Privacy Policy - SleepImage

PRIVACY POLICY – US / UK / EU / Australia / Canada

SleepImage

Date of Last Revision: April 1, 2025

MyCardio, LLC dba SleepImage ("MyCardio", "we" or "us") is a medical device manufacturer that provides technology ("Technology") that accesses, collects, and stores certain information and data from compatible devices that are used with the Technology to aid clinical evaluation of sleep quality and sleep disorders. The Technology uses this data, independently or in combination with other data, for cardiopulmonary coupling (CPC) analysis, which provides physiological data for clinical analysis ("Sleep Data"). The Technology is intended for use by or on the order of healthcare professionals to aid in the evaluation of sleep disorders and to enable such professionals to provide Sleep Data information about patients under their care for health and wellness purposes.

THE SLEEPIMAGE OFFERINGS

As described in this Privacy Policy (the "Policy"), we collect certain information from visitors to our website found at www.sleepimage.com (including any subdomains thereof) (collectively, the "Website"). We also collect information from patients under the care of a healthcare professional through our related mobile application (the "App"). Patients under the care of a healthcare professional are referred to as "Patients." We also create, receive, maintain, and transmit personal information that is submitted to our Technology by healthcare professionals (each, a "Clinician") or that is transmitted to our Technology by Patients using the App. The Technology includes identifiable information about Patients and Clinicians. The Website, App, and Technology are collectively referred to as the "SleepImage Offerings." "Users" or "You" means Patients.

Please read this Policy carefully to understand our policies and practices regarding collection, use, and sharing of information. By engaging with the SleepImage Offerings, Users consent to the collection, use, sharing, and storage of their personal information, as described in this Policy. This Policy is incorporated into and is subject to the MyCardio Terms of Use Agreement (the "Agreement"). If you do not agree with this Policy, you are not authorized to use the SleepImage Offerings.

This Policy applies to information we collect from Users or information that Users may provide to us through the SleepImage Offerings, including personally identifiable information ("PII"). This Policy does not apply to information collected by any third party, including through any application or content that may link to or be accessible from the SleepImage Offerings.

CHANGES TO OUR POLICY

MyCardio reserves the right, in its sole and absolute discretion, to modify this Policy (in whole or in part) from time to time, and any such modification shall be immediately effective upon posting by MyCardio. The date this Policy was last revised is at the top of this page. If we make a material change to our Policy, we will provide notice by email or by posting on the SleepImage Offerings that our privacy practices have changed. Continued use of the SleepImage Offerings after we make changes to this Policy is deemed to be acceptance of those changes, so please review this Policy regularly for changes. If you have any questions concerning this Policy, please email MyCardio at privacy@sleepimage.com.

PRIVACY PRINCIPLES

We follow the following privacy principles:

  • We do not collect more PII than we consider necessary to use the full functions of the SleepImage Offerings;
  • PII is used for the purposes we specify in this Policy;
  • We do not keep PII for longer than we deem necessary;
  • Other than as we specify in this Policy, we do not share PII with third parties; and
  • Protected Health Information (as defined by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA")) is a subset of PII. Where the law or our business associate agreement with a healthcare professional requires us to take or prohibits us from taking any action, we will follow the law and our business agreement, notwithstanding this Policy.

TYPES OF INFORMATION WE COLLECT

When Patients visit the Website, register for an account, or use the App or Technology, Patients may provide us with PII, including PHI, and non-personally identifiable information, such as information about their interaction with and use of the App or Technology. We also collect non-personally identifiable information, such as information about the interaction with and use of the Website from non-registered visitors to the Website. This non-personally identifiable information is referred to as "Usage Data."

PII and PHI

PII is necessary for several reasons. First, the Technology is a medical device, which means that it can be available for use by Patients. In addition, Clinicians and Patients may direct MyCardio to share their PHI with their healthcare professional that is also a Clinician via the App or vice versa, in which case we may ask that Clinicians and Patients provide certain PII to identify themselves.

When Patients authenticate their identity to use the App, we collect the following information:

  • Date of birth

When Patients authenticate their identity to use the App, we randomly generate the following information:

  • Patient's unique patient ID

Patients may choose not to provide PII; however, setting up and creating an account is a prerequisite for using the full functions of the SleepImage Offerings.

