Nerva Privacy Policy (Non-Australia)

Mindset Health Pty Ltd (ABN: 11 617 368 957) (“we”) are committed to protecting and respecting your privacy. This Privacy Policy (“Policy”) (together with our Terms and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us and how you can get access to this information. If in doubt, the primary governing law of this policy is that of the state of Victoria, Australia. This Policy applies to people living outside of Australia, Australian residents have a separate policy below this policy that applies.

1. Purpose of this Policy

Mindset Health provides you (the “User”) with access to the online and mobile services associated with Nerva, including but not limited to, try.nervaibs.com and all associated subdomains (the “Website”), and the Nerva mobile application (the “App”), collectively the “System”.

2. Processing your data

What is the purpose of our processing?

We process your data in order to provide a program of personalised tools for helping you change your smoking habits (and to support the delivery of that program).

What is our legal basis for processing?

We require consent from all users before processing their data. This consent can be withdrawn at any time.

What data do we collect?

Personal information

Personal Information or personal data or personal identifiable information (PII) means information relating to an identified or identifiable natural person who can be directly or indirectly identified by reference to an identifier.

We collect and use information like your name, email address, gender, country, city, state and age bracket to personalise the course and communicate with you. You're able to opt out of any external communications (i.e., email and push notifications) at any time.

Health information

We collect information about your IBS symptoms (including, but not limited to, self-reported symptoms or difficulties associated with diarrhoea, pain, constipation, wind, bloating, nausea, anxiety and stress) in order to personalise our program.

We may also collect general information about your mental and physical wellbeing in order to evaluate progress against your self-defined goals.

Electronic identifiers

We may collection information about the devices you use to access the System, including (but not limited to) IP address, mobile device UDID and IMEI numbers, operating system, browser type, and screen size. This information is used to provide you with customer support, for system administration, to tailor your experience of the System, to report aggregate information internally, and to assist communication (e.g., push notifications).

Cookies

We may store cookies (small text files managed by your web browser) on your computer in order to improve your experience with the System. Example uses of these cookies include: recognising you when you return to the System, maintaining data you've entered across multiple sessions, and storing information about your personal preferences.

You may refuse to accept cookies by changing the settings on your device to prevent cookies from being set. However, if you select this setting you may be unable to access certain parts of the System. Unless you have adjusted your browser setting so that it will refuse cookies, our system may issue cookies when you visit the System.

Non-identifiable information

Non-Personal Information means any information that does not reveal Your specific identity either directly or indirectly.

We may include your data in aggregated data sets shared with our research partners. In these sets, your data is not personally identifiable, and would be used for supporting generalised statements (e.g., "women ages 30-40 working improved their IBS symptoms by more than men"). If you'd like to opt out, please email hello@mindsethealth.com.

Usage Data

Information collected automatically through Mindset Health (or third-party services employed in Mindset Health), which can include: behavioural data (e.g. number of sessions you complete, what techniques you practice or how many times you practice the techniques), the IP addresses or domain names of the computers utilised by the Users who use Mindset Health, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilised to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilised by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.

3. Who has access to that data?

Mindset Health understands that your identifiable health information is private and personal and is dedicated to maintaining its confidentiality and integrity. As such, we will never sell or rent it, and we have policies, procedures, and other safeguards to help protect it from improper use and disclosure.

The following categories describe the ways in which we use your identifiable health information and the rare instances that require us to disclose it to persons and entities outside of Mindset Health. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorisation.

Mindset Health does not disclose Personal Information to third parties for any purpose materially different from the purpose(s) for which it was originally collected.

Disclosure at your request

We may disclose information relating to your use of the System when requested by you. This disclosure at your request may require written authorisation by you.

Payment

We do not store credit card or customer details with any 3rd parties except trusted suppliers who help us deliver the services associated with the System and we are committed to ensuring that all suppliers meet our security and data protection standards.

Services and Operations

We may use and disclose your identifiable health information in connection with providing services, for our internal operations, which include administration, eligibility, planning, analytics and various activities that assess and improve the quality and cost effectiveness of the service that we deliver to you. Examples are using information about you to improve quality of the service, satisfaction surveys, de-identifying health information, customer services and internal training. To the extent you receive access to our Website and App through your employer or your health plan, our services may include supporting, and sharing information with, your employer’s wellness program, your health plan or third-party administrator or other similar programs. Possible information to be shared may include participation data (i.e. the fact that you used Nerva), milestone data (e.g. number of sessions you complete or how many times you practice the techniques) to allow you to earn incentives and rewards (if those are offered as part of your wellness program), as well as data from your self-reported IBS-related symptoms.

Emails

We may receive a confirmation when you open an email from us, or click on a link in an email, if your computer supports this type of program. We use this confirmation to help us make emails more interesting and helpful. When you receive an email from us, you can opt out of receiving further emails by following the included instructions to unsubscribe. However, by opting out of further email communications after you sign up, you may limit program reminders and other valuable program content and components.

In-app Chat

We allow chat support messages within the Nerva app and Website to support your interaction with, or completion of tasks relating to your use of the System. We may use your personal information and health information assist in these conversations. You can opt out by emailing us at hello@mindsethealth.com.

Reminders and notifications

We may use and disclose your identifiable health information to contact you as a reminder to interact with, or complete tasks relating to your use of the System. You may make changes to the format and frequency of these reminders, or cancel these reminders and/or notifications by logging into your Nerva account in the App, and/or by accessing the native notification settings on your mobile device when using the App.

Third party service providers

There are some services provided in our organisation through third party services providers. Examples of third party services providers include accounting services, server hosting and email delivery providers, business associates, vendors and other business partners and reputable companies in the industry who subcontract to us or to those of your employer as our corporate customers, where permitted by law. We may disclose your identifiable health information to our third party services providers so that they can perform the job that is required of them. To protect your identifiable health information, we require appropriate contracts or written agreements be in place that safeguard your identifiable health information.

Third party medical professionals

With your explicit permission, we may share your identifiable health information with third party medical professionals nominated by you.

Threat to health or safety

We may use and disclose your identifiable health information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.

As required by law

Certain laws permit or require certain uses and disclosures of identifiable health information for example, for public health activities, health oversight activities and law enforcement. In these instances, Mindset Health will only use or disclose your identifiable health information to the extent the law requires.

For research and publicity purposes

We may use de-identifying health information for internal and external research and publicity purposes. This may include publishing aggregate information about our users (for example, that women ages 30-40 with IBS improved their symptoms by 70%) in the context of providing public health information and conducting academic research. In certain instances, we may only provide such information with special waivers and permissions from you. You can opt out by emailing us at hello@mindsethealth.com.

Analytics

Some of the third-party services that we use to monitor and analyse web traffic to keep track of user behaviour include:

• Google Analytics (privacy policy) – We use Google Analytics to help us better understand traffic (add, organic and paid) to and from our site and apps.
  
• Facebook Analytics (privacy policy) – We use Facebook Analytics to help us better understand the traffic that comes from our Facebook and/or Facebook ads.
  
• Amplitude (privacy policy) – We use Amplitude to analyse user behaviour in our site and apps.
  

• Vero (privacy policy) – We use Vero to manage our email newsletter service and collect feedback from app users.
• Segment (privacy policy) – Segment is a tag management service that helps track behavioural data for other third-party service providers.
  

Transfer of business assets

In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets. If Mindset Health or substantially all of its assets are acquired by a third party, personal data held by it about its customers will be one of the transferred assets. Mindset Health will ensure that information transferred to third parties will only be used in a way that is compliant with our privacy principles, and will remain liable in cases of onward transfers to third parties.

4. How do we store your data?

We store all your personal information on secure servers. In some cases, to ensure a fast user experience, we may store some data on your device.

Where you have chosen a password that enables you to access certain parts of our App, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.

We do not store any credit or debit card information. Payments are processed via a third party payment provider that is fully compliant with Level 1 Payment Card Industry (PCI) data security standards. Any payment transactions are encrypted using SSL technology.

Once we have received your information from the app or website, we will use strict procedures and security features to try to prevent unauthorised access. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. Information you provide to us is stored in encrypted form on secure servers located in the US, which are owned and operated by Google Cloud Platform (GCP). GCP are industry leaders in the provision of hosting services and take security very seriously - you can find out more about their security policies and processes in their Security Whitepapers.

We may process some of your data with third parties to use their software platforms who have servers outside the US, UK or EEA to send communication emails to our users, but always in accordance with data protection law and subject to strict safeguards.

5. Your rights

Users of the System have certain specific rights with regard to their information.

Right to access

A user of the System has the right to view all personal information that Mindset Health has collected about them, as well as the disclosure of this data. In order to receive this data, please contact the Security, Privacy, and Compliance Officer. The first copy of this information is provided free of charge, and in a portable / common electronic form (e.g., CSV file).

Right to accuracy

A user of the System has the right to ensure that the data we have stored is accurate. In most cases, the system allows you to directly modify your own information. However, if there is incorrect data within our system that you are not able to change, please contact the Security, Privacy, and Compliance Officer and we will work directly with you to update this information.

Right to deletion

Subject to any exemptions provided by law, a user of the System has the right to request deletion of all data within the system. To request your data be deleted, please contact the Security, Privacy, and Compliance Officer. In most cases, this request will be completed within 30 days. If circumstances require a delay to this deletion, Mindset Health will notify you directly explaining the reason for the delay. Note also that in some cases, there may be a legal requirement to hold on to your data. Again, Mindset Health will notify you directly if this is the case.

Right to withdraw consent

A user of the System has the right to withdraw their consent at any time by contacting the Security, Privacy, and Compliance Officer. Please note that without consent to process your data, we will be unable to deliver the Nerva program.

Right to notification of disclosure

In addition to the right to request disclosures of your data specified in the "right to access" above, we will notify you as required by law if there has been a breach of the security of your identifiable health information.

Concerns or complaints

If you believe that any of your rights with respect to your or others’ identifiable health information have been violated by us, our employees or agents, please communicate with the Mindset Health Security, Privacy, and Compliance Officer.

6. Amending this Policy

We reserve the right to revise this Policy without notification. Any changes or updates will be effective immediately upon posting to https://www.mindsethealth.com/legal/nerva-privacy-policy. Your continued use of the System constitutes your agreement to abide by the Privacy Policy as changed. Under certain circumstances (for example, if we expand the ways in which we use your personal information beyond the uses stated in our Privacy Policy at the time of collection), we may also elect to notify you of changes or updates to our Privacy Policy by additional means, such as by sending you an email.

Questions relating to revisions to this Policy may be addressed to the Security, Privacy, and Compliance Officer.

7. Who can you contact?

Security, Privacy, and Compliance Officer

Mindset Health's Security, Privacy, and Compliance Officer (and Data Controller) can be reached at:
Alexander Naoumidis
Level 2, 620 Church Street, Cremorne VIC 3121

‍privacy@mindsethealth.com

HIPAA

If we are subject to the Health Insurance Portability and Accountability Act (“HIPAA”), you may also contact the Secretary of the U.S. Department of Health and Human Services. Under no circumstances will we take any retaliation against you for filing a complaint.

8. Effective Date

This Policy is effective as of October 26, 2024.

--------------------------------------------------------------------------------

Privacy Policy (Australia)

Last Updated: 26/10/2024

Mindset Health Pty Ltd (ABN 11 617 368 957) (Mindset, us or we) understands the importance of protecting the privacy of an individual’s personal information.

