SymbolStory Privacy Policy
Last updated: December 2023
SymbolStory Ltd. (“SymbolStory”, “we”, “us” or “our”) respects the privacy of its users (“User(s)”, “your”, “you”, “data subject” or “visitors”), and is committed to protecting your privacy and the personal information that you share with us in connection with the use of the SymbolStory web, mobile application and the platform (the “Platform”), or any other related website that links to this privacy policy (the “Website” or “Site”, and together with the Platform, the “Services”).
About This Privacy Policy
This privacy policy ("Privacy Policy") is designed to describe our data collection and processing practices and to give you information about how we treat your personal data when our website visitors access and engage with us through our website, available at: www.symbolstory.app. This Policy forms part of your agreement with us when you access our website or otherwise engage with any of the services, features, or forms that we may make available to you from time to time through the Site, our mobile application or other hosting websites, including your use of our Services through the Platform.
We have created this Privacy Policy to demonstrate our commitment to the right to privacy of the users of our Site and Services. Your use of the Site and Services requires submitting Personal Data (as defined below), but only if you voluntarily choose to provide us with such Personal Data. Our Site is available to relevant users, and certain functionalities may require registration and submission of certain Personal Data, as described in this Privacy Policy, such as when you request to use our platform Services. We will retain the Personal Data you provide us through the use of the Site and Services in accordance with this Privacy Policy.
This Privacy Policy was designed according to the main applicable privacy regulations and applicable Israeli privacy law. However, given the country of your residency, other rules may apply to your Personal Data (see “Applicable Privacy Laws” as defined below). If you are an EEA resident, please refer to our EEA Resident notice below. If you are a resident of the US, we advise you to refer to our COPPA and HIPAA notice below. If you are a resident of California, we advise you to refer to the CCPA Privacy notice below.
Please read the Privacy Policy carefully to ensure you understand it and agree with its terms before using the Site & Services. You have no legal requirement to provide us your Personal Data. We collect, process and retain your Personal Information only if you choose to access and engage with our Website and/or our Services and in accordance with this privacy policy. You can always avoid providing us certain Personal Data; however, you acknowledge that it may prevent us from providing you certain Services or prevent you from using our Site. If you do not agree with any of the terms provided in this Privacy Policy, and the choices we provide do not mitigate your concerns, please do not access or use our Services and avoid accessing and using our Website.
Preliminary Notes
Please read this policy and make sure you fully understand our practices in relation to your Personal Data before you access or use the Website and our Services. If you have read this Privacy Policy, and remain opposed to our practices, you must immediately leave this Website, and avoid or discontinue all use of the Services. If you have further questions or concerns regarding this policy, please do not hesitate to contact us at: contact@symbolstory.app.
Binding Agreement - This Privacy Policy and Cookies Policy constitute an integral part of our T & C available at: https://www.symbolstory.app/privacy-policy and, unless explicitly mentioned otherwise in another agreement with you, are part of our legal engagement.
Content - Our Site and Services do not contain inappropriate content. Nevertheless, we use appropriate technical and organizational measures to ensure the protection and retention of data subjects.
SymbolStory provides this Privacy Policy, as updated from time to time, to inform you of our policies and procedures regarding the collection, use and disclosure of Personal Information we receive when you use the Website and our Services.
This Privacy Policy was designed according to the Health Insurance Portability and Accountability Act of 1996, the Federal Health Insurance Portability & Accountability Act of 2013, HIPAA Omnibus Rule (all together “HIPAA”), the US Children's Online Privacy Protection Act of 1998 (COPPA), and applicable Israeli privacy law. However, given the country of your residency, other rules may apply to your Personal Data (see “Applicable Privacy Laws” as defined below). If you are a resident of California, we advise you to refer to the CCPA Privacy notice. If you are a resident of the EU or EEA, please refer to the EU General Data Protection Regulation (GDPR) notice below.
Changes and updates to this Privacy Policy - We reserve the right to modify or update this Privacy Policy to reflect changes in our Site services or data processing practices, or to conform to a regulatory requirement. Such changes will be effective immediately upon the display of the revised Privacy Policy. The last revision date will be reflected in the "Last Updated" heading. If we make material changes to this Privacy Policy, we will do our best to notify you by email or through a notice on our website.
