Privacy Policy

PLEASE READ THE FOLLOWING PRIVACY POLICY CAREFULLY BEFORE SUBSCRIBING & USING THIS PLATFORM. BY SELECTING THE CHECKBOX, YOU AGREE TO THE PRIVACY POLICY WHICH WILL BIND YOU.

We, PainLes, LLC, 2309 Santa Monica Blvd Suite 640, Santa Monica, CA 90404 (hereinafter "PainLes", "we" or "us"), are committed to protecting and respecting your privacy when you use our website at www.painles.app and/or our iOS and Android Mobile Application (hereinafter our “Platform” and our “Services”).

This policy sets out the basis on which any personal information we collect from account holders or individual users or visitors to our Platform, or that is uploaded to our Platform, will be processed by us.

Account holders, users and visitors of our Platform or owners of Personal Information collected by us (each, “you”) should read the following carefully to understand our views and practices regarding your Personal Information and how we will treat it.

By providing any Personal Information to us, you consent to the collection, use, disclosure and transfer of such Personal Information in the manner and for the purposes set out below.

Principles of data processing
We process users' personal information only in compliance with the relevant data protection regulations, in particular the California Consumer Protection Act (“CCPA”) and the General Data Protection Regulation (“GDPR”). As such, user data is only processed if one of the following legal permissions exists:

- in order to provide our contractual services and online services
- processing is required by law
- with your consent
- on the basis of our legitimate interests (i.e., interest in the analysis, optimization and economic operation and security of our Platform within the meaning of Art. 6 para. 1 lit. f) GDPR, in particular in measuring reach, creating profiles for advertising and marketing purposes, and collecting access data and using third-party services).

The above legal bases are set out as follows:

  • Consent (Art. 6 para. 1 lit. a) and Art. 7 GDPR)
  • Processing for the fulfillment of our services and implementation of contractual measures (Art. 6 para. 1 lit. b) GDPR)
  • Processing for the fulfillment of our legal obligations (Art. 6 para. 1 lit. c) GDPR)
  • Processing to protect our legitimate interests (Art. 6 para. 1 lit. f) GDPR)

Information we may collect
We may collect and process the following data which may contain Personal Information:

  • information that you provide by filling in forms on the PainLes Platform, including information provided at the time of registering to use our Platform, subscribing to any services provided by us, posting material, reporting a problem with our Platform, or requesting further services;
  • information, data, documents or images that you upload onto our Platform;
  • details of transactions you carry out through our Platform;
  • details of your visits to our Platform, resources that you access and actions you are working on through the Platform;
  • if you contact us, a record of that correspondence; and
  • responses to surveys that we send to you, although you do not have to respond to them.

Business-related processing
In addition, we process:

  • Contract data (e.g., subject matter of the contract, term, category of customer), and
  • Payment data (e.g., bank details, payment history).
of our users and prospective users, for the purpose of providing contractual services, service and customer care, marketing, advertising, and market research.

Contractual services
We process the data of our users within the scope of our contractual services. In doing so, we process:

  • inventory data (e.g., customer master data, such as names or addresses), contact data (e.g., e-mail, telephone numbers),
  • content data (e.g., content used when you use our application and services including text entries, images and video),
  • contract data (e.g., subject matter of contract, term),
  • payment data (e.g., bank details, payment history),
  • health data (Art. 9 GDPR) (e.g., medical conditions and symptoms),
  • usage data and metadata (e.g., in the context of evaluating and measuring the success of marketing measures).

As a matter of principle, we do not process special categories of personal data, unless these are components of commissioned processing. The purpose of the processing is the provision of contractual services, billing, and our customer service. We process data that is necessary for the justification and fulfillment of contractual services and point out the necessity of their disclosure. Disclosure to external parties only takes place if it is necessary in the context of the service.

When processing the data provided to us within the scope of providing our services, we act in accordance with the instructions of the client as well as the legal requirements of processing pursuant to Art. 28 GDPR and do not process the data for any other purposes than those specified in the service.

