Effective December 1, 2018
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Policy applies to the information processed through our public website (including any subdomains and mobile versions thereof, the “Corporate Site”), and our subscription-based RK360 Cloud Record Platform (the “Service”).
Please take a moment to read this Privacy Policy (the “Policy”) to understand how we collect, use, and share Personal Data of users of our Corporate Site and Service (“you” or “your”), as well as your choices and rights with respect to this information.
The Service and Corporate Site are owned and operated by Prosocial Applications, Inc. (RedKangaroo, “us,” “our,” or “we”), a Colorado corporation with an address of 1905 15th St. #4585 Boulder CO 80302-4585. See below for how to contact us.
This Policy is incorporated into the Terms of Service governing your use of the Service. Any capitalized terms not defined in this Policy will have the definitions provided in our Terms of Service. Your use of our Corporate Site or Service indicates your acknowledgement of this Policy.
This Policy does not apply to information processed by third parties, for example, information created and stored by your health care provider, unless and until we receive your information from them. Please review these third parties’ privacy policies to learn more about how they process your Personal Data.
We may collect and process information that relates to identified or identifiable individuals (“Personal Data”). Note that certain Personal Data may include data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health information, or information relating to sex life or sexual orientation (“Special Category Data”). We collect and process the following categories of Personal Data (note, specific Personal Data elements listed in each category are only examples and may change):
Identity Data: Personal Data used to identify a person, such as your name, photo/avatar, username, identification documents, and other Personal Data you may provide during account registration or to prove your identity.
Contact Data: Personal Data used to contact an individual, e.g. email address(es), physical address(es), phone number(s), or usernames/handles, as well as a name or other salutation.
Financial Data: Personal Data relating to financial accounts or services, e.g. a credit card or other financial account number, or other relevant information you provide in connection with a financial transaction.
Insurance Data: Personal Data relating to your health insurance policy and coverage, including your insurance number. This information may be considered Special Category Data.
Device Data: Pseudonymous Personal Data relating to your device, browser, or application e.g. IP addresses, MAC addresses, application ID, cookie identifiers, session navigation history and similar browsing metadata, and other data generated through applications, browsers, cookies, and similar technologies.
Health Records: Health care records, and any Personal Data in them, that we receive from health care providers, such as allergy records, vital statistics, lab tests and results, prescription/medication data, and information relating to medical procedures and medical conditions. This information includes Special Category Data.
Health Profile Data: Personal Data you provide to us about you and your health including blood type, race, ethnicity, religious affiliation, language, education, diet/digestion, lifestyle, known health conditions and certain medical history, allergies, and medications, and other information relating to your health. This information includes Special Category Data.
User Content: Information that a user provides in a message, free text field, video/chat, in a file upload, scan or photo, or unstructured format, including any Personal Data or Special Category Data to the extent contained in or revealed by such content.
Data: An “RK360 Record” is a database account that stores Health Records and other health information of a patient or “Record Owner.” A Record Owner may manage her own RK360 Record as “Record Administrator”; may at any time delegate management to another person as Record Administrator; or, a Record Administrator with guardianship rights may manage the RK360 Record without Record Owner authorization. Record Administrators may grant and control access permissions of “Authorized Users” to RK360 Records. By default, Record Owners and Record Administrators are Authorized Users of RK360 Records.
Please Note: In certain cases, third parties (such as a Provider or other Distributor of the Service) may initiate registration of an RK360 Record (e.g. as part of a Provider’s own operations) on behalf of a Record Owner who appoints self or other as Record Administrator. The Record Administrator may, in turn, appoint the initiating Provider or other Distributor of the Service as Authorized Users on the RK360 Record.
When you first register an RK360 Record as a Record Owner or Record Administrator or first access an RK360 Record as an Authorized User, we will request and process Identity Data, Device Data and certain Contact Data, such as a copy of driver’s license, passport or other ID, and email address.
We may also process certain Financial Data or Insurance Data if you choose to subscribe to our Service, or otherwise pay or seek payment for our subscription fees. This Financial Data may be processed by us, a service provider on our behalf, or may be completed outside of our Service (e.g. through the Apple App Store).
