1. Introduction
KinovaAI Technologies ("we," "us," "our"), operating as BioAlign Pro, is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the BioAlign Pro system, including our edge servers, progressive web application, cloud analytics platform, and related services (collectively, the "Service").
By using the Service, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the Service.
Contact: [email protected]
2. Information We Collect
Personal Information
When you create an account or are enrolled by a facility administrator, we may collect:
- Name, email address, and phone number
- Date of birth and gender
- Height, weight, and age
- Room number or resident identifier (institutional deployments)
- Billing information (processed securely via Stripe; we do not store full card numbers)
Health and Movement Data
The BioAlign Pro system collects movement-related data through computer vision, including:
- Joint angle measurements and body pose coordinates
- Gait metrics (stride length, cadence, symmetry scores, postural sway)
- Functional Movement Screen (FMS) scores
- Exercise session data (movement type, repetition counts, range of motion)
- Activity level, exercise preferences, injury history, and current issues
Important: Raw video and images are processed locally on the edge server at your facility. Raw video is NEVER transmitted to or stored on KinovaAI servers.
Usage Data
- Login timestamps and IP addresses
- Feature usage patterns and session duration
- Device type and browser information
- Error logs and performance data
3. How We Use Your Data
Service Delivery
- Providing real-time movement analysis and audio coaching
- Generating personalized corrective exercise plans
- Displaying dashboards, progress reports, and fall risk assessments
- Authenticating users and managing accounts
Analytics and AI Improvement
- Training and refining machine learning models for movement analysis accuracy
- Improving fall risk prediction and exercise form detection algorithms
- Generating aggregate facility-level insights
Research
- Contributing to aging and longevity research using fully anonymized data
- Understanding movement patterns across populations
- Identifying early indicators of mobility decline
- Advancing the scientific understanding of human movement
Billing
- Processing subscription payments through Stripe
- Managing trial periods and plan changes
- Sending billing-related communications
4. Data Anonymization
All data undergoes irreversible anonymization before leaving the edge server. The anonymization process includes:
- Cohort identifiers: Resident identities are replaced with cryptographic cohort IDs that cannot be reversed to reveal identity
- Age buckets: Exact ages are grouped into broad demographic ranges (e.g., 65-74, 75-84) rather than exact values
- PII removal: All names, room numbers, facility-specific identifiers, and any other personally identifiable information are stripped
- Metadata stripping: All metadata that could potentially identify individuals is removed
No personally identifiable information (PII) ever leaves the edge server. Only fully anonymized, derived data is transmitted to our central analytics platform.
5. Data Sharing
We do NOT sell your personal data to third parties.
- Anonymized research data: Aggregated, anonymized findings may be published in scientific journals or presented at academic conferences. Individual facility or cohort-level data is never disclosed.
- Service providers: We use Stripe for payment processing and may use infrastructure providers (cloud hosting) that process data on our behalf under strict contractual obligations.
- Legal requirements: We may disclose information if required by law, subpoena, or court order.
- Business transfers: In the event of a merger, acquisition, or sale, user data may be transferred as part of the business assets, subject to the same privacy protections.
6. Data Retention
- Edge server data: Retained according to each facility's own policies. Facility administrators control local data retention and deletion.
- VPS / Cloud analytics data: Anonymized data is retained indefinitely to support longitudinal aging and movement research.
- Account data: Personal account information is retained while your account is active and for 90 days after account closure to handle any outstanding matters.
- Backups: Daily backups are retained for 7 days.
Customers may request deletion of all anonymized data associated with their facility's cohort identifiers upon account termination, subject to a 90-day processing period.
7. Your Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete personal data
- Deletion: Request deletion of your personal data, subject to legal retention obligations
- Opt-out of research: Individual residents may opt out of research data contribution through the enrollment process (the consent_for_research flag). Opted-out residents' data is processed locally only and never transmitted to KinovaAI servers.
- Data export: Request a CSV export of your data by contacting support
To exercise any of these rights, email [email protected].
8. Cookies and Tracking
- Authentication cookies: We use JWT (JSON Web Token) authentication cookies to maintain your login session. These are essential for the Service to function.
- No third-party tracking: We do not use third-party analytics trackers, advertising cookies, or social media tracking pixels.
- No cross-site tracking: Your activity on BioAlign Pro is not shared with advertising networks or data brokers.
9. Security Measures
We implement industry-standard security measures to protect your data:
- Encryption at rest: All sensitive data is encrypted using AES-256 encryption
- Encryption in transit: All communications use TLS 1.3 encryption
- Password hashing: User passwords are hashed using bcrypt with appropriate salt rounds
- EMR credential encryption: EMR integration credentials are encrypted with Fernet symmetric encryption
- Access control: Role-based access control limits data visibility to authorized personnel
- Audit logging: All administrative actions are logged for accountability
- Rate limiting: Login endpoints are protected against brute-force attacks
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
10. Children's Privacy
The BioAlign Pro Service is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly.
If you believe a child under 13 has provided us with personal information, please contact us at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to you via:
- Email notification to the address associated with your account
- A prominent notice on the admin dashboard
Continued use of the Service after notification constitutes acceptance of the updated policy. We encourage you to review this page periodically.
12. HIPAA Compliance
BioAlign Pro is designed with healthcare data privacy in mind. For covered entities subject to the Health Insurance Portability and Accountability Act (HIPAA):
- A Business Associate Agreement (BAA) is available upon request for covered entities
- Edge servers process and store PHI locally at the facility, under the facility's control
- Only fully anonymized, de-identified data (per HIPAA Safe Harbor guidelines) leaves the edge server
- We maintain appropriate administrative, physical, and technical safeguards
To request a BAA, contact [email protected].
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You may request details about the categories and specific pieces of personal information we collect
- Right to delete: You may request deletion of your personal information, subject to certain exceptions
- Right to opt-out of sale: We do not sell personal information. No opt-out is necessary, but you may still submit a request for confirmation.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
- Right to correct: You may request correction of inaccurate personal information
- Right to limit use of sensitive information: You may limit our use of sensitive personal information to what is necessary for the Service
To exercise these rights, email [email protected] with the subject "CCPA Request." We will respond within 45 days.
14. Contact Information
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
- Company: KinovaAI Technologies ("BioAlign Pro")
- Email: [email protected]
- Privacy inquiries: [email protected] (subject: "Privacy Inquiry")
- Data requests: [email protected] (subject: "Data Request")