NOCD

NOCD INC
WiFi

Review date: April 25, 2023

Mozilla investigated for 16 hours

Mozilla's opinion

People's votes: Somewhat creepy

NOCD is an app designed to help treat Obsessive Compulsive Disorder or OCD. And with a big spike in people reporting OCD symptoms during the COVID-19 pandemic, it's no surprise investors are jumping on board, giving NOCD $33 million in funding at the end of 2021. The app helps users connect with a therapist who specializes in OCD treatment, provides face-to-face therapy, and supports users in between sessions with therapeutic tools and connections to others in the OCD community. It is currently free to download and use. Therapy sessions are paid for on a per-session basis and NOCD says they do partner with many major insurance companies. NOCD is currently available in the US, UK, Australia, and parts of Canada. In 2022, we found a good bit to be concerned about with NOCD's privacy. However, it does seem they have improved some since we released our review last year.

What could happen if something goes wrong?

First reviewed April 20, 2022. Review updated, April 25, 2023
Oh NOCD, what a journey it has been with you this last year. When we first reviewed NOCD in 2022 we had some serious concerns about their privacy. And our questions, emailed to the email address listed in their privacy policy for privacy-related questions, went unanswered before we launched our review. However, after our launch, when our review was brought to NOCD's attention by concerned users, NOCD came back to us and was open to communication and clarifying some confusing aspects of their privacy policy. We always appreciate constructive communication with any company looking to improve their privacy practices and privacy policies.

So, has NOCD improved over the last year? Yes, they have. In their responses to us, we were able to confirm they meet our Minimum Security Standards, which is good. And they have improved their privacy policy to offer some more clarity about their privacy practices, especially clarity around how personal information from website visitors, NOCD app/community members, and NOCD therapy members is handled. Clarity on this is good.

Now, their privacy notices make clear that they “do not use location tracking.” And this year, they promptly responded when we sent an email to the address listed in their privacy policy. In that email, they reassured us that they do not collect personal information from data brokers and when they combine information about you from third parties, it’s for treatment purposes only. We’d like to see them commit to that in their privacy notice so they can’t just change it whenever they want to, but their emailed reassurance is a good first step.

NOCD does seem to do a good job of protecting and respecting the privacy of therapy members. The data for those individuals is generally covered by HIPAA and more strongly protected. We do still have concerns about the privacy of information NOCD collects, uses, and shares for people visiting their website or who download their app. Some of that information, NOCD says, can be shared with third parties for targeted advertising purposes (they do clearly state in their privacy policy that no data used for treatment is shared for advertising purposes though).

So, yes, NOCD has gotten better since we reviewed them in 2022. That said, they do still raise a few privacy concerns for us. If you visit NOCD's website, don't be surprised to find their ads following you around the internet once you leave.

Read our 2022 review:

NOCD says they can collect a whole lot of information on their users. Everything from name, address, email address, and telephone number, to age, gender, to health information like your OCD triggers and intensity levels, to your precise location information when you're using the app and even when you're not. Yikes! NOCD also says they can collect even more information about you from third parties such as social media sites like Facebook, YouTube, and Instagram as well as "Companies that provide information to supplement what we already know about you" (like data brokers?). Double yikes!!! That's a whole lot of information NOCD is collecting on you. And it seems to us like information that goes beyond what they need to help you manage and treat your OCD.

What does NOCD say they can do with all this personal information and app usage data they collect on you? Well, to begin with, they say they can combine the information you give them with information they gather from third parties. Then they say they can use that information for things like learning your interests to better understand what tools interest you and to target you with ads. They actually use the word "might" a whole lot when they talk about how they say they can market you with targeted ads, which is a concern for us when it comes to privacy policies because that word "might" seems to offer a lot of wiggle room. Here's what they actually say, "We might use your information to serve you ads about tools and offers. We might tell you about new features or updates. These might be third party offers or tools, services or studies we think you might find interesting. We may also use your information to send you electronic communications. We and our partners may engage in interest-based advertising using information gathered across multiple websites, devices, or other platforms."

We "might" say this is all quite a bit concerning for an app that collects so much personal information. Ah heck, forget the "might", we do say that concerns us. NOCD says they can collect a whole lot of personal information, can combine that with other information they get from third parties like social media sites and potentially data brokers. They then say they can share that information with a whole host of third parties including business partners and the vague "For Other Reasons We May Describe to You."

