Privacy Policy

1. Introduction

At Kry, healthcare personnel work side by side with technical personnel to develop and deliver health services. At Kry, we always put you as an individual and patient first, and this privacy policy ("Privacy Policy") explains how we process your personal data when you seek healthcare or similar services from us ("Services").

We explain in more detail in this privacy policy how Kry works for you as a "user" and "patient" and who is responsible for the processing of your personal data, which is carried out in connection with your use of the Services.

We describe what personal data about you is processed when you use the services, how we process the personal data, and why. We describe the legal basis for our processing and which external parties may process personal data about you in order for us to be able to provide you with the Services.

You will also receive information about your rights in connection with the processing of your personal data and about what you can do to exercise these rights.

2. Who is responsible for the processing of personal data?

Using the App without seeking medical advice

Kry International AB (publ), company registration no. 556967-0820 ("Kry International"), which is the parent company of the Kry Group, owns and makes available the technical platform "Kry" and the application (the "App"), and is the data controller for the personal data that you register in the App, right up until you initiate contact with a healthcare provider for medical advice and follow-up.

When you seek healthcare services from Kry, only established healthcare providers are responsible for providing healthcare services, including the processing of personal data carried out in connection with your use of the Services.

In practice, this means that as soon as you start sharing information about your health via the App, the responsibility for your personal data is transferred to the Healthcare Provider.

Healthcare via the app

In Norway, Kry International's wholly-owned subsidiary Digital Medical Supply Norway AS, organization no. 918 106 030, provides the health services in the Services ("Healthcare Provider"), unless otherwise clearly disclosed to you in connection with your use of the Services.

The healthcare provider is the data controller for the processing of personal data that is carried out in connection with your use of the healthcare services. In connection with health services, Kry International, in its capacity as a processor of personal data, acts only as a provider of the technical platform and the associated service. This means that your personal data will only be processed in accordance with the instructions of the Healthcare Provider.

In the event that another healthcare provider joins the Kry platform and processes your personal data in connection with your use of the Services, we will inform you when you use the Services so that you always know which healthcare provider is the controller of your personal data.

Contact details of the data controller

Kry International AB (publ)Box 3468SE-103 69 Stockholm, Sweden

Digital Medical Supply Norway AS. 
Hoffsveien 920377 Oslo, Norway

If you have any questions or comments regarding the processing of your personal data in connection with your use of the Services, you are always welcome to contact us and/or our Data Protection Officer by sending an email to privacy@kry.no.

3. Where do we obtain your personal data that is processed when you use the Services?

3.1. Personal data registered through your user account in the App

Kry International and the Healthcare Provider process your personal data, which you register through the account, such as your name, social security number, address and email address when you open a user account with us, and then any information that you register when you use the App. In addition, we may collect and process the following information automatically:

  • i) technical information, including IP address, login information, type and version of operating system and device, time settings, language settings, cookies, etc.;

  • ii) information about the Services we provide to you, as well as keystrokes.

Information about our use of cookies can also be found in Kry's cookie policy. We refer to these categories of personal data, which you provide when you download and use the App, "User Data" below.

3.2. Personal data to and from the Healthcare Provider

When you wish to receive healthcare services from us, you will be asked to share data related to your physical and/or mental health. You do this mainly by filling out the form with relevant symptoms in the App. This information may include, but is not limited to, information that you are suffering from an illness, your medical history, or your physiological or medical condition. The healthcare provider with whom you come into contact through the Services may also transfer personal data about you in order to provide healthcare services and follow up on the healthcare services you have received within the framework of the Services. Personal data related to your health that the Healthcare Provider uses to provide healthcare services is referred to below as "Patient Data".

3.3. Personal data of third parties, including other healthcare providers

Your personal data may also be updated and processed by us as patient data based on the healthcare services you have received from other healthcare providers that are not linked to Kry. In the event that this data is considered relevant for the provision of healthcare services within the scope of the Services, it may be stored and processed by the Healthcare Provider and entered into your patient record by the doctor treating you.

4. Where is your personal data stored?

The app is a technical platform developed by Kry International and also owned and controlled by Kry International. The app is continuously developed and quality assured. Most of your personal information that we collect when you use the Services is not stored on your smartphone or tablet. Instead, this personal data is stored by Kry International, in infrastructure provided by one of Kry International's subcontractors. The personal data is mainly handled and stored within the EU/EEA, and no sensitive personal data, such as information about your health, is stored outside the EU/EEA in connection with your use of the Services. The Healthcare Provider is obliged to maintain patient records when performing the Services and relevant patient data is entered into a patient record system (specifically designed to meet the requirements of applicable legislation) at the request of the Healthcare Provider. The personal data in your patient records is handled and stored within the EU/EEA.

5. Why is personal data processed when you use Kry?

5.1. Kry International's processing of your user data Kry International processes your User Data (as described above in section 3.1) for the following purposes:

  • i) to process your application or close your user account in the App,

  • ii) to allow you to log in and use your user account;

  • iii) to verify your identity and age;

  • iv) to keep accurate and up-to-date information about you;

  • v) to enable you to supervise and manage ongoing health matters;

  • vi) to manage your choices of settings and payment information, and

  • vii) to otherwise provide the Services to you in accordance with our General Terms.

The legal basis for processing your user data is that it is necessary for the performance of our contract, which constitutes our General Terms, for the purpose of providing the Services, including enabling the Healthcare Provider to provide good health care in connection with your use of the Services.

5.2. The provision of health services by the health service provider

The healthcare provider processes patient data (as described above in section 3.2) for the purpose of providing the Services to you in the form of healthcare and other necessary treatments or advice in connection with the provision of the healthcare service itself. As a Healthcare Provider, our business activities are regulated by national legislation. We therefore process your personal data in accordance with applicable law. The processing of your patient data necessary to provide the Services is also necessary to comply with other legal obligations of the Healthcare Provider. This includes that our doctors keep patient records, which the Healthcare Provider is obliged to keep for a specified period of time. The Healthcare Provider also uses Kry International to ensure the quality of and develop the Services. In this way, Kry International may process (work technically with and store) sensitive personal data about you in order to ensure a high quality of health treatment and the provision of health services within the Services in accordance with applicable legislation. This processing of your sensitive personal data takes place independently of Kry International and in accordance with the instructions of the Healthcare Provider. Anonymised data that does not constitute personal data may be shared by the Healthcare Provider with KRY International for the purpose of developing the Services and developing our business operations.

5.3. Provision of support services in connection with your use of the Services

Kry International and the healthcare service may communicate with you as a user of the Services. This includes, among other things, responding to inquiries and investigating complaints and matters relating to user support (including technical support) through our support services by telephone or on digital channels.

Depending on your circumstances, you may share additional user data and patient data, which we then process in order to help you use the Services in the best possible way.

Kry International and the Healthcare Provider provide support as described above as part of the Services (i.e. as necessary to fulfil the contract with you and KRY International).

To the extent that the Support Services are related to health treatment or the processing of patient data (or sensitive personal data about you), the processing is for the purpose of providing healthcare services as part of the Services and to ensure high-quality healthcare.

The processing of your personal data in connection with support services may also take place in order for the Healthcare Provider to comply with its legal obligations under applicable health legislation (see also section 5.5 below).

5.4. To be able to market products and services and improve your user experience

Kry International processes some of your user data (as described above in section 3.1) for the following purposes: direct marketing to you by e-mail or text messages, or other similar electronic communication channels, for example in connection with campaigns and offers in cooperation with Kry International's partners.

This includes analytics about you as a Kry user and how you use the Services (for example, which websites you have visited and what web searches you have performed) and your history based on your contact with the Healthcare Provider. Our analysis also includes information about your age and place of residence.

Kry International uses information about your use of the Services for these purposes on the basis of its legitimate interest in improving the user experience in the App.

The information about you as a user is also used for marketing purposes. Marketing will be sent to you by email on the basis of your consent, which you may withdraw at any time in accordance with Section 9 below.

5.5. To comply with legal obligations

Kry International and the Healthcare Provider may process your User Data and Patient Data (as described above in Sections 3.1-3.2) as necessary to comply with their legal obligations as set out in statutes, court orders, or decisions of public authorities.

To the extent that patient data is relevant, Kry International and the Healthcare Provider also rely on providing healthcare services as part of the Services and to ensure high-quality healthcare services.

Otherwise, we store and process your personal data to the extent necessary to be able to comply with our legal obligations and requirements.

5.6. To be able to evaluate, develop and improve the quality of the Services

Kry International and the Healthcare Provider may process your user data in order to develop and improve the Services and the IT systems used to provide the Services.

This is done on the basis of our legitimate interests in constantly improving the security and processing of personal data, and to make the App more user-friendly, for example by changing the user interface to simplify the flow of information, or to highlight features that are frequently used by users.

We only process sensitive personal data about you in order to provide the Services (i.e. to be able to fulfil a contract between you and Kry International) and to be able to ensure high-quality healthcare and provide healthcare in accordance with applicable legislation.

All other development of our Services takes place using anonymized data.

6. How long do we keep your personal data?

We will only process your personal data for as long as necessary for the purposes of the processing of the information in question, in accordance with section 5 above. This means for as long as it is necessary to provide good health care or to otherwise provide the Services, or to comply with our legal obligations.

The healthcare provider is obliged to store patient records in connection with health meetings with you for a specified period of time. We also have routines for how we store or anonymize personal data to ensure that your personal data is always sufficient and relevant to our continued provision of the Services.

Your user data will be deleted or anonymized no later than six (6) months from the time you close your user account with us, provided that it is not necessary to store personal data in order for us to comply with our legal obligations or if the information is otherwise necessary to enforce legal requirements.

