This Privacy Policy explains how Kivira Axis Inc. ("Kivira", "we", "us", "our") collects, uses, discloses, and protects information when you use our websites (including our public website), mobile applications, clinician tools, and related services (collectively, the "Services").
If you are using Kivira through a clinic, health system, employer program, or another organization (a "Customer"), that Customer may control certain settings and data flows in the Services.
This policy covers information processed through the Services, including:
This policy does not cover third party websites, apps, or services that you may access through links in the Services.
We collect information in three main ways: information you provide, information collected automatically, and information received from third parties (including EHR integrations where applicable).
Depending on how you use the Services, you may provide:
When you use the Services, we may automatically collect:
We may receive information from:
The Services may process information that can be considered health information or sensitive personal information (for example, mental health assessment responses). We use this information to provide the Services and for the purposes described below.
When Kivira processes Protected Health Information for a healthcare provider, clinic, or health system that is subject to HIPAA, we act as a HIPAA Business Associate under a Business Associate Agreement with that Customer. In those contexts, the information we process on behalf of the Customer may be Protected Health Information subject to HIPAA protections.
Some public website, account, support, or direct interactions may not be Protected Health Information under HIPAA, even if they relate to health. We still protect that information as described in this policy and as required by applicable privacy and consumer-protection laws.
We use information in ways that depend on how you use the Services and whether you use Kivira through a Customer. In general, we use information to:
We may use information to improve the Services and our clinical decision support capabilities. This can include testing, quality assurance, validation, safety evaluation, and improving our algorithms. Where appropriate and permitted, we may also create de-identified, pseudonymized, limited, or aggregated datasets to conduct analytics (including cohort analysis) and support research projects with partners.
When we use data for analytics, product improvement, validation, or research purposes, we do so in a manner consistent with applicable law, Customer agreements, and any consent or authorization requirements that apply. De-identified data is intended not to identify you. Pseudonymized or limited data is not the same as de-identified data and may still be subject to HIPAA, contractual, privacy, and security safeguards.
If your responses indicate possible risk of self-harm, the Services may route a report, notification, or visibility indicator to your healthcare provider or Clinic according to Customer configuration and workflow.
We do not use personal information for targeted advertising. We do not sell personal information and we do not share personal information with data brokers. We do not link data collected in the Services with third party data about you for advertising or advertising measurement purposes.
If your assessment responses indicate elevated risk of self-harm, we may send a safety outreach email or SMS to the contact information associated with your account that includes crisis hotline numbers and related support resources.
We use this information to provide safety-related support communications and to help connect users to appropriate crisis resources. These emails and SMS messages are not emergency response services and do not mean Kivira is monitoring you in real time.
Depending on applicable law and deployment context, we may process and send these communications based on your consent, to protect vital interests, to provide health-related service operations, or to comply with legal obligations.
Kivira uses software algorithms to analyze assessment responses and available clinical context to generate summaries, screening insights, medication-safety notes, guideline references, and diagnostic considerations or "conditions to consider" for your healthcare provider. These outputs are intended to support clinician review before clinical decisions are made.
Some features may use automated or AI-assisted methods to help generate summaries, insights, or workflow outputs. Where used:
We may use information described in this policy to develop, evaluate, validate, and improve AI-assisted features as part of improving the Services, consistent with applicable law, Customer agreements, and any consent or authorization requirements that apply. When information is Protected Health Information, we use it for these purposes only as permitted by the applicable Business Associate Agreement, Customer arrangement, and HIPAA. We do not permit service providers to use identifiable health information from the Services to train their general-purpose models except where expressly permitted by applicable law, contracts, and required authorizations.
We may update this section as AI-related features evolve.
We share information in the following circumstances:
If you use Kivira through a Customer, we may share information with that Customer and authorized users (for example, clinicians and clinic administrators) as required to deliver the Services and according to Customer configuration and permissions. Detailed clinical reports are intended for authorized clinician review; administrative users may have more limited, top-level workflow visibility depending on their permissions.
We use vetted vendors to provide infrastructure and operations such as hosting, authentication, storage, databases, email, SMS or messaging, monitoring, security, customer support tools, analytics, and integration services. These providers are permitted to process information only to perform services for us, under contractual obligations and Business Associate Agreements where required.
We may use medication-safety or clinical-reference vendors, databases, or resources to help screen for potential interactions, duplicate therapies, allergies, contraindications, and related safety notes. Where used, the ordinary workflow is designed to use only the clinical attributes reasonably needed for the screening, such as age, sex, allergies, diagnoses, current medications, and related clinical attributes, and to omit direct patient identifiers.
Where you or your Customer enable integrations (for example, EHR connectivity), we share and receive data through those integrations based on patient authorization, Customer configuration, applicable EHR controls, and applicable law. Kivira does not control Epic, MyChart, or other EHR consent screens or authorization flows.
We may disclose information if we believe it is necessary to:
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to appropriate safeguards.
We may share limited information with service providers that help us operate the Services, such as hosting, logging, monitoring, analytics, and crash reporting providers. These providers may process data only on our instructions and for the purposes described in this policy. We do not use these tools for targeted advertising, and we do not sell personal information or share it with data brokers.
We retain information for as long as needed to provide the Services and for legitimate business purposes such as security, compliance, dispute resolution, and audit requirements. Retention periods can vary based on:
If you use Kivira through a Customer, the Customer may control certain retention settings.
We use reasonable administrative, technical, and physical safeguards designed to protect information from unauthorized access, use, or disclosure, including encryption in transit and at rest where appropriate. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
Depending on where you live and how you use the Services, you may have rights to:
If you use Kivira through a Customer, you may need to route certain requests through that Customer. We will respond to requests in accordance with applicable law.
To submit a request, contact us at: hello@kivira.health.
You may opt out of certain non-essential communications, including SMS where supported by the communication channel. However, we may continue to send communications that are necessary for safety, security, legal compliance, or core service-related purposes, as permitted by law.
The Services are not intended for people under 18. If you believe a child has provided us information without appropriate authorization, contact us and we will take appropriate steps.
Kivira may process information in countries other than where you live (for example, where our service providers operate). Where required, we use appropriate safeguards for cross-border transfers.
We may update this Privacy Policy from time to time. We will post the updated version and update the "Last updated" date. If changes are material, we may provide additional notice through the Services or by other means.