Privacy Policy

Effective Date: August 1, 2025 | Last Updated: August 11, 2025

📷 Why We Use Your Camera

We use your device's camera to help you manage your health information more easily:

  • Scan Medical Documents: Quickly capture and store your medical records, lab results, and prescriptions
  • Document Medications: Take photos of medication labels for accurate tracking
  • Health Insurance Cards: Store images of your insurance information for easy access
  • Symptom Documentation: Photograph visible symptoms to track changes over time

Your Privacy is Protected: Photos are encrypted and stored securely. They are never shared without your explicit permission, and we never use them for advertising or sell them to third parties.

Complete Privacy Policy

1. Introduction

Techo ("we," "our," or "us") is a Personal Health Record (PHR) application operated by 株式会社Kamily. We are committed to protecting your privacy and ensuring the security of your personal health information through HIPAA-compliant practices and advanced security architecture.

This Privacy Policy explains how we collect, use, store, and protect your information when you use our mobile application and related services. Our system is designed with privacy-by-design principles, including data separation architecture and FHIR compliance for secure health information management.

By using Techo, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our practices, please do not use our services.

2. Information We Collect

2.1 Personal Health Information (PHI)

We collect and store the following health-related information:

  • Medical history and health records
  • Symptoms, conditions, and diagnoses
  • Medications and allergies
  • Vital signs and health measurements
  • Laboratory results and medical test data
  • Healthcare provider visit records
  • Treatment plans and care instructions
  • Health goals and progress tracking

2.2 Personal Identification Information

  • Full name and date of birth
  • Email address (for account verification and communication)
  • Preferred language and communication preferences
  • Emergency contact information (optional)

Data Minimization: We do not collect phone numbers or physical addresses unless explicitly provided by you for specific features (such as emergency contacts). This reduces your privacy risk by limiting the personal identifiers we store.

2.3 Authentication and Account Data

  • Login credentials and authentication tokens
  • Account preferences and settings
  • Security questions and answers
  • Multi-factor authentication data

2.4 Device and Technical Information

  • Device type, model, and operating system
  • IP address and approximate location (city/region level)
  • App usage statistics and interaction patterns
  • Crash reports and error logs
  • Network connection information

2.5 Camera and Media Access

  • Photos of medical documents, prescriptions, or health-related items
  • Scanned documents and reports
  • Voice recordings for symptom input (if feature is enabled)

2.6 Location Data

  • Approximate location for healthcare provider search
  • GPS coordinates for emergency services (only when explicitly authorized)

3. How We Use Your Information

3.1 Primary Health Services

  • Storing and organizing your personal health records
  • Providing AI-powered health insights and risk assessments
  • Generating personalized health recommendations
  • Facilitating communication with healthcare providers
  • Tracking health goals and progress
  • Medication reminders and health alerts

3.2 Service Improvement

  • Analyzing usage patterns to improve app functionality
  • Developing new features based on user needs
  • Troubleshooting technical issues
  • Ensuring service security and reliability

3.3 Healthcare Provider Integration

  • Sharing health data with your chosen healthcare providers (with your explicit consent)
  • Facilitating appointment scheduling and check-ins
  • Supporting clinical decision-making tools

3.4 AI and Analytics

  • Providing personalized health recommendations using your individual data
  • Improving our AI algorithms using anonymized, aggregated population data (not your personal data)
  • Generating anonymized population health insights for research purposes

Important Note: We do not use your personal health data to train our AI models. AI training uses only anonymized, aggregated data that cannot be traced back to individual users.

4. Data Sharing and Disclosure

4.1 No Sale of Personal Data

We do not sell, rent, or trade your personal health information to third parties for commercial purposes.

4.2 Healthcare Providers

We share your health information with healthcare providers only:

  • With your explicit electronic consent (via in-app authorization)
  • When you initiate communication or appointment booking
  • In emergency situations to protect your vital interests

4.3 Service Providers

We may share limited information with trusted service providers who assist in:

  • Cloud infrastructure and data storage (AWS)
  • Authentication services
  • Analytics and crash reporting
  • Customer support services

All service providers are bound by strict confidentiality agreements and comply with applicable privacy laws.

4.4 Legal Requirements

We may disclose your information when required by law, including:

  • Court orders or legal process
  • Government investigations
  • Public health emergencies
  • Protection against fraud or security threats

4.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

5. Data Protection and Security

5.1 Technical Safeguards

  • Encryption: All data is encrypted both in transit (TLS 1.3) and at rest (AES-256)
  • AWS Infrastructure: We use HIPAA-compliant AWS services with enterprise-grade security
  • FHIR Compliance: Health data is stored and managed according to FHIR R4 standards for healthcare interoperability
  • Data Separation: We implement a dual-database architecture that separates:
    • Personal identification data (stored in a secured relational database)
    • Clinical health data (stored separately in a FHIR-compliant document database)

    This separation provides an additional layer of security by ensuring that, even in the unlikely event of a breach, personal identifiers and health data remain isolated.

