MitaRev Health is a HIPAA-covered platform. We handle Protected Health Information (PHI) and are committed to safeguarding your privacy in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the GDPR where applicable, and all other relevant data-protection laws. Please read this policy carefully.

1. Who We Are

MitaRev Health ("MitaRev", "we", "us", or "our") operates the MitaRev Health mobile application, the MitaRev Clinician Portal, and the associated backend services (collectively, the "Platform"). The Platform is a HIPAA-compliant nutritional health service designed to help patients manage their Glucose-Ketone Index (GKI) through personalised protocols, real-time monitoring, and integration with third-party health-tracking services.

For privacy enquiries, please contact us at privacy@mitarev.com.

2. Data We Collect

We collect the following categories of information when you use the Platform:

2.1 Account & Identity Data

  • Full name (first name, last name)
  • Email address
  • Password (stored as a secure hash via Firebase Authentication; we never see your plain-text password)
  • Phone number (optional)
  • Postal address (optional)
  • Date of birth (optional)
  • Gender (optional)
  • Timezone and notification preferences

2.2 Health & Biometric Data (PHI)

The following data constitutes Protected Health Information under HIPAA and is treated with the highest level of protection:

  • Blood glucose readings (mg/dL)
  • Blood ketone readings (mmol/L)
  • Glucose-Ketone Index (GKI) calculations
  • Nutritional diary data: calories, protein, carbohydrates, fat, fibre, sugar, and micronutrients
  • Daily protocol log entries (food, testing, fasting, exercise, lifestyle, survey responses)
  • Protocol history and adherence records
  • Subjective health inputs (energy levels, hunger, sleep quality)
  • Fasting window records

2.3 Usage & Technical Data

  • IP address and approximate location (derived from IP)
  • Device type, operating system, and app version
  • Session timestamps and API request logs
  • HIPAA audit log entries (who accessed what data, when, and from where)

2.4 Billing Data

Payment card details are processed directly by Stripe and are never stored on MitaRev servers. We retain billing records (subscription status, invoice history, transaction IDs) for financial and regulatory compliance purposes.

2.5 Data from Third-Party Integrations

If you connect a third-party service, we receive data from that service as described in Section 5.

3. How We Use Your Data

Purpose and the data used for it:

  • Provide and operate the Platform (protocol management, daily plans, progress tracking): account data, health & biometric data, usage data
  • Enable clinicians to monitor and support their patients: health & biometric data, protocol history, daily logs
  • Synchronise data from connected third-party devices and apps: OAuth tokens, nutrition and biometric data from integrations
  • Send notifications (protocol assignments, daily reminders, system alerts): email address, push notification token, notification preferences
  • Process payments and manage subscriptions: billing data (via Stripe)
  • Maintain HIPAA-required audit logs: usage data, access logs
  • Improve the Platform through anonymised, aggregated analytics: de-identified, aggregated health data (cannot be linked back to you)
  • Comply with legal obligations (HIPAA, financial regulations): audit logs, billing records
  • Detect and prevent fraud, abuse, and security incidents: usage data, IP address, audit logs

We do not sell your personal data or PHI to any third party, and we do not use your health data for advertising purposes.

5. Third-Party Integrations

The Platform integrates with the following third-party services. Connecting these services is entirely optional. You can disconnect any integration at any time from within the app.

5.1 Cronometer

If you connect your Cronometer account, we use OAuth 2.0 to obtain an access token and retrieve your daily nutrition diary data (calories, macronutrients, micronutrients). Your Cronometer credentials are never shared with us — only the OAuth token is stored, in Google Secret Manager. Data is synchronised hourly and via real-time webhooks. Cronometer's own privacy policy governs how Cronometer handles your data on their platform.

5.2 KetoMojo

If you connect your KetoMojo account, we use OAuth 2.0 to retrieve your blood glucose and ketone readings. As with Cronometer, only the OAuth token is stored (in Google Secret Manager), and KetoMojo's privacy policy governs their handling of your data.

5.3 Stripe

Subscription billing is handled by Stripe. When you subscribe, you are redirected to a Stripe-hosted checkout page. MitaRev does not receive or store your full payment card details. Stripe's privacy policy governs how Stripe processes your payment information.

5.4 Firebase & Google Cloud Platform

The Platform is built on Google Cloud Platform (GCP) and Firebase, which provide authentication, database, hosting, and infrastructure services. All data is stored in HIPAA-compliant GCP regions (North America). Google has signed a Business Associate Agreement (BAA) with MitaRev, covering the use of GCP services for PHI. Google's privacy policy governs Google's own data practices.

5.5 SendGrid (Email)

Transactional emails (invitations, notifications) are sent via SendGrid. We share your email address with SendGrid solely for the purpose of delivering these messages. SendGrid's privacy policy governs their handling of this data.

6. Data Sharing & Disclosure

We share your data only in the following circumstances:

6.1 Your Healthcare Team

If you are enrolled under a clinician or healthcare organisation on the Platform, your assigned clinician can view your health data, protocol history, and daily logs for the purpose of monitoring and supporting your care. Organisation administrators have access to limited demographic data only and cannot access your PHI.

6.2 Service Providers (Business Associates)

We share data with third-party service providers who process data on our behalf (e.g., Google Cloud, Stripe, SendGrid). All providers who handle PHI have signed a Business Associate Agreement (BAA) with MitaRev and are contractually required to protect your data in accordance with HIPAA.

6.3 Anonymised Research Data

We may use de-identified, aggregated data (which cannot be linked back to any individual) for research, analytics, and platform improvement. This data is not PHI and is not subject to HIPAA restrictions.

6.4 Legal Requirements

We may disclose your data if required to do so by law, court order, or governmental authority, or where we believe disclosure is necessary to protect the rights, property, or safety of MitaRev, our users, or the public.

6.5 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

We do not sell, rent, or trade your personal data or PHI to any third party for marketing or commercial purposes.

7. Data Retention

We retain your data for as long as necessary to provide the Platform and comply with our legal obligations:

Data category, retention period, and reason:

  • Account & profile data: until account deletion, then promptly deleted (service provision)
  • Health & biometric data (PHI): until account deletion, then promptly deleted (service provision)
  • HIPAA audit logs: 6 years from creation (HIPAA regulatory requirement, 45 CFR § 164.530(j))
  • Billing records: up to 7 years (financial and tax regulations)
  • Anonymised, aggregated research data: indefinitely, as it cannot be linked back to you (research and platform improvement)

To request deletion of your account and personal data, please see our account deletion page or contact us at privacy@mitarev.com. Deletion requests are processed within 30 days.

8. Security

We implement industry-standard technical and organisational measures to protect your data, including:

  • Encryption at rest — all data stored in Google Cloud Firestore is encrypted using Google-managed encryption keys.
  • Encryption in transit — all data transmitted between your device and our servers uses TLS 1.2 or higher.
  • Access control — role-based access control (RBAC) ensures that users can only access data they are authorised to see. Clinicians can only access patients assigned to them.
  • Secret management — OAuth tokens and API credentials are stored in Google Secret Manager, not in environment variables or source code.
  • Multi-factor authentication (MFA) — enforced for all administrative console access.
  • HIPAA audit logging — all access to and modifications of PHI are logged with actor, action, resource, IP address, and timestamp. Logs are retained for 6 years.
  • Security monitoring — automated alerts are configured for high access-denial rates, repeated authentication failures, and data export events.
  • Isolated environments — staging and production environments are fully separated GCP projects with strict access controls.

Despite these measures, no system is completely secure. If you believe your account has been compromised, please contact us immediately at privacy@mitarev.com.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

9.1 HIPAA Rights (US Patients)

  • Right of Access — you have the right to request a copy of your PHI held by MitaRev.
  • Right to Amend — you may request corrections to inaccurate or incomplete PHI.
  • Right to an Accounting of Disclosures — you may request a list of disclosures of your PHI made by MitaRev.
  • Right to Request Restrictions — you may request restrictions on how we use or disclose your PHI, though we are not always required to agree.
  • Right to Confidential Communications — you may request that we communicate with you in a specific way or at a specific location.
  • Right to a Paper Copy of This Notice — you may request a printed copy of this Privacy Policy at any time.

9.2 GDPR / UK GDPR Rights (EEA & UK Users)

  • Right of access — obtain a copy of your personal data.
  • Right to rectification — correct inaccurate data.
  • Right to erasure ("right to be forgotten") — request deletion of your data (subject to legal retention obligations).
  • Right to restriction of processing — ask us to limit how we use your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time.
  • Right to lodge a complaint — with your national data protection authority.

9.3 How to Exercise Your Rights

To exercise any of the above rights, please contact us at privacy@mitarev.com. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

To delete your account, you can also use the in-app deletion feature (Settings → Account → Delete Account) or visit our account deletion page.

10. Children's Privacy

The Platform is not directed at children under the age of 13 (or under 16 in the EEA/UK). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without parental consent, please contact us at privacy@mitarev.com and we will delete the data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. When we make material changes, we will notify you by email (to the address associated with your account) and/or by displaying a prominent notice within the app at least 30 days before the changes take effect.

The "Last updated" date at the top of this page indicates when the policy was most recently revised. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated policy.
12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your data, please contact our privacy team:

Email: privacy@mitarev.com

Website: mitarev.com

For account deletion requests, please visit our account deletion page.