Privacy Policy

Version 1.4 - February 2025

As part of our activities, KOR is required to process personal data concerning you. This policy allows you to be informed about how we use your data, why we use it, and what we do with it.

1. Objectives and Scope of the Policy

KOR, a company with its registered office at 1 impasse du Palais 37000 Tours (« KOR »), is committed to proactive health and aims in particular to facilitate the completion of health assessments. To this end, KOR has developed a platform for the management and monitoring of health assessments, including the management of computerized patient medical records (the « KOR Platform »). KOR is committed to ensuring the protection of personal data and the privacy of KOR Platform users.

This KOR data protection policy (the « Policy ») defines the conditions under which KOR processes personal data (hereinafter referred to as « Personal Data ») of KOR Platform users as a data controller. This Policy applies to healthcare professional users (e.g., doctors, nurses) and patients (hereinafter collectively referred to as « Users »).

KOR complies with the provisions of European Regulation 2016/679 of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the « GDPR »), Law No. 78-17 of January 6, 1978, relating to data processing, files, and freedoms, as amended (the « LIL »), and this Policy.

Healthcare professional users of the KOR Platform:
- Remain responsible for the processing of patients' personal data within the scope of their medical care;
- Act as joint data controllers with KOR for certain processing purposes, as described in this Policy. 

2. Collection of Personal Data

Personal data collected within the KOR Platform comes from:

- The patient user, for example when they answer questionnaires made available on the KOR Platform;
- Healthcare professional users involved in the patient's care as part of their journey within the KOR Platform (e.g., doctors, nurses);
- The staff of the Center or any other establishment where medical examinations are carried out for the health assessment, subject to medical confidentiality, either directly during an in-person reception, a telephone reception, or via the online appointment booking module, Doctolib, when the patient is cared for by the Center.

3. Data Processed, Purposes, and Legal Bases

KOR processes Users' Personal Data:

- for the performance of the contract concluded with the User (in particular the KOR Platform Terms of Use) (Art. 6(1) b) of the GDPR);
- to comply with its legal and regulatory obligations (Art. 6(1) b) of the GDPR);
- to pursue its legitimate interests (Art. 6(1) f) of the GDPR);
- based on their consent (Art. 6(1) b) and 9(2) a) of the GDPR);
- for assistance in conducting health assessments (Art. 9(2) h) of the GDPR).

The provision of Personal Data is not mandatory, but without some of it, the User will not be able to use all the functionalities of the KOR Platform.

a. KOR processes the following Personal Data as an independent data controller:

Purpose: Creation and management of the healthcare professional user account
Personal Data processed: Last name, first name, email address, password, specialty, RPPS number
Legal basis for processing: Performance of the contract

Purpose: Organization of tele-expertise consultations by healthcare professionals
Personal Data processed: All or part of the questionnaires completed by the patient, of the patient's medical profile and/or biological analyses, limited to the elements necessary to carry out the tele-expertise
Legal basis for processing: Consent of the User to the processing of their data, including their health data

Purpose: Improvement of the User experience and analysis of the use of the KOR Platform by means of cookies or other trackers
Personal Data processed: IP address, browser type, screen size, browsing history between pages
Legal basis for processing: Consent of the User where required by law

Purpose: Responding to requests for information about the KOR Platform
Personal Data processed: Email address
Legal basis for processing: KOR's legitimate interest in informing its users or future users

Purpose: Providing support and security for the KOR Platform
Personal Data processed: Last name, first name, email address, IP address
Legal basis for processing: KOR's legitimate interest in providing support for the KOR Platform and assisting Users

b. KOR processes the following Personal Data as a joint controller within the meaning of Article 26 of the GDPR, together with the healthcare professionals involved in the care of the patient User:

N.B.: Healthcare professionals remain responsible for processing within the scope of their patients' medical care. However, KOR is a joint controller with these professionals for certain purposes pursued through the use of the KOR Platform. 

