Version Effective Date: 26 August 2022
Before you proceed with this product, it is important that you read the Product Privacy Notice and Health Data Consent below. For further information on Mahana’s global privacy practices and your rights, please see the Website Privacy Notice posted here. To exercise your privacy rights, see Mahana’s Data Subject Portal.
This digital health product is provided by Mahana Therapeutics, Inc. in the United States (Mahana US), and, in the United Kingdom, by Mahana Therapeutics Ltd (Mahana UK), a wholly-owned subsidiary of Mahana US (collectively known as 'Mahana').
This Product Privacy Notice (‘Privacy Notice’ or ‘Notice’) describes how Mahana collects, receives, uses, retains, and discloses Personal Data and Sensitive Personal Data of users (also 'you', 'your' or 'patient'). Personal Data includes information about you that is personally identifying such as your name, email address, and phone number, and which is not otherwise publicly available, as well as information that can be used to directly identify you. Sensitive Personal Data includes information about your health and medical care. Only the legal definition of Personal Data and Sensitive Personal Data (collectively ‘Personal Data’) that applies to your location will apply to you under this Privacy Notice.
Mahana works with hospitals, clinics, practices, or other medical groups, healthcare providers (including telehealth providers), and healthcare systems to prescribe and/or, with your consent, monitor progress for digital health products by their respective patient populations (“Clinical Partners”). Mahana also works in partnership with health plans and national health services, including the NHS. For UK users, Personal Data collected in connection with your use of Mahana products may be transferred to the NHS as part of your patient record. Similarly, for US users of prescription digital products, Personal Data collected in connection with your use of Mahana products may be shared with your health plan and associated ePharmacy to dispense and reimburse for the product and/or associated services. Mahana digital health products are currently only available to users in the US and UK.
What Personal Data or information will Mahana collect?
The Mahana programs are provided through a website or mobile applications. To use the application (or “app”), you will need to register for an account.
This means that we may ask you for the following Personal Data during the sign-up process:
Your full name
Your email address
Your date of birth
Your telephone number
We may additionally collect insurance information, such as your insurance ID number or NHS number.
To help you understand if Mahana products are right for you, or to monitor your health and how you are doing on a program, Mahana will have you complete a self-reported questionnaire about your stress levels, symptoms, and impact of your health condition on your daily life. There are also interactive tasks within Mahana products, where you may record personal notes. The type of information collected is dependent on the information you provide to answer the associated questions.
Additionally, if you contact us by email at email@example.com or any other Mahana email address, we will collect your name, contact information, recording of the call (with your consent), or the content of your message.
What additional Personal Data is collected automatically?
When you use Mahana programs or websites, we or our third-party service providers may automatically receive and record certain data. For example, this may include personal identifiers, such as your device’s IP address, user-agent string, or internet activity, commercial data, such as records of services procured and information about how you use Mahana products or services during your current session and over time (including tracking to the pages you view and the files you download), the date and time of your visit, the length of time spent logged into Mahana products or services, the number and types of sessions completed, the links you click, searches you conduct, a view into the websites you may have visited before navigating to Mahana products or services, your software and hardware attributes (including browser and operating system type and version, device type, and device identifiers), your email address, and your general location inferred from IP address. To obtain such data, we or our third-party service providers, may use the following technologies to recognize your device and collect usage data:
Server logs. When you use Mahana products and services, we automatically receive and record certain data from your computer (or other device) and your browser. To obtain such data, we may use server logs or applications that recognize your device and gather data about its online activity.
Cookies. We also use essential, performance, functional and targeting Cookies when engaging with Mahana programs.
Web beacons, tags, pixels, and similar technologies. Mahana programs or the emails that you receive from us may use an application known as a 'web beacon' (also known as a 'tag' or 'pixel') and similar technologies. Web beacons are small strings of code that provide a method for delivering a graphic image on a web page or in an email message for the purpose of transferring data. For example, it may allow an email sender to determine whether a user has opened a particular email.
How does Mahana use my Personal Data?
Mahana and its service providers use your Personal Data for the following purposes, including to:
Create a user profile that is the basis of personalizing the therapy experience to you and to provide requested products and services.
Communicate with you as you progress through the on-boarding and therapy, and respond to your requests for technical assistance.
To engage in analytics, research, and reporting.
Facilitate your communication with your healthcare provider.
To respond to your request for information or comments.
To conduct audits, quality assurance or debugging activities.
Detection of security events.
For legal purposes as applicable by law.
With whom does Mahana share Personal Data?