We delete the data after the expiry of statutory warranty and comparable obligations. The necessity of storing the data is reviewed every three years; in the case of statutory archiving obligations, the deletion takes place after their expiry.

In the case of data disclosed to us by the user within the scope of a service, we delete the data in accordance with the specifications of the service, in principle after the end of the service.

Administration, financial accounting, office organization, contact management
We process data within the scope of administrative tasks as well as organization of our business, financial accounting, and compliance with legal obligations, such as archiving.
In doing so, we process the same data that we process in the context of providing our contractual services. The purpose and our interest in the processing lies in the administration, financial accounting, office organization, archiving of data, i.e., tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services.
The deletion of data with regard to contractual services and contractual communication corresponds to the information mentioned in these processing activities.

In this context, we disclose or transmit data to the tax authorities, to consultants such as tax advisors or auditors, as well as to other fee-collecting bodies and payment service providers.
Furthermore, we store information on suppliers and other business partners on the basis of our business interests, e.g., for the purpose of contacting them at a later date. This data, most of which is company-related, is stored permanently.

Specific collection of technical data on the website
a) IP Addresses
We may also collect and process information about your device, including where available your IP address, operating system and browser type, for system administration and to report aggregate information to our business partners. This is statistical data about our users’ browsing actions and patterns and does not identify any individual.

b) Log Files
We may also collect and process access data that your internet browser automatically transmits to us for technical reasons in order to provide the website. Depending on the access protocol used, the log record contains general information with the following contents: your session data (usage behavior, length of stay, which links were clicked on, etc.), your abbreviated and unabbreviated IP address, your browser version, your operating system, your website-specific settings, your cookie IDs and your pixel IDs. This data does not allow any direct inference to your person and is processed to improve our website offer and to defend against attempted attacks on our web server.

c) Cookies
i) Why do we use cookies?
We use cookies to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you've provided to them or that they've collected from your use of their services.

Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission.

This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.

ii) Types of cookies
There are different types of cookies:

Necessary cookies
Technically necessary cookies are required for our website to function properly; they enable you to navigate our website efficiently and use its functional features. One example is remembering recently performed actions (e.g., entered text) when you return to a page within the same session.

Functional cookies
Functional cookies are essential cookies to provide a correct and user-friendly website. Some examples:

Analytical cookies
These cookies are typical third party cookies that we use to collect statistical data about how our website is used, including:

  • Average page load time;
  • Pages visited;
  • Browser data;
  • IP address;
  • MAC address;
  • Duration of a (page) visit;
  • Data about the operating system;
  • Data about the device used;
  • Clicking behavior and other interactions on one or more pages.

The main purpose of these cookies and their statistical data is, after analysis, to optimize our performance, security, usability, content, and services.

Specific collection of technical data in the APP
a) Installation of our APP
Our APP can be downloaded from the APP stores "Google Playstore" and "Apple APP Store". Downloading our APP may require prior registration with the respective APP store and installation of the APP store software.
APP installation via the Google Playstore
You can use the Google service "Google Play" of Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, US, to install our APP.

As far as we are aware, Google collects and processes the following data:

  • license check,
  • network access,
  • network connection,
  • WLAN connections,
  • location information.

It cannot be ruled out that Google also transmits the information to a server in a third country. We cannot influence which personal information Google processes with your registration and the provision of downloads in the respective app store and app store software. The responsible party in this respect is solely Google as the operator of the Google Play Store. You can find more detailed information in Google's Privacy Policy, which you can access here: https://policies.google.com/privacy.

APP installation via the Apple APP Store
You can use the Apple service "App Store", provided by Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, US, to install our APP.
As far as we are aware, Apple collects and processes the following data:

  • device identifiers,
  • IP addresses,
  • location information.

