Last Updated on September 30, 2024
The protection of the security and
confidentiality of your (hereinafter referred to as "You" or "User")
data is of particular importance to Korro AI Ltd (hereinafter referred to as
“We”, “Us”, “Our” or “Korro”) who is responsible for the KORRO health
application for mobile devices (hereinafter referred to as the "App")
and as such will act as the data controller with regard to your personal data.
In the following sections, we’ll inform you about the types of personal data
that we’ll collect and process, the purposes we pursue and the rights you are
entitled to enforce as a data subject.
The App is
intended to supplement clinical care by coaching and motivating children undergoing
or in need of occupational therapy. If You are a different type of healthcare
provider and elect to use the App, You do so at Your
sole risk and You are solely responsible for complying with Your local
applicable law and all other local rules, codes and best practices of Your
employer (if applicable), licensing organization(s) and industry. For more
information regarding the use of the App please refer to the Terms and Conditions.
The App aims to
encourage the User’s adherence to a therapeutic regimen specified by an
Occupational Therapist (OT) and motivates the User to reach their occupational therapy
goals. The App supplements and can be used as part of in-clinic therapy, i.e.,
a patient will use the App during therapy sessions with their therapist as well
as between therapy sessions at home. The code to create a User’s account in the
App is generated by the User’s occupational therapist. Users and their personal
data are linked by default to their therapist who generates the User’s access
to the App.
The App guides Users
through a series of tasks, referred to as "Experiences," based on
their therapy plan. These experiences aim to enhance certain physical abilities
based on the User's therapeutic needs as identified by the User’s therapist.
Throughout these experiences, the App processes personal data to track User
engagement and to compute various metrics recorded during the User’s
participation in the Experiences to monitor adherence to the at-home
therapeutic regimen and support assessment of the User’s capabilities and
progress.
These metrics
are presented to the User after each completed Experience and stored in the App's
backend system.
Patients/legal guardians: Can access these metrics and statistics via the Web
Portal (hereinafter referred to as “Portal”) where they created their account,
or opt in to receive statistics by email.
Therapists: Can access a daily report of these metrics and statistics via the
App's user interface, or the Portal, which includes data from past days and weeks.
Personal data is
processed to authenticate the App, create and manage User profiles, and track engagement
with the Experiences. This data helps Us and the occupational therapist to
suggest appropriate Experiences and to adjust the automated therapy plan
creation in a highly personalized manner. Afterward, this data is anonymized
(removing identifying information) and stored in a database used to improve the
App's performance and development.
Users should be
aware that the App is designed for Users who are at least 5 years old.
Therapists may
use the Portal or the App remotely to review information about therapy sessions
conducted by patients at home.
Therapists’ data will
be processed for the purpose of App authentication, creation and management of
users’ profiles, creation of codes to create patients’ accounts and to link patients
to therapists, and enabling the use and analysis of Experiences by Users, parents
and therapists.
For more
information regarding the purposes and use of the App please refer to the Terms and Conditions.
Categories of Personal Data
While using the App,
Users' personal data is stored on the app's systems. When we refer to “personal
data,” we mean information that identifies, relates to, describes, is
reasonably capable of being associated with, or could reasonably be linked,
directly or indirectly to You or Your child. We collect personal data about You
and Your child directly from You and automatically through Your and Your
child’s use of the App or entered into the Portal. Throughout this privacy
policy, when we refer to personal data, that includes data about You and about Your
child. Special categories of personal data being processed pertain to
sensitive data requiring extra protection, including health-related data.
We collect
personal data to create Your account and to verify Your identity, ensuring that
the App is being used or supervised by an adult. The following categories of personal data are collected:
- Your and Your child’s name,
- age,
- contact information (e.g. Email address and phone number),
- the Encrypted Password for the account,
- the patient’s therapy intake form,
- diagnostic information, and
- linked therapist(s) IDs (if applicable).
Therapists:
Your personal
data is processed for the purpose of enabling the creation and management of Your
user profile and to that end the following categories of personal data may be
stored in the App:
- Name;
- Email address; and
- Link between You and Your therapist, if applicable.
Your name is
stored with additional encryption and in unencrypted form only accessible on
the local device by You and the patient linked to Your user account.
