Privacy Policy

Privacy and Security Policy
KINETIKOS PLATFORM AND MKINETIKOS MOBILE APPLICATION

FRAMEWORK
KINETIKOS DRIVEN SOLUTIONS, S.A. (hereinafter Kinetikos) is a company incorporated under Portuguese law that has developed a service comprising two main components: a clinical platform, accessed at various clinical institutions via a web client, and a mobile application, which accesses the personal data of its users (subscribers). The main objective of the services offered by Kinetikos, in both branches, is to help improve the quality of life of patients with one or more of the following conditions (hereinafter Conditions):
- Patients with altered mobility associated with a medical condition, such as neurological conditions (Parkinson's and stroke injuries), rheumatic diseases (multiple sclerosis), chronic back pain and obesity.
- Patients undergoing lower limb and spinal surgery with an impact on mobility.
- Users interested in improving their functional capacity to prevent the risk of falling and promote longevity.

These services enable closer and more attentive monitoring of the patient and the provision of up-to-date information to the health professionals accompanying them. The mobile application allows users to manage their condition, record symptoms and medication, answer questionnaires and collect their daily movements. The platform allows clinical staff to enter relevant information about their patients and to send movement data for analysis and reporting. The platform and the mobile application can be used independently; when connected, however, the platform allows each healthcare professional to access the data entered by the patient in the mobile application and the reports generated from it, and to interact with the patient so that, on the basis of this information, they can make a current clinical diagnosis that reflects the patient's true physical condition.
In the mobile application, the data relating to the movements made by each patient is personal data, in that it makes it possible to determine the location of the person (patient) and their routines; it is also sensitive data, in that it associates a physical and clinical condition with a particular person. The data collected through the movements of each patient, who is fully identified, is collected and communicated from the mobile application to the platform subject to the acceptance of the patient and the healthcare professional. Kinetikos does not intend to replace any healthcare professional, and its operation always depends solely on the information uploaded by the patient and the healthcare professional for subsequent analysis and consideration.

This privacy and security policy aims to inform all customers and users of the Clinical Platform and Mobile Application of how their personal data is processed, for what purposes and for how long it is kept.

ENTITIES RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA
The clinical platform designed and owned by Kinetikos is accessed by the clinical and healthcare institutions that have subscribed to the service, and the personal data entered into the clinical platform is accessed only by the healthcare professionals who accompany their patients. The entity responsible for processing the personal data entered into the clinical platform and accessed by the respective healthcare professionals is the clinical or healthcare institution that has subscribed to the services provided on the Kinetikos clinical platform; it is up to each such entity to determine the purpose of processing the personal data collected through the platform, as well as the type and amount of personal data it needs to collect and access in order to provide healthcare services to each patient.
In this service, Kinetikos acts as a subcontractor for the clinical institution, which is responsible for processing the personal data in accordance with its own instructions and for the purposes it intends and chooses. The data entered into the clinical platform is accessed by healthcare professionals who, in order to access and use the clinical platform, must register by providing their full name and email address. Optionally, the healthcare professional can also provide their mobile phone number in order to use two-factor authentication (an SMS containing an authentication code).

The mobile application is a service also designed by Kinetikos, available in the App Store and Google Play Store as "mKinetikos". The patient downloads the mobile application to their mobile phone, through which all their movements are recorded and monitored in any context; all that is required is proximity between the patient and their mobile phone. The application accesses data through GPS, meaning that, in addition to collecting mobile data, it is also possible to locate the patient, although not in real time.

The entity responsible for processing personal data downloaded from the mobile application is:
KINETIKOS - DRIVEN SOLUTIONS, S.A.
Address: Rua Pedro Nunes, Edifício C, 3030-199 Coimbra, Portugal
Email: info@kinetikoshealth.com
Telephone: (+351) 215 836 938

WHAT TYPE OF PERSONAL DATA ARE COLLECTED
The Clinical Platform collects the personal data selected, adjusted and adapted by each healthcare professional according to their clinical diagnosis.
In order to access and use the clinical platform, the healthcare professional must register the patient and fill in the fields provided, entering at least the following personal data:
- External identification data - name and date of birth (the only compulsory data);
- Patient contact details - institution's internal code, contact details (email, telephone, mobile phone);
- Personal health data - sex at birth, medical history, clinical questionnaires, prescribed treatments;
- Biometric data - data associated with each patient's physical movements.

In the mobile application, the patient creates their account by entering their email address and creating a password, which must be made up of 8 digits and must be kept confidential and inaccessible to third parties. The mobile application only accesses the personal data entered and downloaded by each patient, who must fill in the fields presented to them, some of which are compulsory, entering at least the following personal data:
- External identification data - name, date of birth (compulsory);
- Patient contact details - email address (mandatory);
- Personal health data - sex at birth, medical history, clinical questionnaires, prescribed treatments, medication;
- Biometric data - data associated with each patient's physical movements;
- Georeferencing data - data collected via the mobile phone's GPS, which makes it possible to obtain the location of the patient and user of the mobile application, albeit not in real time, for subsequent analysis by the healthcare professional.

The personal data collected through the clinical platform and the mobile application is adequate and sufficient to fulfil the respective processing purposes.

HOW WE COLLECT AND ACCESS PERSONAL DATA
Kinetikos collects the personal data entered by users and patients in the mobile application; the personal data is entered directly by the user/patient when filling in the selected fields.
The information entered directly by the user/patient is then accessed by Kinetikos and shared on the clinical platform implemented in each clinical institution, so that the healthcare professional has access to all the data collected in relation to the movements recorded for each patient. On the clinical platform, personal data is entered by health professionals in the context of a clinical consultation specifically aimed at monitoring and following up the Conditions. Georeferenced personal data enabling the user/patient to be located is collected in order to fulfil the purposes described in this privacy and security policy.

FOR WHAT PURPOSES PERSONAL DATA IS PROCESSED
Within the scope of using the mobile application, the personal data collected is adequate, limited and proportionate to each of the processing purposes set out in this Privacy and Security Policy. The personal data downloaded by the user/patient is collected and shared on the clinical platform to fulfil the following purposes:
- Monitoring and follow-up of patients with the Conditions, in order to prepare a preventive clinical diagnosis by monitoring and tracking the evolution and variation of the patient's movements, and collecting the biometric data required for this purpose;
- Content management, which consists of collecting personal data, with the express and informed consent of the user/patient, in order to send newsletters with news on the activity carried out by Kinetikos and other services it provides;
- Content management for personalised services which, in the case of the mobile application, consists of collecting personal data, with the express and informed consent of the user/patient, in order to obtain their location (not in real time) and thereby access the patient's movements, from which it can be assessed whether there are external signs of progression of the Conditions in a given patient.
The personal georeferencing data obtained and processed through the mobile application is collected to improve and personalise the service provided by Kinetikos so that, in conjunction with the information downloaded on the clinical platform and with health professionals, it can provide information to support an accurate and preventive diagnosis of the progression of the Conditions in each patient, taking into account their physical specificities. Personal georeferencing data is collected with the express and informed consent of the user/patient, which can be withdrawn or revoked at any time and at no additional cost; the patient/user will then be unable to benefit from all the clinical benefits of the "mKinetikos" application, but the patient's medical follow-up and treatment will under no circumstances be affected. Withdrawal of consent does not affect the lawfulness of the processing of personal data carried out before it was withdrawn or revoked.

On the clinical platform, the purposes of processing are delimited and defined by the healthcare professional employed by the clinical institution that treats the patient. Kinetikos, as the owner of the clinical platform, will adjust and provide its services in accordance with the purposes intended by the clinical institution and its healthcare professional. All consents given in any of the contexts or for any of the purposes identified above can be consulted by sending a request to data.protection@kinetikoshealth.com.

RETENTION PERIODS FOR PERSONAL DATA
Kinetikos processes and retains the personal data of the patient/user of the mobile application within and for the contractual context in question, in accordance with the purposes for which it is processed, retaining it only for the period strictly necessary and appropriate for monitoring and following up the Conditions.
With regard to the use of the clinical platform by the healthcare professional, the retention periods for personal data may be determined by the clinical institution in question, and it is up to each institution to establish the retention period for the personal data collected in this context. Therefore:
- In the contractual context maintained with patients/users of the "mKinetikos" mobile application, the personal data collected is kept for the duration of the contractual relationship in question and for as long as the patient/user maintains their express and informed consent to the processing of their personal data. Once consent has been withdrawn, Kinetikos immediately encrypts and anonymises all the data collected, preventing any personal data collected, including biometric data, from being linked to or associated with a particular patient/user.
- In the contractual context maintained with the patient/user within the scope of the clinical platform installed in clinical institutions, it is up to the clinical institution and healthcare professional to determine the conditions under which the patient gives express and informed consent. As soon as Kinetikos receives instructions to this effect from the clinical institution and/or healthcare professional, it will anonymise and/or encrypt the personal data collected and downloaded onto the clinical platform, following the same procedure.
- In the context of content management, the personal data collected is kept for the duration of the contractual relationship in question and for as long as the patient/user maintains their express and informed consent to this type of processing. If consent is revoked or withdrawn, the patient's/user's personal data will be immediately erased or, alternatively, anonymised so that it cannot be associated with or linked to any patient/user.
- In the context of providing personalised services, personal data on the location of the patient/user is kept only for the duration of the contractual relationship in question and for as long as the customer/user maintains their express and informed consent to this type of processing. If consent is revoked or withdrawn, the personal data collected for the purpose of locating the patient/user will be deleted immediately.

Anonymised personal data, once disassociated from any natural person (patient/user), may be used for statistical purposes and for studies promoted by private entities on the characterisation, diagnosis and progression of the Conditions.

COMMUNICATION AND SHARING OF PERSONAL DATA
The personal data collected via the "mKinetikos" mobile application can be shared with and downloaded onto the clinical platform, monitored by the healthcare professional, in order to prepare the clinical diagnosis of the patient's/user's Conditions. The personal data entered by the healthcare professional on the clinical platform is shared within the clinical institution and with all the healthcare professionals who access the platform and accompany the patient. It is the responsibility of the clinical institution, as the entity responsible for processing the personal data, to take the necessary steps to safeguard and protect the information, establishing confidentiality conditions with its healthcare professionals. In any of the contexts described above, Kinetikos (owner of the mobile application and clinical platform) grants access to personal data to subcontractors for the management and storage of information collected through any of the channels and for maintaining the mobile application and clinical platform. Subcontractors process personal data in the name and on behalf of Kinetikos, within the limits of and in accordance with the options and instructions given to them.
Kinetikos ensures that all of its subcontractors have undertaken and uphold a duty of confidentiality and have adopted technical and organisational measures that ensure an adequate level of security in order to preserve the integrity, availability, confidentiality and accuracy of personal data. Some of the subcontractors that access personal data have their own privacy and security policies, as well as internal procedures for handling and processing personal data, over which Kinetikos has no intervention or involvement. To this extent, Kinetikos is not responsible for the security and privacy standards, procedures or policies applied by these subcontractors, but only guarantees that the security standards and procedures are fully complied with and activated in the event of a personal data breach. Kinetikos, in any of the contexts described above, is not responsible for the content of the privacy and security policies published by the subcontractors, nor for any content published or associated, or any link published and referenced, on each of their web pages. All content published on the websites of each of the subcontractors is their sole responsibility. Likewise, Kinetikos is not responsible for the privacy and security policies, nor for the information security measures applied and implemented, in the clinical institutions where the clinical platform is installed; the data subject (patient) must request from the responsible organisations all information about their personal data and how it is processed. In any of the contexts described above, Kinetikos does not transfer your personal data to countries outside the European Union.

RESPONSIBILITY OF PERSONAL DATA SUBJECTS (PATIENTS/USERS)
Data Subjects undertake to comply with all the rules and procedures set out in this privacy and security policy, as well as the terms and conditions of use of the "mKinetikos" mobile application, available in the app.
Healthcare professionals are required to comply with all the rules and procedures set out in this privacy and security policy, as well as the terms and conditions of use of the clinical platform. Kinetikos shall not be liable for any damages or losses arising, directly or indirectly, from failure to comply with or breach of any rules or procedures relating to the use of the mobile application and the clinical platform.

