Privacy Policy

1. Introduction

At KRY, healthcare personnel, together with technical personnel, work jointly to develop and provide healthcare. For us at KRY, you as an individual and as a patient always come first and this privacy policy (the “Privacy Policy”) explains how we handle your personal data when you seek healthcare or similar services from us (the “Services”).

We explain in more detail in this Privacy Policy how KRY works for you as a “user” and “patient” and who is responsible for the processing of personal data, which is carried out in connection to your use of the Services. We also describe which personal data about you is processed when you use the Services, how we process the personal data, and why. We also describe the legal basis for our processing and which external parties may handle personal data about you in order for us to provide you with the Services. You also receive information about your rights in relation to the processing of your personal data and what you can do to exercise these rights.

2. Who is responsible for the processing of personal data?

webbhälsa AB, company reg. no. 556967-0820 (“Webbhälsa”), the parent company in the KRY group, owns and makes available the ”KRY” technical platform and application (the “App”) and is the controller for the processing of the personal data, which you register in the App, up until the time at which you commence contact with a healthcare provider for medical advice and follow-up. When you seek healthcare from KRY, it is solely established healthcare providers who are responsible for providing the healthcare, including the processing of personal data which is carried out in connection to your use of the Services. In practice, this means that as soon as you begin sharing information about your health via the App, the responsibility for your personal data is transferred to the Healthcare Provider.

In Norway it is Webbhälsa’s wholly owned subsidiary, Digital Medical Supply Norway AS, company reg. no. 918 106 030, which provides healthcare within the Services (the “Healthcare Provider”), unless otherwise clearly communicated to you in connection with your use of the Services. In relation to healthcare, Webbhälsa acts, in its capacity as a processor of personal data, only as a supplier of the technical platform and the related service. This means that your personal data is only processed according to the instructions of the Healthcare Provider. In the event another healthcare provider joins the KRY platform and processes your personal data in connection to your use of the Services, we will inform you when you use the Services so that you always know which healthcare provider is the controller of your personal data.

If you have any questions or comments regarding the processing of your personal data in connection to your use of the Services, you are always welcome to contact us and/or our data protection officer by sending an email to privacy@kry.no.

3. Where do we collect your personal data which is processed when you use the Services?

3.1. Personal data which is registered via your user account in the App

Webbhälsa and the Healthcare Provider process personal data about you, which you register via your account such as your name, personal ID number, address and email address when you open your user account with us and, subsequently, any information you register when you use the App. In addition, we may automatically collect and process the following information: (i) technical information, including IP address, login information, type and version of operating system and unit, time settings, language settings, cookies, etc.; and (ii) information about the Services we provide to you, and keystrokes.

Information regarding our use of cookies may also be found in KRY’s Cookies Policy.

We call these categories of personal data, which are provided when you download and use the App, “User Data” below.

3.2. Personal data to and from the Healthcare Provider

When you seek healthcare from us, you are asked to share data linked to your physical and/or mental health. You do this primarily by filling in the relevant symptoms form in the App. This information may include, but is not limited to, information that you are suffering from an illness, your medical history, or your physiological or medical condition. The Healthcare Provider with whom you come into contact by using the Services may also transfer personal data about you for the purpose of providing healthcare and following up on the healthcare you received within the scope of the Services.

Personal data related to your health which the Healthcare Provider uses in order to provide healthcare services is referred to below as “Patient Data”.

3.3. Personal data from third parties including other Healthcare Providers

Your personal data may also be updated and processed by us as Patient Data based on the healthcare you have received from other healthcare providers who are not associated with KRY. In the event this data is considered relevant to the provision of healthcare within the scope of the Services, it may be saved and processed by the Healthcare Provider and entered in your medical records by the clinician who is treating you.

4. Where is your personal data stored?

The App is a technical platform developed by Webbhälsa and is also owned and controlled by Webbhälsa. The App is continually being developed and quality-ensured. Most of your personal data which we collect when you use the Services is not saved in your smartphone or tablet. Instead, this personal data is stored by Webbhälsa, in infrastructure provided by one of Webbhälsa’s subcontracted processors. The personal data is handled and stored primarily within the EU/EEA and no sensitive personal data, such as information related to your health, is stored outside of the EU/EEA in connection to your use of the Services. The Healthcare Provider is obligated to maintain medical records when performing the Services and relevant patient data is filed in a medical record system (specifically developed in order to fulfil the requirements of the applicable legislation) at the request of the Healthcare Provider. Your personal data in your medical record is handled and stored within the EU/EEA.

5. Why personal data is processed when you use KRY

5.1. Webbhälsa’s processing of your User Data

Webbhälsa processes your User Data (as described above in section 3.1) for the following purposes:

  • (i) to process your application or terminate your user account in the App;
  • (ii) to provide you with authorization to login and use your user account;
  • (iii) to verify your identity and age;
  • (iv) to maintain correct and up-to-date information about you;
  • (v) for you to be able to monitor and administer ongoing care matters;
  • (vi) to handle your choice of settings and information about payment; and
  • (vii) to otherwise be able to provide the Services to you according to our General Terms and Conditions.

The legal basis for processing your User Data is that it is necessary for the performance of our contract, which constitutes our General Terms and Conditions, for the purpose of being able to offer the services, including making possible the Healthcare Provider’s provision of good care in connection to your use of the Services.

5.2. The Healthcare Provider’s provision of care services

The Healthcare Provider processes Patient Data (as described above in section 3.2) for the purpose of providing the Services to you in the form of healthcare and other necessary treatment or advice within the scope of providing the healthcare itself.

As a Healthcare Provider, our business operations are governed by national legislation. We therefore process your personal data in accordance with applicable law. The processing of Patient Data regarding you needed to provide the Services is also necessary in order to fulfil other legal obligations of the Healthcare Provider. This includes that our clinicians keep medical records, which the Healthcare Provider is obligated to save for a particular period of time.

The Healthcare Provider also retains Webbhälsa in order to ensure the quality of, and develop, the Services. Through this, Webbhälsa may process (technically work on and to store) sensitive personal data about you for the purpose of ensuring high standards of quality in healthcare and provision of healthcare in the Services in accordance with applicable legislation. This processing of your sensitive personal data takes place independent of Webbhälsa and in accordance with the Healthcare Provider’s instructions.

Anonymised data which does not constitute personal data may be shared by the Healthcare Provider with Webbhälsa for the purpose of developing the Services and developing our business.

5.3. Provision of support services related to your use of the Services

Webbhälsa and the Healthcare Provider may communicate with you, in your capacity as a user of the Services. This includes, among other things, responding to inquiries and investigating complaints and support matters (including technical support) through our support service by telephone or via our digital channels. Depending on your matter, you may share additional User Data and Patient Data which we then process to be able to help you use the Services in the best possible manner.

Webbhälsa and the Healthcare Provider provide support as set forth above as a part of the Services (i.e. necessary to perform the contract with you and Webbhälsa). To the extent the support services are related to care or processing of Patient Data (or sensitive personal data about you), the processing takes place in order to provide healthcare as part of the Services and ensure high standards of quality of healthcare. The processing of your personal data in conjunction with support services may also take place in order for the Healthcare Provider to be able to perform its legal obligations under applicable legislation in the field of healthcare (see also section 5.5 below).

5.4. To be able to market products and services and improve your user experience

Webbhälsa processes some of your User Data (as described above in section 3.1) for the following purposes: direct marketing to you by email and text messages, or other similar electronic channels of communications, for example in connection to campaigns and offers in cooperation with Webbhälsa’s partners. This includes analyses about you as a user of KRY and how you use the Services (for example which web pages you have visited, and which web searches you have made) and your history based on your contact with the Healthcare Provider. Our analysis also includes information about your age and place of residence.

Webbhälsa uses information about your use of the Services for these purposes on the basis of its legitimate interest in improving the user experience in the App.

Information about you as a user is also used for marketing purposes. Marketing is sent to you, via e-mail based upon your consent, which you can withdraw at any time in accordance with section 9 below.

5.5. To perform legal obligations

Webbhälsa and the Healthcare Provider may process your User Data and Patient Data (as described above in sections 3.1 – 3.2) because it is necessary to fulfil its legal obligations as set forth in statutes, court judgments, or decisions by public authorities. To the extent Patient Data is relevant, Webbhälsa and the Healthcare Provider also rely on the basis of providing health care as part of the Services and ensuring high standards of quality in healthcare.

We otherwise save and process your personal data to the extent necessary to be able to fulfil our legal obligations and requirements.

5.6. To be able to evaluate, develop and improve the quality of Services

Webbhälsa and the Healthcare Provider may process your User Data for the purpose of developing and improving the Services and the IT systems used to provide the Services. This is done on the basis of our legitimate interests in continually improving the security and our handling of personal data, and in order to make the App more user-friendly, for example by changing the user interface in order to simplify the flow of information, or to highlight functions which are often used by our users.

We only process sensitive personal data about you for the purpose of being able to provide the Services (i.e. in order to be able to perform a contract between you and Webbhälsa) and to be able to ensure high standards of quality in healthcare and provide healthcare in accordance with applicable legislation. All other development of our Services takes place using anonymised data.

6. How long do we save your personal data?

We only process your personal data as long as is necessary for the purposes for which the information in question is processed according to section 5 above. This means as long as it is necessary in order to be able to provide good care or otherwise be able to provide the Services, or in order to fulfil the legal obligations incumbent upon us. The Healthcare Provider has an obligation to save medical records connected to healthcare meetings with you for a specific period of time. We otherwise have routines for how we store or anonymised personal data in order to regularly ensure that your personal data is always adequate and relevant for our continued provision of the Services. Your User Data is erased or anonymised not later than six (6) months from the time at which you close your user account with us, provided it is not necessary to save the personal data in order for us to fulfil our legal obligations or where the information is otherwise necessary in order to enforce legal claims.

