Privacy Policy (GDPR)

Last updated: June 5, 2026

This privacy policy describes how KINON, an online software service (SaaS) operated by [RAISON_SOCIALE] and intended for physiotherapists and physiotherapy practices, collects, uses, shares and protects personal data, including health data, processed in connection with the use of the platform. It is drafted in accordance with Regulation (EU) 2016/679 of 27 April 2016 (the GDPR) and French Act No. 78-17 of 6 January 1978, as amended (the French Data Protection Act). KINON pays particular attention to the protection of health data, which constitutes a special category of data within the meaning of Article 9 of the GDPR and benefits, on that basis, from reinforced protection.

1. Data controller

The controller of personal data is [RAISON_SOCIALE], whose registered office is located at [ADRESSE_SIEGE] (hereinafter KINON, we, or the Provider). The data controller determines the purposes and means of the processing operations described in this policy for the data it processes on its own behalf, such as practitioners' account data, billing data and the technical operating data of the service.

With regard to patients' health data entered by the physiotherapist (assessments, exercise programs, follow-ups, communications), the practitioner or the user practice acts as the controller of that data in connection with the care of its patients, whereas KINON acts as a processor within the meaning of Article 28 of the GDPR, meaning that it processes such data on behalf of and on the instructions of the practitioner. The respective roles and commitments of each party are set out, where applicable, in a data processing agreement (DPA) annexed to the terms of use.

For any question relating to this processing, you may contact KINON at [EMAIL_CONTACT] or by post at the registered office address indicated above.

2. Data Protection Officer (DPO)

Given the nature of the data processed, and in particular the large-scale processing of health data falling within Article 9 of the GDPR, KINON has appointed a Data Protection Officer (DPO), responsible for monitoring compliance with the applicable data protection rules and acting as a point of contact for data subjects and for the supervisory authority.

The Data Protection Officer can be contacted at [DPO_EMAIL] for any question relating to the processing of your personal data or to the exercise of your rights. You may also write to the DPO at the registered office [ADRESSE_SIEGE], for the attention of the Data Protection Officer.

3. Categories of data collected

We collect and process various categories of personal data, depending on whether you are a physiotherapist (practitioner user), a member of a practice, or a patient whose data is entered by a practitioner. We limit ourselves to the data strictly necessary for the purposes described in Section 4, in accordance with the principle of data minimisation.

  • Identity and account data: surname, first name, email address, telephone number where applicable, login identifier, password (stored in encrypted and irreversible form), role within the practice, and, for practitioners, professional data such as the professional registration number when provided.
  • Health data (Article 9 of the GDPR): this is sensitive data falling within a special category. It includes the information declared and entered as part of physiotherapy assessments, pathologies and medical history, declared pain and symptoms, the body areas concerned, the results of tests and assessment scales, prescribed exercise programs, session reports, progress measurements, and the communications between the patient and their practitioner relating to the patient's care.
  • Usage data: information relating to your use of the platform, such as pages viewed, features used, exercises performed, dates and times of connection, the progress of programs, and actions carried out in the application.
  • Billing and payment data: for subscribed practitioners and practices, the data needed to bill the subscription (company name, billing address, history of payments and invoices). Payment is processed by our provider Stripe; KINON never has access to your full bank card number.
  • Technical data and connection logs: IP address, browser type and version, operating system, device type, session identifiers, as well as the technical access and event logs generated automatically to ensure the operation, security and traceability of the service.
  • Cookies and trackers: information collected through cookies and similar technologies, under the conditions set out in Section 15 and in our cookie policy.

4. Purposes of processing

Your personal data is processed for specified, explicit and legitimate purposes. Each purpose corresponds to one or more legal bases detailed in Section 5.

  • Provision of the service: creation and management of your account, authentication, and provision of the assessment, prescription, exercise-program follow-up and practitioner-patient messaging features.
  • Care and follow-up: enabling the physiotherapist to carry out assessments, design and adapt exercise programs, and follow up on the rehabilitation of their patients.
  • Management of the contractual relationship and billing: management of subscriptions, collection of payments, issuance of invoices, monitoring of due dates and management of any unpaid amounts.
  • Support and assistance: handling your requests, answering your questions and resolving technical incidents.
  • Improvement and security of the service: analysis of the use of the platform using aggregated or anonymised data, maintenance of quality, fraud prevention, detection of security incidents and ensuring the availability of the service.
  • Communication: sending service notifications, information relating to the operation of the platform and, subject to your consent where required by law, communications relating to our offers.
  • Compliance with our legal obligations: retention of accounting and tax records, response to requests from authorised authorities and compliance with applicable regulations.

