Privacy Policy for EARS

Introduction

At Ksana, we put privacy at the front of everything we do. We appreciate that you are trusting us with information that is important to you, and we want to be transparent about how we use it. Here we describe the privacy practices for our applications, software, websites, APIs, products, and services (the “Services”). You will learn about the data we collect, how we use it, the controls we give you over your information, and the measures we take to keep it safe.

Specifically, we’ll cover:

  • Information We Collect About Your Participants
  • Information We Collect About You
  • How We Use Information
  • How Information Is Shared
  • Your Rights to Access and Control Your Personal Data
  • Data Retention
  • Analytics and Advertising Services Provided by Others
  • Our Policies for Children
  • Information Security
  • Our International Operations and Data Transfers
  • Changes to This Policy
  • Who We Are and How To Contact Us.

INFORMATION WE COLLECT ABOUT YOUR PARTICIPANTS

When you use our Services, we collect the following types of information.

  • INFORMATION YOUR PARTICIPANTS PROVIDE US
    • STUDY CODE
      • We collect a study code number that links to their device ID.
    • PAYMENT AND CARD INFORMATION
      • We do not require nor collect payment card information on our platform.
  • INFORMATION WE RECEIVE FROM THEIR USE OF OUR SERVICES
    • DEVICE INFORMATION
      • Their device collects data that is pushed to our analytics platform. The data collected varies depending on which device you use. When your device syncs with our applications or software, data recorded on their device is transferred from your device to our servers.
      • The application collects a variety of information types from your device including accelerometer, gyroscope, light sensor, all keyboard input (excluding numbers), music listened to, app usage, messaging info, survey responses, facial expressions from selfies.
    • LOCATION INFORMATION
      • The Services also include features that use precise location data, including GPS signals, device sensors, Wi-Fi access points, and cell tower IDs. We collect this type of data if you grant us access to your location. Participants can always remove our access using mobile device settings. We may also derive your approximate location from an IP address.
  • INFORMATION WE RECEIVE FROM THIRD PARTIES
    • We do not receive any data from third parties, and we do not share any personal identifying information with third parties.
  • HEALTH AND OTHER SPECIAL CATEGORIES OF PERSONAL DATA
    • To the extent that information we collect is health data or another special category of personal data subject to the European Union’s or United Kingdom’s General Data Protection Regulation (“GDPR”), we ask for your explicit consent to process the data. We obtain this consent separately when you enroll. You can use the account settings to withdraw consent at any time, including by stopping use of a feature, removing our access to a third-party service, unpairing the device, or deleting the data or the account.

INFORMATION WE COLLECT ABOUT YOU

In addition to the data we collect regarding the participants in your Study, we require some information regarding you and any team member you authorize to access the Research Platform.

  • ACCOUNT INFORMATION
    • Some information is required to create an account on our Research Platform, such as your name, email address, password, and your mobile telephone number for multi-factor authentication. This is the only information you have to provide to create an account with us.

HOW WE USE INFORMATION

We use the information we collect to provide you with secure access to the Platform.

We use information collected from participants to deliver services to researchers, including the following services:

  • PROVIDE AND MAINTAIN THE SERVICES
    • Using the information that we collect, we are able to deliver the Services to you and honor our Terms of Service contract with you.
  • IMPROVE, PERSONALIZE, AND DEVELOP THE SERVICES
    • We use the information we collect to improve and personalize the Services and to develop new ones. For example, we use the information to troubleshoot and protect against errors; perform data analysis and testing; conduct research and surveys; and develop new features and Services.
    • When participants allow us to collect precise location information, we use that information to provide and improve features of the Services such as recording where an event took place or mapping an activity.
      • We use participant information in one of two ways:
        • Their data is used directly in the study in which they enrolled with information collected in alignment with the consent agreement for the study.
        • Anonymized and/or de-identified data is used across studies to improve the analysis of the data and our ability to leverage artificial intelligence to identify effective protocols.
  • COMMUNICATE WITH YOU
    • We use your information when needed to send you and your participants service notifications and to respond to you when you contact us.
  • PROMOTE SAFETY AND SECURITY
    • We use the information we collect to promote the safety and security of the Services, our users, and other parties. For example, we may use the information to authenticate users, protect against fraud and abuse, respond to a legal request or claim, conduct audits, and enforce our terms and policies.

We use cookies and similar technologies for the purposes described above. For more information, please read our Cookie Use statement.

For personal data subject to the GDPR, we rely on several legal bases to process the data. These include when you have given your consent, which you may withdraw at any time using your account settings and other tools; when the processing is necessary to perform a contract with you, like the Terms of Service; and our legitimate business interests, such as in improving, personalizing, and developing the Services, marketing new features or products that may be of interest, and promoting safety and security as described above.

HOW INFORMATION IS SHARED

We do not share personal information except in the limited circumstances described below.

WHEN YOU AGREE OR DIRECT US TO SHARE

You may direct us to disclose your information to others. For certain information, we provide you with privacy preferences in account settings and other tools to control how your information is visible to other users of the Services.

WE DO NOT SHARE YOUR DATA FOR EXTERNAL PROCESSING

We do not share your data with anyone for external processing. Data may be stored at a third-party hosting site, such as Amazon AWS; however, all data is encrypted and not accessible to the hosting organization.

FOR LEGAL REASONS OR TO PREVENT HARM

We may preserve or disclose information about you to comply with a law, regulation, legal process, or governmental request; to assert legal rights or defend against legal claims; or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of the Services or the physical safety of any person.

Please note: Our policy is to notify you of a legal process seeking access to your information, such as search warrants, court orders, or subpoenas unless we are prohibited by law from doing so. In cases where a court order specifies a non-disclosure period, we provide delayed notice after the expiration of the non-disclosure period. Exceptions to our notice policy include exigent or counterproductive circumstances, for example, when there is an emergency involving a danger of death or serious physical injury to a person.

We may share non-personal information that is aggregated or anonymized so that it cannot reasonably be used to identify an individual. We may disclose such information publicly and to third parties, for example, in public reports about exercise and activity, to partners under agreement with us, or as part of the community benchmarking information we provide to users of our subscription services.

If we are involved in a merger, acquisition, or sale of assets, we will continue to take measures to protect the confidentiality of personal information and give affected users notice before transferring any personal information to a new entity.

YOUR RIGHTS TO ACCESS AND CONTROL YOUR PERSONAL DATA

We provide you with account settings and tools to access and control the use of personal data, as described below, regardless of where you live. If you live in the European Economic Area, United Kingdom, and Switzerland (the “Designated Countries”), there are a number of legal rights with respect to personal information, which the account settings and tools allow participants to exercise, as outlined below.

If you choose to delete your account, please note that while most of the information will be deleted within 30 days, it may take up to 90 days to delete all of the information, like the data recorded by your Ksana Health device and other data stored in our backup systems. This is due to the size and complexity of the systems we use to store data. We may also preserve data for legal reasons or to prevent harm, including as described in the How Information Is Shared section.

OBJECTING TO DATA USE

We provide account settings and tools to control our data use. For example, through your privacy settings, participants can limit how their information is visible to other users of the Services; using notification settings, they can limit the notifications received from us; and under application settings, they can revoke the access of third-party applications that they previously connected to your Ksana Health account. Participants can also use the Ksana Health application to unpair the device from their account at any time.

If participants live in a Designated Country, in certain circumstances, they can object to our processing of information based on our legitimate interests, including as described in the How We Use Information section. Please also review our cookie policies statement for options to control how we use this data.

RESTRICTING OR LIMITING DATA USE

In addition to the various controls that we offer, if participants reside in a Designated Country, they can seek to restrict our processing of the data in certain circumstances. Please note that they can always delete their account at any time.

If you need further assistance regarding your rights or the rights of your participants, please contact our Data Protection Officer at privacy@KsanaHealth.com, and we will consider your request in accordance with applicable laws.

DATA RETENTION

We keep account information, like your name, email address, and password, for as long as the account is in existence because we need it to operate the account. We keep other information, like activity data, until participants use the account settings or tools to delete the data or the account because we use this data to support the goals of the Study and delivery of the Services under this agreement. We also keep information about you and your use of the services for as long as necessary for our legitimate business interests, for legal reasons, and to prevent harm, including as described in the How We Use Information and How Information Is Shared sections.

OUR POLICIES FOR MINORS

We appreciate the importance of taking additional measures to protect children’s privacy. A parent or guardian must give consent to participate in the study. Minors are not permitted to install the application without parental consent. Any use of EARS for children under thirteen years of age will comply with the Children’s Online Privacy Protection Rule (COPPA).

INFORMATION SECURITY

We work hard to keep your data safe. We use a combination of technical, administrative, and physical controls to maintain the security of your data. This includes using Transport Layer Security (“TLS”) to encrypt many of our Services. No method of transmitting or storing data is completely secure, however. If you have a security-related concern, please contact Ksana Information Security.

OUR INTERNATIONAL OPERATIONS AND DATA TRANSFERS

We operate internationally and transfer information to the United States and other countries for the purposes described in this policy.

We rely on multiple legal bases to lawfully transfer personal data around the world. Ksana’s international transfer of personal data collected in the European Economic Area, the United Kingdom, and Switzerland is governed by Standard Contractual Clauses. Ksana’s international transfer of personal data collected in participating Asia-Pacific Economic Cooperation (APEC) countries abides by the APEC Cross-Border Privacy Rules (CBPR) System and Privacy Recognition for Processors (PRP) System for the transfer of personal data. Ksana Health is subject to the oversight of the US Federal Trade Commission and remains responsible for personal information that we transfer to others who process it on our behalf as described in the How Information Is Shared section. If you have a complaint about our Privacy policies, please contact us.

Please note that the countries where we operate may have privacy and data protection laws that differ from, and are potentially less protective than, the laws of your country. You agree to this risk when you create a Ksana Health account and click “I agree” to data transfers, irrespective of which country you live in. If you later wish to withdraw your consent, you can delete your Ksana Health account as described in the Your Rights To Access and Control Your Personal Data section.

CHANGES TO THIS POLICY

We will notify you before we make material changes to this policy and give you an opportunity to review the revised policy before deciding if you would like to continue to use the Services. You can review previous versions of the policy in our archive on our website.

WHO WE ARE AND HOW TO CONTACT US

Ksana Health, a US company, is the data controller that provides you with the Services.

If you have questions, suggestions, or concerns about this policy, or about our use of your information, please contact us at privacy@ksanahealth.com or by phone at +1 206-756-0573.

 

Privacy Policy for Vira and Vira Pro

Introduction

At Ksana, we put privacy at the front of everything we do. We appreciate that you are trusting us with information that is important to you, and we commit to transparency about how we use it. This policy describes the privacy practices for our applications, software, websites, APIs, products, and services (the “Services”). You will learn about the data we collect, how we use it, the controls we give you over your information, and the measures we take to keep it safe.

Specifically, we’ll cover:

  • Types of Users and the Information We Collect
  • How We Use Information
  • How Information Is Shared
  • Your Rights to Access and Control Your Personal Data
  • Data Retention
  • Analytics and Advertising Services Provided by Others
  • Our Policies for Children
  • Information Security
  • Our International Operations and Data Transfers
  • Changes to This Policy
  • Who We Are and How to Contact Us

TYPES OF USERS AND THE INFORMATION WE COLLECT

Mobile Application Users

End users of the Vira mobile applications may be patients, subscribers or enrolled members of an organization using the application in conjunction with the Vira Pro practitioner’s platform (‘Users’). Alternatively, end users may be individuals using the application as a stand-alone service for their own self-care (‘Users’).

Vira Pro Users

Healthcare systems, research institutions and their providers, practitioners and administrators utilize Vira Pro web-based practitioner’s applications to support their enrolled members using the Vira mobile application.

INFORMATION WE COLLECT ABOUT MOBILE APP USERS

The Vira mobile application collects the following types of information.

  • INFORMATION WE RECEIVE FROM YOUR USE OF OUR SERVICES
    • DEVICE INFORMATION
      • A User’s mobile device collects data that is pushed to our analytics platform. The data collected varies depending on which device you use, and which features you authorize. When your device syncs with our platform, data captured on the device is transferred to our servers securely.
      • The application collects a variety of information types from your device and may include motion and fitness, location, keyboard input (excluding numbers, passwords and anything entered into a secure field), and survey responses.
    • LOCATION INFORMATION
      • The Services also include features that use precise location data, including GPS signals, device sensors, Wi-Fi access points, and cell tower IDs. We collect this type of data if you grant us access to your location. Users can always remove our access using mobile device settings. We may also derive your approximate location from an IP address.
    • KEYBOARD INFORMATION
      • The keyboard logger collects text input across all applications on the mobile phone. The logger installs a specialized keyboard on the phone to collect every letter that you type into your phone, including SMS text messages, social media, searches, and emails, but NEVER passwords or credit card numbers entered into secure text fields. After processing, this data is permanently deleted.
  • INFORMATION WE RECEIVE FROM THIRD PARTIES
    • We do not receive any data from third parties, and we do not share any personal identifying information with third parties.
    • Note: Practitioners with whom you choose to share data and interact are considered to be authorized users and not third parties.
  • HEALTH AND OTHER SPECIAL CATEGORIES OF PERSONAL DATA
    • To the extent that information we collect is health data or another special category of personal data subject to the European Union’s and United Kingdom’s General Data Protection Regulation (“GDPR”) requirements, we ask for your explicit consent to process the data. We obtain this consent separately when you enroll. You can use the account settings to withdraw consent at any time, including by stopping use of a feature, removing our access to a particular service, unpairing the device, or deleting the data and the account.
  • PAYMENT AND CARD INFORMATION
    • We do not require nor collect payment card information on our platform.

INFORMATION WE COLLECT ABOUT VIRA PRO USERS

In addition to the data we collect regarding the members in your practice, we require some information regarding you and any team member you authorize to access the platform.

  • ACCOUNT INFORMATION
    • Some information is required to create an account on our Platform, such as your name, email address, password, and your mobile telephone number. This is the only information you have to provide to create an account with us.
  • PRACTITIONER RESOURCES
    • Organizations may choose to create custom content to share with their enrolled participants, including psychoeducation content, digitally enhanced therapeutics, rating scales and questionnaires. This content is owned by the organization and not Ksana.

HOW WE USE INFORMATION

We use the information we collect to provide you with secure access to the Platform.

We use information collected from Users to:

  • PROVIDE AND MAINTAIN THE SERVICES
    • Using the information that we collect, we are able to deliver the Services to you and honor our Terms of Service contract with you.
  • IMPROVE, PERSONALIZE, AND DEVELOP THE SERVICES
    • We use the information we collect to improve and personalize the Services unless contractually prohibited. For example, we use the information to troubleshoot and protect against errors; perform data analysis and testing; conduct research and surveys; and develop new features and services.
  • COMMUNICATE WITH YOU
    • We use your information to send you Service notifications and respond to you when you contact us.
  • PROMOTE SAFETY AND SECURITY
    • We use the information we collect to promote the safety and security of the services, our users, and other parties. For example, we may use the information to authenticate users, protect against fraud and abuse, respond to a legal request or claim, conduct audits, and enforce our terms and policies.

HOW INFORMATION IS SHARED

We do not share personal information except with authorized users of the platform as described above.

WHEN YOU AGREE OR DIRECT US TO SHARE

You may direct us to disclose your information to others, such as your healthcare provider. For certain information, we provide you with privacy preferences in account settings and other tools to control how your information is collected and made visible to other users of the Services.

WE DO NOT SHARE YOUR DATA FOR EXTERNAL PROCESSING

We do not share your data with anyone for external processing. Data may be stored at a third-party hosting site, such as Microsoft’s Azure Cloud; however, all data is encrypted and not accessible to the hosting organization.

FOR LEGAL REASONS OR TO PREVENT HARM

We may preserve or disclose information about you to comply with a law, regulation, legal process, or governmental request; to assert legal rights or defend against legal claims; or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of the Services or the physical safety of any person.

Our policy is to notify you of legal processes seeking access to your information, such as search warrants, court orders, or subpoenas unless we are prohibited by law from doing so. In cases where a court order specifies a non-disclosure period, we provide delayed notice after the expiration of the non-disclosure period. Exceptions to our notice policy include exigent or counterproductive circumstances, for example, when there is an emergency involving a danger of death or serious physical injury to a person.

We may share non-personal information that is aggregated or anonymized so that it cannot reasonably be used to identify an individual. We may disclose such information publicly and to third parties, for example, in public reports about exercise and activity, to partners under agreement with us, or as part of the community benchmarking information we provide to users of our subscription services.

If we are involved in a merger, acquisition, or sale of assets, we will continue to take measures to protect the confidentiality of personal information and give affected users notice before transferring any personal information to a new entity.

YOUR RIGHTS TO ACCESS AND CONTROL YOUR PERSONAL DATA

We provide Users with account settings and tools to access and control use of personal data, as described below, regardless of where you live. If you live in the European Economic Area, United Kingdom, and Switzerland (the “Designated Countries”), there are several legal rights with respect to personal information, which the account settings and tools allow Users to exercise, as outlined below.

If a Vira mobile application User chooses to delete their account, the account and the user data on the phone will be deleted immediately. Any data that was in the midst of being processed may take up to two hours to delete. Some data may be required to be retained in accordance with legal and regulatory requirements, such as the HIPAA records retention requirements. Uninstalling the application will prevent any further data collection. We may also preserve data for legal reasons or to prevent harm, including as described in the How Information Is Shared section.

OBJECTING TO DATA USE

We provide account settings and tools for you to control our data use. For example, through your privacy settings, Users can limit how their information is visible to other users of the Services; using notification settings, they can limit the notifications received from us; and under application settings, they can revoke the access of third-party applications that they previously connected to their Ksana Health account. Users can also utilize the Ksana Health application to unpair the device from their account at any time.

If Users live in a Designated Country, in certain circumstances, they can object to our processing of information based on our legitimate interests, including as described in the How We Use Information section. Please also review our cookie policies statement for options to control how we use this data.

RESTRICTING OR LIMITING DATA USE

In addition to the various controls that we offer, if a User resides in a Designated Country, they can seek to restrict our processing of the data in certain circumstances. Please note that they can always delete their account at any time.

If you need further assistance regarding your rights or the rights of your participants, please contact our Data Protection Officer at privacy@KsanaHealth.com, and we will consider your request in accordance with applicable laws.

DATA RETENTION

We keep account information, like your name, email address, and password, for as long as the account is in existence because we need it to operate the account. We keep other information, like activity data, to support the delivery of the Services under this agreement. To limit the data retained, a User may uninstall the application, which stops data collection; update the account settings to rescind one or more permissions; or submit a request to delete the data or the account. We also keep information about you and your use of the services for as long as necessary for our legitimate business interests, for legal reasons, and to prevent harm, including as described in the How We Use Information and How Information Is Shared sections.

OUR POLICIES FOR MINORS

We appreciate the importance of taking additional measures to protect children’s privacy. A parent or guardian must give consent to their child’s practitioner for a minor to connect to a practitioner. This application is not intended to be used by children under the age of 13.

INFORMATION SECURITY

We work hard to keep your data safe. We use a combination of technical, administrative, and physical controls to maintain the security of your data. This includes using Transport Layer Security (“TLS”) to encrypt many of our Services. No method of transmitting or storing data is completely secure, however. If you have a security-related concern, please contact Ksana Information Security Team.

OUR INTERNATIONAL OPERATIONS AND DATA TRANSFERS

We operate internationally and transfer information to the United States and other countries for the purposes described in this policy.

We rely on multiple legal bases to lawfully transfer personal data around the world. Ksana’s international transfer of personal data collected in the European Economic Area, the United Kingdom, and Switzerland is governed by Standard Contractual Clauses. Ksana’s international transfer of personal data collected in participating Asia-Pacific Economic Cooperation (APEC) countries abides by the APEC Cross-Border Privacy Rules (CBPR) System and Privacy Recognition for Processors (PRP) System for the transfer of personal data. Ksana Health is subject to the oversight of the US Federal Trade Commission and remains responsible for personal information that we transfer to others who process it on our behalf as described in the How Information Is Shared section. If you have a complaint about our Privacy policies, please contact us.

Please note that the countries where we operate may have privacy and data protection laws that differ from and are potentially less protective than the laws of your country. You agree to this risk when you create a Ksana Health account and click “I agree” to data transfers, irrespective of which country you live in. If you later wish to withdraw your consent, you can delete your Ksana Health account as described in the Your Rights To Access and Control Your Personal Data section.

CHANGES TO THIS POLICY

We will notify you before we make material changes to this policy and give you an opportunity to review the revised policy before deciding if you would like to continue to use the Services. You can review previous versions of the policy in our archive on our website.

WHO WE ARE AND HOW TO CONTACT US

Ksana Health, a US company, is the data controller that provides you with the Services.

If you have questions, suggestions, complaints, or concerns about this policy, or about our use of your information, please contact us at privacy@ksanahealth.com or by phone at +1 206-756-0573.