Definitions:
- Applicable Privacy Laws means any applicable privacy or other law to the extent applicable to our operation, including the Israeli Privacy Law – 1981 and any regulations enacted thereunder including the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001 and Privacy Protection Regulations (Data Security), 5777-2017 and any applicable guidelines, standards and/or instructions published by the Israeli privacy authority in effect from time to time relating to data security and data privacy; and the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (CCPA) to the extent applicable; under USA jurisdiction – the Health Insurance Portability and Accountability Act of 1996, the Federal Health Insurance Portability & Accountability Act of 2013, HIPAA Omnibus Rule (all together “HIPAA”), and the Children's Online Privacy Protection Act of 1998 (COPPA); the General Data Protection Regulation (EU) 2016/679 (GDPR); European Union Member State laws, rules and guidelines implementing or supplementing the GDPR, as amended from time to time and to the extent applicable to our Company’s operation and our Services;
- Minor refers to an underage data subject (under 16 years or less, depending on the applicable legal jurisdiction), the processing of whose personal data is only lawful if parent or guardian consent has been obtained. (In some EU countries, the mandatory age is more stringent.) Under COPPA, a Minor is a child under the age of 13.
- Data Controller refers to the person, organization, public authority, agency, or other body who, either alone or with others, determines the purposes for which and the manner in which any Personal Data is to be processed, and defines the controls required for such processing.
- Data Processor refers to any person or organization (other than an employee of the Data Controller) who undertakes the processing of Personal Data on behalf of the Data Controller.
- Data Subject refers to an individual who is the subject of Personal Data.
- Data Subject Consent refers to the Data Subject’s approval or agreement for an activity to take place, having considered the benefits and risks of the activity. For consent to be valid, the data subject needs to be informed, have the capacity and knowledge to decide, and to have given their consent voluntarily. Specific requirements need to be met in connection with the consent which is given by Children, including validating parental consent and the age of the Child.
- Personal Data refers to information about a living individual, which means that they can be identified (a) from that data, or (b) from that data and any other information which is, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or could in the future, come into the possession of the data controller, and as provided in this Privacy Policy below.
- “Non-Personal Data” means information that does not personally identify you and does not reveal your specific identity as an individual, such as anonymized information.
- Processing refers to any operation which is performed upon or applied to personal data, whether undertaken manually or by automated means, including its acquisition, organization, storage, retrieval, consultation, amendment, availability, disclosure, erasure, or destruction.
- “Subprocessor” shall mean any entity appointed by us or by one of our sub-processors, to Process Personal Data on our behalf or on behalf of that sub-processor, excluding any employee of SymbolStory or of our sub-processor or of any such appointed person but including any contractor or affiliate of the foregoing.
- The terms "Controller", "Processor", “Sub-Processor”, "Data Subject", "Personal Data", "Processing" (and/or "Process"), “Personal Data Breach”, the “Union”, “Member State” and "Special Categories of Personal Data" shall have the meanings given in the EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA. The terms "Business Associate Agreement", "Covered Entity" and "Protected Health Information" shall have the meaning ascribed by HIPAA and shall be interpreted in accordance with relevant regulations issued by the U.S. Department of Health and Human Services. To the extent that CCPA applies, the term “Controller” shall also mean “Business”, and “Processor” shall also mean “Service Provider”. To the extent that HIPAA applies, the term “Controller” shall also mean “Covered Entity” and “Processor” shall also mean “Business Associate”.
This Policy was originally written in English. If you are reading a translation and it conflicts with the English language version, please note that the English language version prevails.
Data Controller and Data Processor
Under the Applicable Privacy Laws, SymbolStory is the Data Controller of our Users’ Personal Data collected through our Website. Concerning the Platform services we provide to our clients, we are the Data Processor, while the Data Controller is the entity using our platform to provide the Therapy treatment or Educational materials.
Our registered office is: Nahariya, Israel.
When Does This Privacy Policy Apply?
This Privacy Policy applies to Personal Data about you that we collect, use or otherwise process regarding your relationship with us as a Visitor of our Website or a user of our Services.
Minors
SymbolStory, as a policy, will not collect personal data directly from minors. If you are a minor according to the applicable legal jurisdiction, you cannot use our services and register to SymbolStory’s Platform without explicit parental approval.
The Types of Personal Data That We Collect
- Registering Account Information: In the event you wish to use and access the Services, you shall be required to create an Account by providing your email address, name, phone number and ID number, and determining your personal username (“Credentials”). Credentials and login information shall be defined as “User’s Login Information” and you will be designated with an account identifier to allow us to identify you. If you wish to use our Services, you need to register and create your SymbolStory account.
- Information from actions you take: We collect information about your use of and activities on our Services.
