Kivira Privacy Policy

This Privacy Policy explains how Kivira Axis Inc. ("Kivira", "we", "us", "our") collects, uses, discloses, and protects information when you use our websites (including our public website), mobile applications, clinician tools, and related services (collectively, the "Services").

If you are using Kivira through a clinic, health system, employer program, or another organization (a "Customer"), that Customer may control certain settings and data flows in the Services.

1. What this policy covers

This policy covers information processed through the Services, including:

• our public website
• patient-facing mobile app features (intake, screening, assessments, questionnaires)
• clinician-facing web features (reviewing results, generating reports, workflow support)
• clinic admin features (user management, configuration)
• integrations with electronic health records ("EHR") and related systems (for example, via SMART on FHIR, HL7, or similar methods)
• communications with us (support requests, emails)

This policy does not cover third party websites, apps, or services that you may access through links in the Services.

2. Information we collect

We collect information in three main ways: information you provide, information collected automatically, and information received from third parties (including EHR integrations where applicable).

2.1 Information you provide

Depending on how you use the Services, you may provide:

• Account and contact information: name, email address, phone number (if provided), organization or clinic affiliation, role (patient, clinician, admin)
• Assessment and questionnaire responses: answers, symptom ratings, free-text responses you enter, and related context you provide
• Communications: messages, emails, feedback, and any information you choose to include
• Files or documents: if the Services allow uploads (for example, forms or supporting documents), we collect the content and metadata of those files

2.2 Information collected automatically

When you use the Services, we may automatically collect:

• Device and app information: device type, operating system, app version, language, time zone, identifiers necessary to operate the app
• Usage and interaction data: app launches, screen views, feature usage, and other interactions. This may be associated with your account to operate the Services, support security, and improve features.
• Diagnostics: crash logs and performance metrics (such as launch time or hang rate). We use this information to maintain reliability and improve performance and, where feasible, collect it in a way that is not linked to your account identity.
• Log data: IP address, event logs, error logs, crash data, performance metrics
• Cookies and similar technologies (web): used for authentication, security, preferences, and analytics (where enabled)

2.3 Information from third parties

We may receive information from:

• Customers (clinics/health systems): enrollment details, identifiers, appointment context, configuration, permissions
• EHR or integration partners: data made available through authorized integrations, which may include demographics, identifiers, and clinical context depending on the integration and Customer settings
• Service providers: fraud prevention, security, analytics, and infrastructure providers may generate signals we receive (for example, security alerts)

3. Health and sensitive information

Important note: Whether certain data is regulated as "Protected Health Information" (PHI) under HIPAA depends on how Kivira is offered and by whom. If you access Kivira through a clinic or health system, additional terms and notices may apply through that organization.

4. How we use information

We use information to:

• Provide and operate the Services (authentication, assessments, reports, clinical workflows, integrations)
• Support clinical and administrative workflows (sharing results with authorized clinicians and Customer administrators)
• Improve and maintain the Services (debugging, performance monitoring, quality assurance)
• Security and fraud prevention (detecting abuse, protecting accounts, auditing access)
• Customer support (responding to requests, troubleshooting)
• Communications (service-related messages like confirmations, security notices; and, where allowed, product updates)
• Compliance and legal obligations (recordkeeping, responding to lawful requests)

We do not use personal information for targeted advertising. We do not sell personal information and we do not share personal information with data brokers. We do not link data collected in the Services with third party data about you for advertising or advertising measurement purposes.

5. AI-assisted features

Some features may use automated or AI-assisted methods to help generate summaries, insights, or workflow outputs. Where used:

• we design these features to support human decision-making, not replace clinical judgment
• we take steps to reduce unnecessary exposure of sensitive information to vendors
• we apply technical and organizational safeguards appropriate to the sensitivity of the data

We may update this section as AI-related features evolve.

6. How we share information

We share information in the following circumstances:

6.1 With your clinic or organization (Customers)

If you use Kivira through a Customer, we may share information with that Customer and authorized users (for example, clinicians) as required to deliver the Services and according to Customer configuration and permissions.

6.2 With service providers

We use vetted vendors to provide infrastructure and operations such as hosting, databases, monitoring, security, customer support tools, analytics, and integration services. These providers are permitted to process information only to perform services for us, under contractual obligations.

6.3 With integration partners

Where you or your Customer enable integrations (for example, EHR connectivity), we share and receive data through those integrations based on authorization and configuration.

6.4 For legal, safety, and compliance reasons

We may disclose information if we believe it is necessary to:

• comply with applicable law, regulation, or legal process
• enforce our agreements and policies
• protect the rights, safety, and security of Kivira, our users, Customers, or the public
• investigate and prevent fraud or security issues

6.5 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to appropriate safeguards.

Analytics and Crash tooling

We may share limited information with service providers that help us operate the Services, such as hosting, logging, monitoring, analytics, and crash reporting providers. These providers may process data only on our instructions and for the purposes described in this policy.

7. Data retention

We retain information for as long as needed to provide the Services and for legitimate business purposes such as security, compliance, dispute resolution, and audit requirements. Retention periods can vary based on:

• the type of data
• Customer contracts and configuration
• legal and regulatory obligations

If you use Kivira through a Customer, the Customer may control certain retention settings.

8. Security

We use reasonable administrative, technical, and physical safeguards designed to protect information from unauthorized access, use, or disclosure. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

9. Your choices and rights

Depending on where you live and how you use the Services, you may have rights to:

• access, correct, or delete certain personal information
• object to, or restrict, certain processing
• request a copy of your information (data portability)
• withdraw consent where processing is based on consent

If you use Kivira through a Customer, you may need to route certain requests through that Customer. We will respond to requests in accordance with applicable law.

To submit a request, contact us at: hello@kivira.health.

10. Children's privacy

The Services are not intended for people under 18. If you believe a child has provided us information without appropriate authorization, contact us and we will take appropriate steps.

11. International users

Kivira may process information in countries other than where you live (for example, where our service providers operate). Where required, we use appropriate safeguards for cross-border transfers.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version and update the "Last updated" date. If changes are material, we may provide additional notice through the Services or by other means.

13. Contact us