AliveCor Privacy Policy
EFFECTIVE DATE: April 30, 2020
Welcome to AliveCor! This Privacy Policy (“Policy”) describes how AliveCor, Inc. (“we,” “us,” or “our”) collects, uses, and discloses information that we obtain about your use of the alivecor.com website (the “Site”), Kardia™ (“the App”), KardiaPro™ software (“KardiaPro”), collectively “the Service,” including information that we collect from the AliveCor devices (e.g., KardiaMobile®) that you connect to a mobile device running the App.
Does this Policy apply to you?
- This Privacy Policy applies to all personal uses of our Services globally and you should not use the Services if you do not agree to this Privacy Policy.
- This Privacy Policy applies to EEA (European Economic Area) data subjects unless the data subject is using the Services under direction from a physician where the physician and the data subject/patient have an agreement between them covering the use of the Services. In such a case the physician or his/her institution is the Data Controller for data collected from/by KardiaMobile and the App, and the physician’s or his/her institution’s privacy policy will apply, not this Privacy Policy.
- If you are located in the United States or a country outside the EEA, your information is stored in the United States. By using or downloading the Service, you agree that your personal information, including any information about your health that you provide directly to us or that we collect through your use of the Service, may be transferred to and stored in the United States.
- If you are an EEA user, we store your information in the European Union.
The Information We Collect About You. We collect information directly from you, from devices and third party services you connect, as well as automatically through your use of our Service.
When You Create, Update, or add information to Your Profile. When you register to use the Service, we collect the personal information you provide us, including your name, email address, password, gender, height, and birthdate. We also collect any additional information you choose to add to your profile, including: weight, body mass index (BMI), whether you are a smoker or non-smoker, medical conditions, information related to medications you are taking, patient ID, and activity levels.
We collect additional information from Devices you connect to your App:
-
When you Use a Kardia Device. We collect your raw electrocardiogram (“ECG,” “EKG”) measurement data, average heart rate, and location on the body where the ECG recording was taken (e.g. finger tips, chest, limbs etc.). We collect additional information from your mobile device at the time of recording, including accelerometer data, local time, local time zone, and geographic location.
You may use your mobile device to add notes, tags, or voice memos to ECG recordings you make with any connected device. Many users use this feature to supplement ECG recordings with information about their symptoms, activities, or diet related to their specific health conditions. Voice memos are automatically transcribed and included with the applicable ECG recordings. Please note that we collect information provided through notes, tags, or voice memos, including any personal or sensitive information you choose to provide through this feature.
-
Information Collected From Your Phone or Watch. In addition to the collection described above, we collect basic information from your mobile device, including device model and OS version, device ID, device language, activities within the App and how long the App is open.
If you choose to connect your mobile device to a compatible third-party service, such as Apple Health or Google Fit, with your permission, we collect information from your user profile including: username and email address, heart rate BPM, step count and distance traveled, activity sample, glucose and oxygen saturation levels, active and resting energy levels, sleep analysis, blood pressure readings, and workout history.
-
When You Use A Premium Feature. When you choose to participate in a premium service, we collect additional information from you related to those services. Some premium features are paid services. When you make payments through the Service, you may need to provide your shipping address and financial account information, such as your credit card number, to our third-party service providers. We do not collect or store financial account information, though we may receive transaction identifiers and summary information that does not include credit card or bank account numbers.
-
When You Use KardiaPro Service. When healthcare professionals enroll in KardiaPro service, we ask the healthcare professional to provide its National Provider Identifier (NPI) number. When a healthcare provider submits patient information through the KardiaPro service, based on permissions from both the patient and the healthcare professional, we receive patient profile information including: name, email address, telephone number, birthdate, gender, medical record number, and any notes, tags, or voice memos submitted by the healthcare professional. EEA-user data entered by healthcare providers using KardiaPro is independently controlled by the healthcare provider and AliveCor, and is subject to the healthcare provider’s privacy policy in addition to this Privacy Policy. All other EEA-user data collected through the Service is governed by this Privacy Policy for which AliveCor is the Data Controller.
