Privacy Policy Carestation
Introduction
This Privacy Policy (this “Notice”) applies to the software and information services we offer through our website located at https://carestation.kestramedical.com, websites services, and communications sent as part of, in connection with, or relating to such software and information services (our “Services). We are committed to protecting the privacy of patients, customers, and partners.
By using the Services, you are consenting to our collection, use, disclosure, and transfer of your information as described in this Notice. This Privacy Policy is not a contract and does not create any contractual rights or obligations.
About Kestra Medical Technologies, Inc.
At Kestra Medical Technologies, Inc. (“Kestra”), it is our mission to provide innovative, intuitive medical technologies to protect and support at-risk patients. At the heart of Kestra is an uncompromising commitment to the highest quality our customers expect, and patients trust.
Throughout this Notice, “Kestra” refers to Kestra Medical Technologies, Inc., including its affiliated companies and subsidiaries (also referred to as “we,” “us” and “our”). You can find information on how to contact us in the section titled “Contact Information” below. You can also find additional contact and location information on our website at: https://kestramedical.com/contact/.
This notice applies to both Protected Health Information (PHI) and Personally Identifiable Information (PII) because the information collected by the app can be classified into these 2 categories. Protected Health Information is managed according to requirements outlined under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (“HIPAA”). Accordingly, our use of such information is governed by HIPAA. Please submit all requests and questions related to your PII, or your patients PHI to Privacy@kestramedical.com. All PII and PHI is considered sensitive data and as such is protected with reasonable administrative and technical controls.
Please see State specific section below regarding specific privacy laws that may apply.
Information We Collect and How We Collect It
When you use our Services, Kestra may collect information about you, including:
- Personal information, which means information that identifies an individual or relates to an identifiable individual or household. Personal information may include your name andcontact information, such as your name, email address, and phone number. We collect this information directly from you, for example, when you submit information through our Services, complete one of our webforms or applications, or communicate with a Kestra agent.
Usage Data, which is information that we automatically collect about your Internet or other electronic network activity, including your use of the Services and the sort that Web browsers and servers typically make available, through Web server logs, Web beacons, cookies and other similar tracking technologies, about the devices you use to access our Services, as well as information on how you interact with our Services. Usage Data may include the IP address of a device or internet service used to connect your device to the Internet and may provide information about your location; computer and connection information such as your browser type and version; operating system and platform; and the URLs which lead you to and around the Services including the date and time of access. Usage Data generally does not directly identify an individual but may constitute Personal information in some instances. We use this information to ensure you have a good experience and can identify issues to serve you better.
- Protected Health Information of patients, which includes all the various kinds of data (events, trends, episodes, patient entered health symptoms, etc.) recorded by the Wearable Cardiac Device (WCD), and patient information from the face sheet is transferred to Kestra.
- Any other information you choose to provide, such as during telephone interviews with our agents.
Surveys, Feedback, and Informational Programs
You may be contacted for surveys, feedback, or information programs to help improve your experience or certain features of our Services. You may choose to provide us with additional information while participating. Participation in surveys and like requests is voluntary.
Cookies
We collect information about you and your devices through cookies and web beacons. A "cookie" is a small data file sent from a website and stored in your browser to identify your Device in the future and allow for an enhanced personalized user experience based on your previous activity on the website. A "session cookie" disappears after you close your web browser or may expire after a fixed period. A "persistent cookie" remains after you close your web browser and may be accessed every time you use our Services. We only use strictly necessary session and 24-hour cookies as part of the Service. You should consult your web browser to modify your cookie settings to your desired settings.
Ways We Collect Your Information
When you access or use the Services, Kestra may collect personal information in the following ways:
- Information You Provide to Kestra: Kestra collects personal information when you use and interact with the Services, such as when you complete and submit forms to us on our Services, or when you communicate with Kestra about our Services whether by letter, e-mail, online chat window, or telephone.
- Information that Kestra Collects Automatically: When you use the Services, Kestra may automatically collect Usage Data subject to the settings of your device that you use to access the Services. Kestra may use this data to analyze trends and statistics to improve your online experience or our customer service.
- Information from Other Sources: We may receive or proactively gather information about you from other sources and add it to information we otherwise have about you for any purpose described in this Notice. This may include situations where a third party seeks to communicate with you through the Services or establish an "Integration".
