer personal data outside of the EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission

  • Adequacy decisions where applicable

  • Other legally recognized transfer mechanisms


12.1 Canadian User Data and Cross-Border Processing

To deliver our AI-facilitated workshop sessions, your voice audio and session transcripts are processed in real time by third-party service providers based in the United States, including Anthropic, ElevenLabs, Deepgram, and LiveKit. This processing is transient — audio and transcripts are not retained by these providers beyond the duration of your session. All permanent session data is stored on servers located in Canada (AWS ca-central-1). These cross-border transfers are governed by Data Processing Agreements with each provider ensuring a comparable level of protection to Canadian privacy law. By using our AI-facilitated sessions you consent to this cross-border processing as described in this policy.


13. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a minor, please contact us at support@mypathpal.com.


14. Mental Health and Sensitive Data

We recognize that users of our Services may share deeply personal information related to grief, loss, and mental health. We are committed to:

  • Treating all mental health and wellbeing information with the highest level of sensitivity and care

  • Never sharing individual session content or personal disclosures with employers

  • Never using sensitive personal information for advertising or third-party marketing

  • Providing crisis resources and routing to appropriate professional support where necessary

  • Training all staff who may access sensitive information on appropriate handling practices


15. AI Facilitation and Automated Processing

Our platform uses artificial intelligence to facilitate workshops and provide support. In this context:

  • AI facilitator sessions are powered by the Claude API (Anthropic) and use speech-to-text (Deepgram) and text-to-speech (ElevenLabs) technologies

  • Pre-session responses you provide are used to personalize your AI facilitated experience

  • Session transcripts may be retained in accordance with our data retention policy

  • We do not make significant automated decisions about you based solely on AI processing without human oversight

  • You may request a human-facilitated session at any time by selecting a Live Workshop


16. Third-Party Links and Services

Our platform may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through our platform.


17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy

  • Notify you by email or in-app notification

  • Where required by law, obtain your consent to the updated policy

Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated policy.


18. Record of Processing Activities

In accordance with GDPR Article 30, Pathpal maintains an internal record of all processing activities carried out under our responsibility. This record includes the purposes of processing, categories of data subjects and personal data, recipients of personal data, and retention periods. This record is available to supervisory authorities upon request.


19. Contact Us and Supervisory Authority

For any privacy-related questions, requests, or concerns, please contact our Privacy team:

Email: support@mypathpal.com Website: mypathpal.app Mail: Pathpal Inc., Toronto, Ontario, Canada

If you are located in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

If you are located in Canada and wish to file a complaint, you may contact the Office of the Privacy Commissioner of Canada at: https://www.priv.gc.ca

This Privacy Policy was prepared for Pathpal Inc. and reflects our commitment to transparent, lawful, and responsible data practices. This document is intended as a working draft and should be reviewed by qualified legal counsel before publication.

© 2026 Pathpal Inc. All rights reserved.