Information regarding how we process your personal data may also be found in KRY’s General Terms and Conditions.
2. Who is responsible for the processing of personal data?
KRY International AB, company reg. no. 556967-0820 (“KRY International”), the parent company in the KRY group, owns and makes available the ”KRY” technical platform and application (the “App”) and is the controller of the processing of the personal data, which you register in the App, up until the time at which you commence the actual contact with a healthcare provider for medical advice and follow-up. When you seek healthcare from KRY, it is solely established healthcare providers who are responsible for providing the healthcare, including the processing of personal data which is carried out when you use the Services. In practice, this means that as soon as you begin sharing information about your health via the App, the responsibility for your personal data is transferred to the Healthcare Provider.
In Sweden, it is KRY International’s wholly owned subsidiary, Digital Medical Supply Sweden AB, company reg. No. 559051-2702, which provides the healthcare within the services (the “Healthcare Provider”), unless otherwise clearly communicated to you in connection with your use of the Services. In relation to the healthcare, KRY International acts, in its capacity as a processor of personal data, only as a supplier of the technical platform and hereto related service. This means that your personal data is only processed according to the instructions of the Healthcare Provider. In the event another healthcare provider would join the KRY platform and process your personal data in connection to your use of the Services, we will inform you when you use the Services so that you always know which Healthcare Provider is the controller of your personal data.
If you have any questions or comments regarding the processing of your personal data related to your use of the Services, you are always welcome to contact us and/or our data protection officer via our website at https://www.kry.se/en/contact/, or by sending an email to firstname.lastname@example.org.
3. Where do we collect your personal data which is processed when you use the Services?
3.1 Personal data which is registered via your user account in the App
KRY International and the Healthcare Provider process personal data about you, which you register via your account such as your name, personal ID number, address and email address when you open your user account with us and, any information which you subsequently register when you use the App. In addition, we may automatically collect and process the following information: (i) technical information, including IP address, login information, type and version of operating system and unit, time settings, language settings, cookies, etc.; and (ii) information about the services you use with us, time used in the matters, keystrokes, etc.
We call these categories of personal data, which are provided when you download and use the App as “User Data” below.
3.2 Personal data to and from the Healthcare Provider
When you seek healthcare from us, you are asked to share data linked to your physical and/or mental health. You do this primarily by filling in the relevant symptoms form in the App. This information may include, but is not limited to, information that you are suffering from an illness, your medical history, or your physiological or biomedical condition. The Healthcare Provider with whom you come into contact by using the Services may also transfer personal data about you for the purpose of providing and following up the healthcare you received within the scope of the Services.
Personal data related to your health which the Healthcare Provider uses in order to provide healthcare services is referred to below as “Patient Data”.
3.3 Personal data from third parties including other Healthcare Providers
Your personal data may also be updated and processed by us as Patient Data based on the healthcare you have received from other healthcare providers who are not associated with KRY. In the event this data is considered relevant to the provision of healthcare within the scope of the Services, it may be stored and processed by the Healthcare Provider and transferred to your medical records by the treating clinician.
In addition, KRY International and the Healthcare Provider will regularly obtain updated information regarding you via the Swedish State Personal Address Register (SPAR) in order to be able to provide the Services, so that correct information about you is available at all times.
4. Where is your personal data stored?
The App is a technical platform developed by KRY Intational and is also owned and controlled by KRY Intational. The App is continually being developed and quality-ensured. Most of your personal data which we collect when you use the Services is not stored in your smartphone or tablet. Instead, this personal data is stored by KRY Intational, in infrastructure provided by one of KRY Intational’s subcontracted suppliers. The personal data is processed and stored primarily within the EU/EEA and no sensitive personal data, such as information related to your health, is stored outside of the EU/EEA when you use the Services. The Healthcare Provider is obligated to maintain medical records when performing the Services and relevant patient data is filed and stored in a medical record system (specifically developed in order to fulfil the requirements of the applicable legislation) at the request of the Healthcare Provider. Your personal data in your medical record is processed and stored within the EU/EEA.
5. Which personal data is processed when you use KRY and why?
5.1 KRY Intational’s processing of your User Data
KRY Intational processes your User Data (as described above in section 3.1) for the following purposes:
- (i) to process your application or terminate your user account in the App;
- (ii) to provide you with authorization to login and use your user account;
- (iii) to verify your identity and age;
- (iv) to maintain correct and updated information about you;
- (v) for you to be able to monitor and administer ongoing care matters;
- (vi) to handle your choice of settings and information about payment; and
- (vii) to otherwise be able to provide the Services to you according to our General Terms and Conditions.
The lawful basis for the processing of your personal data is our “contractual performance” (Article 6.1(b) of the General Data Protection Regulation, “GDPR”), which constitutes our General Terms and Conditions, for the purpose of being able to offer the services, including making possible the Healthcare Provider’s provision of good healthcare when you use the Services.
5.2 The Healthcare Provider’s provision of healthcare services
The Healthcare Provider processes Patient Data (as described above in section 3.2) for the purpose of providing the Services to you in the form of healthcare and other necessary treatment or advice within the scope of providing the healthcare.
As a Healthcare Provider, our operations are governed by national legislation. We therefore process your personal data based on applicable law. The processing of Patient Data regarding you needed to provide the Services also takes place pursuant to your consent and, where applicable, in order to fulfil other legal obligations of the Healthcare Provider. This includes that our clinicians keep medical records, which the Healthcare Provider is obligated to save for a particular period of time.
The Healthcare Provider also retains KRY International in order to ensure the quality of, and develop, the Services. Through this, KRY International may process (technically work on and technically store) sensitive personal data about you for the purpose of ensuring the quality and developing the healthcare within the scope of the Services in accordance with applicable legislation. This processing of your sensitive personal data takes place independent of KRY International and in accordance with the Healthcare Provider’s instructions.
Anonymized data which does not constitute personal data may be shared by the Healthcare Provider with KRY International for the purpose of developing the Services and developing our business.
5.3 Provision of support services related to your use of the Services
KRY International and the Healthcare Provider may communicate with you, in your capacity as a user of the Services. This includes, among other things, responding to inquiries and investigating complaints and support matters (including technical support) through our support service by telephone or via our digital channels. Depending on your matter, you may share additional User Data and Patient Data which we then process to be able to help you use the Services in the best possible manner.
KRY International and the Healthcare Provider provide support as set forth above as a part of the Services (i.e. to be able to perform the contract with you and KRY Intational). To the extent the support services are related to healthcare or processing of Patient Data (or sensitive personal data about you), the processing takes place based on the contract between you and KRY International. The processing of your personal data related to support services may also take place in order for the Healthcare Provider to be able to perform its legal obligations under applicable legislation in the field of healthcare (see also section 5.5 below).
5.4 To be able to market products and services and improve your user experience
KRY International processes some of your User Data (as described above in section 3.1) for the following purposes: direct marketing to you by email and text messages, or other similar electronic channels of communications, for example in the event of campaigns and offers in cooperation with KRY International’s partners. This includes analyses about you as a user of KRY and how you use the Services (for example which web pages you have visited, and which web searches you have made) and your history based on your contact with the Healthcare Provider. Our analysis also includes information about your age and place of residence.
KRY International also uses information about your use of the Services for the purpose of improving the user experience in the App. Information about you as a user is also used for marketing purposes.
Marketing emails are sent to you based on your consent hereto, which you can withdraw at any time in accordance with section 9 below.
5.5 To perform legal obligations
KRY International and the Healthcare Provider may process your User Data and Patient Data (as described above in sections 3.1 – 3.2) on the lawful basis referring to a “legal obligation” (Article 6.1(c) of the GDPR) in order to fulfil legal obligations as set forth in statutes, court judgments, or decisions by public authorities (for example regarding requirements imposed by the Swedish Health and Social Care Inspectorate or the Swedish National Board of Health and Welfare).
We otherwise store and process your personal data to the extent necessary to be able to fulfil our legal obligations and requirements.
5.6 To be able to evaluate, develop and improve the quality of Services
KRY International and the Healthcare Provider may process your personal data for the purpose of developing and improving the Services and the IT systems used to provide the Services. This is done in order to continuously improve the security and our handling of personal data, and in order to make the App more user-friendly, for example by changing the user interface in order to simplify the flow of information, or to highlight functions which are often used by our users.
We only process sensitive personal data about you for the purpose of being able to provide the Services (i.e. in order to be able to perform a contract between you and KRY International) and to be able to ensure the quality and develop the care in accordance with applicable legislation. All other development of our Services takes place using anonymized data.
