Privacy Policy

of the limited liability company, KARDI AI Technologies s.r.o., registered seat at 28. října 459/11, 779 00 Olomouc, Czech Republic, ID: 14328127, email: support@kardi.ai (hereinafter referred to as “controller” or “operator”),
issued in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (hereinafter referred to as “GDPR”):

 

The user of the operator’s services, as a data subject, by his free decision (by ticking a box, pressing a button) indicates that he is aware of all the facts listed below and agrees to the further processing of his personal data for the purposes of the business activities of the website operator and the interactive online platform www.kardi.ai, its mobile application and the artificial intelligence model associated with such platform (or consent to the processing of personal data for the purpose of sending newsletters, if he has granted special consent). For the purpose of this policy, an ‘AI model’ refers to the machine learning component integrated into the Kardi Ai platform. This model is trained using historical and user-generated ECG and health-related data to identify patterns and improve the Kardi Ai platform’s ability to interpret heart activity. Such AI model is part of a broader AI system developed and deployed by the controller that provides automated outputs to support user health monitoring.

 

Personal data is processed by the controller to the extent that the user has provided it to the controller, for the reason, scope and for the following purposes:

  1. For the purpose of establishing and maintaining a user account on the interactive online platform kardi.ai and for the purpose of improving the provider’s services and evaluating the services, and also for the training, development, and fine-tuning of the artificial intelligence model integrated into the Kardi Ai platform, based on the explicit consent the user grants when accepting this Privacy Policy, the controller processes personal data provided by the user in the registration form, within the Kardi Ai platform, or generated through the use of the operator’s equipment and services (e.g. ECG recordings and related health data).

 

The personal data controller mainly processes the following personal data:

 

  • identification data (name and surname, title, date of birth),
  • contact details (phone number and e-mail),
  • financial data (especially bank account number or bank card number),
  • gender and age,
  • data on the use of the operator’s equipment and physical condition, as well as measured values and other information on the use of the operator’s equipment,
  • health data, including data relating to physical or mental health or condition. Personal health data also includes data that can be used to draw conclusions about or ascertain a person’s state of health,
  • possibly other data that the user himself provides in the registration form or that will be requested by the controller to enable registration, as well as data that the user himself provides within the Kardi Ai platform.

 

The processing of the personal data that does not reveal health-related information is necessary for the fulfillment of the contract between the user and the operator and for the fulfillment of legal obligations that apply to the operator. The health data (special categories of personal data) are processed by the controller including for the purposes of training and improving the AI model used by the Kardi Ai platform, and/or transferred to third parties (providers of health care services) based on explicit consent. 

Where personal data is collected together with health-related data (e.g. heartbeat or ECG readings), the entire dataset is considered special category data and is processed only on the basis of the user’s explicit consent, in accordance with Articles 6(1)(a) and 9(2)(a) GDPR. The same applies to any transfer of such data to third parties (e.g. healthcare providers). In this context, explicit consent is the sole legal basis for processing personal and health data within the Kardi Ai platform. Without such consent, or if the user withdraws consent, the controller cannot provide the core functionalities of the Kardi Ai platform that rely on health data processing, and access to the platform will accordingly be restricted. The withdrawal of consent shall not affect the lawfulness of any processing carried out prior to such withdrawal.

Certain data that does not reveal the user’s health status or other data that are not considered special categories of personal data may be processed for purposes in which the provider has a legitimate interest, namely for the purpose of improving the provider’s services, namely: i) for internal use by the controller, for the development of products and the controller’s portal; ii) for processing and publishing (including forwarding to contractual partners of the controller) in aggregated or in an anonymous form (e.g. for the purposes of various studies, statistical reports, infographics, case studies, etc.). Health data is not processed for these purposes without the user’s explicit consent, which can be withdrawn at any time. Consent withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

The user is hereby informed that measured values collected via the operator’s services cannot be retrieved or provided to the user after the deactivation of the user account.

  2. For the purposes of sending newsletters and other commercial communications, the controller processes personal data based on consent to the extent of:
  • e-mail,
  • telephone.

 

This personal data is also processed for the purpose of presenting customized product offers of the controller and contractual partners of the controller. By granting consent, the user also agrees to the download, processing, storage and use of data by the controller for the following purposes: i) for internal use by the controller, for the development of the controller’s products and presenting the controller’s customized product offer to users; ii) for processing and publishing (including forwarding to contractual partners of the controller) in aggregated or in an anonymous form (e.g. for the purposes of various studies, statistical reports, infographics, case studies, etc.).

The data subject has the right to object at any time to the processing of their personal data for this purpose.

The processing of personal data for this purpose will take place for the duration of the consent granted, at most for the duration of the contractual relationship with the operator. Consent can be revoked at any time at the e-mail address gdpr@kardi.ai or by clicking the unsubscribe link provided in each message. In case of revocation of consent, the user’s personal data will be deleted by the controller.