It cannot be excluded that Apple also transmits the information to a server in a third country. We cannot influence which personal information Apple processes with your registration and the provision of downloads in the respective app store and app store software. The responsible party in this respect is solely Apple as the operator of the Apple APP Store. You can find more detailed information in Apple's Privacy Policy, which you can access here: https://www.apple.com/legal/privacy/.
b) Device information
We collect information from and about the device(s) you use to access our APP, including hardware and software information such as IP address, device ID and type, device-specific and APP settings and properties, APP crashes, information about your wireless and mobile network connection such as your service provider and signal strength, and information about device sensors such as accelerometer, gyroscope and compass.
c) Authorizations and Access
We may request access to, or permission for, your phone and notifications on your mobile device. The legal basis for data processing is our legitimate interest and the provision of contractual or pre-contractual measures. You can change your permissions at any time via Settings (iOS) or the Settings Menu (Android).
d) Push messages
When using the APP, you may receive so-called push messages from us, even if you are not currently using the APP. These are messages that we send you as part of the performance of the contract, but also promotional information. You can adjust or stop receiving push messages at any time via the device settings of your device.
Specific collection of Personal Information
a) Registration
If you register on our Platform, we will request mandatory and, where applicable, non-mandatory data in accordance with our registration form for the purposes stated below. Your data is encrypted when it is entered, so that third parties cannot read it during entry. Your data will remain stored for as long as the registration lasts, and beyond that for as long as storage is still necessary for the fulfillment/execution of the contract, for legal prosecution by us or for our other legitimate interests, or as long as we are required by law to retain your data (e.g., within the framework of tax retention periods).
b) Subscriptions
When subscribing to our services, it is necessary, among other things, to provide your name, e-mail address, postal address and payment data. We process the personal information provided when you subscribe for the purpose of providing you with the service. Payments by credit card and debit card are made via our payment service provider, to which we pass on the mandatory details you provide during checkout for payment processing. Your data will only be passed on to the payment service provider for the purpose of payment processing and only insofar as it is necessary for this purpose.
c) Contacting us
When you contact us, the data you provide will be stored by us insofar as it is necessary to answer your questions. The contact is logged in order to be able to prove the contact in accordance with the legal requirements. We delete the data accruing in this context when the respective conversation with you has ended and the facts concerned have been conclusively clarified.
d) Profile
As a registered user, you have the opportunity to create a user profile with just a few clicks and details. When creating a profile, you can submit personal information. You have choices about the information on your profile. You don’t have to provide additional information on your profile; however, profile information helps you to get more from our Services. It’s your choice whether to include sensitive information on your profile and to make that sensitive information public. Please do not upload or add personal information to your profile that you would not want to be available.
The legal basis for the processing of your personal information is the establishment and implementation of the user contract for the use of the service.
e) Other Users
In addition to the information you provide to us directly, we also receive information about you from third parties. This includes other users who may provide us with information about you while using our Services. Equally, when you voluntarily share information on our Services, you disclose that information to other users. Please be careful with your information and make sure that you only share content that you truly agree to publish, as neither you nor we can control what others do with your information once you share it. If you want to make all or part of your profile or certain content visible only to certain groups of users, you can set appropriate restrictions in your settings.
g) Use of our platform
We process personal information of users for the purpose of using the platform and for the purpose of fulfilling the contract. The users can manage and change all information in their profile. If you use our platform, we store the data required for the fulfillment of the contract until final deletion of the access and/or after expiry of the statutory retention periods. The legal basis of the data processing is our obligation to fulfill the contract and/or to fulfill our pre-contractual obligations and/or our legitimate interest.
Where we store your data
The Personal Information that we collect may be transferred to, and stored on, our AWS cloud server in a MongoDB database. By submitting any Personal Information to us, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your Personal Information is treated securely and in accordance with this privacy policy.
All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Platform, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Information, we cannot guarantee the security of your Personal Information transmitted to our Platform; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.
Uses made of the information
We use information held, including Personal Information, in the following manner:
  • to ensure that content from our Platform is presented in the most effective manner for you and for your device;
  • to provide you with information, products or services that you request from us, and to otherwise carry out our obligations arising from any contracts entered into between you and us;
  • to provide you with information, products or services which we feel may interest you, where you have consented to be contacted for such purposes;
  • to allow you to participate in interactive features of our service, when you choose to do so;
  • to notify you about changes to our services;
  • to investigate any complaints relating to the use of our Platform or any suspected unlawful activities;
  • to comply with any applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority;
  • for any other purposes for which you have provided the information; and
  • to carry out whatever else is reasonable or related to or in connection with the above and our provision of services to you.
Disclosure of your information
We may disclose your Personal Information to third parties:
  • for the purposes of providing products or services that you request from us, fulfilling our obligations arising from any contracts entered into between you and us, processing payments in connection therewith or otherwise in connection with your use of our Platform;
  • where a third-party claims that any content posted or uploaded by you to our Platform constitutes a violation of their rights under applicable law, in which case we may disclose your identity to that third party;
  • in the event that we sell or buy any business or assets, in which case we may disclose your Personal Information to the prospective seller or buyer of such business or assets; or
  • if we or substantially all of our shares or assets are acquired by a third party, in which case Personal Information held by us about our users will be one of the transferred assets.
We may also disclose your Personal Information to a governmental or regulatory body, law enforcement, or other authorities, in order to enforce our terms of use for the Platform, to cooperate with any direction, request or order from such parties or to report any suspected unlawful activity.
Consent
Where any Personal Information relates to a third party, you represent and warrant that the Personal Information is up-to-date, complete, and accurate and that you have obtained the third party’s prior consent for our collection, use and disclosure of their Personal Information for the Purposes. You agree that you shall promptly provide us with written evidence of such consent upon demand by us.
Each use of our services by you shall constitute a fresh agreement for us to collect, use and disclose the Personal Information in accordance with this privacy policy.
You may withdraw your consent and request us to stop using and/or disclosing your Personal Information for any or all of the Purposes by submitting your request to us in writing. Should you withdraw your consent to the collection, use or disclosure of your Personal Information, it may impact our ability to proceed with your transactions, agreements or interactions with us. Prior to you exercising your choice to withdraw your consent, we will inform you of the consequences of the withdrawal of your consent. Please note that your withdrawal of consent will not prevent us from exercising our legal rights (including any remedies) or undertaking any steps as we may be entitled to at law.
GDPR Data Subject Rights
The following rights arise from the GDPR for you as a Citizen of the European Union:
  • Pursuant to Art. 15 GDPR, you may request information about your personal information processed by us. In particular, you can request information about the processing purposes, the categories of personal information, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, about a transfer to third countries or to international organizations, and about the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details.
  • Pursuant to Art. 16 GDPR, you can immediately request the correction of inaccurate or the completion of your personal information stored by us.
  • Pursuant to Art. 17 GDPR, you may request the erasure of your personal information stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims.
  • Pursuant to Art. 18 GDPR, you may request the restriction of the processing of your personal information if you dispute the accuracy of the data, the processing is unlawful, we no longer need the data and you object to their erasure because you need them for the assertion, exercise or defense of legal claims. You also have the right under Article 18 of the GDPR if you have objected to the processing in accordance with Article 21 of the GDPR.
  • Pursuant to Art. 20 GDPR, you may request to receive your personal information that you have provided to us in a structured, commonly used and machine-readable format or you may request that it be transferred to another controller.
  • Pursuant to Art. 7 (3) GDPR, you may revoke your consent once given to us at any time. This has the consequence that we may no longer continue the data processing based on this consent for the future.
  • In accordance with Art. 77 GDPR, you have the right to complain to a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence, your place of work or our company headquarters for this purpose.
  • Right of objection. When your personal information is processed on the basis of legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR, you have the right to object to the processing of your personal information pursuant to Art. 21 GDPR, insofar as there are grounds for doing so that arise from your particular situation or the objection is directed against direct advertising. In the case of direct advertising, you have a general right of objection, which is implemented by us without specifying a particular situation.
Your Rights (CCPA)
As a California Resident or Citizen, you may have the right to request, twice in a 12-month period, the following information about the personal information we have collected about you during the past 12 months:
  • the categories and specific pieces of personal information we have collected about you;
  • the categories of sources from which we collected the personal information;
  • the business or commercial purpose for which we collected or sold the personal information;
  • the categories of third parties with whom we shared the personal information; and
  • the categories of personal information about you that we sold or disclosed for a business purpose, and the categories of third parties to whom we sold or disclosed that information for a business purpose.
