Ada Health’s Privacy Policy

Last modified: April 23, 2021

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

PLEASE READ THIS POLICY CAREFULLY BEFORE USING ADA HEALTH’S SERVICES.

You must be 16 years or older to use our Services.

Protecting your data, privacy and personal data is very important to Ada Health, Inc. (“Ada Health”,“us”, “our” or “we”).  We are bound by two of the world’s most strict data protection laws, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). References to the GDPR in this Privacy Policy apply only to the extent that the GDPR applies to the data used or processed by us. It is vitally important to us that our customers (the “users”) feel secure when using our products and services.

This privacy policy (the “Privacy Policy”), together with our Terms & Conditions at ada.com/raw/kaiser-permanente/terms-and-conditions/ and any other documents referred therein, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed. Please read this Privacy Policy carefully to understand the types of data we collect from you, how we use it, the circumstances under which we will share it with third parties, and your rights in relation to your personal data.

When using “Ada” through our web-based application (the “Web-embed”) and our screening tool (the “Screening Tool”), together the “Medical Device”), or any service and/or product we may provide you (the “Services”), you will be asked to indicate your acknowledgment of, and where applicable, give your consent to the processing activities as described in this Privacy Policy.

1. Who we are

This Privacy Policy applies to any personal data processed by Ada Health, Inc., 745 5th Avenue, 5th Floor, New York City, NY 10151, USA being the data controller (as defined under Article 4(7) GDPR) of all processing activities in connection with the Services as well as by our parent company Ada Health GmbH (acting as our sub-processor) (HRB 189710), Karl-Liebknecht-Straße 1, 10178 Berlin, Germany. Ada Health, Inc. has obtained a license from its parent, Ada Health GmbH, to operate the assessment software (as updated by Ada Health GmbH from time to time) in the US.

Questions, comments and requests regarding this Privacy Policy are welcome and should be addressed through our contact form here. Our data protection officer can be contacted at dpo@ada.com.

2. General overview of the data processing in connection with the Services

Before starting using our Services, you should read our Privacy Policy carefully, and to consent to Ada analyzing the personal health data you supply in order to be provided with an assessment and health advice.

If you wish to read in detail all the data processing activities we undertake, we advise you to read the following section 3 relating to each specific data processing activity, and sections 4 to 9 that relate to:

  • where we store your personal data (section 4), 
  • when we may disclose your personal data (section 5),
  • which data we receive from third parties (section 6),
  • our retention policy (section 7), 
  • your data subjects’ rights (section 8), and
  • our changes policy (section 9).

Information that you provide to us: we may collect and process personal data that you will be asked to provide when you:

  • correspond with us by any available means,
  • use our Services, or
  • report a problem with our Services.

The information that we may ask you to provide includes, but is not limited to, your name, gender, date of birth, email address, phone number, symptoms of your illness, potential causes of your illness symptoms, health insurance (optional), medical history, any allergies you have, or further information required to verify your identity.

Information we collect about you: although we will not use it to identify you, we may collect data on certain events during each of your visits and use of our Services, e.g. the fact that you agree to our Terms & Conditions, etc.

If you are using our Services on behalf of a third party, you must have obtained clear permission from the individuals whose data you provide us with before sharing that data. For the avoidance of any doubt, any reference in this Privacy Policy to “your data” shall include data about other individuals that you have provided us with.

3. Which personal data we may collect and process, why and for how long

3.1 Create an assessment case

  • Types of data: profile ID, profile name (when applicable) and related personal health data required to provide the assessment such as age, gender, illness symptoms, potential causes of illness symptoms, allergies, pregnancy status, relevant and/or related medical history, geographic location, time and date of assessment.
  • Purpose of processing: To provide you with our assessment by means of our Medical Device, for example but not limited to, suggest possible causes for the given symptoms (assessment), and track your symptoms.
  • Use justification: Contract performance (Article 6(1)(b) GDPR / Consent (Article 9(2)(a)GDPR) for the processing of your health data. You may revoke/withdraw your consent at any time; however, it is not possible to provide you with our Medical Device (i.e. the assessment) without such consent.
  • Storage duration: As a rule, the storage duration corresponds to the time of use of the services of Kaiser Permanente. In addition, you may request the deletion of your data through Kaiser Permanente. We will retain some of your data (see section 7 for more details) but we will not process the data for any other purposes.

3.2 Analysis of case information to guarantee high quality and safety standards of our Medical Device

  • Types of data:  Account ID (when applicable), profile ID (when applicable), case ID, time and date of assessment, geographic location of assessment, data provided in a case (personal health data required to provide the assessment such as age, gender, illness symptoms, potential causes of illness symptoms, allergies, pregnancy status, and relevant and/or related medical history), feedback, assessment result, and data related to software and hardware (such as version numbers, operating system, and device ID).
  • Purpose of processing: To guarantee high quality and safety standards of our Medical Device, it is necessary to review the quality of the assessment results (the “Analysis”). The safety and quality staff (the “Medical Experts”) use pseudonymized data and, when applicable, aggregated data to evaluate the assessment results and determine if any improvement is needed in order for our Medical Device to meet the highest quality and safety standards. 
  • Use justification: The processing is required to comply with the necessary standards of quality and safety of our Medical Device which qualify as a medical device under medical device regulations and as provided in the following legal texts (section 22(1)(1)(c) BDSG, Article 9(2)(i) GDPR), on the basis of Post-Market Surveillance obligations under Sec. 6 (1),(2) MPG in connection with section (7)(4) of the German Medical Device Ordinance in connection with Annexes X, VII, (4) of the EU Medical Devices Directive (93/42/EC) (or directly applicable from 26.05.2021 at the latest, but to be considered as already applicable to ensure high standards of quality and safety of our Medical Device, Article 83 et seq. and Annex III of the EU Medical Devices Regulation (2017/745/EU)).
  • Storage duration: We process your data until no longer necessary for the purposes specified above. The storage duration of your data for this purpose corresponds with our obligation to comply with the necessary standards of quality and safety of our Services. 

3.3 Use of health data for statistical and research purposes

  • Types of data: Account ID (when applicable), case ID, profile ID (when applicable), age, gender, illness symptoms, geographic location, risk factors, assessment results such as potential causes of illness symptoms, medical history, allergies, time and date of assessment, and other relevant and related health data that you may have provided us.
  • Purpose of processing: We process pseudonymized data to carry out aggregate statistics on the geographical prevalence of certain types of illness symptoms and conditions and may present such summarized statistics to our partners, always on an irreversibly anonymized basis.
  • Use justification: The processing is necessary for statistical purposes and we only provide our partners with anonymized and summarized statistics from which the identification of a specific natural person is impossible (Article  9(2)(j) GDPR; Sec. 27 (1) BDSG). Our legitimate interest in processing data for these purposes is to support progress in medical research in line with our entrepreneurial goals which is also in the public interest to improve healthcare such as, but not limited to, analyzing the occurrence and characteristics of diseases. You may, for reasons arising from your particular situation, object to such a processing at any time by writing us here (more information about your right to object in Section 7 below).
  • Storage duration: The storage duration of your data on the basis of which we create the statistics corresponds to the time of use of our services. When you request deletion of a specific case or if you delete a case in the App, your case data will no longer be used for this purpose. The statistics are anonymous.

3.4 Use of health data for public health purposes

  • Types of data: Account ID (when applicable), profile name (when applicable), case ID, device ID, age, gender, illness symptoms, geographic location, risk factors, assessment results such as potential causes of illness symptoms, medical history, allergies, time and date of assessment, and other relevant and related health data that you may have provided us.
  • Purpose of processing: We process pseudonymized data for public health purposes (as defined by GDPR recital 54) such as analyzing case data regarding public health trends, rare diseases and threats, and to identify factors that could improve public health such as finding out about the prevalence of specific conditions, the attributes of specific conditions and get insights in specific aspects of assessments. With these analyses we help identify infectious disease outbreaks and monitor their timely and geographic developments (e.g. during COVID-19 pandemic). As our data is also including people who have not consulted yet the health care system, we can better estimate the true burden of diseases.  We may share and present the results as summarized statistics to our partners, e.g. in the public health and scientific community, always on an irreversibly anonymized basis. We may also process such types of data to provide you with the best guidance possible by, for example, directing you to the most appropriate care facility and help reduce unnecessary burden for you, but also for health care systems.
  • Use justification: The processing is necessary for reasons of public interest in the area of public health (Article 9(2)(i) GDPR, Article 22 (1)(1)(c) BDSG)). Our legitimate interest in processing data for these purposes is to support public health progress by protecting against serious cross- border threats to health. You may, for reasons arising from your particular situation, object to such a processing at any time by writing to us here (more information about your right to object in Section 7 below).
  • Storage duration: The storage duration of your pseudonymized data on the basis of which we create the statistics corresponds to the period of processing according to Section 3.1. When you request deletion your case data will no longer be used for this purpose.

3.5 Monitor and improve our Medical Device safety

  • Types of data: Symptoms of your disease, possible causes of your disease symptoms, account ID (when applicable), profile name (when applicable), age, gender, geographic location (country), IP address, device ID, any events while using the Medical Device such as, but not limited to, started assessment or finished assessment.
  • Purpose of processing: We use a limited set of usage data (that may include personal health data) both to monitor usability to ensure that our Medical Device complies with high safety and security standards required for medical devices, and to detect any potential malfunctions, incorrect assessments, or issues with availability or usability. For example, if you finish an assessment and mark it as ‘unhelpful’, then indicate it was unhelpful because it gave you the wrong result, access to this data helps our doctors check the assessment and decide if changing the question flow could improve medical safety. 
  • Use justification: The processing is required to comply with the necessary standards of quality and safety of our Medical Device which qualify as a medical device under medical device regulations and as provided in the following legal texts (section 22(1)(1)(c) BDSG, Article 9(2)(i) GDPR), on the basis of Post-Market Surveillance obligations under section 6(1)(2) MPG in connection with section (7)(4) of the German Medical Device Ordinance in connection with Annexes X, VII, (4) of the EU Medical Devices Directive (93/42/EC) (or directly applicable from 26.05.2021 at the latest, but to be considered as already applicable to ensure high standards of quality and safety of our Medical Device, Article 83 et seq. and Annex III of the EU Medical Devices Regulation (2017/745/EU)).
  • Storage duration: The storage duration of your data for this purpose corresponds with our obligation to comply with the necessary standards of quality and safety of our Medical Device.

3.6 Monitor usage to ensure proper use, functioning, maintenance and improvement of the Services and related emails

  • Types of data: Device ID, IP address, operating system and browser type, length of visits to certain pages, and page interaction information such as scrolling, finger gestures, clicks, and mouse-overs, geographic location, time and date, any events while using the Medical Device such as, but not limited to, started assessment or finished assessment.
  • Purpose of processing: We use a limited set of usage data (which does not include personal health data) to ensure the proper use, functioning, maintenance and improvement of our Services for all users.
  • Use justification: Legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest is based on the aforementioned use of that data purposes. Under no circumstances will we use the collected data to determine your identity. We may process the page interaction when you use our Services or receive emails we may send you to ensure proper reception and assess the service in order to improve it. You may, for reasons arising from your particular situation, object to such a legitimate processing at any time by writing us here (more information about your right to object in Section 7 below).
  • Storage duration: Your data is removed after 15 days, unless a security-relevant event occurs (e.g. a DDoS attack). If a security-relevant event occurs, log files of the servers are stored until the security-relevant event has been completely eliminated and clarified.

3.7 Performance reports

  • Types of data: Error, crash reports including device and incident specific information, IP address, URL, geographic location, time and date.
  • Purpose of processing: We use the above data (which does not include personal health data) both to ensure the functionality of our Services (our Services cannot function properly without this processing) and to prevent any decompiling or otherwise reverse engineering. We may send pseudonymized usage data to our processor Sumo Logic, a corporation headquartered at 305 Main Street, Redwood City, CA 94063, US. The data collected in the context is not used to link any usage profile with your personal data. Your personal data may be transmitted and stored into the servers of Sumo Logic. Further information can be found in Sumo Logic’s Privacy Statement here.
    We also transfer the personal data to our processor Hound Technology, Inc., 548 Market Street, 25362 San Francisco, CA 94104-5401 (“Honeycomb”). The data processed in this context is pseudonymized and cannot be linked to you by Honeycomb. Ada does not link any usage profile with your personal data. Further information can be found in Honeycomb’s Privacy Policy here.
    We have agreed on Standard Contractual Clauses and additional contractual obligations with each of these service providers. In addition, we will assess, on a case-by-case basis, the risks for your rights and privacy, together with and the necessity to keep them to provide you with our Services. Should you have any question about the additional measures we put in place please feel free to contact us via email to dpo@ada.com.
  • Use justification: Legitimate interest (Article 6 (1) (f) GDPR). Our legitimate interest is based on the aforementioned use of that data purposes. Under no circumstances will we use the collected data to determine your identity.
  • Storage duration: Your data is removed after 60 days, unless a security-relevant event occurs (for example, a Distributed Denial of Service attack). If a security-relevant event occurs, log files of the servers are stored until the security-relevant event has been completely eliminated and clarified.

3.8 Feedbacks

  • Types of data:  feedback that may contain some personal data, email address (optional), data provided in the case (only if you provide us with your email address and have created an account with us, which allows us to identify you, only for the purposes listed below).
  • Purpose of processing: We use the feedback you may provide us (optional) to analyze whether you are satisfied or dissatisfied with our products and Services, and to assess your general experience with it. This is a fundamental resource for us to improve your user experience and adjust our actions to your needs. We may also use the feedback you may provide us (optional) to guarantee high quality and safety standards of our Medical Device, as described in section 3.5 above.
  • Use justification: Legitimate interest (Article 6(1)(f) GDPR): to improve your user experience and adjust our actions to your needs. Under no circumstances will we use the collected data to determine your identity.
  • Storage duration: Your data will be stored until it is no longer required for the purpose for which it was collected. The storage duration of your data for this purpose corresponds to the period of processing in accordance with Section 3.2.

4. Cookies

Our Services use so-called “cookies”. Cookies are text files that are stored in the Internet browser or by the Internet browser on your device (computer, tablet, or phone). We use the term “cookies” to refer to all tools that collect data in our Services (e.g. IP addresses, place and time of the visit). Your data collected in this way is pseudonymized, and is not stored together with your other personal data. This processing is carried out on a legal basis and, where required by law, based on your consent.

The following cookies are being used: Necessary cookies. Necessary cookies  are essential to provide you with our Services.  It enables basic functions like page navigation and access to secure areas of the Services..

In addition to your right to object under Article 21 GDPR, you may object to the collection and processing of tracking information by following the opt-out instructions of the relevant provider as described above.

Further, if you do wish to disable cookies then you can do so by amending the settings within your browser or mobile device. Please remember that if you do choose to disable cookies, you may find that certain sections of the Website do not work properly.

5. Where do we store your personal data

The personal data that we collect from you is stored in the USA on Cloud Servers of of Microsoft Azure by the Microsoft Corporation One Microsoft Way Redmond, WA 98052-6399. USA.

Sensitive information between your browser and our Service is transferred in encrypted form using Transport Layer Security (“TLS”). When transmitting sensitive information, you should always make sure that your browser can validate our certificate.

6. Disclosure of your personal data

6.1 We use technical service providers to operate and maintain our Services, who act as our processors based on a data processing agreement. A full list of our third-party processors processing your personal data on our behalf and strictly according to section 3 above can be found here:

  • Microsoft Corporation One Microsoft Way Redmond, WA 98052-6399. USA, (“Microsoft Azure”)
  • MongoDB, Building Two Number One Ballsbridge, Dublin 4, Ireland
  • Hound Technology, Inc., 548 Market Street, 25362 San Francisco, CA 94104-5401, USA (“Honeycomb”)
  • Sumo logic Inc., 305 Main Street, Redwood City, CA 94063, USA

  • Use justification: The legal basis for the transfer and processing of your personal data by the processor corresponds to the legal basis on which we, as data controller, rely (always in compliance with section 3 above).

6.2 If we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.

  • Use justification: Legitimate interest (Article 6(1)(f) GDPR): to sell our business or assets / where required by applicable law: consent (Article 9(2)(a) GDPR): for the processing of special categories of data, i.e. your personal health data.

6.3 If we or, substantially, all of our assets are acquired by a third party, personal data about our users will be one of the transferred assets.

  • Use justification: Legitimate interest (Article 6(1)(f) GDPR): to sell our company or assets / where required by applicable law: consent (Article 9(2)(a) GDPR): for the processing of special categories of data, i.e. your personal health data.

6.4 If we are required on the basis of EU law or the law of a Member State to disclose or share your personal data.

  • Use justification: Legal obligation (Article 6(1)(c) GDPR).

6.5 We may disclose certain data to organizations involved in clinical trials and other types of research where you have explicitly authorized us to do so.

  • Use justification: Consent (Article 9(2)(a) GDPR).

7. Data we receive from other Parties

We do receive some information on you from the partners in whose service Ada Platform is integrated. In all instances, this data was already collected by our partner and is shared with us, so that we do not have to ask you for it again in order to use our services. This includes your date of birth, name gender and major health risk factors.

8. How long do we retain your personal data

We will hold your personal data for as long as it is necessary or required by law or by any relevant regulatory body, and always in compliance with the data minimization principle. Specific storage periods for the respective processing activities are detailed in section 3 above.

If your personal data is used for more than one purpose, we will retain it until the purpose with the longest period expires, but we will stop using it for the purpose with the shorter period as soon as the shorter period expires (to comply with the purpose limitation principle). We restrict access to your personal data to the persons who need to use it for the relevant purpose(s), always in compliance with the integrity and confidentiality principle. 

After the processing of your data is no longer necessary for the purposes outlined in section 3 we will securely and separately store some of your data in accordance with statutory retention obligations applicable to us and reasonable business needs. 

We will retain Post-Market-Surveillance data (incl. health data) in accordance with our storage obligations according to the medical device law.

We will retain data (incl. health data) in relation to your use of our Services for three or ten years in accordance with our business needs for the purposes of establishing, exercising or defending against legal claims. 

If the processing of your personal data is no longer necessary for any purpose it is either irreversibly anonymized (and the anonymized data may be retained), or securely erased.

9. Your data subject’s rights

Under GDPR you have the rights according to Art. 15  - 20 GDPR in relation to your personal data. Please be aware that Ada cannot identify you as a user and therefore cannot provide you these rights according to Art. 11 GDPR. Please contact Kaiser Permanente directly to exercise your rights. Ada will fully assist in the processing of any such inquiries.

  • Right to withdraw consent: Where the processing of your data relies on your prior consent, you have the right to withdraw such a consent at any time by stopping to use the Ada Platform or notifying us here. By withdrawing your consent, the lawfulness of the processing based on consent up until the point of withdrawal will not be affected. 
  • Right to object: You have a right to object under the conditions of Article 21 GDPR. Below you will find more detailed information:
    Right to object where the processing is based on legitimate interests: As a data subject, you have the right to object on grounds relating to your particular situation, at any time, to the processing of your personal data which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. In the event of an objection relating to your particular situation, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims. 
    Right to object where we process your personal data for statistical purposes: If we process your personal data for statistical purposes pursuant to Article 9(2)(j) GDPR / section 27(1) BDSG, you have the right to object to such processing for reasons arising from your particular situation. In the event of such an objection, we will no longer process the personal data concerned for this purpose, unless the processing is necessary to fulfil a task in the public interest, or if the discontinuation of such a processing is likely to make it impossible or seriously impair the realization of statistical purposes and the continuation of processing is necessary for the fulfilment of statistical purposes.
    Right to object where we process your personal data for public health purposes: If we process your personal data for public health purposes pursuant to Article 9(2)(i) GDPR, / section 22 (1)(1)(c) BDSG, you have the right to object to such processing for reasons arising from your particular situation. In the event of such an objection, we will no longer process the personal data concerned for this purpose, unless the processing is necessary to fulfil a task in the public interest, or if the discontinuation of such a processing is likely to make it impossible or seriously impair the realization of public health purposes and the continuation of processing is necessary for the fulfilment of public health purposes.

Asking us to stop processing your personal data or deleting your personal data will mean that you are no longer able to use our Services, or at least those aspects of the Services which require the processing of the types of personal data you have asked us to delete, which may result in you no longer being able to use the Services.

10. Changes to this policy

Any changes we make to our Privacy Policy in the future will be posted on this page. We therefore encourage you to review it from time to time to stay informed about the way we are processing your data.