Clinic Administrators:
Your personal
data is processed for the purpose of performing the contract with the clinic
for which you work and managing the therapists under said contract. To that end
the following categories of personal data may be stored by the Web Portal:
- Contact email address; and
- Business phone number
Your name is
stored with additional encryption.
- Visual data from the phone’s camera;
- Accelerometer and gyroscopes sensor data;
- Training plans (the sequence of Experiences);
- Result metrics (scores and metrics from each level);
- App analytics and performance data;
- Settings used for each level; and
- Game statistics (score, time spent, points collected, experience gained).
Visual data from the phone's camera is analyzed
for metrics but not stored on the device. These metrics relate to the User's health.
When a therapist is linked to Your account, Your therapist(s) have access to:
- User profile;
- Metrics related to Experiences;
- Intake forms completed by parents or legal guardians and (automatically created) summaries thereof; and
- Therapy data.
Therapists
process personal data related to therapeutic experiences to monitor therapy
goals.
Clinics are entities that engage in a business
relationship with Korro and subscribe to the App for their therapists. When
Clinics purchase subscriptions, they have access to:
- User profile of therapists and patients.
- Therapeutic experiences of patients.
Clinics process personal data to manage the
therapist-patient relationship, assigning or reassigning patients to therapists.
We collect the following information to enter
into business relationships and fulfill our contractual obligations:
- Name;
- Address;
- Contact details; and
- Billing information.
We do not have access to data like credit card
or bank account details. The information will be securely collected and stored
by a third party.
We may use Your personal data in the
following ways for our business purposes:
- Deliver the App services:
  o including, but not limited to, the use of AI services to automatically process intake forms, creating a summary of the collected data, and recording achieved progress;
- Process, complete and fulfill Your requested transactions;
- Operate our business;
- Provide customer service and respond to requests or inquiries;
- Communicate with You;
- Tailor our marketing programs and campaigns; and
- Provide You with newsletters, articles, alerts, announcements, invitations, and other information about products and brands.
You must maintain a current and valid account
to use the App, and also meet certain eligibility criteria (e.g., minimum age).
In such cases, we may verify that You meet such criteria.
We may aggregate and/or de-identify data about You
and use it for any purpose, including product and service development and
improvement activities. These activities may include research purposes, such as
when we combine deidentified data across users to identify trends. To the
extent we deidentify any data originally based on personal data, we will
maintain and use such data only in deidentified form and will not attempt to
reidentify the data.
We may use Your
personal data, including information about Your therapy plan and related
metrics, to send notifications to the device on which the App is installed,
so-called push notifications. These notifications are intended to remind You of
Experiences that should be completed to achieve therapy goals. In order for you
to obtain these notifications your consent is required. You can opt-in to
receive notifications during the app setup, and You can manage the type of push
notifications you receive by modifying the settings within the operating system
of your device.
For many
devices, these services are provided by another company. The company providing
the notification service on your device may use, collect and process data in
accordance with their own terms and privacy policy. Korro is not responsible
for the data collected by the company providing the notification service.
Our app may only be used by individuals who are
at least 5 years old. Any collection or processing of personal data from
individuals under the age of 5 is strictly against our policy, done without our
knowledge, and a breach of our Terms of Use (https://terms.korro.ai). Persons under 18 years
of age are required to have their parents or legal guardian authorize their use
of the application.
We use technical,
administrative and procedural measures designed to safeguard Your personal
data from unauthorized access or use, including encryption of data in transit
and at rest. Your data is made accessible on a strict need-to-know basis, which
means only persons who absolutely need it will be able to access Your data. All
data which can directly identify You (e.g., your name) will be stored in Our
database with additional encryption, such that only the person who provided the
data will be able to read it.
The type and
form of consent will be identified based on the sensitivity of the Personal
Information and the reasonable expectations of the individual.
If express
consent is required this means that a clear, affirmative, and easily
withdrawable consent must be obtained on a voluntary basis, with all necessary
information being understandable and readily available before consent is
obtained.
Implied consent can
be inferred from an individual's actions or inaction, based on the context and
sensitivity of the data involved.
