Version Effective Date: 26 August 2022
Note: If you wish to exercise privacy rights regarding data processed by Mahana, please submit requests to our Data Subject Portal or contact firstname.lastname@example.org with questions.
Section I. Introduction
This privacy notice (“Notice”) is for people who use this Mahana website and for people with whom we communicate for marketing and product educational purposes (“you”).
Mahana Therapeutics, Inc., its subsidiary Mahana Therapeutics, Ltd. and their affiliates (collectively “Mahana” or “we”) respect your privacy and will treat your data in accordance with applicable law(s). This Notice describes the types of information we collect, the purposes for which it is used, and the choices you have with respect to how we use your data. There is a separate privacy statement for people who use the Mahana digital health products and associated services. We encourage you to read these notices before using our website, products or associated platforms.
If you are a California resident and would like to exercise your California privacy rights, please see our California Consumer Privacy Act Notice below. If you are a UK resident, please see our General Data Protection Regulation Notice below.
Mahana currently limits our activities to the United States and United Kingdom, where our products and services have received regulatory clearance and conformity assessments. Consequently, Mahana websites are not directed to residents outside the United States or United Kingdom and we do not intend to collect personal information from visitors outside those regions. Your use of this site indicates you acknowledge our collection, use and disclosure of your information as described in this Notice. If you disagree with the way we collect or handle your data, please do not use our website(s).
1. The personal data that we collect
In this Section 1, we have set out the general categories of personal data that we process and, in the case of personal data that we did not obtain directly from you, information about the source and specific categories of that data. Your data is collected by Mahana in a few ways. Here is a list of the categories of personal data that are collected and used, with examples.
2. What we do with your personal data
We use your data for a number of purposes to operate our business, develop products, and provide digital therapeutic products and associated services. These include:
In appropriate circumstances, we may share your data with third parties. The following are examples of when your data might be shared:
3. Your Choices
For those who have created user accounts, you can request that your account be deleted either through the mobile app (Under “Manage your Account” in the profile settings tab) or by contacting Customer Support (email@example.com or 1.844.624.2620). Note that, once your account is deleted, you will no longer have access to any product content or tools. For more information about data deletion, see the Data Subject Rights section, below.
In some cases, you may have consented to receive product information or marketing communications from Mahana. You may withdraw your consent to further use of your personal data by (i) using the unsubscribe link in any marketing email received; or (ii) submitting a request to Mahana’s Data Subject Portal, including your name, contact information, state/country of residence, and to which specific data you are directing the request. We will respond to your request once we have confirmed your identity and in accordance with the law(s) that applies[y] to you. Your personal data which we processed prior to your request may not be deleted from our website system records, but will be blocked from further use to contact you without your permission. A request to withdraw consent may not apply to information (i) collected by tracking technologies or used internally to recognize you and/or facilitate your visits to our website, (ii) we must keep in compliance with contractual or legal obligations; or (iii) necessary in order to provide you the digital health program during the prescription period.
4. GDPR Privacy Notice for UK/EU/EEA Residents
Legal Bases. If you are an individual in the United Kingdom (UK), European Union (EU) or European Economic Area (EEA), Mahana Therapeutics, Ltd. (data controller) and Mahana Therapeutics, Inc. (data processor) collect and process your personal data only where we have a legal basis for doing so under applicable laws. The legal basis depends on how you use our services. This means we collect and use your personal information to conduct the following:
International Transfers. We may transfer your personal data from the European Economic Area (EEA) and the UK to the United States (US) for the purposes set out in this notice, pursuant to our Data Transfer Agreement with Mahana Therapeutics, Inc. The US is not currently covered by an adequacy decision under EU/UK data protection law.
The AWS hosting facilities for our website are currently situated in the United States. Transfers to the US will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the Information Commissioner’s Office (ICO), the terms of which are available here.
You acknowledge that personal data that you submit for publication through our website or services may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others.
5. Your rights
California Privacy Notice. If you are a California resident, California law provides you with specific rights regarding your personal information, including:
We update this Privacy Notice annually to provide transparency regarding the categories of personal information we collect and how it is used. If you want to exercise your other data rights, you can submit (i) a data subject request here; or (ii) close your account via the Mahana application or Support@mahanatx.com. You can designate an agent to submit a data subject request on your behalf by either: (1) having your agent submit a letter, signed by you, certifying that the agent is acting on your behalf and showing proof that they are registered with the California Secretary of State; or (2) by you and the agent executing and sending us a notarized power of attorney stating that the agent is authorized to act on your behalf. Please note that we are only required to respond to two such requests per customer each year.
