Privacy Policy (MHIRA / Digital Care Systems L.L.C)

2. Scope and roles (controller vs. processor)

Controller (our own activities). We act as data controller for personal data related to:

• our website and app accounts, authentication and access logs;
• billing and vendor management;
• support communications and operational security.

Processor (client data in MHIRA). For data that clients load into MHIRA (including health data), the Client is the data controller and DCS is the data processor. Processing is governed by the Service Agreement and Annex 2 – DPA. Clients remain responsible for lawful collection, notices / consent, and data-subject requests concerning their own datasets.

If you provide us personal data about other individuals, you must ensure you are authorised to do so and that the information is accurate.

3. What we collect as controller

We collect the minimum necessary information:

• Account & sign-in data: name, email, authentication identifiers (e.g. via Google / Firebase).
• Usage & technical logs: IP address, device and browser information, timestamps, pages / actions for security and reliability.
• Support & sales communications: message content, attachments, contact details.
• Billing data (if applicable): invoice details, payment confirmations (we don’t store card numbers; payments are processed by third-party providers).
• Cookies / identifiers: only what’s needed to run the service securely and, if enabled, optional analytics (see §9).

4. What we process as processor (client data in MHIRA)

When acting for clients, we may process health / assessment data, clinician notes, identifiers, scheduling metadata, and audit logs, strictly under the client’s instructions as described in the DPA.

• Reports are generated on demand; only raw assessment data is stored.
• Highly sensitive items (e.g. notes or AI-generated reports) are protected by envelope encryption (see §8).

5. Purposes and legal bases (controller)

We process personal data for:

• Providing and securing MHIRA (account creation, authentication, availability, incident prevention) — Art. 6 (1)(b) and (f) GDPR.
• Communicating with you (support, operational messages, contracts) — Art. 6 (1)(b) and (f).
• Billing and vendor management — Art. 6 (1)(b) and (c).
• Improving service and preventing abuse (diagnostics, logs, fraud prevention) — Art. 6 (1)(f).
• Consent-based features (e.g. newsletters or optional analytics) — Art. 6 (1)(a); you may withdraw consent at any time.

When acting as processor, our legal basis is that of the Client (controller); we follow their instructions (Art. 28 GDPR).

6. Sharing and recipients

We never sell personal data. We share only as necessary:

• Service providers / sub‑processors: hosting, authentication, email delivery, analytics/support tooling — all under written agreements with appropriate data‑protection terms.
• Professional advisers and authorities: where required by law or to protect rights.
• Clients (as controllers): they may receive exports of their own datasets.

We maintain a current list of sub‑processor categories and will provide details on request; changes are communicated as set out in the DPA.

7. International transfers

Where data leaves the EEA/UK/CH, we implement appropriate safeguards such as Standard Contractual Clauses and, where applicable, recognised transfer frameworks. Client data hosting is provisioned in EU regions where configured by the client.

8. Security

We implement technical and organisational measures appropriate to risk, including:

• Encryption in transit (HTTPS) and at rest with managed key services;
• Role‑based access control and least‑privilege principles;
• Regular backups with limited retention and secure deletion;
• Logging and monitoring; staff confidentiality and training;
• Vulnerability management and incident‑response processes.

No method is 100% secure, but we promptly address identified issues.

9. Cookies and similar technologies

We use essential cookies for secure login and session continuity. Optional analytics or performance cookies (if enabled) are used only with consent. You can manage cookies in your browser. IP addresses in analytics are truncated / anonymised and data-sharing features disabled.

For detailed information about the cookies we set, their purpose, and retention, see our Cookie Policy.

10. Retention

As controller, we retain:

• account, billing and support records as long as needed to provide the service and meet legal obligations;
• security logs for up to 12 months unless needed longer for investigations;
• marketing data until you withdraw consent.

As processor, we retain client data for the contract term and delete or return it per client instructions and the DPA (except where law requires retention).

11. Automated decision‑making

We do not engage in automated decision‑making that produces legal or similarly significant effects.

12. Your rights (EU / EEA / UK / CH)

You may have the right to access, rectify, erase, restrict, object, and data portability under applicable law, and to withdraw consent at any time (for future processing).

• Requests concerning client datasets should be sent to the Client (controller); we assist them as required by the DPA.
• Requests about data we control (accounts, logs, billing, support) can be sent to our privacy contact email (see Contact).

You also have the right to lodge a complaint with a supervisory authority.

13. Children

MHIRA is used by professional organisations. We do not knowingly collect controller-side data directly from children.

14. EEA/UK representative (if applicable)

If we do not have an establishment in the EEA/UK but our processing falls within the scope of GDPR/UK GDPR, we will designate a representative for data subjects and authorities to contact. To obtain the current representative details, please contact us using the details below.

15. Changes to this Policy

We may update this Policy periodically. The current version is available at mhira.app with its effective date. Material changes will be communicated through the service or by email where appropriate.

16. Contact