Privacy Policy

Last updated: January 1, 2026

1. Introduction

Kshemetrix Inc. (“Kshemetrix,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website at kshemetrix.com (the “Site”), use our Enterprise Wellbeing OS platform (the “Platform”), or engage with our services (collectively, the “Services”).

By accessing or using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not access or use our Services.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide, including:

  • Account Information: Name, email address, phone number, company name, job title, and password when you create an account.
  • Profile Information: Demographic information, health goals, and preferences you choose to provide.
  • Health Information: Health records, biometric data, fitness metrics, nutrition logs, mental wellness assessments, and other health-related data you enter into the Platform.
  • Payment Information: Billing address and payment method details processed through our secure payment providers.
  • Communications: Messages, feedback, support tickets, and correspondence with our team.
  • Form Submissions: Information provided through contact forms, demo requests, and newsletter sign-ups.

2.2 Information Collected Automatically

When you use our Services, we automatically collect:

  • Usage Data: Pages visited, features used, click patterns, session duration, and navigation paths.
  • Device Information: Browser type, operating system, device identifiers, screen resolution, and language preferences.
  • Network Data: IP address, internet service provider, and general geographic location.
  • Cookies and Tracking: Data collected through cookies, web beacons, and similar technologies as described in our Cookie Policy.

2.3 Information from Third Parties

We may receive information from:

  • Identity Providers: Authentication data from SSO providers (Azure AD, Okta, Google Workspace).
  • Wearable Devices: Health and fitness data from integrated devices (Fitbit, Apple Health, Garmin) with your explicit consent.
  • Employer Data: Your employer may provide basic employment information for account provisioning.

3. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve our Services and Platform features.
  • Process transactions and manage your account and subscriptions.
  • Personalize your experience, including health insights and wellness recommendations.
  • Communicate with you about service updates, security alerts, and support requests.
  • Generate anonymized, aggregated analytics and population health insights for organizational administrators.
  • Ensure platform security, detect fraud, and prevent unauthorized access.
  • Comply with legal obligations, including healthcare regulations and data protection laws.
  • Conduct research and development to improve our products, using de-identified data only.

4. How We Share Your Information

We do not sell your personal information. We may share information in the following limited circumstances:

  • With Your Organization: Aggregated, anonymized reports to your employer or organization administrator. Individual health data is never shared without explicit consent.
  • Service Providers: Trusted third-party vendors who process data on our behalf (hosting, payment processing, email delivery) under strict data processing agreements.
  • Legal Requirements: When required by law, subpoena, court order, or government request.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users.
  • With Your Consent: When you explicitly authorize sharing with specific third parties.

5. Data Security

We implement industry-leading security measures to protect your information, including:

  • AES-256 encryption for data at rest and TLS 1.3 for data in transit.
  • Application-level encryption for sensitive health information (PHI/PII).
  • Multi-factor authentication and role-based access controls.
  • Regular third-party security audits and penetration testing.
  • SOC 2 Type II and ISO 27001 certified infrastructure.
  • 24/7 security monitoring with automated threat detection.

6. Data Retention

We retain personal information for as long as necessary to provide our Services and fulfill the purposes described in this policy. Specific retention periods include:

  • Account Data: Retained while your account is active and for 90 days after a deletion request.
  • Health Records: Retained per applicable healthcare record retention laws (typically 6-10 years).
  • Audit Logs: Retained for 7 years for compliance purposes.
  • Marketing Data: Retained until you unsubscribe or request deletion.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request erasure of your personal data (subject to legal retention requirements).
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Request limitation of processing in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Withdraw previously granted consent at any time.

To exercise any of these rights, contact us at privacy@kshemetrix.com.

8. International Data Transfers

We may transfer your information to servers located outside your country of residence. When we do, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and adherence to applicable data transfer frameworks.

9. Children's Privacy

Our Services are not directed at individuals under 16 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 16, we will take steps to delete that information promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our Site with a new “Last Updated” date, and for significant changes, by email notification. Your continued use of the Services after such changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us: