Metric Health Privacy Policy
Last Updated: September 2025
We know privacy policies can be long, but your trust means everything to us. This Privacy Policy explains how Metric Health, Inc. (“Metric Health”, “we”, “us” and “our”) collects, uses, and protects the information you provide when you visit our website (https://www.mymetrichealth.com), our other web properties (collectively, the “Sites”), use our mobile applications (the "Apps"), or use the services we provide (together, the "Services"). This Privacy Policy outlines the data we collect, why we collect it, and how we keep it secure.
PLEASE READ THIS PRIVACY POLICY CAREFULLY TO UNDERSTAND HOW WE HANDLE YOUR INFORMATION. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, PLEASE DO NOT USE THE SERVICES.
Roles Under Privacy Laws
Metric Health is not a medical group or healthcare provider. Rather, Metric Health provides a technology platform where you can share health data with your healthcare clinician, clinic, or health system (collectively, the “Provider”). We act as a Business Associate in partnership with Providers to help deliver healthcare services. As a Business Associate, we are required under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to protect the privacy and confidentiality of your Protected Health Information (“PHI”), as well as other personal information we may collect, including health-related data that may not be governed by HIPAA. To meet these requirements, we have entered into Business Associate Agreements with Providers to ensure your PHI is safeguarded in compliance with HIPAA standards. We process PHI only as permitted under HIPAA and these Business Associate Agreements.
While we work with Providers to facilitate the services patients receive, your Provider is responsible for determining the purposes and means of processing clinical data related to your care. In other words, your Provider decides how and why your health information is used in connection with the treatment and services you receive.
1. Information We Collect
We practice data minimization and collect three main types of information: Personal Information, Personal Health Information (including PHI), and Non-Personal Information.
Personal Information
This is information that can be used to directly or indirectly identify you, such as:
Contact Information
For all users: First name, last name, and email address
For Providers: first name, last name, billing and mailing addresses, phone number, email address, professional title, and company name.
Demographic Information
City, state, country of residence, and postal code.
Communications Data
Information from interactions with you, such as when you contact us.
Account and Online Identifiers
Usernames, passwords, and other credentials used to access our websites and services.
Payment and Transaction Data
Payment details for Providers (for example, credit card information, bank account numbers), billing/payment history.
Marketing Preferences
Your preferences for receiving marketing communications and engagement details.
Audio, Visual, and Electronic Data
Photos, video and audio recordings in connection with your use of our Services or, where permitted by law, during conversations with us (such as when seeking customer support).
Personal Health Information:
This is health-related data that we may process on behalf of your Provider to help facilitate your care. This may include, but is not limited to:
Symptom Entries (including information about mental health)
Cognitive Assessments
Behavioral Assessments, including responses to questionnaires
Referral Preferences
Contextual Information you provide or that your Provider configures
Non-Personal Information
This is information that cannot be used to directly identify you on its own, such as:
Aggregated Data
General data trends, user statistics, and analytics that cannot be linked to any specific individual.
Usage Data
Data about how you interact with our Sites or Apps (for example, browsing history, device identifiers) that helps us improve the user experience but does not identify you personally.
Technical Information
Device types, IP addresses, operating systems, browser types, and other system-related information that are not associated with a specific person.
We understand how important privacy is, and we are committed to protecting yours. This is how we handle both your personal information and personal health information.
We do not sell your personal information or your personal health information.
We do not use your personal health information for targeted advertising or marketing purposes.
We do not share your personal health information with third parties, except when directed by you or your Provider, or as required by law.
2. How We Get Your Information
We collect data from a variety of sources to provide and improve our Services. These include:
You. This includes information you provide us or permissions you grant when using the Services.
Your Provider. This may include patient enrollment details and contextual clinical information necessary for your care.
Device and Service Logs. This may include technical data from your device or operating system, such as logs generated by your use of our Services, which help us monitor and improve functionality.
3. How (and Why) We Use Your Information
We process your information to deliver and improve our Services, enable secure sharing with your Provider, and comply with legal and regulatory responsibilities. The way we process data depends on the type of information you provide, your location, and whether the information is classified as personal health information, personal information, or sensitive personal information (for example, racial or ethnic data, religious beliefs, sexual orientation) under applicable laws. Here is how we handle each type of information:
Personal Health Information:
To Coordinate Treatment and Care: We send your health-related entries (for example, symptoms, cognition, behavior, mental health, journals) to your designated Provider and their care team to aid in your care.
