Privacy Policy

Last updated: January 18, 2025

Introduction

Momentary ("we," "our," or "us") is committed to protecting your privacy and the privacy of research participants. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our ecological momentary assessment (EMA) and survey research platform (the "Service").

We understand that researchers and their participants trust us with sensitive data. This trust is the foundation of our business, and we take our responsibility seriously. Please read this policy carefully. If you disagree with our policies and practices, please do not use our Service.

Information We Collect

Information You Provide to Us

We collect information you voluntarily provide when using our Service, including:

  • Account Information: Name, email address, institutional affiliation, and payment information when you create an account or subscribe to our Service.
  • Study Configuration Data: Survey questions, study designs, scheduling parameters, and other configuration data you create within the platform.
  • Research Data: Responses, timestamps, and other data collected from research participants through your studies.
  • Communications: Information you provide when you contact us for support or other inquiries.

Information Collected Automatically

When you access our Service, we automatically collect certain information, including:

  • Log Data: IP address, browser type, operating system, referring URLs, pages viewed, and timestamps.
  • Device Information: Device type, unique device identifiers, and mobile network information.
  • Usage Data: Features used, actions taken, and performance metrics to improve our Service.

Cookies and Similar Technologies

We use cookies and similar tracking technologies to maintain your session, remember your preferences, and analyze usage patterns. You can control cookies through your browser settings, though disabling them may limit functionality.

How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and Maintain the Service: To operate the platform, process transactions, and deliver the features you request.
  • Improve and Develop: To understand how users interact with our Service, identify issues, and develop new features.
  • Communicate: To send service-related notices, respond to inquiries, and provide customer support.
  • Security and Compliance: To detect, prevent, and address fraud, abuse, security risks, and technical issues.
  • Legal Obligations: To comply with applicable laws, regulations, and legal processes.

We do not use research participant data for any purpose other than providing the Service to researchers. We do not sell, rent, or share participant data with third parties for their marketing purposes.

Data Ownership and Research Data

We recognize the unique nature of research data and the ethical obligations researchers have to their participants:

  • You Own Your Data: All research data collected through your studies belongs to you. We act as a data processor on your behalf.
  • Limited Access: Our employees access research data only when necessary to provide technical support or as required by law.
  • No Secondary Use: We do not analyze, aggregate, or use your research data for any purpose beyond providing the Service.
  • Data Portability: You can export your data at any time in standard formats (CSV, JSON).
  • Data Deletion: Upon request or account termination, we will delete your research data in accordance with your instructions and our data retention policy.

Information Sharing and Disclosure

We do not sell your personal information. We may share information in the following circumstances:

  • Service Providers: With third-party vendors who perform services on our behalf (e.g., cloud hosting, payment processing, analytics), subject to confidentiality obligations.
  • Legal Requirements: When required by law, subpoena, court order, or governmental regulation.
  • Protection of Rights: To protect the rights, property, or safety of Momentary, our users, or others.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.
  • With Your Consent: When you have given explicit consent to share information.

Data Security

We implement robust security measures to protect your information:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Access Controls: Strict role-based access controls limit who can access data within our organization.
  • Infrastructure Security: Our infrastructure is hosted on SOC 2 Type II certified cloud providers with 24/7 monitoring.
  • Regular Audits: We conduct regular security assessments and penetration testing.
  • Incident Response: We maintain an incident response plan and will notify affected users of any data breach as required by law.

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

Data Retention

We retain your information for as long as necessary to provide our Service and fulfill the purposes described in this policy:

  • Account Information: Retained while your account is active and for a reasonable period afterward for legal and business purposes.
  • Research Data: Retained according to your study settings and data retention preferences. You may configure automatic deletion periods.
  • Log Data: Generally retained for 90 days for security and troubleshooting purposes.
  • Backup Data: Maintained for disaster recovery and deleted according to our backup rotation schedule (typically 30 days).

You may request deletion of your data at any time by contacting us at privacy@momentary.io.

Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your personal information, subject to certain exceptions.
  • Portability: Request a copy of your data in a machine-readable format.
  • Objection: Object to certain processing of your information.
  • Restriction: Request restriction of processing in certain circumstances.
  • Withdraw Consent: Where processing is based on consent, withdraw that consent at any time.

To exercise these rights, contact us at privacy@momentary.io. We will respond to your request within 30 days.

International Data Transfers

Our Service is operated in the United States. If you are located outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission to transfer data outside the EEA. We also offer data residency options for users who require data to remain in specific geographic regions.

GDPR Compliance

For users in the European Economic Area, we process personal data as follows:

  • Legal Basis: We process data based on contractual necessity (to provide the Service), legitimate interests (to improve and secure the Service), and consent (where required).
  • Data Controller: For researcher account data, Momentary acts as the data controller. For research participant data, the researcher is the data controller and Momentary is the data processor.
  • Data Protection Officer: You may contact our DPO at dpo@momentary.io.
  • Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.

HIPAA Compliance

For researchers conducting studies that involve Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA):

  • We offer Business Associate Agreements (BAAs) for covered entities and their business associates.
  • Our infrastructure and practices are designed to support HIPAA compliance requirements.
  • Researchers are responsible for ensuring their use of the Service complies with HIPAA and obtaining appropriate authorizations from participants.

Contact us at compliance@momentary.io to request a BAA or discuss HIPAA requirements.

Children's Privacy

Our Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you are a researcher studying minors, you are responsible for obtaining appropriate parental consent and ensuring compliance with applicable laws including COPPA.

If we learn we have collected personal information from a child under 13 without parental consent, we will delete that information promptly. If you believe we have information from a child under 13, please contact us at privacy@momentary.io.

California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request information about the categories and specific pieces of personal information we have collected.
  • Right to Delete: Request deletion of your personal information.
  • Right to Opt-Out: Opt out of the sale or sharing of personal information. Note: We do not sell personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • Right to Correct: Request correction of inaccurate personal information.

To exercise these rights, contact us at privacy@momentary.io or call us at [Phone Number]. You may designate an authorized agent to make requests on your behalf.

Do Not Track

Some browsers have a "Do Not Track" feature that signals websites not to track your online activities. Our Service does not currently respond to Do Not Track signals because there is no industry standard for how to respond to such signals.

Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party sites you visit.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last updated" date
  • Sending an email notification to registered users for significant changes
  • Displaying a prominent notice within the Service

Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

Contact Us

If you have questions or concerns about this Privacy Policy or our privacy practices, please contact us:

Momentary

Email: privacy@momentary.io

For data protection inquiries: dpo@momentary.io

We will respond to your inquiry within 30 days.