Knapsack Privacy Policy
Knapsack Health, LLC (the “Company”), offers a mobile application known as “Knapsack” that allows its users (“You”) to store medical records and medical insurance information on your mobile device and/or in a cloud storage location operated by the Company.
The Company needs to collect and use certain information to operate the Knapsack application, as well as any other mobile applications owned or operated by the Company, any websites owned or operated by the Company, and any communication tools including email or any other content delivery method owned, operated, or utilized by the Company (collectively, the “Knapsack Services”). At the same time, the Company is committed to protecting the privacy and security of your personally identifying information. This Privacy Policy sets forth, among other things:
* How the Company collects information.
* What information the Company collects.
* How the Company may use this information.
* What information the Company may share and who the Company may share it with.
* Your choices regarding the sharing of information.
This Privacy Policy is governed by, and is subject to, the Company’s Terms of Service and Use (“TOS”), which are available at http://knapsackhealth.com/tos, and which are incorporated into this Privacy Policy by this reference. The Company reserves the right to revise this Privacy Policy at any time by posting such revisions on this webpage. Any such revisions become effective as of the date they are posted on this website, which date is evidenced by the Effective Date at the bottom of this Privacy Policy. Your continued use of the Knapsack Services constitutes your agreement to the revised Privacy Policy. If you do not agree to the revised Privacy Policy your only option is to discontinue use of the Knapsack Services and close your Account. The Company encourages you to periodically review this Privacy Policy.
YOUR ACKNOWLEDGEMENT AND AGREEMENT
Persons under the age of thirteen (13) are not permitted to use the Knapsack Services. Persons who are thirteen (13) years of age or older but less than eighteen (18) years of age may open an Account, use the Knapsack Services, or purchase goods or services from the Company if, and only if, they have permission from at least one of their parents or legal guardians. In the event that you provide the Company with information pertaining to a person who is less than thirteen (18) years of age, that information is treated in the same manner as information you provide about yourself. By using the Knapsack Services and/or submitting information to the Company, you consent to the Company’s use and sharing of the information collected or submitted as described in this Privacy Policy. If you do not consent to this Privacy Policy, you are not permitted to use the Knapsack Services.
HOW DOES THE COMPANY COLLECT INFORMATION AND WHAT INFORMATION IS COLLECTED?
The Company collects and combines personally identifiable information (“PII”) and non-personally identifiable information (“Non-PII”) through various sources, including those discussed below. For your reference, PII is data collected with an intention to specifically identify, contact, or locate a person, including but not limited to name, address, telephone number, and/or e-mail address. Conversely, Non-PII is data that is not used to specifically identify, contact, or locate an individual, including but not limited to zip code, gender, age, machine access code, and/or internet protocol address. In general, PII and Non-PII is collected from information you provide through the Knapsack Services. In some situations PII and Non-PII may also be collected or supplemented from information passively provided by your device, its software, or cookies. Information that is passively collected is generally limited to technical information such as mobile subscription identification numbers, system identification codes, international mobile equipment identification numbers, international mobile subscriber identities, mobile equipment identifiers, subscriber identity modules, mobile serial numbers, equipment serial numbers, operating systems, software versions, machine access codes, and/or internet protocol addresses.
Additionally, because the Knapsack Services involve the storage and transmission of medical and insurance information, the Company collects protected health information (“PHI”). In general, and subject to the definitions set forth in federal law, PHI is individually identifiable health information communicated between entities subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including but not necessarily limited to health information that identifies an individual or which can reasonably be used to identify an individual.
The Company and the Knapsack Services are HIPAA compliant. As such, the Company will not sell your PHI without first obtaining your explicit written permission. Declining to give such permission does not prohibit you from using the Knapsack Services. The Company may sell PII and non-PII that is not related to your health.
To keep your PHI separate and distinct from PII and Non-PII, the Company collects PII and Non-PII separately from your PHI. Specifically, the Company collects PII and Non-PII when you access the Knapsack Services and/or open an Account. After you open an Account, you can submit PHI to the Company through the Knapsack Services. Although some information in your PII and Non-PII may be identical to or duplicative of information in your PHI, the Company stores and maintains your PHI separately from your PII and Non-PII.
In general, the Company collects only data needed to operate the Knapsack Services.
The Company may engage third party operators, such as an advertising network or a social network plug-in that collects or maintains PII through the Knapsack Services. The name, address, telephone number, and email address of each such operator is listed below, along with a description of what information is provided to each operator and how each operator uses that information:
Website Registration Forms
The Company collects information about you when you open an Account. Account registration information may include, but is not limited to your:
* Full name
* Address(es)
* Telephone number(s)
* Email address(es)
* Date of birth
* Gender
No PHI is provided to the Company when you create an Account.
Use Information
The Company automatically collects information about how people access and use the Knapsack Services (“Use Information”). When you download the Knapsack mobile application the Company collects information showing the type of mobile device and the Unique Device Identification number (“UDID”) of that particular device. Each time you use the Knapsack Services the Company collects information showing the type of mobile device, UDID, type of internet web browser, operating system, internet service provider (“ISP”), internet protocol address (“IP address”), media access control address (“MAC ID”), date/time stamp, browser type, referring uniform resource locator (“URL”), the webpages you access on or through the Knapsack Services, the duration of time spent on each such page or using each such service, crash logs, and other information related to your use of the Knapsack Services. No PHI is included in Use Information.
Message Information
The Company collects data about messages and emails you send to the Company and/or through the Knapsack Services (“Message Information”). Message Information may include the sending user, the recipient, and the contents of the message. Depending on the contents of the message, PHI may or may not be included in Message Information.
The Company securely and permanently deletes Message Information on a regular basis. When Message Information is deleted in this manner, it cannot be retrieved by the Company, unless you have selected an option on your Account to archive such Message Information. Some Message Information may be stored or retained by the Company because it has a purpose other than transmission of the information. For example, if a user were to send an email to the Company describing a problem with an Account, the Company may store that Message Information so that it can investigate and correct the problem, or to preserve a record of communications between the Company and its users.
Cookies and Other Digital Identifiers
Cookies are small, removable files that contain unique alphanumeric identifiers and are saved on your mobile device. A cookie is created and saved in the local memory of your mobile device when you use a web browser to access the Knapsack Services. The Company uses cookies to collect Use Information and Non-PII, but does not use cookies to collect PII or PHI. If you delete this cookie or set your web browser to refuse requests to set cookies, the Knapsack Services may not function in whole or in part. You consent to the Company’s use of cookies.
Some web browsers offer a “do not track” setting that prevents web-based services from tracking your online activities. The Knapsack Services do not currently support “do not track” technology, although that feature may be added at a later date. If you utilize the “do not track” setting on your web browser, you may have to disable it to use the Knapsack Services.
Additionally, the Company may use pixel tracking technology to track the completion of transactions with the Company or its advertisers, the source information for those transactions, and your IP address, MAC ID, date/time stamp, browser type, and referring URL.
THIRD PARTY ACCOUNT INFORMATION
The Company advises you to log into your Account only through the Knapsack Services and to never utilize any third party software or service to access your Account. If, despite this advice, you nonetheless choose to utilize a third-party service to access your Account and/or utilize the Knapsack Services (i.e. via a single sign-on integration or service) you understand that some information will be shared between that third party service and the Company. Information the Company received from such third parties shall be associated with your Account and will be covered by this Privacy Policy.
You may revoke a third-party service’s right to access your Account and/or utilize the Knapsack Services in the Settings section of the Knapsack mobile application. Revoking such permission will disable data access between the third-party provider and the Knapsack Services.
HOW DO I CORRECT AN ERROR?
You can review, correct, update, or change your PII, so long as the change is factually accurate, by contacting the Company’s Customer Service department at ecesis@knapsackhealth.com. Please include your name, date of birth, and account number in any communications with Customer Service.
HOW DOES COMPANY USE THIS INFORMATION?
The Company may use the collected PII, Non-PII, and PHI for any legally permissible purpose in the Company’s sole discretion, including but not limited to those detailed below.
Provision of the Knapsack Services
The Company may use some or all of your PII and Non-PII to provide you with products or services, including improvements to the Company’s provision of products and services. The Company may use your PII and Non-PII to operate the Knapsack Services, service your Account, and charge you for orders. The Company may also use your PII and Non-PII to verify your identity or Account status and, where the Company determines in its sole discretion that it is appropriate, to investigate your compliance with the TOS or any advertisements or other offers. Please note that the Company retains your correspondence with the Company’s customer service personnel, and that any calls to the Company may be recorded for training purposes.
