Menthra HIPAA Notice of Privacy Practices

Menthra is committed to protecting your Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. This Notice of Privacy Practices describes how your health information may be used and disclosed, and how you can access this information. Please review it carefully.

Protected Health Information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by Menthra in connection with providing our services. This includes information related to your past, present, or future physical or mental health conditions, the provision of healthcare services, and payment for those services. Examples include conversation transcripts with AI companions or licensed therapists, assessment results, treatment plans, and any personal identifiers associated with that health data.

Menthra may use or disclose your PHI only in the following circumstances:

• •Treatment: We may use your PHI to provide, coordinate, and manage your mental health care. This includes sharing relevant information between your AI companion and a licensed therapist when you are receiving integrated care through Menthra.
• •Healthcare operations: We may use your PHI to support our internal operations, including quality improvement, auditing, compliance activities, and training of our clinical staff. Any use of data for operational purposes is conducted with appropriate safeguards.
• •Required by law: We may disclose your PHI when required to do so by applicable federal, state, or local law, including court orders, subpoenas, and public health reporting requirements.
• •With your authorization: For any use or disclosure not described above, we will obtain your written authorization before using or disclosing your PHI. You may revoke any authorization at any time by contacting us in writing.

Menthra will never use or disclose your PHI for any of the following purposes:

• •Sell your PHI: We will never sell your Protected Health Information to any third party, for any reason, under any circumstances.
• •Use PHI for marketing: We will never use your health information to market products or services to you without your explicit written authorization.
• •Share PHI with advertisers: We will never share your health information with advertising networks, data brokers, or any third-party advertisers.
• •Use PHI for AI model training: We will never use your identifiable health information to train general-purpose artificial intelligence models. Your conversations and health data are never fed back into model training pipelines.

Under HIPAA, you have the following rights with respect to your PHI:

• •Right to access: You may request a copy of your PHI that we maintain in our records. We will provide it in a readily accessible electronic format.
• •Right to amend: You may request that we amend your PHI if you believe it is inaccurate or incomplete. We will respond to your request within 60 days.
• •Right to an accounting of disclosures: You may request a list of certain disclosures we have made of your PHI during the six years prior to your request.
• •Right to request restrictions: You may request that we restrict certain uses or disclosures of your PHI. While we are not required to agree to all restrictions, we will honor any restriction to which we agree.
• •Right to confidential communications: You may request that we communicate with you about your PHI in a specific way or at a specific location. We will accommodate reasonable requests.
• •Right to a copy of this notice: You have the right to receive a paper or electronic copy of this Notice of Privacy Practices at any time upon request.
• •Right to file a complaint: If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services. You will not be penalized or retaliated against for filing a complaint.

Menthra is required by law to maintain the privacy and security of your PHI, to provide you with this Notice of our legal duties and privacy practices, and to notify you in the event of a breach of unsecured PHI. We are required to abide by the terms of this Notice currently in effect. We reserve the right to change our privacy practices and the terms of this Notice at any time, and to make the new provisions effective for all PHI we maintain. If we make a material change to this Notice, we will post the revised version on our website and make it available upon request.

Menthra works with a limited number of third-party service providers (business associates) that may have access to your PHI in order to provide their services to us. Each business associate is contractually bound by a HIPAA-compliant Business Associate Agreement (BAA) that requires them to safeguard your PHI to the same standard we maintain. Our business associates include:

• •Microsoft Azure: Cloud infrastructure provider for data storage and computing services. All PHI is encrypted at rest and in transit within Azure's HIPAA-eligible services.
• •AI service providers: We use AI models to power our companion features. All AI providers we work with have signed BAAs and are contractually prohibited from using your data for model training or any purpose other than providing the service to Menthra.

If you have questions about this Notice, wish to exercise any of your rights, or want to file a complaint, please contact our Privacy Officer at privacy@menthra.ai.