Privacy Policy
Definitions
- "HeartCloud:" the web application residing at https://heartcloud.io
- "HeartCloud Account:" a registered user account on https://heartcloud.io, representing an individual, natural person
- "HeartCloud for Health Practices Accounts:" a registered account on https://practices.heartcloud.io, which includes at least one physician representing their own practice (or a healthcare provider) where that physician is licensed to practice medicine and, potentially, other individuals (e.g., staff members or agents) associated with each physician and/or an employing healthcare provider
- "Service:" collectively, HeartCloud, HeartCloud Sync, and HeartCloud for Health Practices.
- "Company:" HeartCloud, Inc., which makes available the Services
- "User:" A customer of HeartCloud who has a HeartCloud User Account
- "Apple Health Export File:" a file named "export.zip" that is created from the Apple Health app’s option to export all data from HealthKit
- "Data Protection Representative:" HeartCloud, Inc.’s representative for purposes of data protection and privacy is Alex Podobas, JD ((424) 222-9470 and alex@heartcloud.io)
Effective Date Of This Privacy Policy and Notification of Material Changes
This Privacy Policy is effective as of September 8, 2019 ("Initial Effective Date").
The Company will release significant, material changes to this Privacy Policy in versions. This version, which is current and in effect as of the Initial Effective Date, is version 1.0. Any subsequent version will be sequentially numbered in tenths place formatting (e.g., 1.0, then 1.1, then 1.2, and so forth), and changes will be listed at the top of each Privacy Policy version.
From time to time, it may be necessary for the Company to make significant, material changes to a version of this Privacy Policy currently in effect. In such circumstances, the Company will notify each User at the e-mail address used to log into the Service.
What This Privacy Policy Applies To
This webpage contains each version(s), including the currently effective one, of the Company’s privacy policies and practices ("Privacy Policy") regarding the following software applications (all of which comprise the Service, as stated in the Definitions section of this web page):
- The iOS app, which is limited to iPhone devices, named "HeartCloud Sync"
- https://heartcloud.io or https://www.heartcloud.io and any subdomains on either (referred to herein as "HeartCloud.io")
- https://www.heartcloud.io or https://www.practices.heartcloud.io and any subdomains on either (referred to herein as "HeartCloud for Health Practices")
Sharing With Third Parties (Marketing):
HeartCloud, Inc. does not share any mobile information (including cell phone numbers or any personally-identifiable information linked to such a phone number) with any third party or affiliates for marketing, promotional, or advertising purposes.
All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties
How Information is Collected
There are multiple ways in which the Service collects various types of information:
- First, HeartCloud Sync collects data available on a User’s iPhone that resides in Apple’s HealthKit platform (see https://developer.apple.com/healthkit/). This data includes what is listed here (as of 9/8/19): https://developer.apple.com/documentation/healthkit/data_types?language=objc. As the HealthKit documentation is updated from time to time, the types of data available for HeartCloud will be updated.
- Second, HeartCloud allows a User to upload data to their HeartCloud Account by creating an Apple Health Export File and subsequently importing that ZIP file into HeartCloud once authenticated. The Company encourages Users to upload data in this fashion if they have Apple Watch-collected electrocardiogram (ECG) readings available through the Health App on their iPhone, as ECG readings cannot be collected by the HeartCloud Sync iOS app.
- Third, HeartCloud for Health Practices does not collect any information directly from a User’s iPhone. There is no ability for any user of a HeartCloud for Health Practices account to exercise any control or invoke any functionality on a User’s iPhone.
What Information Is Collected
Information Natively Collected from Apple Health:
Data and metadata collected by the Apple Watch and third party digital health devices, including, but not necessarily limited to blood pressure cuffs, glucometers, spirometers, and weight scales (which may include both body mass (weight) and BMI, in either pounds, stone, or kilograms)
HealthKit Data Type | Details About Information That Is Or May Be Collected By The Service |
---|---|
Data Related to Heart Rate: |
|
Data From Apple Watch Electrocardiograms (ECGs): |
|
Data Related To Daily Activity: |
|
Data Related to Oxygen Saturation (Note: this data type may be self-entered or automatically saved to Apple Health by certain pulse oximeters): |
|
Data Related to Body Temperature (Note: this data type may be self-entered or automatically saved to Apple Health by certain thermometers): |
|
Data Related to Blood Pressure: |
|
Data Related to Blood Glucose: |
|
Data Related To Apple Watch Series 4/Series 5 Electrocardiograms (ECGs): |
|
Data Related To Pulse Oximeters: |
|
Data Related to Body Temperature |
|
Data Related to Lung and Breathing Physiology Based On Spirometer Readings: |
|
Data Related to VO2 (Volumetric Oxygen) Max: |
|
Data Related to Workout Sessions: |
|
Information Added Or Enhanced By HeartCloud
Depending on the context, the Company may utilize various data listed above under "Information Natively Collected from HealthKit" to acquire data from third party services. Currently, the following data is utilized for the following purposes:
- The Company uses Dark Sky (see https://darksky.net/dev) to obtain historical weather conditions at a particular date, time, and GPS coordinates (longitude and latitude) associated with a User’s workout session captured by their Apple Watch. Any historical weather data result(s) are stored along with the workout session.
