Date of Last Revision: January 10, 2023
MyCardio, LLC dba SleepImage (“MyCardio”, “we” or “us”) provides US Food and Drug Administration (FDA)-cleared software as a medical device technology (“Technology”) that accesses, collects, and stores certain information and data from third-party devices that are used with the Technology to aid clinical evaluation of sleep quality and sleep disorders. The Technology uses this data, independently or in combination with other data, for cardiopulmonary coupling (CPC) analysis, which provides physiological data for clinical analysis (“Sleep Data”). The Technology is intended for use by or on the order of healthcare professionals to aid in the evaluation of sleep disorders and to enable such professionals to provide Sleep Data information about patients under their care for health and wellness purposes.
THE SLEEPIMAGE OFFERINGS
This Policy applies to information we collect from Users or information that Users may provide to us through the SleepImage Offerings, including personally identifiable information (“PII”). This Policy does not apply to information collected by any third party, including through any application or content that may link to or be accessible from the SleepImage Offerings.
CHANGES TO OUR POLICY
MyCardio reserves the right, in its sole and absolute discretion, to modify this Policy (in whole or in part) from time to time, and any such modification shall be immediately effective upon posting by MyCardio. The date this Policy was last revised is at the top of this page. If we make a material change to our Policy, we will provide notice by email or by posting on the SleepImage Offerings that our privacy practices have changed. Each Clinician is responsible for ensuring we have an up-to-date, active and deliverable email address. Continued use of the SleepImage Offerings after we make changes to this Policy is deemed to be acceptance of those changes, so please review this Policy regularly for changes. If you have any questions concerning this Policy, please email MyCardio at email@example.com.
We follow the following privacy principles:
- We do not collect more PII than we consider necessary to use the full functions of the SleepImage Offerings;
- PII is used for the purposes we specify in this Policy;
- We do not keep PII for longer than we deem necessary;
- Other than as we specify in this Policy, we do not share PII with third parties; and
- Protected Health Information (as defined by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”)) is a subset of PII. Where the law or our business associate agreement with a healthcare professional requires us to take or prohibits us from taking any action, we will follow the law and our business agreement, notwithstanding this Policy.
TYPES OF INFORMATION WE COLLECT
When Clinicians or Patients visit the Website, register for an account, or use the App or Technology, Clinicians and Patients may provide us with PII, including PHI, and non-personally identifiable information, such as information about their interaction with and use of the App or Technology. We also collect non-personally identifiable information, such as information about the interaction with and use of the Website from non-registered visitors to the Website. This non-personally identifiable information is referred to as “Usage Data.” We only collect PII from Clinicians or Patients.
PII and PHI
PII is necessary for several reasons. First, the Technology is an FDA[1]-cleared software as a medical device, which means that it can be available for use by Clinicians and Patients under their care. In addition, Patients may direct MyCardio to share their PHI with their healthcare professional that is also a Clinician via the App or vice versa, in which case we may ask that Clinicians and Patients provide certain PII to identify themselves.
When Clinicians set up and register for an account, we may collect information from the Clinicians such as:
- E-mail address;
- Medical specialty; and
- Physical address.
When Patients authenticate their identity to use the App, we collect the following information:
- Date of birth
When Patients authenticate their identity to use the App, we randomly generate the following information:
- Patient’s unique patient ID
Clinicians and Patients may choose not to provide PII; however, setting up and creating an account is a prerequisite for using the full functions of the SleepImage Offerings.
[1] United States Food and Drug Administration
Clinicians may also enter information into the Technology about and on the behalf of the Patients under their supervision and/or responsibility such as:
- Email address;
- Time zone location;
- Patient ID;
- Date of birth;
- Body Mass Index (BMI) calculated based on height and weight entered;
- Response to Epworth Sleepiness Scale;
- Sleep Complaints;
- Medical History;
- Medications Used;
- Treatment Devices Used;
- Clinician’s Diagnosis of a Sleep Disorder;
- Clinician’s Impressions and Recommendations based on Test Results;
- And other clinical information that the Clinician deems appropriate.
Some of the information entered about the Patients may be PHI. In addition, when a Clinician’s account is used, we may also collect the following types of information about their Patients (some of which may be PHI):
- Physiological data (including, but not limited to: Electrocardiogram; Plethysmogram; Heart Rate; Heart (Pulse) Rate Variability; Electrocardiogram (Plethysmogram) Derived Respiration);
- Accelerometer data (including, but not limited to: Actigraphy, Body Position, Snoring);
- Oxygen Saturation (SpO2) data (including, but not limited to: Desaturation events, Oxygen Desaturation Index (ODI), Apnea Hypopnea Index (sAHI)).