  • Access Controls: Multi-factor authentication and role-based access controls
  • Network Security: Secure VPC configuration with private subnets and security groups
  • Screen Protection: Prevention of screenshots and screen recording within the app

5.2 Administrative Safeguards

HIPAA Compliance: We follow HIPAA privacy and security rules, including:

  • Business Associate Agreements with all service providers
  • Minimum necessary standards for data access
  • Employee background checks and access authorization
  • Regular risk assessments and security evaluations

FHIR Standards: All health data management follows HL7 FHIR R4 specifications for:

  • Standardized data formats and structures
  • Secure health information exchange
  • Interoperability with healthcare systems

Additional administrative safeguards:

  • Employee Training: Regular privacy and security training for all staff
  • Access Monitoring: Comprehensive audit logging of all data access
  • Incident Response: Established procedures for security incident management
  • Regular Audits: Periodic security assessments and penetration testing

5.3 Physical Safeguards

  • Secured Data Centers: AWS data centers with physical security controls
  • Device Security: Secure development and testing environments
  • Workstation Controls: Secured employee workstations with encryption

5.4 Data Retention

  • Health records are retained as long as your account is active
  • Account data is deleted within 30 days of account termination (unless legally required to retain)
  • Anonymized analytics data may be retained for service improvement
  • Backup data is securely deleted according to our data retention schedule

6. Your Privacy Rights

6.1 Access and Portability

  • View Your Data: Access all personal information we have about you
  • Data Export: Download your health records in standard formats (FHIR, PDF)
  • Data Correction: Update or correct inaccurate information

6.2 Control and Consent

  • Consent Management: Withdraw consent for specific data uses
  • Sharing Controls: Manage which healthcare providers can access your data
  • Communication Preferences: Control marketing and promotional communications

6.3 Data Deletion

  • Account Deletion: Delete your account and associated data
  • Selective Deletion: Remove specific health records or data categories
  • Right to be Forgotten: Complete removal from our systems (subject to legal requirements)

6.4 Analytics Opt-Out

  • Usage Analytics: Opt out of app usage and performance analytics
  • Population Health Research: Opt out of contributing anonymized, aggregated data to population health research (your personal data is never used for AI training regardless of this setting)

6.5 Notification Rights

  • Data Breach Notification: Immediate notification of any security incidents affecting your data
  • Policy Changes: Advance notice of material changes to this Privacy Policy
  • Account Activity: Alerts for unusual account activity or access

7. International Data Transfers

As we use AWS infrastructure, your data may be processed and stored in AWS data centers located in Japan and other countries. All international transfers comply with applicable privacy laws and are protected by:

  • AWS Data Processing Agreements
  • Standard Contractual Clauses
  • Adequate protection measures equivalent to Japanese privacy laws

8. Children's Privacy

Techo is primarily intended for use by individuals 18 years of age and older. We do not knowingly collect personal information directly from minors under 18.

Future Parental Access Feature: We may introduce features that allow parents or legal guardians to create and manage health records for their minor children (under 18). If implemented, such features will:

  • Require verified parental consent
  • Comply with applicable laws regarding children's privacy
  • Include appropriate safeguards for minors' health information
  • Be subject to updated privacy terms specific to minors' data

If we become aware that we have collected information from a minor without proper parental consent, we will delete such information immediately.

9. Third-Party Services

9.1 Healthcare Provider Systems

When you connect with healthcare providers, their own privacy policies may apply to how they handle your shared information.

9.2 App Store and Device Platforms

Your use of app stores (Google Play, Apple App Store) and mobile device platforms is governed by their respective privacy policies.

9.3 AI and Machine Learning Services

We use AI services (Amazon Bedrock) to provide health insights. These services process your data according to strict confidentiality and security requirements.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will:

  • Notify you of material changes via email or in-app notification
  • Post the updated policy on our website with the effective date
  • Provide a summary of key changes
  • Request renewed consent where required by law

Continued use of Techo after policy changes constitutes acceptance of the updated terms.

11. Contact Information

11.1 Privacy Officer

For privacy-related questions or concerns:

Email: support@kamily.co

11.2 Customer Support

For general support and account issues:

11.3 Data Protection Requests

To exercise your privacy rights:

11.4 Company Information

株式会社Kamily

11-5 Yotsuya-Sakamachi, Shinjuku-ku, Tokyo (東京都新宿区四谷坂町11-5)

Corporate Number: 9010001238381

12. Governing Law

This Privacy Policy is governed by the laws of Japan, including:

  • Personal Information Protection Act (PIPA)
  • Act on Protection of Personal Information Held by Administrative Organs
  • Relevant healthcare data protection regulations

For international users, we also comply with applicable privacy laws in your jurisdiction, including GDPR where applicable.

13. Dispute Resolution

In case of privacy-related disputes:

  • Contact our Privacy Officer for initial resolution
  • File a complaint with the Personal Information Protection Commission of Japan
  • Seek resolution through alternative dispute resolution services
  • Pursue legal remedies as available under applicable law

Acknowledgment:

By using Techo, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you have questions about this policy or our privacy practices, please contact us using the information provided above.

Document Version: 1.0

Language: This policy is originally written in English. Japanese translations are provided for convenience, but the English version governs in case of conflicts.