Uses: We use the Identity Data and Contact Data as necessary to authenticate Users and to provide you with important information about your RK360 Record. Financial Data provided at registration will be used only as necessary to process transactions at your request, or to store your information for use in future payments. Subject to Your Rights & Choices, we may also use Identity Data and Contact Data in connection with Marketing Communications, for Product and Service Improvement, and Information Security.
Data: Our Service allows Authorized Users, consistent with their permissions, to request import of Health Records and other health information into RK360 Records from diverse external sources including the electronic health records of healthcare providers (“Providers”). In connection with such requests, our Service will process any designated Identity Data, Health Profile Data, Health Records, Insurance Data, and User Content.
Please note: Our Service enables Authorized Users to request from Providers via intermediary technology services such as Apple Health the import of Health Records, which are generated and controlled by Providers or their business associates. Therefore, data we import into RK360 Records may be inaccurate or incomplete depending upon the content of source records, and the quality of intermediary technology services. See Your Rights & Choices for information regarding data accuracy and correction.
Uses: Our Service generally processes Identity Data, Health Profile Data, Health Records, Insurance Data and User Content as necessary to provide the Service, and in accordance with each Authorized User’s consent, requests, preferences and permissions.
Our Service may collect and process Identity Data, which may include driver’s license, passport, or insurance information, when you provide patient authorizations and medical power of attorney or upload your insurance information to the Service. This Identity Data is stored by our Service, which offers you tools, consistent with your permissions and preferences, for you to disclose this information to third parties. This Identity Data is not processed for any purpose other than for operation of the Service, the disclosures you authorize, and subject to Your Rights & Choices, in connection with Audit Logs and Information Security.
Subject to Your Rights & Choices, and where permitted by law, we may also use Identity Data and Contact Data in connection with Marketing Communications, Product and Service Improvement, and Information Security.
Data: Our Service allows Authorized Users, consistent with their permissions and subscription status, to contact our customer support agents. When you contact us, our Service will process Identity Data, Device Data, as well as any User Content you choose to provide.
Uses: Subject to Your Rights & Choices, our Service will process any Personal Data collected from our communication functionality (via text, chat, email or phone) in order to respond to your request, provide you with relevant information, or if appropriate, and in connection with Marketing Communications, Product and Service Improvement, and Information Security.
Data: Our Service may process Identity Data, Contact Data, and User Content when you contact us through the Corporate Site.
Uses: Subject to Your Rights & Choices, our Service will process any Personal Data we collect from our “contact us” form to respond to your request, provide you with relevant information, or if appropriate, in connection with Marketing Communications, Product and Service Improvement, and Information Security.
Data: Our Service may process Identity Data and Contact Data in connection with email and social media marketing communications if you register for an RK360 Record, choose to receive marketing communications or interact with our marketing communications.
Uses: Our Service processes Identity Data and Contact Data as necessary to provide marketing communications you request, and consistent with our legitimate business interests, we may send you certain marketing and promotional communications if you sign up for those communications or register for our Service. See Your Rights & Choices for information about how you can limit or opt out of this processing.
Cookies and Similar Tracking Technologies
Data: Our Service, and certain third parties, may process Identity Data, Contact Data and Device Data when you interact with cookies and similar technologies on our Corporate Site. Our Service may receive this data from third parties to the extent allowed by the applicable partner. Please note that the privacy policies of third parties may apply to these technologies and information collected.
Uses: Subject to Your Rights & Choices, we use this information as follows:
(i) for “essential” or “functional” purposes, such as to enable various features of the Corporate Site such as remembering passwords, or staying logged in during your session; and
(ii) for “analytics” purposes, consistent with our legitimate interests in how the Corporate Site is used or performs, how users engage with and navigate through the Corporate Site, what sites users visit before visiting our Corporate Site, how often they visit our Corporate Site, and other similar information.
Note: Some of these technologies may be used by us and/or our third-party partners to identify you across platforms, devices, sites, and services.
In order to help secure our Service, meet our legal obligations, and help track access to and disclosures of your Personal Data, our Service creates logs that record Device Data, and if available, Identity Data when Health Records and other Personal Data are accessed, viewed, disclosed, modified, or deleted. These logs are subject to Your Rights & Choices.
