Privacy Policy
How we protect your information
⚠️ Important Medical Disclaimer
What's In Me is NOT a medical device and is NOT a substitute for professional medical advice.
Always consult your physician and MRI facility before any MRI procedure. We provide publicly available FDA and manufacturer data as a convenience only.
MRI safety decisions must be made by qualified healthcare professionals.
Information We Collect
Account Information
- • Email address (required for account creation)
- • Password (securely hashed and stored)
- • Full name (optional, for your profile)
- • Date of birth (optional, for your safety card)
- • Phone number and emergency contact (optional)
- • Primary physician name (optional)
Device Information
- • Implant selections (device IDs linked to your account)
- • Safety Card data you choose to save
Analytics & Usage Data
- • Vercel Web Analytics (anonymized, cookie-free)
- • Authentication cookies (Supabase, session only, not for tracking)
- • Server logs (Vercel, IP/browser/timestamps, security purposes only)
What We Do NOT Collect
- • Home address or physical location
- • Payment or billing information
- • Medical records or diagnoses
- • Biometric data
- • Advertising or tracking cookies
How We Use Your Information
To Provide Our Service
- • MRI safety lookup for implanted devices
- • Saved device management
- • Safety card generation and sharing
Communication
- • Send recall alerts (opt-in email notifications only)
- • Essential service communications
Service Improvement
- • Anonymized analytics to improve user experience
- • Security monitoring and fraud prevention
We will never sell, rent, or share your information with third parties for marketing purposes.
HIPAA Status
Whatsinme LLC is NOT a HIPAA-covered entity.
We do not access, store, or transmit Protected Health Information (PHI). Users voluntarily select devices from our public database; this is not a medical record and does not constitute medical documentation.
Data Security
We implement industry-standard security measures to protect your information:
- • Encryption in transit (TLS/HTTPS)
- • Encryption at rest for stored data
- • Secure authentication via Supabase
- • Regular security monitoring
Your Rights
You have the right to:
- • Access your stored data
- • Export your data
- • Delete your account and all associated data
- • Update your information at any time
Delete My Account: Available in your Profile settings. This action permanently removes all your data and cannot be undone.
Children's Privacy (COPPA Compliance)
What's In Me is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us immediately.
State Privacy Rights
California Residents (CCPA)
California residents have additional rights including:
- • Right to know what personal information is collected
- • Right to delete personal information
- • Right to opt-out of sale (note: we do not sell personal information)
- • Right to non-discrimination for exercising privacy rights
European Residents (GDPR)
European residents have rights including:
- • Right to access and portability
- • Right to rectification and erasure
- • Right to restrict processing
- • Right to object to processing
Cookie Disclosure
We only use essential authentication cookies. No tracking cookies, advertising cookies, or third-party cookies are used on our site.
DMCA Safe Harbor
User-Generated Content Protection
We operate under the Digital Millennium Copyright Act (DMCA) safe harbor provisions for user-submitted content, including device photos and safety information. We respond promptly to valid DMCA takedown notices.
DMCA Notice Procedure:
To report copyright infringement, send a DMCA notice to privacy@whatsinme.life with: (1) identification of copyrighted work, (2) location of infringing material, (3) your contact information, (4) good faith statement, (5) accuracy statement, and (6) electronic signature.
Counter-Notice: If you believe content was removed in error, you may submit a counter-notice following DMCA procedures. We will restore content after the statutory waiting period unless the original complainant files a court action.
Data Retention Policy
How Long We Keep Your Data:
Account Information:
• Email and hashed password: Until account deletion
• Device selections: Until account deletion or individual device removal
Analytics Data:
• Vercel analytics: 30 days (anonymized)
• Server logs: 90 days maximum
User Content:
• Device photos: Until removed by user or account deletion
• Safety cards: Until account deletion
Communication Records:
• Support emails: 2 years for service improvement
• DMCA notices: 3 years as required by law
Automatic Deletion
- Inactive accounts (no login) for 3+ years may be automatically deleted
- Temporary data (session tokens, password reset codes) expire automatically
- Anonymized usage statistics may be retained indefinitely for research
Your Data Rights
You Have the Right To:
Access Your Data
View all personal information we have about you through your Profile page, or request a complete data export.
Correct Your Data
Update your email, change device selections, or modify your Safety Card information at any time.
Export Your Data
Download a copy of your account data in JSON format. Available in Profile settings or by email request.
Delete Your Data
Permanently delete your account and all associated data. This action cannot be undone.
Opt Out of Communications
Unsubscribe from recall alerts or other optional communications at any time via email links or Profile settings.
How to Exercise Your Rights:
Self-Service (Recommended): Most actions can be performed through your Profile settings when logged in.
Email Request: Contact privacy@whatsinme.life for data export requests or if you need assistance.
Response Time: Self-service is immediate. Email requests are processed within 30 days (usually much faster).
Verification: For security, we may need to verify your identity before processing data requests sent via email.
Breach Notification
In compliance with the FTC Health Breach Notification Rule (16 CFR Part 318), in the event of an unauthorized acquisition of unsecured personally identifiable health information, we will:
- • Notify affected individuals without unreasonable delay and within 60 calendar days of discovery
- • Notify the Federal Trade Commission as required by the Rule
- • Notify prominent media outlets if the breach affects 500 or more residents of a state or jurisdiction
To report a security concern or potential data breach, contact us at privacy@whatsinme.life.
Contact Us
If you have questions about this Privacy Policy or want to exercise your rights, please contact us:
Governing Law
This Privacy Policy is governed by the laws of the State of Texas and the jurisdiction of Dallas County, Texas.