Notice to Patrons
If you are a patron of one of our Practitioner clinics or practitioners, your clinic or practitioner controls your patient information, including your contact information, billing details and patient records. Please contact your clinic or practitioner for any questions about your patient information. See the section titled Patron Data below for further information.
Why Karma Well Collects Personal Information
Information Karma Well Collects from You
Contact Information: We collect your contact information, such as your name, email address and organization, when you fill out our online forms or set up your user account for our Offerings. We use your contact information to activate your user account, give you access to the Offerings, and to send you notices about your user account. We may also use your contact information for marketing purposes, such as promotional emails, direct mail and sales contacts. You can opt out of our marketing communications at any time by unsubscribing. Please note that Karma Well does not collect or manage the contact information of patrons, or any marketing or other communications between a Practitioner and its clients.
Billing Information: When a Practitioner subscribes to our Software as a Service, we also collect credit card information to process payment. Credit card information is provided directly to our payment processor and is processed in a PCI-compliant manner. We do not keep your credit card information. Note that when credit card information is referred to as being “stored”, this means we hold a “token”. The token replaces the sensitive information and acts as a non-sensitive placeholder that the payment processor can use to reference your credit card information when payments need to be processed.
Log and Device Information: When you access and browse our Offerings, we collect information about how you are accessing our Offerings, such as your internet or mobile network connection, your browser or the type of mobile device you are using (if applicable). We use this log and device information to identify how our Offerings are being accessed and used so we can optimize them for the types of connections, browsers and devices being used. This information is not used to market or send promotions at an individual user level.
- To learn about use of our websites, such as user traffic patterns and the effectiveness of our navigational structure
- To identify email open rates in order to gauge the effectiveness of certain communications or marketing campaigns to clinics
- To allow you to log in to secure areas of our Services
- To store your login credentials for easy access to our Services
Social Media: If you log in to our Services using a third-party sign-in service, such as Google, we will receive personal information from those services, such as your name and email address, in order to pre-populate our online forms. We also include social media “Like” and “Share” buttons on our websites. These features may collect your IP address and the page you are visiting on our website. They may also set a cookie to enable the feature to function properly. Your interactions with these features are governed by the privacy policies of the third parties who provide them.
We also use Google Analytics Advertiser Features to optimize our business. Advertiser features include:
- Remarketing with Google Analytics
- Google Display Network Impression Reporting
- DoubleClick Platform integrations
- Google Analytics Demographics and Interest Reporting
By enabling these Google Analytics Display features, we are required to notify our visitors by disclosing the use of these features and that we and third-party vendors use first-party cookies (such as the Google Analytics cookie) or other first-party identifiers, and third-party cookies (such as the DoubleClick cookie) or other third-party identifiers together to gather data about your activities on our Site. Among other uses, this allows us to contact you if you begin to fill out our check-out form but abandon it before completion with an email reminding you to complete your order. The “Remarketing” feature allows us to reach people who previously visited our Site, and match the right audience with the right advertising message.
We abide by Facebook's Data Use Restrictions:
- Any ad data collected, received or derived from our Facebook ad (“Facebook advertising data”) is only shared with someone acting on our behalf, such as our service provider. We are responsible for ensuring that our service providers protect any Facebook advertising data or any other information obtained from us, limit our use of all of that information, and keep it confidential and secure.
- We do not use Facebook advertising data for any purpose (including retargeting, commingling data across multiple advertisers' campaigns, or allowing piggybacking or redirecting with tags), except on an aggregate and anonymous basis (unless authorized by Facebook) and only to assess the performance and effectiveness of our Facebook advertising campaigns.
- We do not use Facebook advertising data, including the targeting criteria for a Facebook ad, to build, append to, edit, influence, or augment user profiles, including profiles associated with any mobile device identifier or other unique identifier that identifies any particular user, browser, computer or device.
- We do not transfer any Facebook advertising data (including anonymous, aggregate, or derived data) to any ad network, ad exchange, data broker or other advertising or monetization related service.
Children's Privacy Statement
This children's privacy statement explains our practices with respect to the online collection and use of personal information from children under the age of thirteen and provides important information regarding their rights under federal law with respect to such information:
- This Site is not directed to children under the age of thirteen and we do NOT knowingly collect personally identifiable information from children under the age of thirteen as part of the Site. We screen users who wish to provide personal information in order to prevent users under the age of thirteen from providing such information. If we become aware that we have inadvertently received personally identifiable information from a user under the age of thirteen as part of the Site, we will delete such information from our records. If we change our practices in the future, we will obtain prior, verifiable parental consent before collecting any personally identifiable information from children under the age of thirteen as part of the Site.
- Because we do not collect any personally identifiable information from children under the age of thirteen as part of the Site, we also do NOT knowingly distribute such information to third parties.
- We do NOT knowingly allow children under the age of thirteen to publicly post or otherwise distribute personally identifiable contact information through the Site.
- Because we do not collect any personally identifiable information from children under the age of thirteen as part of the Site, we do NOT condition the participation of a child under thirteen in the Site's online activities on providing personally identifiable information.
