DANA Privacy Policy (Last Updated: June 11, 2018)

This Privacy Policy outlines the policies of AnthroTronix, Inc. (collectively “ATinc,” “we,” “us” or “our”) regarding data security and privacy, including the types of information we gather, how we use it, and the notice and choice affected individuals have regarding our use of that information. This policy applies to the DANA Brain Vital and DANA Modular applications and all associated products or services (collectively referred to as “DANA”) and all personally identifiable information collected thereby.

This Privacy Policy explains:

• The information we collect and why (protected health information (PHI) and personally identifiable information (PII))
• How we use that information
• Data security and privacy measures we have implemented
• The choices we offer you regarding your information, how to access your information, your rights, etc.

ATinc reserves the right to change or modify this Privacy Policy at any time and in our sole discretion, including as required to comply with changes in the Health Insurance Portability and Accountability Act (HIPAA) and/or the Health Information Technology for Economic and Clinical Health (HITECH) Act regulations. If we make changes to this Privacy Policy, we will provide notice of such changes by posting the revised policy to our website, currently www.danabrainvital.com, and updating the “Last Updated” date shown above. We encourage you to review this Privacy Policy whenever you use or access DANA or otherwise interact with us to stay informed about our information practices and the ways you can help protect your privacy.

This Privacy Policy also addresses administrative and technical measures implemented by ATinc to comply with HIPAA and HITECH regulating the security and privacy of protected health information in the United States. This Privacy Policy also addresses Privacy Shield regulations to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.

Definitions

As used herein, the following definitions apply:

Protected Health Information (PHI): PHI is personally identifiable information that consists of:
• health information, including demographic information, created or received by DANA and which relates to the past, present, or future physical or mental health or condition of an individual;
• the provision of health care to an individual; or
• the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify the individual.

“Personally Identifiable Information”, “Personal Information”, or “PII” means any data element that:
1. is recorded in any form;
2. is about, or pertains to a specific individual; and
3. can be linked to that individual whether through the information or the collection of the information and other, publicly available, information on the individual. PII may include PHI.

Types of Personal Information Collected

Information You Provide to Us

We collect information provided directly to us by a patient or their provider.

The types of information we may collect from you include:

• Account information, such as name, email address, date of birth, gender, phone number, and any other information a patient or provider may choose to provide;

• PII and PHI. PHI and PII are processed in a way that is compatible with and relevant for the purpose for which they were collected and authorized by the individual.

• Information about others, such as the names, telephone numbers, and email addresses of patient caregivers.

• Other information you choose to provide when, for example, you contact us or when you request technical or customer support.

Information We Collect Automatically

When you access or use DANA, the types of information we may automatically collect about you include:

1. Non-personally identifiable information. We collect information about the DANA application and services used and how Users use them, such as the assessments completed within the DANA application. This information includes:

o Assessment data. We collect data regarding your responses on reaction time measurements and psychological questionnaires to share with your healthcare provider. These data include assessment type, date and time of the assessment, timestamps of responses, and responses (multiple choice or fill-in style).

o Device information. We collect device-specific information such as the mobile device model number and operating system version used for DANA.

o Log information. We may collect and store certain information when you use DANA to enable us to enhance future versions of the application. This information may include the following:

a. The dates and times you use the application
b. Device event analytics such as application crashes
c. Hardware settings

We do not use cookies, web beacons, or other tracking technologies to collect additional information about any DANA users.

DANA does not maintain any Designated Record Set (“DRS”) as that term is defined by HIPAA. Accordingly, all requests for access to PHI contained within a DRS should be directed to the third party institutional user that created and / or maintains the DRS, such as the group, institutional or medical provider that provided you access to the DANA products. Similarly, requests for amendments or restrictions to PHI or PII under HIPAA should be directed to the same third parties.

Use of Information

We may use collected information for various purposes, including to:

1. Provide, maintain and improve DANA;
2. Manage a patient or provider account and send related information, including confirmations, updates, technical notices, security alerts and support and administrative messages;
3. Respond to comments, questions and requests and provide customer service;
4. Communicate about DANA;
5. Monitor and analyze trends, usage and activities in connection with DANA;
6. Detect, investigate and prevent fraudulent and other illegal activities and protect the rights and property of ATinc and others;
7. Personalize and improve DANA;
8. Link or combine with information we get from others to help understand your needs and provide you with a better experience; and
9. Carry out any other purpose for which the information was collected.

