Last Updated: April 27, 2022
MirrorMe3D, LLC
PLATFORM PRIVACY POLICY
We at MirrorMe3D, LLC (“MirrorMe,” “we,” “us,” or “our”) have created this privacy policy (this “Privacy Policy”) because we know that you care about how information you provide to us is used and shared. This Privacy Policy relates to the information collection and use practices of MirrorMe in connection with our Platform, which is made available to you at app.mirrorme3d.com. This Privacy Policy includes an agreement to abide by the Health Insurance Portability and Accountability Act (HIPAA) Rules, namely the Privacy, Security, Breach Notification, and Enforcement Rules found at 45 CFR Part 160 and Part 164.
Description of Users and Acceptance of Terms
This Privacy Policy applies to customers who have signed up to access and use the Platform and the services offered through the Platform (the “Users”), including Doctors, a Doctor’s practice group, staff, clinical team, employees, contractors, or agents authorized by User to access and use the Platform as administrators (“Administrative Users” or “Clinical Team”), and Doctors invited and authorized by Administrative Users to access and use one or more patient workspaces through the Platform (“Doctors”).
By clicking “I AGREE,” when you sign up to access and use the Platform, you acknowledge that you have read, understood and agree to be legally bound by the terms of this Privacy Policy, and the accompanying Platform Terms of Use.
Capitalized terms not defined in this Privacy Policy shall have the meaning set forth in our Platform Terms of Use.
The Information We Collect and/or Receive
In the course of operating the Platform and the Website, we will collect (and/or receive) the following types of information. By using the Platform and the Website, you authorize us to collect and/or receive such information.
1. Contact Information.
In order to access and use our Platform, you will have to create an account by providing your name and an email address where you can receive and respond to communications from MirrorMe3D (collectively, the “Contact Information”).
2. Patient Records.
Through the Platform, Doctors will create access-controlled Patient Profiles that will contain a patient’s name, email, telephone, date of birth and Patient ID and may contain additional information such as an address, gender, biological sex, race, eye color and height (“Patient Content”). This patient metadata is accessible only by the creator of the Patient Profile and the authorized users within their Platform account. For each Patient Profile, the User creates one or more Cases, each relating to a specific treatment, procedure, or course of care (as determined by the User) for that patient. The Case details will include a title (usually a description of the Case) and the date of the Case. The User can then identify any collaborating doctors and upload the medical imaging files, whether 3D imaging, DICOM files or 2D imaging such as JPEG or PNG files (collectively, the “Medical Content”). Users and collaborating doctors may append annotations, comments or notes to the Case. The information relating to the patient’s Case may be shared with a collaborating doctor and/or with the individual patient. This information can be viewed on the Platform but cannot be downloaded by either Doctors or Patients, except that a User may download the Medical Content that the User itself uploaded to that particular Case. To the extent Medical Content includes biometric data of the patient, you hereby represent to us that you have received a written release signed by the patient authorizing us to collect, store and process the patient’s biometric data for the purposes disclosed in this Privacy Policy.
3. Other Information.
In addition to the Contact Information, the Patient Content and the Medical Content, we may collect additional information (the “Other Information”). Such Other Information may include:
a. From Your Activity. Information that we automatically collect when you visit the Platform and the Website, such as your IP address, browser type and language, referring and exit pages and URLs, date and time, amount of time spent on particular pages, what sections of the Platform and the Website you visit, and similar information concerning your use of the Platform and the Website.
b. From Cookies. We collect information using “cookie” technology. Cookies are small packets of data that a browser or website stores on your computer’s or mobile device’s hard drive so that your browser will “remember” information about your visit. Some of the Platform’s third-party services use session cookies, which expire once you close your web browser, to enhance your experience using the Platform and the Website. If you do not want your browser to place a cookie on your hard drive, you may be able to turn that feature off by accessing your browser’s settings. Please consult your Internet browser’s documentation for information on how to do this and how to delete persistent cookies. However, if you decide not to accept cookies from us, or to block all cookies, the Platform and the Website may not function properly.
