Updated August 6, 2019
1) The information we collect, why we need it, and how use it.
2) What choices you can make about how we use your information.
3) The measures we take to protect the security of the information and maintain regulatory compliance for HIPAA, GDPR, and other data regulations.
The personal information we collect and transmit may include healthcare information, including billing, insurance, and medical information. Therefore, our privacy practices are intended to comply with the health insurance portability and accountability act (“HIPAA”) and General Data Protection Regulation (“GDPR”). We will maintain the privacy of your health information as required by HIPAA and the regulations promulgated under that act.
For additional information related to your healthcare information or if you have any questions, please reach out to us at firstname.lastname@example.org.
Access to and use of the Services by a healthcare provider who is an Eko customer (a “Customer”) and such Customer’s authorized users is subject to and governed by the agreement between Eko and the applicable Customer executed by authorized representatives of each party (the “Customer Agreement”). Eko may collect, use and disclose information from a Customer and such Customer’s authorized users as set forth in the Customer Agreement. If you would like more information about the Services or becoming a Customer, please contact us at email@example.com.
The information we collect, why we need it, and how we use it.
We may collect the following types of personal information from users of our Services, and store it on your mobile device, and/or in a secure third-party cloud services provider database:
When you register to use the Service or create an Eko account, we may collect your name and all other information provided to us, such as your email address, password, date of birth or gender. We also collect any information uploaded or otherwise input by you while using the Service, including, but not limited to, information related to medications you are taking and other health-related information about you. You may add information to your profile such as Patient ID, and information about your activity level, medical conditions, and medications. We use this information to create your account and provide you with the Services.
If you are a healthcare provider, we may also collect your National Provider Identifier (NPI).
Physiologic and Usage Data
We collect certain information through your use of the Devices and/or your smartphone connected to the Services, such as but not limited to: heart sound data, lung sound data, ECG data, diagnosed condition, mobile device accelerometer data, average heart rate, the location on the body where the recording was taken, local time, time zone and geographic location of data acquisition. We may collect such information from patients or from providers. We use this information to provide and improve the Services.
Customer Support Inquiries
If you contact us directly, such as when you contact our Customer Support team, we will receive the contents of your message or any attachments you may send to us, as well as any additional information you choose to provide. We may also collect technical information about your device, including your IP address or device ID, which we will use to provide you with support and to improve our services. Contact us at firstname.lastname@example.org if you have any questions.
Payment Information (applicable to Providers ONLY).
We use third-party payment processors to process any payments you make to us. When you make payments through the Services, you may need to provide your shipping address and financial account information, such as your credit card number, to our third-party service providers. All of the information you provide in connection with making a payment to us is collected and stored by the third-party service provider, not by Eko. We do not collect or store financial information, though we may receive transaction identifiers and summary information that does not include credit card or bank account numbers.
Non-Identiﬁable Data Related to Operation of the Service:
When You interact with Eko through the Services, We receive and store certain personally non-identiﬁable information. Such information, which We collect passively using various technologies, cannot presently be used to speciﬁcally identify You. We may store such information ourselves or such information may be included in databases owned and maintained by Eko affiliates, agents or service providers. The Services may use such information and pool it with other information to track, for example, the total number of users of the Services, the number of visitors to each page of Our Site, and the domain names of Our visitors’ Internet service providers
Aggregated Personal Data
In an ongoing effort to better understand and serve our Customers, other users of the Services and communities of patients with chronic health conditions, Eko conducts research on its user demographics and behavior based on the Personal Information we collect from you and the other information provided to us. This research may be compiled and analyzed on an aggregate basis, and Eko may share this research and related information in aggregated, de-identiﬁed and/or anonymized format with its aﬃliates, agents and other healthcare research and services entities. This aggregate information does not identify you personally. Eko may also disclose aggregated, de-identiﬁed and/or anonymized information in order to describe our business and the Services to current and prospective business partners and Customers, and to other third parties for other lawful purposes.
If you are a patient, your healthcare provider(s) may also monitor User Content in order to monitor your progress and overall condition and to follow up with you, as they deem appropriate in their independent judgment as your healthcare providers.
You agree that such monitoring activities, if in compliance with applicable privacy laws, will not entitle you to any cause of action or other right with respect to the manner in which Eko or its affiliates or agents monitor your communications and enforces or fails to enforce the Terms of this agreement. In no event will Eko or any of its affiliates or agents be liable for any costs, damages, expenses, or any other liabilities incurred by you as a result of monitoring activities by Eko or its affiliates or agents.
Device and ISP Data
We use common information-gathering tools, such as log files, cookies and similar technologies to automatically collect information, which may contain Personal Information, from your computer or mobile device as you navigate our websites or interact with emails we have sent you. As is true of most websites, we gather certain information automatically via log files. This collected information may include your Internet Protocol (IP) address (or proxy server), device and application identification numbers, your location, your browser type, your Internet service provider and/or mobile carrier, the pages and files you viewed, your searches, your operating system and system configuration information, and date/time stamps associated with your usage. This information is used to analyze overall trends, to help us provide and improve our websites and to guarantee their security and continued proper functioning. We also collect IP addresses from users when they log into the services as part of the Company’s security features.
How We Use the Information We Collect
To Provide and Improve our Services.
We use your information to:
- provide, evaluate, and improve the Services, including to provide you with heart sound analysis, lung sound analysis, and ECG analysis services and reports based on the analysis of your health-related information, including your physiologic data, Health Data, and data from third-party devices and services;
- analyze our products and their usage to enhance and improve our existing Service; to develop new products and services; manage our communications; and
- perform accounting, auditing and other internal functions.
To Communicate with You
We may send you emails, text messages, and push notifications to your mobile device, if you have them enabled, to verify your account and for informational and operational purposes, such as account management, providing instructions, alerts, reminders, customer service, system maintenance, and other Service-related purposes. We may also permit users, such as your health care providers, to use the Services to send you emails, text messages, and push notifications.
Marketing and Data Analysis
To the extent permitted by applicable law, we may use your information to provide online advertising on the Services and to send you newsletters, offers, surveys, and other promotional information related to Eko products and services. Where required under applicable law, we will obtain appropriate consent to send you marketing communications. You may opt out of email marketing by using the unsubscribe link in a marketing email, or by contacting us at email@example.com.
How We Share the Information We Collect
We consider your information to be a vital part of our relationship with you. There are, however, certain circumstances in which we may share your Personal Information with certain third parties without further notice to you. Those circumstances are described below:
With Our Customers: If you are a Patient, we will share your Personal Information and Health Data with our Customer(s) that provide healthcare services to you. This will enable your healthcare provider to track your Health Data and combine such Health Data with other information about you that your provider obtains in treating you.
With Patient-Authorized Persons: If you are a Patient, you may have the option of identifying family and/ or friends in the Eko application to view certain of your information and receive alerts regarding your health and/or activities (“Permissions”). If you designate Permissions, we may make available certain of your Personal Information and Health Data, and related alerts, to the people you designate.
In the Event of a Business Transfer: We might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, Personal Information may be part of the transferred assets.
With Our Agents, Consultants and Related Third Parties: Eko, like many businesses, sometimes hires other companies to perform certain business-related functions. Examples of such functions include data hosting and billing management. When we employ another entity to perform a function of this nature, we only provide the entity with the information that it needs to perform its speciﬁc function.
To Meet Our Legal Requirements: We may disclose your Personal Information if required to do so by law or if we have a good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend our rights or property, (iii) act in urgent circumstances to protect the personal safety of you, us, other users of the Services or the public, or (iv) protect against legal liability.
NOTE: We may, from time to time, rent or sell aggregated data and/or other information that does not contain any personal identifiers (i.e., if the information has been anonymized by stripping out identifiers such as name, address, phone number, etc.). The purpose of this type of disclosure is to allow research institutions to learn more about symptoms associated with your medical condition(s).
Cookies and Analytics Technologies
The information collected in this manner includes IP address, browser characteristics, device IDs and characteristics, operating system version, language preferences, referring URLs, and information about the usage of our Service. We may link this data to your profile. You may be able to change browser settings to block and delete cookies when you access the Sites through a web browser. However, if you do that, the Sites may not work properly. Our ad networks and analytics service providers may also collect information about your use of other websites and online services over time, if those websites and online services also use the same service providers.
We currently use Google Analytics and MixPanel to collect and process certain website usage data. To learn more about Google Analytics and how to opt out, please visit google.com/policies/privacy/partners/. To learn more about MixPanel, please visit https://mixpanel.com/privacy/
We use the following “session cookies,” which last for as long as you keep your browser open. We have described the purpose of each, whether each is owned by Eko or a third party, the information each collects, and how to withdraw consent below:
Cookie Name, Who Controls It, and Duration: Authentication Tokens 30 hours for web application.
Purpose: To authenticate you when you sign into the service.
Information Collected: A generated token that allows the server to identify you.
How to Withdraw Consent: Do not use our Service if you do not want to receive this cookie.
Unlimited for mobile.
For Patients: Under HIPAA, your healthcare provider is generally required to provide or make available to you a Notice of Privacy Practices (“NPP”). The NPP is intended to explain to you ways in which your healthcare provider may use and share your protected health information and inform you about your health privacy rights. For more information about how your healthcare provider uses and shares your information, ask your healthcare provider for a copy of their NPP. EKO IS NOT RESPONSIBLE FOR YOUR HEALTHCARE PROVIDER’S USE OR SHARING OF YOUR INFORMATION.
Eko processes Personal Data both as a Processor and as a Controller, as defined in the Directive and the GDPR.
Eko is a US-based company; we do not have locations in the EU nor do we store any data in the EU. If you are an EU citizen located in the EU, all of your data will be transmitted to Eko in the US and stored on US-based servers in compliance with US regulations.
All data collected by Eko will be stored exclusively in secure hosting facilities. Eko has a data processing agreement in place with its provider. All hosting is performed in accordance with the highest security regulations.