Consent given to
Us can be revoked at any time, with future effect, subject to any
legal/contractual requirements. You can withdraw Your consent at any time by
sending an email to office@first-privacy.com, stating Your KORRO User ID.
The withdrawal
of consent does not affect the lawfulness of the processing carried out based
on the consent until the withdrawal. If You withdraw Your consent, you will no
longer be able to use the App.
For Users who
revoke consent, no further data will be shared with Your therapist (if one was
linked). However, Your personal information (e.g.,
notes about You, including Your medical condition) may still be processed by
the therapist due to legal obligations to maintain medical records. We are not
responsible for any further processing of this data by the therapist.
For Users, once Your
therapist removes You as an active patient, Your access
to the App's Experiences and features will cease. This could occur upon
completion of Your therapy plan or when therapy services, including the use of
the App, end. We will retain Your data while You are an active patient and for
one month following deactivation, providing You and Your therapist the
opportunity to correct any deactivation-related issues or unintentional
deactivation errors before Your data is permanently deleted.
After
deactivation, You may consent to further storage of Your
personal data. If so, You will be able to access the
app and view Your personal data. Storing your personal data after deactivation
can be beneficial if you wish to resume or re-enter therapy or access your data
at a later time.
For therapists, You may delete Your account in the app settings. In that
case, Your data will be permanently erased.
You may access,
correct, or update Your information by accessing Your accounts or profiles on Our
Sites. You may at any time request
access to a summary of information we hold about you by contacting us at privacy@korro.ai.
For residents of
the EEA, certain requirements pertain to the processing of personal data. All
personal data processed must be based on a legal basis provided for within the
GDPR. The processing of personal data is based on the following:
- User profile and intake form analysis – explicit consent, Art. 9 Para. 2 lit. a GDPR
- Therapeutic Experiences – based on Your explicit consent, Art. 9 Para. 2 lit. a GDPR
- Data Processed by Therapists – based on Your explicit consent, Art. 9 Para. 2 lit. a GDPR
- Notifications – based on Your explicit consent, Art. 9 Para. 2 lit. a GDPR
- Retaining data for one month after deactivation – based on Your explicit consent, Art. 9 Para. 2 lit. a GDPR
- Any disclosure of data as part of a legal obligation – compliance with a legal obligation, Art. 6 Para. 1 lit. c GDPR
- Data processed to manage the therapist-patient relationship – legitimate interest, Art. 6 Para. 1 lit. f GDPR
If You wish to
access, correct, update or request deletion of Your personal information You
can do so at any time.
You can object
to processing of Your personal information, ask us to restrict processing of Your
personal information or request portability of Your personal information.
You also have
the right to request deletion of Your information at any time by sending an
email with your KORRO User ID to privacy@korro.ai. Upon receipt of Your deletion request, all data associated with You,
including therapy data, metrics, statistics, and user profile data, will be
deleted. Please note that requesting the deletion of your personal information
prior to the completion of therapy may interfere with therapy work and goals.
You can withdraw
Your consent to the processing of Your personal data at any time. Withdrawing Your
consent will not affect the lawfulness of any processing we conducted prior to Your
withdrawal, nor will it affect processing of Your personal information
conducted in reliance on lawful processing grounds other than consent.
You have the
right to complain to a data protection authority about our collection and use
of Your personal information.
If You wish to
exercise any of these rights or want further information, please contact Us
using the details below.
Residents of the United
States may be entitled to certain rights dependent on the state of residence. Therefore,
You may have the following data protection rights:
If You wish to
access Your personal information You can do so at any time. Once we receive Your
request, we will disclose to You the information requested (including free
provision of a copy), including:
- The categories of personal information collected.
- The categories of sources of such information.
- The purposes for which we collected the personal information.
- The categories of personal information that we have disclosed for a business purpose.
- Information about any sales of Your personal information.
You also have
the right to rectify inaccurate personal data, restrict processing and object
to the use of the data.
You have the
right to request deletion of your information at any time by sending an email
with your KORRO User ID to privacy@korro.ai. Upon receipt of Your deletion request, all data associated with You,
including therapy data, metrics, statistics, and user profile data, will be
deleted. Please note that requesting the deletion of your personal information
prior to the completion of therapy may interfere with therapy work and goals.
