Privacy Policy
Effective Date: June 12, 2023
When you access services provided by Kismet Health, Inc.. (collectively, “Kismet”), you trust us with your personal information. We highly value that trust. Our commitment to you is our ongoing transparency about the personal information we collect and our efforts to help you to understand our privacy practices. This notice describes the personal information we collect, how we use it, and the choices you can make regarding these data.
We are committed to protecting your privacy. This Privacy Policy (“Policy”) describes how we collect, use, disclose and protect your Personal Information (defined below). It applies to all Personal Information processed by us on any of the services provided by Kismet Health providers, as well as written, electronic, and oral communications.
This Policy does not describe how we collect or use your Protected Health Information (as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which is covered by our Notice of HIPAA Privacy Practices (” NPP”). For clarity, the NPP, not this Privacy Policy, explains our privacy practices with respect to your Protected Health Information (“PHI”).
Unless we define a term in this Policy, all capitalized terms used in this Policy have the meaning provided in the Clinical Services and Practice Policies Agreement, which you can view via your account profile. Please make sure that you have carefully read and understand the Terms of Service Agreement before you use our Services. By using our Services, you accept the Terms of Service Agreements and accept our privacy practices described in this Policy. If you do not feel comfortable with any part of this Policy or our Membership Terms, you must not use or access our Services.
We may modify this Policy from time to time. The date of change will be shown next to “Effective Date” at the top of this page. We encourage you to read this Policy periodically to ensure you have up-to-date knowledge of our privacy practices. Whenever material changes to this Policy are made, we will provide you with notice before the modifications are effective by sending a message to the email address associated with your account, or by posting a notice to your user account. By continuing to access or use the Services after changes to this Policy become effective, you agree to be bound by the revised Policy. If any changes are unacceptable to you, you should stop using Kismet health services.
Personal Information We Collect
We collect Personal Information when you use our Services, create an account with us, or submit Personal Information to us. Personal Information is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular individual, including, but not limited to, a first and last name, email address, a home, postal or other physical address, and phone number. The types of Personal Information that we may collect about you are:
a. Information You Provide to Us
We collect information you give us when you answer screening/survey questions at the beginning of your use of the Kismet mobile application or Kismet websites, register with us for an account, when you use our Services, when you participate in surveys or promotional activities, or when you otherwise choose to submit or otherwise provide any information to us, regardless of account status.
When you sign up for an account we may also collect your name, address, phone number, title, birth date, gender, credit card information, together with other demographic and health-related information. We may also ask you about income or other financial information to determine if you qualify for a reduction in fees where applicable. When you use our Services, such as logging into your account, speaking with a Kismet representative or contractor or affiliated clinician, we may collect your name, address, birth date, credit card information, etc., to verify your identity and provide Services to you. From time-to-time, we may also ask you to volunteer to participate in surveys, promotional activities, or usability studies. When a user participates, we request certain Personal Information such as name and email address. Depending on the nature of the survey or contest, we use this information to follow-up with the participants, improve our services, or, if applicable, to notify contest winners and award prizes.
b. Communications from You When you use our Services (for example on our applications, website, or through the use of partner applications and tools), complete electronic forms, or contact us, by online chat, email, phone or text, we may collect and store certain information about you and the activity you engaged in, for example: your name and contact information; information that you voluntarily provide to us; the nature of your communication; the purpose of the interaction, and the action we took in response to your inquiry or request.
c. Information Related to Your Use of the Services We may automatically collect information about your use of the Services (we refer to this information as “Usage Data”), including information sent by Your Mobile Devices or computer. For example, we may collect: Device information, such as your hardware model, IP address (the Internet address of your computer), unique device identifiers, and other information such as your browser type and operating system. Website usage information regarding customer traffic patterns and website usage. This may include the web page that you were visiting before accessing our website or mobile application, the pages or features of our website or mobile application you browsed to inform us which part of our website, app and Services you visit and how much time you spend there. information about your preferences to make your use of the website more productive through the use of cookies.
d. Information Sent by Your Mobile Devices We may collect certain information that your mobile devices send when you use our Services, such as a unique identifier, user settings and the operating system of your device, as well as information about your use of our services on your mobile device.
e. Location Information When you use our online Services, we may collect and store information about your general location by converting your IP address into a rough geo-location. We may also access your mobile device’s GPS coordinates or course location but only if you have previously agreed that we can collect this information by allowing the sharing of your location information. If you do not want us to have your location information, you agree to disable the location sharing feature on your device or browser.
f. Information from Our Clients and Partners We may receive your Personal Information from our business clients, business associates, vendors, and partners in connection with one or more business purposes, including making our Services available to you.
Cookies and Other Tracking Technologies
a. Cookies A “cookie” is a small data file that certain websites write to your computer or smart device when you visit them. A cookie can’t read data off your hard disk or read cookie files created by other websites. We use session cookies that are deleted when you leave our website and close your browser, and persistent cookies that can remain even after you leave. A cookie file can contain information such as a user ID that the website uses to track the pages you’ve visited. The cookies that are configured by our website do not contain directly identifying information, such as your name or sensitive information, such as your credit card number.
Types of Cookies on Our Services. We use the following types of cookies on our Services:
Strictly Necessary Cookies – These cookies are essential because they enable you to use our Services. For example, strictly necessary cookies allow you to access secure areas on our Services. Without these cookies, Services cannot be provided. These cookies do not gather information about you for marketing purposes. This category of cookies is essential for our Services to work and they cannot be disabled.
Functional Cookies – We use functional cookies to remember your choices so we can tailor our Services to provide you with enhanced features and personalized content. For example, these cookies can be used to remember your name and location or some elements of your login credentials. We do not use functional cookies to target you with online marketing. While some of these cookies can be disabled, this may result in less functionality during your use of our Services.
Performance or Analytics Cookies – These cookies collect passive information about how you use our Services, including webpages you visit and links you click. We use the information collected by such cookies to improve and optimize our Services. Third-Party Cookies – These are cookies that are provided by third-party service providers and belong in one of the cookie categories described above. These third-party providers process your Personal Information on our behalf pursuant to our instructions and obligations consistent with this Policy and our relevant business associate agreements.
How to Manage Cookies. Depending on whether you would like to manage a first-party or third-party cookie, you will need to take the following steps:
First-Party Cookies – If you prefer not to receive cookies while browsing our website, you can set your browser to warn you before accepting cookies and refuse the cookie when your browser alerts you to its presence. You can also refuse all cookies by changing the settings in your browser. You do not need to have cookies turned on to use and navigate through many parts of our website, although if you block or disable the cookie functions, you may not be able to access all portions or features of the website and the Services. Please follow instructions provided by your browser (usually located within the “Help”, “Tools” or “Edit” settings) to disable first-party cookies. You can find more information about how to change your browser cookie settings here.
Third-Party Cookies – Some third-party services providers that we engage (including third-party advertisers) may also place their own cookies on your device. Note that this Policy covers only our use of cookies and does not include use of cookies by such third parties. Modern browsers also allow you to block third-party cookies, please see section above to learn how to do that.
b. Web Beacons Web Beacons, also known as web bugs, pixel tags or clear GIFs, are tiny graphics with a unique identifier that may be included on our website to deliver or communicate with cookies, in order to track and measure the performance of our website and Services, monitor how many web visitors we have, and to monitor the effectiveness of our advertising. Unlike cookies, which are stored on the user’s device, Web Beacons are typically embedded invisibly on web pages (or in an e-mail).
