Privacy Policy
This Privacy Policy describes how Mamaya Health (“Mamaya Health,” “Mamaya,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you use mamayahealth.com, our patient portal, and our clinical services.
Who we are
Mamaya Health is a registered brand and trade name of WellNash LLC, a Tennessee limited liability company, located at 1 Vantage Way, Ste E-130, Nashville, TN 37228. WellNash LLC is the data controller for personal information collected through this site. For privacy questions, contact us at support@mamayahealth.com.
Information we collect
Information you provide directly:
- Account registration details (name, email, password)
- Profile information (date of birth, state of residence, insurance/payor, life-stage signals)
- Intake and clinical history entered on our forms
- Communications you send us (support, care-team messages)
Protected Health Information (PHI): Through our clinical services and our EHR partner AdvancedMD, we collect and maintain clinical notes, diagnoses, medication records, session history, appointment data, billing and payor information, and assessment scores (PHQ-9, GAD-7, EPDS, MRS, PSQI, and others). PHI is handled under HIPAA (see our HIPAA Notice).
Oura Ring data (optional): When you connect your Oura Ring, we collect sleep data (stages, duration, efficiency), activity (steps, workouts), readiness scores and contributing factors, heart rate and HRV, respiratory rate, SpO2, body temperature variations, and other Oura wellness metrics. You can revoke Oura access at any time in your account settings or through your Oura account.
Blueprint assessment data (when enrolled): If your clinician enrolls you in Blueprint, we collect your responses to validated clinical instruments (PHQ-9, GAD-7, and others), timestamps, and derived scores. Blueprint operates under a signed Business Associate Agreement (BAA) with Mamaya Health.
AI Clinical Assistant recordings (when used): If your clinician uses AdvancedMD’s AI Clinical Assistant during your visit, the Service may capture an audio recording of your session, transcribe it using a medical-vocabulary AI, and generate suggested note content and follow-up action items. You will be informed when this feature is in use and may request recording be paused or stopped at any time.
SMS consent and mobile number: When you opt in to SMS — by checking the consent box on intake, texting START to our number, or giving verbal consent to your scheduler — we store your mobile number, opt-in method, timestamp, and (for web opt-ins) IP address.
Automatically collected: Device type, browser, IP address, pages visited, form submissions. No third-party advertising trackers.
How we use your information
- Create and manage your account and deliver clinical services.
- Match you with clinically and administratively appropriate providers.
- Schedule and coordinate care through AdvancedMD.
- Display, analyze, and present your Oura and Blueprint data so you and your care team can track trends.
- Generate personalized insights and care recommendations.
- Send appointment invitations, reminders, and care-team follow-up messages you have consented to.
- Bill your insurance or process direct payment.
- Communicate with you about your account, updates, and support.
- Detect, prevent, and respond to fraud, security incidents, and technical issues.
- Comply with legal, regulatory, and licensing obligations (state licensure, payor audits, safety reporting).
Who we share with
We do not sell your personal information or health data. We share only as needed:
- Your matched Mamaya provider(s) and credentialed support staff.
- Health payors for claims processing (therapy and medication management).
- Business Associates under signed BAAs — AdvancedMD (EHR + AI Clinical Assistant), Blueprint (measurement-based care), Oura Health Oy (data retrieval only), Spruce Health (SMS), Supabase (database), Resend (email), Vercel (hosting).
- Authorities when required by law, or to prevent imminent serious harm.
- Acquirers in the event of a merger, acquisition, or sale of assets (with notice to you).
We do not use PHI for advertising. We do not sell or license health data to insurance companies (outside claims with your consent), employers, pharmaceutical companies, or data brokers.
SMS messaging & mobile data
Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes. Mobile opt-in data and SMS consent will not be sold to any third party. This applies to all mobile phone numbers and SMS consent records we collect.