To Provide our Service: Your personal health information may be used to provide our services and maintain our Sites and Apps.
To Meet Legal Requirements: Sometimes, we are required to share your information to comply with legal obligations (for example, responding to subpoenas or government requests) or professional obligations including healthcare recordkeeping, auditing, and reporting.
To Keep Things Safe: We use your information to ensure our services are secure, authenticate your account, maintain network and information security, prevent fraud or abuse, and detect unauthorized access.
For Research and Troubleshooting: We may use de-identified personal health information to analyze trends and troubleshoot problems related to our Services. Any identifiable data used in research will require your separate informed consent and, where applicable, review by an institutional review board or ethics committee.
Personal Information:
To Provide our Service: Your information may be used to provide our services and maintain our Sites and Apps.
To Communicate: We may contact you to respond to your questions and requests, send account notices, service updates, and security alerts.
To Stay in Touch: We may reach out to you with updates on our products, services, and news, or ask for your feedback to help us improve.
To Improve Our Services: We monitor how the Services are being used and track and analyze how our Services are performing. We also may receive your feedback so we can improve and fix things as needed.
For Research and Troubleshooting: Your information helps us troubleshoot and address issues with the Services, plan future projects, and keep our platform running smoothly.
To Keep Things Safe: We use your information to ensure our Services are secure, authenticate your account, maintain network and information security, prevent fraud/abuse, and detect unauthorized access.
With Service Providers: We share information with trusted partners and contractors who help us provide our Services. This includes things like IT support, payment processing, and customer support.
To Create Anonymous Data: We may aggregate anonymous data to create statistics that help us understand user trends, which we might share with partners or third parties for business purposes.
With Our Affiliates: We might share your information with our parent company, subsidiaries, or other companies that we are affiliated with.
To Meet Legal Requirements: Sometimes, we have to share information to comply with legal obligations (for example, responding to subpoenas or government requests) or professional obligations including healthcare recordkeeping, auditing, and reporting.
In Case of a Corporate Event: If we undergo a merger, acquisition, or other business changes, your data could be part of the transaction.
For Internal Audits and Compliance: We audit our processes to ensure we are following the law, our policies, and our agreements.
Sensitive Personal Information:
For Research and Troubleshooting: We may use de-identified sensitive personal information to analyze trends, plan for future updates, and troubleshoot problems related to our Services. Any identifiable data used in research will require your separate informed consent and, where applicable, review by an institutional review board or ethics committee.
To Keep Things Safe: We may use sensitive personal information to ensure our Services are secure, authenticate your account, maintain network and information security, prevent fraud/abuse, and detect unauthorized access.
To Meet Legal Requirements: We may share information to comply with legal obligations (for example, responding to subpoenas or government requests) or professional obligations, including healthcare recordkeeping, auditing, and reporting.
4. Third-Party Integrations
We may use third-party tools and integrations to enhance the functionality of our Sites and Apps. Each third-party provider has its own privacy practices, which we encourage you to review.
We only share information through these integrations with your consent or as needed to support a service you have requested. You may choose to connect the Apps with other health-related tools (for example, wearables, health apps, or provider systems). These integrations may allow:
Importing or exporting health data
Syncing activity, symptoms, or other wellness inputs
Enabling features powered by external services (for example, messaging platforms or AI-based tools)
Third-party integrations and tools may allow us to have access to and store additional information as it relates to your use of the Services (for example, to integrate your health data within the Services). If you do not wish to have this information disclosed, do not initiate these connections.
5. Cookies and Tracking Technologies
We use cookies and similar technologies on our Site to:
Understand how users interact with the Site
Improve site performance and user experience
Support secure login and session management
Where permitted, measure the effectiveness of outreach or communications
We do not use cookies to track your behavior across third-party websites, and we do not use cookies for targeted advertising of health information.
You can manage cookie preferences through your browser settings or opt out of non-essential cookies. However, please note that some features of the Sites and Apps may not function properly if cookies are disabled.