After the purpose of the information has been achieved, any information that is not necessary for the fulfillment and development of the Services, or to ensure quality, is anonymized and stored, or deleted automatically.

User data stored on the basis of your consent will be deleted by us if you withdraw your consent. You can read more in section 9 about how to exercise your right to withdraw your consent.

7. Third parties with whom your personal data may be shared when you use the Services

7.1. Kry International's subcontractors

In order for us to provide you with the Services, we use certain third-party service providers that process personal information in certain cases. The external suppliers are mainly Amazon Web Services, Inc (operating provider), Pridok AS (provider of patient record management systems) and Zendesk (customer service and support tools).

The external suppliers only work at the request of Kry International and/or Digital Medical Supply Norway AS, and only process personal data (in their capacity as data processor) in accordance with instructions.

Kry International also uses services from suppliers who work independently, and who in this way are responsible for the processing of your personal data, such as suppliers of payment solutions. Where applicable, you will be asked to enter into separate agreements directly with these suppliers.

Please note that this Privacy Policy does not apply to the processing of personal data that takes place with the help of these providers. For information on how other providers process your personal data, please contact these providers.

7.2. Healthcare subcontractors

The healthcare provider maintains patient records in accordance with applicable legislation in connection with the provision of healthcare services within the scope of the Services.

The patient records are stored in patient record systems outside of the App of a third-party hosting provider, at the request of the Healthcare Provider and in accordance with the instructions of the Healthcare Provider.

The healthcare provider is responsible for all personal data (patient data) stored in patient records.

7.3. Employers and insurance companies

If you have been referred to us by your insurer to deal with your specific case, we may provide information to your insurer that you have used the Services and about your health condition, including copies of your medical records.

Such transfer of your personal data as described above is carried out by us in such cases at the request of your insurer, as we are the controller of personal data.

In other words, this requires that you have entered into an agreement with your insurer or otherwise expressly consented to treatment with your insurer.

This Privacy Policy does not apply to the processing of personal data carried out by your insurer. For more information about how your insurer processes personal data, please contact your insurer.

If you have been referred to us by your employer, we act as the data controller for personal data. We do not disclose sensitive personal information to your employer, i.e. information about your health, including whether or not you have used the Services.

8. Transfers to third countries

Kry International and the Healthcare Provider use IT suppliers for operational services outside the EU/EEA, which means that Kry International and the Healthcare Provider will transfer your personal data outside the EU/EEA, currently to the USA. However, transfers of personal data only take place in extraordinary cases to countries outside the EU/EEA, and only provided that the transfer is lawful in accordance with applicable data protection legislation in the recipient country with reference to:

  • i) the European Commission's decision on an adequate level of security;

  • ii) the use of the European Commission's Standard Contractual Clauses for transfers to third parties;

  • iii) that the recipient is covered by the Privacy Shield Rules and thus by the requirement of an adequate level of security (applies to transfers to the United States); or

  • iv) other applicable safeguards to comply with applicable data protection laws.

9. Your rights as registered in the App and as a user of the Services

You have the right to receive information about what personal data about you we process, for what purpose it is processed, whether such personal data has been transferred to a third country, and which parties have received your personal data. To clarify this, you can contact us at any time to:

  • Request access to, and information about, the personal data processed in connection with your use of the App and/or Services;

  • Ask us to correct any errors in the information about you;

  • Ask us to have your personal data deleted (however, please note here that Healthcare Providers have certain legal obligations to retain personal data, particularly in relation to patient data, including maintaining patient records in connection with the use of the Services). At your request, any Patient Data that we do not have a legal obligation to keep will be deleted;

  • Ask us to restrict the processing of your personal data when you believe that this data is inaccurate; that our processing is unlawful; or that we no longer need to process this data for a specific purpose unless we are unable to delete the data due to a legal or other obligation, or because you do not want us to delete it;

  • Object to the processing of your personal data when the legal ground for our processing of your personal data is our legitimate interest. We will comply with your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim;

  • If we use your personal data on the basis of your consent, you have the right to withdraw your consent at any time, free of charge. This also includes if you wish to opt-out of marketing messages. Please note that Kry International and the Healthcare Provider handle your personal data in connection with various purposes (both as a technical provider of the App, but also as a Healthcare Provider). Withdrawal of consent does not affect the Healthcare Provider's obligation to keep patient records, or to process your personal data in accordance with applicable law; or

  • Request that your personal data be transferred to another controller of personal data, to the extent that you have provided it, in an electronic format that is normally used to be able to transmit it to another party (right to data portability).

If you wish to contact us regarding any of the points above, we encourage you to send an email to privacy@kry.no.

10. Right to lodge a complaint with the supervisory authority

With this privacy policy, we sincerely hope that we have made it clear to you how we handle your personal data. If you still have questions, please feel free to contact us.

We would also like to inform you that if you believe that the processing of your personal data is incorrect or does not comply with legal requirements, you have the right to lodge a complaint with the relevant supervisory authority.