Privacy & Cookies Policy of the Koa Foundations App

Summary of Privacy Policy - Reading time 2 mins

This summary helps you quickly understand the main points of the Privacy Policy. It is provided for convenience only. Because it does not replace our full Privacy Policy, please read the full Privacy Policy to understand the complete picture of how we handle personal data.

We’re Koa Health.

We have created Koa Foundations to help you manage stress and improve your health and wellbeing. We manage all of your data collected through Koa Foundations.

We collect the information we need to run and improve Koa Foundations.

We collect your information to help you support and maintain your health and wellness. We may collect additional information with your permission or to comply with applicable law.

You can choose not to share some information with us.

You can use the settings menu to understand what information you can stop sharing with us, and what App functions you will lose access to if you stop sharing.

We share information about you with third-party service providers.

This helps us provide some parts of the service (such as notifications). We ask our service providers to keep your information safe.

We may share certain information with organizations that we work with.

If you have access to Koa Foundations through your employer, we may share anonymized or aggregated summary reports with this organization (such as how many sign-ups there have been). Beyond our service providers and Customers, we may also share anonymized or aggregated information with researchers to help us improve Koa Foundations.

We have different age restrictions depending on where you are.

By using Koa Foundations, you are telling us that you are at least 18 years old in the US, and at least 16 years old in the UK, the EEA or other countries.

We work hard to keep your information safe.

We work to protect your information from being lost, stolen or misused. Because no system is perfect, you can help by keeping your password and account details safe.

We use your information to contact you.

This helps us communicate with you and respond to your questions.

Full policy

This Privacy & Cookies Policy of the Koa Foundations App (the “Privacy Policy”) applies to any collection and/or processing of personal data by Koa Health and its affiliates (collectively, “Koa,” “we,” “us,” “our,” or “ours”), performed as a result of your use of the Koa Foundations mobile application (the “App” or “Koa Foundations”). Data collected by the App will not be processed for any reason other than those outlined in this Privacy Policy.

Note that this App might collect sensitive personal data that is health-related (hereinafter “Sensitive Data”). If you do not agree with this Privacy Policy, please do not access or use the App and the services provided therein.

1. Who collects, controls and processes your personal data?

The controller responsible for collecting and processing your data changes depending on your place of residence associated with your account:

When you are a registered user residing in the US or Canada:

The personal data controller is Koa Health Digital Solutions LLC, a company registered in the United States (“US”) with its registered address at 75 State Street, Boston MA 02109, United States of America. You can contact Koa at privacy@koahealth.com for any privacy related matter.

When you are a registered user residing in the UK, the EEA or other countries:

The personal data controller is Koa Health Digital Solutions Limited, a company registered in the United Kingdom (registered number 13298286) with registered address at 55 Baker Street, London WU1 7EU, UK.

Koa Health is the Data Controller (the “controller”) of all personal data collected through the App. Regardless of your location, your data will be processed as indicated in this privacy policy.

Where the App is offered by an employer (“Customer”) to its employees, Koa may provide aggregated insights related to the usage of the App to the Customer, so that the Customer can understand the App’s impact. For example, we may provide information on what percentage of people who used the App have found it to be beneficial. These insights will not include personal data, and your employer will not be able to know your name or email address, nor see any raw data you have entered into the App.

Koa may choose to conduct a study with invited users. In this case, users will be invited by Koa or a third-party agency, and Koa will process personal data pursuant to your authorization and consent to participate in the study, and as indicated in the study’s privacy policy, which will override this one where they conflict. You can contact Koa at privacy@koahealth.com for any privacy related matter. The Data Protection Officer (Judith Vieberink) for Koa Health may be contacted at dpo@koahealth.com.

2. Why do we collect personal data about you and what do we do with it?

Help you manage your mental wellbeing

The main purpose of the App is to help you better understand and manage your stress. In order to achieve that purpose, we collect and process information, including personal data. We analyze information from your interaction with the App, like your favorite activities and personal preferences, in order to offer you recommendations, activities and programs that may help you manage your stress.

