Consumer Health Data Privacy Policy

This Consumer Health Data Privacy Policy supplements the KLNR Privacy Policy and explains how KLNR Labs P.S.A. collects, uses, discloses, and otherwise processes "consumer health data." It addresses specific obligations under United States state privacy and consumer-health laws (including the Washington My Health My Data Act, the Nevada Consumer Health Data Privacy law, and the Connecticut Data Privacy Act), as well as the treatment of health-related information as special-category data under the EU General Data Protection Regulation (GDPR). Effective date: [effective date]. — DRAFT, pending legal review.

WORKING DRAFT — modeled on industry best practice and adapted for KLNR; pending legal review before publication as binding. Fields [...] are completed by KLNR. English is the authoritative language of these documents.

1. Overview and relationship to our Privacy Policy

KLNR Labs P.S.A. ("KLNR", "we", "us", "our") provides a suite of products under the KLNR brand, including Search, Lexor, FRRE.ai, Sign, Comms, CoLab, AgentOS, and Bill, accessed through a single sign-on ("klnr-gate"). KLNR Labs P.S.A. is the single data controller for the KLNR group, seated in Gdańsk, Poland ([address]; [KRS]; [NIP]; [REGON]; share capital [share capital]).

This Consumer Health Data Privacy Policy (the "Health Policy") provides supplemental disclosures that apply where we act as a controller and process information that constitutes "consumer health data" or, in the European Union and European Economic Area, special categories of personal data concerning health. It is designed to satisfy specific obligations under United States state laws addressing consumer health data, and to clarify how health-related information is treated under EU law.

This Health Policy must be read together with, and forms part of, our general Privacy Policy. Terms defined in our Privacy Policy have the same meaning here unless stated otherwise. To the extent of any conflict between this Health Policy and the general Privacy Policy, this Health Policy prevails with respect to consumer health data, where and to the extent applicable law so requires.

KLNR is built around an evidence-first philosophy ("evidence, not words"): our AI assists, while a qualified human authors content and makes decisions; our systems are designed to abstain rather than hallucinate; we do not train our models on client or legal content; and we respect professional secrecy and attorney-client privilege. These principles also govern how we handle any health-related information.

2. What we mean by "consumer health data"

"Consumer health data" means personal data that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. Consistent with applicable United States laws, this may include, by way of example:

  • medical conditions, symptoms, diagnoses, illnesses, injuries, surgeries, procedures, testing, or treatments;
  • health-related interventions and the use, purchase, or acquisition of medications;
  • vital signs, bodily functions, measurements, or other information that reveals a health status;
  • biometric data and genetic data, where they reveal health information;
  • health-care services a person seeks or receives, including reproductive or sexual health, mental or behavioural health, and gender-affirming care;
  • bodily or health-related information derived or inferred from non-health data; and
  • precise geolocation data that could reasonably indicate a consumer's attempt to acquire or receive health-care services.

In the European Union and European Economic Area, information "concerning health" is a special category of personal data under Article 9 GDPR. Where this Health Policy refers to consumer health data, EU/EEA users should read it together with the special-category provisions described in Section 9 below and in our general Privacy Policy.

This Health Policy does not apply to information governed exclusively by other frameworks, such as protected health information processed under the U.S. Health Insurance Portability and Accountability Act (HIPAA), employment records, or information processed solely on behalf of a business customer where that customer is the controller (in which case the customer's privacy notice and our data processing terms govern).

3. We are not a health-care provider

KLNR products are professional and productivity tools. They are not intended to diagnose, treat, cure, or prevent any disease or health condition, and they do not provide medical, psychological, or other health-care advice. Outputs of our AI features are not a substitute for advice from a qualified health-care professional. We generally do not seek out health information, but consumers may choose to provide it (for example, in the text of a legal matter handled in FRRE.ai or a document processed through our tools), and in that case it may be processed as described in this Health Policy.

