Privacy Policy

Last updated: February 18, 2026 | Version 1.0

HIPAA Compliance Notice

SortedMindz is committed to protecting your health information in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. This Privacy Policy describes how we collect, use, disclose, and safeguard your Protected Health Information (PHI) and other personal data.

1. Information We Collect

We collect the following categories of information:

  • Account Information: Display name and email address, used for authentication and account management.
  • Mood and Wellness Data: Mood entries, mood levels, and optional notes you provide when logging your daily mood.
  • Journal Entries: Written reflections, moods associated with entries, and timestamps.
  • Breathing Session Data: Exercise type, duration, and completion records.
  • Consent Records: Timestamps and version identifiers for your privacy consent and data-sharing agreements.

2. De-Identification of Data

To protect your privacy and comply with HIPAA requirements, we implement robust de-identification practices:

  • Safe Harbor Method: When data is used for analytics, research, or product improvement, we remove all 18 categories of identifiers specified under the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)), including names, geographic data, dates, phone numbers, email addresses, and all other direct and indirect identifiers.
  • Anonymized Analytics: Any aggregated wellness data used for service improvement is fully de-identified and cannot be traced back to any individual user.
  • Separation of Identifiers: Your personal identifiers (email, display name) are stored separately from your wellness data (mood, journal, breathing sessions) using unique internal identifiers that have no external meaning.
  • No Re-Identification: We do not attempt to re-identify de-identified data, and we contractually require the same of any third parties who may access de-identified data.

3. How We Use Your Information

  • Providing the Service: To display your mood trends, journal history, breathing statistics, and personalized dashboard.
  • Service Improvement: Using de-identified, aggregated data to improve features and user experience.
  • Communication: Sending account-related notifications (e.g., email confirmation, password reset). We will never send marketing emails without explicit opt-in consent.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

4. Data Storage and Security

We implement administrative, physical, and technical safeguards as required under the HIPAA Security Rule:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Row-Level Security (RLS): Database-enforced access controls ensure each user can only access their own data.
  • Access Controls: Strict role-based access limits who can view or modify data within our systems.
  • Audit Logging: All consent changes and data access events are logged in an immutable audit trail.
  • Secure Authentication: Passwords are hashed using industry-standard algorithms, and sessions are managed with secure, HTTP-only cookies.

5. Data Sharing and Disclosure

We do not sell your personal information or Protected Health Information. We may share data only in these limited circumstances:

  • With Your Consent: If you explicitly authorize sharing with a healthcare provider or other third party.
  • De-Identified Data: Aggregated, de-identified data that cannot identify you may be used for research or product improvement.
  • Legal Requirements: When required by law, subpoena, court order, or to protect against imminent harm as permitted under HIPAA.
  • Service Providers: With trusted vendors who process data on our behalf under Business Associate Agreements (BAAs) that require them to protect your data to the same standards as we do.

6. Your Rights Under HIPAA

You have the following rights regarding your health information:

  • Right to Access: You may request a copy of your health information at any time through your dashboard settings.
  • Right to Amendment: You may request corrections to your health information if you believe it is inaccurate or incomplete.
  • Right to an Accounting of Disclosures: You may request a list of instances where your PHI was disclosed for purposes other than treatment, payment, or healthcare operations.
  • Right to Request Restrictions: You may ask us to limit how we use or disclose your health information.
  • Right to Revoke Consent: You may withdraw your consent for data sharing at any time via your account settings. Withdrawal does not affect data processed before the withdrawal.
  • Right to Deletion: You may request permanent deletion of your account and all associated data.
  • Right to Data Portability: You may request an export of your data in a machine-readable format.

7. Breach Notification

In the event of a breach of unsecured Protected Health Information, we will notify affected individuals without unreasonable delay and no later than 60 days following discovery of the breach, in accordance with the HIPAA Breach Notification Rule (45 CFR 164.400-414). We will also notify the U.S. Department of Health and Human Services (HHS) and, where applicable, prominent media outlets as required by law.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the service. You may delete your account at any time, which will trigger permanent deletion of all your personal and health data within 30 days. De-identified, aggregated data may be retained indefinitely as it cannot be linked to any individual. Consent audit logs are retained for a minimum of 6 years as required by HIPAA.

9. Children's Privacy

SortedMindz is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will promptly delete that information.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a notice on our app. Changes are effective when posted. Your continued use of SortedMindz after changes are posted constitutes acceptance of the updated policy. If revised terms require a new consent under HIPAA, we will request your affirmative consent before applying the changes.

11. Contact Us

If you have questions about this Privacy Policy, your data rights, or HIPAA compliance, please contact our Privacy Officer at: privacy@sortedmindz.com