This Privacy Policy applies to people located in Australia and describes how we aim to protect the privacy of your personal information, your rights in relation to your personal information that we manage and the way we collect, hold, use and disclose your personal information.

In handling your personal information, we will comply with the Privacy Act 1988 (Cth) (Privacy Act) and with the Australian Privacy Principles in the Privacy Act and applicable health records legislation. This policy may be updated from time to time.

Personal information we collect

Personal information is information or an opinion about an identified, or reasonably identifiable, individual.  During the provision of our services and products, we may collect your personal information.

Generally, we collect the following kinds of personal information:

• contact and identification details, such as your name, telephone number, email address, date of birth, and postal address;
• service and product usage information, such as the information you provide to us when you interact with our services and products;
• sensitive information including  health information that you may choose to provide in connection with accessing and using our services and products and to personalize your program, for example, information pertaining to IBS, menopause, pain, whether or not you smoke, or information about your worry and anxiety (including, but not limited to, self-reported symptoms or difficulties associated with worry, anxiety, mood, sleep, and stress);  
• payment information needed to complete any purchases (including name, payment card information, billing information), and your transaction history. Payment information is processed by our third-party payment processor Stripe, in accordance with Stripe’s privacy policy and terms of service. We do not have access to payment card numbers;
• communications that we exchange with you, including when you contact us with questions, feedback, or otherwise;
• marketing information, such as your preferences for receiving communications about our services, products and publications, and details about how you engage with our communications; and
• other information required for our functions and activities, including where required by law.

How we collect personal information

Generally, we collect your personal information directly from you, through your use of our services and products, including our app and our website, when you complete an online form, or where you interact with us by way of telephone, email, or post, for example:  

• When you complete forms on our app or website. This includes information provided at the time of registering to use our services and products;
• whenever you provide your personal information to us when reporting a problem with our services or products, making a complaint, making an enquiry, or contacting us for any other reason. If you contact us, we may keep a record of that correspondence;
• details of your visits to our app or website, including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise, and the resources that you access (see our ‘Marketing and cookies’ section below); and
• whenever you disclose your personal information to us, or we collect your personal information from you in any other way, through our app, website or otherwise.

There may be occasions when we collect your personal information from other sources such as from:

• social media platforms. When you visit or interact with our pages on social media platforms such as Facebook, Instagram, Twitter, and LinkedIn, we may obtain your personal information from or through the platform; and
• third-party logins. When you link, connect, or login to use our services and products through a third party service (e.g. Auth0), you direct the third party service to disclose to us personal information as controlled by that service or as authorized by you via your privacy settings at that service.

Generally, we will only collect your personal information from sources other than you if it is unreasonable or impracticable to collect your personal information from you.  

How we use personal information

We collect, hold, use and disclose personal information where it is reasonably necessary for the purposes of:

• providing our services and products to you, including enabling you to create an account on our app,  administering, hosting, and operating our services and products; communicating with you and responding to any inquiries you may have, and analyzing your use of our services and products to allow us to evaluate and improve the services and products;
• accounting, billing, quality assurance, and other internal administrative purposes;
• notifying you about changes to our services and products;
• enabling us to market or promote our services or products to you;
• processing and dealing with any complaints or enquiries made by you;
• research, development, benchmarking, and improving our services and products. We may use your personal information to analyze and improve our services or products, identify trends, and operate and expand our business activities. We may also create aggregated, anonymized, or other de-identified statistics, which we may use for lawful business purposes, including for analytics, forecasting, and strategic planning; and  
• compliance and protection, including to enforce any applicable terms and conditions, comply with legal obligations, defend against legal claims or disputes, protect the security and integrity of our services and products, and identify and investigate fraudulent, harmful, unauthorized, unethical or illegal activity.

We may also use your personal information for purposes related to the above purposes and for which you would reasonably expect us to do so in the circumstances, or where you have consented, or the use is otherwise in accordance with law.

