Version Effective Date: 26 August 2022
Section I. Introduction
This privacy notice (“Notice”) is for people who use this Mahana website and for people with whom we communicate for marketing and product educational purposes (“you”).
Mahana Therapeutics, Inc., its subsidiary Mahana Therapeutics, Ltd. and their affiliates (collectively “Mahana” or “we”) respect your privacy and will treat your data in accordance with applicable law(s). This Notice describes the types of information we collect, the purposes for which it is used, and the choices you have with respect to how we use your data. There is a separate privacy statement for people who use the Mahana digital health products and associated services. We encourage you to read these notices before using our website, products or associated platforms.
If you are a California resident and would like to exercise your California privacy rights, please see our California Consumer Privacy Act Notice below. If you are a UK resident, please see our General Data Protection Regulation Notice below.
Mahana currently limits our activities to the United States and United Kingdom, where our products and services have received regulatory clearance and conformity assessments. Consequently, Mahana websites are not directed to residents outside the United States or United Kingdom and we do not intend to collect personal information from visitors outside those regions. Your use of this site indicates you acknowledge our collection, use and disclosure of your information as described in this Notice. If you disagree with the way we collect or handle your data, please do not use our website(s).
1. The personal data that we collect
In this Section 1, we have set out the general categories of personal data that we process and, in the case of personal data that we did not obtain directly from you, information about the source and specific categories of that data. Your data is collected by Mahana in a few ways. Here is a list of the categories of personal data that are collected and used, with examples.
Data provided by you. You may submit your name, email address, and other contact and location information, for example to obtain product information or to set up a product account. This data is collected with your consent.
Data you provide at events or to publish your testimonial. With your consent, we collect information, such as your name and contact information, for those who attend professional or patient education events or medical conferences or who wish to share product testimonials.
Data collected automatically. When you use our websites, we automatically collect your device information, such as operating system and IP address, and browsing information, such as time, frequency and use pattern (collectively, “Analytics”). We may share de-identified Analytics with third party marketing partners to develop, improve and test our website and products. We currently do not respond to “Do Not Track” technologies.
Data collected from third parties. We collect data from third parties who manage relevant business contact databases. For those who use our prescription digital therapeutics, we may receive personal data from your health care provider or pharmacy in order to deliver access and treatment.
2. What we do with your personal data
We use your data for a number of purposes to operate our business, develop products, and provide digital therapeutic products and associated services. These include:
Operations. We use your data for the provision of treatment and support in connection with our digital health products and contracts with payers and national health services; to operate our business; develop and improve products and services; and for fraud prevention purposes.
Inquiries. We use your contact details and inquiry details to respond to your request for product or other information. If you are a health care provider, we will add you as a business contact.
Marketing. We communicate with you about relevant products or services. We will notify consumers regarding important product updates or related information and may continue to provide access to data and educational content after your digital health product usage terminates (e.g., prescription period ends). We do not sell your personal data to third parties, or share it for cross-context behavioral advertising.
Understanding usage and improving services. Mahana records data and uses analytics tools to help analyze how users use the website.
Conduct Research. We may use your information to contact you about marketing or user surveys, studies or clinical trials for which you may be eligible or that might interest you.
Compliance. For compliance with legal obligations, such as regulatory safety reporting obligations and insurance contracts.
In appropriate circumstances, we may share your data with third parties. The following are examples of when your data might be shared:
Service providers. Your personal data may be shared with your health care provider, pharmacy, and/or health care plan and vendors who help us operate our websites and digital advertising. These third parties are legally and/or contractually obligated to maintain the confidentiality of your personal data consistent with the terms of this Notice and applicable data protection laws.
Legal purposes. We will disclose your personal data in response to valid legal process, for example, in response to a court order, a subpoena or other legal request for information, and/or to comply with applicable legal and regulatory reporting requirements. We also may disclose your data in response to a law enforcement agency’s request or other request for information from the U.S. or other government entities, or where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, serious adverse events, or to verify or enforce compliance with the policies governing our products and/or services and with applicable laws, or as otherwise required or permitted by law or consistent with legal requirements. In addition, we may, upon notice to you, transfer your data to an entity or individual that acquires, buys, or merges with Mahana, or our other business units.