Canada's Anti-Spam Legislation (CASL)
CASL came into force in three phases, the last of which became effective on July 1, 2017. CASL establishes rules for the sending of commercial electronic messages. We operate our business in compliance with CASL. Therefore, we will only send newsletters and other email communications to users who have opted in to receive our messaging. If you are currently receiving emails from us, it is because you have given us your express consent (either orally, in writing, or by opting in on our site) or implied consent (such as by purchasing or inquiring about our products or services). Your express consent is valid until revoked, whereas your implied consent may expire after a certain period of time, in accordance with the law.
All of our emails will contain an unsubscribe link. In all of our emails to you, we include our business name, postal address and a telephone number and/or email address, and it will be easy for you to identify us as the sender. To ensure that we are compliant with CASL, we keep a record of your consent, namely, when, where and how you provided (or revoked) your consent. We respect your unsubscribes, the expiration of your consent, and any actions taken on your part to revoke consent to receive messaging from Karma Well.
For personal information that is subject to the General Data Protection Regulation (GDPR), we rely on the following legal bases for collecting and using your personal information:
- Your consent.
- Our legitimate interests (which are not overridden by your privacy rights), such as operating our business, understanding and improving our Offerings, direct marketing related to our Offerings, communicating with our Practitioners and Patrons about our Offerings, events or related resources, improving our websites and protecting our legal rights and interests.
You may withdraw your consent at any time. Where we are using your personal information for our legitimate interests, you have the right to object to that use. See below under Your Rights for how to withdraw consent or object.
If you are a client of one of our Practitioner clinics, please contact your clinic or practitioner if you have any questions about the legal basis for collecting and using your personal information. Our Practitioners may have a different legal basis for collecting and using a patient's personal information, such as providing health care or treatments as a regulated healthcare professional.
Patron Data
Practitioners use our gifting wellness platform to collect personal information from their clients and create wellness health records. These records may include a client's name, address, health insurance and billing information, medical charts, appointment history and other patient data (“Patron Data”). This information is sometimes referred to as “personal health information”, “protected health information”, “data concerning health” or “sensitive data” depending on the location of the Practitioner and the privacy laws applicable to them. If you are a Patron, Patron Data is collected from you when you visit your Practitioner's clinic, spa or retreat center and when you set up an account with the Practitioner through their online booking website.
Practitioner's Role: Practitioners retain sole control over Patron Data and may be referred to as a “health information custodian”, a “covered entity” or a “controller” depending on their location and the privacy laws applicable to them. Practitioners determine:
- What Patron Data to collect;
- How the Practitioner will use the Patron Data;
- Who has access to Patron Data;
- How long the Practitioner will store Patron Data; and
- On what basis the Practitioner may delete Patron Data.
Practitioners are responsible for complying with laws and regulations governing the use of Patron Data, and for determining the legal basis for such use.
Karma Well's Role: Karma Well is a service provider to Practitioners and may be referred to as an “agent”, “business associate” or “processor” of the Practitioner. Karma Well stores Patron Data in its secure data centers and makes it available to Practitioners and their users through our gifting health benefits membership platform. Karma Well otherwise has no control over Patron Data.
Storage Location: Patron Data is stored in the regional data center for the location chosen by the Practitioner during the sign-up process. We currently have regional data centers in Canada, the United States, the UK and Australia, though this may change from time to time. If we do not have a data center in the Practitioner's region, Patron Data will be stored in our Canadian data center unless the Practitioner requests otherwise. Please note that we use US-based service providers for appointment reminders sent by email or SMS; therefore, any Patron Data contained in appointment reminders will pass through, and may be stored temporarily in, the United States. All our data centers and service providers maintain a high level of security and are compliant with applicable privacy laws.
Patron Rights: Patrons have certain rights with respect to their Patron Data, which may include knowing what information your Practitioner's clinic, spa or retreat center holds about you, correcting any inaccurate Patron Data, obtaining a record of your Patron Data and, in certain circumstances, deleting or removing your Patron Data. Please note that regulated Practitioners have strict legal and regulatory obligations around Patron Data and may not always be permitted to delete or remove it.
Questions about Patron Data: If you have any questions about your Patron Data or wish to exercise any of your rights as a Patron, please contact your Practitioner's clinic, spa or retreat center. If your Practitioner has any questions about the management of Patron Data in the Offerings, they may contact us and we will support them as needed to respond to your request. Please note that, in order to maintain strict security of your Patron Data, we can only access Patron Data upon instruction from the Practitioner.
