Privacy policy

Privacy Policy & Healthcare Privacy Policy
Mish Health Ventures PLLC DBA Mars Well
Effective Date: November 20, 2024
Last Updated: January 6, 2025


SECTION 1 — WEBSITE PRIVACY POLICY


Introduction

This Privacy Policy describes the data protection practices of Mish Health Ventures PLLC DBA Mars Well ("we," "our," or "us"), including when you visit our website at www.joinmarswell.com and any affiliated mobile applications (collectively, our "Website") or otherwise provide data to us. This Privacy Policy is incorporated into our Terms of Service. Please read this Privacy Policy carefully to understand how we handle your information. If you do not agree to this Privacy Policy, please do not use the Services.


1. The Information We Collect and the Sources of Such Information

We obtain information about you through various means when you use our Services. Certain information is necessary for us to provide the Services. If you do not provide such information or ask us to delete it, you may no longer be able to access or use parts of our Services.

Information You Provide to Us

We collect the following information that you provide directly to us:

  • Account Information: Name, address, email address, telephone number, date of birth, and other identifiers
  • Billing Information: Payment information collected by our payment processors on our behalf
  • Commercial Information: Information about your transactions including purchases and healthcare provider information
  • Health Information: Medical history, lifestyle data, symptoms, treatment options, medical records, and other relevant information
  • Demographic Information: Gender, age, marital status, and similar data
  • Geolocation Information: General location based on your IP address
  • User-Generated Content: Any content you post on our Services
  • Sensitive Personal Information: Health-related data, information about your sex life or sexual orientation, and sensitive demographic data

2. Purposes for How We Use Your Information

We may use your information for the following purposes:

  • Provide and Manage the Services: Facilitating healthcare services, processing orders, verifying your identity, and maintaining your account
  • Communication: To respond to inquiries, provide customer support, send notifications, and communicate on behalf of healthcare providers
  • Analytics and Improvements: Conduct research and analysis to improve our Services and enhance user experience
  • Personalization: Customize content to better match your preferences
  • Legal Obligations: Comply with legal obligations, protect the safety and rights of others, and safeguard our business

3. Online Analytics and Advertising

We may use third-party web analytics services such as Google Analytics to collect and analyze usage information. These services help us understand how users interact with our Services. You may opt out of cross-device tracking and tailored advertisements through your mobile device settings.


4. How We Disclose Your Information

We may disclose your information in the following ways:

  • Service Providers: We may share information with third-party service providers who assist us with payment processing, analytics, and other business operations
  • Health Care Providers: We may disclose health-related information to healthcare providers for treatment purposes
  • Legal Compliance: We may disclose information to comply with legal obligations such as court orders, subpoenas, or government requests
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction

We do not sell your personal information.


5. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

  • Right to Access: You can request access to the personal information we hold about you
  • Right to Correct: You may request that we correct any inaccuracies in your personal data
  • Right to Delete: You may request the deletion of your personal data subject to legal limitations
  • Right to Opt-Out of Marketing: You can opt out of receiving marketing communications from us
  • Cookie Preferences: You can manage your cookie settings through your browser

To exercise your rights, please contact us at privacy@venusandmarswell.com.


6. Third-Party Services and Health Information

Our Services may link to third-party websites, apps, or services that are not controlled by us. This Privacy Policy does not cover those third-party services and we are not responsible for their privacy practices. Please review their privacy policies before providing any personal information.

Mish Health Ventures PLLC DBA Mars Well may disclose patient information to third-party service providers such as labs, pharmacies, and billing processors to facilitate treatment, payment, and healthcare operations.


7. How We Protect Your Information

We use a variety of security measures, including encryption and access controls, to protect your personal information. However, no security system is completely foolproof, and we cannot guarantee the absolute security of your data. You are responsible for keeping your account password confidential.

All employees undergo annual training on HIPAA compliance, data security, and our privacy policies.

In the event of a data breach involving your PHI, we will notify you as required by law. Notifications will be made no later than 60 calendar days after the discovery of the breach, in accordance with HIPAA regulations.


8. Retention of Your Information

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law. PHI is retained for a minimum of six years as required by HIPAA regulations. Once no longer required, we securely delete or anonymize the data.


9. Children

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from individuals under 18. If we discover that we have collected such information, we will promptly delete it.


10. Revisions to Our Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices or applicable laws. When we make material changes, we will notify you by updating the effective date at the top of this policy. Your continued use of our Services constitutes your acknowledgment of these changes.


11. Privacy Information for California Residents

Note: The following provisions will apply when services expand to California. They are included here for transparency and future compliance purposes.

California residents have enhanced privacy protections under multiple state laws including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Confidentiality of Medical Information Act (CMIA), and California telehealth regulations.

