Koneksa Health
Koneksa Data Subject Privacy Policy

At Koneksa Health Inc. (“Koneksa”), protecting data subject privacy is part of our commitment to improving health.

THE KONEKSA PLATFORM

The Koneksa platform is used in conjunction with clinical trials and academic studies (studies) that are conducted by our clients (pharmaceutical, biotechnology, and medical device companies (sponsors); contract research institutions (CROs); academic institutions). We do this by integrating data from wearable devices, other health devices and apps (hereafter collectively known as devices), as well as questionnaires, used by data subjects who are enrolled within those studies.

Data is collected by these devices and questionnaires that are in use by you, as a data subject. The data from these devices and questionnaires is transferred to the Koneksa platform and then sent to our client, in support of the studies they are sponsoring. For purposes of this privacy policy, we refer to our clients (sponsors, CROs, academic institutions) as the Data Controller of the data and we are the Data Processor. The exact configuration and devices you may use depend upon the study in which you are being asked to participate. The study protocol, which is designed and prepared by the Data Controller, defines the study configuration we are tasked with implementing. The Informed Consent Form (ICF), which is also prepared by the Data Controller, and that you sign with the Data Controller, identifies the devices that are being used and the information being collected.

Your privacy is very important to us. By using our platform, you agree to the terms of this Koneksa External Privacy Policy. We may make changes to this policy from time to time, which we will post here. Such changes may be suggested by an Institutional Review Board (IRB) or Ethics Committee (EC) (i.e., the external groups formally designated to protect the rights, safety, and well-being of humans involved in a study) or legally advised due to the introduction of new regulations or updated guidance on the interpretation of existing regulations. Your continued use of the Koneksa platform is deemed to be acceptance of these changes. The Data Controller with which you have engaged is responsible for informing you as a data subject, as well as the appropriate IRB(s)/EC(s), of any substantive changes to this policy, which we will have communicated directly to the Data Controller.

DATA WE COLLECT

WEB BROWSERS

This section only applies to you if you have been provided with a login to use the Koneksa web application. Koneksa does not use third-party cookies to track website behavior or other personally identifiable information (PII). Koneksa does, however, issue its own temporary cookie to users of our web application. The sole purpose of this cookie is to establish and maintain an authorized connection between your web browser and our platform. We do not collect any information about you through the use of cookies.

KONEKSA USER ACCOUNT

Koneksa does not require you to provide any personal information about yourself to have an authorized user account that will give you access to the Koneksa platform. In some cases, based on the study protocol as designed by the Data Controller, you may receive questionnaires, in which case additional information may be required. Refer to the QUESTIONNAIRES section for details.

QUESTIONNAIRES

If the study in which you are participating requires you to complete questionnaires on our platform, based on the study protocol design and upon direction from the Data Controller, Koneksa can send you reminders via email and/or cell phone.

Email

Koneksa by default will assign a study-specific email address (not your personal email) that you use for the duration of your participation in the study (and which is deleted at the end of the study). Alternatively, depending on our contractual agreement with the client (the Data Controller), we would allow you to use a personal email address that you specify.

Cell Phone

Koneksa can also send questionnaire reminders as text/short message service (SMS) messages to your cell phone number. Koneksa will not collect your cell phone number, unless specifically instructed and agreed upon with the Data Controller.

Automated notifications issued to you are sent by our platform and not directly by persons engaged by Koneksa. Notifications are generically addressed and do not contain PII or other information relating to any health condition. We will not contact you directly for any purpose other than sending you notifications about your account or reminders to complete questionnaires. Any and all other communications will come from either the Data Controller or their representative, such as a study site coordinator.

When you complete a study or if you withdraw your consent to continue to participate in the study, any email or cell phone number stored by us is deleted and your account on the Koneksa platform closed.

DEVICES & DEVICE DATA

Depending upon the study protocol design, Koneksa may need to contract a third party to provide devices for use in a study. Use of a third-party device may require that either Koneksa or our client or their representative create an account on the third party’s platform.

In the majority of cases, these third-party accounts do not require information about you to be created or operated during the study. The device ID assigned by the third-party vendor platform for the device you use is associated with your account in our platform. Our platform is the only place in which the association between you, your account, and any devices you use is maintained.

In some instances a third party may require an email address to create an account. In this case we will assign a study-specific email for this account that does not identify you.

If you withdraw your consent to participate in a study or complete a study, the association between you and any devices you used as part of the study is removed and no further data about you is collected. Koneksa only processes data that is associated with consented data subjects.

If required by our contractual obligations with our clients, the ICF you sign will provide specific information about the devices you are being asked to use, the configuration of any required accounts, and how the data flows from the device to our platform.

DATA PRIVACY

Koneksa is contracted by its clients to collect and process data on our clients’ behalf. At the end of a study, we transfer data to our client (the Data Controller). As above, Koneksa and any third parties with which Koneksa contracts are identified as Data Processors.

