ŌURA Health Privacy Policy

Processing Purposes

When you use Oura Services, we collect and processes your personal data for the following purposes:

1. To Provide Oura Services
   We process personal data when you use our Services, such as to provide you with personalized insights about your readiness, sleep, activity, and other inferences about your health status.
2. To Provide Customer Service
   We process personal data to provide customer service and manage our customer communication. For example, if you contact our Support with questions regarding your Oura App data, we may use the provided information to answer your questions, and for solving any issues you may have.
3. To Protect Your Privacy
   We may process personal data regarding your use of the Services to protect your privacy. This may involve the use of privacy enhancing technologies and other privacy-protective techniques. When information is aggregated or anonymized, it is no longer personal data.
4. To Improve Our Services
   We process personal data regarding your use of our Services to understand how you use our Services and how we can improve them. For example, we may process personal data to improve your user experience in the Oura App or to develop cutting-edge features to provide you with new insights about your health. When feasible, we do this using data that has been processed to protect your privacy.
5. To Perform Analysis
   We may process personal data about human performance and wellbeing to benefit our users and improve the cutting-edge insights we provide with our Services. When feasible, we do this using data that has been processed to protect your privacy.
6. To Market Our Services
   We process marketing-related personal data to provide online advertising and Oura marketing communications. For example, as explained more fully in our Cookie Policy, we use cookies and similar technologies on our website to create audiences for online advertisement. You can opt out of direct marketing communications.
7. To Enable Third-party Integrations and Services
   We process personal data you provide to Oura to enable third party integrations, services, features, and offerings. For example, with your permission, our Services may integrate with third party services like Google Health Connect and Apple HealthKit, or our partners. Oura takes measures to help ensure third-party services protect your personal data, which means that Oura only processes your data with respect to third-party integrations when you choose to integrate them with our Services, or when you provide the necessary consents. We process the data we receive from these third-parties according to applicable terms, such as the Google Health Connect Permissions policy and Google Limited Use requirements, as well as relevant third-party developer license agreements, as we become aware of those policies and agreements.
8. To Comply with Legal Obligations
   In certain cases, we must process certain data when it is required by applicable laws and regulations. Such statutory obligations are related, for example, to accounting and tax requirements, legal claims, or other legal purposes. Oura will oppose any request to provide legal authorities with access to user data for surveillance or prosecution purposes. We will notify users if we receive any such request whenever legally permissible.

Legal basis for processing

Data protection law in Europe and the U.K. requires a "lawful basis" for collecting and retaining personal information from residents of the European Economic Area. Our lawful bases for processing your data depend on the particular processing purposes, including:

1. Contract
   When processing personal data for the purpose of providing our Services, we process personal data on the basis of a user contract, which is formed when you create your account and accept our Terms of Use.
2. Consent
   We process your sensitive personal data only with your consent. In some cases, you can provide your consent to us for processing your data through your actions, such as by adding sensitive personal data into your notes, or by adding health related tags in the Oura App.
3. Legitimate Interest
   We process your personal data based on our legitimate interests when we process it for the purposes of marketing our Services and Sites, providing our customer service, and improving our Services. When choosing to use your personal data on the basis of our legitimate interests, we carefully weigh our own interests against your right to privacy, in compliance with applicable law.
4. Legal Obligation
   Oura must process certain information to comply with statutory obligations which may vary in each country. For example, such obligations can relate to consumer protection or tax laws.

Processed data and data source

In most cases, Oura collects personal data directly from you, such as when you register for an account, tag your data in the Oura mobile or web app, or use your Oura Ring. We may also process personal data that is produced from the information you provide to us. Oura may also rely on trusted third-party processors to process data on our behalf, such as our cloud service providers.

Oura processes the following personal data categories when you use our Services:

1. Contact information such as email address or physical address.
2. User information such as gender, height and weight, User ID, and other information you may provide to us about yourself or your account.
3. Device information such as IP address and location data.
4. User-provided activity and contextual information such as the activities, notes, comments, user feedback, and tags you provide within the app.
5. Measured data such as heart rate, movement data, temperature data, and respiration data.
6. Calculated user, sleep, health, and activity data such as sleep phases (deep, light, REM, awake), activity levels throughout the day, readiness level, and body mass index (calculated based on height and weight).

Please note that some of the personal data we process, including any data concerning your health, is considered special or sensitive personal data. Under applicable law, such data is processed only if you have given your consent for processing. If you access or use any of Oura's location-based services, such as by enabling GPS-based activity tracking through our Services, Oura may process the approximate or precise location of your device while the service is active. This data may be obtained via your device's service provider network ID, GPS, and/or Wi-Fi data. Oura does not process such location data without first obtaining your consent. You may disable such location processing at any time using your device's location permission settings.

Please also note that if you give your opt-in consent through our Services, you may share limited personal information like your sleep and readiness scores with other Oura users of your choice. You can make changes to what data you share with other Oura users, including opting out of sharing any data. Depending on your use of our services, you may also choose to communicate with and react to other users' information and scores. Please remember to always maintain a respectful and supportive environment when communicating with other users. Please see Oura's Terms of Use for more information.

Processing purposes

If you visit Oura's Sites or complete orders on Oura's online store, we process personal data for the following purposes:

1. To Provide Oura Services
   We process personal data to power our offerings, which may include when you visit our Sites. For example, this may include processing your data to enable Site performance.
2. To Complete and Deliver Your Orders
   We process personal data to process, handle, and deliver your purchases, and to facilitate your shopping.
3. To Provide Customer Service
   We process personal data to provide customer service and manage communication with our customers. For example, if you contact our Support with questions regarding our Sites or Services, we will use the provided information to answer your questions, and to help solve any issues you may have.
4. To Protect Your Privacy
   We may process personal data regarding your use of our Services to protect your privacy. This may involve the use of privacy enhancing technologies and other privacy-protective techniques. When information is aggregated or anonymized, it is no longer personal data.
5. To Improve Our Sites
   We process personal data to analyze and improve our Sites. For example, we may process personal data to analyze Site performance, improve user experience, and optimize the Site’s content and layout. When feasible, we will do this using data that has been processed to protect your privacy.
6. To Advertise and Market Our Services
   We process marketing data to provide online advertising and Oura marketing communications. Oura does not target people with online advertising based on their health data in the Oura App. As explained more fully in our Cookie Policy, we use cookies on our Site to create targeted audiences for online advertisement. You can always opt out of marketing communications.
7. To Comply with Statutory Obligations
   In certain cases, we must process certain data when it is required by applicable legislation. Such statutory obligations are related, for example, to accounting and tax requirements, legal claims, or other legal purposes.

Legal basis for processing

Data protection law in Europe requires a "lawful basis" for collecting and retaining personal information from residents of the European Economic Area. Our lawful bases for processing your data depend on the particular processing purposes, including:

1. Contract
   When processing personal data to handle and deliver your purchases, we rely on the legal basis of a user contract, which is created when you place your order.
2. Consent
   We process your personal data for electronic direct marketing purposes if you have provided your consent for it.
3. Legitimate Interest
   When we process your personal data for customer service purposes, marketing, and developing our Services, we do it on the basis of our legitimate interest to run, maintain, and develop our business and to create and maintain customer relationships. When choosing to use your personal data on the basis of our legitimate interests, we carefully weigh our own interests against your right to privacy under applicable laws.
4. Legal Obligation
   Oura must process certain information to comply with statutory obligations which may vary in each country. For example, such obligations can relate to consumer protection or accounting legislation.

Processed data and data source

In most cases, Oura collects personal data directly from you if you choose to complete orders in our online store or contact us with a question or complaint. When you visit our Sites, we collect analytical data about you via your device and browser using cookies and various other technologies for service development and advertising purposes. Oura may also rely on trusted third-party processors to collect data on our behalf, such as our payment processor partners.
We process the following personal data categories when you visit our Site:

1. Contact information such as name, email address and address
2. Delivery information such as your purchases and chosen payment method
3. Device information such as IP address, time of visit, and location data
4. User activity such as browsing patterns on the Site and any communications you have with us.

NOTICE FOR ALL U.S. CONSUMERS

This notice supplements the information contained in Oura's Privacy Policy and applies solely to all visitors, users, and others who reside in states within the U.S. with enhanced privacy notice requirements, such as California ("customers" or "you"), and who access Oura's Sites or Services.

Please be aware that in some instances where Oura is acting as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), the U.S. state privacy rights outlined in this section may not apply. In those instances and subject to our HIPAA policies, Oura may choose to offer self-serve tools that enable you to access and delete your personal data from the Oura App.

Collection, use, and sharing of information

When a customer interacts with Oura's Sites or Services, Oura collects information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, device, or household ("personal information" or “personal data”).
Information about the categories of personal information we collect, the purposes for which your personal information is processed, and any sharing of your personal information can be found from relevant sections of this Policy:

1. Device and Application User: categories of collected personal information and processing purposes
2. Online Store and Website Visitor: categories of collected personal information and processing purposes
3. Sharing of personal data

In the preceding twelve (12) months, Oura has not sold personal information to third parties, including data aggregators, as it is against our policies. We have collected and disclosed only the categories of personal information processed by Oura under this Policy as described in the Data Sharing and Disclosures section.

