Mirae AI Limited

Privacy Policy

Last Updated: April 10, 2026 · Effective: April 1, 2026

1. Introduction

Your privacy is important to Mirae AI Limited (“Mirae”, “we”, “us”, or “our”). This Privacy Policy explains how we collect, use, store, and disclose personal information when you use our website at www.miraehealth.ai, our mobile applications, and any related services (collectively, the “Platform”).

Mirae AI Limited is a company incorporated in England and Wales with its registered office at Africa House, 70 Kingsway, London WC2B 6AH. We are registered with the UK Information Commissioner’s Office (ICO) as a data controller.

Mirae provides an AI-powered patient companion and precision medicine platform for people living with complex chronic diseases, beginning with Inflammatory Bowel Disease (IBD). We capture patient-reported data, integrate with health records and wearable devices, and use artificial intelligence to help patients better understand and manage their condition. Mirae does not provide medical or clinical services. We are a health technology and research company. Any clinical care is provided by your own independent healthcare providers.

This Privacy Policy applies to information we collect through the Platform, including via email, in-app messaging, and other electronic communications between you and Mirae. It does not apply to information collected by third parties, including any application or content that may link to or be accessible from the Platform.

By accessing or using our Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use the Platform. We may update this Privacy Policy from time to time; your continued use after any changes constitutes acceptance of the revised policy.

2. Legal Bases for Processing Your Data

Mirae processes your personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable data protection laws in the jurisdictions where we operate, including US state privacy laws. We rely on the following legal bases for processing your personal data:

  • Consent (Article 6(1)(a) and Article 9(2)(a) UK GDPR): We seek your explicit, informed consent before collecting your health data, sharing identifiable information with your physician, and for research purposes. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legitimate Interests (Article 6(1)(f) UK GDPR): We process certain data where necessary for our legitimate interests, including improving the Platform, conducting de-identified research to advance treatment outcomes, and ensuring the security of our services, provided these interests are not overridden by your rights and freedoms.
  • Performance of a Contract (Article 6(1)(b) UK GDPR): We process data as necessary to provide you with the services you have requested through the Platform.
  • Legal Obligation (Article 6(1)(c) UK GDPR): We process data where required to comply with applicable laws and regulations.

3. Information We Collect

3.1 Information You Provide Directly

  • Account Information: Name, email address, date of birth, postal address, and login credentials.
  • Health and Clinical Data: Medical history, medication history (including reasons for treatment changes or discontinuation), diagnosis details, lab results, and other clinical information you choose to provide.
  • Patient-Reported Outcomes (PROs): Daily symptom tracking, quality of life assessments, flare logs, and other self-reported health data you enter through the Platform.
  • Communication Data: Records and copies of correspondence if you contact us, including support requests and feedback.
  • Survey Responses: Information you provide in response to questionnaires or surveys administered through the Platform.

3.2 Information from Third Parties and Connected Devices

  • Wearable and Device Data: With your consent, we integrate data from wearable devices and health-tracking sensors (e.g., activity levels, sleep patterns, heart rate) to provide between-visit intelligence and a more complete picture of your health.
  • Electronic Health Records (EHR): With your consent, we may receive health records, lab results, and claims data from healthcare providers, health information exchanges, or other authorised third-party data sources.
  • Third-Party Platforms: If you connect the Platform to other health applications or services, we may receive data from those services as authorised by you.

3.3 Information Collected Automatically

  • Usage Data: IP addresses, browser type, device identifiers, operating system, pages viewed, time spent on pages, and other interaction data.
  • Cookies and Similar Technologies: We use cookies, pixels, and similar tracking technologies to analyse how you interact with the Platform, to remember your preferences, and to improve our services. You can manage your cookie preferences through your browser settings or our cookie consent tool.
  • Analytics: We use third-party analytics services to help us understand usage patterns. These services may collect information sent by your device, including pages visited and other information that assists us in improving the Platform.