Research Partners. We may share information with our research partners for particular projects or surveys. If you take part in such a project, you will be informed of these third parties in a separate or supplemental privacy notice.
3. Your Choices
For those who have created user accounts, you can request that your account be deleted either through the mobile app (under “Manage your Account” in the profile settings tab) or by contacting Customer Support (firstname.lastname@example.org or 1.844.624.2620). Note that, once your account is deleted, you will no longer have access to any product content or tools. For more information about data deletion, see the Data Subject Rights section, below.
In some cases, you may have consented to receive product information or marketing communications from Mahana. You may withdraw your consent to further use of your personal data by (i) using the unsubscribe link in any marketing email received; or (ii) submitting a request to Mahana’s Data Subject Portal, including your name, contact information, state/country of residence, and to which specific data you are directing the request. We will respond to your request once we have confirmed your identity and in accordance with the law(s) that apply to you. Your personal data which we processed prior to your request may not be deleted from our website system records, but will be blocked from further use to contact you without your permission. A request to withdraw consent may not apply to information (i) collected by tracking technologies or used internally to recognize you and/or facilitate your visits to our website, (ii) we must keep in compliance with contractual or legal obligations; or (iii) necessary in order to provide you the digital health program during the prescription period.
4. GDPR Privacy Notice for UK/EU/EEA Residents(1)
Legal Bases. If you are an individual in the United Kingdom (UK), European Union (EU) or European Economic Area (EEA), Mahana Therapeutics, Ltd. (data controller) and Mahana Therapeutics, Inc. (data processor) collect and process your personal data only where we have a legal basis for doing so under applicable laws. The legal basis depends on how you use our services. This means we collect and use your personal information to conduct the following:
Operations - We may process your personal data for patient treatment and support in connection with our digital health products and services, subject to contracts with you and/or payers and national health services, and to operate our business, develop and improve our products and services, and for fraud prevention purposes. The legal basis for this processing is the performance of a contract between you (or your insurance provider) and us and/or taking steps, at your request, to provide digital therapeutic services and to meet applicable legal and regulatory requirements.
Relationships and communications - We may process contact data, account data, transaction data and/or communication data for the purposes of managing our relationships, communicating with you (excluding communicating for the purposes of direct marketing) by email, SMS, post, fax and/or telephone, providing support services and complaint handling. The legal basis for this processing is our legitimate interests, namely communications with our website visitors, service users, individual customers and customer personnel, the maintenance of relationships, and the proper administration of our website, services and business, and complying with applicable legal and regulatory requirements.
Marketing - We may process contact data, transaction data, and user testimonials for the purposes of creating, targeting and sending direct marketing communications by email, SMS, post and/or fax and making contact by telephone for marketing-related purposes. The legal basis for this processing is your consent.
Research and analysis - We may process your personal data for the purposes of researching and analysing the efficacy and use of our products and services, as well as researching and analysing other interactions with our business. The legal basis for this processing is consent.
Record keeping - We may process your personal data for the purposes of creating and maintaining our databases, back-up copies of our databases and our business records generally. The legal basis for this processing is our legitimate interests, namely ensuring that we have access to all the information we need to properly and efficiently run our business in accordance with this notice, as well as compliance with legal and regulatory requirements.
Security - We may process your personal data for the purposes of security and the prevention of fraud and other criminal activity. The legal basis of this processing is our legitimate interests, namely the protection of our website, services and business, and the protection of others, as well as compliance with legal and regulatory requirements.
Legal claims - We may process your personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.
Legal compliance and vital interests - We may also process your personal data where such processing is necessary for compliance with a legal obligation to which we are subject or in order to protect your vital interests or the vital interests of another natural person.
International Transfers. We may transfer your personal data from the European Economic Area (EEA) and the UK to the United States (US) for the purposes set out in this notice, pursuant to our Data Transfer Agreement with Mahana Therapeutics, Inc. The US is not currently covered by an adequacy decision under EU/UK data protection law.
The AWS hosting facilities for our website are currently situated in the United States. Transfers to the US will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the Information Commissioner’s Office (ICO), the terms of which are available here.
You acknowledge that personal data that you submit for publication through our website or services may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others.
5. Your rights
California Privacy Notice. If you are a California resident, California law provides you with specific rights regarding your personal information(2), including:
Access to your personal information
Delete your personal information (subject to certain exceptions)
Not to be discriminated against for exercising these privileges.
Transparency regarding what personal information we have collected and used over the past 12 months
We update this Privacy Notice annually to provide transparency regarding the categories of personal information we collect and how it is used. If you want to exercise your other data rights, you can submit (i) a data subject request here; or (ii) close your account via the Mahana application or Support@mahana.com. You can designate an agent to submit a data subject request on your behalf by either: (1) having your agent submit a letter, signed by you, certifying that the agent is acting on your behalf and showing proof that they are registered with the California Secretary of State; or (2) by you and the agent executing and sending us a notarized power of attorney stating that the agent is authorized to act on your behalf. Please note that we are only required to respond to two such requests per customer each year.
You also have the right to lodge a complaint to the California Privacy Protection Agency.
Mahana may have collected the following categories of personal information of California residents who visited the website in the past 12 months:
Identifiers such as a name, Internet Protocol address, email address, or other similar identifiers.
Categories of personal information described in subdivision (e) of California Civil Code Section 1798.80.
Internet or other electronic network activity information.
Sensitive personal information (health information) collected to determine if a product is right for you and to deliver therapeutic services.
This information is collected and used for the purposes disclosed in this notice. Mahana may have disclosed any of the above categories of personal information pursuant to an individual’s consent or under a written contract with a service provider for a business purpose (e.g., telehealth referral, prescription, billing) in the past 12 months. Personal information collected during the prescription and delivery of digital therapeutics will be maintained for at least seven years from completion of treatment, up to a maximum retention period of ten years. Consumer data collected solely for the purposes of marketing and other communications is retained for up to five years from collection.
Mahana has not sold personal information of website visitors in the past 12 months and does not sell consumer data to third parties for direct marketing purposes or share consumer data for cross-context behavioral advertising.
Data Subject Rights. For other individuals, depending on your country or state of residence (including Colorado, Connecticut, Utah, and Virginia residents) and as required by law, in addition to receiving the information provided in this Notice, you may have the right to:
Access and receive a portable copy of your data;
Delete or correct incomplete or inaccurate data, subject to Mahana’s legal and regulatory data retention requirements(3);
Restrict processing of sensitive data (e.g., health data) and opt out of processing for profiling/targeting advertising; and
Confirm that Mahana does not sell your Personal Data.
For UK/EEA individuals, additionally:
Withdraw consent where we have relied solely on your consent to process your personal data;
Request to stop processing of your personal data;
Object to the processing of your data where we rely on our legitimate interest as the legal basis; and
We reserve the right to request additional information to verify your identity before we process your request and to maintain a copy of all requests for our legal records. If you wish to exercise these rights, please submit your request to Mahana’s Data Subject Portal and we will respond to verifiable requests within 30-45 days, depending on the applicable state or country regulations (if any). Applicable privacy laws may give you the right to file a complaint with a government regulator if you are not satisfied with our response.
6. Links to Other Websites
You should be aware that when you link to another website (e.g., telehealth provider partner) from the Mahana website, Mahana has no control over that other website. Accordingly, Mahana cannot guarantee that the operator of that website will treat your privacy in the same manner as Mahana.
7. Data security
We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure, we have put in place commercially reasonable physical, electronic, and managerial procedures to safeguard and secure the information we collect online. However, no security program is 100% secure, and thus we cannot guarantee the absolute security of your information.
8. Privacy Notice Changes
We will revise this privacy notice when necessary, and we encourage you to check back in future for changes.
This website is owned and operated by Mahana Therapeutics, Inc., on behalf of itself and its subsidiary, Mahana Therapeutics, Ltd. You can contact us as follows:
Mahana Therapeutics, Inc., a Delaware corporation (6703171) 201 Mission Street, Suite 1200 San Francisco, California 94105 USA +1.844.624.2620 email@example.com
Mahana Therapeutics, Ltd., registered in England and Wales (11995982) Suite 2, First Floor 10 Temple Back Bristol, United Kingdom BS1 6FL
Our data protection officer's contact details are: Kathleen Determann, JD, CIPP/E, CIPM; firstname.lastname@example.org
What is a cookie? A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. Cookies may not contain any information that personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.
Both websites and HTML emails may also contain other tracking technologies such as “web beacons” or “pixels.” These are typically small transparent images that provide us with statistics, for similar purposes as cookies. They are often used in conjunction with cookies, though they are not stored on your computer in the same way as cookies. As a result, if you disable cookies, web beacons may still load, but their functionality will be restricted.
Where we place cookies. We set cookies in a number of different locations across our services. These locations include our websites, mobile applications and the emails we send (collectively, “Services”).
Types of cookies. The bullet points below outline the types of cookies we use on our Services and why we use them. We also provide explanations of their purpose(s).
Strictly Necessary. These cookies are essential for our Services to perform their basic functions. These include cookies that are required to allow registered users to authenticate and perform account related functions, as well as to save content entered by you to facilitate digital therapeutic product functionality, and to store preferences set by users such as account name, language, and location.
Analytics. Performance cookies collect information on how users interact with our Services, including what pages are visited most, as well as other analytical data. We use these details to improve how our Services function and to understand how users interact with our Services.
Security. We use these cookies to help identify and prevent potential security risks.
Targeting. These cookies are used to display relevant advertising to users who use our Services, as well as to understand and report on the efficacy of ads served on our Services. They track details such as the number of unique visitors, the number of times particular ads have been displayed, and the number of clicks the ads have received. They are also used to build user profiles, including showing you ads based on products or services you’ve viewed or acts you have taken on our (and other) websites and services. These are set by us and trusted third party networks and are generally persistent in nature.
If you disable cookies, please be aware that some of the features of our Services may not function correctly.
For more details on your choices regarding use of your web browsing activity for interest-based advertising you may visit the following sites:
On a mobile device, you may also be able to adjust your settings to limit ad tracking.
Do Not Track Signals. Generally, we do not currently respond to, or take any action with respect to web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personal information about an individual’s online activities over time and across third party websites or online services. However, in some instances our third party service providers who integrate within our Services do honor Do Not Track signals.
Consent for Advertising Cookies on Our Sites. You will see a “cookie banner” on our websites on your first visit. If you are visiting one of our Services from the UK(4), then we do not set, or allow our ad partners to set, cookies that are used to show you targeted ads before you click to accept. When you consent in this manner, we and our advertising partners may set advertising cookies on the site or other Service you are visiting and on our other websites, dashboards, and services. We’ll display the banner to you periodically, just in case you change your mind.
(1) Mahana products and Services are not currently directed to the EU/EEA, but in the event such commercial activities are approved in the future, this section will apply to users in those regions as well.
(2) “Personal information” as defined in the CCPA is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include publicly available, de-identified, or aggregate consumer information or information collected from job applicants, employees or contractors/consultants.
(3) For example, U.S. federal regulations (e.g., HIPAA), national guidance (e.g., NHS, CMS) and commercial payer contracts set data retention requirements for health records with which Mahana must comply.
(4) Mahana products and Services are not currently directed to the EU/EEA, but in the event such commercial activities are approved in the future, this section will apply to users in those regions as well.