Privacy Policy

Version 1.0 · Effective: May 2026 · HIPAA Compliant · Clinician-in-the-Loop

This Privacy Policy describes how Sirona Mind, Inc. ("Sirona Mind," "we," "our," or "the platform") collects, uses, shares, and protects your personal information and protected health information (PHI) when you use our platform. Please read it carefully — your privacy, especially your mental health information, is important to us.

Part A — Who we are

1. Introduction — who Sirona Mind is and what this policy covers [Practice Fusion Req.]

Sirona Mind is a whole-person mental health platform that helps patients track their daily wellbeing and supports clinical care coordination between patients and their mental health providers. This Privacy Policy explains how we collect, use, share, and protect your personal information and protected health information (PHI) when you use our platform.

When Sirona Mind provides services to healthcare providers such as Mass Mind Center (MMC), we act as a HIPAA Business Associate and handle your information in accordance with those agreements and applicable law.

2. Information we collect — PHI and non-PHI clearly separated [HIPAA Required]

Protected health information (PHI) — full HIPAA protection

  • Identity: Name, date of birth, and contact information
  • Insurance: Insurance information and member ID
  • Clinical history: Appointment records and clinical history provided during intake
  • Daily check-ins: Mood, sleep, stress, and life domain entries
  • Medication: Medication information you provide
  • Session data: Session notes and preparation data shared with your clinician
  • Assessments: PHQ-9 / GAD-7 self-reporting and symptom tracking

Non-PHI — standard platform data

  • Device info: Device type, browser, and IP address (for platform operation)
  • Usage data: Pages visited, features used, and session duration
  • Pre-intake responses: Questionnaire responses from the pre-booking flow (before PHI is collected)

Part B — How we use and share your information

3. How we use your information — permitted purposes under HIPAA [HIPAA Required]

HIPAA permits the use and disclosure of PHI for Treatment, Payment, and Healthcare Operations (TPO) without your explicit authorisation. Apart from TPO and the disclosures required or permitted by law that are described in section 4 (court orders and mandatory reporting, for example), any other use or disclosure of your PHI requires your written authorisation. Below are our permitted uses:

  • Treatment: Sharing your check-in data, session prep, and life context with your clinician to support your care
  • Payment: Verifying insurance eligibility and facilitating billing for clinical services
  • Healthcare operations: Quality improvement, care coordination, and clinical performance monitoring
  • Platform improvement (de-identified only): Aggregated, anonymised data may be used to improve the platform — never identifiable

Important: We never use your identifiable health information to improve our services or for any purpose beyond those stated above. Any improvement activities use strictly de-identified, aggregated data.

4. How we share your information — disclosures and Business Associates [HIPAA Required]

We only share your PHI when necessary and with appropriate legal protections in place. Every vendor that handles PHI on our behalf has signed a Business Associate Agreement (BAA) with Sirona Mind. Recipients that are not our vendors, such as your insurer or a court, receive PHI only under the disclosures listed below and are bound by their own legal obligations.

  • Your clinical provider (e.g. MMC): Your care team receives your session prep, life context data, and appointment information — this is the core function of the platform
  • Practice Fusion (EHR): Appointment data is written to and read from your provider's Electronic Health Record under a signed Business Associate Agreement
  • Insurance carriers: For billing and eligibility verification only, limited to the minimum necessary information
  • Legal disclosures: We may disclose PHI as required by law — court orders, mandatory reporting, or public health authorities
  • Cloud infrastructure: AWS and/or Google Cloud under HIPAA-eligible service agreements and signed BAAs

Our commitment: We never sell your data. We do not share PHI with advertisers, data brokers, or third parties for marketing purposes — ever.

5. Mental health data — additional protections [Mental Health Specific]

Sirona Mind handles mental health information with the highest level of care and sensitivity. Mental health records are subject to additional protections under state law in many jurisdictions, and we comply with all applicable state mental health privacy requirements in addition to federal HIPAA standards.

We never disclose your mental health information to employers, family members, or any party without your explicit written consent, except as required by law or in situations involving risk of serious harm.

State-specific protections: In Massachusetts and certain other states, mental health privacy protections exceed federal HIPAA requirements. We comply with the most protective standard applicable to your care. If you receive care in a state with heightened protections, those protections apply to your information.

