OURA HEALTH PRIVACY POLICY –  DEVICE AND APPLICATION

Last update: May 23, 2018

1. WHY DOES THIS MATTER?

At Oura Health Oy (“Oura”), we take data protection seriously.

Our products, such as the Oura ring, enable you to track your lifestyle choices and the quality of your sleep. We feel that data does not get much more personal than this, and thus respect of your privacy. Safety of your data is of paramount importance to us. We therefore hope that you take a moment to review this policy.

Please note that certain measurement data collected via the app and device may be regarded as health related data under data protection laws in certain jurisdictions.

2. ABOUT THIS POLICY

This Privacy Policy has been put together to provide our app and Oura ring users (“Users” or “ you”) with transparent information about the privacy of our devices and app. This Privacy Policy aims to answer the following questions:

• What personal data we collect when you use the Oura ring and application

• How we store and process your data

• Your legal rights and how to exercise them

Please note that this privacy policy only applies to the processing of personal data carried out by Oura as a data controller. The App Store privacy guidelines have been taken into account in the drafting of this Privacy Policy.

This Privacy Policy may be updated from time to time. We will not make substantial changes without prior notice. You can determine when this Privacy Policy was last revised by referring to the “LAST UPDATE” date at the top of this page.

3. OUR CONTACT INFORMATION

Oura Health Oy

Business ID: 25427764

Address: Elektroniikkatie 3 90590 Oulu Finland

E-mail address: support@ouraring.com

Website: https://ouraring.com

Data Protection Officer: Markku Koskela, dataprotection@ouraring.com

4. HOW DOES OUR DEVICE AND APP WORK?

When worn, the Oura ring automatically collects data of your body responses during your sleep and daily activity. That data is uploaded wirelessly to your mobile phone via our Oura mobile app. The ring and the app are connected to your computer or a cloud service and your data is made available to you there.

5. WHAT PERSONAL DATA DO WE PROCESS?

When registering an account on the app or during your use of it, we process the following general account data as inserted by you:

• E-mail address

• Gender

• Birth date and year

• Height and weight

• Activities

• Notes and tags

The Oura ring automatically tracks and collects the following measurement data:

• Heart rate

• Movement data

• Temperature data

We also track and generate certain usage related and technical data:

• IP address and high-level location

• User ID (randomly generated)

• Metadata regarding app use

Based on your inserted data and measurement data, the Oura ring and app calculate a variety of parameters, such as:

• Duration of sleep

• Sleep phases (deep, light, REM, awake)

• Activity levels throughout the day

• Body mass index (calculated based on height and weight)

This information is used to produce evaluation data regarding the quality of your sleep, level of your recovery, and balance of your activity.

6. DATA SOURCES

Some of the data are received directly from you in connection with your registration.

Measurement data is collected automatically by the tracking functions of the Oura ring.

Data is also produced by combining the data listed above and by calculating evaluation data regarding quality of sleep, recovery and activity.

7. PURPOSES AND LEGITIMATE GROUNDS FOR PROCESSING OF PERSONAL DATA

Purposes of processing

To provide you the service

We process personal data in the first place to be able to offer the app and service to our Users in accordance with their user contract.

For communication

We may process personal data for the purpose of communicating with Users. If you contact our support with questions regarding your app data, we will use the provided information to answer your questions and for solving any issues you may have.

For analytics and service improvements

We may process aggregated information regarding the use of our Service to improve our app quality. When possible, we will do this using only aggregated, non-personally identifiable data.

For in-app advertising

With your consent we may show or send you advertisements within the app or by using push notifications. We will never use your health-related data for advertising without your explicit consent.

Legal grounds for processing

We process personal data on the basis of a user contract, which is formed in connection with the creation of an account and acceptance of our terms and conditions. We may also process certain information to comply with legal obligations, such as consumer protection legislation.

Furthermore, we process the personal data to pursue our legitimate for aggregated analytics and trend detection. When choosing to use your data on the basis of our legitimate interests, we carefully weigh our own interests against your right to privacy.

Measurement data or any data derived from measurement data is used for advertising only subject to your explicit consent.

8. DATA TRANSFERS TO COUNTRIES OUTSIDE EEA

Oura stores the Users’ personal data primarily within the European Economic Area.

However, we may transfer personal data to, or access it in, jurisdictions outside the European Economic Area or the User’s domicile.

We will take steps to ensure that the Users’ personal data receives an adequate level of protection in the jurisdictions in which it is processed. We provide adequate protection for the transfers of personal data to countries outside of the European Economic Area through a series of agreements with our service providers based on the Standard Contractual Clauses or other similar arrangements.

9. SHARING YOUR PERSONAL DATA

We may share data with our group companies, subsidiaries and affiliates. Otherwise we do not share personal data with third parties outside of our organization unless one of the following circumstances applies:

It is necessary for the purposes set out in this Privacy Policy

To the extent that third parties need access to personal data to enable the offering of the service, Oura has taken appropriate contractual and organisational measures to ensure that personal data are processed exclusively for the purposes specified in this Privacy Policy and in accordance with all applicable laws and regulations.