PHI is entitled to special protections. If we create, receive, maintain, or transmit PHI, we use and disclose that information only in accordance with HIPAA and other state and federal laws and regulations (“Privacy Laws”). We are not a HIPAA covered entity, but we may be a business associate to certain healthcare professionals, including Clinicians. If we are a business associate, the business associate agreement terms, which are part of the Agreement, apply. To the extent HIPAA applies, each Clinician represents and warrants that it maintains the privacy of all Patients’ PHI in accordance with HIPAA and other applicable law and that it has all necessary rights to provide Patients’ PHI to us or to permit us to create, receive, maintain, and/or transmit PHI through the provision of the Technology. Patients have certain rights under HIPAA and should speak to their healthcare professionals for more information on this. If the Privacy Laws conflict with this Policy, we follow the Privacy Laws.
The Website includes functionality that permits Clinicians to make payment for certain products or services. We do not collect, access, view, or process Clinician’s credit card or debit card information. This information is transmitted directly to our third-party payment processor, which uses secure, industry-standard encryption technologies to protect Clinician information. We do store a Clinician’s shipping address and information about a Clinician’s order history for customer service and quality reasons; and as a result, we may have access to a Clinician’s payment information.
Usage Data and Cookies
In order to maintain and improve our services, we may collect non-personally identifiable Usage Data about how the SleepImage Offerings are used. This information is collected by automated means, including certain standard web measurement and tracking technologies such as “cookies,” web server logs, or other statistics programs.
- Authentication: to help us authenticate Clinicians and Patients to deliver personalized content.
- Security: to protect Users, us, and others and help us detect fraud and other violations of the Agreement.
- Performance: to make the SleepImage Offerings easier and faster to use.
- Features: to enable features and store information about Clinicians and Patients and their use of the
- Analytics and Research: to monitor and evaluate the use of the SleepImage Offerings.
A browser may have an option that allows users to accept cookies, reject cookies, or receive notification when a cookie is sent, but users should note that the use of such restrictive browser settings may limit usability of the SleepImage Offerings. Users may also be able to opt out of third-party advertiser and ad network placement of cookies for targeted advertising. If users delete their browser cookies, their opt-out cookie will also be deleted. Additionally, if users change computers or web browsers, they will need to opt out again. To the extent that we pair any of this Usage Data with a Clinician or Patient’s PII, we will treat such Usage Data in accordance with this Policy.
We use the following cookies:
- Sid: User session key
We may de-identify PII to make it anonymous and use it in an aggregate form, either alone or in combination with Usage Data to create reports about trends or analyses of treatments, disorders, or conditions, demographic information, and performance information about the SleepImage Offerings. This type of information is referred to as “Aggregate Data.” If we de-identify PHI, we will do so in compliance with the Privacy Laws and the U.S. Department of Health and Human Services’ Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. De-identified data does not identify Clinicians or Patients personally. We reserve the right to share Aggregate Data with third parties, including for research or marketing purposes or to publish Aggregate Data in white papers, publications, or reports.
HOW WE USE INFORMATION
We use the information we collect for the following purposes:
- To provide, develop, maintain, operate, and improve the SleepImage Offerings;
- To provide Clinicians and Patients with information, products, or services that Clinicians or Patients request from us, including to track and calculate Sleep Data supplied by Clinicians for Patients;
- To share Patients’ PHI in the App or Technology with their Clinicians;
- To send service messages and information about the SleepImage Offerings in which Clinicians or Patients may be interested;
- To communicate with Clinicians and Patients and respond to Clinicians’ or Patients’ customer service inquiries;
- To communicate with Clinicians or Patients about other products, services, and promotional events;
- To carry out our obligations and enforce our rights arising from any contracts entered into between Clinicians, Patients, and us, including for billing and collection;
- In any other way we may describe when Clinicians or Patients provide the information; and
- For any other purpose with consent of the Clinician or Patient.
To the extent the Privacy Laws prohibit us from using PHI for any of the above purposes, we will comply with the law.
We may disclose information with our service providers, business partners, and others we use to support our business consistent with this Policy and applicable law. However, if Clinician or Patient consent is required by law, or we believe that Clinician or Patient consent is appropriate in the circumstances, we will obtain consent before sharing PII. When we share identifiable information with business partners, our agreements with these partners will limit the purposes for which identifiable information can be used. We will not sell, rent or otherwise provide PII to third parties for their own purposes.
We may also share PII with our service providers, consultants, or related third parties in order to provide Clinicians and Patients with the products and services they request. For example, these third parties may handle credit card processing, data management, email distribution, or providing Clinicians and Patients (if applicable) with the Technology or App. The service providers to whom we disclose PII are obliged to use such PII only to provide services to us and are not authorized by us to use or disclose PII except as necessary to perform services on our behalf, as specifically authorized by us, Clinicians, or Patients, or to comply with legal requirements.
We also may share PII to comply with any court order, law, or legal process, including to respond to any government or regulatory request.
MyCardio expressly reserves the right to transfer any and all such information including, without limitation, PII, to a buyer or other successor in interest of MyCardio that acquires rights to that information in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of MyCardio assets.
MyCardio uses reasonable physical, administrative, and technical safeguards to preserve the integrity and security of PII. MyCardio attempts to restrict access to PII to those employees, agents, contractors, and representatives who need access to perform their job functions, such as customer service personnel, technical and development staff and management. Please note that the electronic transmission of information is not completely secure. MyCardio cannot guarantee, ensure or warrant the security of any information transmitted to MyCardio. Any transmission of personal information is at a Clinician’s or Patient’s own risk. We are not responsible for circumvention of any privacy settings or security measures contained in the SleepImage Offerings, or for information sent or provided to MyCardio relating to the SleepImage Offerings using any other communication methods such as phone or email. For any additional information about the security measures MyCardio uses relating to PII, PHI or other information relating to use of the SleepImage Offerings, please contact MyCardio at firstname.lastname@example.org.
The safety and security of PII also depends on Clinicians and Patients. Clinicians and Patients set authentication credentials for access to certain parts of the SleepImage Offerings. Clinicians and Patients are responsible for keeping credentials confidential at all times. We ask Clinicians and Patients not to share their credentials with anyone and we recommend that Clinicians and Patients change their passwords regularly.
HOW WE RESPOND TO DO NOT TRACK SIGNALS
A web browser may let users choose whether to allow the collection of information about their online activities over time and across different websites or online services. At this time, the Website and App do not respond to the preferences users may have set in their web browser regarding the collection of such information, and the Website and App may continue to collect information in the manner described in this Policy.
INFORMATION FROM CHILDREN
We understand and take very seriously the importance of protecting the privacy and safety of children. CHILDREN UNDER THE AGE OF EIGHTEEN (18) ARE NOT PERMITTED TO CREATE THEIR OWN ACCOUNT. We do not target the SleepImage Offerings to children under 18, and we do not intentionally collect information from children under 18, except as set forth in this paragraph. While we do not knowingly communicate with children under the age of eighteen (18) via the SleepImage Offerings, we may collect PII of a Patient under eighteen (18) years of age to the extent that (i) such Patient has been registered under the care of a Clinician and (ii) such Patient’s parent or guardian has provided consent to the Clinician regarding the collection of PII of their child. Any parent or guardian who believes that PII of their child has been submitted to us without having given prior consent to the Clinician may contact us at email@example.com to request that we take steps to delete the information as soon as possible.
The servers from which we provide the SleepImage Offerings, and to which all Sleep Data, PII, and PHI are sent, are located in the United States. If Clinicians or Patients are physically located within any region with laws or regulations governing PII collection, use, and disclosure that differ from United States laws, please be advised that the SleepImage Offerings transfer PII and PHI to the United States, and Clinicians and Patients consent to such transfer and the application of the laws of the United States and/or the State of Colorado with respect to any dispute arising from or related to such transfer.
MyCardio complies with the Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA gives Canadian residents certain rights when it comes to the collection and handling of their data. These rights are encapsulated in the below section titled “Individuals’ Rights.” If you are a citizen or resident of Canada and have questions about your individual rights under this Policy or would like to enforce your rights under this Policy, please contact MyCardio at firstname.lastname@example.org.
- Right to Access and Rectification. Users have the right to request a copy of any PII that we hold about them. If Users would like a copy of their PII, please contact us using the contact information below. We may request proof of identity before sharing such information. If Users discover that the information we hold about them is incorrect or out of date, you may ask us to correct that information by contacting us using the contact information below.
- Right to Object and Erasure. Users may ask us to stop processing, or delete, the personally identifiable data we hold about Patients under their care in certain circumstances. It may not be possible for us to stop processing or delete all of the information we hold about them where we are fulfilling a transaction or have a legal basis to retain the information; however, please contact us to discuss how we can assist with your request.
- Right to Withdraw Consent. When we process information on the basis that you have consented to such processing, you have the right to withdraw your consent, or ask us to stop or restrict processing the PII we have about you, at any time by contacting us using the contact information below.
- Right to Data Portability. You may also ask us to transfer your PII to a third party in certain circumstances. If you would like any further information about your rights or how to exercise them, please contact us using the contact information below.
- Right to Submit a Complaint. You may have the right to make a complaint at any time to the relevant data protection authority in your country.
Your information may be held by third parties or we may link to other sites or applications not affiliated, owned, or controlled by us. As mentioned in this Policy, we may use third-party devices to collect information from Patients. These third-party devices are not owned by or affiliated with MyCardio. We expressly disclaim any and all liability for the actions of third parties, whether related to devices or otherwise. The privacy practices of any third parties are outside the scope of this Policy and their use or disclosure of identifiable information will be governed by their own privacy practices or policies. We encourage you to review the privacy practices or policies of those third parties.
Clinicians may send secured links (“Links”) to Patients and to other third-parties to share study results and other information with ease. This information may contain PII (including PHI). MyCardio is not responsible for any unauthorized access, use, or disclosure of these Links and/or any PII (including PHI) accessed through the Links. Clinicians represent and warrant that they have all necessary rights to provide the Links to third-parties in accordance with all applicable Privacy Laws. Users understand that MyCardio does not control who receives the Links and that Clinicians are solely in control of that decision. Clinicians understand that they are responsible for those third-parties’ use or disclosure of the data made available to them through the Links. MyCardio expressly disclaims any and all liability that arises out of or is related to the sharing of these Links or the data contained therein or accessed through the use of the Links.
We will retain Clinician and Patient information for as long as needed to fulfill Clinicians’ and Patients’ requests, provide the SleepImage Offerings, comply with our legal obligations, resolve disputes, and enforce our agreements.
If Clinicians or Patients receive marketing emails from us, Clinicians and Patients can unsubscribe from our emails by clicking “unsubscribe” within each email. Clinicians and Patients may not opt-out of service-related communications, which are not promotional in nature.
UNSUBSCRIBING, REMOVING OR MODIFYING INFORMATION.
To edit or delete any information contained in a Clinician’s or Patient’s account, please login and update the profile. To unsubscribe from an email or other messaging, please follow the instructions in any email or messages Clinician or Patient receives. Clinicians and Patients may also send us an email at email@example.com to request access to, correct, or delete any PII that Clinicians or Patients have provided to us. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.
California Civil Code Section 1798.83 permits Patients who are California residents to request and obtain from us a list of what PII (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year and the names and addresses of those third parties. Requests may be made only once a year and are free of charge. Under Section 1798.83, MyCardio currently does not share any PII with third parties for their direct marketing purposes. To make such a request, please send an email to firstname.lastname@example.org.
OTHER TERMS AND CONDITIONS.
In addition to this Policy, access to and use of the SleepImage Offerings are subject to the Agreement, which can be found at www.sleepimage.com, including the disclaimer that MyCardio does not provide medical advice or information and only facilitates communication of Sleep Data for informational purposes between Patients and their Clinicians. PATIENTS SHOULD ALWAYS CONSULT THEIR DESIGNATED CLINICIAN REGARDING THEIR SLEEP DATA AND ANY RELATED CONDITION. IN A MEDICAL EMERGENCY, CALL 911, IF YOU ARE LOCATED IN THE UNITED STATES OF AMERICA. IF YOU ARE LOCATED IN ANY OTHER COUNTRY, IT IS YOUR RESPONSIBILITY TO KNOW THE EMERGENCY NUMBER TO CALL. WE ARE NOT RESPONSIBLE FOR ANY HEALTH CONDITIONS OF ANY PATIENTS OR CLINICIANS RELATED TO SLEEP DATA.
If you have any questions about this Policy or MyCardio’s information practices, privacy while using the SleepImage Offerings, or wish to review or update your information, please contact MyCardio at:
Privacy Office (Legal Department) MyCardio
3200 E Cherry Creek South Drive, Suite 540, Denver, CO 80209, USA
SleepImage® is a registered trademark of MyCardio LLC.