Where personal information is used or disclosed, we take steps reasonable in the circumstances to ensure it is relevant to the purpose for which it is to be used or disclosed.

You are under no obligation to provide your personal information to us.  However, without certain information from you, we may not be able to provide our services and/or products to you.

To whom we disclose your personal information

We disclose your personal information for the purpose for which we collect it.  That is, generally, we will only disclose your personal information for a purpose set out in the ‘How we use your personal information’ section. This may include disclosing your personal information to:

• clinicians. We may share your  personal information with your designated clinician at your direction and with your consent, including your log of events and other relevant personal information in order to allow the clinician to provide you with the appropriate level of assistance. You can stop the sharing of your personal information with a clinician member at any time by deleting that clinician on the app;
• third party service providers. We share your personal information with companies and individuals that provide services on our behalf or help us operate our services and products or our business (such as hosting services, communications, data and cyber security services, billing and payment processing services, fraud detection, investigation and prevention services, web and mobile analytics, email and communication distribution and monitoring services, and customer relation management systems);
• advertising partners. We may share your personal information that we collect on our website with third party advertising companies (including for interest-based advertising purposes), lead generation partners, and channel partners, resellers, and distributors that allow us to explore and pursue growth opportunities;
• professional advisors. We may share your personal information with professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us;
• regulatory bodies if and as necessary;  
• business transferees. We may share your personal information with acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests in, Mindset or our affiliates (including, in connection with a bankruptcy or similar proceedings); and
• as required by law.

Overseas disclosure

We may disclose personal information to overseas recipients in order to provide our services and/or products and for administrative or other business management purposes.

It is impracticable to list all countries in which recipients may be located. However, we are likely to disclose personal information to our parent company in the United States of America and to other related bodies corporate.

Overseas recipients may have different privacy and data protection standards. However, before disclosing any personal information to an overseas recipient, we take steps reasonable in the circumstances to ensure the overseas recipient complies with the Australian Privacy Principles or is bound by a substantially similar privacy scheme unless you consent to the overseas disclosure or it is otherwise required or permitted by law. If you have any queries or objections to such disclosures, please contact our Privacy Officer on the details set in the ‘Contact us’ section below.

Marketing and cookies

We may use and disclose your personal information for direct marketing in order to inform you of products and services that may be of interest to you. In the event you do not wish to receive such communications, you can opt-out by contacting us via the contact details set out in the ‘Contact us’ section below or through any opt-out mechanism contained in a marketing communication to you.

We may use your personal information for marketing and advertising, including for interest-based advertising. We engage our advertising partners, including third party advertising companies and social media companies, to advertise our services and products.

Cookies

We and our service providers may use cookies and other similar technologies to automatically log information about you, your computer or mobile device, and your interaction over time with our services and products, such as:

• Device data, such as your computer’s or mobile device’s operating system, manufacturer and model, browser type, IP address, unique identifiers, language settings, mobile device carrier, and general location information such as city, state or geographic area; and
• Usage data, such as pages or screens you viewed, how long you spent on a page, browsing history, and access times.

Cookies are text files that websites store on your device or in the browser for the purpose of helping you navigate between pages efficiently, remembering your preferences, enabling functionality, and helping us understand user activity and patterns.

Opt-out

Opt-out of push notifications. If you opt in to receive push notifications within the app, we may send push notifications or alerts to your mobile device from time to time. You can deactivate push notifications and alerts at any time by changing your device settings, changing the push notification settings within the application, or deleting the app.