RIGHTS OF PERSONAL DATA SUBJECTS
Personal Data Subjects (patients/users) may at any time, free of charge and in accordance with the legislation in force, exercise the following rights: the right to information, access, rectification or erasure of personal data, the right to portability, and the right to restrict or object to the processing of their personal data.
- Right to information - the data subject has the right to consult, at any time and in any place that is available and easily and unconditionally accessible, all the information on the scope of activity in which their personal data may be processed in any way, in this case in the "mKinetikos" mobile application;
- Right of access - the data subject has the right to know whether or not their personal data is processed for the purposes set out in this security and privacy policy, the categories of personal data processed, the entities with which the personal data may be processed and shared, the retention periods, the origin of the data and the ways or methods by which it is collected, and any transfer to other entities located outside the European Union;
- Right to rectification - the data subject has the right to rectify their personal data at any time and at no cost when it is inaccurate or out of date;
- Right to erasure - the data subject has the right to obtain, at any time and at no cost, the erasure of their personal data: from the moment their data is no longer necessary for the purpose for which it was collected and there is no legal rule requiring it to be kept for longer; whenever the data subject withdraws their consent; whenever the personal data is collected and/or processed unlawfully; whenever the data subject has objected to the use and processing of their personal data for marketing and advertising purposes, as well as for localisation and profiling;
- Right to restriction of processing - the data subject may request that the processing of their personal data be restricted in its use, and that it not be shared with third parties or erased; this right may be exercised when it is found, in any way, that the personal data being processed is incorrect or inaccurate;
- Right to data portability - the data subject has the right to receive their data from the controller - Kinetikos - in a structured, commonly used and machine-readable format, as well as the right to transmit this data to another responsible entity, provided they have given their consent, or the processing is based on a contract or is carried out by automated means;
- Right to object - the data subject may object to the processing of their personal data whenever their personal data may be re-used for a purpose other than the one foreseen for a certain type of processing, whenever the personal data may be used and processed to protect Kinetikos' legitimate interests, or whenever it is used for marketing and advertising purposes.

All rights may be exercised at any time and free of charge, provided that the request is not manifestly unfounded or excessive, in which case the organisations responsible reserve the right to charge a fee to cover the administrative costs associated with the request.
Any of the rights described above can be exercised through the following means:
Email: data.protection@kinetikoshealth.com
Registered post with acknowledgement of receipt to: Rua Pedro Nunes, Edifício C, 3030-199 Coimbra, Portugal

Kinetikos undertakes to respond to the request as soon as possible, never exceeding the legally stipulated deadlines, and to justify its decision in accordance with the legal parameters in force. In any case, whenever data subjects consider that their rights have been violated or not safeguarded, they can lodge a formal complaint with the National Commission for the Protection of Personal Data.

SAFETY AND SECURITY MEASURES
In any of the contexts described above, Kinetikos implements all legally required security measures in order to guarantee the privacy of the Personal Data collected and processed, ensuring the security of all information in online and offline systems. Whenever sensitive information with a heightened degree of confidentiality is collected, the personal data is immediately encrypted using the Secure Sockets Layer protocol (SSL, in its current TLS version). This technology is used to protect the sharing and transmission of personal data over the internet, encrypting and protecting sensitive information using the HTTPS protocol, so that the customer/user's data cannot be fraudulently intercepted and all information is handled with the highest level of security. Likewise, cloud traffic between the machines and the volumes where the data is stored is encrypted. The data storage servers are contained in a VPC (a private network inaccessible from the outside) and cannot be accessed directly, not even by Kinetikos employees. All access is protected by an audit log. The database stores the data files on an encrypted volume (AES 256-bit algorithm).
This data is stored on two different servers as follows: the user's identification metadata (such as name, ID card or passport number) is entered and stored on one server. From this information, a unique code is generated (using a one-way secure hash algorithm), which is stored on a second server along with the rest of the user's data: data resulting from clinical evaluation, such as strength assessment, special tests, level of pain and disability, among others; and biomechanical assessment, such as angular data from bone segments. The use of this technique ensures that it is virtually impossible for third parties to link the data from the two servers, even if they have access to all or part of their content. By guaranteeing the logical separation of health data from other personal data, the confidentiality and security of sensitive data is preserved. Any interaction of a duly authorised user with the data, through either of the solutions, is recorded by the cloud service provider and can be consulted whenever we request it.

APPLICABLE LAW
This privacy and security policy has been drawn up under, and is fully subject to, the legislation in force in the European Union, the General Data Protection Regulation (GDPR) and its implementing law, as well as the recommendations and guidelines issued by the European Data Protection Board.

CHANGES TO THIS PRIVACY AND SECURITY POLICY
Kinetikos reserves the right to amend this privacy and security policy or any terms and conditions of sectoral security and privacy policies, always in accordance with applicable national and EU legislation.

Coimbra, 24 November 2023.