Last Updated November 2024
Welcome to Mirror! Mirror offers a mental health journaling tool designed to make daily journaling practice easy, meaningful, and aligned to clinical best practice. This Privacy Policy applies to the Mirror website (the “Site”) and the Mirror Application (the “Mirror App”).
The privacy and security of your information are very important to us, and this Privacy Policy describes how Mindful Digital Therapeutics LLC (“MDT,” “we”, “our,” or “us”) collects, uses, protects and discloses information collected about individuals (referred to in this policy as “you” or the “user”) who (i) visit and engage with the Mirror website located at MirrorJournal.com (the “Site”) or engage with us through our Mirror App and (ii) use the Mirror App. This Privacy Policy should be read in conjunction with our Terms of Use, available at MirrorJournal.com/terms (the “Terms”).
This Privacy Policy only applies to information collected through the Site or Mirror App, and is not intended to fully describe MDT’s privacy practices nor the privacy practices of any third party, even if websites of such party are linked to or accessible from the Site or Mirror App. By visiting or providing information through the Site or Mirror App, you agree to the privacy practices described in this Privacy Policy, unless such agreement is separately required by applicable law. Please read this Privacy Policy in its entirety. If you do not agree with the terms of this Privacy Policy, please do not use the Site or the Mirror App.
Age Requirement: To use the Site or App you must be at least thirteen (13) years of age, but if you are under 18 years of age, you must access and use the Site or the App with the consent of your parent or legal guardian. If you are under thirteen (13) years of age, you may not use the Site or App at any time or submit any information to MDT through the Site or the App.
Consistent with the Children’s Online Privacy Protection Act of 1998 (“COPPA”), MDT does not knowingly collect, use or disclose Personal Information from anyone under the age of thirteen (13) via the Site or, in connection with the Mirror App.
A Note to California Residents. If you are a resident of the state of California, please see below the section titled “California Specific Information” for additional information regarding our collection and processing of your Personal Information.
A Note to visitors from outside the United States. If you are based outside of the United States, including in European Economic Area (the “EEA”) or the United Kingdom (the “UK”), please see below the section titled “Visitors from Outside the United States” for additional information regarding our collection and processing of your Personal Information.
What Categories of Personal Information Do We Collect?
We collect, process and maintain several types of information, some of which may constitute Personal Information, from and about users of the Site and Mirror App. “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular person, but does not include any information that is publicly available or that is aggregated or de-identified. Where any data processing activity carried out in the context of this Privacy Policy is subject to the data protection and privacy laws of the EEA or the UK, “Personal Information” will mean any information relating to an identified or identifiable natural person (‘data subject’).
The type of Personal Information we collect depends on how you choose to interact with our Site or the Mirror App. For instance, if you choose to sign up for an account as a user on the Mirror App, we will need different information than if you simply visit our Site for informational or educational purposes. As a general matter, we may collect the following categories of Personal Information about you in connection with your use of our Site or Mirror App, only when you voluntarily choose to provide them to us including:
Identifiers, such as your name, physical and/or mailing address, email address and mobile or other telephone number, username and password (when you sign up for an account on the Mirror App) or other similar identifiers;
Professional or employment-related information, (such as your name, business address, business email address or business mobile or telephone number when you interact with us); and
Any other Personal Information provided by you, including in connection with your access to and use of the Mirror App.
Additionally, we may automatically collect certain information about you through online technologies when you visit our Site or the Mirror App that may also constitute Personal Information; such information may include:
IP address or other device address or ID;
The type of browser, operating system or equipment used to access the Site or the Mirror App;
Usage details, such as the date and time you visited the Site or the Mirror App, the Internet address of the site from which you linked to the Site or the Mirror App, the links you follow from the Site or the Mirror App , and the reading history and other analytics related to how you use and view the content we have provided via the Site or the Mirror App; and
General activity information as part of our and our Service Providers’ (as defined below) fraud-prevention programs.