c. Analytics Technologies Users of our Services who have JavaScript enabled are tracked using analytics technologies, including Google Analytics and other analytics and/or crash reporting providers. The Analytics feature collects the following types of information from the user: type of user agent (web browser) used, software manufacturer and version number; type of operating system; network location and IP address; country, city, state, region, county, or any other geographic data; hostname; bandwidth (internet connection speed); time of visit; pages visited; time spent on each page of the website; referring site statistics; the website (URL) the user came through in order to arrive at our website; search engine query used (example: typing in a phrase into a search engine, and clicking on a link from that search engine). The data collected by the analytics technology is primarily used to optimize the Service experience for our users. We also use this data for our own business purposes, for example, to analyze how many users we have, where visitors come from, and understand how they interact with us.
d. Interest-Based Advertising We may use information collected about a user’s use of our Services to arrange for advertisements about our Services to be served to the user on third party’s websites. To do so, our advertising service providers place or recognize a unique cookie on the user’s browser and use other techniques, such as pixel tags. Users may, under some circumstances, opt-out of receiving interest-based advertising. The opt-out may be provided through specific opt-out cookies. Please visit the following: YourAdChoices.com and the Networkadvertising.org to learn more.
e. Mobile Applications Depending on your permissions, we may receive your Personal Information from your internet service and mobile device providers. Users of mobile devices who do not want to receive interest-based advertising may opt-out in several ways. Learn more about your choices for mobile devices by visiting Your Ad Choices (see above). To end all targeting on a mobile device immediately, turn on “Limit Ad Tracking” in the device settings.
f. Social Media Depending on your permissions, we may receive your Personal Information from your social media accounts. You can edit or remove Personal Information usage permissions by using privacy settings on your social media account. g. Advertising We do not target any advertisements toward individual consumers or health plan members of our platform without your prior written consent. Nothing you do on the Kismet app or web platform will be used by us to target any advertisements towards you as an individual consumer anywhere else on the internet. We may engage third party service providers who utilize tracking technologies on our corporate website (https://www.kismethealth.com/) to serve advertisements that may be of interest to potential buyers of our Services. If we do so, those third party service providers we engage are business associates of Kismet who are contractually obligated to protect your information. Some of these advertisements may be personalized, meaning that the advertisements are intended to be relevant to potential buyers based on what we, or the third party service providers, know about them, such as employment at or agency for a company that might be interested in offering Kismet as a benefit to its employees or health plan members. Your Settings and PreferencesYou can reduce the information cookies and other technologies collected from your device by changing your browser settings to notify you when a cookie is being set or updated, or to block cookies altogether. Some browsers also allow you to control local stored objects through your browser settings. More information about how to do this may be found at www.allaboutcookies.org/manage-cookies or in the “Help” section of your browser. If you choose to block cookies, your use of the Service may be impacted. If you would like more information about this and to know your choices about not having this information used by these companies, please visit: the Digital Advertising Alliance’s website, https://www.aboutads.info/, or the Network Advertising Initiative’s website, http://networkadvertising.org/consumer/opt_out.asp.
How We Use Your Personal Information
We will only use your Personal Information as described in this Policy, our Terms of Services, or otherwise through the informed consent / clinical services documents you agree to as a requirement for receiving services from us, paid or otherwise.
a. To Provide Our Services to You We will use your Personal Information to provide information or perform Services that you request. We may use general location information to improve and personalize our Services to you, such as providing location-relevant information and Services to you. If the applicable information is to be provided or Service is to be performed by a third party, then we will disclose the applicable information to the third party providing the information or performing the applicable Services. Your information may be available or provided to third-party service providers who are contractually obligated to protect your information as disclosed in this Policy and/or our Business Associate Agreements or other documentation you agree to. In the preceding twelve (12) months, we have not sold any Personal Information to any third party.
b. For the Operations and Administration of Our Business We will use your Personal Information for the purposes of furthering our business, including creating, operating, delivering, maintaining, and improving our content, products, and Services. We may monitor how our users use our Services including without limitation time spent using our Services, pages visited and content viewed. Aggregated forms of this data may also be used for research and development purposes in order to offer new features, functionalities, products and services.
