1) The information we collect, why we need it, and how use it.
2) What choices you can make about how we use your information.
3) The measures we take to protect the security of the information and maintain regulatory compliance for HIPAA, GDPR, and other data regulations.
The personal information we collect and transmit may include healthcare information, including billing, insurance, and medical information. Therefore, our privacy practices are intended to comply with the health insurance portability and accountability act (“HIPAA”), General Data Protection Regulation (“GDPR”), and other global privacy laws where we operate. We will maintain the privacy of your health information as required by HIPAA and the regulations promulgated under that act.
For additional information related to your healthcare information or if you have any questions, please reach out to us at firstname.lastname@example.org.
Access to and use of the Services by a healthcare provider who is an Eko customer (a “Customer”) and such Customer’s authorized users is subject to and governed by the agreement between Eko and the applicable Customer executed by authorized representatives of each party (the “Customer Agreement”). Eko may collect, use and disclose information from a Customer and such Customer’s authorized users as set forth in the Customer Agreement. If you would like more information about the Services or becoming a Customer, please contact us at email@example.com.
The information we collect, why we need it, and how we use it.
We may collect the following types of personal information from users of our Services, and store it on your mobile device, and/or in a secure third-party cloud services provider database:
When you register to use the Service or create an Eko account, we may collect your name and all other information provided to us, such as your email address, password, date of birth or gender. We also collect any information uploaded or otherwise input by you while using the Service, including, but not limited to, information related to medications you are taking and other health-related information about you. You may add information to your profile such as Patient ID, and information about your activity level, medical conditions, and medications. We use this information to create your account and provide you with the Services.
If you are a healthcare provider, we may also collect your National Provider Identifier (NPI).
Physiologic and Usage Data
We collect certain information through your use of the Devices and/or your smartphone connected to the Services, such as but not limited to: heart sound data, lung sound data, ECG data, diagnosed condition, mobile device accelerometer data, average heart rate, the location on the body where the recording was taken, local time, time zone and geographic location of data acquisition. We may collect such information from patients or from providers. We use this information to provide and improve the Services.
Customer Support Inquiries
If you contact us directly, such as when you contact our Customer Support team, we will receive the contents of your message or any attachments you may send to us, as well as any additional information you choose to provide. We may also collect technical information about your device, including your IP address or device ID, which we will use to provide you with support and to improve our services. Contact us at firstname.lastname@example.org if you have any questions.
Payment Information (applicable to Providers ONLY).
We use third-party payment processors to process any payments you make to us. When you make payments through the Services, you may need to provide your shipping address and financial account information, such as your credit card number, to our third-party service providers. All of the information you provide in connection with making a payment to us is collected and stored by the third-party service provider, not by Eko. We do not collect or store financial information, though we may receive transaction identifiers and summary information that does not include credit card or bank account numbers.
De-identified, Anonymized and Pseudonymized Data
In an ongoing effort to better understand and serve our Customers, which are other users of the Services and communities of patients with chronic health conditions, Eko conducts research based on data, including the Personal Information we collect from you and the other information provided to us. We compile and analyze any data we collect both on an aggregate basis and on a de-identifed and pseudonymized basis to produce research and analyses. De-identified data and pseudonymized data cannot be used to identify you, but may contain markers that permit later reidentification by Eko. Anonymized data cannot be used to identify you and is unable to be re-identified and is no longer considered Personal Information. While the data Eko uses to create the research and analyses may be de-identified or pseudonymized, the research and analyses products will be anonymized. Eko may share the research and analyses in aggregated and anonymized format with its aﬃliates, agents, Customers, Customers’ affiliates, and other healthcare research and services entities. The research and analyses cannot be used to identify you personally and cannot be re-identified. Eko may disclose aggregated, de-identiﬁed and/or pseudonymized information in order to describe our business and the Services to current and prospective business partners and Customers, and to other third parties for other lawful purposes. Eko retains anonymized files of the PCG and ECG recordings from Devices. These do not contain any associated Personal Information.
If you are a patient, your healthcare provider(s) may also monitor User Content in order to monitor your progress and overall condition and to follow up with you, as they deem appropriate in their independent judgment as your healthcare providers.
You agree that such monitoring activities, if in compliance with applicable privacy laws, will not entitle you to any cause of action or other right with respect to the manner in which Eko or its affiliates or agents monitor your communications and enforces or fails to enforce the Terms of this agreement. In no event will Eko or any of its affiliates or agents be liable for any costs, damages, expenses, or any other liabilities incurred by you as a result of monitoring activities by Eko or its affiliates or agents.
Device and ISP Data
We use common information-gathering tools, such as log files, cookies and similar technologies to automatically collect information, which may contain Personal Information, from your computer or mobile device as you navigate our websites or interact with emails we have sent you. As is true of most websites, we gather certain information automatically via log files. This collected information may include your Internet Protocol (IP) address (or proxy server), device and application identification numbers, your location, your browser type, your Internet service provider and/or mobile carrier, the pages and files you viewed, your searches, your operating system and system configuration information, and date/time stamps associated with your usage. This information is used to analyze overall trends, to help us provide and improve our websites and to guarantee their security and continued proper functioning. We also collect IP addresses from users when they log into the services as part of the Company’s security features.
How We Use the Information We Collect
To Provide and Improve our Services.
Where permitted under applicable law, We use your information to:
To Communicate with You
We may send you emails, text messages, and push notifications to your mobile device, if you have them enabled, to verify your account and for informational and operational purposes, such as account management, providing instructions, alerts, reminders, customer service, system maintenance, and other Service-related purposes. We may also permit users, such as your health care providers, to use the Services to send you emails, text messages, and push notifications.
Marketing and Data Analysis
To the extent permitted by applicable law, we may use your information to provide online advertising on the Services and to send you newsletters, offers, surveys, and other promotional information related to Eko products and services. Where required under applicable law, we will obtain appropriate consent to send you marketing communications. You may opt out of email marketing by using the unsubscribe link in a marketing email, or by contacting us at email@example.com.
How We Share the Information We Collect
We consider your information to be a vital part of our relationship with you. There are, however, certain circumstances in which we may share your Personal Information with certain third parties without further notice to you. Those circumstances are described below:
With Our Customers: If you are a Patient, we will share your Personal Information and Health Data with our Customer(s) that provide healthcare services to you. This will enable your healthcare provider to track your Health Data and combine such Health Data with other information about you that your provider obtains in treating you.
With Patient-Authorized Persons: If you are a Patient, you may have the option of identifying family, friends, or other people in the Eko application to view certain of your information and receive alerts regarding your health and/or activities (“Permissions”). If you designate Permissions, we may make available certain of your Personal Information and Health Data, and related alerts, to the people you designate.
In the Event of a Business Transfer: We might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, Personal Information may be part of the transferred assets.
With Our Agents, Consultants and Related Third Parties: Eko, like many businesses, sometimes hires other companies to perform certain business-related functions. Examples of such functions include data hosting and billing management. When we employ another entity to perform a function of this nature, we only provide the entity with the information that it needs to perform its speciﬁc function.
To Meet Our Legal Requirements: We may disclose your Personal Information if required to do so by law or if we have a good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend our rights or property, (iii) act in urgent circumstances to protect the personal safety of you, us, other users of the Services or the public, or (iv) protect against legal liability.
NOTE: We may, from time to time, rent or sell aggregated data and/or other information that does not contain any personal identifiers (i.e., if the information has been anonymized by stripping out identifiers such as name, address, phone number, etc.). The purpose of this type of disclosure is to allow research institutions to learn more about symptoms associated with your medical condition(s).
Cookies and Analytics Technologies
The information collected in this manner includes IP address, browser characteristics, device IDs and characteristics, operating system version, language preferences, referring URLs, and information about the usage of our Service. We may link this data to your profile. You may be able to change browser settings to block and delete cookies when you access the Sites through a web browser. However, if you do that, the Sites may not work properly. Our ad networks and analytics service providers may also collect information about your use of other websites and online services over time, if those websites and online services also use the same service providers.
We currently use Google Analytics and MixPanel to collect and process certain website usage data. To learn more about Google Analytics and how to opt out, please visit google.com/policies/privacy/partners/. To learn more about MixPanel, please visit https://mixpanel.com/privacy/
We use the following “session cookies,” which last for as long as you keep your browser open. We have described the purpose of each, whether each is owned by Eko or a third party, the information each collects, and how to withdraw consent below:
Cookie Name, Who Controls It, and Duration: Authentication Tokens 30 hours for web application.
Purpose: To authenticate you when you sign into the service.
Information Collected: A generated token that allows the server to identify you.
How to Withdraw Consent: Do not use our Service if you do not want to receive this cookie.
Unlimited for mobile.
For Patients: Under HIPAA, your healthcare provider is generally required to provide or make available to you a Notice of Privacy Practices (“NPP”). The NPP is intended to explain to you the ways in which your healthcare provider may use and share your protected health information and inform you about your health privacy rights. For more information about how your healthcare provider uses and shares your information, ask your healthcare provider for a copy of their NPP. EKO IS NOT RESPONSIBLE FOR YOUR HEALTHCARE PROVIDER’S USE OR SHARING OF YOUR INFORMATION.
Eko processes Personal Information both as a Processor and as a Controller, as defined under the GDPR and other global privacy laws. With respect to the data that Eko processes on your behalf, you represent and warrant that you have have established an appropriate legal basis or bases to allow Eko to process such data.
Eko is a US-based company; we do not have locations in international jurisdictions, nor do we store any data outside of the US. If you are located outside of the US, all of your data will be transmitted to Eko in the US and stored on US-based servers in compliance with applicable regulations.
All data collected by Eko will be stored exclusively in secure hosting facilities. Eko has a data processing agreement in place with its provider. All hosting is performed in accordance with the highest security regulations.