After the purpose of the information has been fulfilled, all information which is not needed for the performance and development of the Services, or to ensure quality, is anonymised and saved, or erased automatically. User Data which is stored on the basis of your consent is erased by us if you withdraw your consent. You can read more in section 9 about how you exercise your right to withdraw your consent.

7. Third parties with whom your personal data may be shared when you use the Services

7.1. Subcontractors of Webbhälsa

In order for us to be able to offer you the Services, we use a number of external suppliers that process personal data in certain cases. Our IT service providers, such as operating and hosting providers, only work at the request of Webbhälsa and according to Webbhälsa’s instructions in its capacity as a processor of personal data.

Webbhälsa also retains the services of suppliers who work independently and who, in this way, are themselves responsible for the processing of your personal data, such as providers of payment solutions. Where applicable, you will be requested to enter into separate agreements directly with such suppliers. We ask you to please note that this Privacy Policy does not apply to the processing of personal data which takes place through these suppliers. For information regarding how other suppliers process your personal data, please contact these suppliers.

7.2. Subcontractors of Healthcare Provider

The Healthcare Provider keeps medical records in accordance with applicable legislation in conjunction with the provision of healthcare within the scope of the Services. The medical records are saved in the medical record systems outside of the App with a third party hosting services provider, at the request of the Healthcare Provider and according to the Healthcare Provider’s instructions. The Healthcare Provider is responsible for any personal data (Patient Data) which is stored in medical records.

7.3. Employers and insurance companies

If you have been referred to us by your insurer, in order to handle your specific case, we may disclose information to your insurer that you have used the Services and regarding your health condition, including copies of your medical records. Such a transfer of your personal data as set forth above is carried out by us in such case at the request of your insurer in our capacity as a controller of personal data. [In other words, this requires that you have entered into an agreement with your insurer or otherwise explicitly consented to the processing in relation to your insurer.] This Privacy Policy does not apply to the processing of personal data which is carried out by your insurer. For more information about how your insurer processes your personal data, please contact your insurer.
If you have been referred to us by your employer, we act as the controller of personal data. We do not disclose any sensitive personal data to your employer, i.e. information regarding your health, including whether you have used the Services.

8. Transfers to third countries

Webbhälsa and the Healthcare Provider use IT suppliers for operating services outside of the EU/EEA. This means that Webbhälsa and the Healthcare Provider will transfer your personal data outside the EU/EEA, currently to the United States.

Transfers of personal data take place, however, only in exceptional cases to countries outside the EU/EEA and only provided that the transfer is lawful according to the applicable data protection legislation regarding the protection of your privacy in the recipient country with reference to: (i) the EU Commission’s decision regarding adequate levels of protection; (ii) application of the EU Commission’s standard contract clauses for transfers to third parties; (iii) that the recipient is covered by the Privacy Shield rules and thus the requirement of an adequate level of protection (applies to transfers to the United States); or (iv) other applicable safeguards in order to fulfil applicable data protection legislation.

9. Your rights as a data subject in the App and user of the Services

You have the right to receive information regarding what personal data about you that we are processing, for what purpose it is being processed, whether such personal data has been transferred to a third country, and which parties have received your personal data.

In order to clarify this, you may at any time to contact us in order to:

  • request access to, and information about, the personal data which is being processed in conjunction with your use of the App and/or the Services;
  • ask us to correct any incorrect information about you;
  • request that your personal data be erased (however, we ask you here to note that Healthcare Providers have certain obligations by law to save certain personal data, particularly related to Patient Data, including keeping medical records in connection to use of the Services). At your request, all Patient Data which we do not have a legal obligation to retain will be erased;
  • ask us to restrict the processing of your personal data where you believe such data to be inaccurate; our processing is unlawful; or we no longer need to process such data for a particular purpose unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it;
  • object to the processing of your personal data where the legal justification for our processing of your personal data is our legitimate interest. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim;
  • if we use your personal data on the basis of your consent, you have the right to withdraw your consent at any time, free of charge This includes where you wish to opt out from marketing messages. Please note that Webbhälsa and the Healthcare Provider handle your personal data for different purposes (both as a technical supplier of the App but also as a Healthcare Provider). Withdrawal of consent does not affect the Healthcare Provider’s obligation to keep medical records, or to process your personal data in accordance with applicable law; or
  • request that your personal data be moved to another controller of personal data by receiving your personal data, to the extent it has been provided by you, in an electronic format which is generally used in order to be able to transfer it to another party (the right of data portability).

Should you wish to contact us regarding any of these bullets above, we encourage you to contact us by sending an email to privacy@kry.no.

10. Right to file a complaint with the supervisory authority

With this Privacy Policy we truly hope that we have made it clear to you how we handle your personal data. However, should you still have any questions, please feel free to contact us. We would also like to inform you that, should you believe that the processing of your personal data is incorrect or not in compliance with legal requirements, you have the right to file a complaint with the relevant supervisory authority.