5. Legal bases for processing

In accordance with Article 6 of the GDPR, and Article 9 for health data, each processing operation relies on an appropriate legal basis.

  • Explicit consent (Article 9(2)(a)): the processing of health data relies on the explicit consent of the data subject or, where applicable, on the necessity for the purposes of preventive medicine or the provision of health care within the meaning of Article 9(2)(h), carried out under the responsibility of the health professional. Consent may be withdrawn at any time, without that withdrawal affecting the lawfulness of processing carried out before it.
  • Performance of the contract (Article 6(1)(b)): the processing of account, usage and billing data is necessary for the performance of the subscription contract to which you are a party or for the performance of pre-contractual measures taken at your request.
  • Legitimate interest (Article 6(1)(f)): certain processing operations, such as the security of the service, fraud prevention and the improvement of the platform using aggregated data, rely on KINON's legitimate interest in providing a reliable and secure service, after balancing against your rights and freedoms.
  • Legal obligation (Article 6(1)(c)): certain processing operations, in particular the retention of invoices and accounting records, are necessary to comply with legal obligations to which KINON is subject.

6. Recipients of data and processors

Your data is only accessible to authorised persons who need it in the course of their duties. It is not assigned, rented or sold to third parties for commercial purposes.

In the course of operating the service, we use carefully selected processors, who act on our instructions and provide sufficient guarantees within the meaning of Article 28 of the GDPR. Each processor is bound by a contract governing the confidentiality and security of the data.

  • Payment provider (Stripe): secure processing of bank card payments in accordance with the PCI-DSS standard. KINON does not store your full card details.
  • Health data hosting provider ([HEBERGEUR_HDS]): hosting of the platform and data, including health data, under conditions compliant with health data hosting certification (HDS).
  • Email delivery provider (emailing): delivery of transactional and service emails (account verification, notifications, password reset).
  • Authorities and authorised third parties: possible transmission to administrative or judicial authorities where required by law or to assert our rights.

7. Hosting and location of health data

In accordance with Article L. 1111-8 of the French Public Health Code, personal health data collected or produced in connection with care activities is hosted with a provider certified for health data hosting (HDS certification). Our hosting provider, [HEBERGEUR_HDS], holds this certification.

The data, and in particular health data, is hosted and stored within the European Union. We ensure that the infrastructure used guarantees a high level of security, availability and confidentiality, and that health data is not transferred outside the European Economic Area without the appropriate safeguards described in Section 8.

8. Transfers of data outside the European Union

In principle, your data, and in particular your health data, is hosted and processed within the European Union. We systematically favour providers and infrastructure located within the European Economic Area.

Should any processing involve a transfer of data to a country located outside the European Economic Area, for example through certain technical providers, such transfer would only be carried out to a country benefiting from an adequacy decision of the European Commission, or framed by appropriate safeguards within the meaning of Articles 44 et seq. of the GDPR, such as the standard contractual clauses adopted by the European Commission, supplemented where appropriate by additional technical and organisational measures. A copy of the safeguards implemented can be obtained on request from our Data Protection Officer.

9. Retention periods

Your personal data is kept for a period not exceeding that necessary in light of the purposes for which it is processed, and is then archived or deleted in accordance with the applicable legal periods.

  • Account and usage data: kept for the entire duration of the contractual relationship, then deleted or anonymised within a reasonable time after the account is closed, subject to legal archiving periods.
  • Health data: kept for the duration of the care decided by the practitioner acting as controller, in compliance with the rules relating to the patient record and the recommendations applicable to health professionals. At the end of that period, it is securely archived and then deleted.
  • Billing data and accounting records: kept for ten (10) years from the close of the accounting year, in accordance with legal accounting and tax obligations.
  • Technical data and connection logs: kept for a period generally between six (6) and twelve (12) months for security and traceability purposes, unless a longer legal retention obligation applies.
  • Prospect and marketing data: kept for three (3) years from the last contact, where applicable.