Purpose: Screening for diseases and identification of risk factors, and participation in the improvement of this screening
Personal Data processed: Answers to questionnaires; list of examinations to be performed; prescriptions for examinations (e.g., blood test, urine analysis); results of biological analyses for the various markers prescribed by the doctor; clinical examination reports, i.e., qualitative and quantitative data from the clinical examinations performed during the check-up (e.g., cardiac and respiratory examination, abdominal palpation, bioimpedance analysis, vital signs, etc.); reports of consultations carried out by KOR's medical team and partners, whether by healthcare professionals in person or by teleconsultation; reports and scans of imaging examinations (CT scan, MRI, ultrasound, etc.) performed on prescription of healthcare professionals or KOR doctors; health assessment; health action plan
Legal basis for processing: Consent of the User to the processing of their data, including their health data; medical diagnosis, provision of health or social care, and management of health or social care systems and services

Purpose: Management of the patient User's care pathway
Personal Data processed: Last name, first name, email address, appointment dates
Legal basis for processing: Performance of the contract

A summary of the joint controller agreement is available upon request, as specified in section 10 of the Policy.

4. Security of Personal Data

KOR implements technical and organizational security measures to ensure the security of Personal Data and to protect it against unauthorized access, loss, or disclosure.

Personal Data processed within the KOR Platform is hosted by AWS France, certified as a health data host (HDS). The servers are located in French territory. Below are KOR's main security measures for the platform:

Data Security
- Use of AWS VPC to create an isolated network, with private subnets for databases and public subnets for load balancers.
- Encryption of sensitive data using AES-256 for storage (S3, EBS) and TLS 1.2 or higher for transit.

Identity and Access Management
- IAM policies implementing the principle of least privilege, audited quarterly.
- Multi-factor authentication (MFA) required for all administrative access, using authentication applications or physical tokens.
- Semi-annual review of access policies to ensure their adequacy with operational needs.

Backup and Disaster Recovery
- Automated daily backups with Amazon RDS, and EBS snapshots taken every 6 hours, retained for 90 days.
- Bi-annual testing of the disaster recovery plan, with Recovery Point Objectives (RPO) of 4 hours and Recovery Time Objectives (RTO) of 24 hours.

Security Training and Awareness
- Mandatory annual security training for all employees, supplemented by quarterly sessions on current threat trends.

5. International Transfers of Personal Data 

Users' Personal Data is processed and stored within the territory of the European Union or in a country whose legislation is recognized as adequate by a decision of the European Commission in accordance with Article 45 of the GDPR. When Personal Data is subject to an international transfer to a country not covered by an adequacy decision, KOR undertakes to implement mechanisms to frame these transfers in accordance with the GDPR, such as the conclusion of standard contractual clauses of the European Commission.

6. Retention of Personal Data

Users' Personal Data is retained by KOR for the period strictly necessary to achieve the purposes for which it was collected. KOR also complies with any applicable retention periods under relevant laws and regulations. 

7. Recipients of Personal Data 

Personal Data may be disclosed to the following recipients for the purposes described in the Policy:

- KOR's subcontractors involved in the processing of Personal Data.
- KOR personnel on a need-to-know basis.
- External healthcare professionals and biology laboratories.

8. User Rights

In accordance with applicable legislation, Users have the right to access, rectify, and delete their Personal Data. Users also have the right to object to the processing of their Personal Data, to request restriction of that processing, and to request its portability. You have the right to lodge a complaint with the supervisory authority, in France: the National Commission for Information Technology and Liberties (CNIL): CNIL - Service des Plaintes - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.

Users can exercise their rights by contacting KOR's Data Protection Officer, by mail at 1 impasse du Palais 37000 Tours or by email at [email protected].

9. Cookies and Tracking Technologies

We use cookies and other tracking technologies to improve your user experience and analyze the use of our service. The use of some of these cookies or other technologies requires your consent. You can modify your preferences within the specific consent tool implemented on the KOR Platform. 

10. Policy Modifications and Contact 