You also have the right to lodge a complaint to the California Privacy Protection Agency.
Mahana may have collected the following categories of personal information of California residents who visited the website in the past 12 months:
This information is collected and used for the purposes disclosed in this notice. Mahana may have disclosed any of the above categories of personal information pursuant to an individual’s consent or under a written contract with a service provider for a business purpose (e.g., telehealth referral, prescription, billing) in the past 12 months. Personal information collected during the prescription and delivery of digital therapeutics will be maintained for at least seven years from completion of treatment, up to a maximum retention period of ten years. Consumer data collected solely for the purposes of marketing and other communications is retained for up to five years from collection.
Mahana has not sold personal information of website visitors in the past 12 months and does not sell consumer data to third parties for direct marketing purposes or share consumer data for cross-context behavioral advertising.
Data Subject Rights. For other individuals, depending on your country or state of residence (including Colorado, Connecticut, Utah, and Virginia residents) and as required by law, in addition to receiving the information provided in this Notice, you may have the right to:
We reserve the right to request additional information to verify your identity before we process your request and to maintain a copy of all requests for our legal records. If you wish to exercise these rights, please submit your request to Mahana’s Data Subject Portal and we will respond to verifiable requests within 30-45 days, depending on the applicable state or country regulations (if any). Applicable privacy laws may give you the right to file a complaint with a government regulator if you are not satisfied with our response.
6. Links to Other Websites
You should be aware that when you link to another website (e.g., telehealth provider partner) from the Mahana website, Mahana has no control over that other website. Accordingly, Mahana cannot guarantee that the operator of that website will treat your privacy in the same manner as Mahana.
7. Data security
We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure, we have put in place commercially reasonable physical, electronic, and managerial procedures to safeguard and secure the information we collect online. However, no security program is 100% secure, and thus we cannot guarantee the absolute security of your information.
8. Privacy Notice Changes
We will revise this privacy notice when necessary, and we encourage you to check back in future for changes.
This website is owned and operated by Mahana Therapeutics, Inc., on behalf of itself and its subsidiary, Mahana Therapeutics, Ltd. You can contact us as follows:
Mahana Therapeutics, Inc., a Delaware corporation (6703171)
201 Mission Street, Suite 1200
San Francisco, California 94105 USA
Mahana Therapeutics, Ltd., registered in England and Wales (11995982)
Suite 2, First Floor
10 Temple Back
Bristol, United Kingdom BS1 6FL
Our data protection officer's contact details are: Kathleen Determann, JD, CIPP/E, CIPM; firstname.lastname@example.org
What is a cookie? A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. Cookies may not contain any information that personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.
Both websites and HTML emails may also contain other tracking technologies such as “web beacons” or “pixels.” These are typically small transparent images that provide us with statistics, for similar purposes as cookies. They are often used in conjunction with cookies, though they are not stored on your computer in the same way as cookies. As a result, if you disable cookies, web beacons may still load, but their functionality will be restricted.
Where we place cookies. We set cookies in a number of different locations across our services. These locations include our websites, mobile applications and the emails we send (collectively, “Services”).
Types of cookies. The bullet points below outline the types of cookies we use on our Services and why we use them. We also provide explanations of their purpose(s).
If you disable cookies, please be aware that some of the features of our Services may not function correctly.
For more details on your choices regarding use of your web browsing activity for interest-based advertising you may visit the following sites:
On a mobile device, you may also be able to adjust your settings to limit ad tracking.
Do Not Track Signals. Generally, we do not currently respond to, or take any action with respect to web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personal information about an individual’s online activities over time and across third party websites or online services. However, in some instances our third party service providers who integrate within our Services do honor Do Not Track signals.
Consent for Advertising Cookies on Our Sites. You will see a “cookie banner” on our websites on your first visit. If you are visiting one of our Services from the UK, then we do not set, or allow our ad partners to set, cookies that are used to show you targeted ads before you click to accept. When you consent in this manner, we and our advertising partners may set advertising cookies on the site or other Service you are visiting and on other of our websites, dashboards, and services. We’ll display the banner to you periodically, just in case you change your mind.