-
When You Use The Clinical Interpretation Service. If you choose to use the AliveCor Clinical Interpretation Service, as defined in the AliveCor Terms of Service, we will receive the results of your clinical analysis and deliver those results to you through the App.
-
When You Contact Us. When you contact AliveCor directly, such as when you contact our Customer Support team, we will receive the contents of your message or any attachments you may send to us, as well as any additional information you choose to provide.
How We Use Your Information
We process your information, including your personal information, for the following purposes:
-
To provide our Service to you, to communicate with you about your use of our Service, to respond to your inquiries, and for other customer service purposes.
-
To tailor the content and information that we may send or display to you, to offer location customization, and personalized help and instructions, and to otherwise personalize your experiences while using the Service.
-
To research and develop new products and features, to the extent permitted by law and, where required, with your consent.
-
For marketing, promotional and informational purposes, to the extent permitted by law and, where required, with your consent. For example, we may use your information, such as your email address, to send you news and newsletters, special offers, and promotions, or to otherwise contact you about products or information we think may interest you. We also may use the information that we learn about you to assist us in advertising our services on third party websites. You can opt-out of receiving these emails at any time as described below.
-
To better understand how users access and use our Service, both on an aggregated and individualized basis, in order to improve our Service and respond to user desires and preferences, and for other analytical purposes.
-
To tailor the content and information that we may send or display to you, to understand if a recorded EKG is your personal data or a guests’ data, to offer location customization, and personalized help and instructions, and to otherwise personalize your experiences while using the Service.
-
To administer surveys and questionnaires.
-
To comply with legal obligations, as part of our general business operations, and for other business administration purposes.
-
Where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or violations of our Terms of Use or this Privacy Policy.
How We Share Your Information. We may share your information, including personal information, as follows:
-
AliveCor Third Party Partners. With your consent, we may share information from the Service with other third-party partners, including your personal information and data collected from your devices.
-
Your Healthcare Providers Or Family. With your consent, we may share your information, including information collected from your connected devices, with your healthcare providers and/or family members (e.g., immediate family or friends) that you designate to receive your information.
-
Clinical Trial Studies. With your consent, physicians and staff of clinical trial programs may use the Service as a means of collecting data for the trial study. If the Service is used as part of a clinical trial study, we will use and share information about the clinical trial collected through the Service in accordance with our agreement with the clinical trial program and any privacy notices provided to you as part of the clinical trial program.
-
Other Health-focused Mobile Apps. With your consent, we may share your profile information and data collected from your connected devices with other health-focused mobile applications installed on your mobile device to help you track your health and wellness information. If you share your information with these apps, your personal information, including your health information, will be used in accordance with privacy policies for those separate apps, not this Privacy Policy.
-
Aggregate and De-Identified Information. We may share aggregate or de-identified information—so that it cannot reasonably be used to identify an individual—with third parties for marketing, advertising, research or similar purposes.
-
Health Researchers. We may share data collected through the Service with healthcare researchers and other research organizations, including de-identified profile information and data collected from your connected devices. For example, we may share information such as your gender, height, weight, information about medications you have provided, and data from your connected devices, but we will not share your name or other information that could identify you.
-
Affiliates. We may disclose the information we collect from you to our affiliates or subsidiaries; however, if we do so, their use and disclosure of your personal information will be subject to this Policy.
-
Service Providers. We provide selected information we collect from you to third party vendors, service providers, contractors or agents who perform service functions needed by us to run the business, such as providers of hosting, email communication, customer support services, analytics, marketing, and advertising, based on our instructions, and in compliance with this Policy and any other appropriate confidentiality and security measures.
-
Business Transfers. If we are acquired by or merged with another company, if substantially all of our assets are transferred to another company, or as part of a bankruptcy proceeding or reorganization, we will give affected users notice before transferring any personal information to a new entity.
-
In Response to Legal Process. We may disclose the information we collect from you in order to comply with the law, a judicial proceeding, court order, or other legal process, such as in response to a court order or a subpoena.