More information about how we use cookies and your rights regarding cookies may be found in our Cookie Policy.
6. Legal Bases for Data Processing and Privacy Rights by Region
Because Metric Health operates internationally, our legal basis for processing information depends on your location and the nature of the data.
UNITED STATES
For individuals in the United States, health information entered into the Apps may be considered PHI under HIPAA. We act as your Provider’s Business Associate under a Business Associate Agreement and process PHI only as permitted by HIPAA to support your treatment and your Provider’s health care operations.
We do not use or disclose PHI for marketing, sale, or research without valid HIPAA authorization and your explicit consent. Your Provider controls your medical records and manages your rights under HIPAA.
CALIFORNIA PRIVACY RIGHTS
California law entitles California residents to certain additional protections regarding Personal Information. For purposes of this section alone, “CCPA Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.
We collect the following categories of CCPA Personal Information: identifiers, commercial information, Internet or other electronic network activity information, and geolocation data. We collect, use, and disclose CCPA Personal Information in the ways described above in our Privacy Policy. We do not sell CCPA Personal Information to third parties. California residents have the following rights to the extent granted by applicable law:
Right to Know: You have the right to request information regarding the CCPA Personal Information we have collected in the past 12 months, including the categories of CCPA Personal Information we have collected, the categories of sources of such information, and the purposes for which we have collected such information.
Right to Disclosure: You have the right to know whether we have disclosed your CCPA Personal Information to third parties in the past 12 months. If we have disclosed it, you may request information about what categories of information we have disclosed, and what categories of third parties we have disclosed it to.
Right to Access: You may request a copy of your CCPA Personal Information collected by us in the past 12 months.
Right to Deletion: You have the right to request that we delete your CCPA Personal Information.
VIRGINIA RESIDENTS' PRIVACY RIGHTS
If you are a resident of Virginia, the Virginia Consumer Data Protection Act (VCDPA) provides you with certain rights regarding the processing of your Personal Information. To the extent established under applicable law, Virginia residents may have the following rights:
Right to Access: You have the right to request access to the Personal Information we have collected about you, including the categories of Personal Information, the purposes for which the data is used, and the categories of third parties to whom the data has been disclosed.
Right to Correct: You have the right to request the correction of inaccurate or incomplete Personal Information we hold about you.
Right to Delete: You have the right to request the deletion of your Personal Information, subject to certain exceptions under the law.
Right to Data Portability: You have the right to request that we provide you with a copy of your Personal Information in a portable and readily usable format to transmit to another entity, where technically feasible.
Right to Opt-Out of Targeted Advertising: You have the right to opt out of the processing of your Personal Information for targeted advertising purposes.
Right to Opt-Out of Sales: You have the right to opt out of the sale of your Personal Information to third parties, if applicable.
Right to Appeal: If we deny your request to exercise any of the above rights, you have the right to appeal our decision.
To make any of the above requests, please contact us at privacy@mymetrichealth.com or submit a webform here. We may require verification of your identity before further processing your request. In certain instances, we may be permitted by law to decline some or all of such request.
CANADA
If you are a resident of Canada, your personal information, including personal health information, is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). We process personal health information in accordance with the Ten Fair Information Principles under PIPEDA: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.
Your consent, whether through your Provider or directly through consent notices on our Sites or Apps, is the primary basis for processing.
Provincial Health Privacy Laws
In some provinces, additional health privacy laws apply. For example:
Ontario: Personal Health Information Protection Act (PHIPA)
Alberta: Health Information Act (HIA)
British Columbia: Freedom of Information and Protection of Privacy Act (FIPPA)
In these jurisdictions, your Provider is generally considered the Health Information Custodian (HIC) or equivalent, and is responsible for decisions related to recordkeeping, access, and retention.
Your Privacy Rights in Canada
If you are a resident of Canada, you have certain rights under PIPEDA and, where applicable, provincial health privacy laws.
Your Rights May Include:
Access to Your Information: You can request access to the personal or health information we hold about you. In most cases, this will be managed through your Provider, who serves as the custodian of your health records.
Correction of Inaccuracies: You can ask to correct inaccurate or incomplete information.
