Privacy Policy
Our commitment: KAIRO is built on the principle that your health data belongs to you. We employ HIPAA-aligned safeguards, encrypt all data at rest and in transit, never sell your information, and give you full control over your records.
1. Scope & Applicability
This Privacy Policy applies to the KAIRO platform operated by FFP Group ("KAIRO," "we," "us," or "our"), including the web application at app.kairoquantum.ai, the marketing website at www.kairoquantum.ai, and all associated services, tools, and APIs.
This policy describes how we collect, use, store, and protect information from practitioners, patients, and website visitors. If you are a patient whose practitioner uses KAIRO, this policy also applies to data your practitioner enters or uploads on your behalf.
2. Information We Collect
2.1 Account Information
When you create an account or request access, we collect:
- Name, email address, and contact information
- Practice name, type, and professional credentials (practitioners)
- Referring practitioner name (patients)
- Authentication credentials (securely hashed; never stored in plaintext)
2.2 Health & Wellness Data
Through the KAIRO platform, practitioners and patients may provide or generate:
- Bioresonance scan data: frequency readings, vitals, chakra scores, meridian assessments, and related diagnostic outputs
- Voice biofeedback data: derived spectral features (FFT analysis, formant frequencies, autonomic markers). Raw audio is never transmitted or stored; only computed features leave your device.
- Iridology data: iris images and pattern analysis results
- Constitutional profiles: astrological birth data, dosha assessments, and elemental profiles
- Intake and history: symptoms, medical history, allergies, medications, family history, and lifestyle information submitted through intake forms
- Lab results: uploaded laboratory reports and extracted biomarker values
- Treatment data: frequency protocols, herbal recommendations, and session records
2.3 Usage & Technical Data
- Browser type, device type, and operating system
- Pages visited, features used, and session duration
- IP address and approximate geographic location
- Error logs and performance metrics
3. How We Use Your Information
We use the information we collect to:
- Provide the platform: process scans, generate analyses, deliver frequency protocols, and display health insights
- Improve clinical intelligence: build confidence metrics from aggregated, de-identified scan patterns to improve diagnostic accuracy across the platform
- Personalize your experience: adapt recommendations based on your constitutional profile and scan history
- Communicate with you: send account notifications, respond to inquiries, and provide support
- Ensure security: detect, prevent, and respond to security incidents
- Meet legal obligations: comply with applicable laws, regulations, and legal processes
We never use your individually identifiable health data for advertising, marketing to third parties, or any purpose unrelated to your care and the operation of the platform.
4. HIPAA Compliance
KAIRO maintains administrative, physical, and technical safeguards consistent with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and Privacy Rule.
4.1 Protected Health Information (PHI)
We treat all individually identifiable health information entered into or generated by the KAIRO platform as Protected Health Information (PHI). This includes scan results, intake data, treatment records, and any data that can be linked to a specific patient.
4.2 Business Associate Agreements
KAIRO is available to enter into Business Associate Agreements (BAAs) with covered entities (healthcare practitioners and clinics) as required under HIPAA. If your practice requires a BAA, please contact us at privacy@kairoquantum.ai.
4.3 Minimum Necessary Standard
We limit access to PHI to the minimum necessary to accomplish the intended purpose. Platform personnel access patient data only when required for support, debugging, or at the explicit direction of the treating practitioner.
4.4 Breach Notification
In the event of a breach of unsecured PHI, we will notify affected individuals and the U.S. Department of Health and Human Services (HHS) in accordance with the HIPAA Breach Notification Rule. Notification will be made without unreasonable delay and no later than 60 days following discovery of the breach.
4.5 De-Identification
When we use aggregated data to improve platform intelligence (e.g., confidence scoring from historical scan patterns), we de-identify data in accordance with HIPAA Safe Harbor or Expert Determination methods. De-identified data cannot reasonably be used to identify any individual.
5. Data Security
We implement comprehensive security measures to protect your data:
- Encryption at rest: all data stored in our databases is encrypted using AES-256
- Encryption in transit: all communications between your device and our servers use TLS 1.2 or higher
- Infrastructure: hosted on AWS in SOC 2 Type II audited data centers located in the United States
- Access controls: role-based access control (RBAC), with multi-factor authentication required for administrative access
- Audit logging: every access to PHI is logged with a timestamp, the user identity, and the action performed
- Session security: authenticated sessions use cookies carrying the Secure and HttpOnly attributes, with enforced expiration
- Vulnerability management: regular security scanning, dependency auditing, and container image analysis
6. Data Sharing & Third Parties
We never sell your personal information or health data.
We may share information only in the following limited circumstances:
- With your practitioner: patient data is accessible to the practitioner who manages your care within the platform
- Service providers: we use trusted third-party service providers (cloud hosting, email delivery) who process data on our behalf under contractual obligations to protect it. These providers do not have independent rights to use your data.
- AI analysis providers: scan data may be processed by AI language model providers to generate clinical analyses. Data sent to these providers does not include direct patient identifiers (name, email, date of birth) and is not used to train third-party AI models.
- Legal requirements: we may disclose information when required by law, regulation, subpoena, court order, or government request
- Safety: we may disclose information when necessary to protect the safety of any person or to address fraud or security issues
7. Your Rights
You have the following rights regarding your data:
- Access: you may request a copy of all personal and health data we hold about you
- Correction: you may request correction of inaccurate or incomplete data
- Deletion: you may request deletion of your account and associated data, subject to legal retention requirements
- Restriction: you may request that we restrict certain processing of your data
- Portability: you may request your data in a structured, machine-readable format
- Accounting of disclosures: you may request a record of certain disclosures of your PHI
- Withdraw consent: you may withdraw consent for optional data processing at any time
To exercise any of these rights, contact us at privacy@kairoquantum.ai. We will respond to verified requests within 30 days.
8. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Specifically:
- Account data: retained while the account is active; deleted within 90 days of a requested account closure
- Health & scan data: retained for the duration of the practitioner-patient relationship and for a minimum of 7 years thereafter to comply with healthcare record-keeping requirements
- De-identified aggregate data: may be retained indefinitely for platform improvement purposes
- Audit logs: retained for a minimum of 6 years as required by HIPAA
Upon account deletion, we will remove or de-identify your data within the timeframes above unless a longer retention period is required by law.
9. Cookies & Tracking
9.1 Marketing Website (www.kairoquantum.ai)
This marketing website does not currently use analytics cookies or third-party tracking technologies. We do not track your browsing behavior across other websites.
9.2 Application (app.kairoquantum.ai)
The KAIRO application uses the following cookies:
- Session cookies (essential): maintain your authenticated session. These are strictly necessary and cannot be disabled.
- Preference cookies (functional): remember your display preferences, selected patient context, and interface settings
We do not use advertising cookies, social media tracking pixels, or behavioral retargeting technologies.
10. Children's Privacy
KAIRO is not directed to children under 13. We do not knowingly collect information from children under 13. Practitioners who enter pediatric patient data are responsible for obtaining appropriate parental or guardian consent. If we learn that we have collected information from a child under 13 without proper consent, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last Updated" date and, where appropriate, notify you via email or an in-application notice. Your continued use of the platform after changes become effective constitutes acceptance of the updated policy.
12. Contact Us
For questions about this Privacy Policy, to exercise your data rights, or to request a Business Associate Agreement:
- Email: privacy@kairoquantum.ai
- Mail: FFP Group, Thousand Oaks, California
For HIPAA-related complaints, you may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr.