​

effective date: October 1st, 2024

 

Thank you for reading our Privacy Policy. Together with our Terms of Service, this establishes the legal relationship of individuals like you with Nymble Health Inc. (“nymble”, “us”, “we”). This policy applies to information collected through our nymble AI-powered chat services (collectively, the “Services”).

 

Before accessing or using the Services, please ensure you have read and understood our commitments regarding the collection, storage, use, and disclosure of your personal information described in this Privacy Policy. By accessing or using the Services, you are accepting and consenting to the practices described in this privacy policy.  If you have any questions, please contact privacy@nymble.health. 

​

how we make money

​

1. To begin earning your trust, we feel that it is important to explain how we make money. Transparency is at the core of our privacy practices.

 

2. nymble is a paid service. While you may not pay directly, nymble’s user-based subscription costs are paid by Subscriber Organizations, who in turn authorize your access to the Services. nymble does not rely on advertising nor do we sell your personal information to third-parties. Where nymble participates in clinical trials, including those that offer nymble financial incentives, these initiatives are subject to specific opt-in measures through our commitment to Consent by Design.

 

3. We will always prioritize patient safety. This includes your privacy. This means we are committed to delivering the Services in accordance with the best practices of evidence-based healthcare. Founded by medical doctors, our pursuit of commercial interests will always be subject to our duty to do no harm.

​

responsible AI

​

4. We believe that the Services offer immediate opportunities to improve health outcomes through artificial intelligence. We also acknowledge that introducing new technology in the healthcare context may introduce a real risk of significant harm to individual users. To mitigate these risks, nymble has adopted the Canadian Guardrails for Generative AI - Code of Practice. These guardrails inform nymble’s Responsible AI Policy and will evolve in parallel to this Privacy Policy with a focus on user safety.

 

privacy by design

​

5. The Services are following a Privacy by Design methodology in which foundational privacy principles inform functionality of the Services throughout the software development lifecycle.

 

An example of our Privacy by Design practices is your use of date-of-birth on account registration. We need to confirm this detail to validate your eligibility to use the Services. We do not need to keep this information. Your date-of-birth is used to confirm your age on your device, but it is not collected by nymble and never stored with your account.

 

6. The Services also follow Consent by Design principles. Rather than imposing a one-size-fits-all approach to privacy, we establish our general expectations within this Privacy Policy and then offer the ability for users to customize their preferences on a contextual basis. For example, you can change privacy-related preferences at any time by accessing your account settings. Where we have initiatives that depart from our standard privacy commitments or require further explanation, we will ask you specifically by a) explaining what personal information we want to collect, use, or disclose, b) explain why we think you should consent to this initiative, and c) give you the option to consent by opting-in. An example of our approach to Consent by Design would be where we ask you to participate in a clinical trial. You can always change your mind and modify your consent preferences in the account settings. In such cases, certain functionality may be lost or your ability to continue using the Services may be limited.  

​

personal information we collect

​

7. Information You Give Us. We collect your personal information through your interaction with the Services. This includes information you provide when you register to use the Services. At a minimum, this includes your name, email address, and phone number. This may also include personal information provided through contextual chats within the Services. You can choose not to provide additional information, but the required account creation elements are needed to validate a paid account through your Subscribing Organization and you may be unable to access the Services without providing this information.

 

8. Information Generated Automatically. We automatically collect your personal information through your use of the Services. This includes technical information about how you use the Services such as your IP address. We use cookies in very limited circumstances to recognize your device for authentication purposes. You can manage your cookies through your browser settings. 

 

9. Information Collected from Other Sources. We may also collect information about you from other sources. This includes information from your Subscribing Organization confirming that you are entitled to access the Services.

 

10. We may link or combine your personal information that we collect or receive. This allows us to manage your account and personalize your user experience.

 

11. We may anonymize and aggregate any of the personal information we collect. Our anonymization efforts follow industry standards with the goal of limiting any risk of re-identification. While anonymization constitutes both a collection and use of your personal information, the output ceases to contain your personal information. Examples include user engagement analytics data or data anonymized for the purposes of training AI-models. 

​

how we use your personal information

​

12. We use your personal information to operate and improve the Services. These purposes include our ability to communicate with you in relation to the Services as well as our ability to comply with applicable laws.

 

13. Your personal information may be used for the training of our AI models. Consistent with our Responsible AI Policy, we take steps to anonymize data prior to training. While this may not be possible in certain situations, our models do not contain personally identifiable information from our users.

​

how we share your personal information

​

14. We do not sell your personal information. It is never used for advertising and our disclosures of your personal information to third-parties are limited to the circumstances described below:

 

• To Our Affiliates: We may share your personal information between our corporate entities. For example, if we operate different corporate entities in different global jurisdictions. 