We use your mobile number only to send the messages described in our SMS messaging program — appointment invitations with a tokenized scheduling link, appointment reminders, care-team follow-up messages, and scheduling confirmations. If your clinician enrolls you in Blueprint, you may also receive assessment-invitation SMS from Blueprint. We do not use SMS for commercial marketing.
SMS delivery is provided by Spruce Health under a signed BAA. Spruce Health processes message metadata (sender, recipient, timestamp, delivery status) solely to provide the service and does not share or sell that data for its own marketing. You can opt out at any time by replying STOP; your number is removed from our active SMS list within 24 hours. Reply HELP for support. Message frequency is typically 2–4 messages per patient per month. Message and data rates may apply.
Blueprint measurement-based care
When your clinician enrolls you in Blueprint, you’ll receive SMS or email invitations from Blueprint to complete brief clinical assessments. Responses are delivered to your care team so they can track your progress and refine your treatment. Blueprint is HIPAA-compliant, operates under a signed BAA with Mamaya Health, and does not sell personally identifiable data. Only you and your care team have access to your responses. Request deletion by emailing support@blueprinthealth.com with the subject “Account Deletion.” Blueprint’s full privacy policy is at blueprinthealth.com/privacy.
AI Clinical Assistant (ambient listening & transcription)
If your clinician uses AdvancedMD’s AI Clinical Assistant during your visit:
- You will be informed when recording is about to begin and may decline.
- You can request recording be paused or stopped at any time during the session, without affecting your care.
- The audio is processed by a medical-vocabulary AI to generate a transcript.
- Suggested action items (problems, medical history, allergies, medications, lab orders) are reviewed and approved by your clinician before becoming part of your chart.
- Recordings and transcripts are stored within AdvancedMD under its BAA and accessible only to your care team.
The AI Clinical Assistant is a tool to reduce clinician documentation burden. Your clinician remains responsible for the content and accuracy of your medical record.
Data security
We use industry-standard encryption in transit (TLS) and at rest, row-level-security-enforced database access controls, multi-factor authentication for staff, staff training on PHI handling, and regular security + vendor-BAA reviews. No system is perfectly secure; if a breach affects your rights, we will notify you within HIPAA and state-law timeframes.
Cookies and tracking
Mamaya uses three categories of cookies on our public site:
- Essential cookies — authentication, session state, and the cookie-consent preference itself. These cannot be turned off; the site will not function without them.
- Analytics cookies — let us understand how visitors use the site so we can improve it. See “Advertising and analytics” below for the specific vendors.
- Preference cookies — remember your settings (e.g., the consent banner). No third-party advertising or cross-site behavioral-advertising trackers.
On your first visit, we show a banner asking whether you want non-essential cookies enabled. You can change your choice at any time by clearing site data in your browser; the banner re-appears. Most browsers can also block or remove cookies via their settings — note that doing so may affect site functionality. Mamaya honors browser-level Global Privacy Control (GPC) signals as valid opt-out requests for the sharing of analytics-linked information.
Advertising and analytics
This section describes the non-PHI information we collect on our public site for our analytical purposes. We engage service providers to provide analytics services subject to written agreements where required. These tools may use cookies, web beacons, device identifiers, and similar technologies to collect information about your use of our site — IP address, browser, mobile network information, pages viewed, time spent, links clicked, and conversion events. Mamaya uses this information to analyze traffic, understand which content is useful, and improve the experience.
Google Analytics 4 + Google Tag Manager. We use GA4 to measure traffic to and engagement with our public site. IP anonymization is enabled and Google Signals + ad-personalization signals are explicitly disabled. We do not transmit personally identifiable information (name, email, phone, health data) into GA4 events. Authenticated patient-portal, staff, partner, and screener routes are excluded from GA4 entirely — GA4 never observes those surfaces. To learn more, see how Google uses information from sites that use its services and the Google Privacy Policy.
PostHog product analytics. We use PostHog to understand how features on our public site are used (e.g., which CTAs convert, which pages funnel into intake). Auto-capture is disabled, session replay is disabled, and we explicitly mask form input values — the only events we record are pageviews on public routes plus events we explicitly fire (e.g., “intake-submitted”). PostHog operates under a data processing addendum with us. PHI from authenticated patient-portal surfaces is never sent to PostHog.
Cookie consent gating. If you decline non-essential cookies via the banner, GA4, GTM, and PostHog all opt out before any pageview fires for the rest of your session. The opt-out is stored in your browser; clearing site data resets it.
State-specific privacy rights (California, Colorado, and others)
California (CCPA / CPRA). California residents have the right to (1) know more about the categories and specific pieces of personal information we collect, use, and disclose; (2) request correction of personal information; (3) request deletion of personal information; and (4) not be discriminated against for exercising these rights. To exercise these rights, email support@mamayahealth.com. We may verify your request by asking you to confirm details related to your interactions with us. If we deny your request, you may appeal by replying to that email.
Sale and sharing of personal information. Under the CCPA, “sale” broadly means disclosing personal information for valuable consideration; “sharing” means disclosing it to a third party for cross-context behavioral advertising. In the preceding 12 months, Mamaya has not “sold” or “shared” personal information to or with third parties for cross-context behavioral advertising. We do not knowingly sell or share personal information about consumers under 16.
Colorado. Colorado’s privacy law requires us to notify you if we use your information for “Targeted Advertising” (advertisements selected based on personal information obtained from your activities across non-affiliated websites or applications, used to predict your preferences). Mamaya does not use your personal information for targeted advertising.
Opt-out preference signals. Some browsers let you enable privacy controls (e.g., Global Privacy Control) that automatically signal your opt-out preference. Mamaya honors these signals as a valid request to opt out of the sharing of analytics-linked information. Note that opt-out preference tools are limited to the browser or device you’re using; clearing cookies may remove your opt-out so you may need to re-opt-out.
Authorized agents. If you submit a request through an authorized agent without a valid power of attorney, we may ask the agent to provide proof you gave them signed permission. We may also require you to verify your own identity directly with us. To submit an agent-based request, contact support@mamayahealth.com.
Transfer of information across jurisdictions
Mamaya is headquartered in the United States, and our services are offered to U.S. residents. We use vendors and infrastructure based primarily in the U.S. (Vercel, Supabase, AdvancedMD, Resend, Spruce Health). We do not currently market or operate internationally; if you access our site from outside the U.S., your information will be transferred to and processed in the U.S., which may not provide equivalent data-protection levels to your home jurisdiction. Where required by law, we will provide adequate protection for the transfer.
Data retention
We retain your information as long as your account is active. Clinical records (PHI) are retained per HIPAA and state-law requirements (typically 7–10 years from the last date of service). Oura and Blueprint data are retained while your account is active. Upon deletion, non-clinical data is removed or anonymized within 30 days, subject to legal retention obligations.
Your rights and choices
- Access — request a copy of your information.
- Correction — fix inaccurate or incomplete information.
- Deletion — request deletion (subject to HIPAA retention for clinical records).
- Portability — request your data in a machine-readable format.
- Objection or restriction — object to or restrict certain processing.
- Withdraw consent — at any time.
- Disconnect Oura in your account settings, opt out of SMS by replying STOP, or request Blueprint deletion directly.
Contact support@mamayahealth.com. We respond within 30 days.
Children
Mamaya services are for adults 18+. We do not knowingly collect information from children under 18.
Third-party links
Our Service may contain links to third-party websites. We are not responsible for their privacy practices; review their policies before providing information.
Changes to this Policy
We may update this Policy. Material changes will be communicated at least 14 days before they take effect.
Contact
Mamaya Health (WellNash LLC)
1 Vantage Way, Ste E-130, Nashville, TN 37228
Privacy questions: support@mamayahealth.com
General support: support@mamayahealth.com
This page is an initial draft. Specific PHI handling provisions, data retention schedules, state-specific addenda, and payor-audit language need legal review before Mamaya enrolls its first billable client.