Your consent is the basis for the collection and processing of personal data to manage your stress, including data collected through questionnaires. Some personal data collected for this purpose may be considered Sensitive Data. You can remove this consent within the settings of the App, or at any time by contacting us at privacy@koahealth.com using, if possible, the same email address with which you registered in the App.

Personalized notifications based on your activity

We may optimize the notifications we send you by basing these on your preferences or activity within the App, to make them as relevant as possible. For example, we may inform you about new programs we think you might be interested in based on your preferences. This processing may include the use of cookies or similar technologies, as detailed in our Cookies Policy (Section 10 below). The lawful basis for this processing is your consent. You will be asked for consent the first time you use the App, as part of the onboarding. You can manage and remove your consent at any time within the App settings.

Provision of basic App services:

If you create an account in our App or sign-in with your corporate credentials using Single Sign-On (SSO), we will process some personal data for providing basic services of the App such as registration, authentication or support.

As we strictly need some personal data for the functioning of the App, the lawful basis of this processing is the performance of a contract, based on the Terms of Use of the App. Sensitive Data is not collected or processed for this purpose.

Improving the functioning of the App and our services:

We process personal data to improve the App performance and usability and to provide a better service. This includes aspects related to performance, navigation, availability and usability. To do this, we consider things like how often and for how long you use the App, how you navigate between screens, the activities you use, and which screens you spend more time on. We might also ask for your feedback through email or the App. In some cases, the functionality of the App uses third-party services to support analytics and navigation, and these third-party functions may involve cookies as described in our Cookies Policy (Section 10 below).

Our legitimate interest is the legal basis for this processing. Where we use cookies for this purpose, your consent is the basis for collecting and processing personal data for this purpose. Sensitive Data (such as wellbeing scores) is not collected or processed for this purpose.

Communications:

We process your contact data to send you information about our services or products, such as product updates and new content. We may use third-party services to facilitate such communications.

Our legitimate interest is the legal basis for this processing. Sensitive Data (such as wellbeing scores) is not collected or processed for this purpose. You can opt-out of these communications using the “unsubscribe” option in one of our emails. When you opt out of these communications, you may still receive emails from us when we need to communicate with you in connection with our provision of the services or products.

Enabling wellbeing program rewards in the US:

When you receive Koa Foundations as part of a wellbeing employee program in the US, we may need to share some of your information with your healthcare plan to support the administration and operation of the healthcare plan. This information cannot be used by your healthcare plan for any purpose apart from the operations of the healthcare plan.

When using Koa Foundations as part of a healthcare insurance plan in the US:

When you are using Koa Foundations as part of your healthcare insurance plan in the US, we will receive information from them to verify your eligibility to access and use our App. This information will be provided to Koa Health by your insurance company or employer.

3. What personal data do we collect about you and how?

The App’s functionalities require the collection of personal data. Sometimes you provide us with data, and sometimes data about you is collected or inferred through your use of the App or generated by us through analysis. We collect and process the minimum personal data necessary for each of the different purposes, and we will keep it as explained in Section 5 below. Should the purposes of the data collected change, we will inform you beforehand and ask for your consent again, where applicable, before we process any data.

Since our service is focused on helping you manage your stress, some of the personal data that you share or we collect from you might be related to mental health conditions and behaviors. The App and any information and/or services provided by the App are not intended to be used in the detection, diagnosis, prevention, monitoring, prediction, prognosis, therapy, treatment or alleviation of any condition, disease or vital physiological processes or for the transmission of time sensitive health information. See the Terms of Use for more information.

When you create an account within the App, or sign-in with your corporate credentials using Single Sign-On (SSO), you share with us the following information:

  • Name
  • Email Address
  • Your current employer or the company that provided you with Koa Foundations

When you use the App and answer our questionnaires and tests, you share with us the following information:

  • Your responses when using the App, such as feeling overwhelmed, trouble sleeping, etc.
  • Information related to the activities provided within the App, such as which activities you have completed or the text and responses you have given.
  • Your opinion on the App and its functionality, if you choose to provide us with feedback.

You can also choose to share with us the following data related to your mental health and wellbeing:

  • Information on your perception of your mental health with questions relating to mood, sleep and how stressed or overwhelmed you have felt over the past week. We use standardized scales that are widely used by healthcare specialists and scientists worldwide and collect this information so that you can better understand your wellbeing and see how it might change over time.
  • Periodic information about how you feel and your mood (e.g., stressed, happy) through the answers you give to our questionnaires and activities.

Through the use of cookies and other online tracking technologies (read our Cookies Policy), we collect and process the following information:

  • User activity in the App, including the frequency of access to the App, time spent on different screens, functions used, etc.

We monitor your activity in the App to improve your experience.

By analyzing aggregated data from everyone who uses the App, we can draw conclusions and make improvements, for example, if loading times are slow or if information is too hard to find.

4. Do we share personal data about you with others?

Except as noted below, we do not share any personal data about you with our Customers or other companies. We will only share aggregated and/or de-identified information.

When logging in using your company’s Single Sign-On (SSO), we will redirect you to your company’s sign-in page. SSO is operated by your current employer or the company that provided you with Koa Foundations. The provider of SSO could know you are using Koa Foundations.

If you are receiving Koa Foundations as part of an employee wellbeing program in the US, we may be required to share aspects of your personal data with your healthcare plan to support the administration and operation of the healthcare plan.

On the legal basis mentioned in Section 3, we may share some of your personal data with service providers for specific activities such as hosting, providing customer support, analytics or application functionality such as notifications. We only share the minimum information and authorize our service providers to process your information following our instructions. We contractually require our service providers to erase all your personal data once their services are finished. We take the appropriate measures designed to ensure that providers outside the EEA comply with EEA standards and this Privacy Policy in every processing of personal data they perform on our behalf, by requiring appropriate safeguards and guarantees such as Standard Contractual Clauses.

Internal team members will process your personal data following professional responsibilities and contractual obligations only for the purposes established in this Privacy Policy. We take appropriate measures designed for the fair and confidential use of all personal data by our employees.

5. How long do we keep your data?

We may retain your personal data for different periods of time, depending on the type of data involved and the purposes of the processing, but generally, following these criteria:

  • As long as you are an active user of our services.
  • If you are not active in our App, we will erase your health data after 24 months from the last time you used it.
  • You may be offered Koa Foundations by your employer for a trial period. In such cases, we might need to delete your data at the end of our agreement with your employer, if we have agreed to such a condition. Normally, this would be after the first three months of the trial.
  • We will also erase or stop processing your data if you withdraw consent or require us to do so. In these cases, we will erase your data or anonymize it in such a manner that it is no longer identifiable.
  • Notwithstanding anything in the foregoing, we may retain your personal data as required by applicable law.

Data protection laws may give you a series of rights regarding the personal data that we manage about you. You have the following rights: the rights of access, rectification, erasure, restriction, portability, objection as well as not being subject to automated decision making and being able to remove your consent.

You can request to exercise these rights by contacting us at privacy@koahealth.com. We will respond as soon as possible without delay, and in all cases within one month of the receipt of your request. Depending on the complexity and other factors, we may extend this period as permitted by data protection laws. When sending us a request, if possible, use the same email address with which you registered in the App and state the right you want to exercise. If you decide to exercise one of these rights through a representative, it will be necessary to provide documentation to authorize the request.

If you receive Koa Foundations as part of an employee wellbeing program in the US, we will forward any records request to your healthcare plan to be fulfilled, and we will respond to any other requests within a maximum of 30 days. That period may be extended by an additional 30 days if necessary. In the event of such an extension, we will notify you within 30 days of receipt of the request, together with the reasons for the delay.

If you feel your data privacy rights have been breached, you also have the right to file a complaint with a Data Protection Control Authority (e.g., the Information Commissioner’s Office, the Dutch Data Protection Authority, or the U.S. Department of Health and Human Services).