- Findings concerning the child's development in therapy, at home or other educational institutes (the “environment”): SymbolStory Services are designed to support the activities of the therapists (the “Customers”) providing treatment to the children who are the Data Subjects on the SymbolStory platform. For this purpose, the child's parent or therapist may insert data about the child's clinical condition and his clinical development. The data that can be inserted into the Platform may include documents, audio files, insights, records, etc. SymbolStory uses all technical and organizational measures to ensure the platform's security.
- Information provided by you through your personal contact request: While browsing our Website, if you wish us to reach out to you, you may contact us at: contact@symbolstory.app so we can provide more information regarding the use of Personal Data on our Website. If you wish to contact us, you will be asked to provide us with Personal Data so that we can contact you, including, for example: full name, email (“Contact Details”). You may choose to provide us additional Personal Data as part of your personal information request. Please do not provide more Personal Data than is required for us to contact you.
- Technical Information about your device: We might collect information about the device you are using to access the Services. This includes information like: technical information, including the Internet Protocol (IP) address used to connect your computer to the internet, domain name and country which requests information; information about your visit and usage, including the full Uniform Resource Locators (URL) clickstream to, through and from our Website (including date and time), time and length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, traffic data, location data, weblogs and other communication data and information provided when requesting further service or downloads, as well as location information, which may be determined through your IP address.
- Other information that we collect automatically: When you take certain actions on other Third Parties’ sites that refer to our Site, we may receive information about you. For example, if you click on an ad as part of our marketing campaigns, we may receive information about which ad you saw and on which platform. Similarly, we may also receive certain information when you click on a referral link, such as which website you came from.
Cookies
A cookie is a small text file that is placed in the browser or on the hard drive of your computer (or similar device) by websites that you visit. Cookies are typically used in order to make websites function, or function more efficiently, as well as to provide information to the operator of the particular website. Cookies make the Site and Services easier to use and improve their functionality. They are used to make the login process easier for our users.
Some of the Services, features and tools that are integrated in our Site and Services may use their own cookies to be able to properly function. To know more about our cookies and our 3rd party cookies, please refer to our Cookie policy. Please be aware that you may set your browser to refuse or block any cookies from us or our 3rd party partners. In this case, however, some of the Services may not properly function.
How We Use Personal Data (Purposes of Processing)?
Personal Data is used for the following primary purposes (as may be updated from time to time): to provide and operate the Website and Services; to monitor, study and analyze usage of the Website and Services and their functionalities; to provide, personalize and improve our Services (this information helps us surface features and promotions from our partners that may interest you and us); to provide on-going customer assistance and technical support and to maintain the Website and Services; to provide service announcements and notices, promotional messages and market our Services subject to applicable laws; to enforce our Terms of Use, policies and other contractual arrangements and prevent misuse of the Website and/or Services; to comply with court orders and warrants and to take any action in any legal dispute and proceeding; to better understand your needs, both on an aggregated or inferred basis and on an individualized basis, in order to further develop, customize and improve our Website and Services based on Visitors’, Users’ and Clients’ preferences, experiences and difficulties; to communicate with you and contact you to obtain feedback from you regarding the Services and Site; to disclose to third party vendors, service providers, contractors or agents who perform functions on our behalf with respect to the Website and Services; and as otherwise authorized by you.
The Legal Basis for Personal Data Use
SymbolStory only processes personal data on your use of our Website, relying on your consent and on your use of our Platform as part of your engagement with the Service Provider (e.g. Autism Therapy clinic).
The legal basis for the use of your Personal Data for providing our Services is based on our obligations as the Data Processor under the appropriate Business Associate Agreement (BAA) or Data Processing Agreements (DPA) with the relevant Data Controller, as applicable.
We will only process your Personal Data where we have a legal basis to do so. The legal basis will depend on the reason or reasons we collected and need to use your Personal Data.
Sharing Personal Data with Third Parties
- We do not sell, rent or lease your Personal Data. We may share your Personal Data with service providers and other third parties, to the extent necessary to fulfil our Services.
- Third-party service providers: Like many businesses, we sometimes use trusted third-party subcontractors and service providers to assist us in the operation of the Services and process the information on our behalf and under our instructions. Examples of such services include, but are not limited to databases for supporting product features, cloud service providers, analytics tools, email services, customer support services etc.
- Additionally, a merger, acquisition or any other structural change may require us to transfer your Personal Data to another entity, provided that the receiving entity will comply with this Policy.
- We may need to disclose Personal Data in response to lawful requests by public authorities or law enforcement officials, including meeting national security or law enforcement requirements. We cooperate with government and law enforcement officials to enforce and comply with the law.
