Statement on use of Data and Privacy

Maya is an ethical data-driven enterprise.

As part of our commitment to this, Maya will continually stay abreast of, and adhere to, data ethics best practices like those outlined by DataEthics.eu. These commitments include – but are not limited to – principles such as Maya never selling the personally identifying information or personal health information of our users. In addition, Maya’s de-identified, aggregated, and anonymized data will only be used for research purposes and will never be used for marketing purposes.

Beyond this, here are five key ways we attempt to maintain your privacy and operate as an ethical data-driven business:

Privacy First

Privacy is of the utmost priority for Maya. In designing our product, we kept privacy at the forefront of this process. You can learn about what information we collect, how we protect your identity, how we store your information, and what we do with your information below.

What Information We Collect
When you register and use our platform, we collect personal information such as your name, email address, and web behavior information (including your IP address). We collect personal health information and health outcome information through the intake forms, treatment information, and survey responses that you or your practitioner provide.

How We Protect Your Identity
Maya makes use of aggregate information for conducting our research and delivering collective insights to the community and our practitioner customers. Aggregate information is data that has been amalgamated from multiple participants and is not linked to any specific individual. In addition, we will offer the ability to use Maya entirely pseudonymously, further protecting your privacy by removing the need to provide any personally identifiable information during registration.

How We Store Your Information
This personally identifiable information and all registration information will be stored separately from any aggregate information used for research purposes to minimize any possibility of identities being discovered from our research data.  

Third Party Technologies We Use
What We Do With Your Information
The information that our users (Practitioners and Clients) provide us with, as well as any passively collected data from interactions with our platforms, is used to communicate with our customers, optimize our services, conduct research, and deliver collective insights and benchmarks to our users. We will never sell or lease your personal data, and aggregate data will never be used for marketing purposes.

Your Data, Your Choice

Right to choose
Through your account preferences, users are provided with controls over how their data is used within the Maya ecosystem. Users have the ability to opt out of each individual way their data is used within our Services, including but not limited to choosing whether to share your data in Maya’s aggregate data, whether to participate in any research activities, and how Maya and our partners communicate with you and on what topics. You can reassess and change the settings around how your information is stored, used, and shared at any time in your account preferences or by contacting privacy@mayahealth.com directly.

Right to be anonymous
Maya will provide users with the option to register entirely pseudonymously, fully protecting their identity. Users who elect to do this will not have any limitations put on their experience apart from features being disabled to protect their identities (e.g. calendar sync).

Right to be forgotten
Maya complies with all GDPR and CCPA legislation. As such, a GDPR "right to be forgotten" request can be sent to security@mayahealth.com. A sample letter for such a request can be found here. Please note that it takes up to 30 days to process such requests.

Data For Good

Part of Maya’s core mission is to help accelerate the rate of acceptance of psychedelic medicine. We believe that in order to do this, the world of psychedelic medicine needs better data to surface safe, effective practices for scale. For this reason, gathering collective insights from across our user base is of the highest priority. We believe that by amalgamating our aggregate data, we can help impact the rate of acceptance of this revolutionary approach to healing. You can learn more about how collective insights improve health outcomes, how your data is handled, and who has access to your data below.

Collective Insights Improve Health Outcomes
Maya uses aggregate information to develop collective insights to help further the collective understanding and knowledge of psychedelic medicines, protocols, efficacy, and approaches. This insight is available within the Maya Practitioner platform to help practitioners better understand how their approaches compare to the cross-practice benchmarks we develop using this information. This in turn helps to identify areas for improvement and helps our practitioner customers to improve their health outcomes.

How Maya Handles Data For Use In Collective Insights
We collect your individual-level information into what is called aggregate information. All Personally Identifiable Information has been removed from aggregated information. We use and share this aggregated information with selected third parties in order to conduct our own research, develop research reports, educate our users, and improve our services.

Access To Your Data
Maya will never sell or lease the personally identifying information or personal health information of our users. We will actively prevent your individual-level information from being viewable, downloadable, or exportable from our systems. In addition, Maya’s de-identified, aggregated, and anonymized data will only be used for research purposes and will never be used for marketing purposes.

Zero Trust Security

Maya believes that your health information requires a very high level of security. Please read below to understand how we protect your information. You can learn more about user access and our standards for securing and encrypting your information below.

Limited User Access
We limit data access to authorized personnel, based on job function and role. Maya access controls include multi-factor authentication and a strict least-privilege authorization policy. All access to services deployed by Maya is authenticated, authorized, and encrypted.

Standards and Procedures
Our practices include, but are not limited to, the following areas:

Zero-trust is a security principle holding that organizations should not inherently trust anything inside or outside of their perimeters and should instead verify anything trying to connect to their systems (without using a VPN).

Zero-Trust Cloud Networks at Maya
With a secured Zero-Trust architecture as outlined above (based on BeyondCorp), we can build layered security on top of applications and resources without the need for a VPN, while still centrally managing access. This can even extend beyond GCP to applications hosted in other cloud platforms like AWS and Azure.

ISO/IEC 27001:2013 certification
Our information security management system, which protects Maya systems, has been certified under the ISO/IEC 27001:2013 standard. View or download our certification here.

Encryption
Maya uses industry-standard security measures to encrypt patient data both at rest and in transit in compliance with HIPAA standards.

While our engineering team periodically reviews and improves our security measures to ensure compliance with best privacy practices, no digital system is one hundred percent secure and it is impossible to guarantee security of any such system.

Listening to You

As we value our users' opinions, experience, and observations, we encourage you to provide feedback and contribute to ongoing best practices by contacting us at privacy@mayahealth.com.
Last Updated: December 24, 2020