Withdrawal of Consent: You can withdraw consent for optional features at any time (for example, app integrations, research, etc.).
Information About Our Practices: You may request details about how we collect, use, store, and share your personal information, and the safeguards we use to protect it.
Filing a Complaint: If you have concerns about how your information is being handled, you have the right to contact us directly at privacy@mymetrichealth.com or file a complaint with your provincial regulator.
EUROPEAN ECONOMIC AREA / UNITED KINGDOM
If you are located in the United Kingdom (“UK”) or European Economic Area (“EEA”), certain data protection laws, such as the General Data Protection Regulation (“GDPR”), grant you specific rights and require us to explain the legal bases for processing your information. References to “personal information” in this Privacy Policy are equivalent to “personal data” governed by European data protection legislation.
Under the GDPR, we process your personal information under the following bases:
Contractual Necessity: We process information as necessary to provide our Services at your request and to support your relationship with your healthcare Provider.
Legal Obligation: We are legally obligated to process certain of your information (for example, for recordkeeping or responding to regulatory requests).
Vital Interests: In rare situations, we process your information to protect your life or the life of another person (for example, responding to urgent safety or health threats).
Legitimate Interests: We process certain information to operate our Sites and Apps, for fraud prevention, and for service security, provided such interests do not override your fundamental rights.
Processing of Special Categories of Data Under the GDPR
Because our Service involves mental health and behavioral data, we rely primarily on:
Provision of Health or Social Care: We process your data when necessary to provide health or social care services, in coordination with your healthcare Provider.
Explicit Consent: We rely on your explicit consent to provide optional features, such as AI-generated insights, third-party integrations with health apps, or participation in research. You may withdraw your consent at any time.
If you are located in the UK or EEA, your data may be transferred to the United States or other countries outside the EEA. When we do this, we rely on Standard Contractual Clauses approved by the European Commission (or UK authorities) and implement supplementary safeguards to protect your information.
Additionally, UK or EEA residents may have the following rights:
Right to Access and Update: You have the right to access, review, and update your personal data.
Right to Restriction: You have the right to restrict our processing of your personal data.
Right to Data Portability: You have the right to request that we provide you with a copy of, or access to, your personal data in a structured, commonly used, and machine-readable format. You may also request that we transfer your personal data to another controller, when technically feasible.
Right to Withdraw Consent: You have the right to withdraw your consent when our processing of your personal data is based on consent (and not another legitimate basis).
Right to Erasure: You have the right to request that we delete your personal data, subject to certain limitations.
Right to Lodge a Complaint: You have the right to lodge a complaint with the applicable supervisory authority in the EU. Before you do this, we ask that you please contact us directly in order to give us an opportunity to work directly with you to resolve any concerns about your privacy.
To make any of the above requests, please contact us at privacy@mymetrichealth.com or submit a webform here. We may require verification of your identity before further processing your request. In certain instances, we may be permitted by law to decline some or all of such requests.
OTHER JURISDICTIONS
For users outside the U.S., Canada, UK, and EEA, we process data under the legal bases provided by the laws of your jurisdiction, or under our contract with you and your Provider. Where local consumer protection or privacy laws give you additional non-waivable rights, we will honor them.
7. How We Share Information
We do not sell your personal information, use health data for advertising, or engage in cross-context behavioral tracking. We only share your information when necessary to provide our Services, support your care, meet legal obligations, or improve system functionality.
We may share your information in the following ways:
With Your Provider: We share your health-related entries with your designated Provider and their authorized care team to support your treatment and care coordination.
With Trusted Service Providers: We may share your data with trusted third-party service providers who perform services on our behalf (for example, hosting, data analysis, customer support). These providers are contractually obligated to handle your data with the same care that we do.
For Legal and Safety Reasons: We may disclose your data when required by law, to protect our legal rights, or to comply with legal processes (for example, subpoenas, court orders).