6. How long do we store your personal data?
We only process your personal data as long as is necessary for the purposes according to section 5 above. This means as long as it is necessary in order to be able to provide good healthcare or otherwise be able to provide the Services, or in order to fulfil the legal obligations applicable to us. The Healthcare Provider has an obligation to save medical records connected to healthcare meetings with you for a specific period of time. We otherwise have routines for how we store or anonymize personal data in order to regularly ensure that your personal data is always adequate and relevant for our continued provision of the Services. Your User Data is erased or de-identified not later than six (6) months from the time at which you close your user account with us, provided it is not necessary to store the personal data in order for us to fulfil our legal obligations or where the information is otherwise necessary for the establishment, exercise or defence of legal claims.
All information that is no longer needed for the performance and development of the Services, or quality assurance, is anonymized, or erased automatically. User Data which is stored on the basis of your consent is erased by us if you withdraw your consent. You can read more in section 10 about how you exercise your right to withdraw your consent. In this respect, we ask you to please note that KRY International and the Healthcare Provider process your personal data for different purposes (both as a technical supplier of the App but also as a Healthcare Provider). Withdrawal of your consent will not affect the Healthcare Provider’s obligation to keep medical records, or to process your personal data in accordance with applicable law.
7. Third parties with whom your personal data may be shared when you use the Services
7.1 Subcontractors of KRY International
In order for us to be able to offer you the Services, we use a number of external suppliers that process personal data in certain cases. Our IT service providers, such as operating and hosting providers, only work at the request of KRY International and according to KRY International’s instructions in its capacity as a processor of personal data.
7.2 Subcontractors of Healthcare Provider
The Healthcare Provider keep medical records in accordance with applicable legislation in connection to the provision of healthcare within the scope of the Services. The medical records are saved in the medical record systems outside of the App with a third party, at the request of the Healthcare Provider and according to the Healthcare Provider’s instructions. The Healthcare Provider is responsible for any personal data (Patient Data) which is stored in medical records.
7.3 Employers and insurance companies
If you have been referred to us by your employer, we act as the processor of personal data on behalf of your employer and process your personal data according to instructions given by your employer. However, we do not disclose any sensitive personal data to your employer, i.e. information regarding your health, including whether you have used the Services.
8. Transfers to third countries
KRY International and the Healthcare Provider use IT suppliers for hosting and operating services with operations outside of Sweden. This means that KRY International and the Healthcare Provider will transfer your personal data outside the EU/EEA, currently to the United States.
Transfers of personal data take place, however, only in exceptional cases to countries outside the EU/EEA and only provided that the transfer is lawful according to the applicable data protection legislation regarding the protection of your privacy in the recipient country with reference to: (i) the EU Commission’s decision regarding adequate levels of protection; (ii) application of the EU Commission’s standard contract clauses for transfers to third parties; (iii) that the recipient is covered by the Privacy Shield rules and thus the requirement of an adequate level of protection (applies to transfers to the United States); or (iv) other applicable safeguards in order to fulfil applicable data protection legislation.
9. Your rights as a data subject in relation to the App and as a user of the Services
You have the right to receive information regarding what personal information about you that we are processing, for what purpose it is being processed, whether such personal data has been transferred to a third country, and which parties have received your personal data.
In order to clarify this and your other rights as a data subject, you may at any time to contact us in order to:
- request access to, and information about, the personal data which is being processed when you use the App and/or the Services;
- ask us to correct any incorrect information about you;
- request that your personal data be erased (however, we ask you here to note that Healthcare Providers have certain obligations by law to store certain personal data, particularly related to Patient Data, including keeping medical records in relation to your use of the Services). At your request, all Patient Data which we do not have a legal obligation to retain will be erased;
- ask us to restrict the processing of your personal data;
- object to the processing of your personal data and thereby also requesting writing that the data ceases to be used for direct marketing purposes; or
- request that your personal data be moved to another controller of personal data by receiving your personal data, to the extent it has been provided by you, in an electronic format which is generally used in order to be able to transfer it to another party (the right to data portability).
Should you wish to contact us regarding any of these bullets above, we encourage you to contact us via our website at https://www.kry.se/en/contact/, or by sending an email to email@example.com.
10. Right to file a complaint with the supervisory authority