Moodr Health Privacy Policy

 

Purpose

This Privacy Policy outlines how we collect, use, disclose, and protect personal information, including sensitive health data managed by our application built on the Salesforce platform. We are committed to safeguarding the privacy of all users and ensuring compliance with applicable laws and regulations.

 

Scope

This policy applies to all individuals who interact with our application, including patients, healthcare providers, employees, contractors, and any other users. It covers all personal data collected, processed, or stored by our systems.

 

Information We Collect

  • Personal Identification Information: Name, address, email address, phone number, and other contact details.
  • Health Information: Medical records, treatment histories, diagnoses, and other health-related data pertinent to patient care.
  • Usage Data: Information on how users interact with our application, including log-in times, accessed features, and system usage patterns.
  • Technical Data: IP addresses, device information, browser type, and operating system details collected through cookies and similar technologies.

How We Use Collected Information

We use personal information for the following purposes:

  • Service Provision: To deliver and improve our application services, ensuring optimal performance and user experience.
  • Patient Care: To facilitate healthcare delivery, including sharing relevant health information with authorized healthcare providers.
  • Communication: To send notifications and updates, and to respond to inquiries or support requests.
  • Compliance and Legal Obligations: To comply with applicable laws, regulations, and court orders.
  • Security: To monitor, prevent, and detect fraudulent or unauthorized activities, in line with our Audit Logging and Monitoring Policy.

Legal Basis for Processing

Our processing of personal data is based on:

  • Consent: When users have given explicit permission for specific processing activities.
  • Contractual Necessity: Processing is necessary to perform a contract with the user or to take steps preparatory to such a contract.
  • Legal Obligations: Compliance with legal and regulatory requirements.
  • Legitimate Interests: Processing is necessary for our legitimate interests, provided these are not overridden by the rights and interests of the users.

Data Sharing and Disclosure

We may share personal data with:

  • Authorized Healthcare Providers: To support patient care and treatment coordination.
  • Regulatory and Legal Authorities: When disclosure is required by law or necessary to protect our rights.

Data Security

We implement robust security measures to protect personal data, including:

  • Encryption: Protecting data at rest and in transit using industry-standard encryption protocols.
  • Access Controls: Enforcing strict access management in accordance with our Identity and Access Management Policy.
  • Regular Security Assessments: Conducting periodic reviews and updates to our security practices.

Data Retention

Personal data is retained only as long as necessary for the purposes outlined in this policy or as required by law. Secure disposal methods are employed to destroy data that is no longer needed.

User Rights

Users have the right to:

  • Access: Request access to their personal data held by us.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of their personal data under certain conditions.
  • Restriction: Request limitation of processing their personal data.
  • Objection: Object to the processing of their personal data for certain purposes.
  • Data Portability: Receive a copy of their personal data in a structured, commonly used format.

To exercise these rights, users should contact us using the contact information provided in the Contact Information section of this document.

Incident Response Policy

We are committed to promptly responding to any data breaches or security incidents involving personal data. Our Incident Response procedures include:

  • Detection and Reporting: Immediate identification and reporting of suspected incidents to the Incident Response Team.
  • Assessment: Evaluating the scope and impact of the incident.
  • Containment: Implementing measures to contain and mitigate the incident.
  • Notification: Informing affected users and relevant authorities as required by law, in compliance with our Information Security Policy.
  • Investigation: Conducting a thorough investigation to determine the root cause.
  • Recovery: Restoring systems and data from secure backups as necessary.
  • Documentation: Recording all aspects of the incident and response actions taken.
  • Review and Improvement: Updating policies and procedures to prevent future incidents, aligning with our Business Continuity and Disaster Recovery Policy.

This approach ensures incidents are handled efficiently, minimizing impact on users and maintaining compliance with legal obligations.

Third-Party Links

Our application may contain links to external websites not operated by us. We are not responsible for the privacy practices of these sites and encourage users to review their privacy policies.

Annual Review

This Privacy Policy will undergo an annual review to ensure:

  • Compliance: Alignment with current laws, regulations, and industry standards.
  • Effectiveness: The policy effectively addresses privacy risks and user concerns.
  • Consistency: No conflicts exist with other organizational policies, such as our Information Security Policy or Identity and Access Management Policy.

Contact Information

For questions or concerns regarding this Privacy Policy or our data practices, please contact:

Email: [email protected]

Approval and Review History

  • Initial Approval Date: 5/10/24
  • Last Review Date: 9/17/25
  • Next Scheduled Review Date: 9/17/26
  • Reviewed by: Ashok Aggarwal, CEO