Last update: May 23, 2018
1. WHY DOES THIS MATTER?
At Oura Health Oy (“Oura”), we take data protection seriously.
Our products, such as the Oura ring, enable you to track your lifestyle choices and the quality of your sleep. We feel that data does not get much more personal than this, and thus respect of your privacy. Safety of your data is of paramount importance to us. We therefore hope that you take a moment to review this policy.
Please note that certain measurement data collected via the app and device may be regarded as health related data under data protection laws in certain jurisdictions.
2. ABOUT THIS POLICY
• What personal data we collect when you use the Oura ring and application
• How we store and process your data
• Your legal rights and how to exercise them
3. OUR CONTACT INFORMATION
Oura Health Oy
Business ID: 25427764
Address: Elektroniikkatie 3 90590 Oulu Finland
E-mail address: firstname.lastname@example.org
Data Protection Officer: Markku Koskela, email@example.com
4. HOW DOES OUR DEVICE AND APP WORK?
When worn, the Oura ring automatically collects data of your body responses during your sleep and daily activity. That data is uploaded wirelessly to your mobile phone via our Oura mobile app. The ring and the app are connected to your computer or a cloud service and your data is made available to you there.
5. WHAT PERSONAL DATA DO WE PROCESS?
When registering an account on the app or during your use of it, we process the following general account data as inserted by you:
• E-mail address
• Birth date and year
• Height and weight
• Notes and tags
The Oura ring automatically tracks and collects the following measurement data:
• Heart rate
• Movement data
• Temperature data
We also track and generate certain usage related and technical data:
• IP address and high-level location
• User ID (randomly generated)
• Metadata regarding app use
Based on your inserted data and measurement data, the Oura ring and app calculate a variety of parameters, such as:
• Duration of sleep
• Sleep phases (deep, light, REM, awake)
• Activity levels throughout the day
• Body mass index (calculated based on height and weight)
This information is used to produce evaluation data regarding the quality of your sleep, level of your recovery, and balance of your activity.
6. DATA SOURCES
Some of the data are received directly from you in connection with your registration.
Measurement data is collected automatically by the tracking functions of the Oura ring.
Data is also produced by combining the data listed above and by calculating evaluation data regarding quality of sleep, recovery and activity.
7. PURPOSES AND LEGITIMATE GROUNDS FOR PROCESSING OF PERSONAL DATA
Purposes of processing
To provide you the service
We process personal data in the first place to be able to offer the app and service to our Users in accordance with their user contract.
We may process personal data for the purpose of communicating with Users. If you contact our support with questions regarding your app data, we will use the provided information to answer your questions and for solving any issues you may have.
For analytics and service improvements
We may process aggregated information regarding the use of our Service to improve our app quality. When possible, we will do this using only aggregated, non-personally identifiable data.
For in-app advertising
With your consent we may show or send you advertisements within the app or by using push notifications. We will never use your health-related data for advertising without your explicit consent.
Legal grounds for processing
We process personal data on the basis of a user contract, which is formed in connection with the creation of an account and acceptance of our terms and conditions. We may also process certain information to comply with legal obligations, such as consumer protection legislation.
Furthermore, we process the personal data to pursue our legitimate for aggregated analytics and trend detection. When choosing to use your data on the basis of our legitimate interests, we carefully weigh our own interests against your right to privacy.
Measurement data or any data derived from measurement data is used for advertising only subject to your explicit consent.
8. DATA TRANSFERS TO COUNTRIES OUTSIDE EEA
Oura stores the Users’ personal data primarily within the European Economic Area.
However, we may transfer personal data to, or access it in, jurisdictions outside the European Economic Area or the User’s domicile.
We will take steps to ensure that the Users’ personal data receives an adequate level of protection in the jurisdictions in which it is processed. We provide adequate protection for the transfers of personal data to countries outside of the European Economic Area through a series of agreements with our service providers based on the Standard Contractual Clauses or other similar arrangements.
9. SHARING YOUR PERSONAL DATA
We may share data with our group companies, subsidiaries and affiliates. Otherwise we do not share personal data with third parties outside of our organization unless one of the following circumstances applies:
For legal reasons
We may share personal data with third parties outside Oura’s organization if we have a good-faith belief that access to and use of the personal data is reasonably necessary to: (i) meet any applicable law, regulation, and/or court order; (ii) detect, prevent, or otherwise address fraud, security or technical issues; and/or (iii) protect the interests or safety of Oura or our Users in accordance with the law. Where possible, we will inform Users about such transfer and processing.
