Privacy Policy & HIPAA Notice

Last updated: April 2026

Overview

Mieru Health (“we,” “us,” or “our”) is committed to protecting your privacy and your health information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our platform.

HIPAA Compliance: We are committed to complying with the Health Insurance Portability and Accountability Act (HIPAA) and maintaining the privacy and security of your protected health information (PHI). This policy serves as our Notice of Privacy Practices.

HIPAA Compliance & Protected Health Information

Business Associate Agreements

We execute Business Associate Agreements (BAAs) with all research partners and data buyers who receive anonymized health data. These agreements ensure that any party receiving data maintains HIPAA compliance and uses the data solely for approved research purposes.

De-identification Standard

All Protected Health Information (PHI) is de-identified according to HIPAA Safe Harbor standards (45 CFR § 164.514) before being shared with researchers. This includes removal of:

  • Names and geographic data smaller than state level
  • Dates (except year) and ages over 89
  • Telephone numbers, email addresses, and IP addresses
  • Social Security numbers, medical record numbers, and health plan beneficiary numbers
  • Account numbers, certificate/license numbers, and device identifiers
  • Biometric identifiers and full-face photographic images
  • Any other unique identifying numbers, characteristics, or codes

Data Anonymization Process

Your CGM glucose data is aggregated with data from hundreds of other users before being shared. Individual data points cannot be traced back to any specific user. We apply k-anonymity techniques with a minimum k of 5, so that every record in a shared dataset is indistinguishable from at least four others and no individual can be identified within the dataset.

Information We Collect

Personal Information

  • Email address (for account and payment)
  • Country of residence
  • CGM device type
  • Stripe account information (for payments)

Health Information (PHI)

  • Continuous glucose monitoring (CGM) readings
  • Timestamps associated with glucose readings
  • Trend arrows and rate of change data
  • Device calibration data (if applicable)

Important: This health information is NEVER shared with researchers in identifiable form. It is always de-identified and aggregated before sharing.

Technical Information

  • IP address (anonymized in logs after 30 days)
  • Browser type and version
  • Device type and operating system
  • Usage patterns and interactions with our platform

How We Use Your Information

To Provide Our Service

We use your CGM data to create anonymized datasets that we sell to researchers. You receive payment for your participation. We use your email to send payments and communicate about your account.

For Research Purposes

Your de-identified data helps researchers understand diabetes patterns, develop new treatments, improve glucose monitoring algorithms, and advance diabetes care. We only share data with vetted research institutions and companies under strict data use agreements.

To Improve Our Platform

We analyze usage patterns to improve user experience, fix bugs, and develop new features. This analysis uses anonymized data only.

Security Measures

Encryption

AES-256 encryption for data at rest and TLS 1.3 for data in transit

Access Controls

Role-based access controls (RBAC) with multi-factor authentication

Audit Logs

Comprehensive logging of all data access and modifications

Penetration Testing

Annual third-party security assessments and penetration tests

Employee Training

Annual HIPAA training for all employees with data access

Breach Response

Incident response plan with 24-hour breach notification

Your Rights Under HIPAA

Right to Access

You have the right to access your PHI at any time. Request a copy of your data by emailing privacy@mieru.health.

Right to Amendment

If you believe your PHI is incorrect, you may request corrections.

Right to Accounting of Disclosures

You may request a record of when and to whom your de-identified data was shared (researchers receive only aggregated data).

Right to Restrict Sharing

You may request restrictions on how your data is used or shared. We will honor reasonable requests.

Right to Delete

You may request deletion of your account and data at any time. Note that de-identified data already shared with researchers cannot be retrieved.

Right to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services.

Data Retention

Active Accounts

We retain your data while your account is active. You may download your data at any time from your account dashboard.

Account Closure

Upon account closure, we delete your identifiable personal information within 30 days. De-identified data that has already been shared with researchers cannot be retrieved or deleted, as it contains no information that can identify you.

Legal Requirements

We may retain data longer if required by law, tax regulations, or for legal proceedings.

Breach Notification

In the event of a data breach affecting your unsecured PHI, we will notify you within 24 hours of discovery via email. We will also notify the U.S. Department of Health and Human Services and prominent media outlets if required by HIPAA.

Our breach response includes: immediate containment, forensic investigation, notification to affected users, and implementation of corrective measures to prevent future breaches.

Contact Us

If you have any questions about this Privacy Policy, your HIPAA rights, or how we handle your data, please contact our Privacy Officer:

Email: privacy@mieru.health

Response Time: Within 48 hours

HIPAA Complaints: You may also file a complaint with the U.S. Department of Health and Human Services at hhs.gov/hipaa

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new policy on this page
  • Sending an email notification to registered users
  • Updating the “Last updated” date at the top

Material changes to how we use your health information will require your explicit consent.