c. For Business Analytics Purposes We analyze, and may engage third parties to analyze, your Personal Information and Usage Data to determine the usefulness of our website, mobile app, and other elements of the Services. Any third parties who analyze your Personal Information and Usage Data on our behalf are contractually obligated to protect your information as disclosed in this Policy. Analytics help us determine how effective our navigational structure is in helping users reach the information they seek, completing the task they wish to complete, etc., and to tailor features and functionalities to our users’ needs and preferences.
d. For Our Own Marketing Purposes Marketing lets us grow our user base and update you about new products and services. We process your contact information or information about your interactions on our Services to: send you marketing communications and keep you updated about our products and services; provide you with informational content; and deliver targeted marketing to you. We may periodically send you free newsletters and e-mails that promote our Services, and that we believe may be of interest to you. When you receive such promotional communications from us, you may have the opportunity to “opt-out” (either through your account or by following the unsubscribe instructions provided in the e-mail you receive). We do need to send you certain administrative and transactional communications regarding the Services and you will not be able to opt out of those communications – e.g., communications regarding updates to our Terms of Services, this Policy, your treatment services, or information about billing and renewals, among others.
e. To Provide Customer Support or Respond to You We collect information that you provide to us when you contact us, such as with questions, concerns, feedback, disputes or issues, so we can address your needs and support your use and enjoyment of the Services.
f. For Account and Network Security Purposes We care about keeping you secure and safe while using our Services. Keeping you safe requires us to process your Personal Information, such as your device information, log-in information, activity information and other relevant information to proactively manage privacy and security risks. We use such information to combat spam, malware, malicious activities or security risks; improve and enforce our security measures; and to monitor and verify your identity so that unauthorized users do not gain access to your information.
g. To Maintain Legal and Regulatory Compliance Our Services are subject to certain laws and regulations which may require us to process your Personal Information. For example, we process your Personal Information to comply with privacy laws, comply with employment laws, or as necessary to manage risk as required under applicable law or as may be necessary to provide clinical services or keep you or others safe.
h. To Enforce Compliance with Our Terms and Agreements or Policies When you access or use our Services, you are bound to this Policy and our informed consent / clinical services agreements. To ensure you comply with them, we process your Personal Information to actively monitor, investigate, prevent and mitigate any alleged or actual prohibited, illicit or illegal activities on our Services. We also process your Personal Information to investigate, prevent or mitigate violations of our terms, agreements or policies.
Information Sharing and Disclosure
Your Personal Information is not shared with third parties without your permission, except as described below.
a. Information Shared with Our Employees, Services Providers We may engage employees and third-party services providers to work with us to administer and provide the Services or to promote our Services. These employees and third-party services providers have access to your Personal Information only for the purpose of performing services on our behalf and are expressly obligated not to disclose or use your Personal Information for any other purpose.
b. Information Shared with Our Business Clients Subject to the Notice of Privacy Practices, we may share your Personal Information with our business clients for Services provision and business operations purposes. We are a service provider to our business clients who purchase our Services for their employees and dependents. We may share your Personal Information with our business clients for the purposes of performing services for these clients in accordance with our contractual obligations, including to make our Services available to you and your dependents.
c. Information Disclosed in Connection with Business Transactions If we are acquired by a third party as a result of a transaction such as a merger, acquisition or asset sale, or if our assets are acquired by a third party in the event we go out of business or enter bankruptcy, some or all of our assets, including your Personal Information, may be disclosed or transferred to a third-party acquirer in connection with the transaction. Other than to the extent ordered by a bankruptcy or other court, the use and disclosure of all transferred user information will be subject to this Policy. Any information you submit or that is collected after a transfer, however, will be subject to a new privacy policy adopted by the successor entity.
d. Information Disclosed for Our Protection and the Protection of Others We cooperate with government and law enforcement officials to enforce and comply with the law. We may disclose information about you to government or law enforcement officials as we, in our sole discretion, believe necessary or appropriate: (i) to enforce our Membership Terms, (ii) to respond to claims and legal process (including subpoenas); (iii) to protect the property, rights and safety of a third party, our users, or the public in general; (iv) to protect our property, rights and safety; (v) to stop any activity that we consider fraudulent, illegal, unethical or legally actionable; and (vi) as required by applicable local, state or federal laws.e. Information disclosed as allowable under HIPAA and subject to the Business Associate Agreements we have signed.
Data Security and Retention
We protect the security of the information you provide to us with reasonable and appropriate physical, electronic, and administrative safeguards. For certain features of our Services we use industry-standard SSL-encryption to enhance the security of data transmissions. Your account information is password-protected for your privacy and security. While we strive to protect your information, we cannot guarantee the security of the Internet, and cannot ensure the security of the information that is transmitted through the Internet.
Please recognize that protecting your Personal Information is also your responsibility. We urge you to take every precaution to protect your information when you are on the Internet, or when you communicate with us and with others through the Internet. Change your passwords often, use a combination of letters and numbers, and make sure you use a secure browser. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account might have been compromised), or if you suspect someone else is using your account, please let us know immediately by contacting us as indicated in the “Contact Us” section. If your credit information, username, or password is lost, stolen, or used without permission, please promptly notify us and we will assist you in updating your account details. We will retain Personal Information for the period necessary to fulfill the purposes outlined in this Privacy policy unless a longer retention period is required or permitted by law. Any clinical records will be securely maintained for the greater of: (i) the minimum number of years such records are required to be maintained under state and federal law or (ii) 7 years.
Some portions of the Services (for example our presence on social media) allow users to submit comments, reviews, ratings and other information that may be displayed on the Services and viewed by others. We recommend that you do not post on or through the Services any information that you do not want to make available to other users or the public generally. You assume all responsibility for any loss of privacy or other harm resulting from information you post publicly.
a. Responding to Do Not Track Signals We currently may not respond to web browser “do not track” signals or other mechanisms that may allow you to opt out of the collection of information across networks of websites and online services as there is no standard for how online services should respond to such signals. As standards develop, we may develop policies for responding to do-not-track signals that we will describe in this Policy.
b. Children and Privacy We are committed to protecting the privacy of children in connection with the use of our Services. This Section explains our online information collection, disclosure, and parental consent practices with respect to information collection from children under the age of 13 (“child” or “children”) in accordance with the U.S. Children’s Online Privacy Protection Act (“COPPA”). For more information about COPPA and general tips about protecting children’s online privacy, please go to https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule. Our Services include online services that may be used to facilitate health care for a child. A parent or guardian can create a Kismet account on behalf of a dependent child and attest that they have legal authority to do so. Children under the age of 18 are not eligible at this time to register directly for an account. If your child directly uses your Kismet account, either with or without your permission, we may collect information directly from the child. If you prefer for your child to not directly interact with Kismet online, please do not provide account credentials to your child. Please note certain state patient privacy laws may permit a child to directly obtain certain types of health care services independent of their parent or guardian. For registration, children cannot directly register for our Services. During the user registration process, the parent or guardian can create a children’s account by providing certain information about the child, including name, birth date, address, and login credentials.
Consent: During account registration for a child, parents or guardians are asked to review and consent to our COPPA Parental Consent form. If a parent or guardian chooses not to consent to the collection and use of their child’s information, they may not create an online account for the child. At any time, a parent and guardian may revoke their consent. Once consent is revoked, a child may not use any Services online, unless a new consent is signed.
The above sections of this Policy contains details about the information we collect, which extend to information we collect about children. The information we collect will be used for the purposes described above.
No personal information about a child will be made available to the public or sold. We may share information with our service providers if necessary for them to perform business, professional, or technology services for us, always in accordance with all applicable laws including HIPAA.