- The Company uses LocationIQ (see https://locationiq.com/) to obtain geopolitical location information associated with a latitude and longitude (such as a country, city, postal code, which is generally known as "reverse geocoding") to update a User’s workout session with information about where exactly that workout session started and ended. This may include geolocation information, political designation of a place (e.g., township, hamlet, unincorporated, etc.), city, state, country, postal code, type of terrain, and other characteristics about a place.
- The Company uses Mapbox, Leaflet, and Apple Maps to provide visualizations of location and route data on different styles of maps associated with a User’s workout session (if GPS data were collected during that workouts session).
Other Information
In addition to information collected from HealthKit or subsequently added by HeartCloud, individual, natural persons may manually input data into the Service.
- A HeartCloud User may input their first name last name, height, weight, units of weight and height, whether they are a smoker, any health conditions or medications that they are taking, and notes on their workout sessions.
- A HeartCloud for Health Practices user may view all information provided by a HeartCloud User if that user has consented to sharing their data with that HeartCloud for Health Practices account. Subsequently, a HeartCloud for Health Practices user may enter notes on a patient's data, add ICD-10 diagnosis data or medication data from the U.S. National Library of Medicine's Clinical Table Search Service.
What We Do With the Information Collected
Once a User has synchronized data into their HeartCloud account through the iOS app or imported it manually through the HeartCloud website, their health, fitness, and activity data is stored in various database tables and linked to their User Account through one or more unique identifiers.
Each ECG reading’s data is contained within a single CSV file in the ZIP file exported from a User’s Health app on their iPhone. After ECG data has been processed and stored into HeartCloud’s database and associated with a User Account for the logged in account which uploaded one or more ECG readings, each CSV file is promptly deleted by HeartCloud.
Given the extraordinary sensitivity of User data uploaded to the Service, the Company does not make data available to third parties, with one important exception: that third party is a HeartCloud for Health Practices Account and a physician-patient relationship has been established between (1) a User and (2) a healthcare provider using a HeartCloud for Health Practices Account.
The Company does not utilize the Service or User data for any advertising purposes, nor does the Company allow third parties to utilize the Service or User data for any advertising purposes. The Company is aware of the extraordinarily sensitive nature of the data uploaded to, or made accessible through, the Service by means of the functionality offered by HeartCloud Sync, HeartCloud, and HeartCloud for Health Practices. The Company does not permit or otherwise facilitate third party access to User data on the Service, nor does the company facilitate any such access, with one exception: that third party is a physician or healthcare provider practice that has been explicitly authorized by a HeartCloud User under a physician-patient relationship.
From time to time, the Company may need to consult with its outside counsel (attorneys who do not work directly for the Company, but rather practice independently, such as at a law firm) regarding specific uses of User data in light of changes to statutory law, common law, regulations, or various types of government requests. The Company may also have its data reviewed from time to time by U.S. government officials (e.g., from the Food and Drug Administration) for compliance with U.S. law and regulations.
Where We Store Your Information
The Company does not use its iOS app to make or to store separate copies of information shown in Apple’s iOS Health and Activity apps. HeartCloud Sync stores a limited amount of information on a user’s iPhone:
-
HeartCloud Sync (iOS App):
- An authentication token. This changes each time you log into your HeartCloud User Account from HeartCloud Sync.
- Once signed into a HeartCloud User Account, the HeartCloud Sync app will ask HeartCloud for the date and time of the chronologically last result for a particular data type (for example, the date and time of the most recent synchronized heart rate). If a result is returned that contains a date and time result, then both the date and time and the type of data it relates to are stored on a User’s iPhone. This data may be overwritten should HeartCloud inform HeartCloud Sync that a more recent result is available.
- HeartCloud and HeartCloud for Health Practices: Data synced to HeartCloud by HeartCloud Sync or uploaded to HeartCloud manually from an Apple Health Export File is stored in a database and associated, through the use of one or more unique identifiers, with a User and their HeartCloud Account. That database physically resides within the borders of the United States of America in various data centers in at least one state.
- Backups: From time to time, authorized personnel at the Company may create and encrypt backups of the contents of HeartCloud databases, which are then subsequently stored on external, physical storage media within one or more digital containers, each of which may be encrypted and protected by other authentication mechanisms.
To Modify Or Delete Your Data
A User can make changes to their name and other medically-informative information by signing into HeartCloud and then clicking or tapping the "Me" link on the sidebar.
A User can delete their data from the HeartCloud by signing into HeartCloud and then clicking or tapping the "Manage My Data" link under the settings page of their account to delete data which they have uploaded to their HeartCloud Account.
Each jurisdiction has its own laws and regulations regarding the duration for which data created as a result of, made available under, or otherwise associated with a physician-patient relationship must be held. Therefore, a healthcare provider with which you are currently, or have in the past, shared your HeartCloud Account data with may be required to retain data as part of their patient record-keeping requirements, even if you have made a request of the Company to delete such information or have deleted that information yourself from your own HeartCloud Account.
Changes
The Company may, from time to time, update this Privacy Policy. We encourage our users and prospective users to periodically review this Privacy Policy. Use of the Service requires consent to this Privacy Policy.