The essentials
1. About us
This is the privacy policy (“Policy”) of Klinrisk, Inc. (“Klinrisk,” “we,” “us,” or “our”). Our office is registered at 2300 West Sahara Avenue, Suite 800, Las Vegas, Nevada 89102, United States, and operates in the United States, Canada, and all Member States of the European Union.
We are dedicated to safeguarding and honouring your privacy in compliance with our responsibilities under the following rules, acts and applicable laws in the United States, Canada, and European Union:
· Health Insurance Portability and Accountability Act 1996 (HIPAA),
· Health Information Technology for Economic and Clinical Health Act 2009 (HITECH),
· California Consumer Privacy Act 2020 (CCPA)/ California Privacy Rights Act 2023(CPRA),
· Personal Information Protection and Electronic Documents Act 2000 (PIPEDA) and provincial Canadian health laws,
· General Data Protection Regulation 2016 (GDPR).
We will:
take actions to ensure that your information is always secure and confidential in compliance with this policy;
only use your information for the purposes described in the policy;
never sell your information; and
provide you the ability to control and examine your personal data and marketing decisions at any moment.
2. Scope and Applicability
This Privacy Policy describes essential details about how we handle personal information and the rights you have concerning it in relation to:
· Our clinical analytics platforms and decision-support services;
· Application programming interfaces (APIs), clinician portals, and related software services;
· Generation of analytical outputs and clinical reports;
· Communications, contractual engagements, and customer support activities; and
· Our websites and other online services that link to this Privacy Policy (collectively, the “Services”).
This Policy applies globally and is intended to satisfy applicable privacy and data protection requirements in the United States, Canada, and the European Union through a single, unified framework.
We provide its Services exclusively in a business-to-business (B2B) context. Individuals whose personal information may be processed by us typically interact with our Services through their healthcare provider, laboratory, hospital, or institutional partner, rather than directly with us.
We do not currently offer patient-facing consumer applications, mobile apps, or direct-to-patient portals.
Depending on the context and applicable law, we may act as:
· A Business Associate under the Health Insurance Portability and Accountability Act (“HIPAA”) when processing protected health information on behalf of covered entities;
· A data processor under the General Data Protection Regulation (“GDPR”);
· A service provider or processor under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”); and
· A service provider subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial health privacy laws in Canada.
In these roles, we process personal information strictly in accordance with customer instructions, applicable contracts (including data processing agreements and business associate agreements), and applicable law.
Where we act as a processor or service provider, the relevant healthcare provider, laboratory, or institutional partner is responsible for providing primary privacy notices to individuals and for determining the legal basis for processing.
This Privacy Policy does not apply to:
· Personal information processed by us in our capacity as an employer or prospective employer (e.g., employee or job applicant data);
· Information processed outside the scope of the Services, including information governed by separate contractual or research-specific privacy notices; or
· Personal information that has been fully aggregated or de-identified such that it can no longer reasonably be associated with an identifiable individual.
Where we provide additional or “just-in-time” privacy notices for specific activities (such as clinical research or validation studies), those notices will govern the processing of personal information for those activities.
3. Key Terms
The following terms are used in this Policy. Where a term is not defined below, it has the meaning given to it under applicable privacy or health information laws or in our customer agreements.
Personal Information / Personal Data
Information that identifies, relates to, describes, or could reasonably be linked to an individual. This includes information that is identifiable on its own or in combination with other information.
Health Information
Personal Information relating to an individual’s health or healthcare, including diagnostic information, laboratory results, biometric data, and other clinical information. Where applicable, Health Information may constitute protected health information under HIPAA or special category data under the GDPR.
Customer
A healthcare provider, laboratory, hospital, pharmaceutical company, or other institutional entity that has entered into an agreement with Klinrisk for the use of the Services.
Customer Data
Personal Information processed by Klinrisk on behalf of a Customer relating to the Services, as further described in the applicable agreement.
Services
The software platforms, APIs, clinician portals, analytics, reports, and related services provided by Klinrisk under a customer agreement.
Processing
Any operation performed on Personal Information, including collecting, storing, using, analyzing, sharing, or deleting such information.
Controller / Processor / Business Associate
Terms used to describe roles under applicable privacy and health information laws. Depending on the context:
· The Customer acts as the controller (or covered entity under HIPAA); and
· We act as a processor or service provider (or business associate under HIPAA), as set out in the applicable agreement.
De-identified Data
Data that has been processed so that it does not reasonably identify an individual and is no longer treated as personal information under applicable law.
4. Categories of Personal Information We Process
We process personal information primarily in relation to the provision of clinical analytics, decision-support services, and associated reporting. The specific categories of personal information processed depend on the nature of the Services provided, the applicable contractual arrangements with our customers and partners, and applicable legal requirements.
The details below outlines the personal information that we gather and utilise.
General Principles
We limit the collection and processing of personal information to what is necessary and proportionate for legitimate healthcare, research, and operational purposes.
In many implementations, we receive personal information in identifiable form where such information is necessary to provide the Services, including for report generation and ongoing service delivery.
Where identifiable personal information is processed and stored, it is done under strict contractual, technical, and organizational safeguards, only to the extent required to perform the Services.
We apply data minimization principles and limits access to personal information to authorized personnel with a legitimate business need.
Identifiers and Administrative Information
In certain implementations, such as laboratory or healthcare system integrations, we may process limited identifiers, which may include:
· Full name
· Date of birth
· Medical reference numbers or internal patient identifiers assigned by healthcare providers or laboratories
The scope of identifiers processed is determined by the applicable customer agreement and data minimization requirements.
Health and Clinical Information
We process health-related information for clinical analytics and decision-support purposes, which may include:
· Diagnostic and clinical assessment data
· Laboratory test results and measurements
· Biometric indicators relevant to risk modelling or outcome analysis
Where applicable, this information may constitute Protected Health Information (PHI) under HIPAA or special category data under GDPR.
Technical, Usage, and Security Information
When customers or partners use the Services, we may process technical and operational information, including:
· System and application logs
· API usage metadata
· Time stamps, error logs, and performance metrics
· Security and audit logs related to access and system integrity
This information is used to operate, secure, monitor, and improve the Services.
Information from Partners and Third Parties
We receive personal information indirectly from:
· Healthcare providers and hospitals
· Laboratories and diagnostic service providers
· Pharmaceutical, research, and academic partners
We do not independently collect personal information directly from patients.
Subjects
The Services are intended for use in professional healthcare and institutional settings involving adults only. We do not knowingly process personal information relating to children.
Or
Our Services are primarily designed to be used in clinical and institutional settings involving adult populations. We may process children’s personal information in limited circumstances. For example, model validation, research activities, or clinical trials conducted by or on behalf of our Customers. We apply relevant law, customer instructions, and appropriate contractual, technical, and organizational safeguards for these types of information processing. We do not offer our services directly to children. We do don’t collect personal information from minors independently outside of clinical contexts, research or customer-directed healthcare.
De-identified and Aggregated Data for Technology Improvement
In limited circumstances, and where permitted by applicable law and contract, we may use de-identified or aggregated customer data for purposes such as:
· Improving system performance and reliability
· Enhancing analytical models or methodologies
· Supporting quality assurance and validation activities
Such use is not routine, is governed by applicable contractual controls (including Business Associate Agreements (BAAs) where PHI is involved), and does not involve the use of identifiable personal information for technology improvement unless expressly permitted.
Aggregated and De-identified Data Outside of Scope
To the extent permitted by applicable law, information that has been fully aggregated or de-identified such that it can no longer reasonably be associated with an identifiable individual is not subject to this Privacy Policy.
5. Sources of Personal Information
We collect and process personal information indirectly and in a limited, purpose-driven manner. The sources of personal information depend on the specific Services provided and the applicable contractual arrangements.
We receive personal information from healthcare providers, hospitals, and health systems that engage us to provide clinical analytics, decision-support services, or related reporting. In these contexts, the healthcare provider or institution determines the scope of information disclosed to us.
We may receive personal information from laboratories and diagnostic service providers, including through secure integrations and APIs. For example, laboratory partners may provide limited identifiers and laboratory results necessary to support analytics and reporting services.
In connection with research, validation, and retrospective analyses, we may process personal information supplied by pharmaceutical companies, academic institutions, or research organizations. Such processing is subject to contractual restrictions, research ethics approvals, and applicable legal requirements.
We may generate or receive technical and operational information automatically through the operation of the Services, including system logs, access records, and security-related data.
We do not independently solicit or collect personal information directly from patients. Individuals seeking information about how their personal information is collected or shared should refer to the privacy notices provided by their healthcare provider, laboratory, or institutional partner.
6. How We Use Information
We use Personal Information only as necessary to provide the Services and to operate our business in a lawful and responsible manner. The specific ways in which Personal Information is used depend on the Services provided and the terms of the applicable customer agreement.
We use Personal Information to:
· Deliver clinical analytics and decision-support services to our Customers;
· Generate clinician-facing reports and analytical outputs;
· Support integrations with laboratories, healthcare systems, and other authorized partners;
· Maintain continuity of service and ongoing customer use of the Services.
Our Services may include research and validation activities requested by our Customers.
Where permitted by applicable law and contract, we may use Personal Information or de-identified data to:
· Validate, test, and improve our models, systems, and methodologies;
· Perform quality assurance and performance monitoring;
· Support outcomes research or retrospective analyses requested by Customers or conducted with research partners.
Use of identifiable health information for these purposes is limited and governed by applicable agreements, including Business Associate Agreements where required. If any paediatric data is employed, it is only used in customer-directed research, validation, or clinical studies under the governance of relevant contracts, ethics approvals, and law.
We also use Personal Information as reasonably necessary to:
· Operate, maintain, and secure the Services;
· Monitor system performance and reliability;
· Detect and respond to security incidents or misuse;
· Provide customer support and manage customer relationships;
· Maintain records required for legal, regulatory, and audit purposes.
We may use Personal Information to comply with applicable laws, regulations, and professional obligations, including responding to lawful requests from regulators, courts, or other authorities, and to protect our legal rights. Our operational use of Personal Information does not expand scope of clinical or research processing, but supports our systems, security, and compliance only.
We do not:
· Sell your Personal Information for monetary consideration to third parties;
· Use Personal Information for cross-context behavioral advertising;
· Use Personal Information for consumer marketing or profiling; or
· Process Personal Information for purposes unrelated to healthcare, research, or the operation of the Services.
Clinical research conducted under applicable law is not restricted.
7. Artificial Intelligence and Automated Processing
We use advanced analytical techniques, including machine-learning models, to support clinical analytics and decision-support services provided to healthcare professionals and institutional partners.
Our Services may incorporate advanced analytical techniques, including statistical methods and machine learning based models, to support clinical and laboratory analytics and improve decision-support services. These outputs are intended to support clinical assessment and professional judgment. We continually enhance our technology and techniques, which may include a variety of modelling approaches related to the clinical or analytical context.
Our models are designed and deployed in accordance with principles of data minimization, transparency, and proportionality.
We do not deploy fully automated decision-making processes that produce legal or similarly significant effects on individuals within the meaning of applicable data protection laws, including Article 22 of the GDPR. The Services function as decision-support tools only.
Healthcare professionals retain responsibility for reviewing, interpreting, and applying analytical outputs in the context of clinical decision-making.
Model training, validation, and improvement activities may involve the use of historical or retrospective datasets provided by academic, healthcare, or research partners. Such activities are subject to:
· Contractual restrictions and data processing agreements;
· Research ethics approvals, where applicable; and
· Applicable data protection and health privacy laws.
Where feasible, model development activities rely on de-identified or aggregated data.
We maintain governance and oversight processes for the development and use of AI-enabled services, including documentation, testing, and monitoring to promote reliability, security, and appropriate use.
8. Disclosure of Personal Information
We only disclose personal information when it is required to deliver the services, run our company, and adhere to relevant legal and contractual requirements. Unless specifically stated herein or as otherwise allowed by law, we do not divulge personal information.
Third-party service providers and subprocessors that carry out tasks on our behalf may receive Personal Information from us, including:
· Providers of cloud infrastructure and hosting;
· Providers of security, monitoring, and information technologies;
· Providers of system support and data analytics;
· Legal, regulatory, audit, and compliance advisers are examples of professional advisors.
These service providers are bound by contractual confidentiality, data protection, and security obligations and are only permitted to process Personal Information when it is required to deliver services for us.
We may share personal information with healthcare providers, laboratories, hospitals, and institutional partners to provide Services, including the delivery of analytical outputs, reports, or integrations requested by those partners.
Such disclosure and sharing of personal information are limited to necessary delivery of relevant services and governed by applicable agreements, including data processing agreements, business associate agreements, or similar contractual obligations.
We may disclose personal information to pharmaceutical companies, academic institutions, or research partners for the purposes of research, validation studies and retrospective analyses, where permitted by law and subject to contractual and ethical safeguards.
We use only aggregated or de-identified data for such purposes.
We may share personal information in relation to a significant proposed or actual corporate transaction, including but not limited to a merger, acquisition, reorganization, financing, or sale of assets. In these instances, personal information will continue to be protected by suitable confidentiality measures.
We may disclose personal information where required to do so by law or where necessary to:
· Respond to lawful requests from courts, regulators, or law enforcement authorities;
· Comply with applicable legal or regulatory obligations;
· Protect and defend the rights, property, interest, or safety of us, our customers, affiliates, users or the public; or
· Enforce contractual terms or investigate potential violations.
We do not sell your personal information for monetary benefits to third parties. Where applicable under laws such as the CCPA/CPRA, we do not share personal information for cross-context behavioral advertising.
9. International Data Transfers and Cross-Border Processing
We may process personal information across national and regional boundaries due to our global operations. All international data transfers are conducted in accordance with applicable data protection and health privacy laws and are subject to appropriate safeguards.
We use reputable third-party cloud infrastructure and hosting providers. Personal information may be processed or stored in the following regions, depending on the specific service and customer arrangement:
· United States;
· Canada;
· Other jurisdictions where we or our service providers operate, depending on the provided services and applicable customer agreements.
We can provide information about our subprocessors and infrastructure providers to our Customers upon request or as part of applicable agreements.
In certain implementations, personal information may be transferred:
· Between regions for operational resilience, security, or availability purposes; and
· From healthcare providers or laboratories located in the United States or Europe to cloud infrastructure located in Canada, where contractually and legally permitted.
We transfer personal information originated in the European Union outside the European Economic Area (EEA) only where these transfers are allowed under applicable data protection law and covered by appropriate safeguards such as:
· Standard Contractual Clauses (SCCs) approved by the European Commission;
· Data Processing Agreements incorporating GDPR Article 28 requirements;
· Research or clinical trial agreements;
· Supplementary technical and organizational measures, such as encryption and access controls, where required.
Transfers are limited to what is required to provide the Services and are not made for independent or unrelated purposes.
Our Services involve cross-border data processing between the United States and Canada. This includes the use of cloud infrastructure and integrations with healthcare providers and laboratories.
These transfers are governed by the applicable customer agreements, including Business Associate Agreements where required, and are subject to contractual and technical safeguards consistent with applicable U.S. and Canadian privacy and health information laws.
We do not transfer Personal Information across borders unless such transfer is necessary for service delivery or operational support and permitted under the applicable agreement.
When we need to transfer Personal Information, it is done only in relation to customer-directed healthcare, research, or clinical activities subject to applicable ethics approvals and agreements.
We regularly review our data transfer practices and contractual safeguards to ensure continued compliance with evolving legal requirements. Transfers are limited to what is necessary for the provision, security, and operation of the Services.
10. Data Retention and Deletion
We will retain personal information only for as long as necessary to fulfill the purposes for which it was collected and processed, and in accordance with applicable laws, contractual obligations, and ethical requirements.
Data retention periods vary depending on:
· The nature of the Services provided;
· The terms of applicable customer, partner, or research agreements;
· Legal, regulatory, and professional obligations; and
· Research ethics approvals, where applicable.
In many commercial implementations, we are contractually required to delete raw patient-level data after the completion of permitted processing activities.
Data used for model training, validation, or research purposes may be retained for longer periods where permitted and required, including:
· Historical training data retained by academic or research partners under ethics approvals;
· Validation datasets hosted by institutional partners in accordance with their regulatory and governance requirements.
Where feasible, such data is de-identified or pseudonymized.
We may be retain analytical outputs, summary statistics, model artifacts, and aggregated results derived from personal information for analytical, quality assurance, compliance, or audit purposes, subject to contractual and legal constraints.
Personal information contained in system backups is retained only until completion of the applicable backup rotation cycle, in accordance with our Data Backup Policy. Backup data is subject to the same security and access controls as live production data.
Upon expiration of the applicable retention period or upon valid request where required by law and contract, personal information is securely deleted or destroyed using methods designed to prevent unauthorized access or reconstruction.
11. Individual Rights and Choices
We provide individuals or their authorized representatives with the ability to perform the following actions with our use of personal information, subject to applicable laws and any relevant limitations or exemptions:
· Access personal information we process about them;
· Correct inaccurate or incomplete personal information;
· Request deletion or erasure of personal information;
· Request restriction of processing or object to certain processing activities;
· Receive a copy of personal information in a portable format, where applicable; and
· Withdraw consent, where processing is based on consent.
Individuals or their authorized representatives may have certain rights regarding their personal information under applicable data protection and health privacy laws. The availability and scope of these rights depend on the jurisdiction and the context in which the information is processed.
Subject to applicable law and any relevant limitations or exemptions, individuals or their authorized representatives may have the right to:
· Access personal information processed about them;
· Correct or rectify inaccurate or incomplete personal information;
· Request deletion or erasure of personal information;
· Request restriction of processing or object to certain processing activities;
· Receive a copy of personal information in a portable format, where applicable; and
· Withdraw consent, where processing is based on consent.