4. How We Use Your Information

4.1 To Provide and Improve the Platform

  • To operate, maintain, and deliver the features and functionality of the Platform.
  • To provide your AI-powered patient companion, including medication adherence tracking, personalised education, flare prediction, and intelligent triage.
  • To register and service your account and respond to your enquiries.
  • To notify you of changes to the Platform or our services.

4.2 Precision Medicine and Clinical Decision Support

  • To match your medication history to your symptom profile and help identify treatment patterns.
  • To generate summarised clinical profiles and insights for your healthcare provider, shared only with your explicit consent.
  • To provide tailored literature reviews and treatment-matching information to support clinical decision-making by your physician.

4.3 Research and Development

Mirae is a research company committed to advancing understanding and treatment of complex chronic diseases. We use data for research as follows:

  • De-identified Research: We de-identify your data (removing all information that could reasonably identify you) and use it to conduct research, including identifying patient subgroups (“bioclinical endotypes”), analysing treatment outcomes, revealing molecular patterns for potential drug target discovery, and generating real-world evidence (RWE). De-identified data may be shared with academic and pharmaceutical research partners. You do not need to provide separate consent for use of de-identified data, but you may opt out at any time.
  • Identifiable Research: If we wish to use your identifiable health data for a specific research study, we will seek your separate, explicit consent before doing so. You will be provided with clear information about the study, its purpose, and how your data will be used before you are asked to consent.
  • Research Publications: Results of our research may be published in scientific journals, presented at conferences, or shared with regulatory bodies. Any published results will use only aggregate or de-identified data and will never identify you personally.

4.4 Communications

  • To send you service-related notices, including updates, security alerts, and administrative messages.
  • To send you health-related educational content relevant to your condition, if you have opted in.
  • We will not send you marketing communications from third parties without your consent.

4.5 Safety, Security, and Legal Compliance

  • To detect, prevent, and address fraud, security issues, and technical problems.
  • To comply with applicable laws, regulations, legal processes, or governmental requests.
  • To enforce our terms of service and protect the rights, property, and safety of Mirae, our users, and the public.

5. Sharing Your Data with Your Physician

A core part of Mirae’s mission is to empower you in your relationship with your healthcare provider. We will only share your identifiable health data with your physician or clinical care team with your explicit, prior consent. Before any sharing occurs:

  • You will be clearly informed of what data will be shared.
  • You will be asked to provide affirmative consent (opt-in) for each sharing instance or for an ongoing sharing arrangement.
  • You may revoke consent at any time, and we will cease sharing prospectively.

When you consent, we may provide your physician with a summarised clinical profile, PRO trends, wearable insights, and AI-generated treatment-matching recommendations. Your physician remains solely responsible for any clinical decisions.

6. Disclosure of Your Information

We do not sell your personal data. We may disclose your information in the following limited circumstances:

  • Clinical Partners (with your consent): Data shared with your designated healthcare providers to support your treatment, as described in Section 5.
  • Research Partners: De-identified data shared with academic institutions, pharmaceutical companies, and other research organisations to advance scientific understanding and improve treatments. Where identifiable data is involved, only with your explicit consent.
  • Service Providers: Third-party vendors and contractors who perform services on our behalf (e.g., cloud hosting, data analytics, customer support). These providers are bound by contractual obligations to protect your data and use it only for the purposes we specify.
  • Corporate Transactions: In the event of a merger, acquisition, reorganisation, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections described in this policy.
  • Legal Requirements: Where required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect the rights, property, or safety of Mirae, our users, or others.
  • With Your Consent: For any other purpose disclosed to you at the time of collection or for which you provide consent.

We do not share your personal data with advertisers. We do not display third-party advertisements on the Platform.

7. De-identification and Aggregation

We may create de-identified or aggregated data from your personal information. When we use the term “de-identified data,” we mean information that has been processed so that it cannot reasonably be used to identify you, in compliance with applicable de-identification standards (including the UK GDPR’s anonymisation standards and, where applicable, the HIPAA Safe Harbor or Expert Determination methods).