Clinicians may also enter information into the Technology about and on the behalf of the Patients under their supervision and/or responsibility such as:

  • Name;
  • Email Address;
  • Gender;
  • Time zone location;
  • Patient ID;
  • Date of birth;
  • Height;
  • Weight;
  • Body Mass Index (BMI) calculated based on height and weight entered;
  • Response to Epworth Sleepiness Scale;
  • Sleep Complaints;
  • Medical History;
  • Medications Used;
  • Treatment Devices Used;
  • Clinician's Diagnosis of a Sleep Disorder;
  • Clinician's Impressions and Recommendations based on Test Results;
  • And other clinical information that the Clinician deems appropriate.

Some of the information entered about the Patients may be PHI. In addition, when a Clinician's account is used, we may also collect the following types of information about their Patients (some of which may be PHI):

  • Physiological data (including, but not limited to: Electrocardiogram; Plethysmogram; Heart Rate; Heart (Pulse) Rate Variability; Electrocardiogram (Plethysmogram) Derived Respiration);
  • Accelerometer data (including, but not limited to: Actigraphy, Body Position, Snoring);
  • Oxygen Saturation (SpO2) data (including, but not limited to: Desaturation events, Oxygen Desaturation Index (ODI), Apnea Hypopnea Index (sAHI)).

HIPAA Compliance

PHI is entitled to special protections. If we create, receive, maintain, or transmit PHI, we use and disclose that information only in accordance with HIPAA and other state and federal laws and regulations ("Privacy Laws"). We are not a HIPAA covered entity, but we may be a business associate to certain healthcare professionals, including Clinicians. If we are a business associate, the business associate agreement terms, which are part of the Agreement, apply. Patients have certain rights under HIPAA and should speak to their healthcare professionals for more information on this. If the Privacy Laws conflict with this Policy, we follow the Privacy Laws.

Usage Data and Cookies

In order to maintain and improve our services, we may collect non-personally identifiable Usage Data about how the SleepImage Offerings are used. This information is collected by automated means, including certain standard web measurement and tracking technologies such as "cookies," web server logs, or other statistics programs.

We may use cookies for things like:

  • Authentication: to help us authenticate Patients to deliver personalized content.
  • Security: to protect Users, us, and others and help us detect fraud and other violations of the Agreement.
  • Performance: to make the SleepImage Offerings easier and faster to use.
  • Features: to enable features and store information about Patients and their use of the SleepImage Offerings.
  • Analytics and Research: to monitor and evaluate the use of the SleepImage Offerings.

A browser may have an option that allows users to accept cookies, reject cookies, or receive notification when a cookie is sent, but users should note that the use of such restrictive browser settings may limit usability of the SleepImage Offerings. Users may also be able to opt out of third-party advertiser and ad network placement of cookies for targeted advertising. If users delete their browser cookies, their opt-out cookie will also be deleted. Additionally, if users change computers or web browsers, they will need to opt out again. To the extent that we pair any of this Usage Data with a Patient's PII, we will treat such Usage Data in accordance with this Policy.

We use the following cookies:

Cookie Name | Purpose
Sid | User session key

De-Identified Data

We may de-identify PII to make it anonymous and use it in an aggregate form, either alone or in combination with Usage Data to create reports about trends or analyses of treatments, disorders, or conditions, demographic information, and performance information about the SleepImage Offerings. This type of information is referred to as "Aggregate Data." If we de-identify PHI, we will do so in compliance with the Privacy Laws and the U.S. Department of Health and Human Services' Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. De-identified data does not identify Patients personally. We reserve the right to share Aggregate Data with third parties, including for research or marketing purposes or to publish Aggregate Data in white papers, publications, or reports.

HOW WE USE INFORMATION

We use the information we collect for the following purposes:

  • To provide, develop, maintain, operate, and improve the SleepImage Offerings;
  • To provide Patients with information, products, or services that Patients request from us, including to track and calculate Sleep Data supplied by Patients;
  • To share Patients' PHI in the App or Technology with their Clinicians;
  • To send service messages and information about the SleepImage Offerings in which Patients may be interested;
  • To communicate with Patients and respond to Patients' customer service inquiries;
  • To communicate with Patients about other products, services, and promotional events;
  • To carry out our obligations and enforce our rights arising from any contracts entered into between Clinicians, Patients, and us, including for billing and collection;
  • In any other way we may describe when Patients provide the information; and
  • For any other purpose with consent of the Patient.

To the extent the Privacy Laws prohibit us from using PHI for any of the above purposes, we will comply with the law.