Under the GDPR and other global privacy laws, Eko is typically a processor of data for patient data subjects and the medical professionals that purchase and use Eko devices are the controllers of the data. Based on the data that Eko collects and processes, Eko is acting pursuant to Article 6 of the GDPR when processing data of EU medical professionals that create an account with us and use our software dashboard; either you have provided consent to the processing of your Personal Information, such processing is necessary for the performance of a contract, and/or such processing is necessary for the purposes of Eko’s legitimate business interests which include providing these Services. Eko also has appropriate legal bases to process your information in other international jurisdictions.
Your Rights and Choices
We offer you certain choices in connection with the information we collect about you.
Subject to applicable law, you may have the right to request access to and be informed about the information we maintain about you, update and correct inaccuracies in your information, and have the information blocked or deleted, as appropriate. If you wish to request access or an update to the information that we have concerning you, please email us at firstname.lastname@example.org
Additionally, your health or medical information may be subject to special protections under some jurisdictions. We comply with all such applicable requirements.
Your rights to your information may be limited in some circumstances by local legal requirements. You also have the right to withdraw your consent to the collection of your information. Note however that if you exercise your right of blocking or deletion, if you decline to share certain information with us, or if you withdraw your consent, we may not be able to provide to you some of the features and functionalities of the Service.
EU DATA SUBJECT RIGHTS
If you are an EU data subject, the GDPR may apply to the Personal Information we collect from you. If so, you have the following rights under certain circumstances:
Where our processing of your Personal Information is based on consent, you have the right to withdraw that consent without detriment at any time by contacting us at email@example.com. You can also exercise the rights listed above at any time by contacting us at firstname.lastname@example.org.
We also process patients’ Personal Information, including health information, in accordance with Articles 6 and 9 of the GDPR. We process this information on behalf of their healthcare provider to assist them or their affiliates. We may also process health data to provide, develop, or improve our Services. Under Article 6, processing is necessary for the purposes of our legitimate interests, which include providing these Services to our customers and to the Controllers of the Personal Information and developing and improving our Services. Under Article 9, such processing is necessary in the interest of public health (including ensuring high standards of quality of health care, of our devices, and of our Services) and/or necessary for scientific research purposes.
Eko users may also contact us to:
– Stop the sharing of your information with a specific provider;
Update your email preferences or ask us to remove your information from our mailing lists; or
– Submit another type of request
Data Retention and Deletion
We store your Personal Information for as long as you maintain an account and up to five (5) years after the account is closed. At the end of this five-year period, we may remove your Personal Information from our databases and will request that our business partners remove your Personal Information from their databases. When we delete any information, it will be deleted from the active database, but may remain in our archives. However, once we disclose your Personal Information to third parties, we may not be able to access that Personal Information any longer and cannot force the deletion or modification of any such information by the parties to whom we have made those disclosures. Written requests for deletion of Personal Information other than as described should be directed to email@example.com. We retain anonymized data indefinitely.
We will continue to use de-identified and/or aggregated information, as permitted under applicable law and to comply with our legal obligations, agreements with physicians and healthcare providers, resolve disputes, enforce our rights, or similar purposes. You may delete the App or software to remove information stored on your device.
Data Sharing Confirmation
EU-U.S. Privacy Shield
Due to EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework, Eko is subject to the investigatory and enforcements powers of the Federal Trade Commission, under certain conditions, You may be permitted to invoke a binding arbitration for any issues, and Eko may be liable in cases of prohibited onward transfers to third parties.
Furthermore, in compliance with the Privacy Shield Principles, Eko commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Eko at firstname.lastname@example.org or You also may write to:
Eko Devices, Inc.
Attn: Privacy Officer
1212 Broadway, Suite 100
Oakland, CA 94612
Eko has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship.
How We Protect Personal Information
We maintain administrative, technical, and physical safeguards designed to protect the personal information you provide against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, while Eko uses reasonable efforts to protect your information, we cannot guarantee its absolute security.
How You Can Protect Your Personal Information
We will NEVER send you an e-mail requesting confidential information such as account numbers, usernames, passwords, or social security numbers, and you should NEVER respond to any e-mail requesting such information. If you receive such an e-mail purportedly from Eko, DO NOT RESPOND to the e-mail and DO NOT CLICK on any links and/or open any attachments in the e-mail, and notify Eko support at email@example.com
You are responsible for taking reasonable precautions to protect your user ID, password, and other account information from disclosure to third parties, and you are not permitted to circumvent the use of required encryption technologies. You should immediately notify Eko at firstname.lastname@example.org if you know of or suspect any unauthorized use or disclosure of your user ID, password, and/or other User Account information, or any other security concern.
Information Submission by Minors
We do not knowingly collect personal information from individuals under the age of 18 and the Services are not directed to individuals under the age of 13. We request that these individuals not provide personal information through the Services. If you are aware of a user under the age of 13 using the Services, please contact us at email@example.com.
How to Contact Us
Eko has a Data Protection Officer and Privacy Officer who is responsible for matters relating to privacy and data protection and who can be contacted at the information below.
Eko Devices, Inc.
Attn: Privacy Officer
1212 Broadway, Suite 100
Oakland, CA 94612
If you are are unable to reach Eko at the contact information provided above regarding your issue, you may have the right to contact your local Data Protection Authority, depending on your jurisdiction.