What's the worst that could happen? Well, just how many people in the world need to know you are struggling with OCD? And why does NOCD need to say they can gather so much additional information about you from third-party sources such as social media sites and potentially even data brokers? NOCD doesn’t specifically state in their privacy policy that they don’t sell user data, which is something we like to see stated clearly. Not to mention, we couldn't determine if they meet our Minimum Security Standards. For an app that targets people dealing with the struggles of OCD, this all just seems like very very bad privacy practices. With OCD symptoms on the rise these days, an app that can help sounds wonderful. We worry that this app doesn't seem to protect the privacy of their users and potentially even exploits it. That's really not good. Not good at all.

Tips to protect yourself

- Choose a strong password! You may use a password manager like 1Password, KeePass, etc.
- Use your device privacy controls to limit the app's access to your personal information (do not give access to your camera, microphone, images, or location unless necessary)
- Keep your app regularly updated
- Limit ad tracking via your device (e.g. on iPhone go to Privacy -> Advertising -> Limit ad tracking) and the biggest ad networks (for Google, go to your Google account and turn off ad personalization)
- Request that your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
- When starting a sign-up, do not agree to tracking of your data if possible.

  • mobile

Can it snoop on me?

Camera

Device: Not applicable

App: Yes

Microphone

Device: Not applicable

App: Yes

Tracks location

Device: Not applicable

App: No

What can be used to sign up?

Google sign-up is available

What data does the company collect?

How does the company use this data?

We ding this product for vague language around combining users' personal data with third-party data.

"We use Personal Information about you to send you ads or other news about our Services."

"We do not sell Personal Information about you."

"The California definition of selling data includes disseminating Personal Information for valuable consideration, and may be interpreted to include having a contract with a third party with which you share data. We do share data with third parties as needed for treatment, and we share limited non-treatment related data with third parties with which we have contracts to help with our marketing and analytics efforts, through cookies and pixels. This practice may be considered ‘selling’ data according to the CCPA’s broad definition, even though it is not a “sale” under the conventional definition of the word or under the laws in Virginia and Utah."

"Like many established companies, we work with third parties like Meta (Facebook) and Google to help us with our marketing efforts. These third parties use technologies, like pixels or cookies, to gather Personal Information about you when you visit our Platform so that we know when to send you messages about our Services. This includes information about your website activity and does not include any information about your health or treatment. We work with these third parties to serve you with our ads and content only—we do not sell or share Personal Information about you with any third parties for their own advertising or marketing purposes."

"Unlike many companies, NOCD has not configured our site with a Facebook login option to pull information about our members that is stored with Facebook. So, to give some examples, we are not collecting information about our members’ Facebook likes, profile information, or the messages they send."

"We may receive Personal Information about you from other sources with your consent or as permitted by applicable law. For example, this may include receiving Personal Information from:
Our business partners, including health care providers, organizations that sponsor medical trials, online advertising networks, and data analytics vendors. Social media sites, including Facebook, Twitter, YouTube, and Instagram. Companies that provide information to supplement what we already know about you. This includes third-party service providers that help us provide treatment and obtain insurance coverage, as well as third parties that help us track information about website visitor activity. We receive this information in de-identified form. These parties do not receive any information about your treatment."

How can you control your data?

"We intend to retain each of the above categories of Personal Information for as long as necessary for the purposes of providing and fulfilling your requests relating to our Services, complying with legal obligations, and improving our Platform and Services."

"You have the following rights (“Data Subject Right”) in relation to Personal Information that we hold about you. These rights may differ depending on where you live (including specifically in California, Virginia, Colorado, Connecticut, Utah, the UK, or the EEA), but we will endeavor to respect these rights no matter your country or state of residence.: <...> You may ask NOCD to delete or remove Personal Information, such as where you withdraw your consent, where applicable. If we shared Personal Information about you with others, we will tell them about the erasure as directed by law."

What is the company's known track record of protecting users' data?

Average

No known privacy or security incidents discovered in the last 3 years.

Child privacy information

By using the Platform, you represent and warrant that you are at least eighteen (18) years of age. If you discover that information of anyone under eighteen (18) years of age was submitted to the Services, please contact NOCD and they will remove such information.

Can this product be used offline?

No

Is the privacy information easy to understand?

No

Links to privacy information

Does this product meet our Minimum Security Standards?

Yes

Encryption

Yes

Strong password

Yes

Security updates

Yes

Manages vulnerabilities

Yes

NOCD says people can report security vulnerabilities at [email protected].

Privacy policy

Yes

Does the product use artificial intelligence?

No

*Privacy Not Included