From What Sources Do We Collect Personal Information?
A, Information you provide:
We collect the Personal Information you voluntarily choose to provide through the Site or the Mirror App, such as when you fill out forms or fields, register for an account in connection with the Mirror App, participate in online surveys, use the Mirror App, contact us or request information about us, the Site, the Mirror App or our services (whether by email or other means).
Information we automatically collect:
When you visit the Site, or use a third-party website that interacts with our Site, we may automatically receive and record certain information from your computer, web browser or mobile device that may constitute Personal Information (as further described above).
For example, when you use the Site, we may send one or more cookies (which are small text files containing a string of alphanumeric characters that are placed either on your computer’s hard drive or in your computer’s random-access memory) to your computer or mobile device to make the Site easier to navigate, recognize your browser and store visitor preferences, record past activity to provide better service, help analyze our web page flow and/or promote trust and safety.
Please note that if your browser permits, you may configure your browser to refuse or delete cookies, or to alert you when cookies are being sent. Please consult the corresponding instructions of the manufacturer for more detailed information on the actual procedure. If you choose to turn off cookies, however, some parts of the Site may not work properly. Even if you block or delete cookies, not all of the tracking that we have described in this Privacy Policy will stop.
We may also use Google Analytics or a similar service that uses cookies to help us analyze how users use the Site. That use may be subject to the Google Analytics Terms of Use and Google Privacy Policy. Please click here for more information about how Google uses information from sites or apps that use their services.
Do Not Track Disclosure. Third parties such as advertising networks, analytics providers and widget providers may collect information, including Personal Information, about your online activities over time and across different websites when you access or use our services. Currently, “Do Not Track” signals are a privacy preference that users can set in certain web browsers. When a user turns on the “Do Not Track” preference signal, the browser sends signals to websites requesting them not to track the user. The Site does not recognize or respond to “Do Not Track” signals.
Other information we may collect:
Information Collected via Third-Party Sources.
We may collect information about you (i) when you interact with our pages or accounts on social media platforms (e.g., click on our social media links and/or provide information to us via those accounts), (ii) through other sources, including your organization or company, and others who think you might be interested in our work, or (iii) through Service Providers (as defined below) acting on our behalf.
How Do We Use the Personal Information We Collect?
We may use the Personal Information we collect for the following purposes:
To provide you with information you request from us or to fulfill any other purposes for which you provide such information (including to request parental consent where required under applicable law).
To provide, maintain and administer your Mirror App account.
To contact you for administrative purposes such as account recovery or to notify you of changes to the Site or the Mirror App, our policies or our services.
To add you to our email list for promotional materials about our services. For more information on your choices, see Section 7.
To: (a) personalize our services, such as remembering your information so that you will not have to re-enter it during your visit or the next time you visit the Site or the Mirror App; (b) provide customized content and information; and/or (c) improve our services.
For any other purpose for which we have your express consent.
For any other purpose we may describe to you when you provide such information.
Additionally, we may use non-identifying information (including aggregated data) about your access to or use of the Site or the Mirror App to understand and analyze the usage metrics and trends and preferences of our users, to monitor, analyze the effectiveness of or otherwise improve the Site or the Mirror App, and to improve fraud detection and information security, without restriction.
To Whom and For What Purpose Do We Disclose Your Personal Information?
We may disclose Personal Information that we collect or you provide as described in this Privacy Policy (whether directly or automatically) to the following categories of third parties for the enumerated processing activities:
To our third-party service providers, including, but not limited to, fraud screening providers, analytics providers, hosting providers, (the foregoing “Service Providers”), to provide application and website development, hosting, data storage, maintenance, accounting, legal, advisory and other services for us.
To third parties as permitted or required to do so by applicable law or regulation or in the good-faith belief that such action is necessary to take precautions against liability; to comply with various reporting obligations; to protect ourselves and our other users from fraudulent, abusive, or unlawful uses or activity; to protect the security or integrity of the Site or Mirror App; to investigate and defend ourselves against any third-party claims or allegations; to assist government enforcement agencies; to comply with state and federal laws; or in response to a court order, judicial or other government subpoena or warrant.
