• The information we collect and why (protected health information (PHI) and personally identifiable information (PII))
• How we use that information
• Data security and privacy measures we have implemented
• The choices we offer you regarding your information, how to access your information, your rights, etc.
As used herein, the following definitions apply:
Protected Health Information (PHI): PHI is personally identifiable information that consists of:
• health information, including demographic information, created or received by DANA and which relates to the past, present, or future physical or mental health or condition of an individual;
• the provision of health care to an individual; or
• the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify the individual.
“Personally Identifiable Information”, “Personal Information”, or “PII” means any data element that:
1. is recorded in any form;
2. is about, or pertains to a specific individual; and
3. can be linked to that individual, whether through the information itself or through the combination of that information with other publicly available information about the individual. PII may include PHI.
Types of Personal Information Collected
Information You Provide to Us
We collect information provided directly to us by a patient or their provider.
The types of information we may collect from you include:
• Account information, such as name, email address, date of birth, gender, phone number, and any other information a patient or provider may choose to provide;
• PII and PHI. PHI and PII are processed in a way that is compatible with and relevant for the purpose for which it was collected and authorized by the individual.
• Information about others, such as the names, telephone numbers, and email addresses of patient caregivers.
• Other information you choose to provide when, for example, you contact us or when you request technical or customer support.
Information We Collect Automatically
When you access or use DANA, the types of information we may automatically collect about you include:
1. Non-personally identifiable information. We collect information about the DANA application and services used and how Users use them, such as the assessments completed within the DANA application. This information includes:
o Assessment data. We collect data regarding your responses on reaction time measurements and psychological questionnaires to share with your healthcare provider. These data include assessment type, date and time of the assessment, timestamps of responses, and responses (multiple choice or fill-in style).
o Device information. We collect device-specific information such as the mobile device model number and operating system version used for DANA.
o Log information. We may collect and store certain information when you use DANA to enable us to enhance future versions of the application. This information may include the following:
a. The dates and times you use the application
b. Device event analytics such as application crashes
c. Hardware settings
DANA does not maintain any Designated Record Set (“DRS”) as that term is defined by HIPAA. Accordingly, all requests for access to PHI contained within a DRS should be directed to the third-party institutional user that created and/or maintains the DRS, such as the group, institutional or medical provider that provided you access to the DANA products. Similarly, requests for amendments or restrictions to PHI or PII under HIPAA should be directed to the same third parties.
Use of Information
We may use collected information for various purposes, including to:
1. Provide, maintain and improve DANA;
2. Manage a patient or provider account and send related information, including confirmations, updates, technical notices, security alerts and support and administrative messages;
3. Respond to comments, questions and requests and provide customer service;
4. Communicate about DANA;
5. Monitor and analyze trends, usage and activities in connection with DANA;
6. Detect, investigate and prevent fraudulent and other illegal activities and protect the rights and property of ATinc and others;
7. Personalize and improve DANA;
8. Link or combine with information we get from others to help understand your needs and provide you with a better experience; and
9. Carry out any other purpose for which the information was collected.
Sharing of Information (with Third Parties)
1. With vendors, consultants and other service providers who need access to such information to carry out work or perform services on our behalf;
2. In response to a request for information if we believe disclosure is in accordance with, or required by, any applicable law, rule, regulation or legal process;
3. If we believe your actions are inconsistent with our license provisions or other policies, or to protect the rights, property or safety of ATinc or others;
4. Between and among ATinc and any current or future parent, associate, subsidiary and/or affiliated company; and
5. With your consent or at your direction.
You may further elect as part of your use of DANA to authorize us to share your name, address, and other health and wellness related information about you with one or more third parties designated by you. You acknowledge and agree that we may use your information in a de-identified manner to create aggregated, de-identified data sets, including to evaluate and implement future products or services and to share such de-identified data sets with third parties in accordance with applicable law, including without limitation, HIPAA and HITECH regulations.
International transfers of your personal data (European Union)
In this section we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).
We are based in the United States. The information we collect is governed by U.S. law, and, for our E.U. data subjects, by the E.U.-U.S. Privacy Shield framework (discussed in the “Privacy Shield” section below). By accessing or using our sites and software or otherwise providing information to us, you consent to the processing and transfer of information in and to the U.S. and other countries.
The Federal Trade Commission has jurisdiction over ATinc’s compliance with the Privacy Shield.
• The types of personal information we collect (“Information You Provide to Us”)
• The purposes for which we collect and use personal information (“Use of Information”)
• The types of third parties to which we disclose personal information, and the purposes for which we do so (“Sharing of Personal Information”)
• Our liability for onward transfers to third parties (“Sharing of Personal Information”)
• The choices and means we offer individuals for limiting the use and disclosure of their personal information (“Promotional Communications”); and
• The right of individuals to access their personal information (“Access to Personal Information”)
ATinc is responsible for the processing of personal information it receives under the Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf, if any. ATinc complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
EU data subjects may contact us for the handling of complaints, access requests, and any other issues arising under Privacy Shield as specified in the “Resolution” section below. If you have a complaint regarding our compliance with the Principles, first contact us to informally resolve your complaint.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact JAMS, our U.S.-based third party dispute resolution provider: https://www.jamsadr.com.
If you live in the EEA, you may also file a complaint with your local data protection regulator.