How We Use Your Information
- We use personal information about you, including personal information, for the following purposes, or as otherwise described in this Notice:
- To develop, operate, improve, deliver, maintain, and protect our Services including new functionality and features;
- Preparing and delivering announcements about features, functionality, terms of use, or other aspects of our Services;
- Analyzing usage trends and patterns or the features or functionality of the Services, including emails that may be sent by us to you;
- Preparing reports for any of the purposes described in this Notice, including for current or future sponsors, providers, or other partners to show utilization or trends about the use of our products and Services;
- Safeguarding, protecting, and securing our Services, the information we collect, and our rights, our users or third parties, and to comply with legal requirements, including applicable laws, rules, regulations, contractual obligations, Terms of Use and our policies;
- Verify your identity and detect and prevent fraud or other unauthorized or illegal activity;
- Any other purpose described in this Notice; or
- When we otherwise have your permission.
How We Share Your Information
- We may share information about you, including personal information, as follows, or as otherwise described in this Notice:
- With vendors, consultants and other service providers who need access to such information to carry out work or perform services on our behalf;
- In response to requests from local, state, provincial or federal law enforcement officials, any judicial, administrative or similar proceeding or order, such as a subpoena if we believe disclosure is in accordance with, or required by any applicable law;
- If we believe your actions are inconsistent with our user agreements or policies, or to protect the rights, property and safety of Kestra and others;
- To investigate suspected fraud, harassment, physical threats, or other violations of any law, rule or regulation, the Services’ rules or policies, or the rights of third parties or to investigate any suspected conduct which we deem improper;
- In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of our business by another company;
- Between and among Kestra and our current and future parents, affiliates, subsidiaries, and other companies under common control and ownership;
- With your consent or at your direction; and
- As otherwise permitted or required by law.
Children’s Information
Kestra Services are not directed to minors. We do not knowingly collect or solicit personal information from children under 18. If you are a child under 18, please do not attempt to register for or otherwise use the Services or send us any personal information. If we learn we have collected personal information from a child under 18, we will delete that information as quickly as possible. If you believe that a child under 18 may have provided us personal information, please contact us immediately.
How We Protect Your Information
The privacy and security of your personal information is important to us. We employ a variety of reasonable safeguards to protect the confidentiality, integrity, and availability of this information. Although Kestra attempts to protect the personal information in our possession, no security system is perfect, and Kestra cannot promise that your personal information will remain absolutely secure in all circumstances.
Third-party Websites and Integrations
Our Services may provide, or third parties may provide, links to other websites or resources. This Notice applies only to our Services. It does not apply to products and services offered by third parties, including websites and other online services to which our websites may display links. When you click on such links, you may be redirected to websites or interactive services operated by third parties, who have their own information practices. We do not have control over how any third party collects or uses information, so we recommend that you review their privacy policies to learn of their practices.
How Long We Retain Your Information
We keep your personal information and the PHI of your patients for no longer than necessary for the business need for which the information is processed. The length of time for which we retain information depends on the purposes for which we collect and use it and/or as required to comply with applicable laws and to establish, exercise, or defend our legal rights. We may be required under applicable laws or regulations to retain information about you or your patients for extended periods of time or indefinitely. We may also have independent obligations under applicable laws or regulations to retain some information indefinitely.
United States Only
The Services are intended for use only in the United States of America. If you use the Services or contact us from outside of the United States of America, please be advised that (i) any information you provide to us or that we automatically collect will be transferred to the United States of America; and (ii) by using the Services or submitting information, you explicitly authorize its transfer to and subsequent processing in the United States of America in accordance with this Notice.
State Specific Law Privacy Rights
California Privacy Disclosures
Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites and web applications and services that you do not wish such operators to track certain of your online activities over time and across different websites. Our Services do currently support Do Not Track requests. To find out more about “Do Not Track,” you can visit www.allaboutdnt.com.
