Privacy Policy. (Last Updated:  01/18/2017)

This Privacy Policy outlines the policies of AnthroTronix, Inc. (collectively, “ATinc,” “we,” “us” or “our”) regarding data security and privacy, including the types of information we gather, how we use it, and the notice and choice affected individuals have regarding our use of that information. This policy applies to the DANA Brain Vital and DANA Modular applications and all associated products or services (collectively referred to as “DANA”) and all Personally Identifiable Information collected thereby.

ATinc reserves the right to change or modify this Privacy Policy at any time and in our sole discretion, including as required to comply with changes in HIPAA and/or HITECH regulations. If we make changes to this Privacy Policy, we will provide notice of such changes by posting the revised policy to our website, currently www.danabrainvital.com, and updating the “Last Updated” date shown above. We encourage you to review this Privacy Policy whenever you use or access DANA or otherwise interact with us to stay informed about our information practices and the ways you can help protect your privacy.

This Privacy Policy also addresses administrative and technical measures implemented by ATinc to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) regulating the security and privacy of protected health information in the United States.

As used herein, the following definitions apply:

Protected Health Information (PHI): PHI is Personally Identifiable Information that consists of health information, including demographic information, created or received by DANA and which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify the individual.

“Personally Identifiable Information”, “Personal Information”, or “PII” means any data element that: (1) is recorded in any form; (2) is about, or pertains to, a specific individual; and (3) can be linked to that individual whether through the information or the collection of the information and other, publicly available, information on the individual. PII may include PHI.

Collection of Information:

Information You Provide to Us.

We collect information provided directly to us by a patient or his/her provider.

The types of information we may collect from you include:

(a)        Account Information, such as name, email address, phone number, and any other information a patient or provider may choose to provide;

(b)       PII and PHI. PHI and PII are processed in a way that is compatible with and relevant for the purpose for which they were collected and authorized by the individual.

(c)        Information About Others, such as the names, telephone numbers and email addresses of patient caregivers.

(d)       Other information you choose to provide, such as when you contact us, or when you request technical or customer support. 

Information We Collect Automatically.

When you access or use DANA, the types of information we may automatically collect about you include:

(a)        Non-personally identifiable information. We collect information about the DANA application and services used and how Users use them, such as the assessments completed within the DANA application. This information includes:

o          Assessment data. We collect data regarding your responses on reaction time measurements and psychological questionnaires to share with your healthcare provider. These data include assessment type, date and time of the assessment, timestamps of responses, and response (chosen or filled in).

o          Device information. We collect device-specific information such as the mobile device model number and operating system version used for DANA.

o          Log information. We may collect and store certain information when you use DANA to enable us to enhance future versions of the application. This information may include the following:

  • The dates and times you use the application
  • Device event analytics such as application crashes
  • Hardware settings

(b)       Information Collected by Cookies and Other Tracking Technologies: We and our service providers use various tracking technologies, including cookies and web beacons, to collect information about you when you interact with DANA. Cookies are small data files stored on your hard drive or in device memory that help us improve DANA and your experience, and count visits. Web beacons are electronic images that may be used in the operation of DANA or emails and help deliver cookies, count visits and understand usage and campaign effectiveness.

DANA does not maintain any Designated Record Set (“DRS”) as that term is defined by HIPAA. Accordingly, all requests for access to PHI contained within a DRS should be directed to the third party institutional user that created and/or maintains the DRS, such as the group, institutional or medical provider that provided you access to the DANA products. Similarly, requests for amendments or restrictions to PHI or PII under HIPAA should be directed to the same third parties.

Use of Information:

We may use collected information for various purposes, including to:

(a)        Provide, maintain and improve DANA;

(b)       Manage a patient or provider account and send related information, including confirmations, updates, technical notices, security alerts and support and administrative messages;

(c)        Respond to comments, questions and requests and provide customer service;

(d)       Communicate about DANA;

(e)        Monitor and analyze trends, usage and activities in connection with DANA;

(f)        Detect, investigate and prevent fraudulent and other illegal activities and protect the rights and property of ATinc and others;

(g)        Personalize and improve DANA;

(h)       Link or combine with information we get from others to help understand your needs and provide you with a better experience; and

(i)        Carry out any other purpose for which the information was collected.

Sharing of Information:

We may share information about you as follows or as otherwise described in this Privacy Policy:

(a)        With vendors, consultants and other service providers who need access to such information to carry out work or perform services on our behalf;

(b)       In response to a request for information if we believe disclosure is in accordance with, or required by, any applicable law, rule, regulation or legal process;

(c)        If we believe your actions are inconsistent with our license provisions or other policies, or to protect the rights, property or safety of ATinc or others;

(d)       In connection with, or during negotiations of, any merger, acquisition, sale of assets or any business, other change of control transaction or financing; the recipient of your information may subsequently use your information under the terms of their own privacy policies, which may differ from this Privacy Policy;

(e)        Between and among ATinc and any current or future parent, subsidiary and/or affiliated company; and

(f)        With your consent or at your direction.

You may further elect as part of your use of DANA to authorize us to share your name, address and other health and wellness related information about you with one or more third parties designated by you. You acknowledge and agree that we may use your information in a de-identified manner to create aggregated, de-identified data sets, including to evaluate and implement future products or services and to share such de-identified data sets with third parties in accordance with applicable law, including without limitation, HIPAA and HITECH regulations.

Security:

ATinc takes reasonable and industry appropriate measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Please understand, however, that no security system is impenetrable. Like other companies, we cannot guarantee 100% the security or confidentiality of the information provided to us. Consequently, while we endeavor to safeguard PII and PHI against unauthorized access and disclosure, we do not warrant or guarantee the absolute security of any personal information transmitted to, from or through DANA.

ATinc has established comprehensive data security and privacy policies to protect PHI and PII from loss, misuse and unauthorized access, disclosure, alteration and destruction. These include appropriate administrative, physical, and technical safeguards to secure PHI and PII received, prevent misuse, and mitigate any potential harm to individuals in the event of a breach.

Our employees are trained on the requirements of HIPAA and their access to PII and PHI (including electronically provided PHI [“e-PHI”]) is based on job function. DANA requires user authentication prior to allowing access to e-PHI and encryption is used to prevent unauthorized access to e-PHI. DANA implements other industry-standard security measures to protect e-PHI including, but not limited to, periodic audits of security controls.

The DANA application and web portal are HIPAA compliant and use the security measures mentioned below. We maintain strict security standards for both hardware and software and have implemented policies and procedures to comply with federal, state and local laws and regulations regarding the use and disclosure of such PHI and PII, to protect confidentiality and integrity of PHI and PII we collect or create, and to prevent inappropriate access to or disclosure of such information. In addition to these security features, access to information is also restricted based on the minimum information necessary and user permission level.

DANA Application

Data are encrypted locally on the mobile device used and are decrypted via the application’s data export feature. The application is password protected, requires a unique login to access, and includes an automatic logoff feature that activates when (a) the user switches to another application, (b) the user exits the application to go to the Home screen or (c) the mobile device is turned off or put to sleep.

DANA Cloud Database and Web Portal

All DANA data will be securely stored in a MySQL database on a dedicated server within a Virtual Private Cloud (VPC) provided and maintained by Amazon Web Services (AWS). External access to the cloud database is provided via authentication on the DANA web portal front end that requires a unique login, which is also hosted on the AWS HIPAA-compliant dedicated server. Amazon’s VPC provides advanced security features such as security groups and network access control lists to enable inbound and outbound filtering at the instance level and subnet level. The AWS dedicated instances / servers provide an additional layer of security by ensuring data are physically isolated at the host hardware level. Transport layer security (TLS) safeguards have been implemented for any data transfers to and from the cloud database and the web portal.

In the event of a breach of the confidentiality or security of your personally identifiable information, we will notify you as required by law, if reasonably possible and as reasonably necessary so that you can take appropriate protective steps. We may notify you under such circumstances using the e-mail address(es) we have on record for you or through alternative means. You should also take care with how you handle and disclose your personally identifiable information. Please refer to the Federal Trade Commission’s Web Site at http://www.consumer.ftc.gov/ for information about how to protect yourself against identity theft.

Please note that once you leave the Sites, whether independently or via links from the Sites, the privacy policies of the site to which you migrate will apply. This Privacy Policy applies to your interactions with our Sites only.

Your Choices:

Location Information.

With your consent, we may collect information about your actual location when you use our mobile applications. You may stop the collection of this information at any time by changing the settings on your mobile device, but note that some features of our mobile applications may no longer function if you do so.

Native Applications on Mobile Device.

Some features of our mobile applications may require access to certain native applications on your mobile device. If you decide to use these features, we will ask you for your consent prior to accessing the applications and collecting information. Note that you can revoke your consent at any time by changing the settings on your device.

Children.

We do not knowingly collect any personal information from children under the age of 13. DANA is not for use by children. We request that children under the age of 13 not download DANA or submit any personal information through DANA. If we are advised in writing that we have inadvertently received or collected personal information from a child under 13 years of age, we will remove such information from our database.

Your California Privacy Rights.

In addition to the other rights described in this Privacy Policy, California law permits residents of California to request certain details about how their information is shared with third parties for direct marketing purposes. Under the law, a business must either provide this information or permit California residents to opt in to, or opt out of, this type of sharing. You have the right to submit a request to ATinc and receive the following information within 30 days of its receipt of that request: (1) the types of personal information disclosed to third parties during the immediately preceding calendar year, (2) the names and addresses of third parties that received the personal information, and (3) if the nature of a third party’s business cannot be reasonably determined from the third party’s name, examples of its products or services. You are entitled to receive a copy of this information in a standardized format. Information provided will not be specific to you individually. All such requests must be in writing and sent to us at info@danabrainvital.com. ATinc permits California residents to opt out of having their information shared with third parties for direct marketing purposes. If you are a California resident, you may request this information once per calendar year by writing to us at DANA Brain Vital, 8737 Colesville Rd, Suite L-203, Silver Spring, MD 20910.

Contact Us:

If you have any questions about this Privacy Policy, please contact us at:

AnthroTronix, Inc.

Attn: Security and Privacy Officer

8737 Colesville Road

Suite L-203

Silver Spring, MD 20910

USA

Effective Date: January 18, 2017