Last Updated: April 27, 2022
Description of Users and Acceptance of Terms
The Information We Collect and/or Receive
In the course of operating the Platform and the Website, we will collect (and/or receive) the following types of information. By using the Platform and the Website, you authorize us to collect and/or receive such information.
1. Contact Information.
In order to access and use our Platform, you will have to create an account by providing your name and an email address where you can receive and respond to communications from MirrorMe3D (collectively, the “Contact Information”).
2. Patient Records.
Through the Platform, Doctors will create access-controlled Patient Profiles that will contain a patient’s name, email, telephone, date of birth and Patient ID and may contain additional information such as an address, gender, biological sex, race, eye color and height (“Patient Content”). This patient metadata is accessible only by the creator of the Patient Profile and the authorized users within their Platform account. For each Patient Profile, the User creates a Case(s) that relates to a specific treatment, procedure, or course of care (as determined by the User) for that patient. The Case details will include a title (usually a description of the Case) and the date of the Case. The User can then identify any collaborating doctors, and upload the
3. Other Information.
In addition to the Contact Information, the Patient Content and the Medical Content, we may collect additional information (the “Other Information”). Such Other Information may include:
a. From Your Activity. Information that we automatically collect when you visit the Platform and the Website, such as your IP addresses, browser type and language, referring and exit pages and URLs, date and time, amount of time spent on particular pages, what sections of the Platform and the Website you visit, similar information concerning your use of the Platform and the Website.
b. From Cookies. We collect information using “cookie” technology. Cookies are small packets of data that a browser or website stores on your computer’s or mobile device’s hard drive so that your browser will “remember” information about your visit. Some of the Platform’s third-party services use session cookies, which expire once you close your web browser, to enhance your experience using the Platform and the Website. If you do not want your browser to place a cookie on your hard drive, you may be able to turn that feature off by accessing your browser’s settings. Please consult your Internet browser’s documentation for information on how to do this and how to delete persistent cookies. However, if you decide not to accept or block all cookies from us, the Platform and the Website may not function properly.
• Customer Support
o Intercom, Webflow, Typeform
• Functionality and Infrastructure Optimizations
o Amazon Web Services, Cloudflare, Auth0, SendGrid
• Invoice and Billing
o Stripe, Xero
• Web and Mobile Analytics
o Google Analytics, DataDog
• Website Hosting
o Amazon Web Services
How We Use and Share the Information
We will use the Contact Information, Medical Content and the Other Information, but not the Patient Content, (collectively, the “Information”) to provide the Website and Platform to you, solicit your feedback, inform you about our products and services, provide customer support and to improve our Website and Platform.
You also authorize us to use and/or share your Information as described below.
• Agents, Providers and Related Third Parties. We may engage other companies and individuals to perform certain business-related functions on our behalf. Examples may include providing technical assistance, order fulfillment, customer service, and marketing assistance. These other companies will have access to the Information only as necessary to perform their functions and to the extent permitted by law. We may also share your Information with any of our parent companies, subsidiaries, or other companies under common control with us.
• Aggregated Information. In an ongoing effort to better understand our users, we might analyze your Information in aggregate form in order to operate, maintain, manage, and improve the Website, and the Platform. This aggregate information does not identify you personally and does not identify patient protected health information. We may share this aggregate data with our affiliates, agents, and business partners. We may also disclose aggregated user statistics in order to describe our Platform to current and prospective business partners and to other third parties for other lawful purposes.
• Business Transfers. As we develop our businesses, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, sale of assets, dissolution, or similar event, your Information may be part of the transferred assets.
• Legal Requirements. To the extent permitted by law, we may also disclose your Information: (i) when required by law, court order, or other government or law enforcement authority or regulatory agency; or (ii) whenever we believe that disclosing such information is necessary or advisable, for example, to protect the rights, property, or safety of MirrorMe or others.
HIPAA Acknowledgement and Agreement
MirrorMe agrees to:
(a) Not use or disclose protected health information other than as permitted or required by law;
(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;
(c) Report to Users any use or disclosure of protected health information not provided for by this agreement of which it becomes aware, including breaches of unsecured protected health information, and any security incident of which it becomes aware;
(d) In accordance with HIPAA standards and rules, if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of MirrorMe agree to the same restrictions, conditions, and requirements that apply to MirrorMe with respect to such information;
(e) Make available protected health information in a designated record set to the User as necessary to satisfy User’s obligations under HIPAA standards and rules;
(f) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the User pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy User’s obligations under 45 CFR 164.526;
(g) Maintain and make available the information required to provide an accounting of disclosures to the User as necessary to satisfy the User’s obligations under HIPAA standards;
(h) To the extent MirrorMe is to carry out one or more of User's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the User in the performance of such obligation(s); and
(i) Make its internal practices, books, and records available to the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
Permitted Used and Disclosures by MirrorMe
a) MirrorMe may only use or disclose patient protected health information as follows:
The MirrorMe Platform is a web-based application intended to be used as a software interface to assist Users in the visualization and communication of treatment options and as such, Users will upload patient protected health information including the minimum necessary patient identifiers and medical imaging files. The Platform allows users to view and annotate the medical images in a 3D viewer and share the access with collaborating doctors or allow limited access by patients. The Platform is intended for use by surgeons who are planning soft tissue surgical treatments. It is not intended to eliminate, replace, or substitute, in whole or in part, the healthcare provider’s judgment and analysis of the Patient’s condition. The Platform’s image display function is intended as a secondary display and is not for primary diagnostic use. MirrorMe may also use or disclose patient protected health information through its patient-specific, soft tissue planning business, may provide certain products including, without limitation, templates, guides, splints, and/or anatomical models (collectively, the “Products”) and certain patient-specific planning services (the “Services”) for use in connection with the Products.
