Privacy Policy

Last Updated: [PLACEHOLDER - Add date]

1. Introduction & Data Controller

[PLACEHOLDER - Review with legal counsel] Mena Health Technologies ("Mena", "we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Mena platform. As a mental health care management platform, we understand the sensitive nature of the data we process and take our obligations under the General Data Protection Regulation (GDPR) and applicable data protection laws seriously.

Data Controller:
Mena Health Technologies
[PLACEHOLDER - Add registered address]
[PLACEHOLDER - Add registration number]
Email: privacy@menahealth.com
[PLACEHOLDER - Add DPO contact details]

2. Data We Collect

[PLACEHOLDER - Review with legal counsel] We collect and process the following categories of personal data:

Account Data: Name, email address, professional credentials, contact information, and practice details provided during registration.

Clinical Data: Patient records, session notes, treatment plans, assessments, therapeutic process information, and other clinical documentation created through the platform. This data is classified as special category data under GDPR Article 9.

Usage Data: Information about how you interact with the platform, including features used, pages visited, and actions taken.

Technical Data: IP address, browser type, device information, operating system, and connection data collected automatically when you access the platform.

Payment Data: Billing information processed through our payment provider (Stripe). We do not store complete payment card details on our servers.

3. Legal Basis for Processing

[PLACEHOLDER - Review with legal counsel] We process your personal data based on the following legal grounds under GDPR Article 6:

Consent (Article 6(1)(a)): For processing special category health data, we rely on your explicit consent under Article 9(2)(a), obtained during registration and through our consent management system.

Contract Performance (Article 6(1)(b)): Processing necessary to provide the Mena platform services as agreed in our Terms and Conditions.

Legitimate Interest (Article 6(1)(f)): For platform security, fraud prevention, service improvement, and analytics, where our interests do not override your data protection rights.

Legal Obligation (Article 6(1)(c)): Where processing is required by applicable healthcare regulations, tax laws, or other legal requirements.

4. How We Use Your Data

[PLACEHOLDER - Review with legal counsel] We use your personal data to:
- Provide and maintain the Mena platform services
- Enable clinical documentation and patient management
- Process appointments and scheduling
- Facilitate secure communication between practitioners
- Generate AI-assisted clinical insights (with your consent)
- Process payments and manage subscriptions
- Send service-related notifications and updates
- Improve platform functionality and user experience
- Comply with legal and regulatory obligations
- Ensure platform security and prevent unauthorized access

5. Data Sharing & Third Parties

[PLACEHOLDER - Review with legal counsel] We share personal data only with trusted third parties who assist in operating our platform:

Payment Processing: Stripe processes payment transactions. Their privacy policy governs payment data handling.

Cloud Infrastructure: Our platform is hosted on secure cloud infrastructure within the European Union.

AI Processing: AI features use anonymized or pseudonymized data. Clinical data sent to AI services is processed under strict data processing agreements.

Analytics: We use privacy-respecting analytics to understand platform usage patterns.

We do not sell your personal data to third parties. All third-party processors are bound by Data Processing Agreements ensuring GDPR compliance.

6. International Data Transfers

[PLACEHOLDER - Review with legal counsel] Your data is primarily stored and processed within the European Economic Area (EEA). Where data transfers outside the EEA are necessary (e.g., for certain technical services), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Transfer impact assessments as required

You may request information about specific transfer mechanisms by contacting our DPO.

7. Data Retention

[PLACEHOLDER - Review with legal counsel] We retain personal data only as long as necessary for the purposes outlined in this policy:

Account Data: Retained for the duration of your account and for [PLACEHOLDER] years after account closure for legal compliance.

Clinical Data: Retained in accordance with applicable healthcare record retention requirements in your jurisdiction. [PLACEHOLDER - Specify retention periods per jurisdiction]

Usage & Technical Data: Retained for up to [PLACEHOLDER] months for analytics and security purposes.

Payment Records: Retained for [PLACEHOLDER] years as required by tax and financial regulations.

You may request earlier deletion of your data, subject to legal retention requirements.

8. Your Rights

[PLACEHOLDER - Review with legal counsel] Under GDPR, you have the following rights regarding your personal data:

Right of Access (Article 15): Request a copy of your personal data and information about how it is processed.

Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17): Request deletion of your personal data where there is no compelling reason for continued processing.

Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format.

Right to Restrict Processing (Article 18): Request restriction of processing in certain circumstances.

Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@menahealth.com or through the in-app compliance center.

9. Security Measures

[PLACEHOLDER - Review with legal counsel] We implement comprehensive security measures to protect your data:
- AES-256 field-level encryption for sensitive clinical data
- Per-company encryption keys for data isolation
- TLS 1.3 encryption for all data in transit
- Role-based access control with company-level isolation
- Regular security audits and vulnerability assessments
- Secure development practices and code reviews
- Employee access controls and security training
- Incident response and breach notification procedures

10. Cookies & Tracking

[PLACEHOLDER - Review with legal counsel] The Mena platform uses essential cookies required for platform functionality, including:
- Authentication session cookies
- Language and theme preference cookies
- Security tokens

We do not use third-party advertising or tracking cookies. Analytics, where used, are privacy-respecting and do not track individual users across sites.

11. Children's Privacy

[PLACEHOLDER - Review with legal counsel] The Mena platform is designed for use by licensed mental health professionals. We do not knowingly collect personal data from children under 16. If clinical records involve minors, the treating professional is responsible for obtaining appropriate parental or guardian consent in accordance with applicable laws.

12. Changes to This Policy

[PLACEHOLDER - Review with legal counsel] We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of significant changes through:
- In-app notifications
- Email notification to registered users
- Updated "Last Updated" date on this page

We encourage you to review this policy periodically.

13. Contact & DPO Information

[PLACEHOLDER - Review with legal counsel] For privacy-related inquiries or to exercise your data protection rights:

Data Protection Officer:
[PLACEHOLDER - Add DPO name]
Email: dpo@menahealth.com
[PLACEHOLDER - Add DPO address]

General Privacy Inquiries:
Email: privacy@menahealth.com

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority. [PLACEHOLDER - Add relevant supervisory authority details for Portugal/EU]

Privacy Policy | Mena.ai