At KRY, healthcare personnel and technical personnel, work jointly to develop the supply of professional healthcare services. For us at KRY, you as an individual and as a patient always come first and this privacy policy (the “Privacy Policy”) explains how we handle your personal data when you seek healthcare or similar services from us (the “Services”).
We explain in more detail in this Privacy Policy how KRY works for you as a “user” and “patient” and who is responsible for the processing of personal data, which is carried out if you use the Services. We also describe which personal data about you is processed when you use the Services, how we process the personal data, and why. We also describe the lawful basis for our processing and which external parties may handle personal data about you in order for us to provide you with the Services. You also receive information about your rights in relation to the processing of your personal data and what you can do to exercise these rights.
Information regarding how we process your personal data may also be found in KRY’s General Terms and Conditions.
KRY International AB, company reg. no. 556967-0820 (“KRY International”), the parent company in the KRY group, owns and makes available the ”KRY” technical platform and application (the “App”) and is the controller of the processing of the personal data, which you register in the App, up until the time at which you commence the actual contact with a healthcare provider for medical advice and follow-up. When you seek healthcare from KRY, it is solely established healthcare providers who are responsible for providing the healthcare, including the processing of personal data which is carried out when you use the Services. In practice, this means that as soon as you begin sharing information about your health via the App, the responsibility for your personal data is transferred to the Healthcare Provider.
In Sweden, it is KRY International’s wholly owned subsidiary, Digital Medical Supply Sweden AB, company reg. No. 559051-2702, which provides the healthcare within the services (the “Healthcare Provider”), unless otherwise clearly communicated to you in connection with your use of the Services. In relation to the healthcare, KRY International acts, in its capacity as a processor of personal data, only as a supplier of the technical platform and hereto related service. This means that your personal data is only processed according to the instructions of the Healthcare Provider. In the event another healthcare provider would join the KRY platform and process your personal data in connection to your use of the Services, we will inform you when you use the Services so that you always know which Healthcare Provider is the controller of your personal data.
If you have any questions or comments regarding the processing of your personal data related to your use of the Services, you are always welcome to contact us and/or our data protection officer via our website at https://www.kry.se/en/contact/, or by sending an email to privacy@kry.se.
KRY International and the Healthcare Provider process personal data about you, which you register via your account such as your name, personal ID number, address and email address when you open your user account with us and, any information which you subsequently register when you use the App. In addition, we may automatically collect and process the following information: (i) technical information, including IP address, login information, type and version of operating system and unit, time settings, language settings, cookies, etc.; and (ii) information about the services you use with us, time used in the matters, keystrokes, etc.
Information regarding our use of cookies may also be found in KRY’s Cookies Policy.
We call these categories of personal data, which are provided when you download and use the App as “User Data” below.
When you seek healthcare from us, you are asked to share data linked to your physical and/or mental health. You do this primarily by filling in the relevant symptoms form in the App. This information may include, but is not limited to, information that you are suffering from an illness, your medical history, or your physiological or biomedical condition. The Healthcare Provider with whom you come into contact by using the Services may also transfer personal data about you for the purpose of providing and following up the healthcare you received within the scope of the Services.
Personal data related to your health which the Healthcare Provider uses in order to provide healthcare services is referred to below as “Patient Data”.
Your personal data may also be updated and processed by us as Patient Data based on the healthcare you have received from other healthcare providers who are not associated with KRY. In the event this data is considered relevant to the provision of healthcare within the scope of the Services, it may be stored and processed by the Healthcare Provider and transferred to your medical records by the treating clinician.
In addition, KRY International and the Healthcare Provider will regularly obtain updated information regarding you via the Swedish State Personal Address Register (SPAR) in order to be able to provide the Services, so that correct information about you is available at all times.
The App is a technical platform developed by KRY Intational and is also owned and controlled by KRY Intational. The App is continually being developed and quality-ensured. Most of your personal data which we collect when you use the Services is not stored in your smartphone or tablet. Instead, this personal data is stored by KRY Intational, in infrastructure provided by one of KRY Intational’s subcontracted suppliers. The personal data is processed and stored primarily within the EU/EEA and no sensitive personal data, such as information related to your health, is stored outside of the EU/EEA when you use the Services. The Healthcare Provider is obligated to maintain medical records when performing the Services and relevant patient data is filed and stored in a medical record system (specifically developed in order to fulfil the requirements of the applicable legislation) at the request of the Healthcare Provider. Your personal data in your medical record is processed and stored within the EU/EEA.
KRY Intational processes your User Data (as described above in section 3.1) for the following purposes:
The lawful basis for the processing of your personal data is our “contractual performance” (Article 6.1(b) of the General Data Protection Regulation, “GDPR”), which constitutes our General Terms and Conditions, for the purpose of being able to offer the services, including making possible the Healthcare Provider’s provision of good healthcare when you use the Services.
The Healthcare Provider processes Patient Data (as described above in section 3.2) for the purpose of providing the Services to you in the form of healthcare and other necessary treatment or advice within the scope of providing the healthcare.
As a Healthcare Provider, our operations are governed by national legislation. We therefore process your personal data based on applicable law. The processing of Patient Data regarding you needed to provide the Services also takes place pursuant to your consent and, where applicable, in order to fulfil other legal obligations of the Healthcare Provider. This includes that our clinicians keep medical records, which the Healthcare Provider is obligated to save for a particular period of time.
The Healthcare Provider also retains KRY International in order to ensure the quality of, and develop, the Services. Through this, KRY International may process (technically work on and technically store) sensitive personal data about you for the purpose of ensuring the quality and developing the healthcare within the scope of the Services in accordance with applicable legislation. This processing of your sensitive personal data takes place independent of KRY International and in accordance with the Healthcare Provider’s instructions.
Anonymized data which does not constitute personal data may be shared by the Healthcare Provider with KRY International for the purpose of developing the Services and developing our business.
KRY International and the Healthcare Provider may communicate with you, in your capacity as a user of the Services. This includes, among other things, responding to inquiries and investigating complaints and support matters (including technical support) through our support service by telephone or via our digital channels. Depending on your matter, you may share additional User Data and Patient Data which we then process to be able to help you use the Services in the best possible manner.
KRY International and the Healthcare Provider provide support as set forth above as a part of the Services (i.e. to be able to perform the contract with you and KRY Intational). To the extent the support services are related to healthcare or processing of Patient Data (or sensitive personal data about you), the processing takes place based on the contract between you and KRY International. The processing of your personal data related to support services may also take place in order for the Healthcare Provider to be able to perform its legal obligations under applicable legislation in the field of healthcare (see also section 5.5 below).
KRY International processes some of your User Data (as described above in section 3.1) for the following purposes: direct marketing to you by email and text messages, or other similar electronic channels of communications, for example in the event of campaigns and offers in cooperation with KRY International’s partners. This includes analyses about you as a user of KRY and how you use the Services (for example which web pages you have visited, and which web searches you have made) and your history based on your contact with the Healthcare Provider. Our analysis also includes information about your age and place of residence.
KRY International also uses information about your use of the Services for the purpose of improving the user experience in the App. Information about you as a user is also used for marketing purposes.
Marketing emails are sent to you based on your consent hereto, which you can withdraw at any time in accordance with section 9 below.
KRY International and the Healthcare Provider may process your User Data and Patient Data (as described above in sections 3.1 – 3.2) on the lawful basis referring to a “legal obligation” (Article 6.1(c) of the GDPR) in order to fulfil legal obligations as set forth in statutes, court judgments, or decisions by public authorities (for example regarding requirements imposed by the Swedish Health and Social Care Inspectorate or the Swedish National Board of Health and Welfare).
We otherwise store and process your personal data to the extent necessary to be able to fulfil our legal obligations and requirements.
KRY International and the Healthcare Provider may process your personal data for the purpose of developing and improving the Services and the IT systems used to provide the Services. This is done in order to continuously improve the security and our handling of personal data, and in order to make the App more user-friendly, for example by changing the user interface in order to simplify the flow of information, or to highlight functions which are often used by our users.
We only process sensitive personal data about you for the purpose of being able to provide the Services (i.e. in order to be able to perform a contract between you and KRY International) and to be able to ensure the quality and develop the care in accordance with applicable legislation. All other development of our Services takes place using anonymized data.
We only process your personal data as long as is necessary for the purposes according to section 5 above. This means as long as it is necessary in order to be able to provide good healthcare or otherwise be able to provide the Services, or in order to fulfil the legal obligations applicable to us. The Healthcare Provider has an obligation to save medical records connected to healthcare meetings with you for a specific period of time. We otherwise have routines for how we store or anonymize personal data in order to regularly ensure that your personal data is always adequate and relevant for our continued provision of the Services. Your User Data is erased or de-identified not later than six (6) months from the time at which you close your user account with us, provided it is not necessary to store the personal data in order for us to fulfil our legal obligations or where the information is otherwise necessary for the establishment, exercise or defence of legal claims.
All information that is no longer needed for the performance and development of the Services, or quality assurance, is anonymized, or erased automatically. User Data which is stored on the basis of your consent is erased by us if you withdraw your consent. You can read more in section 10 about how you exercise your right to withdraw your consent. In this respect, we ask you to please note that KRY International and the Healthcare Provider process your personal data for different purposes (both as a technical supplier of the App but also as a Healthcare Provider). Withdrawal of your consent will not affect the Healthcare Provider’s obligation to keep medical records, or to process your personal data in accordance with applicable law.
In order for us to be able to offer you the Services, we use a number of external suppliers that process personal data in certain cases. Our IT service providers, such as operating and hosting providers, only work at the request of KRY International and according to KRY International’s instructions in its capacity as a processor of personal data.
KRY International also engage the services of suppliers who work independently and who, in this way, are themselves responsible for the processing of your personal data, such as providers of payment solutions. Where applicable, you will be requested to enter into separate agreements directly with such suppliers. We ask you to please note that this Privacy Policy does not apply to the processing of personal data which takes place through these suppliers. For information regarding how other suppliers process your personal data, please contact these suppliers.
The Healthcare Provider keep medical records in accordance with applicable legislation in connection to the provision of healthcare within the scope of the Services. The medical records are saved in the medical record systems outside of the App with a third party, at the request of the Healthcare Provider and according to the Healthcare Provider’s instructions. The Healthcare Provider is responsible for any personal data (Patient Data) which is stored in medical records.
If you have been referred to us by your insurer, in order to handle your specific case, we may disclose information to your insurer that you have used the Services and regarding your health condition, including copies of your medical records. Such a transfer of your personal data is in such case carried out by us in such case at the request of your insurer in our capacity as a processor of personal data. In other words, this requires that you have entered into an agreement with your insurer or otherwise consented to the processing in relation to your insurer. This Privacy Policy does not apply to the processing of personal data which is carried out by your insurer. For more information about how your insurer processes your personal data, please contact your insurer.
If you have been referred to us by your employer, we act as the processor of personal data on behalf of your employer and process your personal data according to instructions given by your employer. However, we do not disclose any sensitive personal data to your employer, i.e. information regarding your health, including whether you have used the Services.
KRY International and the Healthcare Provider use IT suppliers for hosting and operating services with operations outside of Sweden. This means that KRY International and the Healthcare Provider will transfer your personal data outside the EU/EEA, currently to the United States.
Transfers of personal data take place, however, only in exceptional cases to countries outside the EU/EEA and only provided that the transfer is lawful according to the applicable data protection legislation regarding the protection of your privacy in the recipient country with reference to: (i) the EU Commission’s decision regarding adequate levels of protection; (ii) application of the EU Commission’s standard contract clauses for transfers to third parties; (iii) that the recipient is covered by the Privacy Shield rules and thus the requirement of an adequate level of protection (applies to transfers to the United States); or (iv) other applicable safeguards in order to fulfil applicable data protection legislation.
You have the right to receive information regarding what personal information about you that we are processing, for what purpose it is being processed, whether such personal data has been transferred to a third country, and which parties have received your personal data.
In order to clarify this and your other rights as a data subject, you may at any time to contact us in order to:
Should you wish to contact us regarding any of these bullets above, we encourage you to contact us via our website at https://www.kry.se/en/contact/, or by sending an email to privacy@kry.se.
With this Privacy Policy we truly hope that we have made it clear to you how we handle your personal data. However, should you still have any questions, please feel free to contact us. We would also like to inform you that you have the right to file a complaint with the Swedish Data Protection Authority, or any other relevant supervisory authority, should you believe that the processing of your personal data is incorrect or not in compliance with legal requirements.