LAST MODIFIED: DECEMBER 10TH, 2019
Introduction: our commitment to your privacy
Our vision at K is to provide you with free access to relevant health information. Our ability to offer you relevant health information is based on your agreement to share with us your specific symptoms, and your information such as your age and gender. Only when K knows this information about you is it able to compare you to similar people and tell you what they were diagnosed with and how they were treated. The more specific information you give us about you and your symptoms, the more accurate and relevant information we are able to provide you with.
The security of your personal information and your privacy are extremely important to us. When you share your personal information with us, we apply high-security standards to our operational practices and work in compliance with all applicable privacy laws. We are compliant with the European Data Protection Regulations (“GDPR”), and the California Consumer Privacy Act (“CCPA”), both of which are progressive laws governing data protection, and depending on your geographic location, each law offers you various rights in regards to your data (to read more about your rights that stem from our GDPR compliance, click here, and for California residents, click here). It is our intent to be at the forefront of data privacy and protection.
Our commitment to your privacy also means that we will use your data only to improve our services and to provide them to you. We will never sell your personal information to anyone. You will never see advertisements on our service that were tailored to you based on the information you provided us.
Using K anonymously
We believe everyone should have the right to know more about their health, even when they want to remain completely anonymous. It is your choice whether you want to use K anonymously, or whether you want to create a user account, which requires you to provide us with your email address and phone number.
When you use K anonymously, you need to provide a username (you may choose any name you’d like) and tell us your age and gender. Giving K information about your age and gender enables our AI models to ask you the right questions about your symptoms, and provide you with contextual results to your specific case. Note that when you use K anonymously and do not create a user account, you will not be able to recover your information in case you uninstalled the app or lost your phone, and you may not be able to use all our services, such as our “Virtual Visit” service.
Creating a secure user account
You may create a user account which we will verify through your email and an SMS sent to your phone. This option gives you an extra layer of privacy, as you can log out of your account at any time. Having an account also gives you the ability to access your information when you log on from another device (for example, when your phone is lost or broken), and to use all of our services that are available in your location. When you create an account you may also add information about your medical history, chronic conditions or smoking habits. When you add this information to your profile, K is able to provide you with more accurate results relevant to you and your case, and they are saved so you don’t have to enter them each time you use the app.
What types of information do we collect?
We collect non-personal information, which is un-identified and non-identifiable, both about users who use K anonymously and about users who create an account. This information mainly consists of technical and aggregated usage information, such as browsing activities, non-identifying information regarding the users’ devices, operating system, internet browser, and similar information.
We also collect personal information, which is information that identifies an individual or may, with reasonable efforts, cause the identification of an individual. This information may include your name, phone number, date of birth, gender, location, IP address, billing information (name, physical billing address, payment method and transaction details), email address, and in some instances, a copy of your driver’s license or other state-issued identification for identity verification purposes.
How do we use the information we collect?
We use the information we collect for the following purposes:
- To provide you with relevant health information: The main reason we collect personal information is to enable K to give you relevant information about your health. K asks you detailed questions about yourself and your symptoms to compare your case with people like you who share your age, gender, and symptoms. Sharing your information with the app enables K to provide you with relevant health information based on what thousands of doctors did for people like you when they were in your situation.
- To make K smarter: We may use the information we collect in order to improve our AI models, so that we are constantly improving the information we provide our users. When you are using K, you are not only learning from people like you, they are also learning from you and your experiences. Over the long term, this growing repository of health experiences and clinical decision-making will accelerate medical research and improve our understanding of human disease. The information we use to improve our machine learning algorithms and technology is always used in an aggregated and anonymized way, and can never be traced back to you.
- To enable the use of our service: We may also use the information we collect in order to operate and customize our services; for example, to remember information about you so that you will not have to re-enter it when using our app, or to provide you with customer assistance and technical support.
- To contact you: We may use the information to be able to send you promotional content about our services by e-mail, text messages, push notifications and similar forms of communication from us or our partners (acting on our behalf). If you do not wish to receive such promotional messages, you may notify us at any time at email@example.com, or follow the “unsubscribe” or “STOP” instructions contained in the promotional communications you receive. If you choose to use our chat-based virtual visit, you will receive notifications to your mobile device when your physician responds.
- As part of our user support: We may also contact you with important information regarding our services, such as in the event a certain service is temporarily suspended for maintenance, to reply to your support inquiries, or send you notices regarding payments for your subscriptions. It is important that you are always able to receive such messages. For this reason, you are not able to opt-out of receiving such service and billing messages unless you are no longer a user of the services. These types of messages are not encrypted; however, if we need to share information with you of a sensitive nature, we will direct you to log into the app in order to receive such information securely.
- For other legitimate interests: We may also use your personal information to enhance our data security and fraud prevention capabilities and tools, to support legitimate interests that we have as a business (such as by identifying user trends) and to comply with any applicable laws and regulations or in connection with legal proceedings.
How do we collect information?
- Information you share with us: We collect the information you provide to us, for example when you create an account, contact us directly or write us on social media platforms. This information may include personal information including information relating to your health.
- Information we collect automatically: When you visit or use our app or website, we may gather, collect and record information about it. We do this ourselves or with the help of third-party services, including through the use of “cookies” and other tracking technologies, as further detailed below. This information may include your IP address (which may also be associated with your domain name or the domain name of your internet service provider), data relating to your use and navigation, unique identification numbers associated with your mobile device or our mobile application and your approximate geographical location.
- Information we receive from third parties and social media: We cooperate with third parties who help us operate K. From time to time, we may receive information about you from those third parties (such as Apple’s Healthkit or Fitbit).
When and with whom do we share your personal information?
We may share your personal information with third parties if we receive your explicit consent, or without your approval, only in the following manners and instances:
- Third party service providers: We may share personal information with certain service providers, whose services and solutions complement, facilitate and enhance our own. These include hosting and server services, communications and content delivery networks (CDNs), data and cybersecurity services, billing and payment processing services, session recording and remote access services, performance measurement services, data optimization and marketing services, content providers, and our legal and financial advisors. Click here to see the list of our third party service providers. Such service providers may have access to personal information according to their particular roles and purposes, and may only use the information for such purposes.
- Our Affiliated Doctors: If you choose to use our “Virtual Visit” service (available only in certain areas), we will share personal information with the doctors affiliated with us, in order for them to provide you care. If you are in the United States, communications with our virtual visit service are also governed by our HIPAA Notice of Privacy Practices.
- Transactions, Liquidation: We may share personal information with third parties in connection with a transaction, such as a merger, sale of company assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business, or in the event of a bankruptcy or related or similar proceedings.
- Law Enforcement, Legal Requests and Duties: Where permitted by local data protection laws, we may disclose your personal information pursuant to a legal request, or in compliance with applicable laws, if we have good faith belief that the law requires us to do so, with or without notice to you.
- Protecting Rights and Safety: Where permitted by law, we may share your personal information with others if we believe in good faith that it will help protect the rights, property or personal safety of K, any of our users, or any member of the general public, with or without notice to you.
With whom do we not share your personal information?
- We will never sell your personal information to anyone.
- We will never share your personal information with advertisers. We only share usage information stripped of both identifying information and any personal health-related information that helps us optimize our marketing campaigns.
When do we share non-personal information?
Information that cannot be traced back to an individual is non-personal information, such as anonymized or aggregated information. We may transfer, share, disclose or otherwise use non-personal information at our sole discretion and without the need for any further approval from you. You accept that we own all the aggregated and anonymized data collected or created by us.
What about information you want to share with others?
K enables you to share your personal information with others, including healthcare providers, friends and contacts via social media, via our app or otherwise. Please use caution when sharing your personal information with others. The information you share will be shared according to your instructions and actions, and we have no control over what happens with your information once you share it with others.
How long do we keep your personal information?
We will keep your personal information for as long as your user account is active, in order to allow you to have access to your information and to provide you with our services.
We may continue to retain your personal information even after you deactivate your user account or stop using K, as reasonably necessary to comply with our legal obligations, to resolve disputes regarding our users, enforce our agreements or protect our legitimate interests.
If you use our “Virtual Visit” service, we may be obligated to keep your personal information for a longer period, and we will do what is legally required in each case.
When your personal information is no longer required, we will ensure it is securely deleted.
Your GDPR rights in relation to your personal information
Residents of the European Union have certain rights with respect to their personal information according to the General Data Protection Regulation (GDPR). Since our users’ privacy is very important to us, we grant such GDPR rights to all our users, alongside other rights they may have, regardless of their location.
Your GDPR rights include the following:
- The right to be notified of your personal information.
- The right to receive a copy of your personal information.
- The right to request the correcting of any inaccurate or incomplete personal information.
- The right to request the deletion of all your personal information from our servers (unless there is a legitimate and legal reason for which we are unable to do so, in which case we will inform you of this in writing).
- The right to file a complaint with your local supervisory authority for data protection (but we still recommend that you contact us first).
In order to receive information about your personal information, or exercise any of your GDPR rights, please contact us at firstname.lastname@example.org.
Before disclosing the requested personal information, we may ask you for additional information in order to confirm your identity and for security purposes. We will ordinarily not charge you any amount in relation to the exercise of your rights; nevertheless, we reserve the right to charge a fee that reflects the administrative cost where permitted by law (e.g. if your request is unfounded or excessive).
Please note that if you exercise your right to be forgotten, or ask us to stop processing your information, the deletion of your personal information will be irreversible and non-retrievable, and you will not be able to use our services.
Information for California residents
Currently, various browsers — including Internet Explorer, Firefox, and Safari — offer a “do not track” or “DNT” option that relies on a technology known as a DNT header, which sends a signal to Web sites visited by the user about the user’s browser DNT preference setting. We do not currently commit to responding to browsers’ DNT signals with respect to sites we provide, in part, because no common industry standard for DNT has been adopted by industry groups, technology companies or regulators, including no consistent standard of interpreting user intent. We will take all steps required by any such browser signals for the California Consumer Privacy Act (“CCPA”).
California Consumer Privacy Act rights
Under the CCPA, California residents have certain rights regarding their personally identifiable information. If you would like to exercise these rights on or after January 1, 2020, please contact us at email@example.com. As provided by CCPA, we may require you to provide information to allow us to verify your identity before providing the requested information. It may take us some time to respond to your request, but we will do so within the requirements of the CCPA.
- What types of information do we collect?
- How do we use the information we collect?
- When and with whom do we share your personal information?
We do not sell your personal information as provided under the CCPA.
Right to request disclosure as to personal information we have collected about you:
- You may access, correct, update and delete your account with us. You may change your choices for subscriptions and newsletters. Once you have chosen to receive newsletters or other information from us, “Opt-out” instructions from all our newsletters and press material are included in each issue. You may choose whether to receive from us information about our additional products and services in which you may be interested. You may ask to see the personal information that K holds about you. To review, verify or correct such information, contact firstname.lastname@example.org. Please note that any such communication must be in writing.
- The categories of personal information we have collected about you.
- The categories of sources from which the personal information was collected.
- The business purpose behind collecting the personal information.
- The categories of third parties with whom we have shared the information.
- The specific pieces of personal information we have collected about you.
Please note that even if your request is validated, we will not at any time disclose sensitive information such as your health information or answers to security questions.
Right to request deletion: upon a verifiable request, made through a request to email@example.com, we will delete personal information we have regarding you and direct our service providers to delete your personal information from their records, to the extent provided by the CCPA. Please note that one or more exceptions may cause us to deny your deletion request as set forth below:
- Complete the transaction for which we collected the personally identifiable information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Right to be free from discrimination: We will not discriminate against you for exercising any of your rights under the CCPA. Please keep in mind that under certain circumstances, we may charge you a different price or rate, or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to us by your personal information.
To exercise your CCPA rights: please contact us at firstname.lastname@example.org.
You may authorize another person (your “agent”) to submit a request on your behalf. If an authorized agent will be submitting a request for you, please contact us at email@example.com. We will aim to complete requests as soon as reasonably practicable and consistent with any applicable laws. Please note that we are required to verify that your agent has been properly authorized to request information on your behalf and this may take additional time to fulfill your request.
We engage certain trusted third parties to perform functions and provide services to us, including hosting and maintenance, error monitoring, debugging, performance monitoring, billing, customer relationship, database storage and management, and direct marketing campaigns. We may share your personally identifiable information with these third parties, but only to the extent necessary to perform these functions and provide such services. We also require these third parties to maintain the privacy and security of the personally identifiable information they process on our behalf.
California “Shine the Light” law
If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal information by K Health to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to firstname.lastname@example.org or write to us:
CA Shine the Light Privacy Rights
Attn: Privacy Officer
298 Fifth Ave, Seventh Floor
New York, NY 10001
Information for Nevada residents
Pursuant to Nevada law, you may direct a business that operates an internet website not to sell certain personal information a business has collected or will collect about you. K does not sell your personal information pursuant to Nevada law. However, Nevada residents have the legal right to opt out of the sale of their personal information, even if their information is not currently being sold. For more information about how we handle and share your personal information or to opt-out under Nevada law, contact us at email@example.com.
How old do you have to be to use K?
Our services at K are not designed for anyone under the age of 18. Furthermore, we do not knowingly collect or solicit any information from anyone under the age of 18. If we learn or are informed that we unintentionally collected personal information from an individual under the age of 18, we will delete such information. If you believe that we might have any information regarding a person under the age of 18, please contact us at firstname.lastname@example.org.
Where is the information stored?
The information we collect from you may be stored and processed in the United States, Israel, or any other country in which we, or our affiliates, maintain facilities, and in other jurisdictions as necessary for the proper delivery of our services or as may be required by law. If you are located outside the US or Israel, please note that we may transfer your information, including your personal information, to a country that does not have the same data protection laws as your jurisdiction, and you consent to such transfer of information to the U.S. or any other country in which the company or its service providers maintain facilities.
Our participation in the “Privacy Shield Framework”
The Privacy Shield frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to enable companies on both sides of the Atlantic to comply with data and privacy protection requirements.
We participate in, and have certified our compliance with, the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal information received from European Union (EU) member countries and Switzerland, respectively, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List at: https://www.privacyshield.gov/welcome
We are responsible for the processing of personal information we receive, under the Privacy Shield Framework, and subsequent transfers to a third party acting as an agent on our behalf. We comply with the Privacy Shield Principles for all onward transfers of Personal Information from the EU, including the onward transfer liability provisions. With respect to personal information received or transferred pursuant to the Privacy Shield Framework, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission (FTC). In certain situations, we may be asked to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and will do so where permitted by local data protection laws.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please send your complaint to our U.S.-based third party dispute resolution provider (free of charge) at the EU Data Protection Authorities (DPAs), or to the Swiss Federal Data Protection and Information Commissioner (FDPIC) regarding Swiss data. Under certain conditions, more fully described on the Privacy Shield website [https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint], you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Who has access to your personal information?
Your personal information may be processed or accessed by K employees, contractors and service providers in the US or Israel. Our staff members who have access to personal information and sensitive data are specifically trained and are granted only the minimal access rights required to perform their duties. We have detailed internal privacy and security policies and procedures and perform periodic training of our staff to ensure that they are all aware of our security and privacy procedures.
What security measures do we take to secure the data?
We care deeply about the security of your information, and we maintain high standards of physical, administrative, and technological safeguards to preserve the integrity and security of all information collected by us.
We use encrypted transportation of any data when it is transferred from the app to our servers, and we encrypt the data while it is stored in our database servers.
The HIPAA (Health Insurance Portability and Accountability Act of 1996) Security Rule establishes national US standards to protect individuals’ electronic personal health information, and K is compliant with HIPAA standards. All service providers that we use and that deal with sensitive data are HIPAA compliant and meet our strict requirements, and all applicable laws and regulations.
We also regularly monitor our systems for possible vulnerabilities and attacks, and regularly seek new ways and third party services for further enhancing the security of our services and protection of our users’ privacy.
Please note that regardless of the measures and efforts taken by K, we cannot and do not guarantee the absolute protection and security of your personal information we hold. In the event that any information under our control is compromised as a result of a breach of security or a technical failure, we will take reasonable steps to investigate the situation and, where appropriate, notify those individuals whose information may have been compromised and take other steps, in accordance with any applicable laws and regulations.
We, together with our marketing, analytics and technology partners, use certain monitoring and tracking technologies (such as cookies, beacons, pixels, tags and scripts) on our website, certain partner sites and social networks. These technologies are used in order to maintain, provide and improve our services on an ongoing basis, and in order to provide our users with a better experience. Such technologies enable us to maintain and keep track of our users’ preferences and authenticated sessions, to better secure our services, to identify technical issues, user trends and effectiveness of campaigns, and to monitor and improve the overall performance of our services.
In order for some of these technologies to work properly, a small data file (“cookie”) must be downloaded and stored on your device. By default, we use several persistent cookies for purposes of session and user authentication, security, keeping the user’s preferences (such as regarding default settings), monitoring performance of our services, and generally providing and improving our services.
If you would prefer not to accept cookies, most browsers will allow you to adjust your settings to notify you when you receive them, automatically reject them or disable existing ones. Depending on your mobile device and operating system, you may not be able to block and delete all cookies.
Deleting cookies does not delete Local Storage Objects (LSOs) such as Flash Objects and HTML5 Local Storage or Session Storage. If you use Google Chrome, you can learn more about locally stored data in your browser, and how to control it, at: https://www.google.com/chrome/privacy.
Please note that deleting our cookies or disabling future cookies or tracking technologies may prevent you from accessing certain areas or features of our services, or may otherwise adversely affect your user experience.
How do I manage cookies?
Most web browsers let you choose whether to accept cookies. Most also let you delete cookies already set. The choices available, and the mechanism used, will vary from browser to browser. Such browser settings are typically found in the “options”, “tools” or “preferences” menu. You may also consult the browser’s “help” menu. For example:
- Cookie settings in Internet Explorer
- Cookie settings in Firefox
- Cookie settings in Chrome
- Cookie settings in Safari
There are online tools available for clearing all cookies left behind by the websites you have visited, such as www.allaboutcookies.org. Usually, deletion of cookies will anonymize the information associated with the pixel and a website will not receive any further associated information.
In order to promote our app and services, we use platforms such as Facebook for online campaigns.
For example, we may use Facebook’s “Custom Audience Tool” to display interest-based ads promoting our app. We do not share personal information with Facebook, but given that Facebook knows the identity of their users, they may link the fact you clicked on our ad with your identity. Further, we report app events to Facebook to help optimize our campaigns, but we do not share with Facebook the meaning of such events. In other words, Facebook will receive information about your usage of the app (for example “User X completed apple” which means something about your usage of the app to us, but not to Facebook) but not any personal, medical or health related content. If you do not want to receive interest-based ads on Facebook, you can adjust your ad preferences through your Facebook settings. We use the same approach with other ad partners, such as Google; we will never share your personal information with any of them.
Choice of law and dispute resolution
Please contact us also if you have any issues regarding our use of your personal information.
You may also contact us by mail at:
Attn: Privacy Officer
298 Fifth Ave, Seventh Floor
New York, NY 10001