HABITNU PRIVACY POLICY
Last Updated: March 24, 2026
This Privacy Policy explains how Prana Diabetes Inc., d/b/a HabitNu (“HabitNu,” “we,” “us,” “our”) collects, uses, shares, and protects information about you when you use our website, mobile or web applications, and related services (collectively, the “Services”).
You may be invited to use the Services by HabitNu or an organization (like a health plan, employer, provider group, or program sponsor) for a lifestyle change or clinical care initiative, or you may sign up directly through the HabitNu website and/or application.
By using our Services, you agree to this Privacy Policy. If you don't agree, please don't continue to use them.
This policy answers common questions, such as what data we collect, why we collect it, who we share it with, your choices, and data retention. It complies with the latest digital health privacy best practices, including the ONC Model Privacy Notice and CARIN guidelines, and all relevant federal and state privacy laws.
1. KEY DEFINITIONS
  1. Personal Information: Information that identifies you or can reasonably be linked to you (for example, name, email, IP address, device identifiers).
  2. Health Information: Information about your health behaviors, care, and measurements (such as weight, activity, glucose levels you provide, and communications with coaches).
  3. PHI (Protected Health Information): Health information protected under HIPAA when HabitNu is acting as a Business Associate to a HIPAA Covered Entity (such as a health plan or provider). When HIPAA applies, it may control parts of how PHI is used/disclosed. More information about HabitNu’s Privacy Practices for HIPAA regulated information can be found here:
  4. De-identified (Anonymized) Information: Information that has been changed so it cannot reasonably be linked back to you. We treat de-identified information as non-personal and do not try to re-identify it.
  5. Pseudonymized Information: Information that has been changed by replacing direct identifiers with a code, such as "Patient_001." Authorized people may be able to link the code back to you when needed. This type of information may be used for research, product improvement, support, security reviews, or recordkeeping.
2. WHAT INFORMATION WE COLLECT
We collect information in three main ways: from you, from others you approve, and automatically through the Services.
  1. Information you provide
    • user account and profile information, such as name, email, contact information, date of birth, sex, program preferences, or other information provided during registration or through account settings;
    • health and lifestyle information you enter, such as goals, habits, nutrition logs, physical activity logs, weight, other biometric data, and program activity;
    • information about people you choose to include, such as a care provider, family member, or friend;
    • messages you send through the Services, including messages to a lifestyle coach, care manager, health professional, or support team;
    • content or reactions you post in community areas; and
    • any other information you choose to enter into the app or website.
  2. Information provided by others with your permission
    • program sponsor information, such as your sponsoring organization and enrollment details;
    • data from a healthcare provider or connected device you choose to connect, such as activity or measurement data; and
    • personal health record data from providers, payers, or personal health record services when that data has been confirmed to belong to you.
  3. Information collected automatically
    • device and usage data, such as IP address, browser type, device identifiers, app events, pages or screens viewed, time spent, and referring URLs;
    • cookies and similar technologies that help the Services work, remember your preferences, and measure use; and
    • chats or interactions between you and system tools, including AI chat assistants.
3. WHY WE COLLECT AND USE INFORMATION (PURPOSES)
We use information to:
  • provide the Services, including creating accounts, enrolling you in programs, delivering lessons, tracking progress, and supporting communications with coaches or providers;
  • support and improve the Services, including fixing bugs, troubleshooting, reviewing use patterns, and improving features or content;
  • communicate with you, including service messages and support responses;
  • provide program reporting (where applicable) to your sponsor, provider, or regulating entities for program operations and measurement, as described in Section 7;
  • support security and fraud prevention (protect accounts, detect suspicious activity); and
  • meet legal, safety, and compliance needs (meet legal obligations, enforce terms, protect rights).
4. WHAT IS REQUIRED AND WHAT IS OPTIONAL (YOUR CHOICES)
Some information uses are required for the Services to work. Others are optional.
  1. Uses that are required
    • creating and managing your account;
    • providing core features, such as content and progress tracking;
    • allowing coaching or care communications if your program includes them;
    • using security tools, fraud prevention tools, and basic analytics needed to keep the Services running; and
    • meeting legal requirements and enforcing our agreements.
    If you choose not to provide certain required information, some or all parts of the Services may not work for you.
  2. Uses that are optional
    You may choose to limit or opt out of:
    • marketing messages;
    • research and product surveys;
    • non-essential cookies or analytics, where controls are available; and
    • device or provider connections that you choose to set up.