Koneksa does not collect any PII (except as outlined in the QUESTIONNAIRES section). PII may be collected in accordance with the study protocol, which is defined by the Data Controller and to which you consented by signing the ICF.

Data collected by you (e.g., via devices you wear) or from you (e.g., by completing a questionnaire) is stored de-identified in a dedicated database. De-identified (anonymized) means that it is not possible to identify you as an individual. Any identifiers that are collected to support the study protocol are stored in a separate dedicated database. Koneksa has systems, policies, and procedures in place to ensure that our systems are secure and that your data is kept private.

DATA MODIFICATION

Koneksa does not change data submitted by you. We furthermore ensure that the data held within our platform is accurate and up-to-date. Koneksa will only change your data, if requested by you, upon receiving the proper authorizations from the Data Controller. All changes to data in our platform are fully tracked and recorded.

DATA REMOVAL

Koneksa does not delete data from our platform, unless specifically directed to do so by authorized client personnel (acting as the Data Controller). As a data subject, you may have the right to request that your data be removed, based on the considerations with which you agreed in the ICF you signed.

When you complete the study in which you are participating or if you withdraw your consent, any personal identifiers we may have collected from you are removed by our system. The study data you contributed under consent is retained de-identified.

DATA HOSTING

The Koneksa platform is hosted and supported from the USA on dedicated servers. Our hosting provider is contractually obligated to meet the additional requirements that apply to storing healthcare data and has appropriate industry standard certifications for maintaining the operational integrity and security of these dedicated servers.

DATA RETENTION

We retain de-identified data according to the governing regulations for the locations in which a study is conducted and according to the requirements of our clients. This can range from indefinitely to a fixed period of time according to requirement and governing law. Regardless, based on applicable national and international regulatory requirements, the Data Controller is responsible for the long-term retention of all data collected as part of any studies it conducts.

Koneksa maintains and retains your data for the duration of the Data Controller’s study. We may retain the data for a longer period of time, if required by the Data Controller and/or to comply with applicable regulatory requirements. Koneksa maintains and retains non-personal/de-identified data for the purposes described below in the section HOW KONEKSA USES DATA.

PRIVACY DISPUTES

Koneksa complies with all applicable national and international clinical and data privacy and security regulatory requirements. In particular, this includes a commitment to comply with the General Data Protection Regulation (GDPR) (beginning May 25, 2018) and EU-US Privacy Shield requirements.

With regard to the EU-US Privacy Shield in particular, Koneksa complies with the EU-US Privacy Shield framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union (EU) to the United States (US). Koneksa has certified to the US Department of Commerce that it adheres to the Privacy Shield principles. For purposes of enforcing compliance with the Privacy Shield, Koneksa is subject to the investigatory and enforcement authority of the US Federal Trade Commission. If there is any conflict between the terms in this privacy policy and the Privacy Shield principles, the Privacy Shield principles shall govern. To learn more about the Privacy Shield site, and to view our certification, visit https://www.privacyshield.gov/.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

You may have the option to select binding arbitration for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your complaint directly with Koneksa and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see the US Department of Commerce's Privacy Shield Framework: Annex I (Binding Arbitration).

HOW KONEKSA USES DATA

Koneksa uses the data being collected on the Koneksa platform to assess the effectiveness of device or app data integration into our platform; to evaluate the quality of the data; to analyze possible associations among the data aggregated from the devices and applications; and to evaluate the effectiveness of interventions that have been offered and used with you.

We only retain and use de-identified data for future analysis and research, to inform other study designs, or for demonstration or research publication purposes with clients.

De-identified means all PII has been removed and any and all connections between the data and your identity have been removed.

HOW KONEKSA SHARES DATA

Other third parties who support us in managing the Koneksa platform, as well as management of the study of which you are a part, may have access to the data. We require all third parties who have such access to the data to agree to protect it appropriately. We only share data for the purposes of the study and within the confines of our agreement with our client and the consent to which you agreed.

We do not share data for marketing or other related purposes.

Where required, we enter into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the EU-US Privacy Shield and the GDPR require, and limiting their use of the data to the specified services provided on our behalf. Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of personal data.

While we do not plan to use or share your data in other ways, we may be required by law, regulation, or a court or government authority to use or share your information. If this happens, we will so inform the Data Controller (our client) with whom you were engaged (for them to contact you), and we will comply with those requirements and will also seek to preserve your privacy as we comply.

HOW TO ASK A QUESTION OR RAISE A CONCERN ABOUT KONEKSA

You may email us at privacy[at]koneksahealth.com or send a written letter to:

Privacy Officer

Koneksa Health Inc.

222 Broadway

New York, NY 10038

USA

We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your personal data within 30 calendar days of receiving your complaint. We have agreed to resolve any unresolved complaints through an independent dispute resolution process.

EFFECTIVE DATE OF THIS POLICY

May 24, 2018