The processing of personal data for all purposes above is carried out by the controller. Healthcare services providers also have access to health data, if they sell the device with the application to the user. The controller is entitled to transfer personal data to providers of health care services. Providers of health care services are independent controllers of such personal data. 

The controller is entitled to transfer personal data to other entities (processors) with whom he has concluded a contract for the processing of personal data, in particular to external specialists (accountant, lawyer, doctor) and persons participating in the provision of the controller’s services.

The controller declares that all entities to which personal data may be made available respect the data subjects’ right to privacy protection and are obliged to proceed in accordance with applicable legal regulations regarding the protection of personal data.

Personal data of the citizens of countries within the European Economic Area are not transferred to countries outside the European Union. 

 

Personal data of the citizens of third countries (outside the European Economic Area) may be transferred to companies in third countries (outside of the European Economic Area). In such cases, if the transfer is performed from the European Economic Area to the third country, the controller transfers the data only if one of the following conditions applies: (i) there is an adequate level of protection in the country in question, as determined by the European Commission, or (ii) the receiving company/importer of data is registered under the EU – U.S. Data Privacy Framework, or (iii) standard contractual clauses (EU model-clauses) approved by the European Commission and additional supplementary measures to regulate the data transfer are implemented.

The controller applies appropriate technical and organizational measures for the protection of personal data that correspond to the nature and type of relevant personal data or categories and the risks associated with their processing.

As a subject of personal data, the user has the following rights in accordance with the GDPR:

  • Right to withdraw consent. Where the user’s consent is required for the purposes of processing personal data, the user is entitled to withdraw consent at any time, in particular by sending an email from the user’s email address or by clicking on the unsubscribe link in the newsletter. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
  • Right of access. The user has the right to access the personal data that is processed about him, and at the same time the right to information about what personal data is processed about him, for how long, what are the purposes of its processing, to whom it is made available and whether it is used for automated decision-making (or how this automated decision-making works).
  • Right to rectification. If the user discovers that incomplete or incorrect personal data are being processed about him, he has the right to correct personal data or, if the purpose of processing such personal data requires it, to supplement them.
  • Right to erasure. The user also has the right to the deletion of personal data that is stored and processed about him. In any case, when there is no legal basis for processing or processing violates the principles set out in the GDPR, within one month of becoming aware, the controller returns the data, or if this is impossible or requires disproportionate effort, deletes or destroys it.
  • Right to portability. Another right that the user can exercise is the so-called right to portability. On the basis of this right, the user can request the provision of personal data that was provided to the controller based on the user’s consent and that is processed automatically by the controller. Upon request, the controller will provide user personal data that meet these conditions in a commonly used, structured and machine-readable format, or based on the user’s request, it will be transferred to another controller as determined, if it is technically feasible.
  • Right to restriction of processing. In cases where the user feels that his personal data processed by the controller are incorrect, he has the right to request that the controller limit the processing of personal data to the time necessary to verify the accuracy of the user’s personal data and correct them if necessary.
  • The right to object to the processing of personal data. The user has the right to object to the controller processing personal data for the purpose of direct marketing and other purposes as well (e.g., for the purpose of sending commercial messages). In such a case, the controller will immediately stop processing personal data for this purpose.
  • Right to complain. If a data subject has any questions regarding the personal data processed or retained about them by the controller, or wants to exercise any of the above rights, they may contact the controller at the e-mail address: gdpr@kardi.ai. The controller will respond to such requests within one month, but has the right under the GDPR to extend this period by two months. If the controller extends the response period, it will inform the applicant within one month of the request. If a data subject considers that the controller has failed to resolve the request satisfactorily, the data subject has the right to file a complaint with the data protection authority:

 

Czech Republic:

The Office for Personal Data Protection 

Pplk. Sochora 27, 170 00 Praha 7, Czech Republic

https://uoou.gov.cz/en/consultation/contact

 

depending on the data subject’s place of habitual residence, place of work, or the place of the alleged infringement.

 

The data subjects shall further have the right to an effective judicial remedy where the data protection authority does not handle their complaint or does not inform them within three months on the progress or outcome of the complaint lodged. Proceedings against the supervisory authority shall be brought before the local competent courts where the supervisory authority has its registered address.

 

Without prejudice to any available administrative or non-judicial remedy, including the above mentioned right to lodge a complaint with a data protection authority, data subjects shall also have the right to an effective judicial remedy against the controller where they consider that their rights under the GDPR have been infringed as a result of the processing of their personal data in breach of GDPR. Such proceedings shall be brought before the courts of the EU Member State where the controller has an establishment. Alternatively, the data subject may bring the action before the local courts, if the particular country is the data subject’s place of habitual residence.

 


The controller notes that it is not possible to request the deletion of personal data that the controller is legally obliged to collect based on a statutory obligation.

If the user wishes to correct personal data that the operator processes about him, or exercise any of the above-mentioned rights, he may contact the controller at the e-mail address: gdpr@kardi.ai.

 

Date: 1 October 2025