To help protect your privacy and maintain security, we take steps to verify your identity before granting you access to your personal information or complying with your request. To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.
We will not deny, charge different prices for, or provide a different level or quality of goods or services if you choose to exercise these rights.
Access and correction
Applicable Data Protection Law gives you the right to access your Personal Information. Your right of access can be exercised at any time without detriment. Any access request may be subject to an administrative fee at our rates then in force to meet our costs in providing you with details of the information we hold about you.
In the event that you wish to correct and/or update your Personal Information in our records, you may inform us in writing of the same by contacting us. In certain cases, Personal Information may also be corrected or updated via the Platform.
We will respond to requests regarding access and correction as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any Personal Information or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under applicable Data Protection Law).
Accuracy
We endeavor to ensure that all decisions involving your Personal Information are based upon accurate and timely information. However, we rely on you to disclose all relevant information to us and to inform us of any changes in your Personal Information. As such, please disclose all relevant information necessary for us to provide services to you and ensure all information submitted to us is up-to-date, complete, and accurate. Kindly inform us promptly if there are any changes in your Personal Information.
Retention
We may retain your Personal Information for at least five (5) years, or such other longer or shorter period as may be necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws. We will cease to retain your Personal Information or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the Personal Information was collected and is no longer necessary for legal or business purposes.
Data Intermediary
Where we process your Personal Information as a data intermediary on behalf of a third party, we will process your Personal Information in accordance with the instructions of the third party and shall use it only for the purposes agreed between you and the third party. All such Personal Information will be protected and retained in accordance with this privacy policy.
We will take steps to inform the third party of any requests, complaints or questions that you may have regarding such Personal Information.
Security
State-of-the-art internet technologies are used to ensure the security of your data. During the online enquiry process, your details are secured with SSL encryption. For secure storage of your data, the systems are protected by firewalls that prevent unauthorized access from outside. In addition, technical and organizational security measures are used to protect the personal information you have provided against accidental or intentional manipulation, loss, destruction or access by unauthorized persons.
Data Breaches/Notification
Databases or data sets that include personal information may be breached inadvertently or through wrongful intrusion. Upon becoming aware of a data breach, PainLes will notify all affected individuals whose personal information data may have been compromised, and the notice will be accompanied by a description of action being taken to reconcile any damage as a result of the data breach. Notices will be provided as expeditiously as possible after the breach was discovered.
Confirmation of Confidentiality
All company employees must maintain the confidentiality of personal information as well as company proprietary data to which they may have access and understand that such personal information is to be restricted to only those with a business need to know. Employees with ongoing access to such data will sign acknowledgment reminders annually attesting to their understanding of this company requirement.
Social Media
We maintain online presences on the basis of our legitimate interests. We maintain online presences within social networks and platforms in order to communicate with users and interested parties who are active there. Unless otherwise stated in this policy, we process the data of users if they communicate with us within the social networks and platforms, e.g., write articles on our online presences or send us messages.
Cooperation with processors and third parties
If, in the course of our processing, we disclose data to other persons and companies (order processors or third parties), transmit it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g., if a transmission of the data to third parties, such as to payment service providers, is necessary for the performance of the contract pursuant to Art. 6 para. 1 lit. b GDPR), you have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.). If we commission third parties to process data on the basis of a so-called "processing agreement", this is done on the basis of Art. 28 GDPR.
Existence of automated decision-making
As a responsible company, we do not use automated decision-making or profiling.
External Links
Our platform contains links to the online services of other providers. We hereby point out that we have no influence on the content of the linked online services and the compliance with data protection regulations by their providers.
Personal information and children
Our services are aimed at people aged 18 and over. We will not knowingly collect, use or disclose personal information from minors under the age of 18 without first obtaining consent from a legal guardian through direct offline contact.
Changes and updates to the privacy policy
We kindly ask you to review the content of our privacy policy regularly. We will amend the privacy policy as soon as changes to the information processing activities we carry out make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g., consent) or other individual notification.
Concerns and Contact
If you have any concerns about a possible compromise of your privacy or misuse of your personal information on our part, or any other questions or comments, you can contact us.


