The official version of this document is in the English language. This translation is provided for the convenience of our users and shall not be legally binding. In the event of conflict between this translation and the English language version, the English language version will prevail.
We’re Koa Health.
We have created Foundations to help you manage stress and improve your health and wellbeing. We manage all of your data in Foundations.
We only collect the information we need to run and improve Foundations.
We collect your information to help you support and maintain your health and wellness. We may collect additional information with your permission or to comply with applicable law.
You can choose not to share some information with us.
We offer you settings to control and manage the personal data shared with us. You can edit some of your personal data directly through your account and use the settings menu to understand what information you can stop sharing with us, and what Web App functions you will lose access to if you stop sharing.
We share information about you with third-party service providers.
This helps us provide some parts of the service (such as notifications). We ask our service providers to keep your information safe.
We may share anonymised information with organizations that we work with.
If you have access to Foundations through your employer, we may share anonymised summary reports with this organization (such as how many sign ups there have been). Beyond our services providers and clients, we may also share anonymised information with researchers to help us improve Foundations. We do not share any information that could identify you.
You need to be 16 or over to use Foundations.
By using Foundations you are confirming to us that you are at least 16 years old.
We work hard to keep your information safe.
We work to protect your information from being lost, stolen or misused. Because no system is perfect, you can help by keeping your password and account details safe.
We use your information to contact you.
This helps us communicate with you and respond to your questions. We never use your sensitive information in our communications with you.
Note that this Web App might collect personal sensitive information that is health-related (hereinafter “Sensitive Data”). If you do not agree with this Policy, please do not access or use the Web App and the Services.
1. Who collects, controls and processes your personal data?
The Data Controller responsible for collecting and processing your data changes depending on your location:
When in the USA and Canada:
Koa Health Digital Solutions Limited (hereinafter “Koa”), a company registered in the United States (“US”) with its registered address at 75 state street, Boston MA 02109, United States of America. You can contact Koa at email@example.com for any privacy related matter.
When in the UK, the EEA and other countries:
Koa Health B.V. (hereinafter “Koa”), a company registered in the Netherlands (registered number 78707838) with its registered address at Basisweg 10, 1043 AP, Amsterdam, The Netherlands.
Where the Web App is offered by an employer (Customer) to its employees, Koa may provide aggregated insights related to usage of the Web App, so that they can understand its impact. For example, we may provide information on what percentage of people who used the Web App have found it to be beneficial. These insights will never include personal information and your employer will not be provided with or have access to your name, email address nor see any raw data you have entered in the Web App.
Koa may choose to conduct a study with invited users. In this case, users will be invited by Koa or a third-party agency and Koa will process personal data of those participants following the same purposes described in this Policy. You can contact Koa at firstname.lastname@example.org for any privacy related matter. The Data Protection Officer (Judith Vieberink) for Koa may be contacted at email@example.com.
2. Why do we collect personal data about you and what do we do with it?
Help you manage your stress
The main purpose of the Web App is to help you better understand and manage your stress. In order to achieve that purpose, we collect and process information, including personal data. We analyze information from your interaction with the Web App, like your favorite activities and personal preferences, in order to offer you recommendations, activities and programs that may help you manage your stress.
Your consent is the basis for the collection and processing of personal data to manage your stress, including data collected through questionnaires. Some personal data collected for this purpose may be considered health data. You can withdraw your consent within the settings of the Web App at any time by contacting us at firstname.lastname@example.org using, if possible, the same e-mail address with which you registered in the Web App.
Provision of basic services:
If you create an account in our Web App, we will process some personal data for providing basic services of the Web App such as registration, authentication or support.
As we strictly need some personal data for the functioning of the Web App, the lawful basis of this processing is the performance of a contract, specifically the Terms & Conditions of the Web App. Sensitive data is not collected or processed for this purpose.
Improving the functioning of the App and our services:
We process personal data to improve the Web App performance, usability and to provide a better service. This includes aspects related to performance, navigation, availability and usability. To do this we consider aspects like how often and how long you use the Web App for, how you navigate between screens, the activities you use, and which screens you spend more time on. We might also ask for your feedback through email or the Web App. In some cases the functionality of the Web App uses third party services to support analytics and navigation and these functions may involve cookies as described in our cookies policy.
When using Foundations as part of a healthcare insurance plan in the US:
When you are using Foundations as part of your healthcare insurance plan in the US, we will receive information from them to verify your eligibility to access and use our Web App. This information has been provided to Koa by your insurance company.
3. What personal data do we collect about you and how?
We will not disclose your personal information to third parties for monetization. The Web App’s functionalities require the collection of personal data. Sometimes you provide us with data, sometimes data about you is collected or inferred through your use of the Web App or generated by us through analysis. We collect and process the minimum personal data necessary for each of the different purposes, and we will only keep it for as long as we provide you with a service. Should the purposes of the data collected change, we will inform you beforehand and ask for your consent again where applicable, before we process any data.
Since our service is focused on helping you manage your stress, some of the personal information that you share or we collect from you might be related to health conditions or stress behaviors. This is not directly requested by the Web App, but answers to certain questions may relate to a medical condition. The Web App and any information and/or services provided are not intended to be used in the detection, diagnosis, prevention, monitoring, prediction, prognosis, therapy, treatment or alleviation of any condition, disease or vital physiological processes or for the transmission of time sensitive health information. See our Terms & Conditions.
