Legal · Privacy

Privacy & Health Data Policy

How Mia handles your personal data when you take the Test — written to protect the sensitive health information you share with us.

This policy explains how Mia handles your personal data. The first part (the “global core”) applies to everyone. After it, country-specific addenda add or strengthen rights for people in particular places. Where an addendum addresses something differently from the core, the addendum applies for people in that place.

Data Controller Mia (mimia.co). Contact for any privacy question or request: info@mimia.co.

1. A note on sensitive health data

Mia asks about your body, symptoms, mood, and how you’re feeling. This is sensitive health data, and in some cases reproductive-health data. We treat it as the most protected category of information and only process it with your explicit consent. You are never required to answer any question — providing this information is voluntary.

2. What we collect

We do NOT ask for — and you should never enter — passwords, payment-card numbers, bank details, or government ID numbers.

3. Why we use it

We do NOT sell your data, we do NOT use it for targeted advertising, and we do NOT use it to train third-party AI models.

4. Our legal basis

Because this is health data, we rely on your explicit consent: Articles 6(1)(a) and 9(2)(a) GDPR (EU/Spain); Article 11 LGPD (Brazil); opt-in consent under US state consumer-health-data laws including Washington’s My Health My Data Act; and consent to collect sensitive information under the Australian Privacy Principles.

Research authorization. Using your data for research is a separate, affirmative opt-in and is never bundled with anything else. When you consent, all personal identifiers are permanently unlinked using rigorous technical standards before any analysis, so you cannot be re-identified. Research data is handled strictly in aggregate, solely to advance knowledge of perimenopause, and may appear in scientific publications, academic forums, or technical reports. It is never sold, never used for behavioral marketing, and never used to train third-party AI models.

Revoking research consent. You can withdraw your research authorization at any time, easily and without justification, through your privacy settings or our contact email. Withdrawing it does not affect the lawfulness of prior processing and does not change your access to Mia's core services.

5. Who can see your data

Any sharing beyond the above requires your separate consent. You can ask us for the list of third parties with whom we have shared your data, and how to contact them.

6. Where your data is stored and transferred

Your data is stored on servers in the European Union (via Tally). If you are outside the EU — in the US, Latin America, or Australia — your information is transferred to and stored in the EU, protected by appropriate safeguards (including standard contractual clauses where required). For participants in Australia, this means your data is held overseas; we remain accountable for protecting it.

7. How long we keep it

We keep pilot data only for 24 months from the end of the pilot program for the purposes above, after which we delete or anonymize it. You can ask us to delete it sooner. When data is deleted, our processor purges it from backups within 90 days.

8. Your rights

Wherever you live, you can ask us to: access the data we hold about you and receive a copy; correct anything inaccurate; delete your data; withdraw your consent (as easily as you gave it); and, in the EU and Brazil, restrict or object to processing and request portability.

To exercise any right, email info@mimia.co. We respond within 15 days where possible (and at most within the period your local law allows: 30 days EU, 15 days Brazil, 45 days under Washington’s MHMDA).

9. How we protect your data

Data is encrypted in transit and at rest. Access is limited to named team members. We apply technical and organizational security measures appropriate to sensitive health data, and we maintain a plan to notify you and the relevant authority promptly if a breach is likely to cause harm.

10. Children

Mia is for adults. We do not knowingly collect data from anyone under 18. If you are under 18, please do not submit the survey.

11. Complaints

If you’re unhappy with how we handle your data, contact us first at info@mimia.co.

12. Changes to this policy

We may update this policy. We’ll post changes here and update the date. For material changes affecting how we use your health data, we’ll seek your consent again where required.

Country-specific addenda

The sections below add to the core policy for people in particular places. Read the core policy and any addendum that applies to you.

13. European Union

If you are in the EU, the GDPR gives you the rights in Section 8 plus the right to lodge a complaint with a supervisory authority, in Spain the AEPD, aepd.es. We process your health data only on the basis of your explicit consent under Article 9(2)(a). Because we process special-category data, we maintain a record of processing and have assessed the risks of this pilot.

Where you opt in to research, we rely on your explicit consent under Articles 6(1)(a) and 9(2)(a) GDPR, together with the research safeguards in Article 89 GDPR and the Seventeenth Additional Provision of Spain's Ley Orgánica 3/2018. Your data is irreversibly anonymized before analysis and used only in aggregate for descriptive and analytical cohort studies.

In a later phase, Mia may run formal identifiable biomedical research in Spain. That is a separate process with its own explicit consent, approved by an ethics committee under Ley 14/2007, and it will never reuse your Test responses without asking you again.

14. United States — Consumer Health Data

Categories we collect: information about perimenopause symptoms; physical, vasomotor, psychological, and psychosocial experiences; menstrual and reproductive-health information you choose to share; and inferences we draw from your answers about your health status.

We collect this directly from you, with your opt-in consent, to generate your results and improve Mia. We share it only with our service providers (Tally and email tools) under contract. We do not sell consumer health data, we do not use it for targeted advertising, and we do not geofence health facilities.

If you opt in to research, that authorization is separate and independent from your consent to our core services, consistent with the Washington My Health My Data Act. We use your consumer health data for research only after irreversible de-identification, in aggregate, for academic disclosure. It is never sold, never used for behavioral marketing, and never used to train third-party AI models. You may revoke this authorization at any time without affecting your access to Mia's services.

Your rights (Washington MHMDA and similar state laws):

To exercise these, email info@mimia.co. We respond within 45 days. Mia does not and will not sell your consumer health data; doing so would require a separate signed authorization, which we do not seek.

15. Brazil

If you are in Brazil, the LGPD applies. We process your health data as sensitive data under Article 11, on the basis of your specific, highlighted consent. You have the rights to confirmation, access, correction, anonymization/blocking/deletion, portability, information on with whom we’ve shared your data, and to withdraw consent — and to complain to the ANPD. We respond to requests within 15 days. Please email info@mimia.co.

16. Mexico, Colombia, Argentina & other Latin American countries

Health data is sensitive across the region and we process it only with your express consent. In Mexico (LFPDPPP) we obtain express consent and provide this notice as our aviso de privacidad. In Colombia (Ley 1581/2012), providing sensitive data is voluntary and you may decline. In Argentina (LPDP), sensitive data is tightly protected and consent-based. In every case you can access, correct, delete, and withdraw consent by contacting us.

17. Australia

If you are in Australia, the Privacy Act 1988 and the Australian Privacy Principles apply. We collect sensitive health information only with your consent (APP 3) and tell you why (APP 5). Your data is stored overseas (on EU servers); we remain accountable for it (APP 8). We apply reasonable technical and organisational security measures (APP 11).

Last updated: 6 July 2026 · Mia