Transfer of Data Outside of Your Territory
If you are a resident of the EEA, it is possible that your data will be transferred outside the EEA, to third parties who can assist us in our Services. We may process your Personal Data in any country in which we do business, currently mainly the member states of the EU, Israel (a country declared by the EU Commission as an adequate country) or the US. If we shall transfer the Personal Data of an EU resident outside of Israel or the EU, we shall comply with Applicable Laws in relation to such transfer and according to our commitment under the DPA with the Data Controller.
We are subject to the provisions of the GDPR that protect your Personal Data. We will ensure that certain safeguards are in place to provide a similar degree of security for your Personal Data. Each transfer of data outside the EEA, such as to Israel where our offices are based, will be subjected to the Commission Implementing Decision (EU) 2021/915 given on 4 June 2021 (hereinafter: "SCC" and/or "Standard Contractual Clauses").
In any case, our transfer, storage, and handling of your Personal Data will continue to be governed by this Privacy Policy and according to our commitment under the DPA with the Data Controller.
Data Security
We take the safeguarding of the Personal Data and non-Personal Data very seriously, and use a variety of industry standard systems, applications and procedures to protect the Data from loss, theft, damage or unauthorized use or access. However, although we make efforts to protect your privacy, we cannot guarantee that the Website or our Platform will be immune from any wrongdoings, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse.
We also regularly monitor our systems for possible vulnerabilities and attacks, and regularly seek new ways of further enhancing the security of our Website and Platform and the protection of our Visitors’ and our users’ privacy.
You should take steps to protect against unauthorized access to your device by, among other things, protecting your mobile phone/device by one of the security means enabled by the device, signing off after using a shared computer and keeping your log-in credentials private.
If you receive an e-mail asking you to update your information with respect to the Website, do not reply and please contact us at: contact@symbolstory.app.
Data Retention
We retain different types of information for different periods, depending on the purposes for processing the data. We may retain Personal Data for as long as necessary in order to support our legitimate business purposes and Services, for example, for storing data, for documentation, for cyber-security management purposes, legal proceedings and tax issues.
We may store aggregated or anonymized Non-Personal Data without a time limit. In any case, as long as you use the Website and Services, we will keep information about you as provided above in this Policy, unless we are legally required to delete it, or to the extent applicable under Applicable Law – if you exercise your rights to delete the information, subject to our legal requirements.
EEA Residents Notice
Depending on your country of residency, and on the type of your use of our Website (Visitor or a User) certain rights concerning your Personal Data may be available to you.
If you are located in the European Economic Area (“EEA”), you have certain rights with respect to your Personal Data, including:
· the right to be informed
· the right of access
· the right to rectification
· the right to erasure
· the right to restrict processing
· the right to object to processing
· the rights in relation to automated decision making and profiling.
Please contact us at: contact@symbolstory.app with your detailed request and sufficient information to allow us to verify you and your request, and we will process your verifiable request within the timeframe indicated in the applicable regulation. Please note, that when handling these requests, we may ask for additional information from you. We will make good-faith efforts to locate the data that you request to access.
When you ask us to exercise any of your rights under this Policy and the applicable law, we may need to ask you to provide us certain credentials to make sure that you are who you claim you are, to avoid phishing and/or disclosure to you of Personal Data related to others.
We may redact from the data which we will make available to you, any Personal Data related to others, if applicable.
Note to California’s Residents
We hereby inform Visitors and Users that are California residents (in this section “You”, “Your”), of the following rights (by virtue of the CCPA) with respect to the Processing of your Personal Data:
To learn more about the Personal Data we collect, including the specific Personal Data categories collected, sources of collection, our purposes for collection, and the categories of service providers with whom we share Personal Data, please see the headlines above.
We do not sell Personal Data for business or commercial purposes. We may disclose aggregated information to a third party for a business purpose, including our Affiliated Companies. When we do so, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
Consumer Rights
The CCPA grants California consumers specific rights in connection with the Personal Data collected by businesses, as described below:
- Right to Know: You have the right to know the categories and specific pieces of Personal Data we have collected about you in the previous 12 months.
- Right to Deletion: You have the right to request that we delete any Personal Data we have collected about you.
- Right to Request Information: You have the right to request information about our collection, sale, and disclosure of your Personal Data from the previous 12 months.
- Right to Opt-out of the Sale of Personal Data: You have the right to opt-out of the sale of Personal Data we have collected about you. As of the date of this Policy, we do not sell the Personal Data we have collected about you.
- Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA rights. We will not treat you differently for exercising any of the above rights.