Sharing Your Information
We do not sell or distribute personal information to third parties for their own commercial or marketing purposes. We will only share personal information we collect in the following circumstances:
Suppliers and Service Providers: In order to operate our business and provide the Services to our Practitioners and their users, we may need to share a limited amount of personal information, including Patron Data, with our third-party suppliers and service providers. Before sharing personal information, we ensure that the third parties receiving it have provided appropriate safeguards, and that privacy rights are protected and preserved. Some of the areas where we use third-party suppliers and service providers include:
- Our data centers where all platform data is stored
- Customer support services to help us collect feedback and manage our support services
- Communication services to send out email and SMS notices or reminders
- Payment processors
Corporate Transactions: We may share personal information in connection with negotiating or carrying out a financing or acquisition of our business, a merger or amalgamation with another business, or a sale of all or part of our company assets. Before sharing personal information, we will ensure that appropriate confidentiality and non-disclosure undertakings are in place. We will not share Patron Data in these circumstances.
Compliance with Laws: We may disclose personal information to a third party if we are required to do so by applicable law, government request, court order or regulatory body. We may also be required to disclose personal information to enforce our legal rights, to enforce security requirements, or to respond to an emergency which we believe, in good faith, requires us to disclose personal information. In such instances, if permissible, we will make every reasonable effort to give you as much notice as possible regarding the disclosure of your personal information, what information was disclosed and why. We will not disclose Patron Data unless legally required to do so.
Anonymized/Aggregated Data: Karma Well may use automated processes to derive anonymized, aggregated information from Practitioner accounts and their Patron Data in order to assist in our continued development and improvement of the Services, and for research, data analysis, benchmarking, statistics or trend analysis. We will ensure that none of the information we derive identifies, or could be used to identify, any user or patron. Karma Well may share such anonymized information with Practitioners and others, for example, by providing insights into the most common conditions, the most popular treatments or benchmarking fees against industry or regional norms.
We protect your personal information, including Patron Data stored in our platform, by:
- Using industry standard security controls such as encryption, including TLS/SSL (Transport Layer Security, the successor to Secure Sockets Layer) with a certificate issued for our web server, so that information is transmitted over an encrypted connection between your browser and our web server.
- Using state-of-the-art data centres with appropriate security and compliance certifications, such as SOC 2, that support HIPAA compliance. Note that the EU-US Privacy Shield framework was invalidated by the Court of Justice of the European Union in July 2020 and is no longer a valid mechanism for EU-US data transfers.
- Having our personnel sign strict confidentiality agreements to ensure they understand the confidential nature of the data we process, and only accessing your account when you request assistance from us.
- Requiring password protection of your user account with a password set by you. We cannot access or identify your password. The only way to recover a password is for you to initiate a reset via the email address or mobile phone number you use for the Services.
While we employ industry standard measures to protect your information, no electronic communication can ever be completely secure. You share responsibility for protection of your personal information by setting a strong password and by keeping your username and password confidential.
We retain personal information only for as long as necessary to achieve our stated purposes, or as required by applicable law. For example, Contact and Billing Information is kept for as long as a Practitioner account is active and for a reasonable period after it has been deactivated, in case you or your Practitioner wish to re-activate the account. User account information may also be retained as necessary to comply with our legal obligations, resolve disputes or maintain our relationship with your Practitioner organization. Credit card information is never kept or stored by us.
If you are a patron of one of our Practitioner clinics, please contact your clinic or practitioner for information regarding the storage period for your Patron Data.
Your Rights
Individuals have certain rights with respect to their personal information. These rights are set out below. If you are a patron of one of our Practitioner clinics, spas or retreat centres, please contact your clinic or practitioner to exercise any of these rights with respect to your Patron Data.
Correction and Deletion: We will make reasonable efforts to ensure that the personal information we collect from you is accurate and complete. You may update, correct or delete your account information at any time by logging into your user account and modifying your personal information, including your preferences to receive messages from us. You may also update, correct or delete your personal information by contacting us as noted below.
Withdrawing Consent: Where we have relied on your consent to use your personal information, you have the right to withdraw that consent at any time by contacting us as noted below. In addition, all our marketing email messages contain the ability to automatically “opt-out” or unsubscribe from our mailing lists and marketing messages.
Access and Portability:
You have the right to request a record of the personal information that we have collected about you and to ask that the information be provided in a structured, commonly used electronic format (where applicable and technically feasible). There may be some cases where we cannot provide you with certain information about you if doing so would disclose personal information of another person or other confidential information, or would compromise our security systems. If you require access to your personal information, please Contact Us. We will respond to you within thirty (30) days of receiving your request. We may charge a fee where permitted by applicable law.
Restriction and Objection:
In certain limited circumstances, individuals in the EU may request that we restrict our use of their personal information and, where we rely on legitimate interests as the legal basis for using your personal information, you have the right to object to such use. In these cases, we can be required to no longer use your personal information; however, this may mean that certain components of our Services cannot be made available to you. If you wish to exercise your right to restrict or object, please Contact Us.
You have the right to lodge a complaint with a supervisory authority (i.e., the independent public authority responsible for monitoring data protection laws in your country). You may also contact the Information and Privacy Commissioner of British Columbia (for British Columbia matters) (http://www.oipc.bc.ca/) or the Privacy Commissioner of Canada (for international matters and inter-provincial matters) (http://www.priv.gc.ca/).
Karma Well Health Technologies Inc.
3919 21st Ave
Attention: Privacy Officer
Updated: January 13, 2023