To a buyer, investor or other successor in the event of a business transaction such as a divestiture, merger, consolidation, investment or asset sale, whether as a going concern or in the unlikely event of a bankruptcy or similar proceeding.
To any other third party in any way we may describe to you when you provide such information, to fulfill any other purposes for which you provide such information or for any other purpose with your consent or at your direction.
Additionally, we may disclose aggregated information about our users, and information that cannot independently be used to identify any individual, without restriction.
Artificial Intelligence
The Mirror App uses artificial intelligence (AI) in two limited ways. The Mirror App uses a large language model, which is hosted on our local servers, to summarize one journal entry at a time and provide condensed summaries of each journal entry. Also, voice journal entries are transcribed into text using AI.
Research
Under certain circumstances we may use personal information you provide through the Mirror App for research purposes, but only if you have separately consented to participate in such research. In these circumstances, the terms of the consent will govern the use of your personal information for research purposes.
Your Choices
You may, of course, decline to share certain information with us, in which case we may not be able to provide to you some of the features and functionality of the Site or the Mirror App or certain of our services.
Once you have registered for an account, you or, where applicable, your parent, may update your preferred pronouns or delete your account at any time by accessing your account preferences page through the Mirror App or the Site, as applicable. Any other updates or changes to your profile may be made by emailing support@mindfultherapeutics.org.
If you do not wish to receive email offers or newsletters from us, you can opt out of receiving email information from us (except for emails related to the completion of your Mirror account registration, change of password or other communications essential to the administration of the Mirror App) by using the unsubscribe process at the bottom of the email, or by contacting us directly using the methods set forth in the section titled “Contact Us” below. Should you opt out, we will promptly honor your request, though we may retain certain information you submit (including in backups or archives) for a variety of purposes, including analytics, the prevention of fraud or abuse and compliance with our legal or regulatory obligations.
Our Commitment to Data Security
We follow generally accepted industry standards to protect the Personal Information submitted to us to protect against the loss, misuse or alteration of such information; however, no method of transmission over the Internet or of electronic storage is 100 percent secure. Therefore, while we strive to use commercially acceptable means to protect your Personal Information, we cannot ensure or warrant the security of any information you transmit to us through the Site or the Mirror Application, and you do so at your own risk.
We are not responsible for circumvention of any privacy settings or security measures contained on the Site or the Mirror Application. Even after removal, copies of information that you have posted may remain viewable in cached and archived pages or if other users have copied or stored such information.
Visitors from Outside the United States
The Site and Mirror App are controlled and operated by MDT in the United States. If you are located outside the United States, and choose to access the Site or the Mirror App, you should be aware that the laws of the United States may be deemed to have inadequate data protection by your country; you acknowledge that you will be transferring your information, including Personal Information, outside of those regions to the United States for storage and processing, as necessary to provide to you the services available through the Site or Mirror App. Where required, we take all appropriate actions to comply with applicable legal frameworks relating to the collection, storage, use, and transfer of Personal Information.
If you are in the EEA or the UK, such actions we take to comply with cross-border data transfer rules under the applicable data protection laws, such as the General Data Protection Regulation (the “GDPR”), include entering into the Standard Contractual Clauses (“SCCs”) issued by the European Commission or the International Data Transfer Agreement or Addendum (“IDTA”) issued by the UK with the relevant counterparties, as appropriate. Where we transfer your data outside of the EEA or the UK based on the SCCs or IDTA, you may request a copy of such SCCs or IDTA or request further information in that respect. Where relevant and permissible under the applicable data protection law, we may also rely on one of the derogations under Article 49 of the GDPR to transfer your personal data (such as transfer of data that is necessary for the performance of our contract with you).
If you are in the EEA or the UK, the General Data Protection Regulation outlines your rights, which are as follows:
Access and portability: You may access a copy of your Personal Information that we process about you and have that data provided to you or transferred to another provider.
Correct: To request that MDT update or correct your Personal Information.
Delete: In certain circumstances, you may request that we delete your Personal Information from our systems by contacting us.
Restrict: You may request that we restrict processing of your Personal Information in certain circumstances (for example, where you believe that the Personal Information we hold about you is not accurate or lawfully held).
Object: You may object to MDT’s processing of your Personal Information in certain circumstances.
Withdraw: If we rely on your consent to process your Personal Information, you have the right to withdraw that consent at any time.
Complain: If you have a concern about our privacy practices, including how we handle your Personal Information, you may report it to the relevant data protection authority (for example the authority in the EEA member state where you reside) or, if you are in the UK, to the Information Commissioner’s Office.
Please note that some of these rights are not absolute and exemptions may apply in certain circumstances.
To exercise your rights or if you have any other questions about our use of your Personal Information, please contact us using the methods set forth in Section 11 below. Please note that we may request you to provide us with additional information in order to confirm your identity and ensure that you are entitled to exercise your rights.
Furthermore, if you are in the EEA or UK, depending on the specific Personal Information concerned and the factual context, when we process Personal Information, we rely on the following legal bases as applicable:
As necessary for our contract: When we enter into a contract (including our Terms) with you, we process your Personal Information on the basis of that contract in order to prepare and enter into the contract, as well as to perform and manage the contract (i.e., providing the Site or Mirror App to you, communicating with you in the context of such contract, complying with contractual obligations, and related administration). Where we are relying on this legal basis, we may not be able to provide these activities if we do not process your Personal Information.
Consistent with consent: Where required by law, we also rely on your prior consent to conduct online marketing, including email marketing. You have the right to withdraw your consent at any time by contacting us using the methods set forth in Section 11 below.
As necessary to comply with our legal obligations: We process your Personal Information to comply with the legal obligations to which we are subject. This may include detecting, investigating, preventing, and stopping fraudulent, harmful, unauthorized, or illegal activity and includes compliance with applicable laws.
As necessary for our (or others’) legitimate interests: We process your Personal Information based on such legitimate interests to (i) develop, test, and improve our Site and Mirror App; (ii) ensure authentication, integrity, security, and safety of us and other persons, including detect, investigate, and prevent activities that may violate our policies or be fraudulent or illegal; and (iii) comply with non-EEA and non-UK laws, regulations, codes of practice, guidelines, or rules applicable to us and respond to requests from, and other communications with, competent non-EU and non-UK public, governmental, judicial, or other regulatory authorities, as well as meet our corporate and social responsibility commitments, protect our rights and property and the ones of our users and partners, resolve disputes, and enforce agreements.
Changes and Updates to this Privacy Policy.
We reserve the right to make changes to this Privacy Policy at any time. If we make any material change to this Privacy Policy, we will post the updated Privacy Policy and indicate at the top of the Privacy Policy when it was last updated. Please revisit this page periodically to stay aware of any changes to this Privacy Policy. If you disagree with our Privacy Policy modifications, you may choose not to use or access our Site or the Mirror App.
Our Contact Information
Please contact us with any questions or comments about this Privacy Policy by e-mail at mirror-privacy@mindfultherapeutics.org or by phone at (888) 829-4260.
You can also contact us by mail via the following address: Attn: Mirror Privacy; Mindful Digital Therapeutics, 215 E. 50th Street, New York, NY 10022.
California-Specific Information
The following disclosures apply solely with respect to individuals who qualify as residents of the state of California pursuant to the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the “CCPA”). If you are a California resident, please note that other sections of this Privacy Policy also apply to our processing of your Personal Information, and therefore we encourage you to read our Privacy Policy above in its entirety in order to better understand our privacy practices with respect to your Personal Information.