Exercising Your Rights
To exercise any of the CCPA rights above, don't hesitate to contact us by emailing: contact@symbolstory.app. We will fulfill your request within 45 days of receiving your request. Some of these rights may be subject to limitations and qualifications, such as where fulfilling the request would conflict with federal, state, or local law, regulatory inquiries, subpoenas, or our ability to defend against legal claims. We will verify your request using your email address. If you've created an account with us, we will also verify your request using the information associated with your account, including billing information.
Note that we cannot respond to your request if we cannot verify your identity and confirm the Personal Data related to you. Making a verifiable consumer request does not require you to create an account with us. If you wish to use an authorized agent to submit a request to opt-out on your behalf, you must provide the authorized agent with written permission signed by you. We may deny a request from an authorized agent if the agent cannot provide to us your signed authorization demonstrating that they have been authorized to act on your behalf.
HIPAA Notice for US Residents
This notice describes how medical information about United States residents may be used and disclosed and how you can access this information.
SymbolStory Services, including its systems and mobile app, is fully HIPAA compliant, operating as a Business Associate to Covered Entities, such as Healthcare organizations, Speech Therapy Clinics, etc., under Business Associate agreements (BAA) as required by HIPAA.
We implemented all strict HIPAA Privacy and Security rules, and we communicate only with Covered Entities according to the specific BAA of each covered entity.
This Notice of Privacy Practices (“Notice”) describes how we may use and disclose your Protected Health Information (“PHI”) to carry out our Services, and for other specified purposes that are required by the Covered Entity in the BAA or permitted or required by law.
- Our responsibilities – SymbolStory and the members of its workforce are committed to protecting the privacy and confidentiality of your personal information and clinical information in its role as a Business Associate.
- SymbolStory operates only according to a clear and agreed Business Associate Agreement (“BAA”) with its customers (“Covered Entities”).
- SymbolStory is required by HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), to maintain the privacy and security of PHI and to act only according to BAA instructions.
- SymbolStory will not, under any circumstances, disclose PHI to a third party without explicit written instruction of a Covered Entity.
- Definition of protected health information: PHI is information about an individual, including demographic information, that relates to physical or mental health condition or health care provided to you by a Covered Entity. PHI can include medical history, laboratory results, insurance information, and other health information that is collected, generated, used, and communicated by our Customers.
- PHI rights - You have rights with respect to your PHI, as defined by HIPAA. To exercise any of these rights, please contact the Privacy Officer of the Covered Entity.
- Breach notification - SymbolStory is required by law to notify a Covered Entity following the discovery that there has been a breach of unsecured PHI.
- Compliance with laws - If more than one law applies to this notice, such as a more stringent state law, we will follow the more stringent law.
COPPA Notice for US Residents
We recognize the obligation to protect Personal Data obtained from young children. The Services are not geared toward Minors - children under the age of 13, and we do not knowingly collect any Personal Data from such children other than those stated in this section. If we collect any Personal Data as defined in COPPA from children under the age of 13, we will either (1) use measures to comply with the requirements of COPPA and gain prior verifiable parental consent or direct parental notification of the nature and intended use of such information, which shall include an opportunity for the parent to prevent use of the information and participation in the activity; or (2) take all reasonable steps to remove from our files and records such data following a written notice from a parent or a guardian informing us and requesting to do so. Otherwise, we will not allow any access to our Site and/or our Services that require registration of Personal Data. For more information about COPPA and children’s rights to online privacy, please visit the Children’s Privacy section of the Federal Trade Commission’s website at www.business.ftc.gov/privacy-and-security/childrens-privacy.
In addition, we advise that children over the age of 13 shall ask their parents for permission before providing any of their Personal Data to anyone over the Internet, and we suggest parents tell their children not to provide their Personal Data, without permission, when using the Internet.
Thus, the services will be given to those authorized by law only.
Changes in our Privacy Policy Regarding Minors Under the Age of 13
We may amend our Privacy Policy Regarding Minors under the Age of 13 at any time. We will apply material changes in our Privacy Policy Regarding Minors under the Age of 13 in conformance with applicable law, including any applicable provisions of COPPA that require parental consent.
Contact Us
For further information about this Policy, please contact us at: contact@symbolstory.app.
If you have any concerns relating to this Policy, please contact us and we will make good-faith efforts to address your concerns. We are usually able to resolve privacy questions or concerns promptly and effectively. If you are not satisfied with the response you receive from us, you may escalate concerns to the applicable privacy regulator in your jurisdiction. Upon request, we will provide you with the contact information for that regulator.