You can request
portability of Your personal information, transferring the data collected about
You to You or to a body designated by You.
You have the
right to not receive discriminatory treatment for exercising Your rights, and We
will not discriminate against You for exercising any of Your rights.
Your rights may
be restricted in case a legal obligation to store Your personal data is
applicable. If You wish to exercise any of these rights or want further
information, please contact Us at privacy@korro.ai to do so.
For residents
of Canada, consent is required for the processing of your personal information. Consent
to the collection, use, transfer and disclosure of personal information may be
given in various ways as described above in Section 3.
In some cases,
we may be permitted or required by law to collect, use, transfer and disclose
Personal Information without consent, for example to comply with a court order
or comply with local, provincial or federal regulations.
The processing
of personal data is based on the following:
- User profile and intake form analysis – explicit consent
- Therapeutic Experiences – explicit consent
- Data Processed by Therapists – explicit consent
- Notifications – explicit consent
- Retaining data for one month after deactivation – explicit consent
- Any disclosure of data as part of a legal obligation – compliance with a legal obligation
- Data processed to manage the therapist-patient relationship – explicit consent
- Disclosures and transfers to third countries as listed below in section 10 – explicit consent
If You wish to
access, correct, update or request deletion of Your personal information You may
do so at any time. You have the right to request access to information relating
to the existence, use, and disclosure of Your personal information.
You have the
right to withdraw consent at any time; however, we may retain personal
information for the period in which it is necessary to fulfill the purpose for
which it was collected.
You have the right
to file a complaint with the Office of the Privacy Commissioner (OPC) if You
believe Korro is in violation of the Personal Information Protection and Electronic
Documents Act (PIPEDA).
If You wish to
exercise any of these rights or want further information, please contact Us at privacy@korro.ai to do so.
Our collection
of personal data about children is intended to follow current data protection
regulations. We obtain parental consent before collecting personal data about
children. We collect information about a child’s use of the App as described in
this Privacy Policy and only as reasonably necessary to participate in the App.
Parents may contact Us at privacy@korro.ai to review, update, or delete any of their children’s personal data that
We may have collected and to elect for Us not to collect any additional
personal data from their children. We do not sell personal data about children
or legal guardians.
It may be
necessary for Us to disclose Your personal data to third parties. These parties
may be located outside of the country in which You reside, which may include
countries within the EEA, the United States or Israel. When transferring to
third countries We do so in accordance with data protection regulations to
which We are subject, including adequacy decisions, Standard Contractual
Clauses, or other legal instruments.
We may disclose
your personal data to third parties as follows:
We may transfer
Your personal data to clinics and therapists who are working together with you
to utilize the App. This data is necessary for the purposes of administering
any changes to medical providers (therapists), providing accurate experience
levels and monitoring therapy goals. For more information please see Sections
1.1.3 and 1.1.4.
The transfer is
based on contractual agreements, between Korro and the clinics or therapists,
in accordance with data protection law, and where necessary including
appropriate safeguards such as standard contractual clauses, which you can
request at privacy@korro.ai.
We may transfer Your
personal data to affiliates located in Israel and the United Kingdom. The
transfer is based on the European Commission's recognition that Israel and the
United Kingdom provide adequate protection for Your personal data. Click here for more details about the adequacy
decisions. We may also transfer your personal data to the United States based
on appropriate safeguards such as standard contractual clauses, which you can
request at privacy@korro.ai.
If We sell or
transfer Korro, a business unit, or an asset (such as a website or data assets)
to another company (including in connection with any bankruptcy or similar
proceedings), we will disclose Your personal data to such company and will
require such company to use and protect Your personal data consistent with this
Privacy Policy. We may also disclose Your personal data to companies that were
formerly wholly or partly included in the Korro family of companies to whom We
provide services during a transition period following separation.
We may retain
other companies and individuals to perform services on Our behalf and We may
collaborate with other companies and individuals with respect to particular
products or services (collectively, “Service Providers”). These third parties
may be provided with access to personal data, including through cookies,
pixels, and similar technologies, to perform their functions. Examples of Service Providers include companies that
provide order and payment processing services, customer (end user) service and support
and customer (clinic) relationship management services, as well as email and
SMS vendors, advertising vendors, data analytics firms, cloud providers, AI
service providers, hosting and development companies and fulfillment companies.
Some Service Providers may collect personal data on our behalf on the App or in
the Portal.
We believe it is
very important to keep your personal data safe and therefore only provide AI
systems with anonymized data. This data is then, for instance, used to
summarize your results and activities in our app as well as to adapt configurations
and parametrizations of the app for the therapist to review.
Safeguarding
Your data is our top priority. Therefore, whenever such technologies are used,
we ensure that personal data are processed only when necessary and in
compliance with applicable data protection legislation. Here is how we address
risks typically related to the use of AI systems:
1. Accidental deletion or alteration: Our
system is designed in a way that data provided by AI systems are always
complementing but never replacing or altering existing data. E.g. we use AI
systems to summarize the intake form provided to your therapist, but the
original data of the intake form is never changed or updated in this process.
2. Unauthorized access: all data
provided to AI systems is anonymized, thus preventing unauthorized access to
your personal data. In addition, the terms with service providers are set up in
a way that data used for a specific request is not stored in the system of the
service provider beyond the lifecycle of the request.
3. Unintentional bias: no automatic
decisions are being made in our platform based on the results we receive from
AI systems. Review and approval steps are enforced in any critical path using
AI systems.
4. Your data being used to train models
and advance the technology of service providers: The terms we have in place
with our service providers prevent data being used for training purposes.
Furthermore, your data is always undergoing an anonymization step before being
sent to the service providers.
We reserve the
right to disclose your personal data as required by law, such as to comply with
a subpoena or other legal process, or to comply with government reporting
obligations; when We believe in good faith that disclosure is necessary (a) to
protect our rights, the integrity of the services, or Your safety or the safety
of others, or (b) to detect, prevent, or respond to fraud, intellectual
property infringement, violations of our Terms of Use, violations of law, or
other misuse of the services.
We may also
disclose aggregate and/or de-identified data that is not personally
identifiable to third parties for any purpose permitted under applicable law.
We reserve the
right to modify our security and privacy practices if technical developments
necessitate it. In such instances, We will accordingly
update our Privacy Policy and promptly notify you within the App. If this
Privacy Policy changes in a way that significantly affects how We handle
personal data, We will not use the personal data We
previously gathered in the manner described in the new policy without providing
notice and/or obtaining your consent, as appropriate. Please refer to the
current version of our privacy policy. The date of the last revision of this
Privacy Policy can be found at https://privacy.korro.ai/.
Please note
that, due to technological advancements, We cannot
guarantee that previous versions of the App will remain functional.
You can access the Privacy Policy within the app at any time by clicking
on the link in the settings page or by accessing https://privacy.korro.ai/.
For any further questions, suggestions or complaints regarding the
Privacy Policy and the processing of Your personal data, please contact Us
directly at privacy@korro.ai.
You also have the right, without prejudice to any other administrative
or judicial remedy, to lodge a complaint with a data protection authority,
especially in the Member State where You reside, work, or where the alleged
infringement occurred, if You believe that the processing of personal data
relating to you infringes the GDPR or local data protection laws.
By clicking Submit, I consent to the processing of
my/my child’s personal data particularly health information, to be collected,
recorded, used, shared and retained as described in the preceding sections. I
understand that I can withdraw my consent at any time, effective for the
future, by sending a request to privacy@korro.ai.
By clicking Submit, I acknowledge that my/my child’s
personal data, including information about my/my child’s health, will be
gathered, stored and used for the purposes outlined in the preceding sections.
I understand that the processing of my personal data, including my health data,
is necessary for the proper functioning of the KORRO health application. I
acknowledge that I have read and understand the Terms of Use (https://terms.korro.ai) and this Privacy Policy.
Korro AI Limited
2nd Floor, 167-169 Great Portland Street,
London W1W 5PF,
United Kingdom
Web: www.korro.ai
E-mail: privacy@korro.ai
You can contact our Data Protection Officer at:
FIRST PRIVACY GmbH
Konsul-Smidt-Str. 88
28217 Bremen, Germany
E-mail: office@first-privacy.com