SHARING INFORMATION

We may disclose information with our service providers, business partners, and others we use to support our business consistent with this Policy and applicable law. However, if Patient consent is required by law, or we believe that Patient consent is appropriate in the circumstances, we will obtain consent before sharing PII. When we share identifiable information with business partners, our agreements with these partners will limit the purposes for which identifiable information can be used. We will not sell, rent or otherwise provide PII to third parties for their own purposes.

We may also share PII with our service providers, consultants, or related third parties in order to provide Patients with the products and services they request. For example, these third parties may handle credit card processing, data management, email distribution, or providing Patients (if applicable) with the Technology or App. The service providers to whom we disclose PII are obliged to use such PII only to provide services to us and are not authorized by us to use or disclose PII except as necessary to perform services on our behalf, as specifically authorized by us, Clinicians, or Patients, or to comply with legal requirements.

We also may share PII to comply with any court order, law, or legal process, including to respond to any government or regulatory request.

MyCardio expressly reserves the right to transfer any and all such information including, without limitation, PII, to a buyer or other successor in interest of MyCardio that acquires rights to that information in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of MyCardio assets.

DATA SECURITY

MyCardio uses reasonable physical, administrative, and technical safeguards to preserve the integrity and security of PII. MyCardio attempts to restrict access to PII to those employees, agents, contractors, and representatives who need access to perform their job functions, such as customer service personnel, technical and development staff and management. Please note that the electronic transmission of information is not completely secure. MyCardio cannot guarantee, ensure or warrant the security of any information transmitted to MyCardio. Any transmission of personal information is at a Patient's own risk. We are not responsible for circumvention of any privacy settings or security measures contained in the SleepImage Offerings, or for information sent or provided to MyCardio relating to the SleepImage Offerings using any other communication methods such as phone or email. For any additional information about the security measures MyCardio uses relating to PII, PHI or other information relating to use of the SleepImage Offerings, please contact MyCardio at privacy@sleepimage.com.

The safety and security of PII also depends on Patients. Patients set authentication credentials for access to certain parts of the SleepImage Offerings. Patients are responsible for keeping credentials confidential at all times. We ask Patients not to share their credentials with anyone, and we recommend that Patients change their passwords regularly.

HOW WE RESPOND TO DO NOT TRACK SIGNALS

A web browser may let users choose whether to allow the collection of information about their online activities over time and across different websites or online services. At this time, the Website and App do not respond to the preferences users may have set in their web browser regarding the collection of such information, and the Website and App may continue to collect information in the manner described in this Policy.

INFORMATION FROM CHILDREN

We understand and take very seriously the importance of protecting the privacy and safety of children. CHILDREN UNDER THE AGE OF EIGHTEEN (18) ARE NOT PERMITTED TO CREATE THEIR OWN ACCOUNT. We do not target the SleepImage Offerings to children under 18, and we do not intentionally collect information from children under 18, except as set forth in this paragraph. While we do not knowingly communicate with children under the age of eighteen (18) via the SleepImage Offerings, we may collect PII of a Patient under eighteen (18) years of age to the extent that (i) such Patient has been registered under the care of a Clinician and (ii) such Patient's parent or guardian has provided consent to the Clinician regarding the collection of PII of their child. Any parent or guardian who believes that PII of their child has been submitted to us without having given prior consent to the Clinician may contact us at privacy@sleepimage.com to request that we take steps to delete the information as soon as possible.

DATA TRANSFERS AND GOVERNING LAW

The servers from which we provide the SleepImage Offerings, and to which all Sleep Data, PII, and PHI are sent, are located in the United States [and other countries in which Patients are located]. If Patients are physically located within any region with laws or regulations governing PII collection, use, and disclosure that differ from United States laws, please be advised that the SleepImage Offerings transfer PII and PHI to the United States, and Patients consent to such transfer and the application of the laws of the United States and/or the State of Colorado with respect to any dispute arising from or related to such transfer.

CANADIAN RESIDENTS

MyCardio complies with the Personal Information Protection and Electronic Documents Act ("PIPEDA"). PIPEDA gives Canadian residents certain rights when it comes to the collection and handling of their data. These rights are encapsulated in the below section titled "Individuals' Rights." If you are a citizen or resident of Canada and have questions about your individual rights under this Policy or would like to enforce your rights under this Policy, please contact MyCardio at privacy@sleepimage.com.

Individuals' Rights

  • Right to Access and Rectification. Users have the right to request a copy of any PII that we hold about them. If Users would like a copy of their PII, please contact us using the contact information below. We may request proof of identity before sharing such information. If Users discover that the information we hold about them is incorrect or out of date, you may ask us to correct that information by contacting us using the contact information below.
  • Right to Object and Erasure. Users may ask us to stop processing, or delete, the personally identifiable data we hold about Patients under their care in certain circumstances. It may not be possible for us to stop processing or delete all of the information we hold about them where we are fulfilling a transaction or have a legal basis to retain the information; however, please contact us to discuss how we can assist with your request.
  • Right to Withdraw Consent. When we process information on the basis that you have consented to such processing, you have the right to withdraw your consent, or ask us to stop or restrict processing the PII we have about you, at any time by contacting us using the contact information below.
  • Right to Data Portability. You may also ask us to transfer your PII to a third party in certain circumstances. If you would like any further information about your rights or how to exercise them, please contact us using the contact information below.
  • Right to Submit a Complaint. You may have the right to make a complaint at any time to the relevant data protection authority in your country.

Additional Privacy Rights for U.K. and Other E.U. Residents (GDPR)

MyCardio complies with the General Data Protection Regulation (GDPR). GDPR gives various European and U.K. residents certain rights when it comes to the collection and handling of their data. These rights are encapsulated in the below section. If you are a citizen or resident of the E.U. or U.K. and have questions about your individual rights under this Policy or would like to enforce your rights under this Policy, please contact MyCardio at privacy@sleepimage.com.

Legal Basis for Processing Personal Data under GDPR

We may process personal data under the following conditions:

Consent: You have given your consent for processing Personal Data for one or more specific purposes.

Performance of a contract: Provision of personal data is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof.

Legal obligations: Processing personal data is necessary for compliance with a legal obligation to which MyCardio is subject.

Vital interests: Processing personal data is necessary in order to protect your vital interests or those of another natural person.

Public interests: Processing personal data is related to a task that is carried out in the public interest or in the exercise of official authority vested in MyCardio.

Legitimate interests: Processing personal data is necessary for the purposes of the legitimate interests pursued by MyCardio.

In any case, MyCardio will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Your Rights under the GDPR

MyCardio undertakes to respect the confidentiality of your personal data and to guarantee you can exercise your rights.

You have the right under this Privacy Policy, and by law if you are within the E.U. or U.K., to:

Request Access to Your Personal Data. The right to access, update or delete the information we have on you. Whenever made possible, you can access, update or request deletion of your personal data directly within your account settings section. If you are unable to perform these actions yourself, please contact us to assist you. This also enables you to receive a copy of the personal data we hold about you.

Request Correction of the Personal Data That We Hold About You. You have the right to have any incomplete or inaccurate information we hold about you corrected.

Object to Processing of Your Personal Data. This right exists where we are relying on a legitimate interest as the legal basis for our processing and there is something about your particular situation, which makes you want to object to our processing of your personal data on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.

Request Erasure of Your Personal Data. You have the right to ask us to delete or remove personal data when there is no good reason for us to continue processing it.

Request the Transfer of Your Personal Data. We will provide to you, or to a third-party you have chosen, your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw Your Consent. You have the right to withdraw your consent on using your personal data. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the service.

Exercising of Your GDPR Data Protection Rights

You may exercise your rights of access, rectification, cancellation and opposition by contacting us. Please note that we may ask you to verify your identity before responding to such requests. If you make a request, we will try our best to respond to you as soon as possible.

You have the right to complain to a Data Protection Authority about our collection and use of your personal data. For more information, if you are in the European Economic Area (EEA), please contact your local data protection authority in the EEA.

THIRD PARTIES

Your information may be held by third parties or we may link to other sites or applications not affiliated, owned, or controlled by us. As mentioned in this Policy, we may use third-party devices to collect information from Patients. These third-party devices are not owned by or affiliated with MyCardio. We expressly disclaim any and all liability for the actions of third parties, whether related to devices or otherwise. The privacy practices of any third parties are outside the scope of this Policy and their use or disclosure of identifiable information will be governed by their own privacy practices or policies. We encourage you to review the privacy practices or policies of those third parties.

Clinicians may send secured links ("Links") to Patients and to other third-parties to share study results and other information with ease. This information may contain PII (including PHI). MyCardio is not responsible for any unauthorized access, use, or disclosure of these Links and/or any PII (including PHI) accessed through the Links. Users understand that MyCardio does not control who receives the Links and that Clinicians are solely in control of that decision. MyCardio expressly disclaims any and all liability that arises out of or is related to the sharing of these Links or the data contained therein or accessed through the use of the Links.

DATA RETENTION

We will retain information for as long as needed to fulfill Patients' requests, provide the SleepImage Offerings, comply with our legal obligations, resolve disputes, and enforce our agreements.

EMAIL COMMUNICATIONS

If Patients receive marketing emails from us, Patients can unsubscribe from our emails by clicking "unsubscribe" within each email. Patients may not opt out of service-related communications, which are not promotional in nature.

UNSUBSCRIBING, REMOVING OR MODIFYING INFORMATION

To edit or delete your information contained in a Clinician's account, please contact your Clinician to request an update to your profile or to delete your information. To unsubscribe from an email or other messaging, please follow the instructions in any email or messages Patient receives. Patients may also send us an email at privacy@sleepimage.com to request access to, correct, or delete any PII that Patients have provided to us. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

CALIFORNIA RESIDENTS

If you are a California resident, you have additional privacy rights, which can be accessed in our Privacy Notice for California Residents.

ADDITIONAL STATE RIGHTS

Other states offer similar rights to their residents. For a summary of such rights, please see below:

Right to Access (CO, CT, UT, TX, OR, MT and VA)

You have the right to know and see what personal information we have collected about you in a usable format.

Right to Delete (CO, CT, UT, TX, OR, MT and VA)

You have the right to request that we delete the personal information we have collected about you, subject to applicable exceptions.

Right to Correct (CO, CT, TX, MT, OR and VA)

You have the right to request that we correct inaccurate personal information.

Right to Opt-Out of Targeted Advertising and Sale of Personal Data

You have the right to opt-out of targeted advertising (CO, CT, UT, TX, OR, MT and VA) and the sale of your personal information (CO, CT, TX, OR, and MT) (as defined under applicable law).

Note, MyCardio does not engage in targeted advertising or sell your personal information.

Exercising Your Privacy Rights

Making Access, Deletion, and Correction Requests

To make an access, deletion, or correction request, as applicable, please submit your request to support@sleepimage.com. To submit a request by phone, you may call +1 888 975 7464. Before completing your request, we may need to verify your identity.

Making Requests to Opt-Out of Targeted Advertising or the Sale of Personal Data

To submit a request to opt-out of targeted advertising or the sale of your personal data, as defined by applicable law, please submit your request to support@sleepimage.com. To submit a request by phone, you may call +1 888 975 7464.

Note, you will not need to opt-out, as MyCardio does not engage in targeted advertising or sell your personal information.

Authorized Agents

Where applicable under state law, you may use an authorized agent to submit an access, deletion, correction or opt-out request on your behalf. Before completing requests from authorized agents, we may contact you directly to confirm you've given permission and/or to verify your identity.

OTHER TERMS AND CONDITIONS

In addition to this Policy, access to and use of the SleepImage Offerings are subject to the Agreement, which can be found at www.sleepimage.com, including the disclaimer that MyCardio does not provide medical advice or information and only facilitates communication of Sleep Data for informational purposes between Patients and their Clinicians. PATIENTS SHOULD ALWAYS CONSULT THEIR DESIGNATED CLINICIAN REGARDING THEIR SLEEP DATA AND ANY RELATED CONDITION. IN A MEDICAL EMERGENCY, CALL 911, IF YOU ARE LOCATED IN THE UNITED STATES OF AMERICA. IF YOU ARE LOCATED IN ANY OTHER COUNTRY, IT IS YOUR RESPONSIBILITY TO KNOW THE EMERGENCY NUMBER TO CALL. WE ARE NOT RESPONSIBLE FOR ANY HEALTH CONDITIONS OF ANY PATIENTS RELATED TO SLEEP DATA.

QUESTIONS?

If you have any questions about this Policy or MyCardio's information practices, privacy while using the SleepImage Offerings, or wish to review or update your information, please contact MyCardio at:

Privacy Office (Legal Department) MyCardio
3200 E Cherry Creek South Dr, Suite 540
Denver, CO 80209, USA
email: privacy@sleepimage.com

SleepImage® is a registered trademark of MyCardio LLC.