Categories of Information We Collect, Use, and Disclose for Business Purposes
As described in the “Information We Collect and How We Collect It” section, we collect the following categories of personal information listed below regarding California residents:
| Categories of Collected CPRA Personal Information | Examples |
|---|---|
| Identifiers | A real name, unique personal identifiers, Internet Protocol address, e-mail address, telephone number, and other similar identifiers |
| Commercial Information | Records of the Services or devices you use, obtained, or considered. |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | A name telephone number, medical information of patients. Note that some personal information included in this category may overlap with other categories. |
| Internet or other similar network activity | Browsing history, search history, information on a consumer’s interaction with the website, application, page views, domain name, and hosting space. |
| Geolocation information | IP Address, MAC address |
| Other | Information you provide us regarding products and services; other information as described in this Notice. |
Categories of Sources from Which the Personal Information is Collected
- Directly from you;
- Indirectly from you, which includes information collected in course of delivering servicesand information collected automatically through use of our Services;
- Other third parties that interact with us in connection with our Services;
- Health care providers;
Business or Commercial Purposes for Collecting Personal Information
Kestra uses the personal information we collect about California residents for the purposes set forth in the Section titled “How We Use Your Information.”
Your Privacy Rights
If you or your patients reside in certain states, such as California and other US states with privacy laws, you and your patients may have legal rights with respect to your personal information. Such as the right to: (i) request additional disclosures about the personal information we collect, use, and share; (ii) request access to and deletion of personal information, subject to certain exceptions; (iii) opt out of the sale and sharing of personal information; (iv) correct inaccurate personal information that we maintain; (v) limit the use and disclosure of sensitive personal information; and (vi) obtain a copy of personal information. We will not discriminate against anyone for exercising any of these rights.
Methods for Submitting Requests
To exercise any of these rights, please email Privacy@kestramedical.com with the phrase “Privacy Rights” in the subject line. A request may be sent to us via postal mail at 3933 Lake Washington Blvd NE, St 300, Kirkland, WA 98033 (please mark the envelope ‘Data Protection Officer’) or call us toll free at (800) 957-0028. We will process your request within the timeframe provided by applicable law. The rights described herein are not absolute and we reserve all of our rights available to us at law in this regard. You may have the right to appeal our decision with respect to a request you have submitted by emailing us at Privacy@kestramedical.com. Additionally, if we retain you or your patient’s personal information only in de-identified form, we will not attempt to re-identify the data in response to a privacy rights request.
If you or your patients make a request related to personal information, we require a valid means of identification as a security precaution. We will verify identity with a reasonably high degree of certainty using the following procedure where feasible: we will match identifying information provided when making the request to the personal information maintained by us. If it is necessary to collect additional information, we will use the information only for verification purposes and will delete it as soon as practicable after complying with the request. For requests related to particularly sensitive information, we may require additional proof of identity.
Authorized Agents
You or your patient may use an authorized agent to submit a privacy rights request. When we verify the agent’s request, we may verify both the requestor and your agent’s identity and request a signed document from the requestor that authorizes your agent to make the request on your behalf. To protect your personal information, we reserve the right to deny a request from an agent that does not submit adequate proof of authorization to act for you.
Sales and Sharing of Personal Information
Under the CPRA, a ‘sale’ is defined broadly to include disclosing or making available personal information to a third-party in exchange for monetary compensation or other benefits or value, and ‘share’ broadly includes disclosing or making available personal information to a third party for purposes of cross-context behavioral advertising. As such, we do not sell or share personal information.
We share personal information about California residents as set forth in the section titled “How We Share Your Information.”
Changes to This Notice
We may update this Notice when changes occur to what data we collect, how it is used, or the parties involved. When we make changes, we will update the “effective on” date to reflect the current status. In other instances where we make material changes, we will use reasonable efforts to notify you of the change. For example, by posting a prominent notice on our website or sending you an email. Continued use of our site or Services means you acknowledge and accept the privacy practices as described herein.
Contact Information
If you have questions or are concerned that any of your privacy rights have been violated, wish to exercise any of your rights described in this Notice, or ask questions about those rights, please contact us at:
Phone: (800) 957-0028
Email: privacy@kestramedical.com
Mailing:
ATTN: PRIVACY OFFICER KESTRA MEDICAL TECHNOLOGIES, INC. 3933 LAKE WASHINGTON BLVD., SUITE 200 KIRKLAND, WA 98033 UNITED STATES OF AMERICA
Privacy Notice Updates
Effective 02.26.24
80793-001_A