We interviewed Ravid Israel, founder and CEO of Embie, to understand how GDPR and privacy compliance-by-design can ease the go-to-market of a digital health app.
The main takeaways from this interview:
- You can create and launch a compliant digital health app in just 1 year.
- Choosing the right legal-tech partner from day 0 can make you faster than the companies implementing compliance later on in the project.
- GDPR can help digital health companies build trust with partners and investors to grow faster and sell better.
Data security and privacy are one of the main barriers when developing and launching a digital health solution. Due to the nature of the healthcare industry, compliance regulations should be used as a guide from the very beginning in the implementation and design of digital health solutions. Not getting it means hindering your ability to sell and grow your business in the future.
Users, partners and investors are increasingly aware of privacy and they will demand from you high compliance standards. They will do this because there is an inherent risk for them working with you - or with any other company. This topic will likely pop up in pretty much every meeting you have with potential partners. If you don’t get it right, you can expect a significant impact on client acquisition, partnership deals and user attrition.
We tend to believe that compliance is avoiding fines, but, particularly at an early stage, taking care of this will allow you to sell better and grow less painfully.
At this point, how can we get it right? To find out, read on to learn the experience of Ravid Israel, founder and CEO of Embie, about the challenges and opportunities behind the development of the App and building compliance to launch the solution into the market.
The story behind Embie
Embie is the App that helps women and couples who are going through fertility issues track their cycles. The company has helped over 30.000 women keep track of their medications, appointments and treatment reports.
Pedro: Hello Ravid, thank you for taking the time to do this case study with us. We've been working together in compliance for quite a long time, and you are a great, early customer from Chino.io. Can you tell us a bit about what your company does and your business model?
Ravid: My name's Ravid Israel and I am the founder of Embie, an app that helps women and couples who are going through fertility treatments track their cycles. I was going through fertility issues, and I went through eight IVF cycles, and during that process, I realized that there was a gap in the market. There wasn't a tool to save all of my information for me, to have a new doctor's opinion if I chose to, or just to keep track of what was going on.
When I first conceived of the idea, I was still undergoing treatments. It was in mid-2019 that I started creating the user journey and what the user would go through. We launched our beta in September 2020 and the app became available in the App Store in October 2020.
Within five months, we became the number one app for IVF, IUI and egg freezing and all things related to fertility treatments in both IOS and the Play Store around the world.
We're currently serving over 30.000 women who are using the app on a regular basis and growing month by month. We have had a 30 per cent jump month to month in the last 30 days and continue to grow, no longer solo, and hopefully no longer bootstrapped.
From concept to market
Pedro: So you started thinking about the GDPR and the privacy implications in the research and development phase. How was this for you? Why did you start looking into this so early? Were you part of an incubator?
Ravid: No, I was doing it solo. I've developed products before, mostly in the content and entertainment space, and there we had to have compliance measures. So I knew that there was something that I needed to do, I just didn't know what it was yet. In researching what the steps would be, GDPR came up, and when I looked at Google and searched for compliance, Chino.io came up.
[...] I'm fairly familiar with different privacy laws in the US when it comes to age restrictions or HIPAA, but I had no idea what was going on with GDPR or how I could be compliant. I was completely bootstrapped and as a solo founder who was looking for partners, I wanted to make sure that whoever I was with knew how to get it done. What I found was that smaller developers, and third parties, weren't as familiar with GDPR either. Because of that, Chino.io seemed like a good solution to bring on early in the process even before I hired a developer - so that I had an understanding of what was necessary from a compliance standpoint.
My first conversation with Chino.io was in December of 2019, way, way back to pre-Covid days and before the digital health hype.
From there, we had several conversations and agreed on a game plan. I didn’t even have a developer at that point. I brought them in May 2020, and then we went through the process of testing and doing everything.
The privacy settings that we created just alleviated a lot of legal financial burdens for us. It helped us really understand what we needed. Eventually, Chino.io became our compliance officer, since you need somebody local to be there for you.
Compliance is an asset for strategy
Pedro: I know that we've been talking about certain partnerships that you are looking to develop with very established and mature companies, working in a similar space. How big was compliance, GDPR and data privacy and how big was it in the conversations with them?
Ravid: I think that compliance, when speaking about digital health, comes up in every single meeting that I ever had, whether it's with investors or partners or in marketing events. and also how you market. There have been strategic decisions that we've made up until this point for compliance reasons - for example not having the Facebook marketing SDK on the app because we didn't want to share certain private information. We're not like a normal patient portal.
When I have conversations with investors, media or with partners, we are able to have a very knowledgeable conversation about where we stand from a compliance and privacy standpoint.
Pedro: And regarding the type of data that you're processing, what sort of data, if you're willing to share, do you collect from users that you think is the most sensitive?
Ravid: This is a very sensitive topic in fertility or when you're trying to have kids. It's very important to you. We're collecting everything from your diagnostic and medical information to the reports and outcomes of treatments. We know if someone's getting pregnant, including reports along the way, from failed cycles for example. These are all, and also from an emotional standpoint, very sensitive medical information.
Pedro: When it comes to communicating with your users, have you identified privacy being something like a key decision factor in order to sign up for your application? Also, how much do you highlight throughout the users' sign-up process?
Ravid: When we first launched, it was right around the same time that there was a lawsuit against a big period tracker, that was sharing private information about women's menstrual cycles with Facebook. Because of that, we did get a lot of questions about compliance in the very beginning. It was definitely a topic of conversation, and I think it just really depends on what's happening in the news cycle, how people treat their data and the information that's available. We've made it very clear both in our sign-up and onboarding process and on our website that users' information is secure. We take every effort possible to make sure that even if there was by any means some sort of breach, we're keeping the information anonymised and separate so that it is not possible to attach it to users personally.
Pedro: You mentioned that from the moment we started working together to the moment you launched it was less than a year and all the measures were in place. You also told me that when you were basically starting this project and in the research and development phase, you knew you had to do something compliance-wise, but not sure what it was. What was that? What would you say is tougher to do? Can you define what you actually had or implement?
Ravid: GDPR was not as big of a mystery, but everything that was happening around MDR was. For instance, with the new certification for digital health tools, nobody had any idea and I don't think they still do. I've had conversations with 20 different consultants, and everybody had a different opinion about the type of level that my app needs or what we need to do moving forward. It's one of those things that is not very clear. But eventually, when something has been in the works and in the system for a while, then people will have a better understanding of it.
It is a pain to act on GDPR at first. But it was a very seamless process for us because we were working with Chino.io to get that done. I wish that with MDR partners it would have been as clear and easy.
Pedro: I totally understand - MDR is also a challenge for multiple customers. By the way, are you classified as a medical device under MDR?
Ravid: No, we're still considered level one, and even in our new product, when we launch it in the EU, we don't offer assessments. We're only offering research resources that users can look up, but we're not actually assessing and giving them information about their data.
Pedro: Are you offering data sharing with doctors currently?
No. That's something that we're going to be working towards for next year, alongside our HIPAA certification in the next 12 months.
Next steps: expanding the markets
Pedro: What are the plans for the future? What are you targeting? I'm guessing that if you're looking into HIPAA that you will be targeting the U.S. market
Ravid: We are. The U.S. market is definitely our biggest and largest target. It accounts for almost half of our users. We are working now on taking all of this data that we've been able to gather, and we're building machine learning algorithms that will be predictive and be able to help monitor and give assessments on diagnostics and on treatment protocols. That's our big task for 2022. And then we'll be able to take those learnings for 2023 and expand our markets. Right now, we're completely B2C, and that's why we'll need HIPAA compliance. And then also we'll be getting the MDR to a level four. It is our holy grail to be able to lower the time that it takes to get to your healthy baby and that has a lot to do with a correct diagnosis and choosing the right protocol.
Pedro: And how will communicating with the doctor be like? Are you looking to integrate more within the healthcare system?
Ravid: We are looking to work with clinics and self-insured employers. Our focus is on empowering the patient to make the best decisions and to be a part of this process.
Pedro: Thank you very much for taking the time. I really personally love your story. I think it's a very inspirational and original story.
Ravid: You were there when I was in treatment and still coming up with the idea. And then when I was pregnant. And ten days after the app came to the world. For me personally, it has been fantastic working along with you all this journey, and I really look forward to all the challenges that we'll hopefully face together in the future.
The one stop shop for solving all digital health privacy and security compliance aspects.
As a partner of our clients, we combine regulatory and technical expertise, with a modular IT platform that allows digital health applications to eliminate compliance risks, save costs and time.
Chino.io makes compliant-by-design Digital Health happen faster, combining legal know-how and data security technology for innovators.
To learn more, book a call with our experts.