End-User Privacy Policy

Kyma Health takes privacy very seriously.

Kyma Health will never intentionally share your information with third-party entities unless explicit and clear consent is given. You have the right to access, amend and delete your data, as provided for under the GDPR.

Information about users and logs is stored in secure and encrypted systems, following all modern security practices. No information is collected or stored beyond what is strictly necessary to provide the platform's functionality.


Last Updated: Feb. 6 2025

1. Scope and Definitions

This Privacy Policy (“Policy”) applies to the personal data we collect and process when you use our services (collectively, the “Services”). By accessing or using our Services, you acknowledge that you have read this Policy and agree to its terms. If you do not agree, please do not use our Services.

Definitions:
“Personal Data” means any information that relates to an identified or identifiable living individual.
“Medical Data” means any personal data concerning health, including blood or urine test results.
“Processing” means any operation performed on personal data, such as collection, storage, use, disclosure, or erasure.
“Controller” means the entity (in this case, Kyma Health) that determines the purposes and means of the processing of personal data.

2. Data Controller

Kyma Health (“Kyma,” “we,” “us,” or “our”) is the Controller of your personal data for the purposes of the UK General Data Protection Regulation (“UK GDPR”) and other relevant data protection legislation. We determine the purposes and means of processing your personal data.

3. Personal Data We Collect

3.1 Data You Provide to Us
Registration Information: Name, email address, phone number, mailing address, and other contact details.
Medical Data: Information related to your health, including test results from blood and urine tests, or any health-related details you provide or authorize us to obtain from third parties (e.g., partner laboratories).
Payment Information: If you purchase paid services, we may collect billing details or other financial information necessary to complete the transaction (though typically processed by third-party payment processors).
Communications: Any correspondence sent to us via email, phone, or our platforms (such as support requests or feedback).

3.2 Data We Automatically Collect
Usage Data: Information about your use of our websites or apps, such as pages visited, time spent on pages, and referring URLs.
Device Information: IP address, browser type, operating system, device identifiers, and crash data.
Cookies and Similar Technologies: We may use cookies or other tracking technologies to collect information about your interactions with our online Services. See our separate Cookies Policy (if applicable) for more details.

3.3 Data We Collect from Third Parties
Partner Laboratories: We may receive test results and related health data from third-party laboratories or healthcare professionals.
OpenAI Services: We may forward certain Medical Data to OpenAI via secure channels for data analysis. These third-party services do not store your Medical Data; they only process it transiently before returning results to us.

4. How We Use Your Personal Data

Service Provision: To facilitate blood/urine test logistics, deliver results, and maintain or improve our Services.
Communication and Support: To respond to enquiries, provide customer support, and send administrative messages.
Legal and Compliance: To comply with laws, regulations, or governmental requests, and to enforce our Terms of Service.
Marketing and Promotion: Where legally permissible and with your explicit consent (if required), to send promotional materials or updates about new services.
Aggregated or Anonymised Data: We may create anonymised data sets for internal research or analytics, which no longer identify you.

5. Legal Bases for Processing

Under the UK GDPR, we rely on the following legal bases:
Consent (Art. 6(1)(a)): For certain processing activities, particularly for special category data (Medical Data) and marketing communications.
Performance of a Contract (Art. 6(1)(b)): Where processing is necessary to fulfil contractual obligations to you.
Legal Obligation (Art. 6(1)(c)): Where processing is necessary to comply with legal or regulatory requirements.
Legitimate Interests (Art. 6(1)(f)): For our legitimate interests that do not override your fundamental rights (e.g., improving our services).

For special category data (Medical Data), we generally rely on your explicit consent (Art. 9(2)(a) UK GDPR) or another legally permitted basis.

6. Disclosure of Your Personal Data

Within Kyma: Shared internally with authorised staff who need access to perform their duties.
Partner Laboratories: Shared with labs or healthcare professionals for test logistics and analysis.
OpenAI Services: Medical Data is forwarded via secure channels for analysis. These services do not store your data long-term.
Service Providers: We engage third parties (e.g., hosting, payment processors) under confidentiality and data protection obligations.
Legal and Regulatory Compliance: We may disclose data if required by law or to protect our rights, property, or safety.
Business Transfers: In the event of a merger or acquisition, your data may be transferred, subject to confidentiality requirements.

7. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this Policy, unless a longer retention period is required by law. When no longer needed, data is securely deleted or anonymised.

8. Data Security

Security Measures: We use encryption, secure servers, access controls, and internal policies to protect data.
Secure Channels: Medical Data is transmitted to third-party services (e.g., OpenAI) via encrypted protocols (HTTPS, SSL/TLS).
No Guaranteed Security: While we strive to protect data, no method of transmission or storage is 100% secure.

9. International Data Transfers

We primarily store and process data in the UK or EEA. If data is transferred outside these regions, we implement appropriate safeguards (e.g., Standard Contractual Clauses) to protect your rights.

10. Your Rights

Under the UK GDPR, you have the right to:
• Access your personal data.
• Rectify inaccurate or incomplete data.
• Erase data under certain circumstances.
• Restrict or object to processing.
• Data portability in certain cases.
• Withdraw consent where processing is based on consent.

To exercise these rights, please contact us using the details below. We will respond in accordance with applicable law.

11. Cookies and Similar Technologies

We may use cookies and other tracking technologies to enhance your experience. For details, please see our separate Cookies Policy (if applicable).

12. Children’s Privacy

Our Services are not directed at children under 18. We do not knowingly collect personal data from individuals under 18 without parental consent. If you believe a minor has provided us with data, please contact us immediately.

13. Updates to This Policy

We reserve the right to modify or update this Policy at any time to reflect changes in our practices or legal requirements. If we make material changes, we will notify you by updating the “Last Updated” date and, if appropriate, through other communication methods. Continuing to use our Services after any changes indicates your acceptance of the updated Policy.

14. Complaints and Contact Information

14.1 Complaints: If you have concerns about our data processing, you can lodge a complaint with the Information Commissioner’s Office (ICO) in the UK or your local data protection authority.
14.2 Contact Us: If you have any questions or wish to exercise your rights, please contact us at:

Kyma Health
Solar House, 282 Chase Road,
London, N14 6NZ, United Kingdom
+44 7493 705485