- Please note: Our policy is to notify you of legal process seeking access to your information, such as search warrants, court orders, or subpoenas, unless we are prohibited by law from doing so. In cases where a court order specifies a non-disclosure period, we provide delayed notice after the expiration of the non-disclosure period. Exceptions to our notice policy include exigent or counterproductive circumstances, for example, when there is an emergency involving a danger of death or serious physical injury to a person.
-
To Protect Us and Others. We may disclose the information we collect from you where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Use or this Policy, or as evidence in litigation in which AliveCor is involved.
-
Third Party Analytics. We use automated devices and applications, such as Google Analytics and Mixpanel, to evaluate usage of our Service. We also may use other analytic means to evaluate our Service. We use these tools to help us improve our Service, performance, and user experiences. Users may opt-out of Mixpanel’s analytics tracking by visiting https://mixpanel.com/optout. If you choose to use the Mixpanel opt-out, you will need to access the opt-out on each device you use.
Privacy Shield Information For EU and Swiss Individuals
AliveCor complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States pursuant to the Privacy Shield. AliveCor has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit http://www.privacyshield.gov.
In compliance with the Privacy Shield Principles, AliveCor commits to resolve complaints about your privacy and our collection or use of your personal information pursuant to the Privacy Shield. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact AliveCor at the contact address below.
privacy@alivecor.com
AliveCor, Inc.
Attn. Privacy
444 Castro St #600
Mountain View, CA 94041
AliveCor has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
The Federal Trade Commission has jurisdiction with enforcement authority over AliveCor’s compliance with the Privacy Shield.
The Privacy Shield Principles describe AliveCor’s accountability for personal data that it subsequently transfers to a third-party agent. Pursuant to the Privacy Shield Principles, AliveCor remains liable for the transfer of personal data to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.
Note that AliveCor may be required to release the personal data of EU and Swiss individuals pursuant to the Privacy Shield in response to legal requests from public authorities including to meet national security and law enforcement requirements.
Cookies
Cookies are small text files stored on your device and used by web browsers to deliver personalized content and remember logins and account settings. In addition to improving user experience, we use cookies and similar technologies for analytic and advertising purposes. You can manage your cookies locally by adjusting your browser settings, or you can opt-out of targeted advertising through cookies by visiting networkadvertising.org/choices or aboutads.info/choices. Because there is not yet a common understanding of how to interpret Do Not Track signals, we are unable to respond to Do Not Track requests from browsers, however we are monitoring for updates and will revisit this policy once a common standard is established.
Third-Party Links
Our Service may contain links to third-party websites. Any access to and use of such linked websites is not governed by this Privacy Policy, but instead is governed by the privacy policies of those third party websites. We are not responsible for the information practices of such third party websites.
Security of My Personal Information
We have implemented reasonable precautions to protect the information we collect from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Please be aware that despite our best efforts, no data security measures can guarantee security.
You should take steps to protect against unauthorized access to your password, phone, and computer by, among other things, signing off after using a shared computer, choosing a robust password that nobody else knows or can easily guess, and keeping your log-in and password private. We are not responsible for any lost, stolen, or compromised passwords or for any activity on your account via unauthorized password activity.
Access to, Storage of and Deleting My Personal Information
You may access and modify personal information that you have submitted by logging into your account and updating your profile information. Please note that copies of information that you have updated, modified or deleted may remain viewable in cached and archived pages of the Service for a period of time. Your personal data including EKG data are stored and accessible on your device as well as in the cloud.
We store information associated with your account until your account is deleted. You can delete your account at any time by contacting Customer Support at privacy@alivecor.com. Please note that it may take a bit of time to delete your account information, and we may preserve it for legal reasons or to prevent harm, including as described in the How Information Is Shared section.
What Choices Do I Have Regarding Promotional and Informational Emails?
We may send periodic promotional or informational emails to you. You may opt-out of such communications by following the opt-out instructions contained in the email. Please note that it may take up to 10 business days for us to process opt-out requests. We may still send you emails about your account or any services you have requested or received from us.
Users Under 18
Our services are not designed for users under 18. If we discover that a user under 18 has provided us with personal information, we will delete such information from our systems.
Your California Privacy Rights.