10. Data security

KINON implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, and to protect your data against unauthorised or unlawful destruction, loss, alteration, disclosure or access, whether accidental or unlawful.

  • Encryption: encryption of data in transit (TLS/HTTPS protocol) and encryption at rest of sensitive data; passwords are stored as irreversible hashes.
  • Access control: management of authorisations according to the principle of least privilege, user authentication and segregation of data between practices (multi-tenant architecture).
  • Logging: recording of accesses and sensitive operations to ensure traceability and to detect any incidents.
  • Secure hosting: use of an HDS-certified hosting provider offering guarantees of physical and logical security, backup and business continuity.
  • Personal data breach management: in the event of a personal data breach likely to result in a risk to your rights and freedoms, KINON undertakes to notify the competent supervisory authority as soon as possible and, where required by the regulation, to inform the data subjects.

11. Your rights over your data

In accordance with the GDPR and the French Data Protection Act, you have the following rights over your personal data. Where the data concerned is health data entered by a practitioner, certain requests may be handled in connection with the practitioner acting as controller.

  • Right of access: obtain confirmation that data concerning you is being processed and receive a copy of it.
  • Right to rectification: obtain the correction of inaccurate or incomplete data concerning you.
  • Right to erasure: obtain the erasure of your data in the cases provided for by the GDPR, subject to legal retention periods and KINON's obligations.
  • Right to restriction of processing: obtain, in certain cases, the temporary suspension of the processing of your data.
  • Right to object: object, for reasons relating to your particular situation, to processing based on legitimate interest, as well as to any processing for marketing purposes.
  • Right to portability: receive the data you have provided to us, in a structured, commonly used and machine-readable format, and transmit it to another controller where technically possible.
  • Right to withdraw your consent: withdraw at any time your consent to processing based on it, in particular for health data, without that withdrawal affecting the lawfulness of prior processing.
  • Right to define post-mortem directives: define directives relating to the retention, erasure and communication of your data after your death, in accordance with Article 85 of the French Data Protection Act.

12. How to exercise your rights

You may exercise your rights by sending a request to our Data Protection Officer at [DPO_EMAIL], or by post to the registered office [ADRESSE_SIEGE]. You may also write to [EMAIL_CONTACT].

In order to guarantee the confidentiality of your data and to prevent any fraudulent request, we may need to ask you to prove your identity by any appropriate means. We endeavour to respond to any request within one (1) month of receipt, a period that may be extended by two (2) months in the case of a complex request or a high number of requests, in which case you will be informed.

13. Complaint to the CNIL

If, after contacting us, you consider that your rights are not respected or that the processing of your data does not comply with the regulations, you have the right to lodge a complaint with the French Data Protection Authority (Commission nationale de l'informatique et des libertés, CNIL), the French supervisory authority.

The CNIL can be contacted by post at 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France, or online at www.cnil.fr. We nevertheless invite you to contact us first so that we can address your concerns.

14. Data of minors

KINON is a tool intended for health professionals and is not intended to be used directly and independently by minors. Where a minor is being cared for by a physiotherapist, the data concerning them is processed under the responsibility of the practitioner, in compliance with the rules relating to parental authority and the obtaining of consent.

Consent to the processing of a minor's health data is, where applicable, obtained from the holder or holders of parental authority, in accordance with the applicable regulations. We do not knowingly collect data from minors outside this care context.

15. Cookies and trackers

We use cookies and similar technologies to ensure the operation of the service, remember your preferences and, where applicable, measure audience. Cookies strictly necessary for the operation of the service are placed without prior consent; other trackers are only placed with your consent.

For more information on the cookies used, their purpose, their retention period and how to configure them, please consult our cookie policy available at /cookies.

16. Changes to this policy

This privacy policy may be amended at any time to take account of legal, regulatory, case-law or technical developments, or developments in the service. The applicable version is the one in force and published on the platform on the date of your consultation.

In the event of a substantial change, in particular concerning the purposes of processing or the categories of data collected, we will inform you by an appropriate means, for example by a notification in the application or by email. The date of the last update appears at the top of this policy.

17. Contact

For any question relating to this privacy policy or to the processing of your personal data, you may contact KINON at [EMAIL_CONTACT], or our Data Protection Officer at [DPO_EMAIL].

You may also write to us by post at our registered office address: [RAISON_SOCIALE], [ADRESSE_SIEGE].