Koa Care 360

Privacy Policy Tiers (Global)

Privacy & Cookies Policy of the Koa Care 360 App

Full policy

This Privacy & Cookies Policy of the Koa Care 360 App (the “Privacy Policy”) applies to any collection and/or processing of personal data by Koa Health and its affiliates (collectively, “Koa,” “we,” “us,” “our,” or “ours”), performed as a result of your use of the Koa Care 360 mobile application (the “App” or “Koa Care 360”). All data collected by the App will not be processed for any other reason than is outlined in this Privacy Policy.

Note that this App might collect sensitive personal data that is health-related (hereinafter “Sensitive Data”).  If you do not agree with this Privacy Policy, please do not access or use the App and the services provided therein.

1. Who collects, controls and processes your personal data?

The controller responsible for collecting and processing your data changes depending on your place of residence associated with your account:

When you are a registered user residing in the US or Canada:

The service provider is Koa Health Digital Solutions LLC, a company registered in the United States (“US”) with its registered address at 75 State Street, Boston MA 02109, United States of America. You can contact Koa at privacy@koahealth.com for any privacy related matter.

When you are a registered user residing in the UK, the EEA or other countries:

The personal data controller is Koa Health Digital Solutions Limited, a company registered in the United Kingdom (registered number 13298286) with registered address at 55 Baker Street, London WU1 7EU, UK.

Koa Health is the Data Controller (the “controller”) of all personal data collected through the App. Regardless of your location, your data will be processed as indicated in this privacy policy.

You can contact Koa Health at privacy@koahealth.com for any privacy related matter. The Data Protection Officer (Judith Vieberink) for Koa Health may be contacted at dpo@koahealth.com.

2. Why do we collect personal data about you and what do we do with it?

Help you manage your mental wellbeing

The main purpose of the App is to help you better understand and manage your wellbeing and recommend care pathways for mental health challenges you may be facing. The application contains questionnaires and exercises designed to give you tools to manage and improve your wellbeing. Also, in some cases, we will offer you access to higher levels of support from more specialized services to help you manage your wellbeing.

Your consent is the basis for the collection and processing of personal data relating to this functionality. Some personal data collected for this purpose may be considered Sensitive Data. You can remove this consent at any time within the privacy page of the App or by contacting us at privacy@koahealth.com using, if possible, the same email address with which you registered in the App.

Provision of basic App services:

If you create an account in our App or sign-in with your corporate credentials using Single Sign-On (SSO), we will process some personal data for providing basic services of the App such as registration, authentication or support.

As we strictly need some personal data for the functioning of the App, the lawful basis of this processing is the performance of a contract, based on the Terms of Use of the App. Sensitive Data is not collected or processed for this purpose.

Improving the functioning of the App and our services:

We process personal data to improve the App performance and usability and to provide a better service. This includes aspects related to performance, navigation, availability and usability. To do this, we consider things like how often and for how long you use the App, how you navigate between screens, the activities you use and which screens you spend more time on. We might also ask for your feedback through email or the App. In some cases, the functionality of the App uses third-party services to support analytics and navigation and these third-party functions may involve cookies as described in our Cookies Policy (as detailed in Section 10 below). You may also provide us some additional background information, such as gender, ethnicity or clinical background to help us understand the demography of our users and help us reduce bias in our service.

Our legitimate interest is the legal basis for this processing. Where we use cookies for this purpose, your consent is the basis for collecting and processing personal data for this purpose. Sensitive Data (such as wellbeing scores) is not collected or processed for this purpose.


We process your contact data to send you information about our services or products, such as product updates and new content. We may use third-party services to facilitate such communications.

Our legitimate interest is the legal basis for this processing. Sensitive Data (such as wellbeing scores) is not collected or processed for this purpose. You can opt-out of these communications using the “unsubscribe” option in one of our emails.  When you opt out of these communications, you may still receive emails from us when we need to communicate with you in connection with our provision of the services or products.

Services provided by partner companies:

During your usage of the Koa Care 360 app, you may be recommended to use a service provided by a partner to Koa Care 360, such as a therapy provider and/or an employer-provided service integrated with Koa Care 360, such as an employee wellness or Employee Assistance Program (EAP) service. If you accept, then we will share some initial information and additional information to help the provider understand the care you may need and why it may be helpful for you to speak with them.

As part of a company agreement with your employer:

When you are using Koa Care 360 as part of a benefit plan from your employer, they may share your personal information with us (First Name, Last Name, Year of Birth, Phone Number, Email Address, Residence State) to manage your eligibility to the App and so you may receive an invitation to join the App.

Enabling wellbeing or rewards programs:

When you receive Koa Care 360 as part of a wellbeing or rewards program, you may be asked to share some of the information in the App back to the program to support its administration and operation of the healthcare plan. If your usage of Koa Care 360 is part of a HIPAA covered insurance company, then your insurer may require this data, in which case it can only be used under strictly regulated HIPAA conditions. In all other cases, you will control this data sharing via a specific consent process which describes how that data is used and which you may withdraw at any time.

3. What personal data do we collect about you and how?

The App's functionalities require the collection of personal and health data. Sometimes you provide us with data and sometimes data about you is collected or inferred through your use of the App or generated by us through analysis. We collect and process the minimum personal data necessary for each of the different purposes and we will keep it as explained in Section 5 below. Should the purposes of the data collected change, we will inform you beforehand and ask for your consent again, where applicable, before we process any data.

The App is not intended to be used in the detection, diagnosis, prevention, monitoring, prediction, prognosis, therapy, treatment or alleviation of any condition, disease or vital physiological processes or for the transmission of time sensitive health information. See our Terms & Conditions for more information.

When you create an account within the App or sign-in with your corporate credentials using Single Sign-On (SSO), you share with us the following information:

  • First Name
  • Last Name
  • Year of Birth
  • Phone Number
  • Email Address
  • Your current employer or the company that provided you with Koa Care 360

When you use the App and answer our questionnaires and tests, you share with us the following information:

  • Information on your perception of your current mental health with questions relating to mood, sleep and how stressed or overwhelmed you have felt over a period of time. We use standardized scales that are widely used by healthcare specialists and scientists worldwide and collect this information so that you can better understand your wellbeing and see how it might change over time.
  • Periodic information about how you feel and your mood (e.g., stressed, happy) through the answers you give to our questionnaires and activities.
  • Background information that you share with us, such as gender, ethnicity and whether you are already under treatment.

Through the use of cookies and other online tracking technologies (read our Cookies Policy), we collect and process the following information:

  • User activity in the App, including the frequency of access to the App, time spent on different screens, functions used, etc.

We monitor your activity in the App to improve your experience:

  • By analyzing aggregated data from how you use the App, we can identify usability issues and make improvements, for example, if loading times are slow or if information is too hard to find.

When you use the associated therapy services:

  • Questions about relevant mental health background needed to begin a therapy session.

4. Do we share personal data about you with others?

Except as noted below, we do not share any personal data about you with our Customers or other companies. We will only share aggregated and/or de-identified information.

Where the App is offered by an employer ("Customer") to its employees, Koa Health may provide aggregated insights related to the usage of the App to the Customer, so that the Customer can understand the App's impact. For example, we may provide information on what percentage of people who used the App have found it to be beneficial. These insights are aggregated statistics which are only generated when there is a sufficiently large number of users of the App, and the Customer does not see any raw data you have entered into the App.

If you are receiving Koa Care 360 as part of an employee wellbeing or rewards program, then with your consent, we may share aspects of your summary information about your activity with the program to support its administration and operation.

If you are in the US and your health plan company or healthcare provider is a covered entity and has signed a Business Associate agreement (BAA) with us, we may share aspects of your summary information about your activity in the App.

When logging in using your company's Single Sign-On (SSO), we will redirect you to your company's sign-in page. SSO is operated by your current employer or the company that provided you with Koa Care 360. The provider of SSO could know you are using Koa Care 360.

When you are redirected from Koa Care 360 to our therapy provider or an employee wellbeing service/EAP service provided by your employer, we may share with them the following information needed for identifying and contacting you:

  • First Name
  • Last Name
  • Date of Birth
  • Phone Number
  • Email Address
  • Your time zone
  • Country
  • Language
  • Scheduling requests and preferences

In addition to the above, when a therapy partner is engaged, we may share the following information needed for your health treatment:

  • Your gender, your sex assigned at birth and your pronouns
  • Country and/or state where you are requesting treatment from
  • Your responses in the questionnaire about your mental health background

Consistent with Section 3, we may share some of your personal data with service providers for specific activities such as hosting, providing customer support, analytics or application functionality such as notifications.

In the case that you accept a referral to a therapy partner, some of your data including personal and health data is shared so that the therapist can register you as a patient and begin the sessions as effectively as possible. The therapy partners operate under medical regulations as Independent Data Controllers (EU) or Health Care Practitioners (US), and they will provide you with their respective privacy policies.

5. How long do we keep your data?

We may retain your personal data for different periods of time, depending on the type of data involved and the purposes of the processing, but generally, following these criteria:

  • As long as you are an active user of our services.
  • If you are not active in our App, we will erase your health data after 24 months from the last time you used it.
  • We will also erase or stop processing your data if you withdraw consent or require us to do so. In these cases, we will erase your data or anonymize it in such a manner that it is no longer identifiable.
  • Notwithstanding anything in the foregoing, we may retain your personal data as required by applicable law.

Data protection laws may give you a series of rights regarding the personal data that we manage about you. For example, the right of access, rectification, erasure, limitation, objection, portability, as well as not being subject to automated decision making and being able to remove your consent.

You can request to exercise these rights by contacting us at privacy@koahealth.com. When sending us a request, use the same email address with which you registered in the App and state the right you want to exercise, if possible. If you decide to exercise one of these rights through a representative, it will be necessary to provide documentation to authorize the request.

We will respond to any other requests within a maximum of 30 days. That period may be extended by an additional 30 days if necessary. In the event of such an extension, we will notify you within 30 days of receipt of the request, together with the reasons for the delay.

If you feel your data privacy rights have been breached, you also have the right to file a complaint with the Information Commissioner's Office, or the U.S. Department of Health and Human Services.

In order to register and use our services you must be over 18 years old. Therefore, by signing up you confirm that you meet this condition. We may contact you to confirm this. We do not knowingly collect information from those younger than 18 years old. If you are a parent or guardian and believe that your child has used the App, you may contact us at privacy@koahealth.com.

7. How do we keep your data safe?

Koa understands the importance of the security, integrity and confidentiality of your personal data. Therefore, as part of our commitment and in compliance with applicable legislation, we have adopted security measures and technical means designed to prevent the loss of, misuse of or unauthorized access to personal data.

We protect all communications between the App and the servers by using TLS for encryption and server authentication. Koa Health products are certified to SOC2 Type 2, which is the standard for cloud-based information system security and equivalent to the ISO 27001 standard commonly used in Europe. Data is always encrypted in storage and in transit using industry-standard technology.

Also, we promise to act quickly and responsibly in the event that the security of your data may be in danger, and to inform you if necessary.

8. Changes to this Privacy Policy

We may modify this Privacy Policy from time to time and will post any revisions on our App. We will indicate at the bottom of the Privacy Policy the Effective Date of the most recent update. If an update requires additional notice to you or your consent, we will contact you to provide that notice or seek that consent.

9. Protected Health Information and HIPAA

When you are using Koa Care 360 as part of your healthcare insurance plan in the US, we might receive from your insurer your name and email address, which we will use to give you access to the App.

If you are based in the US, then some of the information we collect about you is “Protected Health Information” (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Generally speaking, the following information will be PHI: (a) the information we receive from your healthcare insurance carrier; (b) information you provide in the App that relates to your past, present or future physical or mental health or condition; the provision of health care to you; or the past, present or future payment for the provision of health care to you; and (c) summary information from any therapy sessions such as show/no-show, improving/worsening; information which allows us to ensure the therapist is doing a good job.

10. Cookies Policy

What are cookies?

When you access our services, using a browser, we may use cookies, pixels and other online tracking technologies (collectively referred to here as “cookies”). Cookies are widely used by online service providers in order (for example) for services to work and/or function, or to work more efficiently, as well as to provide reporting information.

Cookies set by the controller are called “first-party cookies”. Cookies set by parties other than the controller are called “third-party cookies”. Third-party cookies enable third-party features or functionality to be provided through the app you are using (such as interactive content and analytics). The third parties that set these third-party cookies can recognize your device both when it visits the service in question and also when it visits certain other websites or services.

Why do we use cookies and other tracking technologies?

The third-party cookies or similar tracking technologies such as software development kits (“SDKs”) help us track and target the activity of our users. For example, we use cookies for analytics, configuration, and other purposes. The cookies we use include the following:

Essential cookies: Essential cookies or strictly necessary cookies are cookies that are essential for a website or an app to function correctly. Essential cookies cannot be turned off, as they would impact the way our products work. We use essential cookies for managing authentication to our services.

Analytics: We do not use analytics cookies or other tracking technologies.

Communications: We collect and share technical data from our App with OneSignal so that we can send users more relevant communications based on how they interact with the App.

How can I deactivate cookies or similar tracking technologies?

You can withdraw consent for the usage of cookies by following the instructions of Section 6 of this Privacy Policy.

Effective from: May 2024