The MirrorMe3D Services are not intended to eliminate, replace, or substitute, in whole or in part, the healthcare provider’s judgment and analysis of the Patient’s condition. The image display function is intended as a secondary display and is not for primary diagnostic use.
In the course of operating the Services, we will collect (and/or receive) the following types of information. By using the MirrorMe3D Services, you authorize us to collect and/or receive such information.
In order to access and use our Platform, Doctors will have to create an account by providing a name and an email address at which they can receive and respond to communications from MirrorMe3D (collectively, the “Contact Information”). Patients may create an account for access by inputting their Contact Information directly on the App or the Platform.
Users, either Patients or Doctors, may generate a 3D capture on the App. The 3D capture can be transferred to a Patient Profile, a Case or to a Patient’s account on the Platform. If the capture was generated by a Patient, it can be transferred to a Doctor’s account and become part of the Medical Content only if the Patient expressly connects to the Doctor to permit access to the 3D capture.
In addition to the Contact Information, the Patient Content and the Medical Content, we may collect additional information (the “Other Information”). Such Other Information may include:
Information that we automatically collect when you visit the Platform, the App and the Website, such as your IP addresses, browser type and language, referring and exit pages and URLs, date and time, amount of time spent on particular pages, what sections of the Platform, the App and/or the Website you visit, and similar information concerning your use of the Services.
We collect information using “cookie” technology. Cookies are small packets of data that a browser or website stores on your computer’s or mobile device’s hard drive so that your browser will “remember” information about your visit. Some of the Platform, App or Website third-party services may use session cookies, which expire once you close your web browser, to enhance your experience using the Services. If you do not want your browser to place a cookie on your hard drive, you may be able to turn that feature off in your browser’s settings. Please consult your Internet browser’s documentation for information on how to do this and how to delete persistent cookies. However, if you decide not to accept, or to block, all cookies from us, the Platform, the App and the Website may not function properly.
Front, Webflow, Typeform
Amazon Web Services, Cloudflare, Auth0, SendGrid
Google Analytics, DataDog
Amazon Web Services
Specifically for iPhone users of the MirrorMe mobile app, our application utilizes Apple's TrueDepth API to collect facial data. We use this data for two primary purposes: to authenticate users and to provide personalized augmented reality effects for 3D scanning.
Important: We do not share this data with third parties.
We will use the Contact Information, Medical Content and the Other Information, but not the Patient Content (collectively, the “Information”), to provide the Platform, App and Website Services to you, solicit your feedback, inform you about our products and services, provide customer support and improve our Services.
MirrorMe3D may access the Medical Content on the Platform and 3D captures on the App to assist a Doctor in visualizing a treatment plan or to design and manufacture products at the direction of the Doctor for use before, during or after a surgical treatment. The MirrorMe3D Platform is a web-based application intended to assist Users in the visualization and communication of treatment options and, as such, Users will upload Patient Content, including the minimum necessary patient identifiers, and Medical Content. The Platform also allows Users to share access with collaborating doctors or to allow limited access by Patients.
You also authorize us to use and/or share your Information as described below.
MirrorMe3D agrees to:
(a) Not use or disclose protected health information other than as permitted or required by law;
(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;
(c) Report to Users any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information, and any security incident of which it becomes aware;
(d) In accordance with HIPAA standards and rules, if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of MirrorMe3D agree to the same restrictions, conditions, and requirements that apply to MirrorMe3D with respect to such information;
(e) Make available protected health information in a designated record set to the User as necessary to satisfy User’s obligations under HIPAA standards and rules;
(f) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the User pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy User’s obligations under 45 CFR 164.526;
(g) Maintain and make available the information required to provide an accounting of disclosures to the User as necessary to satisfy the User’s obligations under HIPAA standards;
(h) To the extent MirrorMe3D is to carry out one or more of User's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the User in the performance of such obligation(s); and
(i) Make its internal practices, books, and records available to the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
MirrorMe3D may only use or disclose patient protected health information as follows:
(a) Term. The Term of this Agreement shall be effective as of the date the User creates an account with MirrorMe3D and shall terminate on notification or on the date the User terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
(b) Termination for Cause. MirrorMe3D authorizes termination of this Agreement by the User if the User determines MirrorMe3D has violated a material term of the Agreement and MirrorMe3D has not cured the breach or ended the violation within the time specified by the User.
(c) Obligations of MirrorMe3D Upon Termination. Upon termination of this Agreement for any reason, MirrorMe3D shall destroy or return to the User all protected health information received from the User, or created, maintained, or received by MirrorMe3D on behalf of the User, that MirrorMe3D still maintains in any form. MirrorMe3D shall retain no copies of the protected health information.
If you have provided us any personal information, you may access, remove, review, and/or make changes to the same by contacting us at email@example.com. In addition, you may manage your receipt of marketing and non-transactional communications by clicking on the “Unsubscribe” link located on the bottom of any MirrorMe3D marketing e-mail. We will use commercially reasonable efforts to process such requests in a timely manner. You should be aware, however, that it is not always possible to completely remove or modify information in our subscription databases.
Security Protections for the Protected Health Information
We have implemented a series of physical, personnel, administrative, access control, system, third party and transmission safeguards to prevent unauthorized access, to maintain data integrity and to ensure that only authorized persons who need to access PHI can do so. A brief description of some of our security measures follows.
Physical Security measures include:
· Physical access to servers is restricted to MirrorMe3D personnel who have been authorized for server access
· Disaster recovery plan outlined
Personnel Security measures include:
· Background and criminal reference check for employees
· Annual HIPAA and general privacy and security training for employees
Administrative Security measures include:
· Documentation of compliance training and regularly scheduled risk assessments
· Sanctions for employee violations of company policies and practices
Access Control Security measures include:
· Restricting access to protected health data, including PHI, to approved personnel on a need-to-know basis only
· Identity authentication including, but not limited to, written signature, passwords, multi-factor authentication, tokens, biometrics or a combination thereof
System Security measures include:
· Business associate agreements and/or other business agreements with all partners, third parties and vendors with whom we share information that require them to implement all appropriate security procedures to maintain confidentiality
· Individual confidentiality agreements with all employees and consultants who are required to come into contact with your PHI
· Data protection agreements, including European Commission-approved Standard Contractual Clauses with business partners where PHI is to be processed from the European Economic Area
Transmission Security measures include:
· At-rest and in-transit encryption of all Medical Information and Protected Health Information transmitted to and from our App and stored in our systems
While we cannot guarantee that loss, misuse or alteration of data will not occur, we are committed to using proven safeguards, current best practices and security audit procedures designed to prevent any loss, misuse or alteration of data. You will be promptly notified of any security breach which may have allowed disclosure or compromised the security and privacy of any of your Protected Health Information.
The Website, the Platform, the App and their servers are operated in the United States. If you are located outside of the United States, please be aware that any information you provide to us may be transferred to, processed, maintained, and used on computers, servers, and systems located outside of your state, province, country, or other governmental jurisdiction, where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to use the MirrorMe3D Services, you do so at your own risk.
Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to obtain certain information about the types of personal information that companies with whom they have an established business relationship (and that are not otherwise exempt) have shared with third parties for direct marketing purposes during the preceding calendar year, including the names and addresses of those third parties, and examples of the types of services or products marketed by those third parties. If you wish to submit a request pursuant to Section 1798.83, please contact MirrorMe3D via email at firstname.lastname@example.org.
MirrorMe3D does not monitor, recognize, or honor any opt-out or do not track mechanisms, including general web browser “Do Not Track” settings and/or signals with regard to application functionality and performance.
Attn: Legal Affairs
222 West 37th Street
New York, NY 10018