Subject to Your Rights & Choices, we may also process any Personal Data we possess in order to monitor the use of our Service and Corporate Site for malicious activity, detect systems vulnerabilities, and as otherwise appropriate to maintain the integrity and security of our Service and Corporate Site and the Personal Data we process.
Subject to Your Rights & Choices, we may process any Identity Data, Contact Data, Financial Data, Device Data, and User Content in order to analyze how users interact with our Service or Corporate Site, in connection with market research, for product and Service improvements, and as necessary to monitor and maintain the integrity and security of our Service, Corporate Site and the data we process.
We may also process and disclose your Personal Data for uses related to medical research, public health, product recalls and other medical product liability/safety matters, and for other research and public health/safety grounds, to the extent and under the conditions allowed by applicable law.
If we process Personal Data in connection with our Service or Corporate Site in a way not described in this Policy, this Policy will still apply generally (e.g. with respect to Your Rights & Choices) unless otherwise stated when you provide it.
Note that we may, without your consent, also process your Personal Data on certain public interest grounds. For example, we may process information as necessary to fulfill our legal obligations, to protect the vital interests of any individuals, or otherwise in the public interest. Please see the Data Sharing section for more information about how we disclose Personal Data in extraordinary circumstances.
Information we collect may be shared with a variety of parties, depending upon the purpose for and context in which that information was provided. We generally transfer data to the following categories of recipients:
A Record Administrator, whether appointed by the Record Owner or acting as personal representative, guardian or medical power of attorney for the Record Owner, may have access to any Personal Data in the RK360 Record of the Record Owner, including Medical Records and Medical Profile Data. Record Administrators may also disclose that information to third parties or grant access to other subordinate Authorized Users, to the extent such functionality is made available through the Service and the Record Administrator is appropriately authorized.
Our Service enables the exchange of medical information and other contents of RK360 Records with external sources and recipients of designated information such as healthcare Providers. When Authorized Users, consistent with their permissions, utilize tools in RK360 Records to exchange Personal Data in RK360 Records through the Service, the Service may share any designated information including Health Record Data, Health Profile Data and any Sensitive Personal Data.
To the extent we process personal data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), we may disclose such Health Record Data and Health Profile Data, Contact Data, Identity Data, and Insurance Data where authorized for Treatment, Payment, and Healthcare Operations. These include activities such as disclosing information to Providers, for our Product and Service Improvement, or if necessary to bill patients or insurance providers.
In connection with our general business operations, product/service improvements, to enable certain features, and in connection with our other legitimate business interests, we may share any Personal Data with service providers or subprocessors who provide certain services or process data on our behalf.
In order to streamline certain business operations and develop products and services that better meet the interests and needs of our Users, and inform our customers about relevant products and services, we may share your Personal Data with any of our current or future affiliated entities, subsidiaries, and parent companies.
Any Personal Data may be processed without your consent in the event that we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.
In limited circumstances, we may, without notice or your consent, access and disclose your Personal Data, any communications sent or received by you, and any other information that we may have about you to the extent we believe such disclosure is legally required, to prevent or respond to a crime, or for other law enforcement and national security reasons, to investigate violations of our Terms of Service, or when the disclosure is in the vital interests of us or any person. Note, these disclosures may be made to governments or other authorities in jurisdictions that do not ensure the same degree of protection of your Personal Data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your Personal Data to such parties on any lawful grounds we may have.
We may disclose any Personal Data without your consent on certain public interest grounds. For example, we may process information as necessary to fulfil our legal obligations, for public health and other matters in the public interest, to medical providers or healthcare organizations, medical examiners, in connection with organ and tissue donor requests, or where otherwise allowed by applicable law.
Applicable law may grant you some or all of the following rights in your Personal Data. To the extent applicable law grants you these rights, you may exercise these rights using the methods set forth below, or by contacting us. Please note: we may require that you provide additional Personal Data to exercise these rights, e.g. Identity Data that is necessary to prove you are authorized to make a request.
Access: You may access the Personal Data that we process to the extent required and permitted by law. Further, our Service offers you tools (e.g. through the account services menu), consistent with your permissions as a User, for securely accessing your personal data, including Health Records, Health Profile Data, data from Audit Logs, and other information about your RK360 Record.
Rectification: Our Service offers you tools, consistent with your permissions as a User, for correcting any Personal Data that the Service holds about you to the extent required and permitted by law. You may be able to make changes to Personal Data, such as Account Registration Data and Medical Profile Data through the user account settings menu provided through the Service.
Please note: Our Service stores and displays copies of Health Records that are maintained in Providers’ systems; we do not control and cannot alter the content of your Health Records. Please contact the relevant Provider to exercise your right to correct Health Records. Updated Health Records will be reflected in the Service when updated by the Provider and only if the Service is authorized to receive the updated Health Record.
Erasure: Our Service offers you tools, consistent with your permissions as a User, for deletion of Health Records, Health Profile Data, account registration data and contents of RK360 Records. You may not, however, delete the Audit Logs that document User activities on the Service and in RK360 Records. We will explain how to use these tools but cannot utilize these tools on your behalf.
Please note: we store and display copies of Health Records that are maintained in Providers’ systems if they are shared with us; we do not control and cannot delete Health Records stored in Providers’ systems. Please contact the relevant Provider to exercise your right to delete your primary Health Records.
Data Portability: To the extent required by applicable law, our Service will enable you to export and send to yourself, to Providers or to other third parties, copies of certain Personal Data in your RK360 Record in a common portable format of our choice. Before you delete Data, our Service will remind you to export a copy of your Data to a destination storage location you control. To export data, you may use the data sharing functionality that our Service offers and you may employ as destinations your personal email or fax, or the email or fax of the appropriate third party. We will explain how to use these tools but cannot utilize these tools on your behalf.
Complaints: You have the right to contact or file a complaint with us, as well as regulators or supervisory authorities, about our processing of Personal Data. To file a complaint with us, simply contact us. To file a complaint with governmental bodies, please contact your local data protection or consumer protection authority. In the US, you may be able to file a complaint with the Federal Trade Commission, or if appropriate, the Department of Health and Human Services, in each case, by submitting a complaint through their online complaint processes. We will not retaliate against you for filing a complaint.
California Rights: Residents of California (and others to the extent required by applicable law) may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes during the preceding calendar year (if any). Please contact us to make this request.
HIPAA: To the extent required by applicable law, we will provide you with an accounting of the disclosures of your Health Data or Health Profile Data (if any). To do so, please contact us.
It is possible for you to use portions of our Corporate Site without providing any Personal Data, but you may not be able to access certain features or view certain content. You have the following choices regarding the Personal Data we process, however, please note that we may not be required to agree to a requested restriction to the extent permitted by law:
Data Collection & Sharing: You may generally control how Personal Data is shared with us, and how we share your Personal Data. You can control what Personal Data we collect by modifying your permissions with your Providers, or modifying your authorizations to share data with third parties. Additionally, you may change your authorization for our Service to receive continuous updates of your Health Records through the account settings menu. You may also limit sharing of any Health Records and Health Profile Data, as well as any other Personal Data (including data shared with third parties and subordinate Users) through the account settings menu. Note, only Account Administrators may directly limit the rights and permissions of subordinate Users. You may contact us for guidance about how to employ the account settings menu.
Consent: If you consent to any other processing of your Personal Data, you may withdraw your consent at any time. Please note, as the primary function of the Service is to collect, aggregate, store and share copies of your Health Records and Health Profile Data, your sole means of revoking consent may be to delete data from the Service, or delete your account.
Direct Marketing: You may have a legal right not to receive such messages in certain circumstances, in which case, you will only receive direct marketing communications if you consent. You have the choice to opt-out of or withdraw your consent to direct marketing communications you receive. You may exercise your choice via the links in our communications or by contacting us re: direct marketing.
We are required by law to maintain the privacy of your Health Records and Health Profile Data, and we implement reasonable and appropriate security measures to safeguard the Personal Data you provide us. However, we sometimes share Personal Data with third parties as noted above, and we do not have control over third parties’ security processes. Further, certain methods of sharing your Health Records you may choose to use may present risks to the confidentiality of Sensitive Personal Data. We do not warrant perfect security and we do not provide any guarantee that your Personal Data or any other information you provide us will remain secure, nor will we be liable for any unauthorized disclosures that occur following your choice to share Personal Data with Authorized Users or recipients you designate, such as Providers. We will notify you if there is a breach of the security of unsecured Personal Data we may process, where such notice is required by law.