b) MirrorMe may use or disclose protected health information as required by law.
c) MirrorMe agrees to make uses and disclosures and requests for protected health information consistent with User’s minimum necessary policies and procedures.
d) MirrorMe may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by User except for the specific uses and disclosures set forth below.
e) MirrorMe may use protected health information for the proper management and administration of MirrorMe or to carry out the legal responsibilities of MirrorMe.
f) MirrorMe may disclose protected health information for the proper management and administration of MirrorMe or to carry out the legal responsibilities of MirrorMe, provided the disclosures are required by law, or MirrorMe obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies MirrorMe of any instances of which it is aware in which the confidentiality of the information has been breached.
g) MirrorMe may provide data aggregation services relating to the health care operations of the User.
Term and Termination
(a) Term. The Term of this Agreement shall be effective as of the date the User creates an account with the MirrorMe and shall terminate on notification or on the date User terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
b) Termination for Cause. MirrorMe authorizes termination of this Agreement by User, if User determines MirrorMe has violated a material term of the Agreement and MirrorMe has not cured the breach or ended the violation within the time specified by User.
c) Obligations of MirrorMe Upon Termination. Upon termination of this Agreement for any reason, MirrorMe shall destroy or return to the User all protected health information received from the User, or created, maintained, or received by MirrorMe on behalf of User, that MirrorMe still maintains in any form. MirrorMe shall retain no copies of the protected health information.
Accessing and Modifying Information and Communication Preferences
If you have provided us any personal information, you may access, remove, review, and/or make changes to the same by contacting us at firstname.lastname@example.org. In addition, you may manage your receipt of marketing and non-transactional communications by clicking on the “Unsubscribe” link located on the bottom of any MirrorMe marketing e-mail. We will use commercially reasonable efforts to process such requests in a timely manner. You should be aware, however, that it is not always possible to completely remove or modify information in our subscription databases.
How We Protect the Information
Security Protections for the Protected Health Information
We have implemented a series of physical, personnel, administrative, access control, system, third party and transmission safeguards to prevent unauthorized access, to maintain data integrity and to ensure that only authorized persons who need to access PHI can do so. A brief description of some of our security measures follows.
Physical Security measures include:
· Physical access to servers is restricted to MirrorMe3D personnel who have been authorized for server access
· Disaster recovery plan outlined
Personnel Security measures include:
· Background and criminal reference check for employees
· Annual HIPAA and general privacy and security training for employees
Administrative Security measures include:
· Documentation of compliance training and regularly scheduled risk assessments
· Sanctions for employee violations of company policies and practices
Access Control Security measures include:
· Restricting access to protected health data, including PHI, to approved personnel on need basis only
· Identity Authentication including, but not limited to, written signature, passwords, tokens, biometrics or a combination thereof
System Security measures include:
· Business associate agreements and/or other business agreements with all partners, third parties and vendors with whom we share information that require them to implement all appropriate security procedures to maintain confidentiality
· Individual confidentiality agreements with all employees and consultants who are required to come into contact with your PHI
· Data protection agreements, including European Commission-approved Standard Contractual Clauses with business partners where PHI is to be processed from the European Economic Area
Transmission Security measures include:
· At-Rest and In-Transit Encryption of all Medical Information and Protected Health Information transmitted to and from our App and stored in our systems
While we cannot guarantee that loss, misuse or alteration of data will not occur, we are committed to using proven safeguards, current best practices and security audit procedures designed to prevent any loss, misuse or alteration of data. You will be promptly notified of any security breach which may have allowed disclosure or compromised the security and privacy of any of your Protected Health Information.
Important Notice to Non-U.S. Residents
The Website, the Platform and their servers are operated in the United States. If you are located outside of the United States, please be aware that any information you provide to us maybe transferred to, processed, maintained, and used on computers, servers, and systems located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to use the Platform, you do so at your own risk.
California Privacy Rights
Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to obtain certain information about the types of personal information that companies with whom they have an established business relationship (and that are not otherwise exempt) have shared with third parties for direct marketing purposes during the preceding calendar year, including the names and addresses of those third parties, and examples of the types of services or products marketed by those third parties. If you wish to submit a request pursuant to Section 1798.83, please contact MirrorMe via email at email@example.com.
MirrorMe does not monitor, recognize, or honor any opt-out or do not track mechanisms, including general web browser “Do Not Track” settings and/or signals with regard to application functionality and performance.
How to Contact Us
Attn: Legal Affairs
222 West 37th Street
New York, NY 10018