Under CCPA/CPRA, California residents have the following rights:

  • Right to Know: You can request details about the categories and specific pieces of personal information we collect about you
  • Right to Delete: You can request that we delete your personal information subject to certain exceptions
  • Right to Correct: You can request that we correct inaccurate personal information
  • Right to Opt-Out of Sale or Sharing: We do not sell personal information but you can request to opt out of sharing for advertising purposes
  • Right to Limit Use of Sensitive Personal Information: You can request that we limit the use of your sensitive personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
  • Right to Data Portability: You can request a copy of your personal information in a portable format

Under the Confidentiality of Medical Information Act (CMIA):

  • Your medical information receives additional protections beyond HIPAA under California law
  • We will not disclose your medical information without your written authorization except as permitted by law
  • You have the right to receive a copy of your medical records within 15 days of request

California Telehealth Patients:

  • Telehealth services provided to California patients are subject to California telehealth laws including AB 890 and SB 351
  • California patients have the right to in-person care as an alternative to telehealth services
  • Your consent to telehealth services is voluntary and may be withdrawn at any time

To make any privacy request or exercise your California rights, please contact us at privacy@venusandmarswell.com. We will respond to verifiable consumer requests within 45 days.


12. Privacy Information for Texas Residents

Note: The following provisions will apply when services expand to Texas. They are included here for transparency and future compliance purposes.

Under Texas law, we may process your sensitive personal information, such as health data, in accordance with your consent. You have the right to request that we limit the use of your sensitive information for purposes other than providing you with the services you have requested.

Additionally, under the Texas Data Privacy and Security Act (TDPSA), Texas residents have the following rights:

  • Right to access personal data
  • Right to correct inaccuracies
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of the sale of personal data or targeted advertising

To make a request, please contact us at privacy@venusandmarswell.com.


13. Privacy Information for Nevada Residents

Note: The following provisions will apply when services expand to Nevada. They are included here for transparency and future compliance purposes.

Nevada residents may opt out of the sale of personally identifiable information by contacting us at privacy@venusandmarswell.com. While we do not currently sell personal information, we will process your request should our practices change.

Under Nevada's Senate Bill 220, you have the right to opt out of the sale of covered information. To submit an opt-out request, please contact us at privacy@venusandmarswell.com.


14. Privacy Information for Colorado Residents

Note: The following provisions will apply when services expand to Colorado. They are included here for transparency and future compliance purposes.

Under the Colorado Privacy Act (CPA), Colorado residents have the following rights regarding their personal information:

  • Right to access and know what personal data is being processed
  • Right to correct inaccurate personal data
  • Right to delete personal data
  • Right to opt out of the processing of personal data for targeted advertising or sale
  • Right to data portability

To make a request, please contact us at privacy@venusandmarswell.com.


15. Privacy Information for Virginia Residents

Note: The following provisions will apply when services expand to Virginia. They are included here for transparency and future compliance purposes.

Under the Virginia Consumer Data Protection Act (VCDPA), Virginia residents have the following rights:

  • Right to access personal data
  • Right to correct inaccuracies
  • Right to delete personal data
  • Right to obtain a copy of personal data
  • Right to opt out of the sale of personal data or targeted advertising

To make a request, please contact us at privacy@venusandmarswell.com.


16. Privacy Information for Connecticut Residents

Note: The following provisions will apply when services expand to Connecticut. They are included here for transparency and future compliance purposes.

Under the Connecticut Data Privacy Act (CTDPA), Connecticut residents have the following rights:

  • Right to access personal data
  • Right to correct inaccuracies
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of targeted advertising or sale of personal data

To make a request, please contact us at privacy@venusandmarswell.com.


17. Privacy Information for Utah Residents

Note: The following provisions will apply when services expand to Utah. They are included here for transparency and future compliance purposes.

Under the Utah Consumer Privacy Act (UCPA), Utah residents have the following rights:

  • Right to access personal data
  • Right to delete personal data provided by the consumer
  • Right to data portability
  • Right to opt out of the sale of personal data or targeted advertising

To make a request, please contact us at privacy@venusandmarswell.com.


18. Privacy Information for Washington Residents

Note: The following provisions will apply when services expand to Washington. They are included here for transparency and future compliance purposes.

Under the Washington My Health My Data Act, Washington residents have enhanced protections for consumer health data. We do not sell consumer health data. Washington residents have the right to:

  • Access their consumer health data
  • Withdraw consent for collection or sharing of health data
  • Request deletion of health data
  • Know with whom their health data has been shared

To make a request, please contact us at privacy@venusandmarswell.com.


19. Privacy Information for All Other States

Regardless of your state of residence, we are committed to protecting your personal information in accordance with applicable federal law, including HIPAA. If you have questions about your privacy rights, please contact us at privacy@venusandmarswell.com.


20. Contacting Us

If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:

Mish Health Ventures PLLC DBA Mars Well
Email: privacy@venusandmarswell.com
Website: www.joinmarswell.com


SECTION 2 — HEALTHCARE PRIVACY POLICY


Introduction

This Healthcare Privacy Policy describes how Mish Health Ventures PLLC DBA Mars Well collects, uses, and protects your protected health information ("PHI") in connection with the clinical services we provide. This policy applies to all patients of Mars Well and is separate from but complements our Website Privacy Policy above.

For your full HIPAA Notice of Privacy Practices, please visit www.joinmarswell.com or request a copy at privacy@venusandmarswell.com.


1. What is Protected Health Information?

Protected Health Information is information that identifies or could reasonably be used to identify you and relates to your past, present, or future physical or mental health, the provision of healthcare to you, or the payment for your healthcare.


2. How We Use and Disclose Your PHI

We may use and disclose your PHI for the following purposes without your written authorization:

  • Treatment: To provide, coordinate, and manage your medical care including sharing with labs, pharmacies, and other providers involved in your care
  • Payment: To bill and collect payment for services rendered
  • Healthcare Operations: For quality assessment, case management, and business planning activities
  • As Required by Law: To comply with federal, state, or local legal requirements
  • Health Oversight: For audits, investigations, and inspections required by law
  • Emergency Situations: To prevent a serious threat to your health or safety or the health and safety of others

3. Your Rights Regarding Your PHI

You have the following rights regarding your protected health information:

  • Right to Inspect and Copy: Request access to your medical and billing records
  • Right to Amend: Request corrections to your health information
  • Right to an Accounting of Disclosures: Request a list of disclosures we have made of your PHI
  • Right to Request Restrictions: Request limitations on how we use or disclose your PHI
  • Right to Confidential Communications: Request that we communicate with you in a specific way or at a specific location
  • Right to a Paper Copy: Request a paper copy of our Notice of Privacy Practices at any time

To exercise any of these rights, please contact us in writing at privacy@venusandmarswell.com.


4. Business Associates

We may share your PHI with business associates who perform services on our behalf, including labs, pharmacies, and billing processors. We require all business associates to appropriately safeguard your PHI through signed Business Associate Agreements.


5. Telehealth Privacy

As a telehealth practice, your PHI may be transmitted electronically through HIPAA-compliant platforms, including Healthie and Zoom for Healthcare. While we take every precaution to protect your information, no electronic transmission is completely secure. By using our telehealth services, you acknowledge and accept this risk.

For secure communications outside of telehealth sessions, patients are encouraged to use the Healthie messaging platform or the Spruce app.


6. Data Security

We implement administrative, physical, and technical safeguards to protect your PHI, including:

  • Encryption of electronic PHI
  • Access controls and authentication requirements
  • Annual HIPAA training for all staff
  • Regular security risk assessments
  • Business Associate Agreements with all vendors who access PHI

7. Breach Notification

In the event of a breach of your unsecured PHI, we will notify you no later than 60 calendar days after discovery of the breach, as required by HIPAA. We will also notify the U.S. Department of Health and Human Services and, where required, the media.


8. Retention of PHI

We retain your PHI for a minimum of six years from the date of creation or the date it was last in effect, whichever is later, in accordance with HIPAA requirements and applicable state law.


9. How to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with:

Mars Well Privacy Officer:
Email: privacy@venusandmarswell.com

U.S. Department of Health and Human Services:
Office for Civil Rights
200 Independence Avenue SW
Washington, DC 20201
www.hhs.gov/ocr

You will not be retaliated against for filing a complaint.


10. State-Specific Healthcare Privacy Rights

Kentucky Patients: Your PHI is protected under Kentucky state law in addition to federal HIPAA requirements. Kentucky law may provide additional protections for certain categories of health information.

Indiana Patients: Your PHI is protected under Indiana state law in addition to federal HIPAA requirements. Indiana law may provide additional protections for certain categories of health information consistent with Indiana Senate Bill 282 and applicable telehealth regulations.

All Other States: As Mars Well expands to additional states, your PHI will be protected under both federal HIPAA requirements and applicable state law. State-specific privacy rights and protections will be communicated to you at the time services become available in your state.


11. Changes to This Healthcare Privacy Policy

We reserve the right to change the terms of this Healthcare Privacy Policy at any time. We will post the revised policy on our website at www.joinmarswell.com and make copies available upon request. Changes will be effective upon posting.


12. Contact Us

If you have any questions about this Healthcare Privacy Policy or your rights regarding your PHI, please contact us at:

Mish Health Ventures PLLC DBA Mars Well
Privacy Officer: Megan Bush, NP
Email: privacy@venusandmarswell.com
Website: www.joinmarswell.com