Our Service keeps the Medical Records and Profile Data of Authorized Users until those Users employ the tools the Service offers, consistent with their permissions, to delete that data at which point we retain only Audit Logs of User activity in accordance with Your Rights & Choices. Otherwise, our Service retains Personal Data for so long as it, in our discretion, remains relevant to its purpose, and in any event, for so long as is required by law. To the extent our Service retains any Personal Data, we will review retention periods periodically, and may pseudonymize or anonymize data held for longer periods, if appropriate.
Our Service and Corporate Site are neither directed at nor intended for use by minors under the age of majority in the relevant jurisdiction. Further, we do not knowingly collect Personal Data from such individuals unless we receive the consent of the minor’s parent or guardian. If we learn that we have inadvertently done so, we will promptly delete it. Do not access or use the Service or Corporate Site if you are not of the age of majority in your jurisdiction unless you have the consent of your parent or guardian.
We operate in and use Internet service providers located in the United States. If you are located outside the U.S., your Personal Data may be transferred to the U.S. The U.S. does not provide the same legal protections guaranteed to Personal Data in the European Union. Accordingly, your Personal Data may be transferred to the U.S. pursuant to the EU-U.S. Privacy Shield Framework, the Standard Contractual Clauses, or other adequacy mechanisms, or pursuant to exemptions provided under EU law. Contact us for more information regarding the specific mechanism used to ensure adequate protection of Personal Data subject to EU Law.
Prosocial Applications, Inc. is the data controller for Personal Data collected under this Policy.
The legal bases of our processing of your Personal Data are described in the table below. If you have questions about the legal basis of how we process your Personal Data, contact us at firstname.lastname@example.org.
Processing is necessary to perform the contract governing our provision of the Service or to take steps that you request prior to signing up for the Service. This may include processing that is necessary to provide the Service.
The following processing activities constitute our legitimate interests. We balance any potential impact on you when we process your Personal Data for our legitimate interests. You may object to this processing as described in the Rights of EU Users section below. For example, our legitimate interests include:
Determining the effectiveness of marketing campaigns
Product and Service Improvement
Treatment, Payment, and Healthcare Operations
To create, provide, support, maintain, and improve our products and Service, or to improve the efficiency of our Service, and operate our business
Product and Service Improvement
To secure our platform and network, investigate suspicious activity or violations of our terms or policies; and to protect the safety of Personal Data, including to prevent exploitation or other harms to which Users may be particularly vulnerable.
Processing is necessary to comply with our legal obligations, for example, tax laws, fraud reporting, etc.
Medical Power of Attorney
Processing is based on your consent. Where we rely on your consent you have the right to withdraw it anytime by contacting us at email@example.com
All Personal Data
Note, we may process and disclose Personal Data where it is in the vital interests of a data subject, to comply with a legal obligation to which we are subject, in the public interest, for public health purposes and medical or scientific research, or other appropriate legal ground which may apply under applicable law.
Right to Object: Where we process data on the basis of our legitimate interests, you can object to that processing to the extent allowed by law. Note that we must only limit processing where our interests in processing do not override an individual’s interests, rights, and freedoms, or the processing is not for the establishment, exercise, or defense of a legal claim.
Right to Restrict: You may have the right to restrict processing of your Personal Data where the accuracy of the Personal Data is contested, the processing is unlawful but you object to deleting the Personal Data, or we no longer require the Personal Data, but it is still required for the establishment, exercise, or defense of a legal claim, or while we assess an objection to processing.
We are required to comply with the effective version of this Policy. We may change this Policy from time to time, and when we do so, the changes will apply to all Personal Data we maintain, to the extent allowed by applicable law. Changes will be posted on this page with the effective date. Please visit this page regularly so that you are aware of our latest updates. Your use of the Service following notice of any changes indicates acceptance of any changes. You may download and print a paper copy of this notice from the Corporate Site.
Feel free to contact us with questions or concerns using the appropriate address below.
General inquiries: firstname.lastname@example.org
Data rights & privacy: RK 360 Privacy Office
Physical address: Prosocial Applications
1905 15th St. #4585