We share Personal Data with third parties for a variety of reasons related to providing the digital therapeutic service, including as follows:
Clinical Partners and health plans/NHS: Your Personal Data may be accessed by Clinical Partners (as defined above) such as your health care providers, in order to manage and provide you with health care services. Your Personal Data may also be shared with (for UK users) the NHS to update your medical records or (for US users) your health plan to manage reimbursement.
Mahana: Mahana may access Personal Data for both US and UK users to deliver therapeutic services, technical support or troubleshoot your account.
Select 3rd party vendors:Your Personal Data may also be provided to service providers under contract with Mahana and strictly adhering to the principles of confidentiality, integrity and accessibility. For example, Mahana uses Amazon Web Services (AWS) and Google Workspace to host and store our data and Zendesk to send you secure email communications in response to your questions or requests for technical assistance. Mahana also uses third parties to assist with operational and security support for the Mahana platform.
From time to time, Mahana may provide your Personal Data to select vendors for the purpose of data processing or specific functionality (e.g. analytics, operational support or messaging like email or push notifications). Mahana only provides Personal Data to vendors that demonstrate a commitment to compliance with privacy and security laws, regulations and requirements under (as applicable) a data protection agreement and/or, for facilitating US prescriptions and insurance coverage, a business associate agreement as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Such agreements assure that our vendors must process your Sensitive Data with the same obligations (confidentiality, integrity, accessibility) that apply to Mahana US as a data processor/importer (for UK/EU Personal Data), a business associate (for data regulated under HIPAA) or a personal health records vendor (for data regulated under US Federal Trade Commission or state privacy laws). Otherwise, and if identifiable data is not needed for a particular purpose, vendors are allowed only to process data that is pseudonymised or de-identified and aggregated, so that your identity is not disclosed.
Legal purposes. We also may use or provide your Personal Data to third parties when we believe that doing so is necessary to:
comply with applicable law or a court order, subpoena, or other legal process.
investigate, prevent, or take action regarding illegal or prohibited activities, suspected fraud, violations of our terms and conditions, or situations involving threats to our property or the property or physical safety of any person or third party.
establish, protect, or exercise our legal rights or defend against legal claims.
facilitate the financing, securitization, acquisition, insuring, sale, assignment, bankruptcy, or other disposal of all or part of our business or assets.
With consent. Mahana may use your Personal Data for purposes other than those described in this Notice with your written consent, such as for text communications or marketing and advertising. However, communications with you for treatment delivery as requested by you, to inform you of similar products and services, allowing you to opt out of future communications, or other legitimate purposes, do not require consent.
Who can see what I write in Mahana IBS?
Mahana will not view the content of your entries in program journals, except for the following scenarios: technical support or troubleshooting, making product improvements, or other legally required or permissible scenarios.
Where is my Personal Data kept?
What are my rights regarding my Personal Data?
Your Personal Data will be processed in accordance with your rights under the applicable data protection legislation. For more information on your rights and how to exercise them, including for residents in California, Colorado, Connecticut, Utah, Virginia and the UK/EU, see Mahana’s Website Privacy Notice. Mahana does not sell Personal Data to third parties, nor do we have any arrangement involving an exchange of value ("consideration") between Mahana and a third party for Personal Data obtained from users. To exercise your privacy rights, including information access and data correction and deletion, please see Mahana’s Data Subject Portal.
What are the bases for processing UK/EU Personal Data?
Our lawful basis for collecting and processing Personal Data for UK/EU users will depend on the type of personal data and the purpose for which it was collected. When we collect Sensitive Personal Data related to your health, we do so with your consent or for the purpose of providing and/or billing for health care treatment and management. We may process your Personal Data as necessary to provide the digital therapeutic service we have contracted to provide you, and we maintain treatment records as legally and/or contractually required.
We may also process other Personal Data for our legitimate interests, such as to perform analytics and improve our services.
Where our processing is based solely on your consent, you have the right to withdraw your consent at any time. For more information on our legal bases and managing your consent, see the Mahana Website Privacy Notice and Mahana’s Data Subject Portal.
How can I delete my account?
For those who have created user accounts, you can request that your account be deleted either through the mobile app (Under “Manage your Account” in the profile settings tab) or by contacting Customer Support (firstname.lastname@example.org or 1.844.624.2620). Note that, once your account is deleted, you will no longer have access to any product content or tools.
How long is my Personal Data stored?
Mahana retains your Personal Data as long as reasonably necessary to provide the digital therapeutic services to you, and as otherwise required by law, insurance plan contract/regulations or the NHS guidelines, up to a maximum of ten (10) years.
How is my personal data secured?
We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure, we have put in place commercially reasonable physical, electronic, and managerial procedures to safeguard and secure the information we collect online, such as secure server software (SSL), firewalls, multi-factor authentication, and end-to-end encryption. However, no security program is 100% secure, and thus we cannot guarantee the absolute security of your information.
Mahana’s digital health services are provided to you through your smartphone. Thus, there are steps that you should take to protect your device from unauthorized access. You can find more tips for staying safe online at https://staysafeonline.org/stay-safe-online,
International Transfers for UK users
As noted above, we store your Personal Data on servers located in the US and your data may be processed by both Mahana US and Mahana UK personnel in certain circumstances, such as to provide you with technical support, security activities, or to conduct analytics, research and reporting.
Mahana may also subcontract the processing of your data to, or otherwise share your data with, third parties in the US or other countries outside your country of residence, such as the data collected automatically for analytics, research and reporting. The data protection laws in these countries may be different from, and less stringent than, those in your country of residence.
We implement standard contractual clauses or other mechanisms as appropriate, to safeguard your Personal Data during such cross-border transfers. We also may transfer information to the United States or another country as necessary for the performance of our agreements with you or to establish, exercise, or defend legal claims.
Our programs or services are not intended for children. If you believe a child who is under age 13 has provided information to Mahana, please contact us using the information provided below.
Changes to this Policy
This Privacy Notice may change from time to time, so please check back periodically to check the most recent modification date to ensure that you are aware of any changes in our processing of your Personal Data. Your continued use of Mahana products and services after any changes signifies your express, explicit, voluntary and unambiguous consent to any such changes. If you do not agree to such changes, you must immediately stop using Mahana programs and services.
Contact Us About Complaints, Questions or Notices Related to this Privacy Notice
Mahana digital health programs are created by Mahana Therapeutics, Inc., on behalf of itself and its UK subsidiary, Mahana Therapeutics, Ltd. You can contact us as follows:
Mahana Therapeutics, Inc., a Delaware corporation (6703171) 201 Mission Street, Suite 1200 San Francisco, California 94105 USA +1.844.624.2620 Support@mahana.com
Mahana Therapeutics, Ltd., registered in England and Wales (11995982) Suite 2, First Floor 10 Temple Back Bristol, United Kingdom BS1 6FL Support@mahana.com
Our data protection officer's contact details are: Kathleen Determann, JD, CIPP/E, CIPM; email@example.com. You can also submit named or anonymous complaints via our Data Subject Portal. If your issue is not resolved, you can report to the applicable supervisory authority (such as the California Office of Attorney General, California Privacy Protection Agency, US Federal Trade Commission or Information Commissioner’s Office (UK)).
The Mahana Program Agreement
By using the Mahana program, I acknowledge and accept the following:
I understand that I can work through the Mahana program at my own pace within the total time allotted.
I understand that Mahana products are not emergency programs. If I am feeling very distressed or need immediate help I will contact friends or family who can help, or my doctor, or I will refer to the “Need help?” section(under Profile/Settings) which outlines more information. This section can be found under the Help section, in the navigation tab at the top of each page. If I am having a mental health crisis, I will (for the US) text the Crisis Text Line at 741741 or I will call the National Suicide Prevention Lifeline at 1-800-273-8255; or (for the UK) text or call one of the suicide prevention resources provided by the NHS. If I am having a mental health or medical emergency and I need immediate help, I will contact 911 (in the US) or 999 (in the UK).
I understand that I may receive reminder emails from the program.
I can use the Mahana program at any time, and am not constrained on when I need to login.
I have read and agree to this Mahana Product Privacy Notice and health data consent.
I understand that Mahana collects Personal Data as well as Sensitive Date related to my health and the provision of health services. I consent to the collection of my Personal Data and Sensitive Data for the uses described in this Notice or I will not proceed further with this product.
I understand and consent to Mahana sharing certain progress milestones for prescription digital health programs, such as status of the prescription and initiation and progress through the therapy, with my prescribing health care provider at my or their request.
Right to withdraw consent
In relation to our product, you may have given consent for Mahana to contact you by certain means as part of our digital therapy (e.g., text reminders), to send marketing materials, or to share your Personal Data with Clinical Partners. You have the right to withdraw any consent you may have previously given us at any time. If you withdraw your consent, this will not affect the lawfulness of our collecting, using and sharing of your Personal Data or Sensitive Data as contemplated up to the point in time that you withdraw your consent. Even if you withdraw your consent, we may still use your information that (i) has been fully anonymized and does not personally identify you; or (ii) that has been collected under a legal basis other than consent, to the extent such use continues to be necessary for that other purpose. If you would like to withdraw consent for further processing your Personal Data, please submit a written request to Mahana’s Data Subject Portal. For more information on other types of consents, please see Mahana’s Website Privacy Notice.
© Copyright 2022. Mahana Therapeutics, Inc. All Rights Reserved