    HabitNu does not use your Personal Information for targeted advertising. HabitNu also does not use automated decision-making that produces legal or similarly significant effects on you.
5. WHEN OTHER PEOPLE'S PRIVACY MAY BE AFFECTED
If you share information about another person, that can affect their privacy too. For example, this could happen if you share family history, household information, or progress updates with someone else.
Please think about their preferences before you:
  • add them as a contact;
  • share messages involving them; or
  • post information that identifies them.
6. HOW WE SHARE INFORMATION
We share information only in the ways described below.
  1. Inside HabitNu
    HabitNu staff have assigned roles and receive training. Access is limited based on job needs. Staff may access information to operate the Services, respond to issues, or improve the product. When possible, we use pseudonymized or de-identified information.
  2. With service providers
    We use vendors to help run the Services, such as vendors for hosting, security, and customer support tools. These vendors may use information only to provide services to HabitNu and must protect it. HabitNu requires vendors supporting service delivery to meet equal or better security and compliance expectations. Hosted services and data are restricted to the United States.
  3. With your program sponsor or care team, when applicable
    If you are in a sponsor-run program, we may share information needed for program operations. This may include:
    • enrollment status and participation;
    • progress metrics, such as session completion;
    • coach engagement metrics; and
    • outcomes and reporting required by the program.
    What we share depends on the program and the agreements in place. If HIPAA applies, sharing of PHI is controlled by HIPAA and our agreements with the Covered Entity.
  4. With connected integrations you choose
    If you connect a device or third-party integration, we may send and receive data based on your settings. You can disconnect an integration at any time.
  5. For legal, safety, and compliance reasons
    We may disclose information if we believe it is reasonably necessary to:
    • follow the law or legal process;
    • respond to lawful requests from public authorities;
    • protect the safety, rights, or property of users, HabitNu, or others; or
    • investigate fraud or security issues.
  6. During a business transfer
    If HabitNu is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction. See Section 13.
  7. What we do not do
    • We do not sell your Personal Information.
    • We do not sell your Health Information.
    • We do not share your Personal Information or Health Information for targeted advertising.
7. DISCLOSURES AND PERSISTENCE: ONE-TIME VS ONGOING
Some information sharing happens once. Other sharing continues while you use the Services.
Examples:
  • Account setup and enrollment are usually one-time events, though they may be updated later.
  • Program participation and progress sharing may continue while you are enrolled.
  • Coaching and support messages continue while you send or receive messages.
  • Connected device or integration data may continue until you disconnect the integration.
  • Cookies and app analytics may continue while you use the Services, depending on your settings and available controls.
8. CONSENT, WITHDRAWAL, AND CONNECTION CONTROLS
  1. Withdrawing consent / stopping participation
    If your participation is based on consent, you can withdraw consent by:
    • contacting us (see Section 15), or
    • contacting your program sponsor if the sponsor manages enrollment.
    After you withdraw:
    • we will stop getting new information from you through our Services, except for a small amount needed to keep things secure, follow rules, or make sure the program is working right;
    • your access may end or become limited, depending on the program;
    • we may keep some information as described in Section 12 for legal, security, audit, or contract reasons; and
    • information already shared with a sponsor or provider may be kept under that sponsor's or provider's own policies.
    If HIPAA applies, extra rules may control how PHI is kept or shared.
  2. Disconnecting devices and integrations
    You can disconnect a device or integration through the Services, when available, or by contacting us.
    After you disconnect it:
    • we stop receiving new data from that connection; and
    • data already collected stays subject to the retention and deletion rules in Section 12, unless it is deleted based on a valid request.
9. YOUR COMMUNICATION PREFERENCES
We may send you two types of messages:
  • Service messages, such as account, security, program, and important product updates. You may not be able to opt out of all service messages.
  • Optional messages, such as marketing about HabitNu services.
To opt out of marketing messages:
10. COOKIES, ANALYTICS, AND TRACKING
We use cookies and similar technologies to:
  • keep the Services working;
  • remember your preferences;
  • detect and prevent suspicious activity; and
  • understand use and improve performance.
Your controls:
  • You can change your browser settings to refuse some cookies or alert you when cookies are used.
  • Mobile devices may let you control certain advertising identifiers. HabitNu does not use targeted advertising, but these identifiers may still exist at the device level.
  • Some features may not work properly if you disable required cookies.
HabitNu does not use cookies for cross-site targeted advertising.