Opt-out of interest-based advertising. You may limit online tracking by:

• Blocking cookies in your browser. Most browsers let you remove or reject third-party cookies, including cookies used for interest-based advertising. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. For more information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit www.allaboutcookies.org.
• Blocking advertising ID use in your mobile settings. Your mobile device settings may provide functionality to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.
• Using privacy plug-ins or browsers. You can block our websites from setting cookies used for interest-based ads by using a browser with privacy features, like Brave, or installing browser plugins like Privacy Badger, Ghostery, or uBlock Origin, and configuring them to block third party cookies/trackers. You can also opt out of Google Analytics by downloading and installing the browser plug-in available at: https://tools.google.com/dlpage/gaoptout.  
• Platform opt outs. The following advertising partners offer opt out features that let you opt out of use of your information for interest-based advertising:
  • Google: www.adsettings.google.com    
  • Facebook: https://www.facebook.com/about/ads
  • Advertising industry opt out tools. You can also use these opt out options to limit use of your information for interest-based advertising by participating companies:
  • Digital Advertising Alliance for Websites: outout.aboutads.info  
  • Digital Advertising Alliance for Mobile Apps: https://youradchoices.com/appchoices
  • Network Advertising Initiative: optout.networkadvertising.org

Note that because these opt out mechanisms are specific to the device or browser on which they are exercised, you will need to opt out on every browser and device that you use.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to "Do Not Track" or similar signals. To find out more about "Do Not Track," please visit http://www.allaboutdnt.com.

Research participation

We may engage in clinical research and trials that use only aggregated and de-identified data we have collected.  If you would not like your personal information used in our studies, please contact us via the contact details set out in the ‘Contact us’ section below.

Data security

We take steps reasonable in the circumstances to ensure that the personal information we hold is protected from misuse, interference and loss and from unauthorised access, modification or disclosure.  

We hold personal information in electronic form on secure servers, including by means of firewalls, encryptions, logins and password protection, accessible only by authorised users.  

We also hold personal information in hard copy form, accessible only by authorised users with an office access pass.  

We will destroy or de-identify personal information on request, unless we are otherwise required or authorised by law to retain the information. We may delete or de-identify personal information in circumstances where it is no longer required.

Children

Our services and products are not intended for use by children without the consent of their parents or guardians. If we learn that we have collected personal information through our services or products from an individual under 15 without the consent of the child’s parent or guardian as required by law, we will delete or destroy it.

Can you access and correct the personal information that we hold about you?

We take steps reasonable in the circumstances to ensure personal information we hold is accurate, up-to-date, complete, relevant and not misleading.  Under the Privacy Act and applicable health records legislation, you have a right to access and seek correction of your personal information that we collect and hold.  

If at any time you would like to access or correct the personal information that we hold about you, or you would like more information on our approach to privacy, please contact our Privacy Officer on the details set out in the ‘Contact us’ section below.

We will grant access to the extent required or authorised by the Privacy Act and applicable health records legislation and take steps reasonable in the circumstances to correct personal information where necessary and appropriate.  

To obtain access to your personal information:

• you will have to provide proof of identity to ensure that personal information is provided only to the correct individuals and that the privacy of others is protected;
• we request that you be reasonably specific about the information you require; and
• we may charge you a reasonable administration fee, which reflects the cost to us, for providing access in accordance with your request.

If we refuse your request to access or correct your personal information, we will provide you with written reasons for the refusal and details of complaint mechanisms. We will also take steps reasonable in the circumstance to provide you with access in a manner that meets your needs and our needs.

We will endeavour to respond to your request to access or correct your personal information within 30 days from your request.  

Contact us

For further information or enquiries regarding your personal information, or if you would like to opt-out of receiving any promotional or marketing communications, please contact our Privacy Officer at: privacy@mindsethealth.com.

Privacy complaints

Please direct all privacy complaints to our Privacy Officer.  At all times, privacy complaints:

• will be treated seriously;
• will be dealt with promptly;
• will be dealt with in a confidential manner; and
• will not affect your existing obligations or affect the commercial arrangements between you and us.

Our Privacy Officer will commence an investigation into your complaint.  You will be informed of the outcome of your complaint following completion of the investigation. If you are dissatisfied with the outcome of your complaint, you may refer the complaint to the Office of the Australian Information Commissioner.

Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy. We may also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via e-mail (if you have an account where we have your contact information) or another manner.

‍