Sharing of Information (with Third-Parties):

We may share information about you as follows or as otherwise described in this Privacy Policy:

1. With vendors, consultants and other service providers who need access to such information to carry out work or perform services on our behalf;
2. In response to a request for information if we believe disclosure is in accordance with, or required by, any applicable law, rule, regulation or legal process;
3. If we believe your actions are inconsistent with our license provisions or other policies, or to protect the rights, property or safety of ATinc or others;
4. In connection with, or during negotiations of, any merger, acquisition, sale of assets or any business, other change of control transaction or financing; the recipient of your information may subsequently use your information under the terms of their own privacy policies, which may differ from this Privacy Policy;
5. Between and among ATinc and any current or future parent, associate, subsidiary and/or affiliated company; and
6. With your consent or at your direction.

You may further elect as part of your use of DANA to authorize us to share your name, address, and other health and wellness related information about you with one or more third parties designated by you. You acknowledge and agree that we may use your information in a de-identified manner to create aggregated, de-identified data sets, including to evaluate and implement future products or services and to share such de-identified data sets with third parties in accordance with applicable law, including without limitation, HIPAA and HITECH regulations.

International transfers of your personal data (European Union)

In this section we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).

We are based in the United States. The information we collect is governed by U.S. law, and, for our E.U. data subjects, by the E.U.-U.S. Privacy Shield framework (discussed in the “Privacy Shield” section below). By accessing or using our sites and software or otherwise providing information to us, you consent to the processing and transfer of information in and to the U.S. and other countries.

Privacy Shield

ATinc and its partner entities, subsidiaries, associate and / or affiliated companies comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and / or Switzerland to the United States. ATinc has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

The Federal Trade Commission has jurisdiction over ATinc’s compliance with the Privacy Shield.

In compliance with the Privacy Shield “Principles”, this Privacy Policy sets out:

• The types of personal information we collect (“Information You Provide to Us”)
• The purposes for which we collect and use personal information (“Use of Information”)
• The types of third parties to which we disclose personal information, and the purposes for which we do so (“Sharing of Personal Information”)
• Our liability for onward transfers to third parties (“Sharing of Personal Information”)
• The choices and means we offer individuals for limiting the use and disclosure of their personal information (“Promotional Communications”) and
• The right of individuals to access their personal information (“Access to Personal Information”)

ATinc is responsible for the processing of personal information it receives under the Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf, if any. ATinc complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.

EU data subjects may contact us for the handling of complaints, access requests, and any other issues arising under Privacy Shield as specified in the “Resolution” section below. If you have a complaint regarding our compliance with the Principles, first contact us to informally resolve your complaint.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact JAMS, our U.S.-based third party dispute resolution provider: https://www.jamsadr.com.

If you live in the EEA, you may also file a complaint with your local data protection regulator.

As further explained in the Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means; for additional information please go to: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

If you have a Privacy Shield-related complaint, please contact us at info@danabrainvital.com.

General Data Protection Regulation (GDPR)

The GDPR is a new, Europe-wide law that replaces the Data Protection Act of 1998 in the UK. It places greater obligations on organizations regarding how they handle personal data. It went into effect on May 25, 2018. The GDPR requires that companies processing the personal data of European users do so on the basis of specific legal grounds. As described below, we process the information of European users based on one or more of the grounds specified under the GDPR.

Your Rights

Below are the rights you may have under data protection law. You should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights. Please note that for each of the rights below we may have valid legal reasons to deny your request. In such instances, we will inform you of the reason for the denial.

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.

If you would like to exercise any of the above rights, please e-mail, call, or write to us (see “How to Contact Us” below).

For more information on the General Data Protection Regulation (GDPR), you can find more resources at https://gdpr-info.eu and http://gdprandyou.ie.

Data Security and Privacy

ATinc takes reasonable and industry appropriate measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction. Please understand, however, that no security system is impenetrable. Like other companies, we cannot guarantee 100% the security or confidentiality of the information provided to us. Consequently, while we endeavor to safeguard PII and PHI against unauthorized access and disclosure, we do not warrant or guarantee the absolute security of any personal information transmitted to, from, or through DANA.

ATinc has established comprehensive data security and privacy policies to protect PHI and PII from loss, misuse, unauthorized access, disclosure, alteration, and destruction. These include the implementation of appropriate administrative, physical, and technical safeguards to secure PHI and PII received, prevent misuse, and mitigate any potential harm to individuals in the event of a breach.

Our employees are trained on the requirements of HIPAA and their access to PII and PHI (including electronically provided PHI [“e-PHI”]) is minimized based on the requirements of their job function. DANA requires user authentication prior to allowing access to e-PHI and encryption is used to prevent unauthorized access to e-PHI. DANA implements other industry-standard security measures to protect e-PHI including, but not limited to, periodic audits of security controls.

