Privacy Policy

Effective: April 18, 2026
Last updated: April 18, 2026

Overview

Your privacy is foundational to what we do. MindShift+ is a wellness companion — the thoughts you share with Mia, the moods you log, and the journal entries you write are deeply personal. We treat that data with the same care you'd expect from a trusted therapist: with confidentiality, transparency, and respect.

This Privacy Policy explains how MindShift+ ("we," "our," or "us"), operated by MindShift Wellness Clinic, collects, uses, and protects your personal information and Protected Health Information (PHI) when you use our web application, patient portal, telehealth services, and related services (collectively, the "Service"). By using MindShift+, you agree to the practices described in this Policy.

HIPAA Compliance: MindShift Wellness Clinic is a HIPAA-covered entity. When you use our patient portal, schedule appointments, or receive telehealth services, we collect and maintain Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA). This Privacy Policy works in conjunction with our HIPAA Notice of Privacy Practices, which you will receive separately when you become a patient.

If you have questions, please reach out to us at info@mindshiftwellnessclinic.org before using the Service.

What We Collect

Information you provide directly

  • Account information — your name, email address, phone number, date of birth, and password when you create an account.
  • Profile data — your display name, preferred themes, and wellness goals you set in your profile.
  • Journal entries and mood logs — text you write in the guided journaling feature and mood check-ins you submit.
  • Conversation data — messages you send to Mia, our AI wellness coach.
  • Custom breathing patterns — patterns you create and name within the breathing module.
  • Payment information — if you subscribe to Premium, your payment is processed by Stripe. We do not store full card numbers on our servers.

Protected Health Information (PHI) for Patients

When you use our patient portal, schedule appointments, or receive clinical services, we collect and maintain PHI including:

  • Patient registration information — full name, date of birth, address, phone number, email, emergency contact information, and insurance details.
  • Medical and mental health history — intake forms, assessment questionnaires, diagnoses, treatment plans, and clinical notes.
  • Appointment information — scheduled appointments, appointment type (in-person or telehealth), provider name, and appointment notes.
  • Clinical documentation — visit notes, treatment plans, prescriptions, progress notes, and discharge summaries created by your clinician.
  • Telehealth session data — video session URLs, session recordings (if consented), and session metadata. Video sessions are conducted through Whereby, a HIPAA-compliant third-party service.
  • Billing and insurance information — claims, invoices, payment history, and insurance verification records.
  • Communications — secure messages exchanged with your care team through the patient portal.

Information collected automatically

  • Usage data — pages visited, features used, session duration, and in-app navigation patterns.
  • Device information — browser type, operating system, screen resolution, and device identifiers.
  • Log data — IP address, timestamps, error reports, and performance metrics.
  • Cookies and similar technologies — see the Cookies section below for full details.

Information stored locally

Many features — including saved affirmations, custom breathing modes, mood constellation entries, and session history — are stored locally on your device using localStorage. This data does not leave your device unless you explicitly sync or export it.

How We Use It

We use the information we collect for the following purposes:

Purpose                                                                                                        | Legal basis
---------------------------------------------------------------------------------------------------------------|------------------------------------------------
Providing and personalizing the Service (AI coaching, mood insights, breathing guidance)                       | Performance of contract
Treatment, payment, and healthcare operations (TPO): providing clinical care, coordinating treatment, processing insurance claims, and managing appointments | HIPAA-permitted use / Treatment relationship
Responding to support requests and communicating with you                                                      | Legitimate interests
Processing payments and managing subscriptions                                                                 | Performance of contract
Improving features through anonymized usage analysis                                                           | Legitimate interests
Sending appointment reminders and clinical communications                                                      | HIPAA-permitted use / Treatment relationship
Sending optional product updates and wellness tips (with your consent)                                         | Consent
Detecting and preventing fraud, abuse, or security incidents                                                   | Legitimate interests / Legal obligation
Complying with applicable law and responding to legal requests                                                 | Legal obligation

HIPAA-Permitted Uses and Disclosures

We may use and disclose your PHI without your authorization for:

  • Treatment — providing, coordinating, or managing your mental health care and related services.
  • Payment — billing activities, claims management, and determining insurance coverage.
  • Healthcare Operations — quality assessment, staff training, licensing, and business planning.
  • Required by Law — when disclosure is mandated by federal, state, or local law.
  • Public Health Activities — reporting to public health authorities as required.
  • Health Oversight Activities — audits, investigations, and inspections by health oversight agencies.
  • Judicial and Administrative Proceedings — in response to court orders or lawful subpoenas.
  • Law Enforcement — when required by law or in response to valid legal process.
  • To Avert Serious Threat — when necessary to prevent or lessen a serious and imminent threat to health or safety.

We will never: Use your journal entries, mood logs, clinical notes, or AI conversations to train public machine learning models, sell your PHI to advertisers or data brokers, or use your health information for marketing purposes without your explicit written authorization.

Data Sharing

We do not sell your personal data or PHI. We share information only in the following limited circumstances:

Business Associates (HIPAA-Compliant Service Providers)

We work with trusted third-party vendors who help us operate the Service. All vendors who have access to PHI are Business Associates under HIPAA and are bound by Business Associate Agreements (BAAs) that require them to safeguard your PHI. These include:

  • Supabase — HIPAA-compliant database and authentication services. Stores patient records, clinical data, and appointment information. BAA in place.
  • Whereby — HIPAA-compliant telehealth video platform. Provides secure video conferencing for virtual appointments. BAA in place. See Whereby's Privacy Policy.
  • Anthropic — powers the Mia AI coaching feature. Conversation messages are transmitted to Anthropic's API. For wellness app users (non-patients), this is not PHI. For patient portal users, AI conversations may contain PHI and are subject to BAA protections. See Anthropic's Privacy Policy.
  • Stripe — processes payments securely. Payment information is not considered PHI under HIPAA. See Stripe's Privacy Policy.
  • Hosting and infrastructure providers — HIPAA-compliant cloud services (Vercel, AWS) used to run and store our servers. BAAs in place.
  • Email service providers — HIPAA-compliant email delivery for appointment reminders and clinical communications. BAA in place.

All Business Associates are contractually required to use appropriate safeguards to protect your PHI and may only use your data as directed by us for the purposes specified in their BAA.

Analytics providers

We use analytics services to understand how users interact with our wellness app features. Analytics data is anonymized, aggregated, and does not include PHI. You can manage analytics preferences via Cookie Settings.

Legal requirements and mandatory disclosures

We may disclose personal data and PHI when required by law, including:

  • Court orders and subpoenas — when compelled by valid legal process.
  • Mandatory reporting — suspected child abuse, elder abuse, or domestic violence as required by Massachusetts law.
  • Duty to warn — when there is a serious and imminent threat of harm to an identifiable person or the public.
  • Law enforcement — in limited circumstances permitted by HIPAA, such as identifying or locating a suspect or responding to crimes on our premises.
  • Health oversight activities — audits and investigations by state licensing boards or federal agencies.

Disclosures requiring your authorization

We will obtain your written authorization before using or disclosing your PHI for purposes not covered by this Policy or HIPAA, including:

  • Marketing communications that involve financial remuneration.
  • Sale of PHI (we do not sell PHI under any circumstances).
  • Most uses and disclosures of psychotherapy notes (if maintained separately).
  • Sharing information with family members or friends (unless you provide verbal permission or in emergency situations).

You may revoke any authorization in writing at any time by contacting our Privacy Officer.

Business transfers

If MindShift+ is acquired by or merges with another company, your information (including PHI) may be transferred as part of that transaction. The acquiring entity will be required to comply with HIPAA and honor the commitments made in this Privacy Policy. We will notify you via email and/or a prominent notice on our website at least 30 days before your data is subject to a different privacy policy.

Cookies

We use cookies and similar tracking technologies to enhance your experience. You can manage your preferences at any time via our Cookie Settings page.

Category   | Purpose                                                                                              | Can opt out?
-----------|------------------------------------------------------------------------------------------------------|-------------
Essential  | Authentication, security, and core functionality. Required for the Service to work.                  | No
Functional | Remembers your preferences (theme, language, session settings).                                      | Yes
Analytics  | Anonymized data on how you use the app to help us improve it.                                        | Yes
Marketing  | Used only if you interact with referral or affiliate links. Not used for ad targeting within the app. | Yes

Security Safeguards

We implement administrative, physical, and technical safeguards designed to protect your personal information and PHI from unauthorized access, use, or disclosure, as required by HIPAA and applicable state and federal law.

Technical Safeguards

  • Encryption in transit — All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest — PHI stored in our databases is encrypted using AES-256 encryption.
  • Access controls — Role-based access controls ensure that only authorized personnel can access PHI, and only to the extent necessary for their job functions.
  • Authentication — Multi-factor authentication (MFA) is required for all administrative and clinician accounts.
  • Audit logs — We maintain detailed logs of access to PHI for security monitoring and breach detection.
  • Secure video conferencing — Telehealth sessions use end-to-end encrypted video through Whereby's HIPAA-compliant platform.

Administrative Safeguards

  • HIPAA training — All workforce members receive annual HIPAA privacy and security training.
  • Business Associate Agreements — All third-party vendors with access to PHI sign BAAs committing to HIPAA compliance.
  • Risk assessments — We conduct annual security risk assessments and implement corrective action plans.
  • Incident response plan — We maintain a documented breach notification and incident response plan.
  • Privacy Officer — We have designated a Privacy Officer responsible for HIPAA compliance and privacy inquiries.

Physical Safeguards

  • Secure facilities — Our servers are hosted in SOC 2 Type II certified data centers with physical access controls.
  • Workstation security — Clinician workstations use encrypted hard drives, automatic screen locks, and secure disposal procedures.
  • Device management — Mobile devices used to access PHI are password-protected and remotely wipeable.

While we implement industry-standard security measures, no method of transmission or storage is 100% secure. If you have reason to believe your account security has been compromised, contact us immediately at info@mindshiftwellnessclinic.org.

Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data (wellness app) — retained until you delete your account.
  • Journal entries and mood logs — retained until you delete them or your account.
  • AI conversation history (wellness app) — retained for 12 months, then automatically deleted.
  • Payment records — retained for 7 years for financial and tax compliance.
  • Server logs — retained for 90 days.
  • Local storage data — stored on your device indefinitely until you clear browser data or use the in-app "Clear my data" option.

Medical Records Retention (PHI)

Protected Health Information is retained in accordance with federal and Massachusetts state law:

  • Adult patient records — retained for a minimum of 7 years from the date of last treatment or service.
  • Minor patient records — retained until the patient reaches age 25, or 7 years from the date of last treatment, whichever is longer.
  • Clinical documentation — visit notes, treatment plans, prescriptions, and assessments are retained as part of your medical record.
  • Billing and insurance records — retained for 10 years to comply with federal and state requirements.
  • Telehealth session metadata — appointment records retained per medical records retention policy. Video recordings (if any) are retained only with your explicit consent and for the duration specified in your consent form.
  • Archived appointments — appointments marked as "archived" in the admin portal are automatically deleted after 2 years. This does not affect the underlying medical records, which are retained per the retention periods above.

Important: When you delete your wellness app account, your clinical medical records (if you are a patient) are NOT automatically deleted. Medical records must be retained per legal requirements. If you wish to request amendment, restriction, or access to your medical records, please contact our Privacy Officer using the information in the Contact section.

After the required retention period, PHI is securely destroyed using methods that render it unreadable and indecipherable (secure deletion, shredding, or de-identification).

Your Rights

HIPAA Rights (for Patients)

Under HIPAA, you have the following rights regarding your Protected Health Information:

Right to Access

Inspect and obtain a copy of your medical records and billing records. We will respond within 30 days. A reasonable fee may apply for copies.

Right to Amend

Request corrections to your medical records if you believe information is incorrect or incomplete. We may deny your request if the record was not created by us or if it is accurate and complete.

Right to an Accounting

Receive a list of certain disclosures of your PHI made by us in the past 6 years (excluding disclosures for treatment, payment, and healthcare operations).

Right to Request Restrictions

Ask us to limit how we use or disclose your PHI. We are not required to agree to your request except in specific circumstances (e.g., disclosure to health plan for services you paid for out-of-pocket).

Right to Confidential Communications

Request that we communicate with you in a specific way or at a specific location (e.g., call your cell phone instead of home phone).

Right to a Paper Copy

Receive a paper copy of this Privacy Policy or our HIPAA Notice of Privacy Practices at any time upon request.

Right to Notification of Breach

Be notified if your unsecured PHI is breached. We will notify you within 60 days of discovering a breach.

Right to File a Complaint

File a complaint with us or with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated. You will not be retaliated against for filing a complaint.

General Privacy Rights (All Users)

Depending on where you live, you may have additional rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you.
  • Correction — Ask us to correct inaccurate or incomplete information.
  • Deletion — Request erasure of your personal data ("right to be forgotten"), subject to legal retention requirements.
  • Portability — Receive your data in a structured, machine-readable format.
  • Objection — Object to processing based on legitimate interests or for direct marketing.
  • Restriction — Request that we limit how we use your data while a dispute is resolved.
  • Withdraw Consent — Revoke any consent you've given at any time without affecting past processing.
  • Do Not Sell (CCPA) — California residents can opt out of the "sale" of personal data. We do not sell data.

To exercise any of these rights, contact our Privacy Officer at info@mindshiftwellnessclinic.org or call 508-306-1128. We will respond within 30 days (or within the timeframe required by applicable law).

To file a HIPAA complaint with the federal government:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
Online: www.hhs.gov/ocr/complaints

Breach Notification

In the event of a breach of unsecured PHI, we will notify affected individuals without unreasonable delay and in no case later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule.

What constitutes a breach

A breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the information. Not all unauthorized access constitutes a reportable breach — we conduct a risk assessment to determine if notification is required.

How we will notify you

If a breach affects your PHI, we will notify you by:

  • Written notice — sent to the email address or mailing address on file.
  • Telephone — if we cannot reach you by mail or email, or if the situation requires more immediate notice.
  • Substitute notice — if we do not have sufficient contact information, we will post a notice on our website and/or in local media.

The notification will include:

  • A description of what happened and when the breach occurred.
  • The types of PHI involved in the breach.
  • Steps you can take to protect yourself.
  • What we are doing to investigate, mitigate harm, and prevent future breaches.
  • Contact information for further questions.

We will also notify the U.S. Department of Health and Human Services and, if the breach affects 500 or more individuals, prominent media outlets, as required by law.

Children's Privacy

The MindShift+ wellness app is not directed to children under the age of 13 (or 16 in certain jurisdictions). We do not knowingly collect personal data from children through the wellness app without parental consent.

Minor Patients (Clinical Services)

We do provide clinical mental health services to minors (patients under age 18) through our clinic. When treating minor patients:

  • We obtain consent from a parent or legal guardian before providing treatment.
  • Parents/guardians have the right to access their minor child's medical records, except in limited circumstances where state law grants minors privacy rights (e.g., certain mental health or substance abuse treatment).
  • Minor patient records are retained until the patient reaches age 25, or 7 years from the date of last treatment, whichever is longer, as required by Massachusetts law.
  • We comply with Massachusetts General Laws Chapter 112, Section 12F regarding minors' consent for mental health treatment.

If you are a parent or guardian and have questions about your child's privacy rights or wish to access your child's medical records, please contact our Privacy Officer at info@mindshiftwellnessclinic.org or call 508-306-1128.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (at the address associated with your account) and by posting a notice on our website at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.

We will keep prior versions of this Policy archived and accessible upon request.

Contact

Questions, concerns, or requests related to this Privacy Policy or your HIPAA rights should be directed to:

MindShift Wellness Clinic
Privacy Officer
31 Granite Street, Suite #2
Milford, MA 01757
info@mindshiftwellnessclinic.org
508-306-1128
mindshiftwellnessclinic.org

For HIPAA-related requests: Please include "HIPAA Request" in the subject line and provide your full name, date of birth, and a description of your request. We may require identity verification before processing your request.