c. Third-Party Analytics. We use one or more third-party analytics services (such as Google Analytics) to evaluate the general use of the Platform and the Website, compile reports on activity (based on their collection of IP addresses, Internet service provider, browser type, operating system and language, referring and exit pages and URLs, date and time, amount of time spent on particular pages, what sections of the Website are visited, number of links clicked while on the Platform and the Website, search terms and other similar usage data), and analyze performance metrics. These third parties use cookies and other technologies to help analyze and provide us the data. By accessing and using the Website and/or the Platform, you consent to the processing of this data about your session by these analytics providers in the manner and for the purposes set out in this Privacy Policy. The third-party services we use are listed below by function. Please be advised that if you opt out of any of these services, you may not be able to use the full functionality of the Website and/or the Platform.
• Customer Support
o Intercom, Webflow, Typeform
• Functionality and Infrastructure Optimizations
o Amazon Web Services, Cloudflare, Auth0, SendGrid
• Invoice and Billing
o Stripe, Xero
• Web and Mobile Analytics
o Google Analytics, DataDog
• Website Hosting
o Amazon Web Services
How We Use and Share the Information
We will use the Contact Information, the Medical Content and the Other Information, but not the Patient Content (collectively, the “Information”), to provide the Website and Platform to you, solicit your feedback, inform you about our products and services, provide customer support and improve our Website and Platform.
You also authorize us to use and/or share your Information as described below.
• Agents, Providers and Related Third Parties. We may engage other companies and individuals to perform certain business-related functions on our behalf. Examples may include providing technical assistance, order fulfillment, customer service, and marketing assistance. These other companies will have access to the Information only as necessary to perform their functions and to the extent permitted by law. We may also share your Information with any of our parent companies, subsidiaries, or other companies under common control with us.
• Aggregated Information. In an ongoing effort to better understand our users, we might analyze your Information in aggregate form in order to operate, maintain, manage, and improve the Website and the Platform. This aggregate information does not identify you personally and does not identify patient protected health information. We may share this aggregate data with our affiliates, agents, and business partners. We may also disclose aggregated user statistics in order to describe our Platform to current and prospective business partners and to other third parties for other lawful purposes.
• Business Transfers. As we develop our businesses, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, sale of assets, dissolution, or similar event, your Information may be part of the transferred assets.
• Legal Requirements. To the extent permitted by law, we may also disclose your Information: (i) when required by law, court order, or other government or law enforcement authority or regulatory agency; or (ii) whenever we believe that disclosing such information is necessary or advisable, for example, to protect the rights, property, or safety of MirrorMe or others.
HIPAA Acknowledgement and Agreement
MirrorMe agrees to implement protections for any patient protected health information provided by Users subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the subsequent Privacy Rule, Security Rule and Breach Notification Rule. To the extent that the terms of this Privacy Policy with regard to the use and disclosure of protected health information may be inconsistent with this HIPAA Acknowledgement and Agreement (the “HIPAA Agreement”), the terms of the HIPAA Agreement shall supersede the terms of the Privacy Policy.
Obligations
MirrorMe agrees to:
(a) Not use or disclose protected health information other than as permitted or required by law;
(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;
(c) Report to Users any use or disclosure of protected health information not provided for by this Agreement of which it becomes aware, including breaches of unsecured protected health information, and any security incident of which it becomes aware;
(d) In accordance with HIPAA standards and rules, if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of MirrorMe agree to the same restrictions, conditions, and requirements that apply to MirrorMe with respect to such information;
(e) Make available protected health information in a designated record set to the User as necessary to satisfy User’s obligations under HIPAA standards and rules;
(f) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the User pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy User’s obligations under 45 CFR 164.526;
(g) Maintain and make available the information required to provide an accounting of disclosures to the User as necessary to satisfy the User’s obligations under HIPAA standards;
(h) To the extent MirrorMe is to carry out one or more of User's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the User in the performance of such obligation(s); and
(i) Make its internal practices, books, and records available to the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
Permitted Uses and Disclosures by MirrorMe
a) MirrorMe may only use or disclose patient protected health information as follows:
The MirrorMe Platform is a web-based application intended to be used as a software interface to assist Users in the visualization and communication of treatment options and, as such, Users will upload patient protected health information including the minimum necessary patient identifiers and medical imaging files. The Platform allows Users to view and annotate the medical images in a 3D viewer and to share access with collaborating doctors or allow limited access by patients. The Platform is intended for use by surgeons who are planning soft tissue surgical treatments. It is not intended to eliminate, replace, or substitute, in whole or in part, the healthcare provider’s judgment and analysis of the patient’s condition. The Platform’s image display function is intended as a secondary display and is not for primary diagnostic use. MirrorMe may also use or disclose patient protected health information through its patient-specific, soft tissue planning business, which may provide certain products, including, without limitation, templates, guides, splints, and/or anatomical models (collectively, the “Products”), and certain patient-specific planning services (the “Services”) for use in connection with the Products.
b) MirrorMe may use or disclose protected health information as required by law.
c) MirrorMe agrees to make uses and disclosures and requests for protected health information consistent with User’s minimum necessary policies and procedures.
d) MirrorMe may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by User except for the specific uses and disclosures set forth below.
e) MirrorMe may use protected health information for the proper management and administration of MirrorMe or to carry out the legal responsibilities of MirrorMe.
f) MirrorMe may disclose protected health information for the proper management and administration of MirrorMe or to carry out the legal responsibilities of MirrorMe, provided the disclosures are required by law, or MirrorMe obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies MirrorMe of any instances of which it is aware in which the confidentiality of the information has been breached.
g) MirrorMe may provide data aggregation services relating to the health care operations of the User.
Term and Termination
(a) Term. The Term of this Agreement shall be effective as of the date the User creates an account with MirrorMe and shall terminate on notification or on the date User terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
(b) Termination for Cause. MirrorMe authorizes termination of this Agreement by User if User determines MirrorMe has violated a material term of the Agreement and MirrorMe has not cured the breach or ended the violation within the time specified by User.
(c) Obligations of MirrorMe Upon Termination. Upon termination of this Agreement for any reason, MirrorMe shall destroy or return to the User all protected health information received from the User, or created, maintained, or received by MirrorMe on behalf of User, that MirrorMe still maintains in any form. MirrorMe shall retain no copies of the protected health information.
Accessing and Modifying Information and Communication Preferences
If you have provided us any personal information, you may access, remove, review, and/or make changes to the same by contacting us at dataprotection@mirrorme3d.com. In addition, you may manage your receipt of marketing and non-transactional communications by clicking on the “Unsubscribe” link located on the bottom of any MirrorMe marketing e-mail. We will use commercially reasonable efforts to process such requests in a timely manner. You should be aware, however, that it is not always possible to completely remove or modify information in our subscription databases.
How We Protect the Information
Protecting patient privacy and keeping you and your Patient Content and Medical Content secure are among our biggest priorities. Our Privacy Policy details how we may use, share, and maintain the information that you voluntarily share with MirrorMe in regard to normal business operations, which may include, without limitation, your Patient Content, your Medical Content, and other personally identifiable patient information (collectively, “Protected Health Information” or “PHI”).
Security Protections for the Protected Health Information
We have implemented a series of physical, personnel, administrative, access control, system, third party and transmission safeguards to prevent unauthorized access, to maintain data integrity and to ensure that only authorized persons who need to access PHI can do so. A brief description of some of our security measures follows.