HIPAA POLICY

At PainLes, LLC, 2309 Santa Monica Blvd Suite 640, Santa Monica, CA 90404 (hereinafter "PainLes", "we", "our" or "us"), we take all necessary measures to comply with the most stringent privacy and security regulations, including HIPAA guidelines. The PainLes platform is designed to enable our users to comply with such requirements under applicable patient privacy laws.
In addition, PainLes takes all reasonable steps to keep the use or disclosure of protected health information to an absolute minimum in order to provide the promised services. PainLes works hard so that its products and services meet or exceed industry standards with respect to the U.S. Health Insurance Portability and Accountability Act ("HIPAA") of 1996.
The Health Insurance Portability and Accountability Act (HIPAA) establishes two important rules in connection with the use of protected health information: the security provision and the privacy provision, which are established under a general HIPAA category called the Administrative Simplification Act. Both provisions affect the transmission, storage, and management of protected health information.
Security Rule: the HIPAA security provision became effective on April 21, 2003. Its purpose is to protect confidential medical information. The security provision establishes guidelines to facilitate the storage, maintenance, and transmission of protected health information in a "secure electronic environment". This includes administrative procedures and physical safeguards, as well as technical measures to control and monitor access to protected health information and prevent unauthorized access to data during transmission.
Privacy Rule: HIPAA's privacy rule addresses the use and disclosure of protected health information and became effective April 14, 2001. The Privacy Rule requires service providers to make reasonable efforts to limit the use and disclosure of such protected health information by staff to the "minimum necessary" to perform their services. Service providers are further expected to limit the likelihood of "inadvertent disclosure" to individuals for whom there is no reasonable need to know as a matter of law. In addition, service providers must maintain a log of disclosures of certain protected health information that is not directly related to the patient's care.
Products and Services
PainLes’s platform and services are designed with specific features to help our users comply with HIPAA regulations. PainLes uses a relational database that employs a secured username and password login process. This means that users are granted specific access rights, such as the right to edit or add data, or are denied access to certain data. When a user adds or changes data in the database, a record is created indicating the change. The revision log created in this way can be reviewed by authorized administrators.
Customer Support
PainLes's support staff assists users in using PainLes’s platform in a HIPAA-compliant environment. All remote access by PainLes support staff to protected health information is protected via a fully encrypted protocol.
Business partner
HIPAA requires service providers to enter into specific "business associate" contracts with certain entities to which they disclose patient health information. These business associate contracts generally require the recipients of such information to take appropriate precautions to protect the patient health information they receive. To perform certain service and support tasks, PainLes employees may need access to patient health information maintained by PainLes users. As a result, PainLes may be considered a business associate ("Business Associate") of the users who receive these services. PainLes is providing a new Business Associate standard contract for its users that meets HIPAA requirements.
PainLes' new Business Associate Agreement provides general assurances to users that the company will use the protected health information they submit only to provide services and support and will protect that data against misuse.
Our Policy
To implement these requirements for business associates and to protect the confidentiality and integrity of protected health information received, the HIPAA Policy sets forth the following:
  • It provides that the Company will retrieve and use confidential protected health information provided by its users only to the extent necessary to perform customer service and support.
  • It restricts access to such data to those employees and agents who provide specific service and support.
