Compliance

HIPAA Compliance

At Manifold Care, Inc., protecting your health information is fundamental to our mission. This page describes how we comply with the Health Insurance Portability and Accountability Act (HIPAA) and safeguard the Protected Health Information (PHI) entrusted to us through our products, including Balance.

Last updated: March 1, 2026

Our Commitment

Manifold Care, Inc. treats all user health data collected through Balance and our other products as Protected Health Information (PHI) under HIPAA. This includes mood tracking data, wearable sensor data, self-reported health information, and any causal insights derived from that data.

We maintain comprehensive policies and procedures to ensure the confidentiality, integrity, and availability of all PHI we create, receive, maintain, or transmit. Our compliance program addresses the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

We never sell your health data. We never use your health data for advertising. Your data exists to serve you — not to extract value from you.

Technical Safeguards

We implement rigorous technical safeguards to protect PHI at every layer of our infrastructure.

  • Post-quantum encryption. All PHI is encrypted in transit and at rest using post-quantum cryptographic algorithms, ensuring your data remains protected against both current and future computational threats.
  • Access controls. Role-based access controls ensure that only authorized personnel can access PHI, and only to the minimum extent necessary to perform their job functions. Multi-factor authentication is required for all systems that process or store PHI.
  • Audit logging. All access to PHI is logged with tamper-evident audit trails. We monitor these logs continuously for unauthorized access attempts and anomalous activity.
  • Automatic session management. Sessions that access PHI are subject to automatic timeout and termination policies to prevent unauthorized access from unattended devices.
  • Transmission security. All data transmitted between your device and our servers is protected using TLS 1.3 or higher, with certificate pinning to prevent man-in-the-middle attacks.

Physical Safeguards

Our infrastructure is hosted on SOC 2 Type II certified cloud platforms with comprehensive physical security controls.

  • All data centers are SOC 2 Type II certified, with independent third-party audits verifying the design and operational effectiveness of security controls.
  • Physical access to servers and data storage facilities is restricted to authorized personnel through biometric and multi-factor access controls.
  • Environmental controls, including fire suppression, climate management, and uninterruptible power supplies, protect against physical threats to data integrity.
  • Workstation and device policies govern the use of all devices that may access PHI, including encryption requirements and remote wipe capabilities.

Administrative Safeguards

We maintain a robust set of administrative safeguards that govern how our organization handles PHI.

  • Designated Security Officer. A dedicated Security Officer is responsible for developing and implementing our HIPAA compliance program, including all policies, procedures, and training programs.
  • Employee training. All employees and contractors receive HIPAA training upon onboarding and at least annually thereafter. Training covers the handling of PHI, security best practices, and incident response procedures.
  • Risk assessments. We conduct regular risk assessments to identify potential vulnerabilities and threats to PHI. Findings are documented and remediated according to their severity and likelihood.
  • Incident response procedures. Documented incident response procedures ensure that any security incident involving PHI is identified, contained, investigated, and resolved promptly.
  • Business Associate Agreements. We maintain Business Associate Agreements (BAAs) with all third-party vendors and service providers that create, receive, maintain, or transmit PHI on our behalf. These agreements ensure that our partners are held to the same standards of compliance.
  • Minimum necessary standard. We apply the minimum necessary standard to all uses and disclosures of PHI, ensuring that only the information required for a specific purpose is accessed or shared.

Your Rights Under HIPAA

Under HIPAA, you have specific rights regarding your Protected Health Information. Manifold Care, Inc. is committed to honoring these rights.

  • Right to access. You have the right to request access to the PHI we maintain about you. We will provide your information in a readily producible format within 30 days of your request.
  • Right to amendment. You may request that we correct or amend inaccurate or incomplete PHI in your records. We will respond to amendment requests within 60 days.
  • Right to deletion. You may request deletion of your PHI. Upon receiving a verified request, we will delete your data from our active systems and instruct our business associates to do the same, subject to any legal retention requirements.
  • Right to an accounting of disclosures. You may request an accounting of certain disclosures of your PHI that we have made in the six years prior to your request.
  • Right to request restrictions. You may request that we restrict certain uses and disclosures of your PHI. While we are not required to agree to all restriction requests, we will carefully consider each one.
  • Right to confidential communications. You may request that we communicate with you about your PHI through alternative means or at alternative locations.

To exercise any of these rights, please contact our Privacy Officer using the information provided below.

Breach Notification

In compliance with the HIPAA Breach Notification Rule, Manifold Care, Inc. maintains procedures to detect, respond to, and report breaches of unsecured PHI.

  • In the event of a breach of unsecured PHI, we will notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach.
  • Breach notifications will include a description of the breach, the types of information involved, steps you should take to protect yourself, what we are doing to investigate and mitigate the breach, and contact information for further inquiries.
  • For breaches affecting 500 or more individuals, we will also notify the U.S. Department of Health and Human Services (HHS) and prominent media outlets as required by law.
  • We maintain a log of all breaches affecting fewer than 500 individuals and report them to HHS annually.

Contact Our Privacy Officer

If you have questions about our HIPAA compliance practices, wish to exercise your rights regarding your PHI, or need to report a privacy concern, please contact our Privacy Officer.

Manifold Care, Inc.

Privacy Officer

2261 Market Street, STE 76732
San Francisco, CA 94114, USA

Email: privacy@manifold.care

We will respond to all inquiries within a reasonable timeframe and in accordance with applicable HIPAA requirements.