Version Effective Date: 12 December 2022
Health Data Consent
By using the Mahana program, I acknowledge and consent to the following:
By clicking on the button for the intake screen, you acknowledge that you agree to this Mahana Health Data Consent & Product Privacy Notice. Information on exercising your privacy rights (including withdrawing consent) is described in the Product Privacy Notice, below. To exercise your privacy rights, see Mahana’s Data Subject Portal.
Product Privacy Notice Overview
This digital health product is provided by Mahana Therapeutics, Inc. in the United States (Mahana US), and, in the United Kingdom, by Mahana Therapeutics Ltd (Mahana UK), a wholly-owned subsidiary of Mahana US (collectively known as 'Mahana').
This Product Privacy Notice (‘Privacy Notice’ or ‘Notice’) describes how Mahana collects, receives, uses, retains, and discloses Personal Data and Sensitive Personal Data of users (also 'you', 'your' or 'patient'). Personal Data includes information about you that is personally identifying such as your name, email address, and phone number, and which is not otherwise publicly available, as well as information that can be used to directly identify you. Sensitive Personal Data includes information about your health and medical care. Only the legal definition of Personal Data and Sensitive Personal Data (collectively ‘Personal Data’) that applies to your location will apply to you under this Privacy Notice.
Mahana works with hospitals, clinics, practices, or other medical groups, healthcare providers (including telehealth providers), and healthcare systems to prescribe and/or, with your consent, monitor progress for digital health products by their respective patient populations (“Clinical Partners”). Mahana also works in partnership with health plans and national health services, including the NHS. For UK users, Personal Data collected in connection with your use of Mahana products may be transferred to the NHS as part of your patient record. Similarly, for US users of prescription digital products, Personal Data collected in connection with your use of Mahana products may be shared with your health plan and associated ePharmacy to dispense and reimburse for the product and/or associated services. Mahana digital health products are currently only available to users in the US and UK.
What Personal Data or information will Mahana collect?
The Mahana programs are provided through a website or mobile applications. To use the application (or “app”), you will need to register for an account.
This means that we may ask you for the following Personal Data during the sign-up process:
We may additionally collect insurance information, such as your insurance ID number or NHS number.
To help you understand if Mahana products are right for you, or to monitor your health and how you are doing on a program, Mahana will have you complete a self-reported questionnaire about your stress levels, symptoms, and impact of your health condition on your daily life. There are also interactive tasks within Mahana products, where you may record personal notes. The type of information collected is dependent on the information you provide to answer the associated questions.
Additionally, if you contact us by email at firstname.lastname@example.org or any other Mahana email address, we will collect your name, contact information, recording of the call (with your consent), or the content of your message.
What additional Personal Data is collected automatically?
When you use Mahana programs or websites, we or our third-party service providers may automatically receive and record certain data. For example, this may include personal identifiers, such as your device’s IP address, user-agent string, or internet activity, commercial data, such as records of services procured and information about how you use Mahana products or services during your current session and over time (including tracking of the pages you view and the files you download), the date and time of your visit, the length of time spent logged into Mahana products or services, the number and types of sessions completed, the links you click, searches you conduct, a view into the websites you may have visited before navigating to Mahana products or services, your software and hardware attributes (including browser and operating system type and version, device type, and device identifiers), your email address, and your general location inferred from IP address. To obtain such data, we or our third-party service providers may use the following technologies to recognize your device and collect usage data:
How does Mahana use my Personal Data?
Mahana and its service providers use your Personal Data for the following purposes, including to:
With whom does Mahana share Personal Data?
We share Personal Data with third parties for a variety of reasons related to providing the digital therapeutic service, including as follows:
Clinical Partners and health plans/NHS: Your Personal Data may be accessed by Clinical Partners (as defined above) such as your health care providers, in order to manage and provide you with health care services. Your Personal Data may also be shared with (for UK users) the NHS to update your medical records or (for US users) your health plan to manage reimbursement.
Mahana: Mahana may access Personal Data for both US and UK users to deliver therapeutic services, technical support or troubleshoot your account.
Select 3rd party vendors: Your Personal Data may also be provided to service providers under contract with Mahana and strictly adhering to the principles of confidentiality, integrity and accessibility. For example, Mahana uses Amazon Web Services (AWS) and Google Workspace to host and store our data and Zendesk to send you secure email communications in response to your questions or requests for technical assistance. Mahana also uses third parties to assist with operational and security support for the Mahana platform.
From time to time, Mahana may provide your Personal Data to select vendors for the purpose of data processing or specific functionality (e.g. analytics, operational support or messaging like email or push notifications). Mahana only provides Personal Data to vendors that demonstrate a commitment to compliance with privacy and security laws, regulations and requirements under (as applicable) a data protection agreement and/or, for facilitating US prescriptions and insurance coverage, a business associate agreement as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Such agreements assure that our vendors must process your Sensitive Data with the same obligations (confidentiality, integrity, accessibility) that apply to Mahana US as a data processor/importer (for UK/EU Personal Data), a business associate (for data regulated under HIPAA) or a personal health records vendor (for data regulated under US Federal Trade Commission or state privacy laws). Otherwise, and if identifiable data is not needed for a particular purpose, vendors are allowed only to process data that is pseudonymised or de-identified and aggregated, so that your identity is not disclosed.
Legal purposes. We also may use or provide your Personal Data to third parties when we believe that doing so is necessary to:
With consent. Mahana may use your Personal Data for purposes other than those described in this Notice with your written consent, such as for text communications or marketing and advertising. However, communications with you for treatment delivery as requested by you, to inform you of similar products and services, allowing you to opt out of future communications, or other legitimate purposes, do not require consent.