  • It prohibits the disclosure of protected health information provided by users to anyone who is not an employee or agent of the Company, unless specifically authorized by PainLes and by the user, as appropriate.
  • It requires all Company employees and agents to report any use or disclosure of protected health information in violation of PainLes's HIPAA Policy.
  • It provides that PainLes will investigate all reports that protected health information has been used in a manner not permitted by PainLes's HIPAA Policy and will impose appropriate sanctions on conduct prohibited by the policy.
  • It specifies that PainLes employees who may come into contact with protected health information receive training on PainLes's privacy and security policy and the importance of protecting the confidentiality and security of protected health information.
  • It provides for transferring protected health information provided by users in a secured manner so that the integrity, confidentiality and availability of the data is protected.
PainLes has put together some suggestions to help ensure that protected health information is managed in a responsible and HIPAA-compliant manner when using PainLes:
  • Be sure to obtain explicit (preferably written) permission when required.
  • Keep your passwords in a secure location that unauthorized staff and users cannot access.
  • Set up user accounts for your computers that require users to log in with a password.
  • Always lock or log out of your PainLes account when not in use.
  • Develop standard procedures under which every handling of protected health information must be documented.
  • Keep your laptop, computer and device in a secure location with limited access.
In addition to complying with HIPAA security recommendations, PainLes adheres to the FTC's Security by Design Guidelines:
  • Data security is carefully assessed for each component of the PainLes platform
  • Data is encrypted both in transit and at rest
  • PainLes is protected against common vulnerabilities
  • Our team keeps up to date with new vulnerabilities and keeps the platform updated accordingly
Network Protection
PainLes servers and supporting systems are protected from hackers and network intrusion by firewalls and other leading security measures.
Controlled Employee Access
Certain PainLes staff and system administrators may need to access the PainLes platform to provide operational / administrative support. Access rights are strictly controlled, and access is granted only to those who need it to support the PainLes platform and its users. All PainLes employees and subcontractors are required to sign confidentiality agreements. Access to the system is granted only after validation of the user's identification data, assigned role and system permissions.
User Passwords
Users must enter their username and password to gain access to the PainLes platform. These credentials are created by users during registration. To reset a password, the reset information is sent to the user's email address on file. If two-factor authentication is enabled, a unique passcode is sent via SMS after the account password is entered. Administrators do not have access to user passwords, and passwords can only be reset by following a link sent via email at the user's request.
Encryption
Encryption provides users with a secure way to exchange information. It makes the information unusable for anyone who does not hold the protected decryption key needed to decrypt it. PainLes provides encryption for user interactions through Secure Socket Layer (SSL) technology with a robust 256-bit encryption key. PainLes also uses industry-proven encryption standards (TLS) when health information is transmitted into or out of PainLes.
Physical Security
The PainLes server and supporting systems are physically secured and protected in world-class data centers. Access to the physical systems is carefully controlled through security measures at multiple levels, consisting of authentication requirements (e.g., user keys, biometrics), security guard and registration check-in requirements, and state-of-the-art security monitoring and alert systems.
Access tracking and disclosure
In accordance with HIPAA standards, PainLes logs relevant details each time health information is viewed, edited, or exported to ensure system integrity.
Changes
Our commitment to protecting the privacy of your personal data may result in changes to this policy. Please regularly review this policy to keep up to date with any changes.
Queries and Complaints
Any comments or queries on this policy should be directed to us. If you believe that we have not complied with this policy or acted otherwise than in accordance with data protection law, then you should contact us.