4. Collection of consumer health data

We may collect consumer health data in the following ways:

  • Directly from you. When you type, paste, upload, or otherwise submit content into a KLNR product (for example, prompts, documents, matter files, messages, or invoices) that happens to contain health-related information.
  • From integrations you authorise. When you connect a third-party application, account, or service to a KLNR product (for example, through AgentOS, CoLab, or Comms), and that integration transfers information that includes health-related data. You control these connections and may revoke them at any time in your account settings.
  • Automatically, in limited cases. Technical and usage data (such as device, log, and approximate location data) collected as described in our Privacy Policy could, in narrow circumstances, reveal health-related information; we do not use such technical data to infer health status.
  • Through inference. Health-related information may be derived or inferred from other data you provide. We minimise this and do not deliberately generate health inferences for advertising or profiling.

We apply data minimisation: we seek to collect only what is necessary for the requested feature, and we do not require you to provide health data to use our core services.

5. How we use consumer health data

We use consumer health data only for purposes permitted by applicable law and consistent with the reason it was provided, including to:

  • Provide and operate the services you request — for example, processing a prompt, generating evidence-cited output, executing a signing ceremony, sending communications, or producing an invoice — including where your input incidentally contains health information;
  • Enable integrations you have connected, so that the relevant KLNR product can work with the third-party service you chose;
  • Maintain security and integrity — to prevent, detect, investigate, and respond to fraud, abuse, security incidents, violations of our terms or usage policies, unlawful activity, and unauthorised access, and to protect the rights, property, and safety of KLNR, our users, and the public;
  • Comply with legal obligations and respond to lawful requests, and to establish, exercise, or defend legal claims;
  • Improve and develop our services, using de-identified or aggregated information that no longer identifies you; and
  • Other purposes you specifically consent to, where applicable law requires consent.

Consistent with our model-training commitments, we do not use consumer health data to train our or third parties' AI models, and we do not use it for cross-context behavioural advertising. We may seek your additional consent for any use of consumer health data that requires it under applicable law.

6. How we disclose consumer health data

We disclose consumer health data only as described below and in the "How We Disclose Personal Data" section of our general Privacy Policy:

  • To service providers and processors who process data on our behalf and under contract (for example, hosting, infrastructure, and security providers), subject to confidentiality and data-protection obligations and only on our documented instructions;
  • To third parties you direct or connect — when you integrate, share with, or transmit information to a third-party website, application, or service, you provide that information to the third party directly, and its handling is governed by that third party's terms and privacy notice;
  • For legal and safety reasons — to comply with law, legal process, or enforceable governmental requests, to enforce our terms, and to protect rights, property, and safety; and
  • In a business transfer — in connection with a merger, acquisition, financing, reorganisation, or sale of assets, subject to this Health Policy.

We do not "sell" consumer health data, and we do not "share" it for cross-context behavioural advertising, as those terms are defined under U.S. state privacy laws. Where applicable law requires your valid authorisation before we may sell or share consumer health data, we will not do so without first obtaining that separate, specific authorisation.

7. Service providers, processors, and security

Where we engage service providers or processors to handle consumer health data, we require them by written contract to limit their use to the services they provide to us, to protect the data, and to comply with applicable consumer-health and data-protection laws. We restrict access to consumer health data to the personnel and processors who need it to perform the functions described in this Health Policy.

We maintain technical and organisational safeguards designed to protect consumer health data against unauthorised access, disclosure, alteration, and destruction, including access controls, encryption in transit and at rest where appropriate, logging, and confidentiality obligations. Where information is subject to professional secrecy or attorney-client privilege, we apply additional protections and do not access or disclose it except as permitted by law and our agreements.

8. Your rights and choices

Depending on where you live and the law that applies to you, you may have the right to:

  • Know and access the consumer health data we have collected about you, and the categories of third parties to whom it has been disclosed;
  • Delete consumer health data we have collected from you, subject to legal exceptions;
  • Withdraw consent to our collection, use, or sharing of consumer health data, where processing is based on consent;
  • Correct inaccurate consumer health data; and
  • Appeal a decision we make about your request, where applicable law provides an appeal right.

You can manage many choices directly in your account settings — for example, revoking third-party integrations, deleting content, and adjusting privacy controls. To exercise a right that is not available in-product, contact us at [privacy@klnr.ai]. We will verify your request as required by law and respond within the timeframes applicable to you. We will not discriminate against you for exercising your rights. You may use an authorised agent where the law permits, subject to verification.