De-identified data is no longer considered personal data under applicable law. We may use and share de-identified data without restriction for research, analytics, product improvement, and publication purposes. If you wish to opt out of having your data included in de-identified datasets, you may contact us at help@miraehealth.ai. We will honour your request prospectively; research already in progress or completed prior to your request may still include your previously de-identified data.

8. Your Rights

Depending on where you reside, you have the following rights with respect to your personal data. Mirae honours these rights for all users regardless of jurisdiction, to the extent technically and legally feasible.

8.1 Rights Under UK GDPR

  • Right of Access: You may request a copy of the personal data we hold about you.
  • Right to Rectification: You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You may request deletion of your personal data, subject to certain legal exceptions (e.g., where we are required to retain data for legal or regulatory compliance, or where data is needed for ongoing research that began before your request).
  • Right to Restrict Processing: You may request that we limit how we use your data in certain circumstances.
  • Right to Data Portability: You may request to receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: You may object to processing of your data based on our legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or with the supervisory authority in your country of residence.

8.2 Rights Under US State Privacy Laws

If you are a resident of a US state with applicable consumer health data or comprehensive privacy legislation (including but not limited to California, Washington, Connecticut, Colorado, Virginia, and others), you may have additional rights, including:

  • Right to Know: The categories and specific pieces of personal information we have collected about you, the sources, purposes, and third parties with whom data has been shared.
  • Right to Delete: Request deletion of your consumer health data, including from archives and backups where required by applicable law.
  • Right to Withdraw Consent: Withdraw any previously given consent to collect, use, or share your consumer health data.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • Right to Opt Out of Sale: We do not sell your personal data. If this changes, we will provide a clear mechanism to opt out.

Washington My Health My Data Act: If you are a Washington state resident or your consumer health data is collected in Washington, you have specific rights under the My Health My Data Act, including the right to access your data, receive a list of all third parties and affiliates who have received your data (with contact information), delete your data, and withdraw consent. We maintain a separate Consumer Health Data Privacy Policy as required, which is available on our homepage.

California (CCPA/CPRA): California residents have rights to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell personal information. To exercise your rights, contact us at help@miraehealth.ai. You may make a data access or portability request up to twice in a 12-month period.

8.3 Exercising Your Rights

To exercise any of your rights, please contact us at help@miraehealth.ai or write to us at the address in Section 16. We will respond to your request within the timeframe required by applicable law (generally 30 days under UK GDPR, 45 days under US state laws). We may need to verify your identity before fulfilling your request.

9. Consent Framework

Mirae employs a layered consent model designed to give you granular control over your data:

  • Platform Consent: When you create an account, you consent to our collection and use of your data as described in this Privacy Policy to operate the Platform and provide our core services.
  • Physician Sharing Consent: Separate, explicit opt-in consent is required before we share any identifiable data with your healthcare provider. You control which providers receive your data.
  • Research Consent: De-identified data may be used for research as part of our core services. For any identifiable research, we will obtain your separate, informed consent with a clear explanation of the study.
  • Wearable and Third-Party Data Consent: You must affirmatively opt in before we access data from your wearable devices, EHR systems, or other connected health services.

All consents are freely given, specific, informed, and unambiguous. We do not use deceptive design patterns (“dark patterns”) to obtain consent. You may review and manage your consent preferences at any time through the Platform’s privacy settings.

10. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with our services. Upon account closure or deletion request:

  • We will delete your identifiable personal data from active databases within 30 days, unless retention is required by law or for the completion of ongoing research that began before your request.
  • De-identified data that has already been incorporated into research datasets or published results will not be deleted, as it cannot be linked back to you.
  • Backups containing your data will be purged in accordance with our backup retention schedule (no longer than 90 days).
  • Data required for legal compliance, dispute resolution, or enforcement of our agreements may be retained for the period required by applicable law.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, misuse, alteration, or destruction. These measures include:

  • Encryption of data in transit (TLS) and at rest (AES-256 or equivalent).
  • Access controls limiting data access to authorised personnel on a need-to-know basis.
  • Regular security assessments, penetration testing, and vulnerability scanning.
  • Employee training on data protection and information security.
  • Incident response procedures for detecting, reporting, and responding to data breaches.