Who can see what I write in Mahana IBS?
Mahana will not view the content of your entries in program journals, except for the following scenarios: technical support or troubleshooting, making product improvements, or other legally required or permissible scenarios.
Where is my Personal Data kept?
What are my rights regarding my Personal Data?
Your Personal Data will be processed in accordance with your rights under the applicable data protection legislation. For more information on your rights and how to exercise them, including for residents in California, Colorado, Connecticut, Utah, Virginia and the UK/EU, see Mahana’s Website Privacy Notice. Mahana does not sell Personal Data to third parties, nor do we have any arrangement involving an exchange of value ("consideration") between Mahana and a third party for Personal Data obtained from users. To exercise your privacy rights, including information access and data correction and deletion, please see Mahana’s Data Subject Portal.
What are the bases for processing UK/EU Personal Data?
Our lawful basis for collecting and processing Personal Data for UK/EU users will depend on the type of personal data and the purpose for which it was collected. When we collect Sensitive Personal Data related to your health, we do so with your consent or for the purpose of providing and/or billing for health care treatment and management. We may process your Personal Data as necessary to provide the digital therapeutic service we have contracted to provide you, and we maintain treatment records as legally and/or contractually required.
We may also process other Personal Data for our legitimate interests, such as to perform analytics and improve our services.
Where our processing is based solely on your consent, you have the right to withdraw your consent at any time. For more information on our legal bases and managing your consent, see the Mahana Website Privacy Notice and Mahana’s Data Subject Portal.
How can I delete my account?
For those who have created user accounts, you can request that your account be deleted either through the mobile app (Under “Manage your Account” in the profile settings tab) or by contacting Customer Support (email@example.com or 1.844.624.2620). Note that, once your account is deleted, you will no longer have access to any product content or tools.
How long is my Personal Data stored?
Mahana retains your Personal Data as long as reasonably necessary to provide the digital therapeutic services to you, and as otherwise required by law, insurance plan contract/regulations or the NHS guidelines, up to a maximum of ten (10) years.
How is my personal data secured?
We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure, we have put in place commercially reasonable physical, electronic, and managerial procedures to safeguard and secure the information we collect online, such as secure server software (SSL), firewalls, multi-factor authentication, and end-to-end encryption. However, no security program is 100% secure, and thus we cannot guarantee the absolute security of your information.
Mahana’s digital health services are provided to you through your smartphone. Thus, there are steps that you should take to protect your device from unauthorized access. You can find more tips for staying safe online at https://staysafeonline.org/stay-safe-online, www.cyberaware.gov.uk and Cybersecurity and Infrastructure Security Agency.
International Transfers for UK users
As noted above, we store your Personal Data on servers located in the US and your data may be processed by both Mahana US and Mahana UK personnel in certain circumstances, such as to provide you with technical support, security activities, or to conduct analytics, research and reporting.
Mahana may also subcontract the processing of your data to, or otherwise share your data with, third parties in the US or other countries outside your country of residence, such as the data collected automatically for analytics, research and reporting. The data protection laws in these countries may be different from, and less stringent than, those in your country of residence.
We implement standard contractual clauses or other mechanisms as appropriate, to safeguard your Personal Data during such cross-border transfers. We also may transfer information to the United States or another country as necessary for the performance of our agreements with you or to establish, exercise, or defend legal claims.
Our programs or services are not intended for children. If you believe a child who is under age 13 has provided information to Mahana, please contact us using the information provided below.
Changes to this Policy
This Privacy Notice may change from time to time, so please check back periodically to check the most recent modification date to ensure that you are aware of any changes in our processing of your Personal Data. Your continued use of Mahana products and services after any changes signifies your express, explicit, voluntary and unambiguous consent to any such changes. If you do not agree to such changes, you must immediately stop using Mahana programs and services.
Contact Us About Complaints, Questions or Notices Related to this Privacy Notice
Mahana digital health programs are created by Mahana Therapeutics, Inc., on behalf of itself and its UK subsidiary, Mahana Therapeutics, Ltd. You can contact us as follows:
Mahana Therapeutics, Inc., a Delaware corporation (6703171)
201 Mission Street, Suite 1200
San Francisco, California 94105 USA
Mahana Therapeutics, Ltd., registered in England and Wales (11995982)
Suite 2, First Floor
10 Temple Back
Bristol, United Kingdom BS1 6FL
Our data protection officer's contact details are: Kathleen Determann, JD, CIPP/E, CIPM; firstname.lastname@example.org. You can also submit named or anonymous complaints via our Data Subject Portal. If your issue is not resolved, you can report to the applicable supervisory authority (such as the California Office of Attorney General, California Privacy Protection Agency, US Federal Trade Commission or Information Commissioner’s Office (UK)).
Right to withdraw consent
In relation to our product, you may have given consent for Mahana to contact you by certain means as part of our digital therapy (e.g., text reminders), to send marketing materials, or to share your Personal Data with Clinical Partners. You have the right to withdraw any consent you may have previously given us at any time. If you withdraw your consent, this will not affect the lawfulness of our collecting, using and sharing of your Personal Data or Sensitive Data as contemplated up to the point in time that you withdraw your consent. Even if you withdraw your consent, we may still use your information that (i) has been fully anonymized and does not personally identify you; or (ii) that has been collected under a legal basis other than consent, to the extent such use continues to be necessary for that other purpose. If you would like to withdraw consent for further processing your Personal Data, please submit a written request to Mahana’s Data Subject Portal. For more information on other types of consents, please see Mahana’s Website Privacy Notice.
© Copyright 2022. Mahana Therapeutics, Inc. All Rights Reserved