When you create an account within the Web App, you share the following information with us:
- Email Address
- User activity in the Web App: Frequency of access to the Web App, time spent on different screens, functions used etc.
From your activity in the Web App we derive the the following information:
We process information to improve the user experience. Based on analysis of how users use the Web App we can draw conclusions if loading times are slow, or if information is too hard to find, and use this to improve the user experience.
4. Do we share personal data about you with others?
We do not share any personal information about you with our customers. We will only share aggregated or unidentifiable information that cannot be related to an individual.
5. How long do we keep your data?
We may retain your personal data for different periods of time, depending on the type of data involved and the purposes of the processing, but generally, following these criteria:
- As long as you are an active user of our services or we have legal obligations to retain the data.
- If you are not active in our Web App, we will erase your data after 24 months from the last time you accessed the Web App.
- You may be offered Koa Foundations by your employer for a trial period. In such cases, we might need to delete your data at the end of our agreement with your employer, if we have agreed to such a condition. Normally, this would be after the first three months of the trial.
- We will also erase or stop processing your data if you withdraw consent or request us to do so. In these cases, we will erase your data or anonymize it in such a manner that is no longer identifiable.
6. What rights do you have related your personal data and how can you use them?
The data protection laws give you a series of rights regarding the personal information that we manage about you. Specifically, the rights of access, rectification, erasure, limitation, objection, portability, as well as not being subject to automated decision making and to being able to withdraw your consent.
You can exercise these rights by contacting us at email@example.com, using if possible the same e-mail address with which you registered in the Web App and identifying the right you want to exercise. In the event that you decide to exercise one of these rights through a representative, it will be necessary to provide the documentation that proves this delegation with the request.
We will respond to your requests within a maximum of 30 days. That period may be extended by an additional 30 days if necessary. In the event of such extension, we will notify you within one month of receipt of the request, together with the reasons for the delay.
If you feel your data privacy rights have been breached, you also have the right to file a complaint with a Data Protection Control Authority (e.g., the Dutch Data Protection Authority, the Information Commissioner’s Office).
In order to register and use our services you must be over 16 years old. Therefore, by signing up you confirm that you meet this condition. We may contact you to confirm this. We do not knowingly collect information from those younger than 16 years. If you are a parent or guardian and believe that your child has used the App you may contact us at firstname.lastname@example.org and we will respond promptly.
7. How do we keep your data safe?
Koa Health is responsible for ensuring the security, integrity and confidentiality of your personal information. Therefore, as part of our commitment and in compliance with current legislation, we have adopted the most demanding and robust security measures and technical means to prevent any loss or misuse of personal data or access without your authorization.
We protect all communications between the Web App and the servers in line with best practice by using TLS for encryption and server authentication. We use ISO 27001 certified systems in order to protect your registration information including email and password. We store your personal data in an encrypted database.
Also, we promise to act quickly and responsibly in the event that the security of your data may be in danger, and to inform you if necessary.
9. Protected Health Information and HIPAA
When you are using Foundations as part of your healthcare insurance plan in the US, we might receive from your insurer your email address, which we will use to give you access to the Web App.
If you are receiving Foundations from your US health insurer, some of the information we collect about you is “Protected Health Information” (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Generally speaking, the following information will be PHI: (a) the information we receive from your healthcare insurance carrier and (b) information you provide in the Web App that relates to your past, present, or future physical or mental health or condition; the provision of health care to you; or the past, present, or future payment for the provision of health care to you.
Note that PHI can be deidentified in which case it is no longer considered PHI. This can be done by removing 18 specific types of identifier from the information pursuant to HIPAA regulations. We may de-identify PHI, in accordance with HIPAA, and use it as non-PHI for the purposes listed in Section 2.
10. California residents and CCPA
If you are a resident of the State of California in the United States, we comply with the California Consumer Privacy Act (“CCPA”) with regard to your Personal Data.
The CCPA gives California residents a right to know whether their Personal Data is being sold. This includes sharing with a third party for monetary or other valuable consideration for a purpose that is not a “business purpose” as set forth in the CCPA. Koa does not sell your Personal Data. Since Koa does not sell your Personal Data, it does not provide a sales opt-out process.
As required by the CCPA, Koa does not discriminate in response to privacy rights requests.
The CCPA gives California residents the right to know what data is being collected about them, a right to access that data and obtain a copy of it, and the right to request deletion of such data. For requests or information related to these rights you can contact Koa at email@example.com, and you may also exercise your rights as follows: You may designate an authorized agent to submit requests to exercise your data protection rights to Koa. Such authorized agent must be registered with the California Secretary of State and must submit proof that you have given the agent authorization to act on your behalf.
The CCPA requires that we indicate whether we honor “Do Not Track” or “DNT” settings in your browser concerning targeted advertising. Our Services do not currently use targeted advertising, and thus do not respond to web browser “Do Not Track” signals or other mechanisms that provide a method to opt out of the collection of information on the Web App.
Any disclosures we provide will only cover the 12 month period preceding the request of a verifiable consumer request. Our response will explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a CCPA-compliant format to provide your Personal Data that should allow you to transmit the information from one entity to another without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Effective From: March 2022