Your Rights and Choices
We offer you certain choices in connection with the information we collect about you.
Subject to applicable law, you may have the right to request access to and be informed about the information we maintain about you, update and correct inaccuracies in your information, and have the information blocked or deleted, as appropriate. If you wish to request access or an update to the information that we have concerning you, please email us at firstname.lastname@example.org
Your rights to your information may be limited in some circumstances by local legal requirements. You also have the right to withdraw your consent to the collection of your information. Note however that if you exercise your right of blocking or deletion, if you decline to share certain information with us, or if you withdraw your consent, we may not be able to provide to you some of the features and functionalities of the Service.
EU DATA SUBJECT RIGHTS
If you are an EU data subject, you have the following rights under certain circumstances:
- to receive communications related to the processing of your personal data that are concise, transparent, intelligible and easily accessible;
- to be provided with a copy of your personal data held by us;
- to request the rectification or erasure of your personal data held by us without undue delay;
- to request that we restrict the processing of your personal data (while we verify or investigate your concerns with this information, for example);
- to object to the further processing of your personal data, including the right to object to marketing;
- to request that your personal data be moved to a third party;
- to receive your personal data in a structured, commonly used and machine-readable format;
- to lodge a complaint with a supervisory authority.
Where our processing of your Personal Information is based on consent, you have the right to withdraw that consent without detriment at any time by contacting us at email@example.com You can also exercise the rights listed above at any time by contacting us at firstname.lastname@example.org.
Eko users may also contact us to:
– Stop the sharing of your information with a specific provider;
Update your email preferences or ask us to remove your information from our mailing lists; or
– Submit another type of request
Data Retention and Deletion
We store your Personal Information for as long as you maintain an account and up to five (5) years after the account is closed. At the end of this five-year period, we may remove your Personal Information from our databases and will request that our business partners remove your Personal Information from their databases. When we delete any information, it will be deleted from the active database, but may remain in our archives. However, once we disclose your Personal Information to third parties, we may not be able to access that Personal Information any longer and cannot force the deletion or modification of any such information by the parties to whom we have made those disclosures. Written requests for deletion of Personal Information other than as described should be directed to email@example.com. We retain anonymized data indefinitely.
We will continue to use de-identified and/or aggregated information, as permitted under applicable law and to comply with our legal obligations, agreements with physicians and healthcare providers, resolve disputes, enforce our rights, or similar purposes. You may delete the App or software to remove information stored on your device.
Data Sharing Confirmation
How We Protect Personal Information
We maintain administrative, technical and physical safeguards designed to protect the personal information you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, while Eko uses reasonable efforts to protect your information, we cannot guarantee its absolute security.
How You Can Protect Your Personal Information
We will NEVER send you an e-mail requesting confidential information such as account numbers, usernames, passwords, or social security numbers, and you should NEVER respond to any e-mail requesting such information. If you receive such an e-mail purportedly from Eko, DO NOT RESPOND to the e-mail and DO NOT CLICK on any links and/or open any attachments in the e-mail, and notify Eko support at firstname.lastname@example.org
You are responsible for taking reasonable precautions to protect your user ID, password, and other account information from disclosure to third parties, and you are not permitted to circumvent the use of required encryption technologies. You should immediately notify Eko at email@example.com if you know of or suspect any unauthorized use or disclosure of your user ID, password, and/or other User Account information, or any other security concern.
Information Submission by Minors
We do not knowingly collect personal information from individuals under the age of 18 and the Services are not directed to individuals under the age of 13. We request that these individuals not provide personal information through the Services. If you are aware of a user under the age of 13 using the Services, please contact us at firstname.lastname@example.org.
In compliance with the Privacy Shield Principles, Eko commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Eko at:
Eko Devices, Inc.
Attn: Privacy Officer
2600 10th Street, Suite 260
Berkeley, CA 94710
Eko has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU and Switzerland, including human resources data in the context of the employment relationship.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
The Federal Trade Commission has jurisdiction with enforcement authority over Eko’s compliance with the Privacy Shield.
The Privacy Shield Principles describe Eko’s accountability for personal data that it subsequently transfers to a third-party agent. Under the Privacy Shield Principles, Eko shall remain liable if third party agents process the personal information in a manner inconsistent with the Privacy Shield Principles, unless Eko proves it is not responsible for the event giving rise to the damage.
Note that Eko may be required to release the personal data of EU and Swiss individuals pursuant to the Privacy Shield in response to legal requests from public authorities including to meet national security and law enforcement requirements.
How to Contact Us
Eko has a Data Protection Officer and Privacy Officer who is responsible for matters relating to privacy and data protection and who can be contacted at the information below.
Eko Devices, Inc.
Attn: Privacy Officer
2600 10th Street, Suite 260
Berkeley, CA 94710
If you are an EEA customer and are unable to reach Eko at the contact information provided above regarding your issue, you have the right to contact your local Data Protection Authority.
POL001 Rev A.0