This Privacy Policy complies with the California Consumer Privacy Act (CCPA), which requires that we provide California residents with notice that you have the right to:
-
opt-out of the sale of personal information,
-
know about personal information collected, disclosed or sold,
-
to request deletion of personal information, and
-
to be treated without discrimination should you exercise these rights.
More information regarding the: sources from which we collect personal information can be found above in the section titled “The Information We Collect About You”; business and commercial purposes for which we collect your personal information can be found above in the section titled “How We Use Your Information”; categories of recipients with whom personal information is shared or sold can be found in the section above titles “How We Share Your Information.”
We do not sell any personal information collected from your use of the AliveCor Service.
We do use cookies on our website that collect and share information collected from your browser for behavioral targeting which is a “sale” under the CCPA. We will not do this if you click the “Do Not Sell My Personal Information” link on the website. In addition you can opt out of all collection of your data for behavioral advertising by visiting networkadvertising.org/choices or aboutads.info/choices.
To make a request under the California Consumer Privacy Act, or for any questions or concerns about our Privacy Policy or practices, please contact us at privacy@alivecor.com.
GDPR – Rights For EEA Users and AliveCor’s Capabilities for Worldwide Users
What Rights Do I Have? Individuals located in the European Economic Area (EEA) have certain rights in respect of your personal information. AliveCor will provide the capabilities to exercise these certain rights to all our worldwide users, including:
-
the right of access to your personal data;
-
the right to correct or rectify any inaccurate personal data;
-
the right to restrict or oppose processing of personal data;
-
the right to erase your personal data; and
-
the right to personal data portability.
We rely on your consent as a lawful basis processing personal data for the following purposes:
-
initial collection of personal data through the Service;
-
providing you with marketing or promotional communications. You may opt out of such communications at any time by clicking the “unsubscribe” link found within AliveCor email updates and changing your contact preferences.
We process personal data in order to perform our contract with you.
Additionally, we process personal data based on our contractual obligations to provide you the Service as described in the section “How We Use Your Information”, including:
-
To enable the Service to function as expected;
-
To communicate with you in response to customer service inquiries, to deliver non-promotional, service-related emails, or to administer surveys and questionnaires; and
-
To tailor your experience based on your general region. For example, we process Clinical Interpretation Service requests from EEA-based users through an EEA-based Clinical Interpretation Service partner.
In some cases, AliveCor may process personal information pursuant to a legal obligation or to protect your vital interests or those of another person.
For EEA users only per GDPR requirements, you can turn off local and cloud storage by going to settings and toggling the switch to “off”. If you do turn off this functionality none of your ECG data will be stored either on the cloud or on your device; AliveCor will be unable to retrieve this data and will not send out reports, for example monthly reports under premium services.
This Privacy Policy May Not Apply to All EEA Users. This Privacy Policy does not apply to EEA users using the Services under direction from a physician and where the physician and the patient have an agreement between them covering the use of the Services; in such a case the physician or his/her institution controls data collected from/by KardiaMobile and the App, and the physician’s or his/her institution’s privacy policy will apply, not this Privacy Policy.
How May I Exercise My Individual Rights? AliveCor users whose data is governed by this Privacy Policy located worldwide may access and update their personal information as follows:
-
Account holders may access and update personal information through their account settings in the AliveCor platform;
-
Account holders may exercise their rights to data deletion and data portability by contacting AliveCor’s Data Controller Representative at privacy@alivecor.com.
-
AliveCor does not retain any personal information from users who do not create AliveCor accounts.
Please note that AliveCor may request additional information from you to verify your identity before we disclose any personal or account information.
Contact Us
If you have questions about our privacy practices, please contact us at privacy@alivecor.com.
AliveCor, Inc.
Attn. Privacy
444 Castro St #600
Mountain View, CA 94041
If you are an EEA customer and are unable to reach AliveCor at the contact information provided above regarding your issue, you have the right to contact your local Data Protection Authority.
Changes to this Policy
This Policy is current as of the Effective Date set forth above. We may change this Policy from time to time, so please be sure to check back periodically. We will post any changes to this Policy on our Service. If we make any changes to this Policy that materially affect our practices with regard to the personal information we have previously collected from you, we will endeavor to provide you with notice in advance of such change.