Last Updated in April 2025
The protection of the security and
confidentiality of your (hereinafter referred to as "You" or "User")
data is of particular importance to Korro AI Ltd (hereinafter referred to as
“We”, “Us”, “Our” or “Korro”) who is responsible for the KORRO health
application for mobile devices (hereinafter referred to as the "App")
and as such will act as the data controller with regard to your personal data.
In the following sections, we’ll inform you about the types of personal data
that we’ll collect and process, the purposes we pursue and the rights you are
entitled to enforce as a data subject.
The App is
intended to supplement clinical care by coaching and motivating children undergoing
or in need of occupational therapy. If You are a different type of healthcare
provider and elect to use the App, You do so at Your
sole risk and You are solely responsible for complying with Your local
applicable law and all other local rules, codes and best practices of Your
employer (if applicable), licensing organization(s) and industry. For more
information regarding the use of the App, please refer to https://userterms.korro.ai.
The App aims to
encourage the User’s adherence to a therapeutic regimen specified by an
Occupational Therapist (OT) and motivates the User to reach their occupational therapy
goals. The App supplements and can be used as part of in-clinic therapy, i.e.,
a patient will use the App during therapy sessions with their therapist as well
as between therapy sessions at home. The code to create a User’s account in the
App is generated by the User’s occupational therapist. Users and their personal
data are linked by default to their therapist who generates the User’s access
to the App.
The App guides Users
through a series of tasks, referred to as "Experiences," based on
their therapy plan. These experiences aim to enhance certain physical abilities
based on the User's therapeutic needs as identified by the User’s therapist.
Throughout these experiences, the App processes personal data to track User
engagement and to compute various metrics recorded during the User’s
participation in the Experiences to monitor adherence to the at-home
therapeutic regimen and support assessment of the User’s capabilities and
progress.
These metrics
are presented to the User after each completed Experience and stored in the App's
backend system.
Patients/legal guardians:
Can access these
metrics and statistics via the Web Portal (hereinafter referred to as “Portal”)
where they created their account or opt in to receive statistics by email.
Therapists:
Can access a
daily report of these metrics and statistics via the App's user interface, or
the Portal which includes data from past days and weeks.
Personal data is
processed to authenticate the App, create and manage User profiles, and track engagement
with the Experiences. This data helps Us and the occupational therapist to
suggest appropriate Experiences and to adjust the automated therapy plan
creation in a highly personalized manner. Afterward, this data is anonymized
(removing identifying information) and stored in a database used to improve the
App's performance and development.
Users should be
aware that the App is designed for Users who are at least 5 years old.
Therapists may
use the Portal or the App remotely to review information about therapy sessions
conducted by patients at home.
Therapists’ data
will be processed for the purpose of App authentication, creation and
management of users’ profiles, creation of codes to create patient’s accounts
and to link patients to therapists, enabling the use and analysis of
Experiences by Users, parents and therapists.
For more
information regarding the purposes and use of the App please refer to the Terms and Conditions.
Categories of Personal Data.
While using the App,
Users' personal data is stored on the app's systems. When we refer to “personal
data,” we mean information that identifies, relates to, describes, is
reasonably capable of being associated with, or could reasonably be linked,
directly or indirectly to You or Your child. We collect personal data about You
and Your child directly from You and automatically through Your and Your
child’s use of the App or entered into the Portal.
Throughout this privacy policy, when we refer to personal data, that includes
data about You and about Your child. The special categories of personal data being
processed pertain to sensitive data requiring extra protection, including
health-related data.
We collect
personal data to create Your account and to verify Your identity, ensuring that
the App is being used or supervised by an adult. The following categories of personal data are collected:
- Your and Your child’s name,
- age,
- contact information (e.g. Email address and phone number),
- the Encrypted Password for the account,
- the patient’s therapy intake form,
- diagnostic information, and
- linked therapist(s) IDs (if applicable).
Therapists:
Your personal
data is processed for the purpose of enabling the creation and management of Your
user profile and to that end the following categories of personal data may be
stored in the App:
- Name;
- Email address; and
- Link between You and Your therapist, if applicable.
Your name is
stored with additional encryption and in unencrypted form only accessible on
the local device by You and the patient linked to Your user account.
Clinic Administrators:
Your personal
data is processed for the purpose of performing the contract with the clinic
for which you work and managing the therapists under said contract. To that end
the following categories of personal data may be stored by the Webportal:
- Contact email address; and
- Business phone number
Your name is
stored with additional encryption.
- Visual data from the phone’s camera;
- Accelerometer and gyroscope sensor data;
- Training plans (the sequence of Experiences);
- Result metrics (scores and metrics from each level);
- Pose data (locations of observed joints) for each played level;
- App analytics and performance data;
- Settings used for each level; and
- Game statistics (score, time spent, points collected, experience gained).
Visual data from the phone's camera is analyzed
for metrics but not stored on the device. These metrics relate to the User's health.
When a therapist
is linked to Your account, Your therapist(s) have
access to:
- User profile;
- Metrics and game statistics related to Experiences;
- Pose Data (to visualize Your motions using e.g. a 3D representation);
- Intake forms completed by parents or legal guardians and (automatically created) summaries thereof; and
- Therapy data.
Therapists
process personal data related to therapeutic experiences to monitor therapy
goals.
Therapists may process additional health
information related to diagnostics or assessments carried out by the therapist
with the assistance of the App.
Therapists may
use in-app tools to facilitate the input of therapy goals or to complete notes
for insurance purposes, such as speech-to-text functions where audio data and
transcripts may be processed. Audio data and transcripts may contain personal
data, including health data.
Clinics are entities that engage in a business
relationship with Korro and subscribe to the App for their therapists. When
Clinics purchase subscriptions, they have access to:
- User profile of therapists and patients.
- Therapeutic experiences of patients and data thereof
Clinics process personal data to manage the
therapist-patient relationship, assigning or reassigning patients to therapists.
We collect the following information to enter into business relationships and fulfill our
contractual obligations:
- Name;
- Address;
- Contact details; and
- Billing information.
We do not have access to data like credit card
or bank account details. The information will be securely collected and stored
by a third party.
We may use Your personal data in the
following ways for our business purposes:
- Deliver the App services:
  o including, but not limited to the use of AI
    services to automatically process intake forms creating a summary of the
    collected data, complete initial reviews of assessments, and recording achieved
    progress;
- Process, complete and fulfill Your requested transactions;
- Operate our business;
- Provide customer service and respond to requests or inquiries;
- Communicate with You;
- Tailor our marketing programs and campaigns; and
- Provide You with newsletters, articles, alerts,
  announcements, invitations, and other information about products and brands.
You must maintain a current and valid account
to use the App, and also meet certain eligibility
criteria (e.g., minimum age). In such cases, we may verify that You meet such
criteria.
We may aggregate and/or de-identify data about You
and use it for any purpose, including product and service development and
improvement activities. These activities may include research purposes, such as
when we combine deidentified data across users to identify trends. To the
extent we deidentify any data originally based on personal data, we will
maintain and use such data only in deidentified form and will not attempt to
reidentify the data.
We may use Your
personal data, including information about Your therapy plan and related
metrics, to send notifications to the device on which the App is installed,
so-called push notifications. These notifications are intended to remind You of
Experiences that should be completed to achieve therapy goals. In order for you to obtain these notifications your consent
is required. You can opt in to receive notifications during the app setup, and You
can manage the type of push notifications you receive by modifying the settings
within the operating system of your device.
For many
devices, these services are provided by another company. The company providing
the notification service on your device may collect and process data in
accordance with their own terms and privacy policy. Korro is not responsible
for the data collected by the company providing the notification service.
Our app may only be used by individuals who are
at least 5 years old. Any collection or processing of personal data from
individuals under the age of 5 is strictly against our policy, done without our
knowledge, and a breach of our https://terms.korro.ai. Persons under 18 years
of age are required to have their parents or legal guardian authorize their use
of the application.
We use technical,
administrative and procedural measures designed to safeguard Your personal data
from unauthorized access or use, including encryption of data in transit and at
rest. Your data is made accessible on a strict need-to-know basis, which means
only persons who absolutely need it will be able to access Your data. All data
which can directly identify You (e.g., your name) will be stored in Our
database with additional encryption, such that only the person who provided the
data will be able to read it.
The type and
form of consent will be identified based on the sensitivity of the Personal
Information and the reasonable expectations of the individual.
If express
consent is required this means that a clear, affirmative, and easily
withdrawable consent must be obtained on a voluntary basis, with all necessary
information being understandable and readily available before consent is
obtained.
Implied consent can
be inferred from an individual's actions or inaction, based on the context and
sensitivity of the data involved.
Consent given to
Us can be revoked at any time, with future effect, subject to any
legal/contractual requirements. You can withdraw Your consent at any time by
sending an email to office@first-privacy.com, stating Your KORRO User ID.
The withdrawal
of consent does not affect the lawfulness of the processing carried out based
on the consent until the withdrawal. If You withdraw Your consent, you will no
longer be able to use the App.
For Users who
revoke consent, no further data will be shared with Your therapist (if one was
linked). However, Your personal information (e.g.,
notes about You, including Your medical condition) may still be processed by
the therapist due to legal obligations to maintain medical records. We are not
responsible for any further processing of this data by the therapist.
For Users, once Your
therapist removes You as an active patient, Your access
to the App's Experiences and features will cease. This could occur upon
completion of Your therapy plan or when therapy services, including the use of
the App, end. We will retain Your data while You are an active patient and for
one month following deactivation, providing You and Your therapist the
opportunity to correct any deactivation-related issues or unintentional
deactivation errors before Your data is permanently deleted.
After
deactivation, You may consent to further storage of Your
personal data. If so, You will be able to access the
app and view Your personal data. Storing your personal data after deactivation
can be beneficial if you wish to resume or re-enter therapy or access your data
at a later time.
For therapists, You may delete Your account in the app settings. In that
case, Your data will be permanently erased.
You may access,
correct, or update Your information by accessing Your accounts or profiles on Our
Sites. You may at any time request
access to a summary of information we hold about you by contacting us at privacy@korro.ai.
For residents of
the EEA, certain requirements pertain to the processing of personal data. All
personal data processed must be based on a legal basis provided for within the
GDPR. The processing of personal data is based on the following:
- User profile and intake form analysis – explicit
  consent, Art. 9 Para. 2 lit. a GDPR
- Therapeutic Experiences – based on Your
  explicit consent, Art. 9 Para. 2 lit. a GDPR
- Data Processed by Therapists – based on Your
  explicit consent, Art. 9 Para. 2 lit. a GDPR
- Notifications – based on Your explicit consent,
  Art. 9 Para. 2 lit. a GDPR
- Retaining data for one month after deactivation
  – based on Your explicit consent, Art. 9 Para. 2 lit. a GDPR
- Any disclosure of data as part of a legal
  obligation – compliance with a legal obligation, Art. 6 Para. 1 lit. c GDPR
- Data processed to manage the therapist-patient
  relationship – legitimate interest, Art. 6 Para. 1 lit. f GDPR
If You wish to
access, correct, update or request deletion of Your personal information You
can do so at any time.
You can object
to processing of Your personal information, ask us to restrict processing of Your
personal information or request portability of Your personal information.
You also have
the right to request deletion of Your information at any time by sending an
email with your KORRO User ID to privacy@korro.ai. Upon receipt of Your deletion request, all data associated with You,
including therapy data, metrics, statistics, and user profile data, will be
deleted. Please note that requesting the deletion of your personal information
prior to the completion of therapy may interfere with therapy work and goals.
You can withdraw
Your consent to the processing of Your personal data at any time. Withdrawing Your
consent will not affect the lawfulness of any processing we conducted prior to Your
withdrawal, nor will it affect processing of Your personal information
conducted in reliance on lawful processing grounds other than consent.
You have the
right to complain to a data protection authority about our collection and use
of Your personal information.
If You wish to
exercise any of these rights or want further information, please contact Us
using the details below.
Residents of the United
States may be entitled to certain rights dependent on the state of residence. Therefore,
You may have the following data protection rights:
If You wish to
access Your personal information You can do so at any time. Once we receive Your
request, we will disclose to You the information requested (including free
provision of a copy), including:
- The categories of personal information collected.
- The categories of sources of such information.
- The purposes for which we collected the personal information.
- The categories of personal information that we have disclosed for a business purpose.
- Information about any sales of Your personal information.
You also have
the right to rectify inaccurate personal data, restrict processing and object
to the use of the data.
You have the
right to request deletion of your information at any time by sending an email
with your KORRO User ID to privacy@korro.ai. Upon receipt of Your deletion request, all data associated with You,
including therapy data, metrics, statistics, and user profile data, will be
deleted. Please note that requesting the deletion of your personal information
prior to the completion of therapy may interfere with therapy work and goals.
You can request
portability of Your personal information, transferring the data collected about
You to You or to a body designated by You.
You have the
right to not receive discriminatory treatment for exercising Your rights, and We
will not discriminate against You for exercising any of Your rights.
Your rights may
be restricted in case a legal obligation to store Your personal data is
applicable. If You wish to exercise any of these rights or want further
information, please contact Us at privacy@korro.ai to do so.
For residents
of Canada, consent is required for the processing of your personal information. Consent
to the collection, use, transfer and disclosure of personal information may be
given in various ways as described above in Section 3.
In some cases,
we may be permitted or required by law to collect, use, transfer and disclose
Personal Information without consent, for example to comply with a court order
or comply with local, provincial or federal regulations.
The processing
of personal data is based on the following:
- User profile and intake form analysis – explicit consent
- Therapeutic Experiences – explicit consent
- Data Processed by Therapists – explicit consent
- Notifications – explicit consent
- Retaining data for one month after deactivation – explicit consent
- Any disclosure of data as part of a legal
  obligation – compliance with a legal obligation
- Data processed to manage the therapist-patient
  relationship – explicit consent
- Disclosures and transfers to third countries as
  listed below in section 10 – explicit consent
If You wish to
access, correct, update or request deletion of Your personal information You may
do so at any time. You have the right to request access to information relating
to the existence, use, and disclosure of Your personal information.
You have the
right to withdraw consent at any time; however, we may retain personal
information for the period in which it is necessary to fulfill the purpose for
which it was collected.
You have the right
to file a complaint with the Office of the Privacy Commissioner (OPC) if You
believe Korro is in violation of the Personal Information Protection and Electronic
Documents Act (PIPEDA).
If You wish to
exercise any of these rights or want further information, please contact Us at privacy@korro.ai to do so.
Our collection
of personal data about children is intended to follow current data protection
regulations. We obtain parental consent before collecting personal data about
children. We collect information about a child’s use of the App as described in
this Privacy Policy and only as reasonably necessary to participate in the App.
Parents may contact Us at privacy@korro.ai to review, update, or delete any of their children’s personal data that
We may have collected and to elect for Us not to collect any additional
personal data from their children. We do not sell personal data about children
or legal guardians.
It may be
necessary for Us to disclose Your personal data to third parties. These parties
may be located outside of the country in which You reside, which may include
countries within the EEA, the United States or Israel. When transferring to
third countries We do so in accordance with data protection regulations to
which We are subject, including adequacy decisions, Standard Contractual
Clauses, or other legal instruments.
We may disclose
your personal data to third parties as follows:
We may transfer
Your personal data to clinics and therapists who are working together with you
to utilize the App. This data is necessary for the purposes of administering
any changes to medical providers (therapists), providing accurate experience
levels and monitoring therapy goals. For more information
please see Sections 1.1.3 and 1.1.4.
The transfer is
based on contractual agreements, between Korro and the clinics or therapists,
in accordance with data protection law, and where necessary including
appropriate safeguards such as standard contractual clauses, which you can
request at privacy@korro.ai.
We may transfer Your
personal data to affiliates located in Israel and the United Kingdom. The
transfer is based on the European Commission's recognition that Israel and the
United Kingdom provide adequate protection for Your personal data. Click here for more details about the adequacy
decisions. We may also transfer your personal data to the United States based
on appropriate safeguards such as standard contractual clauses, which you can
request at privacy@korro.ai.
If We sell or
transfer Korro, a business unit, or an asset (such as a website or data assets)
to another company (including in connection with any bankruptcy or similar
proceedings), we will disclose Your personal data to such company and will
require such company to use and protect Your personal data consistent with this
Privacy Policy. We may also disclose Your personal data to companies that were
formerly wholly or partly included in the Korro family of companies to whom We
provide services during a transition period following separation.
We may retain
other companies and individuals to perform services on Our behalf and We may
collaborate with other companies and individuals with respect to particular products or services (collectively, “Service
Providers”). These third parties may be provided with access to personal data,
including through cookies, pixels, and similar technologies, to perform their
functions. Examples of Service Providers include
companies that provide order and payment processing services, customer (end
user) service and support and customer (clinic) relationship management
services, as well as email and SMS vendors, advertising vendors, data analytics
firms, cloud providers, AI service providers, speech-to-text providers, hosting
and development companies and fulfillment companies. Some Service Providers
may collect personal data on our behalf on the App or in the Portal.
We believe it is
very important to keep your personal data safe and therefore only provide AI
systems with anonymized data. This data is then, for instance, used to
summarize your results and activities in our app as well as to adapt configurations
and parametrizations of the app for the therapist to review.
Safeguarding
Your data is our top priority. Therefore, whenever such technologies are used,
we ensure that personal data are processed only when necessary and in
compliance with applicable data protection legislation. Here is how we address
risks typically related to the use of AI systems:
1. Accidental
deletion or alteration: Our system is designed in a way that data provided by
AI systems are always complementing but never replacing or altering existing
data. E.g. we use AI systems to summarize the intake form provided to your
therapist, but the original data of the intake form is never changed or updated
in this process.
2. Unauthorized
access: all data provided to AI systems is anonymized, thus preventing
unauthorized access to your personal data. In addition, the terms with service
providers are set up in a way that data used for a specific request is not
stored in the system of the service provider beyond the lifecycle of the
request.
3. Unintentional
bias: no automatic decisions are being made in our platform based on the
results we receive from AI systems. Review and approval steps are enforced in
any critical path using AI systems.
4. Your data being
used to train models and advance the technology of service providers: The terms
we have in place with our service providers prevent data being used for
training purposes. Furthermore, your data is always undergoing an anonymization
step before being sent to the service providers.
We reserve the
right to disclose your personal data as required by law, such as to comply with
a subpoena or other legal process, or to comply with government reporting
obligations; when We believe in good faith that disclosure is necessary (a) to
protect our rights, the integrity of the services, or Your safety or the safety
of others, or (b) to detect, prevent, or respond to fraud, intellectual
property infringement, violations of our Terms of Use, violations of law, or
other misuse of the services.
We may also
disclose aggregate and/or de-identified data that is not personally
identifiable to third parties for any purpose permitted under applicable law.
We reserve the
right to modify our security and privacy practices if technical developments
necessitate it. In such instances, We will accordingly
update our Privacy Policy and promptly notify you within the App. If this
Privacy Policy changes in a way that significantly affects how We handle
personal data, We will not use the personal data We
previously gathered in the manner described in the new policy without providing
notice and/or obtaining your consent, as appropriate. Please refer to the
current version of our privacy policy. The date of the last revision of this
Privacy Policy can be found at https://privacy.korro.ai/.
Please note
that, due to technological advancements, We cannot
guarantee that previous versions of the App will remain functional.
You can access the Privacy Policy within the app at any time by clicking
on the link in the settings page or by accessing https://privacy.korro.ai/.
For any further questions, suggestions or complaints regarding the
Privacy Policy and the processing of Your personal data, please contact Us
directly at privacy@korro.ai.
You also have the right, without prejudice to any other administrative
or judicial remedy, to lodge a complaint with a data protection authority,
especially in the Member State where You reside, work, or where the alleged
infringement occurred, if You believe that the processing of personal data
relating to you infringes the GDPR or local data protection laws.
By clicking Submit, I consent to the processing of
my/my child’s personal data, particularly health information, to be collected,
recorded, used, shared and retained as described in the preceding sections. I
understand that I can withdraw my consent at any time, effective for the
future, by sending a request to privacy@korro.ai.
By clicking Submit, I acknowledge that my/my child’s
personal data, including information about my/my child’s health, will be
gathered, stored and used for the purposes outlined in the preceding sections.
I understand that the processing of my personal data, including my health data,
is necessary for the proper functioning of the KORRO health application. I
acknowledge that I have read and understand the Terms of Use (https://terms.korro.ai) and this Privacy Policy.
Korro AI Limited
2nd Floor, 167-169 Great Portland Street,
London W1W 5PF,
United Kingdom
Web: www.korro.ai
E-mail: privacy@korro.ai
You can contact our Data Protection Officer at:
FIRST PRIVACY GmbH
Konsul-Smidt-Str. 88
28217 Bremen, Germany
E-mail: office@first-privacy.com