 

• Third-Party Service Providers: We share your personal information with our third-party service providers (or “subprocessors”) in order to deliver the Services. See nymble Third-Party Service Providers. We ensure protections for your personal information from these third-parties consistent with this Privacy Policy. We remain responsible for your data and cannot outsource our privacy obligations.

 

• Business Transfer: nymble is growing and we may disclose your personal information in connection with a business transaction. In such transactions, customer information may be transferred within business assets, but remains subject to our pre-existing privacy commitments to you. In the event that we are involved in a merger, acquisition, or sale of all or substantially all of our business assets, you will be notified of the change in ownership and the impacts on your personal information.

 

• Applicable Laws: We may be required to disclose personal information in response to lawful requests by public authorities, including local law enforcement requirements. 
   

where your data is stored
 

15. In the interests of transparency, we disclose the location of your personal information within our list of Third-Party Service Providers. As we expand global availability of the Services, we will offer increased flexibility to regionalize the Services on behalf of Subscribing Organizations.

 

16. We retain personal information for as long as necessary to fulfill its purpose. In circumstances where retention terms are prescribed by law, Subscribing Organizations are responsible for defining retention terms. 

​

security safeguards

​

17. nymble maintains information security safeguards spanning administrative, physical, and technical controls to protect your personal information from unauthorized access or disclosure. Our security controls include, without limitation, the following:

 

• Encryption of all personal information in transit and at rest;

• Limiting access to systems on a least-privilege basis;

• Maintaining an information security management system in accordance with industry standards;

• Adopting contractual confidentiality measures in employment and contractor agreements;

• Requiring privacy and security training of all nymble personnel, including both contractors and employees;

• Prohibiting the transfer of personal information outside of production environments; and

• Subjecting all third-party service providers to risk-based vendor assessments and contractual confidentiality obligations.
   

incident management
 

18. nymble maintains privacy incident management practices activated in the event of the unauthorized access of personal information. We will provide reasonable assistance to Subscriber Notifications for the investigation of suspected breaches. Notification of users will be performed in accordance with applicable laws and in consultation with Subscriber Organizations.

​

information for minors

​

19. We do not knowingly collect personal information from users under the age of 18.

​

privacy rights

​

20. Accuracy & Correction. You have the right to request details about the personal information we have collected about you and the right to correct this information. You can exercise your right by contacting us at privacy [a] nymble.health.

 

21. Opt-out. To opt-out of the optional collection of your personal information, please make changes within your account settings or opt-out within specific chat workflows on a case-by-case basis. While you can always change your mind, your ability to continue using the Services may be limited by these choices.

 

22. Deletion Requests. You have the right to request deletion of your data, subject to our compliance with applicable laws. For example, we may not delete your information where it is pending litigation or regulatory investigation. We will also retain at least one unique identifier for the purposes of billing from your Subscribing Organization and this information may be retained for the duration of the tax audit retention term. Pursuant to our Privacy by Design practices, we limit retention terms to those necessary to fulfill the purposes of the collection.

 

23. Appeals. You may have the right to appeal our responses regarding your privacy rights. Where these options apply, we will provide you with the necessary information to submit an appeal at that time.

​

accountability & contacting nymble

​

24. We are responsible to you for your personal information in our custody, including information that has been transferred to us for processing as a service provider. We have designated a Privacy Officer within our executive leadership team who is accountable for privacy compliance and oversight. All employees are required to complete privacy training within our onboarding practices and annually thereafter. 

 

25. Inquiries about how we or our service providers treat your personal information can be made to our privacy team at privacy@nymble.health. Our physical mailing address is:

 

Nymble Health Inc.
329 Howe St #1021

VANCOUVER, BC V6C3N2

Canada

 

26. We maintain procedures for addressing and responding to all inquiries or complaints. 

​

changes to this policy

​

27. We may periodically update this Privacy Policy. If there are material changes within the revisions, we will provide at least 30 days notice by updating our website or sending you an email.

​

jurisdiction-specific commitments

​

28. The personal information we have collected from users in the twelve months prior to the effective date fall into the following categories:

 

• identifiers such as your name, alias, address, phone numbers, IP address, or email address; and

• internet or other electronic network activity information such as chat logs and text messages.

 

29. The personal information we have disclosed for a business purpose in the last twelve months prior to the effective date fall into the following categories:

 

• identifiers such as your name, alias, address, phone numbers, IP address, or email address; and

• internet or other electronic network activity information such as chat logs and text messages.

 

These categories do not include “sensitive personal information” as defined under the California Privacy Rights Act.

 

30. We have not sold any personal information of our users as those terms are defined under the California Privacy Rights Act.

 

31. We do not discriminate against any users for exercising their rights under the California Privacy Rights Act.

 

32. We may use de-identified data in some circumstances. Where data is de-identified, we either apply controls to prevent re-identification as described in this Privacy Policy and our Responsible AI Policy, or we treat such data as containing your personal information.

 

33. We do not engage in any profiling of users or apply automated screening with legal or significant effects.