In order to register and use our services you must be over 18 years old in the US, or over 16 in the UK, EU or Worldwide. Therefore, by signing up you confirm that you meet this condition. We may contact you to confirm this. We do not knowingly collect information from those younger than 18 years old in the US, or younger than 16 in the UK, EU or Worldwide. If you are a parent or guardian and believe that your child has used the App, you may contact us at privacy@koahealth.com.

7. How do we keep your data safe?

Koa understands the importance of the security, integrity and confidentiality of your personal data. Therefore, as part of our commitment and in compliance with applicable legislation, we have adopted security measures and technical means designed to prevent the loss of, misuse of or unauthorized access to personal data.

We protect all communications between the App and the servers by using TLS for encryption and server authentication. We use ISO 27001 certified systems in order to protect your registration information including your email and password. We store your personal data in an encrypted database.

Also, we promise to act quickly and responsibly in the event that the security of your data may be in danger, and to inform you if necessary.

8. Changes to this Privacy Policy

We may modify this Privacy Policy from time to time and will post any revisions on our App. We will indicate at the bottom of the Privacy Policy the Effective Date of the most recent update. If an update requires additional notice to you or your consent, we will contact you to provide that notice or seek that consent.

9. Protected Health Information and HIPAA

When you are using Koa Foundations as part of your healthcare insurance plan in the US, we might receive from your insurer your name and email address, which we will use to give you access to the App.

If you are receiving Koa Foundations from your US health insurer, some of the information we collect about you is “Protected Health Information” (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Generally speaking, the following information will be PHI: (a) the information we receive from your healthcare insurance carrier and (b) information you provide in the App that relates to your past, present, or future physical or mental health or condition; the provision of health care to you; or the past, present, or future payment for the provision of health care to you.

We want to make sure you know that, notwithstanding anything else in this Privacy Policy, we only use and share PHI as permitted by HIPAA and our business associate agreement with your healthcare insurance carrier. This means we only use and share your PHI with your healthcare insurance carrier to support your treatment or upon your direction or consent. Your healthcare insurance carrier will provide you with a “Notice of Privacy Practices” that explains how they use your PHI in compliance with HIPAA.

Note that PHI can be deidentified, in which case it is no longer considered PHI. This can be done by removing 18 specific types of identifiers from the information pursuant to HIPAA regulations. We may deidentify PHI, in accordance with HIPAA, and use it as non-PHI for the purposes listed in Section 2.

10. Cookies Policy

What are cookies?

When you access our services using a browser, we may use cookies, pixels, and other online tracking technologies (collectively referred to here as “cookies”). Cookies are widely used by online service providers, for example to make services work or work more efficiently, as well as to provide reporting information.

Cookies set by the controller are called “first-party cookies”. Cookies set by parties other than the controller are called “third-party cookies”. Third-party cookies enable third-party features or functionality to be provided through the app you are using (such as interactive content and analytics). The third parties that set these third-party cookies can recognize your device both when it visits the service in question and also when it visits certain other websites or services.

Why do we use cookies and other tracking technologies?

The third-party cookies or similar tracking technologies such as software development kits (“SDKs”) help us track and target the activity of our users. For example, we use cookies for analytics, configuration, and other purposes. The cookies we use include the following:

Essential cookies: Essential cookies or strictly necessary cookies are cookies that are essential for a website or an app to function correctly. Essential cookies cannot be turned off, as they would impact the way our products work.

Analytics: We collect and share technical data from our App with Mixpanel so that we can better understand how users interact with our App. This is used to be able to better understand and track activities within the App to inform you based directly on your activities and to be able to improve the App services overall.

Personalized notifications: We collect and share technical data from our App with OneSignal so that we can send users more relevant notifications based on how they interact with the App.

How can I deactivate cookies or similar tracking technologies?

You can withdraw consent for the usage of cookies in the settings section of the App or by following the instructions of Section 6 of this Privacy Policy.

Effective from: November 2023