Privacy & Cookies Policy of the Koa Mindset App
Summary version
This summary takes a minute to read and helps you to quickly understand the main points of the privacy policy. It does not replace the full policy, which explains your legal rights.
We’re Koa Health.
Your employer has given us permission to use some of your personal data so that you can use Koa Mindset.
We only collect the data we need.
To run Koa Mindset so that it helps you better manage your depression symptoms.
We don’t see your medical record.
To connect us to your clinical team we see your Medical Record Number and contact details.
We share some data with your clinical team.
This is so that they can monitor your care.
We don’t keep your data for longer than we need it.
Once your employer tells us you no longer need Koa Mindset we erase your data.
You need to be 18 or over to use Koa Mindset.
By using Koa Mindset you are telling us that this is true.
Your data’s safe with us.
We work to the highest industry standards to protect your data from being lost, stolen or misused.
This Privacy & Cookies Policy of the Koa Mindset App (the “Privacy Policy”) applies to any collection and/or processing of personal data by Koa Health and its affiliates (collectively, “Koa,” “we,” “us,” “our,” or “ours”), performed as a result of your use of the Koa Mindset mobile application (the “App” or “Koa Mindset”). No data collected by the App will be processed for any reason other than those outlined in this Privacy Policy.
Note that this App might collect sensitive personal data that is health-related (hereinafter “Sensitive Data”). If you do not agree with this Privacy Policy, please do not access or use the App and the services provided therein.
Summary
- Who collects, controls and processes your personal data?
- Why do we collect personal data about you and what do we do with it?
- What personal data do we collect about you and how?
- Do we share personal data about you with others?
- How long do we keep your data?
- What rights do you have related to your personal data and how can you use them?
- How do we keep your data safe?
- Cookies Policy
1. Who collects, controls and processes your personal data?
Koa Health Digital Solutions LLC, a company registered in the United States (“US”) with its registered address at 75 State Street, Boston MA 02109, United States of America, is the data controller of the data collected in the Koa Mindset app in order to improve our own services.
The data controller for all data collected for other purposes, including the clinical treatment, is Openloop Healthcare Partners PC, 317 6th Ave Ste 400, Des Moines IA 50309, USA.
Where the App is offered by an employer (“Customer”) to its employees, Koa may provide aggregated insights related to the usage of the App to the Customer, so that the Customer can understand the App’s impact. For example, we may provide information on what percentage of people who used the App have found it to be beneficial. These insights will not include personal data, and your employer will not be able to know your name or email address, nor see any raw data you have entered into the App.
You can contact Koa at privacy@koahealth.com for any privacy-related matter. Koa’s Data Protection Officer (Judith Vieberink) may be contacted at dpo@koahealth.com.
2. Why do we collect personal data about you and what do we do with it?
Improving the functioning of the App and our services:
We process personal data to improve the App performance and usability and to provide a better service. This includes aspects related to performance, navigation, availability and usability. To do this, we consider things like how often and for how long you use the App, how you navigate between screens, the activities you use, and which screens you spend more time on. We might also ask for your feedback through email or the App.
Our legitimate interest is the legal basis for this processing. Sensitive or health data is not collected or processed for this purpose. You can object to this processing by contacting us at privacy@koahealth.com.
Communications:
We process your contact data to send you information about our services or products. We may use third party services to facilitate communications.
Our legitimate interest is the legal basis for this processing. Sensitive data is not collected or processed for this purpose. You can object to this processing by contacting us at privacy@koahealth.com.
3. What personal data do we collect about you and how?
The App’s functionalities require the collection of personal data. Sometimes you provide us with data, and sometimes data about you is collected or inferred through your use of the App or generated by us through analysis. We collect and process the minimum personal data necessary for each of the different purposes, and we will keep it as explained in Section 5 below. Should the purposes of the data collected change, we will inform you beforehand and ask for your consent again, where applicable, before we process any data.
When you create an account within the App, you share with us the following information:
- Name
- Email Address
We infer from your activity in the App the following information:
We process information to improve the user experience. Based on analysis of how users use the App, we can make judgements such as whether loading times are slow or whether information is too hard to find, and use this to improve the user experience.
4. Do we share personal data about you with others?
Except as noted below, we do not share any personal data about you with our Customers. We will only share aggregated and/or de-identified information.
We may share some of your personal data with service providers for specific activities such as hosting, providing customer support, or application functionality such as notifications. We only share the minimum information and authorize our service providers to process your information following our instructions. We make sure that our service providers erase all your personal information right after their services are finished. Some of our service providers may be located in the EEA, others may be located outside, such as companies in the United States. We take the appropriate measures to ensure those providers comply with applicable law standards in every processing of personal data they perform on our behalf, by requiring appropriate guarantees such as Standard Contractual Clauses.
Internal team members shall process your personal data following professional responsibilities and contractual obligations only for the purposes established in this Privacy Policy. We take appropriate measures to guarantee the fair and confidential use of all personal data by our employees.
5. How long do we keep your data?
We may retain your personal data for different periods of time, depending on the type of data involved and the purposes of the processing, but generally, following these criteria:
- As long as you are an active user of our services.
- If you are not active in our App, we will erase your data after 12 months from the last time you used it.
- We will also erase or stop processing your data if you withdraw consent or require us to do so. In these cases, we will erase your data or anonymize it in such a manner that it is no longer identifiable.
- Notwithstanding anything in the foregoing, we may retain your personal data as required by applicable law.
6. What rights do you have related to your personal data and how can you use them?
Data protection laws may give you a series of rights regarding the personal data that we manage about you. For example, the rights of access, rectification, erasure, limitation, objection, portability, as well as not being subject to automated decision making and being able to remove your consent.
You can request to exercise these rights by contacting us at privacy@koahealth.com. When sending us a request, use the same email address with which you registered in the App and, if possible, indicate the right you want to request. If you decide to exercise one of these rights through a representative, it will be necessary to provide documentation to authorize the request.
If you receive Koa Mindset as part of an employee wellbeing program in the US, we will forward any records request to your healthcare plan to be fulfilled, and we will respond to any other requests within a maximum of 30 days. That period may be extended by an additional 30 days if necessary. In the event of such an extension, we will notify you within 30 days of receipt of the request, together with the reasons for the delay.
If you feel your data privacy rights have been breached, you also have the right to file a complaint with a Data Protection Control Authority (e.g., the Dutch Data Protection Authority, the Information Commissioner’s Office, or the U.S. Department of Health and Human Services).
In order to register and use our services you must be over 18 years old. Therefore, by signing up you confirm that you meet this condition. We may contact you to confirm this. We do not knowingly collect information from those younger than 18 years. If you are a parent or guardian and believe that your child has used the App, you may contact us at privacy@koahealth.com.
7. How do we keep your data safe?
Koa understands the importance of the security, integrity and confidentiality of your personal data. Therefore, as part of our commitment and in compliance with applicable legislation, we have adopted security measures and technical means designed to prevent the loss of, misuse of or unauthorized access to personal data.
We protect all communications between the App and the servers by using TLS for encryption and server authentication. We use ISO 27001 certified systems in order to protect your registration information including your email and password. We store your personal data in an encrypted database.
Also, we promise to act quickly and responsibly in the event that the security of your data may be in danger, and to inform you if necessary.
8. Changes to this Privacy Policy
We may modify this Privacy Policy from time to time and will post any revisions on our App. We will indicate at the bottom of the Privacy Policy the Effective Date of the most recent update. If an update requires additional notice to you or your consent, we will contact you to provide that notice or seek that consent.
9. Cookies Policy
What are cookies?
When you access our services using a browser, we may use cookies, pixels, and other online tracking technologies (collectively referred to here as “cookies”). Cookies are widely used by online service providers, for example so that services work, or work more efficiently, as well as to provide reporting information.
Cookies set by the controller are called “first-party cookies”. Cookies set by parties other than the controller are called “third-party cookies”. Third-party cookies enable third-party features or functionality to be provided through the app you are using (such as interactive content and analytics). The third parties that set these third-party cookies can recognize your device both when it visits the service in question and also when it visits certain other websites or services.
Why do we use cookies and other tracking technologies?
The third-party cookies or similar tracking technologies such as software development kits (“SDKs”) help us track and target the activity of our users. For example, we use cookies for analytics, configuration, and other purposes. The cookies we use include the following:
Essential cookies: Essential cookies or strictly necessary cookies are cookies that are essential for a website or an app to function correctly. Essential cookies cannot be turned off, as they would impact the way our products work.
Analytics: We do not use analytics cookies.
Marketing cookies: We do not use marketing cookies.
How can I deactivate cookies or similar tracking technologies?
You can withdraw consent for the usage of cookies in the settings section of the App, or by following the instructions of Section 6 of this Privacy Policy.
Effective from: May 2024