8. AI Transparency and Human Oversight
We may use artificial intelligence (“AI”) technologies to help enhance the functionality of our Services and improve your experience. Specifically, AI may assist with:
Personalizing content and recommendations
Analyzing patterns to improve services
Enhancing customer support through AI-assisted responses
Increasing efficiency and accuracy
Detecting and preventing fraud or security risks
These tools support our legitimate business purposes, but they do not replace human care or clinical decision-making. Any AI-generated outputs are for informational purposes only and are not a substitute for medical advice, diagnosis, or treatment. Always consult your Provider before acting on any such insights.
We maintain human oversight in all health-related processes. Critical decisions related to your care always involve qualified healthcare professionals.
The information processed through AI systems is protected under the same data protection and security measures described throughout this Privacy Policy, including your applicable data rights.
9. Children and Teens
The Services are generally intended for individuals over the age of eighteen (18). Individuals under the age of 13 may only use our Services as recommended by their Provider and with the supervision and consent of their parents or legal guardians. If we learn that we have collected personal information from someone under the age of 13 that was not provided with the supervision and consent of the minor’s parents or legal guardian, we will promptly delete that information. If you believe we have impermissibly collected personal information from someone under the age of 13, please contact us at privacy@mymetrichealth.com.
10. How to Exercise Your Rights
We provide tools and support to help you manage your privacy and data preferences. Your ability to exercise certain rights may depend on your location and the type of data involved.
Please note, some information you enter becomes part of your official medical record and is managed by your Provider. In those cases, requests like correction or deletion may need to go through your Provider directly, in line with healthcare regulations (for example, HIPAA).
Ways to Manage Your Information:
In-App Tools: You may manage your data, including account deletion, permissions, and data export, through the App’s privacy settings.
Through Your Provider: You may contact your Provider directly for access, correction, or deletion of PHI. They are the official custodian of that information.
By Email: You may contact us at privacy@mymetrichealth.com for privacy questions or requests not covered above. We may require identity verification before responding and may reject requests that are unlawful, unreasonably repetitive, or would require disproportionate technical effort.
11. Data Security
We take the security of your information seriously and implement administrative, physical, and technical safeguards proportionate to risks, designed to protect it. However, no system can be guaranteed to be completely secure.
We apply a layered security approach, consistent with industry standards and healthcare regulations, including:
Encryption: All data is encrypted both in transit and at rest using strong encryption protocols.
Access Controls: We limit access to personal information to authorized personnel only. Access is granted based on the user’s role and need to know.
Two-Factor Authentication: We offer two-factor authentication to users for added protection when accessing sensitive data.
Audit Logging: We log and monitor system access and activity to detect unauthorized use.
Network & Infrastructure Security: We use firewalls, intrusion detection and prevention, and regular vulnerability testing.
Vendor Management: We require all third-party vendors and subcontractors to implement appropriate security and privacy safeguards. This includes signed Data Processing Agreements and Business Associate Agreements, as applicable.
Employee Training: Team members who handle sensitive data receive training on handling health information securely.
Data Breach Notification
If a data breach involves your personal or health information, we follow applicable laws to notify the right parties as follows:
HIPAA (United States): We will notify your Provider, who is responsible for notifying you as required by HIPAA.
GDPR (EEA/UK): We will notify supervisory authorities and affected individuals of breaches where legally required.
PIPEDA (Canada): We will report material breaches to the Office of the Privacy Commissioner and notify affected individuals when there is a real risk of significant harm.
Your Role in Security
Use a strong and unique password and keep your login credentials confidential.
Enable device-level protections (for example, passcodes, biometric locks).
Do not share your account with others.
Be aware that communications sent outside the Apps and Sites (for example, via email or SMS) may not be encrypted.
Retention of Security Logs
We retain system and security logs for at least 24 months (or longer where required) to support monitoring, auditing, and regulatory compliance.
12. Data Retention
We retain information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
Once health data is shared with your Provider, it may be incorporated into your official medical record. Your Provider, not Metric Health, determines how long that information is retained.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will post updates here and endeavor to provide notice for material changes either through the Sites, the Apps, or through email. Please check this page regularly for updates. Continued use after the effective date means you accept the updated policy.
14. Contact Us
If you have questions or wish to exercise your rights, contact:
Metric Health, Inc.
167 Madison Ave, Suite 205
New York, NY 10016
Email: privacy@mymetrichealth.com
Website: www.mymetrichealth.com