Privacy Policy for the Enhearten
Last Updated 4/1/20

Welcome to Enhearten®, a service of Rissana, LLC (“Rissana”). Rissana is the St. Louis-based company that created and supports Enhearten® (“Enhearten”) to support patients, providers (“Providers” or “your Provider”), and clinics in the recovery treatment process.

We want to be clear about how your information is protected. This Privacy Policy discloses our privacy practices and procedures in connection with Enhearten, the Enhearten App, and the Enhearten Platform. In other words, this Privacy Policy describes what Rissana shares and does not share, and with whom.

Your access and use of the Services, including all services available therein, is subject to this Privacy Policy and to our separate End User Agreement. Capitalized terms used but not defined in this Privacy Policy are defined in the End User Agreement. If you use Enhearten, you are consenting to this Privacy Policy, as well as our End User Agreement.

This policy may change from time to time. The most recent version of this Privacy Policy can be found at www.enhearten.io/privacy-policy or on the Enhearten App under the Settings tab.

This Privacy Policy will describe the following:
• What data Rissana and Enhearten collect about Patients and Providers and how it is collected
• Who has access to this data
• Who else might get access to the data
• Optional notifications outside of the App
• Where your data is stored
• How we protect and secure your data
• How long data is stored
• Our policy regarding children
• Your consent
• How you can contact us

What Data Rissana and Enhearten Collect About Patients and Providers and How it is Collected
We collect and store data provided to us by Patients and Providers through Patient interactions with the Enhearten App and Provider’s interactions with the Enhearten Platform. The data we collect and store includes personally identifiable information (PII), which is data that can be used to identify Patients and Providers individually.

Patient information stored by Rissana may include:
• Basic personal information, such as your name, username, email and physical address, telephone number, IP address, gender, and birthdate.
• Media, such as photographs or videos.
• Demographic information, such as income range, race and employment statistics.
• Treatment information, such as medical information, recovery goals, and recovery tasks. Treatment information is end-to-end encrypted, so that only the patient and their provider(s) can read it.
• Messages sent or received using the Enhearten App and Platform (whether individual messages or group messages) including texts, emails or chats, answers to survey questions completed by You or Your Provider, and the names and identities of personal contacts. Messages are end-to-end encrypted, so that only the patient and their provider(s) can read them.
• “Stories” and other social accounts authored or responded to by you.

Provider information stored by Rissana includes:
• Basic Provider information, such as your name, username, email and physical address, telephone number, IP address, corporate entities, and number and identity of Patients.
• Media, such as photographs or videos.
• Patient demographic information, such as income range, race and employment statistics.
• Patient treatment information, such as medical information, recovery goals, and recovery tasks. Treatment information is end-to-end encrypted, so that only the patient and their provider(s) can read it.
• Messages sent or received using the Enhearten App and Platform (whether individual messages or group messages) including texts, emails or chats, answers to survey questions completed by You or Your Patients, and the names and identities of personal contacts. Messages are end-to-end encrypted, so that only the patient and their provider(s) can read them.
• “Stories” and other social accounts authored or responded to by you or your Patients.

The Enhearten App and Platform also collect certain information automatically from the device you use to access Enhearten. This information may include the type of mobile device you use, your mobile device's unique device ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browsers you use, and information about the way you use Enhearten.

We may also use 'cookies'. A cookie is a piece of alphanumeric data stored on your hard drive or device to help us improve your access to Enhearten and identify repeat visitors to Enhearten. Cookies allow us to customize and enhance the user experience.

While we save and store data, including PII, for use by a Patient’s Provider for purposes of supporting the individual Patient’s treatment, we also use the data we collect for research purposes, to learn about addiction treatment outcomes and further developments in this area, and for other Providers to improve and benchmark their treatments and outcomes. When this is done, data that could be used to identify Patients are stripped away. This includes the Patient’s name, birthdate, contacts, and other similar identifying data. Patient data, stripped of the identifying data, is called “Research Data” and will be added to large numbers of population data from other clients and Providers, and researchers or others using or reviewing this population data will not know what data is yours, or even whether you submitted data. Even understanding that your data will be stripped of its personal identifying information, if you would like to opt-out of having your Research Data shared with anyone other than Rissana (and your Provider or Patients, if applicable), you may do so by changing the settings on your 'Settings' page or by emailing us at privacy@enhearten.io.

Who has access to this data
Rissana, which operates and supports Enhearten, has access to all of the data above.
A Patient’s Provider has access to certain data for the purposes of your treatment, including but not limited to usage data, responses to surveys and treatment adherence data.
A Patient’s Provider, other Providers, Rissana, and Researchers authorized by Rissana can perform analytics and benchmarking on Research Data.
A Provider’s Patients have access to certain data for purposes of their treatment, including but not limited to contact information, methods to contact, location and status notifications or other messages from their Provider.
Finally, any content, including photographs, you share in the “Stories” feed can also be accessed by other Rissana users. Accordingly, please take care what is shared on the Stories feed.