To our authorized service providers
For other legitimate reasons
With your explicit consent
We may share personal data with third parties outside Oura’s organization for other reasons than the ones mentioned before, when we have the User’s explicit consent to do so. The User has the right to withdraw this consent at all times.
10. ANONYMIZED DATA
We may aggregate and anonymize data collected via the application. Such data will be anonymous and cannot be connected to an individual User, therefore no longer qualifying as personal data. We may use this type of anonymous data for analytics, statistics, research, communications and PR purposes as well as for trend detection and for benchmark data.
11. HOW LONG DO WE KEEP YOUR DATA?
Oura does not store personal data longer than is legally permitted and necessary for the purposes specified above. The storage period generally depends on the duration an account lifecycle, unless data has been deleted upon request.
Backups are deleted as soon as reasonably possible, typically within 6 months.
12. YOUR RIGHTS
Right to access
You have the right to access your personal data processed by us. You may contact us and we will inform you what personal data we have collected and processed regarding you.
Right to withdraw consent
In case the processing is based on your consent, you may withdraw the consent at any time. Withdrawing a consent may lead to fewer possibilities to use our Service. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Right to correct
Users have the right to have incorrect or incomplete personal data we have stored about the User corrected or completed. You can correct or update some of your personal data through your user account in the Service.
Right to erasure
Users may also ask us to erase the User’s personal data from our systems. We will comply with such request unless we have a legitimate ground to not delete the data.
Right to object
Users may object to the processing of personal data if such data are processed for other purposes than purposes necessary for the performance of our Service to the User or for compliance with a legal obligation. In case we do not have legitimate grounds to continue processing such personal data, we shall no longer process the personal data after your objection.
Right to restriction of processing
Users may request us to restrict processing of personal data for example when your data erasure, rectification or objection requests are pending and/or when we do not have legitimate grounds to process your data. This may however lead to fewer possibilities to use our Service.
Right to data portability
Users have the right to receive their personal data from us in a structured and commonly used format and to independently transmit those data to a third party.
How to use the rights
The above mentioned rights may be used by sending a letter or a secured e-mail to us on the addresses set out above, including the following information: the full name, company name, address, e-mail address and a phone number. We may request the provision of additional information necessary to confirm the identity of the User. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.
13. DIRECT MARKETING AND PUSH NOTIFICATIONS
Notwithstanding any consent granted beforehand for the purposes of direct marketing, you have the right to prohibit us from using your personal data for direct marketing purposes by contacting us or by using the unsubscribe possibility offered in connection with our newsletter.
We will ask your explicit consent if we wish to send you push notifications or to use any health related data for marketing purposes.
14. DATA OF CHILDREN
We do not knowingly process data of children under the age of 18.
Please note that according to our terms and conditions we reserve the right to delete accounts of children, in particular if no proof of parental consent is provided.
15. SAFEGUARDING YOUR DATA
We do our best to keep your data safe and secure.
We use administrative, organizational, technical, and physical safeguards to protect the personal data we collect and process. Measures may include, for example, where appropriate, encryption, pseudonymization and access right systems. Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, availability, resilience and ability restore the data. We regularly test our Service, systems, and other assets for security vulnerabilities.
We will take all reasonable precautions to ensure that our staff and employees who have been specifically granted access to information about you have received adequate training to ensure that they process that information only in accordance with this policy and with our obligations under applicable legislations.
Should despite of the security measures, a security breach occur that is likely to have negative effects to your privacy, we will inform you and relevant authorities as required by applicable data protection laws.
16. SOCIAL MEDIA AND PUBLIC FORUMS
The application enables you to publish certain information from your application related to your Oura experience or sleep data on social media sites such as Facebook, Instagram and Twitter, online blogs and forums.
Please think carefully before deciding what information you share, in connection with your User Content. Please note that we do not control who will have access to the information that you choose to make public in such forums, and cannot ensure that parties who have access to such information will respect your privacy or keep it secure. We are not responsible for the privacy or security of any information that you make publicly available on social media, online blogs or public forums – or what others do with information you share.
17. LODGING A COMPLAINT
In case you consider our processing of personal data to be inconsistent with the applicable data protection laws, a complaint may be lodged with the data protection supervisory authority.