Part C — Your rights as a patient

6. Your HIPAA rights as a patient [HIPAA Required]

Under HIPAA, you have six specific rights regarding your health information. These rights are actionable — contact us at any time to exercise them.

Right to access

Request a copy of your health information held by Sirona Mind; we will provide it within 30 days of your request.

Right to amend

Request corrections to inaccurate information in your health record.

Right to accounting

Request a list of instances, covering the six years before your request, where your PHI has been shared outside treatment, payment, and operations.

Right to restriction

Ask us to limit how we use or share your information (we are not always required to agree).

Right to confidential communications

Ask us to communicate with you in a specific way — email only, not phone, for example.

Right to notice of privacy practices

Receive a paper copy of this notice upon request at any time.

Exercise your rights

Email us at privacy@sironamind.com to exercise any of your HIPAA rights. We will respond within 30 days.

Mailing address

Sirona Mind, Inc.
Attn: Privacy Officer
[Registered Business Address]

7. Data deletion and account closure [Practice Fusion Req.]

You may request closure of your Sirona Mind account at any time by contacting privacy@sironamind.com.

  • Non-clinical platform data will be deleted within 30 days of your request
  • Health information forming part of a clinical record may be retained for the period required by applicable state law governing medical record retention — typically 7–10 years — and will not be accessible through the platform after account closure
  • De-identified data is not subject to deletion requests as it cannot be linked back to you

Part D — Security and third-party integrations

8. How we protect your data — security measures [HIPAA Required]

The HIPAA Security Rule requires administrative, physical, and technical safeguards. Below are the measures we have in place:

Technical safeguards

  • Encryption in transit: All data transmitted between your device and Sirona Mind is encrypted using TLS 1.2 or higher
  • Encryption at rest: All stored health information is encrypted using AES-256
  • Access controls: Role-based access — clinicians only see their own patients' data, admins have limited, audited access
  • HIPAA-eligible infrastructure: Hosted on AWS / Google Cloud HIPAA-eligible services under signed Cloud Business Associate Agreements
  • Audit logging: All access to PHI is logged with timestamp, user ID, and action type
  • Breach notification: If a breach involving your unsecured PHI is discovered, affected individuals are notified without unreasonable delay and no later than 60 days after discovery, as the HIPAA Breach Notification Rule requires. Where Sirona Mind acts as a Business Associate, we notify your healthcare provider so that it can notify you within that window
9. Third-party integrations and Business Associates [Practice Fusion Req.]

Every vendor that handles your PHI on our behalf has a signed Business Associate Agreement (BAA) with Sirona Mind. The organisations we currently exchange PHI with are:

  • Practice Fusion (EHR integration): Appointment scheduling data is exchanged with Practice Fusion under a signed BAA
  • Cloud infrastructure providers: AWS and/or Google Cloud under HIPAA-eligible service agreements and signed BAAs
  • Healthcare provider partners (e.g. MMC): Your clinical provider receives your health data as part of your care, the primary purpose of the platform. The provider is the HIPAA Covered Entity and Sirona Mind is its Business Associate, under a BAA between the two
  • Analytics tools (non-PHI only): Aggregated, de-identified usage data may be processed by analytics tools. No PHI is shared with analytics providers

10. Cookies and non-health data [Practice Fusion Req.]

Sirona Mind uses essential cookies to operate the platform — these handle authentication and session management. We do not use advertising cookies or share browsing data with third-party advertisers.

Because the platform sets only essential cookies, blocking third-party or non-essential cookies in your browser settings will not affect core platform functionality. Blocking all cookies, including the authentication and session cookies, will prevent you from signing in.

Part E — Administration and contact

11. Changes to this policy [HIPAA Required]

We may update this Privacy Policy periodically. Material changes affecting how we use your health information will be communicated to you directly by email at least 30 days before they take effect. The effective date at the top of this policy reflects the most recent revision. Continued use of Sirona Mind following notification of changes constitutes acceptance of the updated policy.

12. Contact us and how to file a complaint [HIPAA Required]

For privacy questions or to exercise your rights, contact us directly:

Privacy enquiries

privacy@sironamind.com

Sirona Mind, Inc.

File a complaint — HHS OCR

If you believe your privacy rights have been violated, you may also contact the U.S. Department of Health and Human Services Office for Civil Rights:

hhs.gov/ocr

Tel: 1-800-368-1019

Filing a complaint with HHS OCR will not affect your access to care or services from Sirona Mind or your healthcare provider.
