Health Privacy Policy

Last Updated: October 29, 2024

TOI LABS’ COMMITMENT TO PRIVACY

At Toi Labs, protecting your personal data is a task we take seriously. Our products are designed to help you to track important aspects of your health – and so we understand that data does not get much more personal than this. That's why we firmly believe that you should be in charge when it comes to your personal data.

This Health Privacy Policy (“Policy”) is designed to provide you with the information you need to take control of your personal data, which is a fundamental aspect of empowering your health journey. Please take a moment to carefully review this Policy.


ABOUT THIS PRIVACY POLICY

This Policy applies to the processing of personal data by Toi Labs over its Product and Services (collectively, "Toi Labs") when you visit our web properties (“Sites”), use the TrueLoo, or use other Toi Labs services (“Services”).

WHY DOES TOI LABS PROCESS YOUR PERSONAL DATA?

The sections below explain the categories of personal data we collect and process, as well as the reasons we do so. You will also find information on our legal basis for processing your data, and our data sources.

DEVICE & APPLICATION USERS

PROCESSING PURPOSES

When you use Toi Labs Services, we collect and process your personal data for the following purposes:

  1. To Provide Toi Labs Services: We process personal data when you use our Product and Services, such as to provide you with personalized insights and other inferences about your health status.

  2. To Provide Customer Service: We process personal data to provide customer service and manage our customer communication. For example, if you contact us with questions regarding your account, we may use the provided information to answer your questions, and for solving any issues you may have.

  3. To Protect Your Privacy: We may process personal data regarding your use of the Services to protect your privacy. This may involve the use of privacy enhancing technologies and other privacy-protective techniques. When information is aggregated or anonymized, it is no longer personal data.

  4. To Improve Our Services: We process personal data regarding your use of our Services to understand how you use our Services and how we can improve them. For example, we may process personal data to improve your user experience with the TrueLoo product or to develop cutting-edge features to provide you with new insights about your health. When feasible, we do this using data that has been processed in a manner to protect your privacy, such as by pseudonymization.

  5. To Perform Analysis: We may process personal data about human performance and wellbeing to benefit our users and improve the cutting-edge insights we provide with our Services. Some features of our Services may use third-party automated technology to provide a more personalized experience, and to give you comprehensive insights about your data. When feasible, we do this using data that has been processed in a manner to protect your privacy.

  6. To Market Services: We process marketing-related personal data to provide online advertising and other marketing communications on behalf of Toi Labs and our partners. You can opt out of direct marketing communications from Toi Labs.

  7. To Enable Third-party Integrations and Services: We process personal data you provide to Toi Labs to enable third-party integrations, services, features, and offerings. Toi Labs takes measures to help ensure third-party services protect your personal data, which means that Toi Labs only processes your data with respect to third-party integrations when you choose to integrate them with our Services, or when you provide the necessary consents. We process the data we receive from these third parties according to applicable terms, as well as relevant third-party developer license agreements, as we become aware of those policies and agreements.

  8. To Comply with Legal Obligations: In certain cases, we must process certain data when it is required by applicable laws and regulations. Such statutory obligations are related, for example, to accounting and tax requirements, legal claims, or other legal purposes. Oura will oppose any request to provide legal authorities with access to user data for surveillance or prosecution purposes. We will notify users if we receive any such request whenever legally permissible.

LEGAL BASIS FOR PROCESSING

Data protection law in Europe and the U.K. requires a "lawful basis" for collecting and retaining personal information from residents of the European Economic Area. Our lawful bases for processing your data depend on the particular processing purposes, including:

  1. Contract: When processing personal data for the purpose of providing our Services, we process personal data on the basis of a user contract, which is formed when you create your account and accept our Terms of Service.

  2. Consent: We process your sensitive personal data only with your consent. In some cases, you can provide your consent to us for processing your data through your actions.

  3. Legitimate Interest: We process your personal data based on our legitimate interests when we process it for the purposes of marketing our Services and Sites, providing our customer service, and improving our Services. When choosing to use your personal data on the basis of our legitimate interests, we carefully weigh our own interests against your right to privacy, in compliance with applicable law.

  4. Legal Obligation: Toi Labs must process certain information to comply with statutory obligations which may vary in each country. For example, such obligations can relate to consumer protection or tax laws.