Physical Security measures include:
· Physical access to servers is restricted to MirrorMe3D personnel who have been authorized for server access
· A documented disaster recovery plan
Personnel Security measures include:
· Background and criminal reference check for employees
· Annual HIPAA and general privacy and security training for employees
Administrative Security measures include:
· Documentation of compliance training and regularly scheduled risk assessments
· Sanctions for employee violations of company policies and practices
Access Control Security measures include:
· Restricting access to protected health data, including PHI, to approved personnel on need basis only
· Identity Authentication including, but not limited to, written signature, passwords, tokens, biometrics or a combination thereof
System Security measures include:
· Business associate agreements and/or other business agreements with all partners, third parties and vendors with whom we share information that require them to implement all appropriate security procedures to maintain confidentiality
· Individual confidentiality agreements with all employees and consultants who are required to come into contact with your PHI
· Data protection agreements, including European Commission-approved Standard Contractual Clauses with business partners where PHI is to be processed from the European Economic Area
Transmission Security measures include:
· At-Rest and In-Transit Encryption of all Medical Information and Protected Health Information transmitted to and from our App and stored in our systems
Unless otherwise stated, we handle all protected health information as required by HIPAA. We do not allow third parties to extract any protected health information from our Platform unless required by law or as required for normal business operations. All third parties are listed in this Privacy Policy for your review. By using our Platform, you agree, without limitation, that we are acting lawfully while conducting legitimate business.
While we cannot guarantee that loss, misuse or alteration of data will not occur, we are committed to using proven safeguards, current best practices and security audit procedures designed to prevent any loss, misuse or alteration of data. You will be promptly notified of any security breach that may have allowed disclosure of, or compromised the security and privacy of, any of your Protected Health Information.
External Sites
The Platform and the Website may contain links to External Sites. MirrorMe has no control over the privacy practices or the content of these External Sites. As such, we are not responsible for the content or the privacy policies of those External Sites. You should check the applicable third-party privacy policy and terms of use when visiting any External Sites.
Children
We do not knowingly collect personal information from children under the age of 18 through the Platform and the Website without consent of their parent(s) or legal guardians. If you are under 18, please do not use the Platform. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce our Privacy Policy by instructing their children never to provide personal information through the Platform and the Website without their permission. If you have reason to believe that a child under the age of 18 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.
Important Notice to Non-U.S. Residents
The Website, the Platform and their servers are operated in the United States. If you are located outside of the United States, please be aware that any information you provide to us may be transferred to, processed, maintained, and used on computers, servers, and systems located outside of your state, province, country, or other governmental jurisdiction, where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to use the Platform, you do so at your own risk.
California Privacy Rights
Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to obtain certain information about the types of personal information that companies with whom they have an established business relationship (and that are not otherwise exempt) have shared with third parties for direct marketing purposes during the preceding calendar year, including the names and addresses of those third parties, and examples of the types of services or products marketed by those third parties. If you wish to submit a request pursuant to Section 1798.83, please contact MirrorMe via email at dataprotection@mirrorme3d.com.
MirrorMe does not monitor, recognize, or honor any opt-out or Do Not Track mechanisms, including general web browser “Do Not Track” settings and/or signals, with regard to application functionality and performance.
Changes to This Privacy Policy
This Privacy Policy is effective as of the date stated at the top of this Privacy Policy. We may change this Privacy Policy from time to time with or without notice to you. Any such changes will be posted on the Platform. In any event, you will be required to affirmatively accept the revised Privacy Policy before next logging in to your account. Please be aware that, to the extent permitted by applicable law, our use of your Information is governed by the Privacy Policy in effect at the time we collect the Information. Please refer back to this Privacy Policy on a regular basis.
How to Contact Us
If you have questions about this Privacy Policy, please contact us at the address below or via e-mail at dataprotection@mirrorme3d.com with “Privacy Policy” in the subject line.
MirrorMe3D
Attn: Legal Affairs
222 West 37th Street
Suite 1506
New York, NY 10018
USA