As further explained in the Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means; for additional information please go to: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
If you have a Privacy Shield-related complaint, please contact us at firstname.lastname@example.org.
General Data Protection Regulation (GDPR)
The GDPR is a new, Europe-wide law that replaces the Data Protection Act of 1998 in the UK. It places greater obligations on organizations regarding how they handle personal data. It went into effect on May 25, 2018. The GDPR requires that companies processing the personal data of European users do so on the basis of specific legal grounds. As described below, we process the information of European users based on one or more of the grounds specified under the GDPR.
Below are the rights you may have under data protection law. You should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights. Please note that for each of the rights below we may have valid legal reasons to deny your request. In such instances, we will inform you of the reason for the denial.
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
If you would like to exercise any of the above rights, please e-mail, call, or write to us (see “How to Contact Us” below).
For more information on the General Data Protection Regulation (GDPR), you can find more resources at https://gdpr-info.eu and http://gdprandyou.ie.
Data Security and Privacy
ATinc takes reasonable and industry-appropriate measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction. Please understand, however, that no security system is impenetrable. Like other companies, we cannot guarantee 100% security or confidentiality of the information provided to us. Consequently, while we endeavor to safeguard PII and PHI against unauthorized access and disclosure, we do not warrant or guarantee the absolute security of any personal information transmitted to, from, or through DANA.
ATinc has established comprehensive data security and privacy policies to protect PHI and PII from loss, misuse, unauthorized access, disclosure, alteration, and destruction. These include the implementation of appropriate administrative, physical, and technical safeguards to secure PHI and PII received, prevent misuse, and mitigate any potential harm to individuals in the event of a breach.
Our employees are trained on the requirements of HIPAA and their access to PII and PHI (including electronically provided PHI [“e-PHI”]) is minimized based on the requirements of their job function. DANA requires user authentication prior to allowing access to e-PHI and encryption is used to prevent unauthorized access to e-PHI. DANA implements other industry-standard security measures to protect e-PHI including, but not limited to, periodic audits of security controls.
The DANA application and Web Portal are HIPAA-compliant and use the security measures mentioned below. We maintain strict security standards for both hardware and software and have implemented policies and procedures to comply with federal, state and local laws and regulations regarding the use and disclosure of such PHI and PII, to protect confidentiality and integrity of PHI and PII we collect or create, and to prevent inappropriate access to or disclosure of such information. In addition to these security features, access to information is also restricted based on the minimum information necessary and user permission level.
Data are encrypted locally on the mobile device used and are decrypted via the application’s data export feature. The application is password-protected, requires a unique login to access, and includes an automatic logoff feature that activates when (a) an assessment is completed, (b) the user switches to another application, (c) the user exits the application to go to the Home screen or (d) the mobile device is turned off or its screen put to sleep.
DANA Cloud Database and Web Portal
All DANA data are securely encrypted and stored in a relational database on a dedicated server within a virtual private cloud (VPC). Primary access to the cloud database is provided via authentication on the DANA Web Portal (requiring the use of unique login credentials), which is also hosted on a HIPAA-compliant dedicated server. The Web Portal automatically logs out a user who has been inactive on the site for ten minutes or longer. The DANA VPC provides advanced security features such as security groups and network access control lists to enable inbound and outbound filtering at the instance level and subnet level. The dedicated servers provide an additional layer of security by ensuring data are physically isolated at the host hardware level. Transport Layer Security (TLS) safeguards have been implemented for any data transfers among the DANA cloud database, DANA Web Portal, and DANA mobile applications.
With your consent, we may collect information about your actual location when you use the DANA mobile applications. You may stop the collection of this information at any time by changing the settings on your mobile device, but note that some features of our mobile applications may no longer function if you do so.
Access to Other Applications on the Mobile Device
Some features of our mobile applications may require access to certain native applications on your mobile device. If you decide to use these features, we will ask you for your consent prior to accessing the applications and collecting information. Note that you can revoke your consent at any time by changing the settings on your mobile device.
We do not knowingly collect any personal information from children under the age of 13. DANA is not for use by children. We request that children under the age of 13 not download/install DANA or submit any personal information through DANA. If we are advised in writing that we have inadvertently received or collected personal information from a child under 13 years of age, we will remove such information from our database.
1. the types of personal information disclosed to third parties during the immediately preceding calendar year,
2. the names and addresses of third parties that received the personal information, and
3. if the nature of a third party’s business cannot be reasonably determined from the third party’s name, examples of its products or services.
You are entitled to receive a copy of this information in a standardized format. Information provided will not be specific to you individually. All such requests must be in writing and e-mailed to us at email@example.com. You may also request this information once per calendar year by writing to us at:
DANA Brain Vital
8737 Colesville Rd
Silver Spring, MD 20910
Recourse, Enforcement, and Liability
In compliance with the Privacy Shield Principles, ATinc commits to resolve complaints about our collection or use of your personal information. European Union and/or Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact ATinc at:
8737 Colesville Road
Silver Spring, MD 20910
ATinc commits to cooperate with (the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner, as applicable) and comply with the advice given by (the panel and/or Commissioner, as applicable) with regard to [human resources] data transferred from (the EU and/or Switzerland, as applicable) [in the context of the employment relationship].
How to Contact Us
Attn: Security and Privacy Officer
8737 Colesville Road
Silver Spring, MD 20910
Effective Date: June 11, 2018