11. TARGETED ADVERTISING AND AUTOMATED DECISION-MAKING
HabitNu does not use or disclose Personal Information for targeted advertising.
HabitNu does not use automated decision-making that produces legal or similarly important effects on you, such as decisions about eligibility, coverage, employment, housing, or credit.
We may use basic automation for product functions, such as reminders or content sequencing, but not for legal or similarly important decisions.
12. DATA RETENTION, DELETION AND INACTIVE ACCOUNTS
  1. How long we keep information
    We keep Personal Information only as long as reasonably necessary to:
    • provide the Services and support your program;
    • meet legal, regulatory, contractual, and audit requirements;
    • maintain security and prevent fraud;
    • resolve disputes and enforce agreements.
    Typical approach:
    • Active accounts and active programs: kept while active.
    • After a program ends or an account closes: kept for a limited period for legal, security, audit, and sponsor reporting needs, then deleted or de-identified where feasible.
    • When applicable, HabitNu is required by HIPAA to keep records for at least seven (7) years, including certain backups, system logs, and other auditable records.
  2. Inactive accounts
    If your account becomes inactive, we may:
    • keep limited information for security or audit purposes;
    • keep program records if required by law or sponsor contracts; and
    • delete or de-identify information under our retention practices.
  3. How deletion works
    When we delete information:
    • Personal Information and Health Information are deleted or de-identified from active systems first;
    • the same information may remain in backups for a limited time based on our backup schedule; and
    • some information may be kept if required for legal, security, compliance, or program integrity reasons.
13. BUSINESS TRANSFERS, COMPANY SALE, OR SHUTDOWN
If HabitNu is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of some or all assets, your information may be transferred as part of that transaction.
In that event, we may offer one or more of these options:
  • a way to close your account;
  • a commitment that the new owner's privacy commitments will stay consistent with this policy, or notice of material changes when required by law; and
  • secure disposal of information if the business ends and no successor continues the Services, subject to legal obligations.
When required or appropriate, we will provide notice by email and/or through a clear notice in the Services.
14. SECURITY
We use reasonable administrative, technical, and physical safeguards to protect information from unauthorized access, use, or disclosure. These safeguards may include access controls, encryption in transit, monitoring, and role-based access.
No system is 100% secure. If you think your account has been compromised, please contact us right away. See Section 15.
15. YOUR RIGHTS: ACCESS, CORRECTION, PORTABILITY, AND DELETION
Depending on where you live and how HabitNu works with your information, including whether HIPAA applies, you may have the right to:
  • Access your Personal Information;
  • Correct inaccurate information and, when appropriate, add context;
  • Delete certain Personal Information;
  • Receive your information in a usable format, where feasible; and
  • Opt out of certain processing, where state law applies.
To make a request, email support@habitnu.com and include:
  • your name;
  • the email/phone associated with your account; and
  • the request you are making.
We may need to verify your identity before we complete your request. If you are in a sponsor-run program, we may also need to work with the sponsor or provider based on legal duties and role assignments. Your message will be reviewed promptly, with an average response time of 2 business days. If needed, our Compliance Officer may contact you for more information.
Downstream recipients
If you approved sharing with a sponsor, provider, or integration, we can tell you, on request, whether and how corrections or deletions can be passed along. In some cases, those other parties keep their own records and follow their own processes, which may be outside our direct control.
16. SPECIAL NOTICE FOR HIPAA-REGULATED DATA
When HabitNu is acting as a Business Associate for a HIPAA Covered Entity, PHI is handled under HIPAA and the agreements that apply. Your sponsor or provider may also give you a Notice of Privacy Practices that explains HIPAA rights and disclosures for PHI.
This Privacy Policy still applies to information not governed by HIPAA and to general Service practices.
17. CHILDREN'S PRIVACY
The Services are not meant for children under 13, and in some cases not for people under 18, unless use is allowed through a lawful program. If you believe a child gave us information without proper authorization, please contact us. See Section 15.
18. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time.
If we do:
  • we will post the updated policy and change the "Last Updated" date;
  • if the changes are material, we will provide clear notice before the changes take effect when required or reasonable; and
  • your continued use of the Services after the update means you accept the updated policy.
When required or appropriate, we will provide notice by email and/or through a clear notice in the Services.
19. CONTACT US
Questions, requests, or complaints:
HabitNu Support
Email: support@habitnu.com
20. ADDENDUM: STATE PRIVACY RIGHTS
Extra state privacy rights may apply. For more information, please see: