Greenspace Mental Health Ltd. (“Greenspace”, “we” or “our”) provides a digital platform that facilitates: (i) the measurement of patient progress and outcomes; (ii) the display of measurement information to patients and their health care provider(s); and (iii) other functions, tools and resources for the purpose of supporting the delivery of mental health care services (collectively, the “Services”). We know that the users of our Services are entrusting us with personal and sensitive information and the privacy of our users is extremely important to us. We are committed to protecting privacy and safeguarding personal information.

Table of Contents

1. Plain Language Summary of Our Privacy Practices
2. Scope of this Privacy Policy
3. Who Has Access to Our Services
4. Definitions
5. How We Collect and Use Your Personal Information
6. How We Use Cookies and Other Similar Tracking Technologies
7. How We Use Third Party Analytics Tool
8. How We Use Anonymized Information
9. How We Use De-Identified Information
10. How We Use Artificial Intelligence and Machine Learning
11. How We Share or Disclose Your Personal Information
12. How We Safeguard and Retain Your Personal Information
13. Where We Store and Process Your Personal Information
14. Your Privacy Rights
15. Third Party Links
16. Changes to this Privacy Policy
17. Contact Us

1. Plain Language Summary of Our Privacy Practices

While this summary is not exhaustive, here are some of the key provisions in this Privacy Policy that you should be aware of:

1. We are a service provider to our Customer: In providing our Services, Greenspace acts as a service provider or business associate to healthcare organizations or individual therapists, who are our Customers (as defined below under section 3 (Who Has Access to Our Services) of this Privacy Policy). This means that as a matter of law, Greenspace collects, uses or discloses personal information in accordance with our agreement with our Customer. This Privacy Policy is intended to provide you with information about those practices.
2. You must be an Authorized User of our Customer: In order to use the Services, you must be an Authorized User (Administrator, Treatment Provider or Patient, each defined below under section 3 (Who Has Access to Our Services) of this Privacy Policy) of our Customer.
3. We only collect and use what is needed: We only collect and use personal information that is required to provide our Services on behalf of our Customer. This personal information is provided: (i) directly by you; (ii) indirectly by your Treatment Provider or an Administrator; or (iii) indirectly by your parent, legal guardian or substitute decision-maker if you are a minor Patient.
4. We do not trade, rent or sell personal information: Under no circumstances will Greenspace trade, rent or sell your personal information.
5. We do not disclose your personal information, except as described in this Privacy Policy: We do not disclose or otherwise transfer your personal information without your consent, except as otherwise set out in this Privacy Policy.
6. We safeguard your information: We have implemented reasonable administrative, technical and physical measures to safeguard your personal information that are appropriate to the sensitivity of the information. All protected health information is stored in the United States.
7. Contact us: You can contact us at any time to exercise your privacy rights, as described below under section 16 (Your Privacy Rights) of this Privacy Policy. Since we are processing your personal information in our capacity as a service provider, certain requests will be forwarded to our Customer for response.

Please read this Privacy Policy carefully. If you have any questions or concerns regarding this Privacy Policy, please contact us at privacy@greenspacehealth.com.

2. Scope of this Privacy Policy

This Privacy Policy describes how we collect, use and disclose your personal information, (which, when used in this Privacy Policy includes your protected health information) when you use our Services in your capacity as an Authorized User (as defined below under section 3 (Who Has Access to Our Services) of this Privacy Policy). It applies whether such information is collected electronically at https://app.greenspacehealth.com or any website or other platform on which this Privacy Policy appears (the “Platform”), in person, over the telephone, in writing, via email messages or text messages. We may provide additional “just-in-time” disclosures or additional information about our data collection, use and disclosure practices. These notices may supplement or clarify our Privacy Policy or may provide you with additional choices about how we will process your personal information. This Privacy Policy does not apply to information which we may receive from you through your access and/or use of the general Greenspace website at https://greenspacehealth.com/ (the “Website”). If you are visiting the Website, please refer to the Website Privacy Policy to learn more about Greenspace’s privacy practices in relation to the Website.

Please note that privacy legislation and/or an individual’s right to privacy are different from one jurisdiction to another. While the Platform can be accessed from different countries around the world, the Platform and our Services are only intended for users in the United States. As such, this Privacy Policy is designed in accordance with applicable privacy laws in the United States. Please note that unless stated otherwise, any reference to personal information in this Privacy Policy includes protected health information.

3. Who Has Access to Our Services

In providing our Services, we act as a service provider or business associate to our customers, such as healthcare clinics or individual therapists (“Customers”), who may be classified as covered entities under applicable privacy statutes.

As a service provider, we supply our Services for the purpose of enabling our Customers to use our platform to collect, use, disclose, modify, retain, dispose or otherwise process personal information. Our collection, use, disclosure and other processing of your personal information is subject to our agreement with our Customer, which is described in this Privacy Policy.

You are entitled to use our Services if you fall within one of the following categories of authorized users of our Customer:

• supervisors, managers or administrators of the Customer that do not provide direct clinical treatment for Patients (each, an “Administrator”);
• treatment providers, therapists or clinicians of the Customer, including, but not limited to, psychiatrists, psychologists, social workers, occupational therapists, and psychotherapists (each a “Treatment Provider”); and
• individuals with whom the Customer or its Treatment Provider(s) have a clinical health care relationship for whom a file has been created on the Platform, whether such file has been opened by: (i) that individual; (ii) the Treatment Provider or Administrator for that individual; or (iii) a parent, legal guardian or substitute decision maker of that individual for that individual or themselves) (each, a “Patient” and collectively, with Administrators and Treatment Providers, the “Authorized Users”).

Patients receiving services from a Treatment Provider will receive a Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Notice of Privacy Practices (“NPP”) from their Treatment Provider or Administrator, with additional information regarding their Treatment Provider or Administrator’s access, use and disclosure of their personal information.

4. Definitions

For the purpose of this Privacy Policy:

• “Personal information” means any information that could reasonably be used on its own, or in combination with other information, to identify an individual or as otherwise defined under applicable privacy statutes. Personal information includes protected health information.
• “Protected health information” means personal information that is collected by your therapist or clinic and relates to your past, present, or future physical or mental health or condition; the provision of health care; or your past, present, or future payment for the provision of health care.
• “De-Identified Information” is information that has been de-identified to remove all direct personal identifiers but retaining some indirect identifiers such as a unique system-generated profile identification.
• “Anonymized Information” is information that has been aggregated and anonymized to permanently remove all direct and indirect personal identifiers in accordance with applicable law, our internal policies and industry best practices in a manner that no longer allows a person to reasonably be identified, directly or indirectly.

5. How We Collect and Use Your Personal Information

We only collect personal information that is necessary to operate our Platform and Services. Below is a summary of the ways we collect and use your personal information:

• Registering for Our Services:
  • Patients can obtain access and use our Services in a number of ways once a file is created by the Patient or for the Patient by an Administrator or Treatment Provider (whether directly on the Platform, through an integration or the browser extension): (i) offline, where your participation is directly facilitated by the Treatment Provider or Administrator; (ii) by invitation, sent to you via an email and/or text message with a request to complete personalized assessments; (iii) by creating a Patient user account, to allow you to complete personalized assessments and view assessment results (a “Patient Account”); or (iv) via a participant account created by a parent, legal guardian or substitute decision-maker if you are a minor.
  • The information required to create a Patient Account includes: first and last name, email address, phone number and password, as well as additional personal information set by our Customer.
• Delivering Assessments: In order to remotely deliver assessments to Patients:
  • For Patients with a Patient Account, we use the Patient's name, email address and/or telephone number, as set by the Patient to send a link to the personalized assessment(s).
  • For Patients without a Patient Account, we use the Patient's name, email address and/or telephone number, as set by their Treatment Provider or Administrator, to send a link to the personalized assessment(s).
• Completing Personalized Assessments: We collect personal information from Patients such as responses to assessment questions and quantitative assessment scores when Patients respond to a personalized assessment delivered by the Platform. We use this information to provide Patients, their Treatment Provider(s) and any appropriately permissioned Administrators, with a presentation of assessment results and progress.
• Assessing Results of Personalized Assessments: We use personal information collected from Patients’ responses to personalized assessments to enable Treatment Providers and Administrators to evaluate results and analyze Patients’ progress. This information is provided to the Patient’s Treatment Provider(s) and any appropriately permissioned Administrators to enhance their delivery of health services to their Patients, inform their care decisions and provide metrics about their practice in accordance with the Customer agreement.
• Improving Our Platform and Services: We use De-Identified Information for internal purposes only to improve our Platform and Services, for example to analyze the usage of our Platform and Services to help inform our product and/or user experience decisions, and train data for machine learning development. We only use data for artificial intelligence and machine learning with permission as further described in section 11 (How We Use Artificial Intelligence and Machine Learning) below.
• Providing Technical Support: We may use the personal information of an Authorized User in order to provide them the necessary technical support when using our Services.
• Interacting With You: When any Authorized User contacts us with a comment, question or complaint, you may be asked for personal information that identifies you such as your name, address, email address and a telephone number along with any additional information we may need to promptly answer your question or respond to your comment or complaint. We use this personal information to respond to your inquiry and improve our Services’ offerings.
• Information Received as a Business Associate: Some Treatment Providers, (such as psychiatrists, psychologists, clinical social workers, registered psychotherapists, professional counselors and marriage and family therapists) may be subject to laws and regulations governing the use and disclosure of the health information they create or receive, including the HIPAA and the regulations adopted thereunder. Greenspace will only use or disclose such information as permitted by the controlling business associate agreement or as otherwise permitted by law. Greenspace limits access to protected health information in accordance with HIPAA. Greenspace’s workforce members are trained on the privacy and security requirements applicable to protected health information, and Greenspace’s “business associates” are required, pursuant to the terms of their agreements with us, to implement required safeguards.
• Sharing our Newsletter and Other Updates: If you are an Administrator or Treatment Provider, we may use your name and email address, in accordance with applicable law, to provide you with copies of our newsletter or other updates about our products and Services that we believe may be of interest to you. You can unsubscribe at any time by clicking on the unsubscribe link included in every email or by contacting us as set out below at section 17 (Contact Us) of this Privacy Policy. We do not send newsletters or Services updates to Patients.

6. How We Use Cookies and Other Similar Tracking Technologies

Greenspace uses cookies, log files, web beacons and similar tracking technologies to remember user preferences and collect information about visitors to the Platform. Some cookies are required for the operation of the Platform and are not optional.

Cookies are small text files that our Platform can send to your browser, which may then be stored on your hard drive so we can recognize you when you return. We use cookies on the pages on our Platform where you are prompted to log in or that are customizable. If you have registered with our Platform, these cookies (i) may let us know who you are in order to authenticate and confirm your authorization to use the Platform and our Services, (ii) may be necessary to access your account information (stored on our servers) in order to deliver products and personalized services, and (iii) will provide us and our service providers with information that we will use to personalize our Platform and Services in accordance with your preferences.

You may set your Web browser to notify you when you receive a cookie or to not accept certain cookies. However, if you decide not to accept cookies from our Platform, you may not be able to take advantage of all of the features of our Platform.

Log files are records of all visits to the Platform, which are automatically generated. These files make a record of each visit to the Platform and log a number of details, that may include: the user’s operating system; IP address; the date, time and duration of the visit; the pages and documents accessed; and the previous site accessed by the user (such as, the search engine that referred the user to the Platform).

We may also use pixel tags, web beacons, clear GIFs or similar technologies in connection with some of our Platform pages and HTML-formatted email messages to track the actions of users and email recipients, measure the success of our marketing campaigns, and compile statistics about Platform usage and email response rates. These technologies usually work in conjunction with cookies.

7. How We Use Third Party Analytics Tools

Greenspace uses Mixpanel as an analytics tool (“Mixpanel”) to provide statistics about visitors to the Platform. For more information about Mixpanel, please follow the provided hyperlink. Mixpanel uses cookies and other identifiers to collect certain information such as user device or browser type, and user activity on our Platform such as click rates and bounce rates to measure and report statistics about user interactions on the Platform. Mixpanel is used for analysis, to create reports and to identify Platform trends.

Please refer to section 11 (How We Share or Disclose Your Personal Information) of this Privacy Policy for more detail on our analytics service provider (Mixpanel).

8. How We Use Anonymized Information

We fully anonymize and aggregate data based on responses to assessments, feedback on our Services, and the frequency and way users use our Services (a) to publish fully anonymized and aggregated data, metrics or insights regarding our Services on our Platform and through various communication channels; and (b) to share fully anonymized and aggregated data, metrics or insights with current and prospective Customers, to better understand assessment outcomes and benchmark our Services. The data we may publish or share using Anonymized Information includes high level aggregated statistics such as the number and types of assessments completed on our Platform, or the number of Patients that have used our Platform.

None of this Anonymized Information, directly or indirectly, identifies or can be linked back to any Patients or other Authorized Users or Customers.

9. How We Use De-Identified Information

In accordance with our Customer agreement, we may use automated systems to analyze De-Identified Information of Authorized Users collected via user input, cookies, analytics tools and other technologies (as described above) in order to: (i) improve the Platform and Services; (ii) personalize Authorized User’s experience; (iii) automate certain aspects of the Platform; and (vi) protect the safety and security of the Platform. Notwithstanding the foregoing, De-Identified Information may also be used in accordance with section 10 (How We Use Artificial Intelligence and Machine Learning) of this Privacy Policy.

10. How We Use Data for Artificial Intelligence and Machine Learning

In accordance with our Customer agreement (and provided such Authorized Users have not opted out of such features), we may use automated systems to analyze De-Identified Information of Authorized Users collected via user input, cookies, analytics tools and other technologies (as described above) in order to: (i) use such data for machine learning training; and (ii) provide Authorized Users with certain artificial intelligence and machine learning features, such as predictive analytics.

11. How We Share or Disclose Your Personal Information

Under no circumstances will Greenspace trade, rent or sell your personal information. We will not disclose your personal information, without your consent, except as otherwise set out in this Privacy Policy.

• Authorized Service Providers: In order to provide our Services, we have arrangements with certain necessary service providers that are subject to contractual agreements that include appropriate privacy standards in accordance with applicable privacy laws. We may transfer (or otherwise make available) your personal information to such affiliates and other third party service providers for the purpose of enabling such parties to provide certain services on our behalf that are directly related to the provision of our Services to you. To the extent that any personal information is provided to our affiliates and service providers, we require that they be bound by legally enforceable written obligations consistent with this Privacy Policy and that they are given only the information they need and solely for the purpose of performing their designated functions. Our affiliates and service providers are not authorized to use or disclose personal information for their own marketing or other purposes. Our authorized affiliates and service providers with whom we share personal information fall into the following categories:
  • service providers that authorize and process payments on our behalf;
  • service providers that host our Platform, enable certain of its features, deliver assessments, and manage and analyze data;
  • service providers that send email and other communications;
  • service providers that are used to monitor our systems for reliability, security or compliance; and
  • service providers that are used to enable integration with other systems used by our Customers, including clinical systems, administrative systems and identity providers.
• Analytics Service Provider (Mixpanel). We do not share personal information with Mixpanel except for IP addresses, which are sometimes required for the operation of the Mixpanel analytics service. Mixpanel either does not store or anonymizes IP addresses, and does not use them for any purpose besides providing its analytics service. Personal health information is not shared with Mixpanel at any time.
• Business Transactions: Personal information (but not protected health information) may be disclosed in connection with a prospective or completed business transaction, as permitted in accordance with applicable privacy laws. In such cases, your personal information may only be used or disclosed by the recipient in order to assess and complete the transaction. After the transaction is closed, your personal information may only be used or disclosed by the recipient in accordance with this Privacy Policy, any existing agreements with the Customer, or as otherwise permitted by applicable privacy laws, unless subsequent consent is obtained from you for an additional purpose.
• Legal, Compliance and Loss Prevention: Greenspace, our affiliates and our service providers may be required to provide your personal information in response to a lawful request such as: (i) a court order, search warrant or subpoena; (ii) for the purposes of investigating a breach of an agreement, contravention of law, or actual or suspected harm to persons or loss of property; or (iv) as otherwise required or permitted by applicable law. Under no circumstances, will Greenspace disclose your personal information (including any protected health information) unless such disclosure is permitted or required by applicable laws.

12. How We Safeguard and Retain Your Personal Information

We have implemented reasonable physical, organizational and technological measures appropriate to the sensitivity of the personal information in an effort to safeguard the personal information in our custody and control or that we process on behalf of our Customers to protect against theft, loss and unauthorized access, use, modification and disclosure. Such measures, which may necessarily evolve over time as the availability and effectiveness of methods vary, include the following:

• restricting access to personal information to employees, contractors and third-party service providers who require access to fulfill their job or services, are bound by confidentiality and/or non-disclosure requirements and who are required to abide by this Privacy Policy and Greenspace’s privacy and security policies;
• restricting access to our systems, accounts and electronic databases or other electronic formats that may contain personal information through password protection and internal security policies; and
• implementing technical security measures such as firewall technology, anti-malware screening and data encryption technology.

While Greenspace employs advanced data encryption technology when interfacing with our users, third party service providers and other partners, you should be aware that there is a residual risk in transmitting any data electronically. Despite our efforts, no security measure is perfect or impenetrable and no method of data transmission can be guaranteed against any interception or other type of misuse. This risk is inherent in all Internet dealings.

You should exercise discretion when providing any personal information via email or text messages as such communications may not be encrypted. In particular, you should not include any protected health information or other sensitive information in your email or text messages sent to us.

If you suspect your personal information has been improperly accessed, used, or disclosed, please contact us immediately as set out under section 17 (Contact Us) of this Privacy Policy.

We have personal information retention processes designed to retain personal information for no longer than necessary for the purposes stated above, as provided in our Customer agreements, or to otherwise meet legal requirements. We securely dispose of or anonymize personal information of Authorized Users once it has served such purposes, in accordance with applicable law and our agreement with the Customer.

13. Where We Store and Process Your Personal Information

All protected health information is stored in the United States.

Other types of personal information may be stored or processed by Greenspace or our authorized service providers in a foreign jurisdiction outside of the United States. When this occurs, your personal information may be subject to the laws of such jurisdiction and accessible without notice to you by the courts, law enforcement and national security authorities of that jurisdiction. You can obtain more information about our policies and practices with respect to the use of third-party service providers outside of the United States by contacting us as described below, under section 17 (Contact Us) of this Privacy Policy.

14. Your Privacy Rights

Under privacy laws, you have the right to access, update and correct inaccuracies in your personal information, subject to certain exceptions. Since Greenspace is acting as a service provider to clinics or healthcare professionals, we will forward requests for the exercise of user rights under privacy laws to our Customer, who will respond to you.

15. Third Party Links

The Platform may contain links to third party platforms. While we try to link only to platforms that share our high standards and respect for privacy, please understand that we are not responsible for the content of, or the privacy practices employed by, other platforms and this Privacy Policy does not apply to those platforms. We encourage you to review the privacy policies of each platform you visit.

16. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time as our business evolves, in response to legal developments, as new technologies become available, or as we introduce new features, products or services.

When we make changes to this Privacy Policy we will revise the “Last Update” date at the bottom of this page. You should check back here periodically to find out if any changes have been made to this Privacy Policy. If we make substantial changes we will, as appropriate, prominently post these changes to our Platform and/or notify registered users of our Services.

17. Contact Us

Please contact our Privacy Officer at privacy@greenspacehealth.com if:

• you have any questions or comments about this Privacy Policy;
• you wish to access, update or correct inaccuracies in your personal information;
• you wish to withdraw your consent to our collection, use or disclosure of your personal information as described in this Privacy Policy; or
• you otherwise have a question or complaint about the manner in which we or our service providers treat your personal information.

Since email communications are not always secure, please do not include protected health information or other confidential or sensitive information in your emails to us.

Last Update: July 22, 2025