Notice of Privacy Policy and Practices

Introduction

This Notice of Privacy Practices (this “Notice”) applies to the software and information services we offer through our website located at https://kestramedical.com, our devices, applications, platform, software, websites, APIs, products, services, and communications sent as part of, in connection with, or relating to such software and information services (our “Services). We have developed this Notice from industry guidelines and standards, and national and international laws and requirements. We are committed to protecting the privacy of patients, customers, and partners.

About Kestra Medical Technologies, Inc.

At Kestra Medical Technologies, Inc. (“Kestra”), it is our mission to provide innovative, intuitive medical technologies to protect and support at-risk patients. At the heart of Kestra is an uncompromising commitment to the highest quality our customers expect and patients trust.

Throughout this Notice, “Kestra” refers to Kestra Medical Technologies, Inc., including its affiliated companies and subsidiaries (also referred to as “we” and “us”). You can find information on how to contact us below in Section “Contact Information”. You can also find additional contact and location information on our website at: https://kestramedical.com/contact/.

Information We Collect and How We Collect It

When you use our Services, Kestra collects information about you, including:

• Name, date of birth, and contact information, such as your postal address, email address, and phone number;

• Demographic information such as age and gender;

• Health insurance information such as current coverages including co-pays, premiums and plan

  identification numbers;

• Health condition and treatment information, such as medications, prescription identifiers, diagnoses, and medical history;

• Characteristics of protected classifications under state or federal/national law, such as race or nationality;

• Individual preferences and characteristics, such as smoker status and physical activity;

• Device and online identifiers;

• Electronic Funds Transfer (EFT) information and banking information; and,

• Any other information you choose to provide, such as during telephone interviews with our agents.

Kestra collections information in the following ways:

• Directly from you, for example, when you submit information through our Services, complete one of our webforms or applications, or communicate with a Kestra agent;

• Passively collected from a device used to access Kestra Services, including websites and webforms; and,

• From insurance and patient support organizations. 

Information You Submit

We collect information from you when you:

• Enter information on our Services, such as when you register for our Services, use our Services to send a message to someone else, or complete a form;

• Upload a document, image, or other data file on our Services;

• Contact us; or

• Make a customer service request or attend one of our training sessions.

Contact Information

To provide our Services and communicate with customers, patients, care providers, and others, we need to collect certain personal data identifying who you are, including information such as your e-mail address, phone number, and your mailing address. If you contact us, we may keep a record of that correspondence.

Emergency Contact Information

Some Kestra Services present an option to provide contact information in the event of an emergency. The information requested includes data identifying who they are, such as their name, relation to you, e-mail address, residence address, and phone number(s).

Payment Information

Some Kestra Services support payments and transactions with third parties requiring you to provide certain information for identification and verification of billing and payment. Depending on the Services you use, we may also collect information including credit or debit card account information, or other forms of payment ("Payment Card Information"). By submitting your Payment Card Information, you expressly consent to the sharing of your information with third-party payment processers and other third-party services (including but not limited to vendors who provide fraud detection services to us and other third parties). These third parties may store your Payment Card Information for future use in our Services. We do not store your Payment Card Information, nor do we have direct control or responsibility for your Payment Card Information. The third-party services that we utilize are contractually obligated to keep your Payment Card Information secure and confidential.

Health Insurance Information

To provide Services, Kestra collects health insurance information such as current coverages including co- pays, premiums, and plan identification numbers. This information may be provided by insurance support organizations. In such cases, the insurance support organization may retain the information and disclose it to other persons in accordance with their own privacy policies and terms.

Career Data

Kestra partners with Workable to aid career registrants and Kestra in identifying, recruiting, and hiring qualified candidates. You can find the Workable Privacy Policy here: 

https://www.workable.com/privacy.

Surveys, Feedback, and Informational Programs

You may be contacted for surveys, feedback, or information programs to help improve your experience or certain features of our Services. You may choose to provide us with additional information while participating. Participation in surveys and like requests are voluntary.

Automatically or Passively Collected Information

Device Information

Some Kestra Services collect data to record health and product data. Examples of data collected are steps you take, heart rate, and active minutes. The data collected varies depending on which device you use. When your device syncs with our applications or software, data recorded on your device is transferred from your device to our servers. You should have received detailed information on what data is collected on your device. If you need this information, please contact us.

Cookies and Similar Technologies

We and our partners collect information about you and your Devices through cookies, web beacons, and similar technologies. A "cookie" is a small data file sent from a website and stored on your Device to identify your Device in the future and allow for an enhanced personalized user experience based on your previous activity on the website. A "session cookie" disappears after you close your web browser or may expire after a fixed period. A "persistent cookie" remains after you close your web browser and may be accessed every time you use our Services. We and our partners may use both session and persistent cookies on our Services. You should consult your web browser to modify your cookie settings.