Because we provide Services in a business-to-business healthcare context, requests to exercise individual rights are typically initiated through the relevant healthcare provider, laboratory, or institutional partner that acts as the controller or covered entity. We process personal information according to the instructions of these entities and do not define how rights requests are carried out.
Where we receive a request directly from an individual or their authorized representatives, we will:
· Verify the request in accordance with applicable law; and
· Coordinate with the relevant customer or partner, as required, to facilitate a lawful and appropriate response.
You can request access to, correct, delete your personal information, as well as object to or restrict processing of your information, or obtain additional information about our privacy practices by sending an email to:
privacy@klinrisk.com
We may request additional information to verify identity or authority before responding to a request.
We respond to verified requests within the timeframes required by applicable law. Please note that the complexity of the request and what actions we need to take to respond to your request may influence on the response time.
We do not discriminate against individuals or their authorized representatives for exercising their rights under applicable data protection or privacy laws, although the availability of certain Services may depend on the processing of personal information.
12. Security of Personal Information
We have established a security program aimed at safeguarding personal information from unauthorized access, use, disclosure, alteration, or destruction. We designed our security protocols to be suitable for the type of information we handle and the associated risks linked to our Services.
We implement a blend of administrative, technical, and organizational safeguards, which encompass:
· Encryption of Personal Information both during transmission and while stored;
· Access controls that ensure Personal Information is accessible solely to authorized personnel with a legitimate business requirement;
· Monitoring and logging of system activities to facilitate security oversight and incident detection;
· Regular evaluations of systems and processes, including security assessments and audits; and
· Security requirements and due diligence for service providers and subprocessors.
Our security measures are periodically reviewed and updated as necessary to accommodate advancements in technology, evolving risks, and regulatory expectations.
We have established incident response protocols designed to enable us to identify, investigate, and address security incidents involving Personal Information promptly.
When mandated by applicable law or contractual obligations, we will inform Customers of a confirmed security incident and collaborate with them to assist in any necessary notifications or remediation actions.
Access to Personal Information is restricted to personnel who need such access to fulfill their job duties. Personnel granted access to Personal Information are bound by confidentiality obligations and receive training that is appropriate for their responsibilities.
Although we take reasonable measures to protect Personal Information, no system or transmission method can be assured to be entirely secure. Customers should be aware of this inherent risk when utilizing electronic systems and transmitting information.
13. Cookies and Similar Technologies
We use cookies and similar technologies to analyse, operate, maintain, and improve our websites and online services that link to this Privacy Policy. We and our third-party partners gather information from your device or browser when you use our Services. By using our Services, you consent to our user of cooking and similar technologies.
The following categories of cookies and similar technologies are used on our Services:
Essential cookies
These cookies are necessary for the operation of our websites and services, including enabling core functionality, maintaining security, and supporting system administration. If you disable these cookies, certain features may not function properly.
Analytics and performance cookies
These cookies collect information about how you interact with our websites, for example, pages visited, response times, and error events. The information is used to understand usage patterns, improve performance, and enhance the reliability of our services. If you switch off these cookies, our Services may not remember your previous selections, for example, language choices, or provide you with personalized browsing experience and relevant details. These cookies may store information about your devices so that you provide your information only once, and then it is used for your next sessions.
Limited marketing cookies
Where permitted by law, these cookies may be used to support limited marketing or informational communications related to our services. We do not use cookies for cross-context behavioral advertising.
We provide appropriate cookie consent mechanisms that allow you to manage your preferences for non-essential cookies. You may also manage or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality or availability of some features of our websites.
Your browser may transmit “Do Not Track” or similar signals. Currently, we do not respond to Do Not Track requests due to lack of consistent industry standard for responding to such signals.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or regulatory guidance.
When we make material changes to this Privacy Policy, we will update the “Effective Date” at the top of the Policy and, where appropriate, provide notice through reasonable means, such as by posting an updated version on our website or notifying our customers and partners through established communication channels.
We encourage you to review this Privacy Policy periodically to remain informed about how we process and protect personal information.
15. Contact Information
If you have questions, concerns, or requests regarding this Policy or our data protection practices, you may contact us using the details below.
Klinrisk
Attn: Data Protection Officer
Email: privacy@klinrisk.com
Individuals or their authorized representatives may also have the right to lodge a complaint with a relevant data protection or privacy authority in their jurisdiction.