While we take commercially reasonable precautions to protect your data, no method of transmission or storage is 100% secure. You are responsible for maintaining the confidentiality of your account credentials. If you believe your account has been compromised, please contact us immediately at help@miraehealth.ai.

12. International Data Transfers

Mirae AI Limited is based in the United Kingdom. As we provide services to users in the United States and potentially other jurisdictions, your personal data may be transferred to, stored, and processed in countries outside the UK, including the United States.

Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, including:

  • UK International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses (SCCs).
  • Adequacy decisions by the UK Secretary of State, where applicable.
  • Other legally recognised transfer mechanisms under UK GDPR.

Where personal data is transferred to the United States, we rely on appropriate safeguards and contractual protections to ensure your data receives a level of protection consistent with UK data protection standards. You may contact us for more information about the specific safeguards we apply to international transfers.

13. Children’s Privacy

The Platform is not intended for use by individuals under the age of 18 (or the minimum age required by applicable law in the user’s jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child, please contact us at help@miraehealth.ai.

14. Third-Party Links and Services

The Platform may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through the Platform. Mirae is not responsible for the privacy practices of third parties.

15. Artificial Intelligence and Automated Processing

Mirae uses artificial intelligence and machine learning to analyse your health data and generate insights. These capabilities are central to how the Platform works and include:

  • Symptom pattern recognition and flare prediction based on your PRO data and wearable signals.
  • Treatment-matching suggestions informed by your medication history and clinical profile.
  • Summarised clinical profiles and trend analyses prepared for sharing with your physician (with your consent).
  • Identification of patient subgroups and bioclinical endotypes to advance research.

AI-generated outputs are not designed to replace the clinical judgment of your healthcare provider. No AI output from Mirae constitutes medical advice, a diagnosis, or a treatment recommendation. When we share AI-generated insights with your physician (with your consent), we clearly label them as AI-generated so your provider understands the source and can apply their own clinical judgment.

15.1 How Our AI Models Are Trained

Our AI models are trained on de-identified, aggregated patient data. Your identifiable personal data is not used to train our general-purpose models unless you have provided separate, explicit consent to participate in a specific research initiative. We regularly evaluate our models for accuracy, bias, and clinical safety.

15.2 Automated Decision-Making

Mirae does not use automated processing, including AI, to make decisions that produce legal or similarly significant effects on you without human involvement. Any clinical decisions remain the sole responsibility of your healthcare provider. Under UK GDPR Article 22, you have the right not to be subject to solely automated decision-making that significantly affects you. If you have questions or concerns about how AI is used in our Platform, or if you wish to request a human-readable explanation of any AI-generated insight, please contact us at help@miraehealth.ai.

16. Data Protection Contact and DPO

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how we handle your data, please contact our privacy lead:

Mirae AI Limited
Attn: James Finucane, Privacy Lead
Africa House, 70 Kingsway, London WC2B 6AH
Email: help@miraehealth.ai

Mirae is in the process of appointing a formal Data Protection Officer (DPO) in accordance with UK GDPR Article 37. Details of the appointed DPO will be published here and registered with the ICO upon appointment. In the interim, James Finucane serves as the primary point of contact for all data protection matters.

You also have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner’s Office (ICO): ico.org.uk.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email (to the address associated with your account) and/or by posting a prominent notice on the Platform at least 30 days before the changes take effect. The date this Privacy Policy was last revised is identified at the top of this document. Your continued use of the Platform after any changes constitutes acceptance of the updated policy.