The DANA application and Web Portal are HIPAA-compliant and use the security measures mentioned below. We maintain strict security standards for both hardware and software and have implemented policies and procedures to comply with federal, state and local laws and regulations regarding the use and disclosure of such PHI and PII, to protect confidentiality and integrity of PHI and PII we collect or create, and to prevent inappropriate access to or disclosure of such information. In addition to these security features, access to information is also restricted based on the minimum information necessary and user permission level.

DANA Application

Data are encrypted locally on the mobile device used and are decrypted via the application’s data export feature. The application is password-protected, requires a unique login to access, and includes an automatic logoff feature that activates when (a) an assessment is completed, (b) the user switches to another application, (c) the user exits the application to go to the Home screen or (d) the mobile device is turned off or its screen put to sleep.

DANA Cloud Database and Web Portal

All DANA data are securely encrypted and stored in a relational database on a dedicated server within a virtual private cloud (VPC). Primary access to the cloud database is provided via authentication on the DANA Web Portal (requiring the use of unique login credentials), which is also hosted on a HIPAA-compliant dedicated server. The Web Portal automatically logs out a user if they have been inactive on the site for ten minutes or longer. The DANA VPC provides advanced security features such as security groups and network access control lists to enable inbound and outbound filtering at the instance level and subnet level. The dedicated servers provide an additional layer of security by ensuring data are physically isolated at the host hardware level. Transport layer security (TLS) safeguards have been implemented for any data transfers among the DANA cloud database, DANA Web Portal, and DANA mobile applications.

In the event of a breach of the confidentiality or security of your personally identifiable information, we will notify you as required by law, if reasonably possible and as reasonably necessary, so that you can take appropriate protective steps. We may notify you under such circumstances using the e-mail address(es) we have on record for you or through alternative means. You should also take care with how you handle and disclose your personally identifiable information. Please refer to the Federal Trade Commission’s Website at http://www.consumer.ftc.gov for information about how to protect yourself against identity theft. Please note that once you leave the Sites, whether independently or via links from the Sites, the privacy policies of the site to which you migrate will apply. This Privacy Policy applies to your interactions with our Sites only.

Your Choices

Location Information

With your consent, we may collect information about your actual location when you use the DANA mobile applications. You may stop the collection of this information at any time by changing the settings on your mobile device, but note that some features of our mobile applications may no longer function if you do so.

Access to Other Applications on the Mobile Device

Some features of our mobile applications may require access to certain native applications on your mobile device. If you decide to use these features, we will ask you for your consent prior to accessing the applications and collecting information. Note that you can revoke your consent at any time by changing the settings on your mobile device.

Children

We do not knowingly collect any personal information from children under the age of 13. DANA is not for use by children. We request that children under the age of 13 not download / install DANA or submit any personal information through DANA. If we are advised in writing that we have inadvertently received or collected personal information from a child under 13 years of age, we will remove such information from our database.

Opt-Out

In addition to the other rights described in this Privacy Policy, you have the right to request certain details about how your information is shared with third parties for direct marketing purposes. You have the right to submit a request to ATinc and receive the following information within 30 days of its receipt of that request:
1. the types of personal information disclosed to third parties during the immediately preceding calendar year,
2. the names and addresses of third parties that received the personal information, and
3. if the nature of a third party’s business cannot be reasonably determined from the third party’s name, examples of its products or services.

You are entitled to receive a copy of this information in a standardized format. Information provided will not be specific to you individually. All such requests must be in writing and e-mailed to us at info@danabrainvital.com. You may also request this information once per calendar year by writing to us at

DANA Brain Vital
8737 Colesville Rd
Suite L-203
Silver Spring, MD 20910

Recourse, Enforcement, and Liability

In compliance with the Privacy Shield Principles, ATinc commits to resolve complaints about our collection or use of your personal information. European Union and/or Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact ATinc at:

AnthroTronix, Inc.
8737 Colesville Road
Suite L-203
Silver Spring, MD 20910

ATinc commits to cooperate with (the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner, as applicable) and comply with the advice given by (the panel and/or Commissioner, as applicable) with regard to [human resources] data transferred from (the EU and/or Switzerland, as applicable) [in the context of the employment relationship].

How to Contact Us

If you have any questions about this Privacy Policy, please contact us at:
AnthroTronix, Inc.
Attn: Security and Privacy Officer
8737 Colesville Road
Suite L-203
Silver Spring, MD 20910
USA

Email: info@danabrainvital.com

Effective Date: June 11, 2018