What Categories of Personal Information Do We Collect and For What Purposes is this Information Collected?
As explained in our Privacy Policy in the sections titled “What Categories of Personal Information Do We Collect?” and “For What Purposes Do We Use and Process Personal Information?”, we collect or process, and have in the past twelve (12) months collected and processed, the following categories of Personal Information for the purposes described below:
Identifiers (e.g., your name, IP address, physical and/or mailing address, email address, mobile or other telephone number, username and password (when you sign up for an account on the Mirror App or other similar identifiers)
Purpose of Collection:
To provide you with information you request from us or to fulfill any other purposes for which you provide such information.
To provide, maintain and administer your Mirror App account.
To contact you for administrative purposes such as account recovery or to notify you of changes to the Site or the Mirror App, our policies or our services.
To add you to our email list for promotional materials about our services. For more information on your choices, see Section 7.
To: (a) personalize our services, such as remembering your information so that you will not have to re-enter it during your visit or the next time you visit the Site or the Mirror App; (b) provide customized content and information; and/or (c) improve our services.
For any other purpose for which we have your express consent.
For any other purpose we may describe to you when you provide such information.
Professional or employment-related information, (such as your name, business address, business email address or business mobile or telephone number);
Purpose of Collection:
To provide you with information you request from us or to fulfill any other purposes for which you provide such information.
To provide, maintain and administer your Mirror App account.
To contact you for administrative purposes such as account recovery or to notify you of changes to the Site or the Mirror App, our policies or our services.
For any other purpose for which we have your express consent.
For any other purpose we may describe to you when you provide such information.
Internet or other electronic network activity information (e.g., device address or ID; type of browser, operating system or equipment used to access the Site or the Mirror App; usage details, such as the date and time you visited the Site or the Mirror App, the Internet address of the site from which you linked to the Site or the Mirror App, the links you follow from the Site or the Mirror App; reading history and other analytics related to how you use and view the content we have provided via the Site or the Mirror App)
Purpose of Collection:
To provide, maintain and administer your Mirror App account
To: (a) personalize our services, such as remembering your information so that you will not have to re-enter it during your visit or the next time you visit the Site or the Mirror App; (b) provide customized content and information; and/or (c) improve our services.
For any other purpose for which we have your express consent.
For any other purpose we may describe to you when you provide such information.
As noted above, we also process Personal Information that has been aggregated and/or de-identified as those terms are defined by the CCPA. Where we process de-identified information, we take reasonable measures to ensure such information cannot be associated with a particular consumer or household, commit to maintain and use such information in anonymized form and not attempt to re-identify such information and contractually mandate third parties to whom we disclose such information to adhere to the same obligations.
We do not collect Sensitive Personal Information as that term is defined under the CCPA through the Site.
To Whom and For What Purposes Do We Disclose Your Personal Information?
As explained in our Privacy Policy in the section titled “To Whom and For What Purposes Do We Disclose Your Personal Information?”, we collect or process, and have in the past twelve (12) months collected and processed, the following categories of Personal Information for the business or commercial purposes described below:
To our third-party Service Providers, including fraud screening providers, analytics providers, hosting providers and other third-party service providers, to provide application and website development, hosting, data storage, maintenance, accounting, legal, advisory and other services for us.
Categories of Personal Information Disclosed: Identifiers; Professional or employment-related information; Internet or other electronic network activity information
To third parties as permitted or required to do so by applicable law or regulation or in the good-faith belief that such action is necessary to take precautions against liability; to comply with various reporting obligations. to protect ourselves and our other users from fraudulent, abusive, or unlawful uses or activity; to protect the security or integrity of the Site or Mirror App; to investigate and defend ourselves against any third-party claims or allegations, to assist government enforcement agencies; to comply with state and federal laws or in response to a court order, judicial or other government subpoena or warrant.
Categories of Personal Information Disclosed: Identifiers; Professional or employment-related information; Internet or other electronic network activity information
To a buyer, investor or other successor in the event of a business transaction such as a divestiture, merger, consolidation, investment or asset sale, whether as a going concern or in the unlikely event of a bankruptcy or similar proceeding.
Categories of Personal Information Disclosed: Identifiers; Professional or employment-related information; Internet or other electronic network activity information; Any other Personal Information you provide
To any other third party in any way we may describe to you when you provide such information, to fulfill any other purposes for which you provide such information or for any other purpose with your consent or at your direction.
Categories of Personal Information Disclosed: Identifiers; Professional or employment-related information; Internet or other electronic network activity information; Any other Personal Information you provide
Additionally, we may disclose aggregated information about our users, and information that cannot independently be used to identify any individual, without restriction.
We do not “sell” or “share” (as such terms are defined in the CCPA) Personal Information for monetary or other valuable consideration. To the extent we have any Personal Information related to individuals under the age of eighteen (18), we have no actual knowledge that we “sell” or “share” (as such terms are defined in the CCPA) such individuals’ Personal Information.
Your California Privacy Rights
The CCPA provides California residents with the following privacy rights in connection with the collection and/or processing of their Personal Information:
Right to Know: Know what Personal Information we collect about you, including the categories of Personal Information collected, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling or sharing Personal Information, the categories of third parties to whom we disclose Personal Information and the specific pieces of Personal Information we have collected about you;
Right to Request Deletion: Request deletion of your Personal Information that we have collected or maintained, subject to certain exceptions;
Right to Correct: Request that we correct inaccurate Personal Information that we maintain about you;
Right to be Free from Discrimination and Retaliation: Not receive discriminatory treatment by us for the exercise of your privacy rights conferred by applicable the CCPA, including your right not to be retaliated against for the exercise of these rights; and
Right to Opt-out. As noted above, we do not “sell” or “share” Personal Information for monetary or other valuable consideration and therefore do not offer a right to opt-out of this processing.
We do not use or disclose Sensitive Personal Information for the purposes of inferring characteristics about you nor do we use such information for any other purpose other than as noted above or as expressly permitted by the CCPA, and therefore do not offer rights to limit our use or disclosure of such information.
Exercising Your California Privacy Rights
Method to Submit Your Requests. If you wish to exercise any of the rights listed above or if you consider that we have processed your Personal Information in violation of applicable law, by e-mail at mirror-privacy@mindfultherapeutics.org or by phone at (888) 829-4260. You can also submit requests via Request Data page.
Authorized Agents. The CCPA provides you with the right to appoint an authorized agent to make requests on your behalf; you may designate an agent to submit a request on your behalf using the methods described above. If you designate an authorized agent, (a) we may require you to provide your authorized agent with written permission to do so, and (b) for access, correction and deletion requests, we may require you to verify your own identity with us directly.
As disclosed above, we do not “sell” or “share” Personal Information, and therefore we do not currently recognize or respond to opt-out preference signals such as the Global Privacy Control.
Verification Procedures. To respond to your requests, we may ask you for at least two pieces of Personal Information and, for requests for specific pieces of Personal Information, we may ask you for at least three pieces of Personal Information, that we will match with data points we already have, in order to verify your identity to the degree of certainly required by applicable law. The information we require may vary depending on your relationship to us, and may include your full legal name, residential address, email, phone, as well information we may have on file about you or other information that may be necessary to verify your identity. If we are unable to verify your identity to the degree of certainty required by applicable law through any reasonable method, we will state in a written response to you that we are unable to verify it, along with a reason as to why there is no reasonable method by which we can verify your identity.
California’s Shine the Light Law
In addition, under California’s Shine the Light Law (California Civil Code Section 1798.83), if you are a California resident and your business relationship with us is primarily for personal, family or household purposes, you may request certain data regarding our disclosure, if any, of Personal Information to third parties for the third parties’ direct marketing purposes. We do not share Personal Information with third parties for such third parties’ direct marketing purposes.