For legal reasons

We may share personal data with third parties outside Oura’s organization if we have a good-faith belief that access to and use of the personal data is reasonably necessary to: (i) meet any applicable law, regulation, and/or court order; (ii) detect, prevent, or otherwise address fraud, security or technical issues; and/or (iii) protect the interests or safety of Oura or our Users in accordance with the law. Where possible, we will inform Users about such transfer and processing.

To our authorized service providers

We may share personal data to authorized service providers who perform services for us (including data storage, sales, marketing and other support function services). Our agreements with our service providers include commitments that the service providers agree to limit their use of personal data and to comply with privacy and security standards at least as stringent as the terms of this Privacy Policy. Please bear in mind that if you provide personal data directly to a third party, such as through a link on our website, the processing is typically based on their policies and standards.

For other legitimate reasons

If Oura is involved in a merger, acquisition or asset sale, we may transfer personal data to the third party involved. However, we will continue to ensure the confidentiality of all personal data. We will give notice to all Users concerned when the personal data are transferred or become subject to a different privacy policy as soon as reasonably possible.

With your explicit consent

We may share personal data with third parties outside Oura’s organization for other reasons than the ones mentioned before, when we have the User’s explicit consent to do so. The User has the right to withdraw this consent at all times.

10. ANONYMIZED DATA

We may aggregate and anonymize data collected via the application. Such data will be anonymous and cannot be connected to an individual User, therefore no longer qualifying as personal data. We may use this type of anonymous data for analytics, statistics, research, communications and PR  purposes as well as for trend detection and for benchmark data.

11. HOW LONG DO WE KEEP YOUR DATA?

Oura does not store personal data longer than is legally permitted and necessary for the purposes specified above. The storage period generally depends on the duration an account lifecycle, unless data has been deleted upon request.

Backups are deleted as soon as reasonably possible, typically within 6 months.

12. YOUR RIGHTS

Right to access

You have the right to access your personal data processed by us. You may contact us and we will inform you what personal data we have collected and processed regarding you.

Right to withdraw consent

In case the processing is based on your consent, you may withdraw the consent at any time. Withdrawing a consent may lead to fewer possibilities to use our Service. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right to correct

Users have the right to have incorrect or incomplete personal data we have stored about the User corrected or completed. You can correct or update some of your personal data through your user account in the Service.

Right to erasure

Users may also ask us to erase the User’s personal data from our systems. We will comply with such request unless we have a legitimate ground to not delete the data.

Right to object

Users may object to the processing of personal data if such data are processed for other purposes than purposes necessary for the performance of our Service to the User or for compliance with a legal obligation. In case we do not have legitimate grounds to continue processing such personal data, we shall no longer process the personal data after your objection.

Right to restriction of processing

Users may request us to restrict processing of personal data for example when your data erasure, rectification or objection requests are pending and/or when we do not have legitimate grounds to process your data. This may however lead to fewer possibilities to use our Service.

Right to data portability

Users have the right to receive their personal data from us in a structured and commonly used format and to independently transmit those data to a third party.

How to use the rights

The above mentioned rights may be used by sending a letter or a secured e-mail to us on the addresses set out above, including the following information: the full name, company name, address, e-mail address and a phone number. We may request the provision of additional information necessary to confirm the identity of the User. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.

13. DIRECT MARKETING AND PUSH NOTIFICATIONS

Notwithstanding any consent granted beforehand for the purposes of direct marketing, you have the right to prohibit us from using your personal data for direct marketing purposes by contacting us or by using the unsubscribe possibility offered in connection with our newsletter.

We will ask your explicit consent if we wish to send you push notifications or to use any health related data for marketing purposes.

14. DATA OF CHILDREN

We do not knowingly process data of children under the age of 18.

Please note that according to our terms and conditions we reserve the right to delete accounts of children, in particular if no proof of parental consent is provided.

15. SAFEGUARDING YOUR DATA

We do our best to keep your data safe and secure.

We use administrative, organizational, technical, and physical safeguards to protect the personal data we collect and process. Measures may include, for example, where appropriate, encryption, pseudonymization and access right systems. Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, availability, resilience and ability restore the data. We regularly test our Service, systems, and other assets for security vulnerabilities.

We will take all reasonable precautions to ensure that our staff and employees who have been specifically granted access to information about you have received adequate training to ensure that they process that information only in accordance with this policy and with our obligations under applicable legislations.

Should despite of the security measures, a security breach occur that is likely to have negative effects to your privacy, we will inform you and relevant authorities as required by applicable data protection laws.

16. SOCIAL MEDIA AND PUBLIC FORUMS

The application enables you to publish certain information from your application related to your Oura experience or sleep data on social media sites such as Facebook, Instagram and Twitter, online blogs and forums.

Please think carefully before deciding what information you share, in connection with your User Content. Please note that we do not control who will have access to the information that you choose to make public in such forums, and cannot ensure that parties who have access to such information will respect your privacy or keep it secure. We are not responsible for the privacy or security of any information that you make publicly available on social media, online blogs or public forums – or what others do with information you share.

17. LODGING A COMPLAINT

In case you consider our processing of personal data to be inconsistent with the applicable data protection laws, a complaint may be lodged with the data protection supervisory authority.

National Winner Nordic Startup Awards 2017 Reddot Award 2018 Winner European Union - European Regional Development Fund leverage from the EU 2014-2020