CONSUMER RIGHTS

If you are a resident of a state with enhanced rights related to the personal information Oura may process about you, you have certain rights:

1. Right to know about the personal information we collect and share

   U.S. State laws may give you the right to request that we disclose the personal information we have collected about you over the past 12 months, which we only provide after we receive and validate your request. Once we receive and confirm your verifiable request, we will disclose to you:

   1. The categories of personal information we collected about you;
   2. The categories of personal information we have disclosed about you (if any);
   3. The categories of sources for the personal information we collected about you;
   4. Our business or commercial purposes for collecting or selling that personal information;
   5. The categories of third parties with whom we share that personal information; and
   6. The specific pieces of personal information we collected about you.
2. Right of correction

   You have the right to request correction of your personal information. After we receive and validate your request, we will correct your personal information, unless an exception applies.

   Please note that you can correct and update some of your basic information via the Oura App and via Oura on the Web.

3. Right of deletion

   You have the right to request erasure of your personal information, subject to certain exceptions, such as when we have a legal obligation to retain the data in question. After we receive and validate your request, we will delete your personal information, as well as direct our service providers to delete your personal information unless an exception applies.

4. How to make disclosure, access, correction, or deletion requests

   If you reside in a state that provides for enhanced privacy rights, you can request disclosure, access to, correction, and/or deletion of your personal data as described above by submitting a verifiable consumer request to us by:

   Sending an e-mail to [email protected], including the following information along with your request: your full name, company name (if applicable), address, e-mail address, and a phone number. We may request that you provide additional information if necessary to confirm your identity. This is for security purposes, and is required by law in some cases.

   Only you, or a person registered with the appropriate mechanism associated with your state of residency that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

   You have the right to make a free request up to two times in any 12-month period. We will respond to all validated requests within 45 days of receiving your request, unless we request an extension. In the event that we reasonably require an extension in order to respond to your request, we will notify you of any such extension within the initial 45-day period.

5. Non-Discrimination

   Oura does not discriminate against users who request to exercise their privacy rights. Unless an exception applies, this includes our promise not to:

   1. Deny you goods or services;
   2. Charge you different prices or rates for goods or services, including granting discounts or other benefits, or imposing penalties;
   3. Provide you a different level or quality of goods or services; or
   4. Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Personal data sharing

Oura does not sell or rent your personal information, and only shares your personal data with certain trusted service providers and partners so that we can provide and improve our services, to provide partner services and other offerings, and to operate our business. Whenever we share data with third-party service providers, we require that they use your information only for the purposes we've authorized, and for the limited reasons explained in this Policy. We also require these service providers to protect your personal information to at least the same standards that we do.

Like most companies, Oura uses service providers for purposes such as:

1. Providing and improving our online service platform;
2. Storing our users' data;
3. Providing customer services;
4. Managing and organizing our marketing activities. Oura only shares website usage data with our advertising network partners for the purposes of analyzing and optimizing our marketing. Oura does not share Service data with third-party advertisers; and
5. Analyzing information regarding the use of our Sites and Services to improve our service quality.

We use industry standard data protection measures to safeguard all international transfers of personal data through data protection agreements with our service providers.

LEGAL FRAMEWORKS FOR INTERNATIONAL TRANSFERS

Oura is a global company with servers around the world, and your personal data may at times be processed on servers located outside of the country where you live. Although data protection laws vary among countries, regardless of where your personal data is processed, we apply the same protections described in this Policy. We also comply with certain legal frameworks relating to the transfer of personal data, such as the frameworks described below.

Oura participates in the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework (collectively, the “Data Privacy Frameworks”) as set forth by the US Department of Commerce regarding the processing of personal data from the European Economic Area, the United Kingdom and Gibraltar, and Switzerland. Oura has further certified that we adhere to the principles of the Data Privacy Frameworks.

Click https://www.dataprivacyframework.gov/ to learn more about the Data Privacy Frameworks. If there is any conflict between the terms in this Policy and the Data Privacy Frameworks principles, the principles shall govern.

If Oura transfers personal information received under the Data Privacy Frameworks to a third-party, the third-party’s processing of the personal data must also be in compliance with our Data Privacy Frameworks obligations, and we will remain liable under the Data Privacy Frameworks for any failure to do so by the third-party, unless we prove we are not responsible for the event giving rise to the damage.

Oura is subject to the investigatory and enforcement powers of the US Federal Trade Commission. In certain situations, Oura may be required to disclose the personal information we process under the Data Privacy Frameworks in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.