9. EU/EEA supplement — health data under the GDPR

If you are in the European Union or European Economic Area, information concerning your health is a special category of personal data under Article 9 GDPR. We process such data only where a condition in Article 9(2) applies — typically your explicit consent, or where processing is necessary for the establishment, exercise, or defence of legal claims, or for another lawful basis recognised under EU or Member State law. Our general lawful bases, retention periods, international transfer safeguards (such as Standard Contractual Clauses), and your full set of GDPR rights are described in our Privacy Policy.

Your GDPR rights include access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent at any time (without affecting prior lawful processing). You also have the right to lodge a complaint with a supervisory authority — in Poland, the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO).

The KLNR group data controller is KLNR Labs P.S.A., [address], Gdańsk, Poland. You can contact our Data Protection Officer at [dpo@klnr.ai].

10. United States supplement — state consumer-health and privacy laws

If you are a U.S. resident, the following state-specific disclosures apply in addition to the rest of this Health Policy. We honour the rights described below to the extent the relevant state law applies to you and to our processing.

Washington — My Health My Data Act (MHMDA). This Health Policy serves as our consumer health data privacy notice. We describe the categories of consumer health data we collect (Section 4), the purposes for which we collect and use them (Section 5), the categories of sources, the categories we share and the categories of recipients/affiliates and processors (Sections 6 and 7), and how to exercise your rights (Section 8). We do not collect, use, or share consumer health data except as necessary to provide a service you requested or with your consent. We will obtain your separate, valid consent before collecting or sharing consumer health data not necessary to provide a requested product or service, and a separate authorisation before any "sale" of consumer health data. You may withdraw consent at any time by contacting us at [privacy@klnr.ai].

Nevada — Consumer Health Data Privacy law (SB 370 / NRS Chapter 603A). We provide the same categories of disclosure and choices described above for Nevada consumers, including the right to confirm, access, and delete consumer health data, to withdraw consent, and our commitment not to sell consumer health data without the consumer's affirmative, voluntary consent.

Connecticut — Data Privacy Act (as amended for consumer health data). Connecticut consumers have rights to access, correct, delete, and obtain a portable copy of their data, and to opt out of targeted advertising, sale, and certain profiling. We obtain consent before processing consumer health data.

California — CCPA/CPRA. Sensitive personal information, including health information, is subject to additional protections. California residents have rights to know, access, delete, and correct personal information, to opt out of sale/sharing, and to limit the use of sensitive personal information. We do not sell or share consumer health data, and we limit our use of sensitive personal information to permitted purposes. We honour Global Privacy Control signals as an opt-out where required.

Other U.S. states. We extend comparable rights to residents of other states with applicable comprehensive privacy or consumer-health laws (for example, Colorado, Virginia, Oregon, Texas, and similar jurisdictions), to the extent those laws apply.

11. Retention

We retain consumer health data only for as long as necessary to fulfil the purposes described in this Health Policy, to provide the services you request, to comply with our legal and professional obligations, and to establish, exercise, or defend legal claims. When the data is no longer needed, we delete it or de-identify it in accordance with our retention practices and applicable law. You can delete much of your content directly in your account settings.

12. Children

Our services are not directed to children, and we do not knowingly collect consumer health data from children below the age set by applicable law. If you believe a child has provided us with consumer health data, please contact us at [privacy@klnr.ai] so we can take appropriate action.

13. Changes to this Health Policy

We may update this Health Policy from time to time to reflect changes in our practices or in applicable law. When we make material changes, we will update the effective date below and, where required, provide additional notice or seek your consent. We encourage you to review this Health Policy periodically.

14. How to contact us

For questions about this Health Policy or to exercise your rights regarding consumer health data, you can reach us at:

Purpose                      Contact
Controller                   KLNR Labs P.S.A., [address], Gdańsk, Poland ([KRS], [NIP], [REGON])
General inquiries            [kontakt@klnr.ai]
Privacy / rights requests    [privacy@klnr.ai]
Data Protection Officer      [dpo@klnr.ai]
Security                     [security@klnr.ai]

Effective date: [effective date]. This document is a working draft and is subject to legal review before publication.

KLNR Labs P.S.A. · Gdańsk, Poland · DRAFT · 2026-06-13