Who else might get access to the data
Rissana may disclose your data to other organizations when (1) required to by law, such as to comply with a subpoena, or similar legal process; or (2) when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

Also, Rissana may use trusted third-parties to help us deliver the Enhearten Platform and related services who, in this capacity, may have access to your data.

We do not sell your personal data.

Optional notifications outside of the App
The Enhearten App has the capability to push notifications to the home screen of your mobile device. This feature is optional. If enabled, a push notification is a message that pops up on a mobile device and can be sent at any time, even when you are not using the app. Although the notifications are short and will not include specific medical information, they do identify that you are using the Enhearten App and, depending on the settings of your mobile device, may appear on your home lock screen where others can see.

Where your data is stored
Rissana stores your data on secure servers using Google Cloud. You can learn more about Google Cloud and how it helps us protect your information here: https://cloud.google.com/security/compliance/hipaa/

How we protect and secure your data
We are committed to safeguarding the confidentiality of your data. We use commercially reasonable physical, electronic, and procedural safeguards to protect your PII against loss or unauthorized access, use, modification, or deletion. However, no security program is foolproof, and thus we cannot guarantee the absolute security of your PII or any other information you provide to us.

If you have any questions related to how we protect and secure your data, you can reach us by email at: privacy@enhearten.io.

How long data is stored
Your PII may be stored by Rissana until the later of: (1) a Patient stops using Enhearten or subsequent Rissana products or services; or (2) a Provider stops using Enhearten or subsequent Rissana products or services. Even after both of those occurrences, your Research Data will continue to be used by Rissana unless you have opted out of providing such data. You may decide after you have stopped using Enhearten to opt-out, in which case you must send your opt-out request to Rissana in writing or by emailing your request to opt-out to privacy@enhearten.io.

Our policy regarding children
The Enhearten App and Enhearten Platform are not for children under the age of thirteen. If a parent or guardian becomes aware that his or her child has entered their own personal data into the Enhearten App or somehow been given an account by a Provider, please contact us at accounts@enhearten.io. If we become aware that a child under 13 has provided us with Personal Information, we take steps to remove that information and terminate the applicable account.

Changes to this Privacy Policy
Technology and the Internet are rapidly changing. Rissana, therefore, is likely to make changes to Enhearten in the future and as a consequence will need to revise this Privacy Policy to reflect those changes. Rissana will post all such changes to the Privacy Policy on www.enhearten.io/privacy-policy, so you should review the website periodically. If we make a material change to the Privacy Policy, you will be provided with appropriate notice, most likely via the Enhearten App. If we maintain your email address, we also may email you a copy of the revised Privacy Policy at your most recently provided email address. It is therefore important that you update your email address if it changes.

Your consent
As stated earlier, your use of Enhearten is an acknowledgement that you understand and consent to this Privacy Policy. Enhearten may modify this Privacy Policy at any time effective upon its posting. Your continued use of Enhearten constitutes your acceptance of this Privacy Policy and any updates. You must also accept our End User Agreement (EUA) before you can start using the App. Read it carefully, too.

How you can contact us
If you have any questions regarding the Privacy Policy, please contact us at privacy@enhearten.io.

California Privacy Rights
In addition to the other rights set forth in this Policy, California residents who provide Personally Identifiable Information (as defined in the California Online Privacy Protection Act 2003 (CalOPPA)) and Personal Information (as defined in the California Consumer Privacy Act of 2018 (CCPA)) (collectively, the “Information”) to obtain our Services for personal, family, or household use are entitled to: (i) request and obtain from us deletion of Information, unless such Information is necessary to compute a transaction for which the Information was collected, to provide our Services, to detect or protect against security incidents, or as otherwise required or allowed by law; and (ii) request and obtain from us, up to twice in any twelve (12)-month period, information about the Information we shared in the immediately prior twelve (12)-month period, if any, including, if applicable, specific categories and pieces of such information collected, sources from which such information was collected, the identity of those businesses with which we shared such information and the business purpose for collecting or selling such information.

To make these requests please contact us at privacy@enhearten.io, and we will respond within forty-five (45) days of such verifiable request. We will need to collect information from you to verify your identity in connection with such request.

Currently, we do not sell any personal information you provide us. If in the future, circumstances arise under which we may sell personal information, you will be provided with notice and a right to opt out of the sale of any personal information you provide us.

We will not discriminate against you if you exercise any of the rights referenced above or in connection with the CCPA.

Copyright 2020, Rissana, LLC, All Rights Reserved.