On our generally public websites (e.g., https://kestramedical.com), we specifically use Google Analytics cookies which enables us to collect certain data about your visits to our website, including:

• Your IP address;

• The pages on our website that you visit;

• The time you spend on certain pages on our website; and

• Various other statistics such as user agent string, browser version, and OS version.

Google’s ability to share and use your information collected via Google Analytics is restricted by the commitments made in the Google Analytics Terms of Service and the Google Privacy Policy. Some third parties may allow you to opt-out of targeted advertising based on this information. You can find more information about these opt-outs from the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA).

Information from Other Sources

We may receive or proactively gather information about you from other sources and add it to information we otherwise have about you for any purpose described in this Notice. This may include situations where a third party seeks to communicate with you through the Services or establish an "Integration".

Children’s Information

Kestra Services are not directed to minors. We do not knowingly collect or solicit Personal Data from children under 18. If you are a child under 18, please do not attempt to register for or otherwise use the Services or send us any Personal Data. If we learn we have collected Personal Data from a child under 18, we will delete that information as quickly as possible. If you believe that a child under 18 may have provided us Personal Data, please contact us immediately.

How We Use or Share Your Information

We collect and process personal data about you where we have lawful basis. We may use the information we collect for the following purposes:

• To develop, operate, improve, deliver, maintain, and protect our Services including new Services functionality and features;

• Responding to questions and communications, or obtaining your feedback about our Services;

• Administering and logging your participation in informational programs, including webinars and

  other classes, and any product or support matters that may arise from our Services or Programs;

• Preparing and delivering announcements about features, functionality, terms of use, or other aspects of our Services or your interests and informing you about offers for services or products we believe may be of interest to you, including from third parties;

• Providing you with more relevant content, including clinical support tools, assessments or medical-related information or services, patient support programs, advertising, or other programs appearing on our Services or third-party services;

• Analyzing usage trends and patterns and measuring the effectiveness of content, programs, advertising, or the features or functionality of the Services, including emails that may be sent by us to you;

• Preparing reports for any of the purposes described in this Notice, including for current or future sponsors, providers, or other partners to show utilization or trends about the use of our products and Services. Such reports may include demographic or other general user information, but will not include personally identifiable information unless the recipient has agreed to confidentiality obligations;

• Safeguarding, protecting, and securing our Services, the information we collect, and the rights of us, our users or third parties, and to comply with legal requirements, including applicable laws, rules, regulations, contractual obligations, Terms of Use and our policies;

• Use of your Payment Card Information as stated in the "Payment Information" Section above;

• Verify your identity and detect and prevent fraud or other unauthorized or illegal activity;

• Any other purpose described in this Notice or your User Agreement; or

• When we otherwise have your permission.

De-identified Information

Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual. The HIPAA Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.

Kestra reserves the right to use de-identified information for the purposes of research and conducting business in compliance with Section 164.514(a) of the HIPAA Privacy Rule as the minimum efforts taken, using either Expert Determination §164.514(b)(1) or Safe Harbor §164.514(b)(2), to de-identify information. You can find more information about these practices on the US Health and Human Services Website: https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de- identification/index.html.

How We Protect Your Information

The privacy and security of your nonpublic personal information and data while using our Services is very important to us. Our Services employ a variety of reasonable technical safeguards to protect the confidentiality, integrity, and availability of this information. We conduct robust risk and security assessments for partners and providers we work with.

Third-party Websites and Integrations

Our Services may provide, or third parties may provide, links to other websites or resources. This Privacy Notice applies only to our websites. It does not apply to services offered by third parties, including websites and other online services to which our websites may display links. When you click on such links, you may be visiting websites or interactive services operated by third parties, who have their own information collection practices. We do not have control over how any third party collects or uses information, so we recommend that you review their privacy policies to learn of their practices.

How Long We Retain Your Information

We keep your personal information for no longer than necessary for the business need for which the personal information is processed. The length of time for which we retain personal information depends on the purposes for which we collect and use it and/or as required to comply with applicable laws and to establish, exercise, or defend our legal rights.

We may be required under applicable laws or regulations to retain information about you for extended periods of time or indefinitely. We may also have independent obligations under applicable laws or regulations to retain some information indefinitely. For disaster recovery and business continuity purposes, we retain copies of data for those purposes in compliance with our Disaster Recovery and Business Continuity Plans.

Your Rights Over Your Information

Accessing and Exporting Your Data. You have the right to request inspection and to receive a copy of a record of your personal information. If we maintain the record electronically, you have the right to request the copy be in the electronic format of your choice. If we cannot readily provide your record in that format, we will provide your record in an electronic format that you and we have agreed to.

