Korro AI Ltd

Last Updated on September 30, 2024

Privacy Policy

The protection of the security and confidentiality of your (hereinafter referred to as “You” or “User”) data is of particular importance to Korro AI Ltd (hereinafter referred to as “We”, “Us”, “Our” or “Korro”), which is responsible for the KORRO health application for mobile devices (hereinafter referred to as the “App”) and as such will act as the data controller with regard to your personal data. In the following sections, we’ll inform you about the types of personal data that we’ll collect and process, the purposes we pursue and the rights you are entitled to enforce as a data subject.

1.  Purpose of the KORRO health app

The App is intended to supplement clinical care by coaching and motivating children undergoing or in need of occupational therapy. If You are a different type of healthcare provider and elect to use the App, You do so at Your sole risk and You are solely responsible for complying with Your local applicable law and all other local rules, codes and best practices of Your employer (if applicable), licensing organization(s) and industry. For more information regarding the use of the App please refer to the Terms and Conditions.

The App aims to encourage the User’s adherence to a therapeutic regimen specified by an Occupational Therapist (OT) and motivates the User to reach their occupational therapy goals. The App supplements and can be used as part of in-clinic therapy, i.e., a patient will use the App during therapy sessions with their therapist as well as between therapy sessions at home. The code used to create a User’s account in the App is generated by the User’s occupational therapist. Users and their personal data are linked by default to the therapist who generates the User’s access to the App.

The App guides Users through a series of tasks, referred to as "Experiences," based on their therapy plan. These experiences aim to enhance certain physical abilities based on the User's therapeutic needs as identified by the User’s therapist. Throughout these experiences, the App processes personal data to track User engagement and to compute various metrics recorded during the User’s participation in the Experiences to monitor adherence to the at-home therapeutic regimen and support assessment of the User’s capabilities and progress.

These metrics are presented to the User after each completed Experience and stored in the App's backend system.

Patients/legal guardians:

Can access these metrics and statistics via the Web Portal (hereinafter referred to as “Portal”) where they created their account, or opt in to receive statistics by email.

Therapists:

Can access a daily report of these metrics and statistics via the App's user interface or the Portal, which includes data from past days and weeks.

Personal data is processed to authenticate the App, create and manage User profiles, and track engagement with the Experiences. This data helps Us and the occupational therapist to suggest appropriate Experiences and to adjust the automated therapy plan creation in a highly personalized manner. Afterward, this data is anonymized (removing identifying information) and stored in a database used to improve the App's performance and development.

Users should be aware that the App is designed for Users who are at least 5 years old.

Therapists may use the Portal or the App remotely to review information about therapy sessions conducted by patients at home.

Therapists’ data will be processed for the purpose of App authentication, creation and management of users’ profiles, creation of codes to create patients’ accounts and to link patients to therapists, and enabling the use and analysis of Experiences by Users, parents and therapists.

For more information regarding the purposes and use of the App please refer to the Terms and Conditions.

1.1. Categories of Personal Data

While using the App, Users' personal data is stored on the App's systems. When we refer to “personal data,” we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to You or Your child. We collect personal data about You and Your child directly from You and automatically through Your and Your child’s use of the App, or as entered into the Portal. Throughout this privacy policy, when we refer to personal data, that includes data about You and about Your child. The special categories of personal data being processed pertain to sensitive data requiring extra protection, including health-related data.

The use of the App and collection of personal data is entirely voluntary. We only use the personal data collected for the purposes outlined in the following sections. We process personal data based on the User's explicit consent.

1.1.1. User Profile

Patient:

We collect personal data to create Your account and to verify Your identity, ensuring that the App is being used or supervised by an adult. The following categories of personal data are collected:

-        Your and Your child’s name,

-        age,

-        contact information (e.g. Email address and phone number),

-        the Encrypted Password for the account,

-        the patient’s therapy intake form,

-        diagnostic information, and

-        linked therapist(s) IDs (if applicable).

Names and other sensitive data like diagnostic information or intake form contents are stored with additional encryption.

Therapists:

Your personal data is processed for the purpose of enabling the creation and management of Your user profile and to that end the following categories of personal data may be stored in the App:

-        Name;

-        Email address; and

-        Link between You and Your therapist, if applicable.

Your name is stored with additional encryption; in unencrypted form it is accessible only on the local device, by You and the patient linked to Your user account.

Clinic Administrators:

Your personal data is processed for the purpose of performing the contract with the clinic for which You work and managing the therapists under said contract. To that end the following categories of personal data may be stored by the Web Portal:

-        Contact email address; and

-        Business phone number

Your name is stored with additional encryption.

1.1.2. Therapeutic Experiences

When You use the App, we collect personal data to allow You and Your child to engage with the Experiences, including the following information:

-        Visual data from the phone’s camera;

-        Accelerometer and gyroscope sensor data;

-        Training plans (the sequence of Experiences);

-        Result metrics (scores and metrics from each level);

-        App analytics and performance data;

-        Settings used for each level; and

-        Game statistics (score, time spent, points collected, experience gained).

Visual data from the phone's camera is analyzed for metrics but not stored on the device. These metrics relate to the User's health.

1.1.3. Data processed by therapists

When a therapist is linked to Your account, Your therapist(s) have access to:

-        User profile;

-        Metrics related to Experiences;

-        Intake forms completed by parents or legal guardians and (automatically created) summaries thereof; and

-        Therapy data.

Therapists process personal data related to therapeutic experiences to monitor therapy goals.

1.1.4. Data processed by Clinics

Clinics are entities that engage in a business relationship with Korro and subscribe to the App for their therapists. When Clinics purchase subscriptions, they have access to:

-        User profile of therapists and patients; and

-        Therapeutic experiences of patients.

Clinics process personal data to manage the therapist-patient relationship, assigning or reassigning patients to therapists.

1.1.5. Contractual and pre-contractual relationship

We collect the following information to enter into business relationships and fulfill our contractual obligations:

-        Name;

-        Address;

-        Contact details; and

-        Billing information.

We do not have access to data like credit card or bank account details. The information will be securely collected and stored by a third party.

1.2. Purpose of Processing Your Personal Data

We may use Your personal data in the following ways for our business purposes:

1.2.1. To Serve You

We use Your personal data to:

-        Deliver the App services:

o   including, but not limited to, the use of AI services to automatically process intake forms, creating a summary of the collected data and recording achieved progress;

-        Process, complete and fulfill Your requested transactions;

-        Operate our business;

-        Provide customer service and respond to requests or inquiries;

-        Communicate with You;

-        Tailor our marketing programs and campaigns; and

-        Provide You with newsletters, articles, alerts, announcements, invitations, and other information about products and brands.

1.2.2. To Validate Your Ability to Use the App

You must maintain a current and valid account to use the App, and also meet certain eligibility criteria (e.g., minimum age). In such cases, we may verify that You meet such criteria.

1.2.3. To Improve Products and Services and Protect Users

We use the information You provide for data analysis, to better understand how our products and services impact You and those You care for, to track and respond to concerns, for fraud prevention and to further develop and improve our products and services. In addition, we use the information You provide to comply with our regulatory monitoring and reporting obligations.

1.2.4. In Aggregated or De-identified Form

We may aggregate and/or de-identify data about You and use it for any purpose, including product and service development and improvement activities. These activities may include research purposes, such as when we combine deidentified data across users to identify trends. To the extent we deidentify any data originally based on personal data, we will maintain and use such data only in deidentified form and will not attempt to reidentify the data.

1.3. Notifications

We may use Your personal data, including information about Your therapy plan and related metrics, to send notifications to the device on which the App is installed, so-called push notifications. These notifications are intended to remind You of Experiences that should be completed to achieve therapy goals. Your consent is required in order for You to receive these notifications. You can opt in to receive notifications during the app setup, and You can manage the type of push notifications You receive by modifying the settings within the operating system of Your device.

For many devices, these services are provided by another company. The company providing the notification service on your device may use, collect and process data in accordance with its own terms and privacy policy. Korro is not responsible for the data collected by the company providing the notification service.

1.4. Minimum Age Requirement for Using the Application

Our app may only be used by individuals who are at least 5 years old. Any collection or processing of personal data from individuals under the age of 5 is strictly against our policy, done without our knowledge, and a breach of our Terms of Use (https://terms.korro.ai). Persons under 18 years of age are required to have their parents or legal guardian authorize their use of the application.

2.  Security Measures

We use technical, administrative and procedural measures designed to safeguard Your personal data from unauthorized access or use, including encryption of data in transit and at rest. Your data is made accessible on a strict need-to-know basis, which means only persons who absolutely need it will be able to access Your data. All data which can directly identify You (e.g., Your name) will be stored in Our database with additional encryption, such that only the person who provided the data will be able to read it.

3.  Consent

The type and form of consent will be identified based on the sensitivity of the Personal Information and the reasonable expectations of the individual.

3.1. Express consent

If express consent is required this means that a clear, affirmative, and easily withdrawable consent must be obtained on a voluntary basis, with all necessary information being understandable and readily available before consent is obtained.

3.2. Implied Consent

Implied consent can be inferred from an individual's actions or inaction, based on the context and sensitivity of the data involved.

3.3. Revocation of consent

Consent given to Us can be revoked at any time, with future effect, subject to any legal/contractual requirements. You can withdraw Your consent at any time by sending an email to office@first-privacy.com, stating Your KORRO User ID.

The withdrawal of consent does not affect the lawfulness of the processing carried out based on the consent until the withdrawal. If You withdraw Your consent, you will no longer be able to use the App.

For Users who revoke consent, no further data will be shared with Your therapist (if one was linked). However, Your personal information (e.g., notes about You, including Your medical condition) may still be processed by the therapist due to legal obligations to maintain medical records. We are not responsible for any further processing of this data by the therapist.

4.  Data Retention

For Users, once Your therapist removes You as an active patient, Your access to the App's Experiences and features will cease. This could occur upon completion of Your therapy plan or when therapy services, including the use of the App, end. We will retain Your data while You are an active patient and for one month following deactivation, providing You and Your therapist the opportunity to correct any deactivation-related issues or unintentional deactivation errors before Your data is permanently deleted.

After deactivation, You may consent to further storage of Your personal data. If so, You will be able to access the app and view Your personal data. Storing your personal data after deactivation can be beneficial if you wish to resume or re-enter therapy or access your data at a later time.

For therapists, You may delete Your account in the app settings. In that case, Your data will be permanently erased.

5.  Data Protection Rights

You may access, correct, or update Your information by accessing Your accounts or profiles on Our Sites. You may at any time request access to a summary of information we hold about You by contacting us at privacy@korro.ai.

6.  If You are a resident of the EEA

6.1. Legal Basis for Processing Under the GDPR

For residents of the EEA, certain requirements pertain to the processing of personal data. All personal data processed must be based on a legal basis provided for within the GDPR. The processing of personal data is based on the following:

-        User profile and intake form analysis – explicit consent, Art. 9 Para. 2 lit. a GDPR

-        Therapeutic Experiences – based on Your explicit consent, Art. 9 Para. 2 lit. a GDPR

-        Data Processed by Therapists – based on Your explicit consent, Art. 9 Para. 2 lit. a GDPR

-        Notifications – based on Your explicit consent, Art. 9 Para. 2 lit. a GDPR

-        Retaining data for one month after deactivation – based on Your explicit consent, Art. 9 Para. 2 lit. a GDPR

-        Any disclosure of data as part of a legal obligation – compliance with a legal obligation, Art. 6 Para. 1 lit. c GDPR

-        Data processed to manage the therapist-patient relationship – legitimate interest, Art. 6 Para. 1 lit. f GDPR

6.2.  EEA residents have the following data protection rights:

If You wish to access, correct, update or request deletion of Your personal information You can do so at any time.

You can object to processing of Your personal information, ask us to restrict processing of Your personal information or request portability of Your personal information.

You also have the right to request deletion of Your information at any time by sending an email with your KORRO User ID to privacy@korro.ai. Upon receipt of Your deletion request, all data associated with You, including therapy data, metrics, statistics, and user profile data, will be deleted. Please note that requesting the deletion of your personal information prior to the completion of therapy may interfere with therapy work and goals.

You can withdraw Your consent to the processing of Your personal data at any time. Withdrawing Your consent will not affect the lawfulness of any processing we conducted prior to Your withdrawal, nor will it affect processing of Your personal information conducted in reliance on lawful processing grounds other than consent.

You have the right to complain to a data protection authority about our collection and use of Your personal information.

If You wish to exercise any of these rights or want further information, please contact Us using the details below.

7.  If You are a resident of the United States

Residents of the United States may be entitled to certain rights dependent on the state of residence. Therefore, You may have the following data protection rights:

If You wish to access Your personal information You can do so at any time. Once we receive Your request, we will disclose to You the information requested (including free provision of a copy), including:

-        The categories of personal information collected.

-        The categories of sources of such information.

-        The purposes for which we collected the personal information.

-        The categories of personal information that we have disclosed for a business purpose.

-        Information about any sales of Your personal information.

You also have the right to rectify inaccurate personal data, restrict processing and object to the use of the data.

You have the right to request deletion of your information at any time by sending an email with your KORRO User ID to privacy@korro.ai. Upon receipt of Your deletion request, all data associated with You, including therapy data, metrics, statistics, and user profile data, will be deleted. Please note that requesting the deletion of your personal information prior to the completion of therapy may interfere with therapy work and goals.

You can request portability of Your personal information, transferring the data collected about You to You or to a body designated by You.

You have the right to not receive discriminatory treatment for exercising Your rights, and We will not discriminate against You for exercising any of Your rights.

Your rights may be restricted in case a legal obligation to store Your personal data is applicable. If You wish to exercise any of these rights or want further information, please contact Us at privacy@korro.ai to do so.

8.  If You are a resident of Canada

8.1. Legal Basis for Processing Under the PIPEDA

For residents of Canada, consent is required for the processing of Your personal information. Consent to the collection, use, transfer and disclosure of personal information may be given in various ways as described above in Section 3.

In some cases, we may be permitted or required by law to collect, use, transfer and disclose Personal Information without consent, for example to comply with a court order or comply with local, provincial or federal regulations.

The processing of personal data is based on the following:

-        User profile and intake form analysis – explicit consent

-        Therapeutic Experiences – explicit consent

-        Data Processed by Therapists – explicit consent

-        Notifications – explicit consent

-        Retaining data for one month after deactivation – explicit consent

-        Any disclosure of data as part of a legal obligation – compliance with a legal obligation

-        Data processed to manage the therapist-patient relationship – explicit consent

-        Disclosures and transfers to third countries as listed below in section 10 – explicit consent

8.2. You have the following data protection rights:

If You wish to access, correct, update or request deletion of Your personal information You may do so at any time. You have the right to request access to information relating to the existence, use, and disclosure of Your personal information.

You have the right to withdraw consent at any time; however, we may retain personal information for the period in which it is necessary to fulfill the purpose for which it was collected.

You have the right to file a complaint with the Office of the Privacy Commissioner (OPC) if You believe Korro is in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA).

If You wish to exercise any of these rights or want further information, please contact Us at privacy@korro.ai to do so.

9.  Children’s Privacy

Our collection of personal data about children is intended to follow current data protection regulations. We obtain parental consent before collecting personal data about children. We collect information about a child’s use of the App as described in this Privacy Policy and only as reasonably necessary to participate in the App. Parents may contact Us at privacy@korro.ai to review, update, or delete any of their children’s personal data that We may have collected and to elect for Us not to collect any additional personal data from their children. We do not sell personal data about children or legal guardians.

10.  How We Disclose Your Personal Data

It may be necessary for Us to disclose Your personal data to third parties. These parties may be located outside of the country in which You reside, which may include countries within the EEA, the United States or Israel. When transferring to third countries We do so in accordance with data protection regulations to which We are subject, including adequacy decisions, Standard Contractual Clauses, or other legal instruments.

We may disclose your personal data to third parties as follows:

10.1. Clinics and Therapists

We may transfer Your personal data to clinics and therapists who are working together with You to utilize the App. This data is necessary for the purposes of administering any changes to medical providers (therapists), providing accurate experience levels and monitoring therapy goals. For more information please see Sections 1.1.3 and 1.1.4.

The transfer is based on contractual agreements, between Korro and the clinics or therapists, in accordance with data protection law, and where necessary including appropriate safeguards such as standard contractual clauses, which you can request at privacy@korro.ai.

10.2. In Connection with Business Transfers

We may transfer Your personal data to affiliates located in Israel and the United Kingdom. The transfer is based on the European Commission's recognition that Israel and the United Kingdom provide adequate protection for Your personal data. We may also transfer your personal data to the United States based on appropriate safeguards such as standard contractual clauses, which you can request at privacy@korro.ai.

If We sell or transfer Korro, a business unit, or an asset (such as a website or data assets) to another company (including in connection with any bankruptcy or similar proceedings), we will disclose Your personal data to such company and will require such company to use and protect Your personal data consistent with this Privacy Policy. We may also disclose Your personal data to companies that were formerly wholly or partly included in the Korro family of companies to whom We provide services during a transition period following separation.

10.3. With Service Providers

We may retain other companies and individuals to perform services on Our behalf and We may collaborate with other companies and individuals with respect to particular products or services (collectively, “Service Providers”). These third parties may be provided with access to personal data, including through cookies, pixels, and similar technologies, to perform their functions. Examples of Service Providers include companies that provide order and payment processing services, customer (end user) service and support and customer (clinic) relationship management services, as well as email and SMS vendors, advertising vendors, data analytics firms, cloud providers, AI service providers, hosting and development companies and fulfillment companies. Some Service Providers may collect personal data on our behalf on the App or in the Portal.

We believe it is very important to keep your personal data safe and therefore provide AI systems only with anonymized data. This data is then used, for instance, to summarize your results and activities in our app as well as to adapt configurations and parametrizations of the app for the therapist to review.

Safeguarding Your data is our top priority. Therefore, whenever such technologies are used, we ensure that personal data are processed only when necessary and in compliance with applicable data protection legislation. Here is how we address risks typically related to the use of AI systems:

1.     Accidental deletion or alteration: Our system is designed so that data provided by AI systems always complements, but never replaces or alters, existing data. For example, we use AI systems to summarize the intake form provided to your therapist, but the original data of the intake form is never changed or updated in this process.

2.     Unauthorized access: All data provided to AI systems is anonymized, thus preventing unauthorized access to your personal data. In addition, the terms with service providers are set up in a way that data used for a specific request is not stored in the system of the service provider beyond the lifecycle of the request.

3.     Unintentional bias: no automatic decisions are being made in our platform based on the results we receive from AI systems. Review and approval steps are enforced in any critical path using AI systems.

4.     Your data being used to train models and advance the technology of service providers: The terms we have in place with our service providers prevent data being used for training purposes. Furthermore, your data is always undergoing an anonymization step before being sent to the service providers.

10.4. To Comply with Legal Obligations

We reserve the right to disclose your personal data as required by law, such as to comply with a subpoena or other legal process, or to comply with government reporting obligations; when We believe in good faith that disclosure is necessary (a) to protect our rights, the integrity of the services, or Your safety or the safety of others, or (b) to detect, prevent, or respond to fraud, intellectual property infringement, violations of our Terms of Use, violations of law, or other misuse of the services.

10.5. In the Aggregate/De-identified

We may also disclose aggregate and/or de-identified data that is not personally identifiable to third parties for any purpose permitted under applicable law.

11.  Changes to the Privacy Policy

We reserve the right to modify our security and privacy practices if technical developments necessitate it. In such instances, We will accordingly update our Privacy Policy and promptly notify you within the App. If this Privacy Policy changes in a way that significantly affects how We handle personal data, We will not use the personal data We previously gathered in the manner described in the new policy without providing notice and/or obtaining your consent, as appropriate. Please refer to the current version of our privacy policy. The date of the last revision of this Privacy Policy can be found at https://privacy.korro.ai/.

Please note that, due to technological advancements, We cannot guarantee that previous versions of the App will remain functional.

12.  Questions, Suggestions and Complaints

You can access the Privacy Policy within the app at any time by clicking on the link in the settings page or by accessing https://privacy.korro.ai/.

For any further questions, suggestions or complaints regarding the Privacy Policy and the processing of Your personal data, please contact Us directly at privacy@korro.ai.

You also have the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a data protection authority, especially in the Member State where You reside, work, or where the alleged infringement occurred, if You believe that the processing of personal data relating to you infringes the GDPR or local data protection laws.

13.  Consent

By clicking Submit, I consent to the processing of my/my child’s personal data particularly health information, to be collected, recorded, used, shared and retained as described in the preceding sections. I understand that I can withdraw my consent at any time, effective for the future, by sending a request to privacy@korro.ai.

By clicking Submit, I acknowledge that my/my child’s personal data, including information about my/my child’s health, will be gathered, stored and used for the purposes outlined in the preceding sections. I understand that the processing of my personal data, including my health data, is necessary for the proper functioning of the KORRO health application. I acknowledge that I have read and understand the Terms of Use (https://terms.korro.ai) and this Privacy Policy.

14.  Contact Information

14.1. Controller

Korro AI Limited

2nd Floor, 167-169 Great Portland Street,

London W1W 5PF,

United Kingdom

Web: www.korro.ai

E-mail: privacy@korro.ai

14.2. Details of the Data Protection Officer

You can contact our Data Protection Officer at:

FIRST PRIVACY GmbH

Konsul-Smidt-Str. 88

28217 Bremen, Germany     

Web: www.first-privacy.com

E-mail: office@first-privacy.com