Regulatory Compliance
Our commitment to meeting regulatory standards and protecting your rights
Last updated: 1/15/2026
Our Compliance Commitment
At ZoePaths, we are committed to operating in compliance with applicable laws and regulations governing data protection, privacy, and healthcare information. We believe in transparency about our compliance status and are continuously working to meet and exceed regulatory requirements.
This page outlines our current compliance posture, the frameworks we follow, and our ongoing efforts to maintain the highest standards of data protection and user rights.
Important: HIPAA Status
ZoePaths is NOT a HIPAA-covered entity. We are a personal wellness journaling platform, not a healthcare provider, health plan, or healthcare clearinghouse.
- We do not provide medical treatment, diagnosis, or therapy
- We are not a substitute for professional mental health care
- Because ZoePaths is not a HIPAA covered entity, your journal entries are personal reflections, not protected health information (PHI) under HIPAA
- Clinicians using our platform should consult their own compliance requirements
What This Means: While we implement strong security and privacy practices, we do not offer HIPAA-compliant data storage. If you are a healthcare provider or require HIPAA compliance, please consult with your compliance team before using our platform for clinical purposes.
GDPR Compliance (General Data Protection Regulation)
For users in the European Union, we comply with the General Data Protection Regulation (GDPR) by providing the following rights and protections:
Your GDPR Rights
- Right to Access: You can request a copy of all personal data we hold about you
- Right to Rectification: You can update or correct your personal information
- Right to Erasure: You can request deletion of your account and all associated data
- Right to Data Portability: You can export your journal data in a machine-readable format
- Right to Object: You can object to certain types of data processing
- Right to Restriction: You can request limitation of how we process your data
- Right to Withdraw Consent: You can withdraw consent for data processing at any time
Our GDPR Practices
- Clear and transparent privacy policies
- Lawful basis for all data processing activities
- Data minimization - we only collect necessary information
- User control over personal data
- Prompt response to data subject requests: without undue delay and within one month of receipt, the deadline GDPR sets (extendable by up to two further months for complex or numerous requests, with notice to you)
- Security measures to protect personal data
Data Controller: ZoePaths acts as the data controller for personal information collected through our platform. For GDPR-related inquiries, contact: gdpr@zoepaths.com
CCPA Compliance (California Consumer Privacy Act)
For California residents, we comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) by providing:
Your CCPA Rights
- Right to Know: What personal information we collect and how we use it
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (we do neither)
- Right to Non-Discrimination: Equal service regardless of exercising privacy rights
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit: Limit use and disclosure of sensitive personal information
Our Data Practices
- We do not sell personal information to third parties
- We do not share personal information for cross-context behavioral advertising
- We respond to verifiable consumer requests within 45 days (extendable once by a further 45 days where reasonably necessary, with notice to you)
- We maintain records of data processing activities
Accessibility Compliance (WCAG & ADA)
We are committed to making ZoePaths accessible to all users, including those with disabilities. We currently meet Web Content Accessibility Guidelines (WCAG) 2.1 Level A and are working toward full Level AA conformance (see the Compliance Roadmap below).
Our Accessibility Efforts
- Keyboard Navigation: Full keyboard accessibility throughout the platform
- Screen Reader Support: Semantic HTML and ARIA labels for assistive technologies
- Color Contrast: Sufficient contrast ratios for text readability
- Responsive Design: Mobile-friendly interface that adapts to different devices
- Clear Language: Simple, clear language and instructions
- Error Identification: Clear error messages and validation feedback
Accessibility Feedback: If you encounter accessibility barriers or have suggestions for improvement, please contact us at accessibility@zoepaths.com. We take all accessibility concerns seriously and will work to address them promptly.
International Data Protection
We respect international data protection laws and implement appropriate safeguards for cross-border data transfers.
Data Transfer Mechanisms
- We use encrypted transfer protocols for all international data flows
- We implement standard contractual clauses (SCCs) where appropriate
- We ensure adequate data protection measures in all jurisdictions
- We maintain transparency about where data is stored and processed
Regional Considerations
- EU Users: GDPR protections apply
- UK Users: UK GDPR and Data Protection Act 2018 compliance
- California Residents: CCPA/CPRA protections apply
- Canadian Users: PIPEDA compliance considerations
- Other Jurisdictions: Local privacy laws respected where applicable
Children's Privacy (COPPA)
Age Requirement: ZoePaths is intended for users who are 18 years of age or older. We do not knowingly collect personal information from children under 13 (or 16 in certain jurisdictions).
COPPA Compliance
- We do not direct our services to children under 13
- We do not knowingly collect information from children
- If we discover we have collected data from a child, we will delete it promptly
- Parents can contact us to request deletion of their child's data
Parental Notice: If you believe your child has created an account or provided personal information to ZoePaths, please contact us immediately at privacy@zoepaths.com so we can delete the information.
Data Breach Notification
In the event of a data breach that affects your personal information, we will:
Our Breach Response Commitment
- Rapid Detection: Continuous monitoring for security incidents
- Immediate Investigation: Prompt assessment of the breach scope and impact
- User Notification: Notify affected users without undue delay, and in any case within 72 hours of discovery, when the breach is likely to result in a high risk to their rights and freedoms (GDPR requires user notification "without undue delay"; its 72-hour deadline applies to reporting to the supervisory authority, which we also meet)
- Regulatory Reporting: Report breaches to the relevant supervisory authority within 72 hours of becoming aware of them, as GDPR requires, and to other authorities as applicable law requires
- Remediation: Take immediate steps to contain and remedy the breach
- Transparency: Provide clear information about what happened and what we're doing
- Support: Offer assistance and guidance to affected users
What We'll Tell You
- Nature of the personal data affected
- Likely consequences of the breach
- Measures taken to address the breach
- Steps you can take to protect yourself
- Contact information for questions
Compliance Roadmap
We are continuously working to enhance our compliance posture. Our ongoing compliance initiatives include:
Current Status
- GDPR compliance framework implemented
- CCPA/CPRA compliance measures in place
- Basic accessibility standards (WCAG 2.1 Level A)
- Data protection impact assessments conducted
- Privacy by design principles followed
Planned Certifications & Improvements
- SOC 2 Type II attestation report (in progress)
- ISO 27001 information security certification
- WCAG 2.1 Level AA full conformance
- Enhanced data encryption and security controls
- Third-party security audits and penetration testing
Timeline: We aim to complete these certifications, attestations and improvements over the next 12-18 months as we continue to grow and mature our compliance program.
Third-Party Service Providers
We work with carefully selected third-party service providers who assist in operating our platform. All third parties are required to meet our security and privacy standards.
Vendor Management
- All vendors undergo security and privacy assessments
- Data processing agreements (DPAs) are in place with all vendors
- Regular vendor compliance reviews and audits
- Contractual obligations for data protection and security
- Incident response requirements for all vendors
Categories of Service Providers
- Infrastructure Providers: Cloud hosting and database services
- Authentication Services: Identity and access management
- Analytics Services: Usage analytics and platform monitoring
- Communication Services: Email delivery and notifications
Ongoing Compliance Monitoring
Compliance is not a one-time achievement but an ongoing commitment. We maintain compliance through:
Regular Assessments
- Quarterly privacy and security reviews
- Annual compliance audits
- Regular policy and procedure updates
- Continuous monitoring of regulatory changes
- Employee training on compliance requirements
Documentation & Records
- Records of processing activities (ROPA)
- Data protection impact assessments (DPIAs)
- Incident response logs and breach records
- User consent and preference records
- Vendor agreements and DPAs
Compliance Contact Information
For compliance-related inquiries, requests, or concerns, please contact our compliance team:
Data Protection Officer
Email: dpo@zoepaths.com
GDPR Inquiries
Email: gdpr@zoepaths.com
CCPA Requests
Email: ccpa@zoepaths.com
Accessibility
Email: accessibility@zoepaths.com
Mailing Address:
ZoePaths Compliance Team
[Your Business Address]
[City, State ZIP]
Policy Updates
We review and update our compliance practices regularly to align with changing regulations and best practices. When we make material changes to our compliance policies, we will:
- Update the "Last Updated" date at the top of this page
- Notify users via email or in-platform notification
- Provide a summary of significant changes
- Allow users to review changes before they take effect
Continued use of ZoePaths after policy updates constitutes acceptance of the revised policies.
Related Resources
For more information about how we protect your data and respect your rights, please review: