Privacy Policy

Latest Version published: January 2023

Looking for our Terms of Use?

We at MirrorMe3D, LLC (“MirrorMe3D,” “we,” “us,” or “our”) have created this privacy policy (this “Privacy Policy”) because we know that you care about how information you provide to us is used and shared. This Privacy Policy relates to the information collection and use practices of MirrorMe3D in connection with services provided by us (collectively the “Services” or the “MirrorMe3D Services”). The MirrorMe3D Services include, but are not limited to, the proprietary web-based Platform (the “Platform”), which is made available to you at app.mirrorme3d.com, the mobile application, which is made available to you at https://app.mirrorme3d.com/patient/home or available on the Apple App Store as the “MirrorMe3D” app (the “App”) and  our website, located at https://www.mirrorme3d.com/ (the “Website”).

The MirrorMe3D Services are not intended to eliminate, replace, or substitute, in whole or in part, the healthcare provider’s judgment and analysis of the Patient’s condition. The image display function is intended as a secondary display and is not for primary diagnostic use.

This Privacy Policy includes an agreement to abide by the Health Insurance Portability and Accountability Act (HIPAA) Rules governing the Privacy, Security, Breach Notification, and Enforcement Rules found at 45 CFR Part 160 and Part 164.

Description of Users and Acceptance of Terms

This Privacy Policy applies to visitors to the Website and to Users of the Platform or the App. The Users may include customers who have signed up to access and use the Services offered through the Platform or App (the “Users”), including Doctors, a Doctor’s practice group, staff, clinical team, employees, contractors, or agents authorized by User to access and use the Services as administrators (“Administrative Users” or “Clinical Team”), and Doctors invited and authorized by Administrative Users to access and use one or more patient workspaces through the Services (collectively “Doctors”), as well as individuals who have begun to receive medical care, or intend to receive medical care from Doctors (“Patients”). Visitors, as the term implies, are people who do not register with us, but want to explore the MirrorMe3D Website. No login is required for Visitors who can (i) view all publicly available content on the Website; and (ii) can contact us by email or through chatbots.

By browsing the public areas of the Website and/or by clicking “I AGREE,” when you sign up to access and use the Platform or App, you acknowledge that you have read, understood and agree to be legally bound by the terms of this Privacy Policy, and the accompanying Terms of Use. 

Capitalized terms not defined in this Privacy Policy shall have the meaning set forth in our Terms of Use.

The Information We Collect and/or Receive

In the course of operating the Services, we will collect (and/or receive) the following types of information. By using the MirrorMe3D Services, you authorize us to collect and/or receive such information.

  1. Contact Information.

In order to access and use our Platform, Doctors will have to create an account by providing a name and an email address where you can receive and respond to communications from MirrorMe3D (collectively, the “Contact Information”). Patients may create an account for access by inputting their Contact Information directly on the App or the Platform.

  1. Patient Records.

Through the Platform, Doctors will create access-controlled Patient Profiles that will contain a patient’s name, and it may also contain an email address, telephone, date of birth and may contain additional information such as an address, gender, biological sex, race, eye color and height (“Patient Content”). This patient metadata is accessible only by the creator of the Patient Profile and the authorized users within their Platform account. For each Patient Profile, the User creates a Case(s) that relates to a specific treatment, procedure, or course of care (as determined by the User) for that patient. The Case details will include a title (usually a description of the Case) and the date of the Case (usually the date of the surgery). The User can then identify any collaborating doctors, and upload the medical imaging files, whether 3D imaging, DICOM files or 2D imaging such as JPEG or PNG files (collectively, the “Medical Content”). Users and collaborating doctors may append annotations, comments or notes to the Case. The information relating to the Patient’s case may be shared with a collaborating doctor and/or with the individual patient. This information can be viewed on the Platform but cannot be downloaded by either Doctors or Patients, except for the Medical Content that the User desiring to download uploaded to that particular file. To the extent Medical Content includes biometric data of the patient, you hereby represent to us that you have received a written release signed by the patient authorizing us to collect, store and process the patient’s biometric data for the purposes disclosed in this Privacy Policy.

 

Users, either Patients or Doctors, may generate a 3D capture on the App. The 3D capture can be transferred to a Patient Profile, a Case or to a Patient’s account on the Platform. If the capture was generated by a Patient, it can be transferred to a Doctor’s account and become part of the Medical Content only if the Patient expressly connects to the Doctor to permit access to the 3D capture.

  1. Other Information. 

In addition to the Contact Information, the Patient Content and the Medical Content, we may collect additional information (the “Other Information”). Such Other Information may include:

  1. From Your Activity.

Information that we automatically collect when you visit the Platform, the App and the Website, such as your IP addresses, browser type and language, referring and exit pages and URLs, date and time, amount of time spent on particular pages, what sections of the Platform, the App and/or the Website you visit, similar information concerning your use of the Services.

  1. From Cookies.

We collect information using “cookie” technology. Cookies are small packets of data that a browser or website stores on your computer’s or mobile device’s hard drive so that your browser will “remember” information about your visit. Some of the Platform, App or Website third-party services may use session cookies, which expire once you close your web browser, to enhance your experience using the Services. If you do not want your browser to place a cookie on your hard drive, you may be able to turn that feature off by accessing your browser’s settings. Please consult your Internet browser’s documentation for information on how to do this and how to delete persistent cookies. However, if you decide not to accept or block all cookies from us, the Platform, the App and the Website may not function properly.

  1. Third-Party Analytics.

We use one or more third–party analytics services (such as Google Analytics) to evaluate the general use of the Services, compile reports on activity (based on their collection of IP addresses, Internet service provider, browser type, operating system and language, referring and exit pages and URLs, data and time, amount of time spent on particular pages, what sections of the Website are visited, number of links clicked while on the Website, search terms and other similar usage data), and analyze performance metrics. These third parties use cookies and other technologies to help analyze and provide us the data. By accessing and using the Services, you consent to the processing of this data about your session by these analytics providers in the manner and for the purposes set out in this Privacy Policy. Please be advised that if you opt out of any of these services, you may not be able to use the full functionality of the Services.

  • Customer Support

Front, Webflow, Typeform

  • Functionality and Infrastructure Optimizations

Amazon Web Services, Cloudflare, Auth0, SendGrid

  • Invoice and Billing

Stripe, Xero

  • Web and Mobile Analytics

Google Analytics, DataDog

  • Website Hosting

Amazon Web Services

  1. Collection of FaceID and TrueDepth Data.

Specific for iPhone users of the MirrorMe mobile app, our application utilizes Apple's TrueDepth API to collect facial data. We use this data for two primary purposes: to authenticate users and to provide personalized augmented reality effects for 3D scanning.

Important: We do not share this data with third parties.

How We Use and Share the Information 

We will use the Contact Information, Medical Content and the Other Information, but not the Patient Content, (collectively, the “Information”) to provide the Platform, App and Website Services to you, solicit your feedback, inform you about our products and services, provide customer support and to improve our Services.

MirrorMe3D may access the Medical Contents on the Platform and 3D captures on the App to assist a Doctor in visualizing a treatment plan or to design and manufacture products at the direction of the Doctor for use before, during or after a surgical treatment. The MirrorMe3D Platform is a web-based application intended to be used to assist Users in the visualization and communication of treatment options and as such, Users will upload Patient Content including the minimum necessary patient identifiers and Medical Content. The Platform also allows Users to share the access with collaborating doctors or allow limited access by Patients.

You also authorize us to use and/or share your Information as described below.

  • Agents, Providers and Related Third Parties. We may engage other companies and individuals to perform certain business-related functions on our behalf. Examples may include providing technical assistance, order fulfillment, customer service, and marketing assistance. These other companies will have access to the Information only as necessary to perform their functions and to the extent permitted by law. We may also share your Information with any of our parent companies, subsidiaries, or other companies under common control with us.
  • Aggregated Information. In an ongoing effort to better understand our users, we might analyze your Information in aggregate form in order to operate, maintain, manage, and improve the Services. This aggregate information does not identify you personally and does not identify patient protected health information. We may share this aggregate data with our affiliates, agents, and business partners. We may also disclose aggregated user statistics in order to describe our Services to current and prospective business partners and to other third parties for other lawful purposes.
  • Business Transfers. As we develop our businesses, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, sale of assets, dissolution, or similar event, your Information may be part of the transferred assets.
  • Legal Requirements. To the extent permitted by law, we may also disclose your Information: (i) when required by law, court order, or other government or law enforcement authority or regulatory agency; or (ii) whenever we believe that disclosing such information is necessary or advisable, for example, to protect the rights, property, or safety of MirrorMe3D or others.

HIPAA Acknowledgement and Agreement  

MirrorMe3D agrees to implement protections for any patient protected health information provided by Users subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the subsequent Privacy Rule, Security Rule and Breach Notification Rule. To the extent that the terms of this Privacy Policy with regard to the use and disclosure of protected health information may be inconsistent with the HIPAA Agreement, the terms of the HIPAA Agreement shall supersede the terms of the Privacy Policy.

Obligations

MirrorMe3D agrees to:

(a) Not use or disclose protected health information other than as permitted or required by law;

(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;

(c) Report to Users any use or disclosure of protected health information not provided for by this agreement of which it becomes aware, including breaches of unsecured protected health information, and any security incident of which it becomes aware;

(d) In accordance with HIPAA standards and rules, if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of MirrorMe3D agree to the same restrictions, conditions, and requirements that apply to MirrorMe3D with respect to such information;

(e) Make available protected health information in a designated record set to the User as necessary to satisfy User’s obligations under HIPAA standards and rules;

(f) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the User pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy User’s obligations under 45 CFR 164.526;

(g) Maintain and make available the information required to provide an accounting of disclosures to the User as necessary to satisfy the User’s obligations under HIPAA standards;

(h) To the extent MirrorMe3D is to carry out one or more of User's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the User in the performance of such obligation(s); and

(i) Make its internal practices, books, and records available to the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

Permitted Used and Disclosures by MirrorMe3D

MirrorMe3D may only use or disclose patient protected health information as follows:

  1. MirrorMe3D may use or disclose patient protected health information through its patient-specific, soft tissue planning business, to provide certain products including, without limitation, templates, guides, splints, and/or anatomical models (collectively, the “Products”) and certain patient-specific treatment planning services for use in connection with the Products.
  1. MirrorMe3D may use or disclose protected health information as required by law.
  1. MirrorMe3D agrees to make uses and disclosures and requests for protected health information consistent with User’s minimum necessary policies and procedures.
  1. MirrorMe3D may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by User except for the specific uses and disclosures set forth below.
  1. MirrorMe may use protected health information for the proper management and administration of MirrorMe or to carry out the legal responsibilities of MirrorMe.
  1. MirrorMe3D may disclose protected health information for the proper management and administration of MirrorMe3D or to carry out the legal responsibilities of MirrorMe3D, provided the disclosures are required by law, or MirrorMe3D obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies MirrorMe3D of any instances of which it is aware in which the confidentiality of the information has been breached.
  1. MirrorMe3D may provide data aggregation services relating to the health care operations of the User.

Term and Termination

(a) Term. The Term of this Agreement shall be effective as of the date the User creates an account with the MirrorMe3D and shall terminate on notification or on the date User terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner. 

b) Termination for Cause. MirrorMe3D authorizes termination of this Agreement by User, if User determines MirrorMe3D has violated a material term of the Agreement and MirrorMe3D has not cured the breach or ended the violation within the time specified by User.

c) Obligations of MirrorMe3D Upon Termination. Upon termination of this Agreement for any reason, MirrorMe3D shall destroy or return to the User all protected health information received from the User, or created, maintained, or received by MirrorMe3D on behalf of User, that MirrorMe3D still maintains in any form. MirrorMe3D shall retain no copies of the protected health information.

 

Accessing and Modifying Information and Communication Preferences

If you have provided us any personal information, you may access, remove, review, and/or make changes to the same by contacting us at [email protected]. In addition, you may manage your receipt of marketing and non-transactional communications by clicking on the “Unsubscribe” link located on the bottom of any MirrorMe3D marketing e-mail. We will use commercially reasonable efforts to process such requests in a timely manner. You should be aware, however, that it is not always possible to completely remove or modify information in our subscription databases. 

How We Protect the Information

Protecting patient privacy and keeping you and your Patient Content and Medical Content secure are among our biggest priorities. This Privacy Policy details how we may use, share, and maintain the information that you voluntarily share with MirrorMe3D in regard to normal business operations, which may include, without limitation your Patient Content and Patient Medical Content, and other personally identifiable patient information (collectively, “Protected Health Information” or “PHI”).

Security Protections for the Protected Health Information

We have implemented a series of physical, personnel, administrative, access control, system, third party and transmission safeguards to prevent unauthorized access, to maintain data integrity and to ensure that only authorized persons who need to access PHI can do so. A brief description of some of our security measures follows.

Physical Security measures include:

· Physical access to servers is restricted to MirrorMe3D personnel who have been authorized for server access

· Disaster recovery plan outlined 

Personnel Security measures include:

· Background and criminal reference check for employees

· Annual HIPAA and general privacy and security training for employees

Administrative Security measures include:

· Documentation of compliance training and regularly scheduled risk assessments

· Sanctions for employee violations of company policies and practices

Access Control Security measures include:

· Restricting access to protected health data, including PHI, to approved personnel on need basis only

· Identity Authentication including, but not limited to, written signature, passwords, multi-factor identification, tokens, biometrics or a combination thereof

System Security measures include:

· Business associate agreements and/or other business agreements with all partners, third parties and vendors with whom we share information that require them to implement all appropriate security procedures to maintain confidentiality

· Individual confidentiality agreements with all employees and consultants who are required to come into contact with your PHI

· Data protection agreements, including European Commission-approved Standard Contractual Clauses with business partners where PHI is to be processed from the European Economic Area

Transmission Security measures include:

· At-Rest and In-Transit Encryption of all Medical Information and Protected Health Information transmitted to and from our App and stored in our systems

Unless otherwise stated, we apply the law as necessary to all protected health information as required by HIPAA. We do not allow third parties to extract any protected heath information from our Platform or App unless required by law or as required for normal business operations. All third parties are listed in the Privacy Policy for your review. By using our Platform and App, you agree, without limitations, that we are acting lawfully while conducting legitimate business.

While we cannot guarantee that loss, misuse or alteration of data will not occur, we are committed to using proven safeguards, current best practices and security audit procedures designed to prevent any loss, misuse or alteration of data. You will be promptly notified of any security breach which may have allowed disclosure or compromised the security and privacy of any of your Protected Health Information.

External Sites

The Platform, the App and the Website may contain links to External Sites. MirrorMe3D has no control over the privacy practices or the content of these External Sites. As such, we are not responsible for the content or the privacy policies of those External Sites. You should check the applicable third-party privacy policy and terms of use when visiting any External Sites.

Children 

We do not knowingly collect personal information from children under the age of 18 through the MirrorMe3D Services without consent of their parent(s) or legal guardians. If you are under 18, please do not use the Platform or App. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce our Privacy Policy by instructing their children never to provide personal information through the Platform and the App, or by contacting us through the Website, without their permission. If you have reason to believe that a child under the age of 18 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Important Notice to Non-U.S. Residents

The Website, the Platform, the App and their servers are operated in the United States. If you are located outside of the United States, please be aware that any information you provide to us maybe transferred to, processed, maintained, and used on computers, servers, and systems located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to use the MirrorMe3D Services, you do so at your own risk. 

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to obtain certain information about the types of personal information that companies with whom they have an established business relationship (and that are not otherwise exempt) have shared with third parties for direct marketing purposes during the preceding calendar year, including the names and addresses of those third parties, and examples of the types of services or products marketed by those third parties. If you wish to submit a request pursuant to Section 1798.83, please contact MirrorMe3D via email at [email protected].

MirrorMe3D does not monitor, recognize, or honor any opt-out or do not track mechanisms, including general web browser “Do Not Track” settings and/or signals with regard to application functionality and performance. 

Changes to This Privacy Policy

This Privacy Policy is effective as of the date stated at the top of this Privacy Policy. We may change this Privacy Policy from time to time with or without notice to you. Any such changes will be posted on the Platform. In any event, you will be required to affirmatively accept the revised Privacy Policy prior to next logging-in to your account. Please be aware that, to the extent permitted by applicable law, our use of your information is governed by the Privacy Policy in effect at the time we collect the Information. Please refer back to this Privacy Policy on a regular basis. 

How to Contact Us

If you have questions about this Privacy Policy, please contact us at the address below or via e-mail at [email protected] with “Privacy Policy” in the subject line. 

MirrorMe3D

Attn: Legal Affairs

222 West 37th Street

Suite 1506

New York, NY 10018

USA