Editing and Deleting Your Data. If you feel the personal information that we maintain about you is incorrect or incomplete, you have the right to request amendment to your personal information. You may also request the deletion of your data. It may take up to 90 days to delete all of your information. We may preserve data for legal reasons as outlined in section “How We Use or Share Your Information.”

Objecting to Data Use. You have a right to request a restriction or limitation on the personal information we use or disclose about you for treatment, payment, and health care operations activities or disclosures to individuals involved in your care. It may take up to 90 days to reasonably accommodate the restriction or limitations request.

Locale Specific Law Privacy Rights

California Privacy Disclosures

Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites and web applications and services that you do not wish such operators to track certain of your online activities over time and across different websites. Our Services do not currently support Do Not Track requests. To find out more about “Do Not Track,” you can visit www.allaboutdnt.com.

Categories of Information We Collect, Use, and Disclose for Business Purposes

As described in the “Information We Collect and How We Collect It” section, we collect the categories of personal information listed below. We receive this information from you, your use of our Services, third parties (such as your physician or insurance company), and as otherwise described in this policy. We use and disclose these categories of information for the business purposes described in the “Information We Collect and How We Collect It” section. The categories are:

• Identifiers, like your name or username, email address, mailing address, phone number, IP address, account ID, device ID, cookie ID, emergency contact information, and other similar identifiers.

• Demographic information, such as your gender, age, health information, and physical characteristics or description, which may be protected by law.

• Commercial information, including your payment information and records of the Services or devices you use, obtained, or considered including insurance information.

• Biometric information, such as your active minutes or health data, including the number of steps you take, heart rate, and any similar information to which you grant us access. This also includes physical characteristics and measurements required for proper device fitting.

• Internet or other electronic network activity information, such as the usage data we receive when you access or use our Services. This includes information about your interactions with the Services and about the devices and computers you use to access the Services.

• Location data, including GPS signals, device sensors, Wi-Fi access points, and cell tower IDs, if you have granted us access to that information.

• Electronic, visual, or similar information, such as your profile photo, graphs, or charts of recorded data.

• Professional or employment related information, including any information (like your name, email address, or similar information) related to recruiting or seeking employment with Kestra.

• Other information that you provide, including emergency contact information; information for

  features of the Services, for example, an alarm; messages on the Services; and information recorded by your device which may vary depending on the device you use.

• Inferences drawn from any of the above, including distance you traveled, sleep insights, health, and activity goals.

Sale of Data

The following list contains the types of personal identifiers that we may have sold in the previous 12 months:

• None

Response Timing and Format

• We will respond to a request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

• Any disclosures we provide will only cover the 12-month period preceding the verifiable individual’s request’s receipt. If applicable, the response we provide will include reasons we cannot comply with a request. For data portability requests, we will select a format to provide your personal information that is usable and should allow you to transmit the information from one entity to another entity.

• We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

European Economic Area and UK Disclosure

Kestra is headquartered in the United States and, regardless of where you use our Services or otherwise provide information to us, your information will usually be transferred to, maintained, and processed by Kestra and our service providers in the United States or other jurisdictions in which we or they operate. Please note that privacy laws, regulations, and standards in the jurisdictions in which your information may be maintained and processed may not be equivalent to the laws in your country of residence and such information may be subject to lawful access by U.S. or other foreign courts, law enforcement, and governmental authorities.

If you are based in the UK or the EU, if we provide any personal information about you to any non- European Economic Area (“EEA”) or UK members of our group or suppliers, we will take appropriate measures to ensure that the recipient protects your personal information adequately in accordance with this Privacy Notice. These measures will include the following permitted in Articles 45 and 46 of the EU’s General Data Protection Regulation:

• in the case of US based entities, entering into European Commission approved standard contractual arrangements with them; or

• in the case of entities based in other countries outside the EEA, entering into European Commission approved standard contractual arrangements with them.

Contact Information

If you have questions or are concerned that any of your privacy rights have been violated, wish to exercise any of your rights described in this Notice, or ask questions about those rights, please contact us at:

Phone: (800) 957-0028
Email: privacy@kestramedical.com 
Mailing:

ATTN: PRIVACY OFFICER
KESTRA MEDICAL TECHNOLOGIES, INC. 3933 LAKE WASHINGTON BLVD., SUITE 200 KIRKLAND, WA 98033
UNITED STATES OF AMERICA

You also have the right to complain to the Secretary of Health and Human Services at:

OFFICE OF CIVIL RIGHTS
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES 2201 SIXTH AVENUE
SEATTLE, WA 98121
UNITED STATES OF AMERICA

Changes to This Notice

We may update this Notice from time to time, and so you should review this page periodically. When we change this Notice in a material way, we will update the “last modified” date below with a brief description of the material change. Changes to this Notice are effective when they are posted on this page.

Privacy Notice Updates

Effective April 16, 2021

80295-001_B