The Company may utilize Use Information to monitor and improve the Knapsack Services. For this purpose the Company may collect Use Information including but not necessarily limited to how often you use the Knapsack Services, what webpages you visit on or through the Knapsack Services, and what webpages you visited before or after using the Knapsack Services.
The Company may utilize Google Analytics for similar purposes. Although Google Analytics collects only the IP address assigned to your mobile device on a particular day, the Company may combine the data it receives from Google Analytics with other PII and Non-PII in the Company’s database.
Use of PHI
The Company may use your PHI to provide the Knapsack Services, including but not limited to collecting your PHI, transmitting your PHI, storing your PHI, and associating your PHI with your Account. The Company may disclose PHI when authorized or when necessary to protect public health. Your PHI may be used in certain circumstances, such as for treatment, payment, or healthcare operations. PHI may be viewed and used only by the Company, entities that you authorize to receive PHI, and entities to whom the Company reports PHI when necessary to protect public health or to comply with legal process.
When you submit a request through the Knapsack Services directing the Company to disclose some or all of your PHI to a specific recipient, the Company shall send an email to the designated recipient. The PHI subject to the request will be attached to the email as an encrypted portable document format (secure pdf) file. The password to decrypt and open the file is your birthday. To access the PHI, simply open the attachment, wait for the decryption prompt, type your birthday in the following format DD-MM-YYYY, and the file will then open in Adobe Reader. If you do not already have Adobe Reader installed on your mobile device, you can download it for free from the Google Play Store or the Apple App Store.
The Company will not sell your PHI without first obtaining your explicit written permission. Declining to give such permission does not prohibit you from using the Knapsack Services. In the event that you give the Company permission to sell your PHI, the Company will ordinarily remove personally identifying information from your PHI before it is sold. For example, if you give the Company permission to sell information related to your blood pressure, the Company will generally remove your name and other personal details from that information, combine your information with data provided by other users of the Knapsack Services, and sell that data to third parties that have a need for blood pressure information pertaining to a specific demographic, such as men in the Southwest United States, or women between the ages of 30 and 50.
Adobe and Adobe Reader are trademarks of Adobe Systems Incorporated, which is a separate company that is not affiliated with or an endorser of Company or the Knapsack Services.
Marketing
The Company may use your PII and Non-PII, but not your PHI unless you have given the Company permission to do so, in its online and in-person marketing programs.
Data Retention
Except as provided elsewhere in this Privacy Policy, the Company retains the right, but not the obligation, to store PII, Non-PII, and PHI for the duration that you have an Account and for a period of seven (7) years thereafter.
HOW DOES COMPANY SHARE INFORMATION?
The Company may share your PHI for any legally permissible purpose in the Company’s sole discretion, including but not limited to those set forth in the “Use of PHI” section above and the “Governmental Agencies or Other Companies” section below.
The Company may share your PII and Non-PII for any legally permissible purpose in the Company’s sole discretion, including but not limited to those detailed below. Any PII and Non-PII shared with any third party will receive the same or equal protection as that afforded by the Company.
Independent Contractors
The Company may share your PII and Non-PII with various third party independent contractors that perform services for or on behalf of the Company, including but not limited to vendors that provide the Company with technology to deploy commercial email, host websites, and maintenance of the Company and the Knapsack Services.
In general, the Company provides these independent contractors with only the information they need to provide their respective services. Each such independent contractor must agree to utilize reasonable security procedures, policies, practices, software, and hardware, as appropriate to the nature of the information involved and the service being provided. Independent contractors are prohibited from using your PII and Message Information except as authorized by the Company.
Ad Serving Companies
The Company may use third party advertising networks or ad serving companies to serve advertisements on the Knapsack Services. The Company may forward your PII and Non-PII to these companies so that they can deliver targeted advertisements that they believe will be of interest to you. The information forwarded to these companies may include, but is not limited to, your IP address, MAC ID, email address, full name, mailing address, telephone number, date of birth, gender, and any other non-PHI information that you may provide to the Company. Web pages that are served by these companies will state that they are “powered by” or “ads by” the applicable company and will contain a link to the provider’s privacy policy.
Data Enhancement/Appending/Validation
The Company may use third party service providers to enhance the Company’s database of PII and Non-PII information with additional elements. Further, the Company may use third party service providers to append telephone numbers to other PII and Non-PII data points that the Company has in its database. Company also may use third party service providers to validate the PII and Non-PII information in the Company’s database.
Governmental Agencies or Other Companies
The Company may share your PII and Non-PII with law enforcement officials or governmental agencies: (1) in response to their request; (2) when permitted or required by law; or (3) to establish the Company’s compliance with applicable laws, rules, regulations, or guidelines. In addition, there are certain situations where the Company may be authorized or required by law to disclose your PHI to law enforcement officials or governmental agencies, such as when there is a threat to public health, or if the Company receives a valid subpoena for some or all of your PHI from a court of competent jurisdiction.
The Company may store and share your PII and Non-PII with third parties for suppression or opt-out purposes.
The Company also may share your PII and Non-PII with third parties when: (1) trying to protect against or prevent actual or potential fraud or unauthorized transactions; (2) investigating fraud that has already taken place; (3) enforcing or applying the TOS, existing terms and conditions, and/or other agreements; (4) protecting the rights, property or safety of the Company, the Knapsack Services, other users of the Knapsack Services, or third parties; or (5) responding to subpoenas, court orders or legal process, or to establish or exercise the Company’s legal rights or defend against legal claims. In such situations, this PII and Non-PII is not being provided to these entities or persons for marketing purposes.
Right to Transfer
Should the Company choose to sell or transfer business assets, it is possible that the PHI, PII, and Non-PII the Company possesses about you may be transferred as part of that transaction. The Company may decide to retain a copy of your PII and Non-PII, but not your PHI, even after the sale or transfer has been completed.
CUSTOMER CHOICES
Marketing Communications
By sharing PII and Non-PII with the Company, including but not limited to your creation of an Account, you are consenting to receive marketing communications from the Company and its third party marketing partners, if any. If, after you have shared your PII and Non-PII with the Company, you decide that you do not want to receive marketing communications from the Company and its third party marketing partners, if any, you can discontinue the communications by following the opt-out instructions. If you have registered or submitted PII and Non-PII under more than one email account, you must submit separate unsubscribe requests for each email account.
Deleting Your Account
You may delete your Account, and all PII and PHI associated therewith, by selecting the appropriate option in the Knapsack mobile application, or by emailing the Company’s Customer Service department at ecesis@knapsackhealth.com. Please include your name, date of birth, and account number in any communications with Customer Service.
When the Company receives your request to cancel your service, Company shall close your Account, securely delete all PII and PHI in the Company’s possession, and securely delete all PHI stored in the Knapsack Folder, which is stored in the local memory of your mobile device. The Company may retain Non-PII for up to seven (7) years after your Account is deleted. Please allow thirty (30) days for Company to process your service cancellation request.
Revoking Permissions to Collect User and Use Information
The Knapsack Services will not work without the ability to collect PII and Use Information. Accordingly, the only manner by which you may revoke permission for the Company to collect PII and Use Information is by submitting a request to delete your Account.
Lost Devices
Sometimes people lose their mobile devices, or suspect that a third party has gained unauthorized access to those devices. The Company understands the unique risks that such unauthorized access may pose in the context of PHI, and has therefore built a feature into the Knapsack Services which allows you to securely delete your PHI upon request. To activate this feature simply log into your Account and select the appropriate option, or contact the Company’s Customer Service department at ecesis@knapsackhealth.com. Please include your name, date of birth, and account number in any communications with Customer Service. Upon receiving a valid request the Company will securely delete your PHI from the cloud servers utilized by the Company Services and/or from the Knapsack Folder in the local memory of your mobile device.
Please note that the remote deletion feature does not allow you to securely delete all of the data on your mobile device, nor will it necessarily delete all PHI which may be saved on your mobile device. The remote deletion feature will only delete the PHI that is saved in the Knapsack Folder. Therefore, the Company recommends that you save your PHI only in the Knapsack Folder and delete any other copies from the local memory of your mobile device.
WHAT HAPPENS IF YOU FOLLOW A HYPERLINK FROM ONE OF THE KNAPSACK SERVICES TO ANOTHER WEBSITE?
The Knapsack Services may offer links to other websites. Other websites have their own terms of use and privacy and security policies. If you choose to visit one of these sites, you should review the policies that govern that particular site.
APPLICATION OF THIS PRIVACY POLICY
This Privacy Policy applies to all information collected by or submitted to the Company. Other affiliated entities of the Company may obtain PII and Non-PII independently from transactions and experiences with you or from other sources. This Privacy Policy does not pertain to that information.
WHAT IS THE POLICY WITH RESPECT TO COMMUNICATING WITH CHILDREN?
The Company recognizes the unique privacy concerns regarding children and is committed to carefully protecting privacy where children are involved no matter the point of contact. In particular, it is the Company’s intention to fully comply with the Children’s Online Privacy Protection Act (“COPPA”). Per COPPA guidelines, Company does not knowingly collect PII from children under the age of 13. If a parent or guardian is made aware that a child under the age of 13 has provided the Company with PII through any point of contact, the parent or guardian should contact the Company, whereupon the Company shall use commercially reasonable efforts to delete the PII about the child from its files. In the event that you provide the Company with information about a child under the age of 13, for example a son, daughter, niece, nephew, or grandchild, the Company treats that information the same as information you provide about yourself unless you instruct the Company to treat that information differently.
COPPA NOTICE OF PARENTAL RIGHTS
Pursuant to COPPA, the Company hereby notifies parents about its practices for collecting information from children under the age of 13. The Company will not require a child under the age of 13 to provide any information at all. If you choose to provide information about a child under the age of 13, the Company will not require you to provide more information about that child than is reasonably necessary for the Company to provide the Knapsack Services and complete its other routine business operations. You can review any information you provide about a child under the age of 13 in the same way that you review any other information you provide to the Company. You may direct the Company to stop further collection or use of information you provided about a child under the age of 13, authorize the Company to continue collection and use of information you provided about a child under the age of 13 but cease disclosure to third parties unless they are an integral part of the Knapsack Services, or direct the Company to delete information you provided about a child under the age of 13, by sending an email to the Company’s Customer Service department at ecesis@knapsackhealth.com.
In the event that you provide the Company with information about a child under the age of 13, the Company collects information about the parents or legal guardians of that child for the purpose of obtaining their consent to its collection, storage, and use of that information. That consent is required for the Company’s collection, storage, and use of that information. The types of information that are collected from children under the age of 13 are the same as the types of information collected from other users of the Knapsack Services, which are detailed in the section above entitled “How does the Company collect information and what information is collected?” Parents and legal guardians give their consent for the Company to collect, store, and use this information by providing it to the Company. That consent can be revoked or limited using the procedures set forth in the preceding paragraph. If a parent or legal guardian revokes their consent, or the Company determines that the user who provided the information lacked legal authority to do so, the Company will delete the information and the parent’s online contact information from the Company’s records.
SECURITY
There is no such thing as complete security on the Internet or otherwise. The Company uses various security techniques on the Knapsack Services to help protect against the loss, misuse, or modification of information collected from you. When you transmit your information to the Company, that information is stored on servers for which the Company has taken steps to protect against unauthorized access or intrusion. While the Company strives to protect your information, the Company cannot and does not ensure or warrant the security of any information you provide to the Company. You acknowledge and assume this risk when communicating with the Company.
DATA BREACHES
If the Company experiences a data breach, the Company shall attempt to determine how the intrusion was made, who perpetrated the breach, what information was taken, and which Accounts were affected. The Company shall notify the registered owner of each such Account utilizing the contact information provided during the Account creation process.
LIMITATION OF LIABILITY
YOU UNDERSTAND AND AGREE THAT ANY DISPUTE OVER PRIVACY IS SUBJECT TO THE TOS, AS SUPPLEMENTED BY THE TERMS AND CONDITIONS OF THIS PRIVACY POLICY. YOU AGREE THAT THE COMPANY’S LIABILITY FOR ANY BREACH OF THE TOS OR THIS PRIVACY POLICY IS LIMITED TO THE AMOUNT YOU HAVE PAID TO THE COMPANY.
State-Specific Terms and Conditions
Pursuant to Sections 1798.83 and 1798.84 of the California Civil Code, residents of the State of California have the right to request a notice specifying the categories of PII that the Company shares with affiliates and third parties for marketing purposes and the contact information for those affiliates and third parties. You may submit such a request by sending an email to the Company’s Customer Service department at ecesis@knapsackhealth.com. Please include your name, date of birth, and account number in any communications with Customer Service.
Effective Date: May 16, 2019.