In addition to your right to revoke your consent for the collection of your child’s personal information, you may request to review the personal information we have collected from your child. Please submit your request or any questions to us at privacy@kismethealth.com.
c. Links to Third Party Sites We may contain links to other sites that are owned or operated by third parties. We are not responsible for the content, privacy or security practices of any third parties. To protect your information, we encourage you to learn about the privacy policies of those third parties.
d. Our Social Media Usage We have accounts on social media platforms through which we may post information or conduct promotional activities. If you use social media to follow us or interact with us, we may collect Personal Information you choose to share with us. Please understand your use of the social media services may result in the collection or sharing of information about you by those social media services. We have no control over, and decline all responsibility for, the use of your personal data by these third parties. Your use of social media, including your interactions with us on social media, are at your discretion. We encourage you to review the privacy policies and settings on the social media services with which you interact to make sure you understand how your information may be collected, used, and shared by those social media services.
e. International Transfer Your information may be stored on controlled servers with limited access and may be stored and processed in the United States or another country where our service providers or backup service providers are located. We offer our Services only to individuals located in the United States, and we do not advertise our Services outside the United States. If you are located outside the United States and choose to provide your Personal Information to us, please note that we may transfer your Personal Information to the United States or another country where our service providers are located, and such countries may not provide the same data protection. Those who choose to access and use the Services from outside the United States do so on their own initiative, at their own risk, with this understanding.Information for California Residents The California Consumer Privacy Act (“CCPA”) grants California residents some additional privacy rights. Importantly, the CCPA does not include “protected health information” that is governed by HIPAA. Our Notice of Privacy Practices will govern HIPAA protected health information. This section, in contrast, will cover information on California residents who visit the Kismet websites and applications but are not identifiable as patients, and information on California residents that Kismet otherwise creates or receives but that is not subject to HIPAA. This section applies to both information that Kismet collects through our websites/applications and information it creates or receives offline, including hard copy information.If you are in California, this is information about what we collect, how we use it, and how it may be shared.The following lists the categories of information we collect about California residents, describes how we use the information, and lists the categories of third-parties with whom information has been shared with during the previous twelve months.
b. Accessing, deleting, and opting-out of the sale of your information
The following are the rights provided to California residents under the CCPA.
i. The right to access information
Kismet, upon receipt of a verifiable request, will provide the requestor the pieces of information that it holds about the individual. If Kismet cannot verify the individual, Kismet will provide the requestor a list of categories of the pieces of information Kismet has collected about the individual.
ii. The right to delete information
Kismet, upon receipt of a verifiable request, will delete the information it holds about the individual unless an exception under the CCPA applies or the information is otherwise subject to HIPAA, in which case HIPAA will preempt CCPA.
iii. The right to opt out of the sale of information
An individual may request that Kismet not sell information about the user.
NOTE: Under CCPA, the definition of “sale” is very broad. Kismet does not sell personal information for financial gain. However, by using third party services, some information sharing might be considered a “sale” under the CCPA. The definition of “sale” under CCPA includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration.”
iv. The right to non-discrimination for the exercise of a consumer’s privacy rights. You will not receive discriminatory treatment by Kismet on the basis of you exercising your privacy rights conferred by the CCPA.
To exercise these CCPA rights, you may visit us at privacy@kismethealth.com. For requests of access and deletion, Kismet will use the information you provide in your request to verify your identity and to identify the presence of the requestor in our systems. Information required for a request to access or delete personal information includes: Name, date of birth, email address, phone number, and address. You may elect to designate an authorized agent to make this request. For more information on authorized agents under the CCPA, please visit the California Attorney General’s website.
We will honor any legal right you may have to access such information, but fees, if permitted by law, may apply.
Revisions
As state and federal laws change, and as we add new features to our Sites, Kismet may periodically revise this Policy. We will post changes to this policy on our website or applications. Your continued use of our Sites and mobile applications following the posting of changes will mean you accept those changes.
Questions:
For questions about our privacy practices, please contact us at: privacy@kismethealth.com.