MYNA VOICE LABS
PRIVACY POLICY
Version 1.0 — Effective Date: April 6, 2026
1. Introduction
This Privacy Policy describes how Myna Voice Labs ("we," "our," or "us") collects, uses, stores, and protects your personal information and health data when you use the Myna voice analysis application and related services (collectively, the "Service"). The Service is a Software as a Medical Device (SaMD) currently available for research purposes only.
We are committed to protecting your privacy and handling your data in accordance with applicable laws, including the U.S. Health Insurance Portability and Accountability Act (HIPAA), the European Union General Data Protection Regulation (GDPR), and the EU Medical Devices Regulation (EU MDR 2017/745).
By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.
2. Data Controller Information
For the purposes of GDPR and other applicable data protection laws, Myna Voice Labs is the data controller responsible for your personal data.
Contact: privacy@mynapd.com
3. Information We Collect
3.1 Information You Provide Directly
- Account information: name, email address, date of birth, phone number
- Authentication data: credentials for email/password, Google Sign-In, or Apple Sign-In
- Patient medical history (optional): demographics (age, sex, ethnicity), Parkinson’s diagnosis details, Hoehn & Yahr disease severity stage, current medications and dosages, speech impairment history, other neurological conditions, surgical history (including DBS), and family history
- Questionnaire responses related to your health and symptoms
- Feedback and communications you submit through the Service
3.2 Voice and Audio Data
- Voice recordings captured during structured recording sessions (44.1 kHz, 16-bit PCM mono audio)
- Audio metadata: duration, file size, recording format, session timestamps
- Audio quality metrics: signal-to-noise ratio (SNR), harmonic-to-noise ratio (HNR), jitter, shimmer, volume, spectral features
3.3 Information Collected Automatically
- Device information: device model, operating system version, app version
- Usage data: session frequency, feature usage, timestamps of interactions
- Pseudonymised IP address (SHA-256 hashed and truncated) for security audit purposes
- Crash reports and diagnostic logs via Firebase Crashlytics
3.4 Derived Data
- Machine learning inference results and confidence scores generated from your voice recordings
- Learned speech representations produced by our proprietary voice analysis algorithm
- Session-level and file-level aggregated predictions
4. How We Use Your Information
We use the information we collect for the following purposes:
4.1 Service Delivery and Research
- To provide voice analysis and generate research-grade results related to Parkinson’s Disease biomarkers
- To process your voice recordings through our proprietary speech foundation model for pattern detection
- To support clinical research into differential diagnosis between Parkinsonian conditions
- To improve and validate our machine learning models using de-identified or aggregated data
4.2 Account and Service Management
- To create and manage your account, verify your identity, and enforce role-based access controls
- To communicate with you about the Service, including updates and changes to this Privacy Policy
- To maintain audit trails of consent and session interactions as required by applicable regulations
4.3 Safety and Compliance
- To comply with HIPAA, GDPR, EU MDR, IEC 62304, and other regulatory obligations
- To detect, prevent, and address security incidents, fraud, and technical issues
- To conduct audio quality assessments to ensure the reliability of voice analysis results
5. Legal Basis for Processing (GDPR)
For individuals located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases:
| Legal Basis | Purpose |
|---|---|
| Explicit Consent (Art. 9(2)(a)) | Processing of health data (voice recordings, medical history) and special category data for research purposes |
| Contract Performance (Art. 6(1)(b)) | Providing the Service, managing your account, delivering voice analysis results |
| Legitimate Interest (Art. 6(1)(f)) | Service security, fraud prevention, product improvement using aggregated data |
| Legal Obligation (Art. 6(1)(c)) | Compliance with medical device regulations, HIPAA, and applicable data protection laws |
6. Data Storage and Security
We implement industry-leading technical and organisational measures to protect your data:
6.1 Encryption
- All data is encrypted in transit using TLS 1.2 or higher
- Audio files are encrypted at rest in Firebase Storage using Google-managed encryption keys
- Protected Health Information (PHI) is encrypted at rest in Google Cloud Healthcare API (FHIR R4) using Google-managed keys
- Authentication tokens are stored in the iOS Keychain with hardware-backed 256-bit AES encryption
- Code signing certificates are encrypted with AES-256-CBC
6.2 Access Controls
- Role-based access control (RBAC) with three distinct roles: user, doctor, and admin
- Access code-based account activation with configurable usage limits and expiry
- Audio files are accessible only via time-limited signed URLs generated by the backend (15-minute validity)
- No direct client access to databases; all data access goes through authenticated and authorised API endpoints
6.3 Audit and Monitoring
- Immutable audit trail of all consent events, session interactions, and data access
- IP addresses are pseudonymised (SHA-256 hashed, truncated) in audit records
- Request ID correlation across all API calls for complete traceability
- Centralised logging to Google Cloud Logging with structured log format
6.4 Infrastructure
All data is hosted on Google Cloud Platform (GCP) infrastructure, which maintains SOC 2, ISO 27001, HIPAA, and FedRAMP certifications. Our primary data regions are in the United States (us-central1, us-east1).
7. Data Sharing and Disclosure
We do not sell your personal data. We may share your information in the following circumstances:
- Healthcare providers: If you are assigned to a doctor within the platform, that doctor may access your voice recording results, questionnaire responses, and medical history for clinical care and research purposes
- Service providers: Google Cloud Platform (infrastructure), Firebase (authentication and storage), and Apple/Google (sign-in providers). These providers are bound by data processing agreements
- Research collaborators: De-identified or aggregated data may be shared with academic and clinical research partners, subject to appropriate data sharing agreements and ethics review
- Legal requirements: We may disclose your data if required by law, regulation, legal process, or enforceable governmental request
8. International Data Transfers
Your data may be transferred to and processed in the United States and other countries where Google Cloud Platform maintains infrastructure. For transfers from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, together with supplementary technical measures (encryption, pseudonymisation) to ensure an adequate level of data protection.
9. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes described in this Privacy Policy, subject to the following:
- Account data is retained for the duration of your account and for a reasonable period thereafter to comply with legal obligations
- Voice recordings and associated analysis results are retained for the duration of the research programme unless you request earlier deletion
- Deleted recording sessions are soft-deleted (marked inactive) and retained for an administrative retention period before permanent purging by authorised administrators only
- Audit trail records are retained as required by applicable medical device and data protection regulations
- De-identified or aggregated data used for model training may be retained indefinitely as it cannot be linked back to you
10. Your Rights
10.1 Rights Under GDPR (EEA/UK Residents)
If you are located in the EEA or UK, you have the following rights under GDPR:
- Right of access (Art. 15): Request a copy of your personal data
- Right to rectification (Art. 16): Request correction of inaccurate data
- Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention requirements
- Right to restriction (Art. 18): Request limitation of processing in certain circumstances
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3)): Withdraw your consent at any time, without affecting the lawfulness of processing prior to withdrawal
10.2 Rights Under U.S. Privacy Laws
Depending on your state of residence, you may have additional rights under state privacy laws (such as the California Consumer Privacy Act or similar state legislation), including the right to know what data we collect, the right to request deletion, and the right to opt out of certain data sharing practices.
10.3 HIPAA Rights
To the extent that the Service processes your Protected Health Information (PHI) as defined by HIPAA, you have rights under HIPAA to access, amend, and receive an accounting of disclosures of your PHI. Requests should be directed to privacy@mynapd.com.
10.4 How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@mynapd.com. We will respond within 30 days (or the applicable statutory period). We may need to verify your identity before processing your request.
11. Consent and Research Participation
The Service is currently available for research purposes only. Before using the Service, you will be presented with a multi-step consent flow that includes:
- A research disclaimer explaining the study purpose and limitations
- Terms of Service agreement
- This Privacy Policy for your review
- A research consent declaration
Each step must be acknowledged and accepted. Your acceptance is logged with a timestamp in our audit trail. You may withdraw your consent and discontinue participation at any time by contacting us.
12. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us at privacy@mynapd.com.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes by posting the updated policy within the app and, where required, requesting your renewed consent. The "Effective Date" at the top of this policy indicates when the latest version took effect. Continued use of the Service after an update constitutes acceptance of the revised policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Myna Voice Labs
Email: privacy@mynapd.com
Website: https://mynapd.com