PROCESSED DATA AND DATA SOURCE

In most cases, Toi Labs collects personal data directly from you, such as when you register for an account or use your TrueLoo seat. We may also process personal data that is produced from the information you provide to us. Toi Labs may also rely on trusted third-party processors to process data on our behalf, such as our cloud service providers. Toi Labs processes the following personal data categories when you use our Services:

  1. Contact information such as email address or physical address.

  2. User information, such as User ID, and other information you may provide to us about yourself or your account.

  3. Device information such as IP address and location data.

  4. User-provided information.

  5. Measured data captured by the TrueLoo sensors.

Please note that some of the personal data we process, including any data concerning your health, is considered special or sensitive personal data. Under applicable law, such data is processed only if you have given your consent for processing.

DATA RECIPIENTS

Toi Labs allows you to share your TrueLoo data with your doctor, coach, trainer, or other individuals (“Data Recipient”). If you choose to share data in this way, once you consent to sharing your personal data with the Data Recipient, the data will be made available for the Data Recipient.

Once your data is shared, the Data Recipient is responsible for the processing of your personal data according to applicable laws. Your personal data is used by the Data Recipient in accordance with its own privacy policy. Toi Labs is not responsible for the security of personal data that the Data Recipient has obtained.

Once you give consent to share your data with the Data Recipient, the administrators facilitating such data sharing may get access to the following personal data:

Your personal data is disclosed to the Data Recipient only if you give consent to it. You can withdraw your consent at any time. If you withdraw your consent, the Data Recipient can no longer access your data. Please note that withdrawing your consent from the service or changing any other consent settings does not affect the processing of data that the Data Recipient may have extracted while such data sharing was operative.

Toi Labs may use aggregated data for analytics, statistics, research and development purposes. Toi Labs is the controller of such aggregated data, which may no longer qualify as personal data due to the aggregation. For other data Toi Labs processes which are not at the direction of the Data Recipient, the rest of the terms in this Privacy Policy apply.

ONLINE CUSTOMERS & SITE VISITORS

PROCESSING PURPOSES

If you visit or complete orders on Toi Labs’ online store, we process personal data for the following purposes:

  1. To Provide Our Services: We process personal data to power our offerings, which may include when you visit our Sites. For example, this may include processing your data to enable Site performance.

  2. To Complete and Deliver Your Orders: We process personal data to process, handle, and deliver your purchases, and to facilitate your shopping.

  3. To Provide Customer Service: We process personal data to provide customer service and manage customer communication.

  4. To Protect Your Privacy: We may process personal data regarding your use of our Services to protect your privacy. This may involve the use of privacy enhancing technologies and other privacy-protective techniques. When information is aggregated or anonymized, it is no longer personal data.

  5. To Improve Our Sites: We process personal data to analyze and improve our Sites. For example, we may process personal data to analyze Site performance, improve user experience, and optimize the Site's content and layout. When feasible, we will do this using data that has been processed to protect your privacy.

  6. To Advertise and Market Services: We process marketing data to provide online advertising and marketing communications on behalf of Toi Labs and our partners. We may use cookies on our Site to create targeted audiences for online advertisement. You can always opt out of Toi Labs direct marketing communications. In the event you receive Toi-Labs-branded advertising sent to you by one of our third-party partners, please review the third-party's privacy policy for more information, and contact them with regard to any opt-out requests.

  7. To Comply with Legal Obligations: In certain cases, we must process certain personal data when it is required by applicable legislation. Such statutory obligations are related, for example, to accounting and tax requirements, legal claims, or other legal purposes.

LEGAL BASIS FOR PROCESSING

Data protection law in Europe requires a "lawful basis" for collecting and retaining personal information from residents of the European Economic Area. Our lawful bases for processing your data depend on the particular processing purposes, including:

  1. Contract: When processing personal data to handle and deliver your purchases, we rely on the legal basis of a user contract, which is created when you place your order.

  2. Consent: We process your personal data for electronic direct marketing purposes if you have provided your consent for it.

  3. Legitimate Interest: When we process your personal data for customer service purposes, marketing, and developing our Services, we do it on the basis of our legitimate interest to run, maintain, and develop our business and to create and maintain customer relationships. When choosing to use your personal data on the basis of our legitimate interests, we carefully weigh our own interests against your right to privacy under applicable laws.

  4. Legal Obligation: We must process certain information to comply with statutory obligations which may vary in each country. For example, such obligations can relate to consumer protection or accounting legislation.

PROCESSED DATA AND DATA SOURCE

In most cases, Toi Labs collects personal data directly from you if you choose to complete orders in our online store or contact us with a question or complaint. When you visit our Sites, we collect analytical data about you via your device and browser using cookies and various other technologies for service development and advertising purposes. Toi Labs may also rely on trusted third-party processors to collect data on our behalf, such as our payment processor partners.

We process the following personal data categories when you visit our Site:

  1. Contact information such as name, email address and address

  2. Delivery information such as your purchases and chosen payment method

  3. Device information such as IP address, time of visit, and location data

  4. User activity such as browsing patterns on the Site and any communications you have with us.

U.S. STATES WITH ENHANCED PRIVACY REQUIREMENTS NOTICE FOR ALL U.S. CONSUMERS

This notice supplements the information contained in Toi Labs’ Privacy Policy and applies solely to all visitors, users, and others who reside in states within the U.S. with enhanced privacy notice requirements, such as California ("customers" or "you"), and who access Toi Labs’ Sites or Services.

Please be aware that in some instances where Toi Labs is acting as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), the U.S. state privacy rights outlined in this section may not apply. In those instances and subject to our HIPAA policies, Toi Labs may choose to offer self-serve tools that enable you to access and delete your personal data.

COLLECTION, USE, AND SHARING OF INFORMATION

When a customer interacts with Toi Labs’ Sites or Services, Toi Labs collects information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, device, or household ("personal information" or “personal data”).

CONSUMER RIGHTS

If you are a resident of a state with enhanced rights related to the personal information Toi Labs may process about you, you have certain rights:

  1. Right to know about the personal information we collect and share: U.S. State laws may give you the right to request that we disclose the personal information we have collected about you over the past 12 months, which we only provide after we receive and validate your request. Once we receive and confirm your verifiable request, we will disclose to you:

    1. The categories of personal information we collected about you;

    2. The categories of personal information we have disclosed about you (if any);

    3. The categories of sources for the personal information we collected about you;

    4. Our business or commercial purposes for collecting or selling that personal information;

    5. The categories of third parties with whom we share that personal information; and

    6. The specific pieces of personal information we collected about you.

  2. Right of correction: You have the right to request correction of your personal information. After we receive and validate your request, we will correct your personal information, unless an exception applies.

  3. Right of deletion: You have the right to request erasure of your personal information, subject to certain exceptions, such as when we have a legal obligation to retain the data in question. After we receive and validate your request, we will delete your personal information, as well as direct our service providers to delete your personal information unless an exception applies.

  4. How to make disclosure, access, correction, or deletion requests:
    If you reside in a state that provides for enhanced privacy rights, you can request disclosure, access to, correction, and/or deletion of your personal data as described above by submitting a verifiable consumer request to us by sending us an e-mail, including the following information along with your request: your full name, company name (if applicable), address, e-mail address, and a phone number. We may request that you provide additional information if necessary to confirm your identity. This is for security purposes, and is required by law in some cases.

Only you, or a person registered with the appropriate mechanism associated with your state of residency that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You have the right to make a free request up to two times in any 12-month period. We will respond to all validated requests within 45 days of receiving your request, unless we request an extension. In the event that we reasonably require an extension in order to respond to your request, we will notify you of any such extension within the initial 45-day period.

  1. Non-Discrimination

Toi Labs does not discriminate against users who request to exercise their privacy rights. Unless an exception applies, this includes our promise not to:

1. Deny you goods or services;

2. Charge you different prices or rates for goods or services, including granting discounts or other benefits, or imposing penalties;

3. Provide you a different level or quality of goods or services; or

4. Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

DATA SHARING AND TRANSFERS

PERSONAL DATA SHARING

Toi Labs does not sell or rent your personal information, and only shares your personal data with certain trusted service providers and partners so that we can provide and improve our services, to provide partner services and other offerings, and to operate our business. Whenever we share data with third-party service providers, we require that they use your information only for the purposes we've authorized, and for the limited reasons explained in this Policy. We also require these service providers to protect your personal information to at least the same standards that we do.

Like most companies, Toi Labs uses service providers for purposes such as:

  1. Providing and improving our online service platform;

  2. Storing our users' data;

  3. Providing customer services;

  4. Managing and organizing our marketing activities. Toi Labs only shares website usage data with our advertising network partners for the purposes of analyzing and optimizing our marketing. Toi Labs does not share Service data with third-party advertisers; and

  5. Analyzing information regarding the use of our Sites and Services to improve our service quality.

We use industry standard data protection measures to safeguard all international transfers of personal data through data protection agreements with our service providers. In certain limited cases, you may be asked for consent to share your Toi Labs user personal data with a third-party partner of your choice, such as a medical provider or health care insurer that you select. If you choose to do this, you should carefully review the third-party consent language and privacy notices that are available to you from the third-party, which will control the use of your personal data.

LEGAL FRAMEWORKS FOR INTERNATIONAL TRANSFERS

Toi Labs is a global company, and your personal data may at times be processed on servers located outside of the country where you live. Although data protection laws vary among countries, regardless of where your personal data is processed, we apply the same protections described in this Policy. We also comply with certain legal frameworks relating to the transfer of personal data, such as the frameworks described below.

If Toi Labs transfers personal information received under the Data Privacy Frameworks to a third-party, the third-party’s processing of the personal data must also be in compliance with our Data Privacy Frameworks obligations, and we will remain liable under the Data Privacy Frameworks for any failure to do so by the third-party, unless we prove we are not responsible for the event giving rise to the damage. Toi Labs is subject to the investigatory and enforcement powers of the US Federal Trade Commission. In certain situations, we may be required to disclose the personal information we process under the Data Privacy Frameworks in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

PERSONAL DATA DISCLOSURES

We also reserve the right to disclose personal data under certain specific circumstances, including:

  1. When we have your express consent to do so;

  2. When it is reasonably necessary for our legitimate interests in conducting our business, such as in the event of a merger, acquisition, or sale;

  3. To protect Toi Labs’ legal rights and property; and

  4. To comply with valid legal requirements. Toi Labs will oppose any request to provide legal authorities with access to user data for surveillance or prosecution purposes; we will notify users if we receive any such request, whenever legally permissible.

Otherwise, your personal data is never shared with any individual or other organization.

SAFEGUARDING YOUR DATA

Toi Labs uses technical and organizational safeguards to keep your data safe and secure. When appropriate, these safeguards include measures such as anonymization or pseudonymization of personal data, strict access control, and the use of encryption to protect the data we process.

Our personnel receive adequate training to ensure personal data is processed only in accordance with our internal policies, consistent with our obligations under applicable law. We also limit access to your sensitive personal data to personnel that have specifically been granted such access.

Online services that we provide via our Site protect your personal data in-transit using encryption and other security measures. We also regularly test our service, systems, and other assets for possible security vulnerabilities.

We update our Services regularly to protect your personal data. We recommend that you make sure that you always have the latest app and firmware versions installed in order to maximize protection of your data.


DATA RETENTION

The retention period for your personal data generally depends on the duration of your Toi Labs account lifecycle. Your personal data will be deleted when it is no longer needed for the purpose for which it was originally collected, unless we have a legal obligation to retain data for a longer period of time. For example, your measurement data regarding your sleep, readiness, and activity is stored only so long as your Toi Labs account is active.

Toi Labs also has legal obligations to retain certain personal data for a specific period of time, such as for tax purposes. These required retention periods may include, for example, accounting and tax requirements, legal claims, or for any other legal purposes. Please note that obligatory retention periods for personal data vary based on the relevant law.

If you wish, you may request deletion of your Oura account by contacting us.

USE OF COOKIES

We use cookies and various other technologies to collect and store analytics and other information when customers use our Site, as well as for personalization and advertising purposes. The cookies we use include both first-party and third-party cookies.

Cookies are small text files sent to and saved on your device that allow us to identify visitors to our Site, facilitate the use of our Site, and create aggregate information about our visitors. This helps us to improve our service and better serve our customers, and will not harm your device or files. We use cookies and similar technologies to tailor our Site and the information we provide in accordance with the individual interests of our customers. Cookies are also used for tracking your browsing habits and for targeting and optimizing advertising, both on our Site as well as on other sites you may visit. We also use cookies and similar technologies for integrating our social media accounts on our Site.

YOUR RIGHTS AS A DATA SUBJECT

Whenever Toi Labs processes your personal data, you have certain rights that enable you to control how your personal data is being processed. This section provides you with information about each of those rights. If you wish to exercise your rights as a data subject, please contact us with your request to do so.

  1. Right to access data

You have the right to know what personal data is processed about you. You may contact us to request access to the personal data we have collected about you, and we will confirm whether we are processing your data, and provide you with information about the personal data we have collected and processed.

  2. Right to erasure

You have the right to request the deletion of your personal data in certain circumstances. We will comply with such requests unless we have a valid legal basis not to do so, or a legal obligation to preserve the data.

  3. Right to rectification (of inaccurate data)

You have the right to request correction of any incorrect or incomplete personal data we have stored about you.

  4. Right to data portability

You have the right to request receipt of the personal data you have provided to us in a structured and commonly used format. The right to data portability only applies when we process your personal data for certain reasons, such as by contract or by your consent.

  5. Right to object to processing

You have the right to object to the processing of your personal data under certain circumstances. In the event that we do not have legitimate grounds to continue processing such personal data, we will no longer process your personal data after we have received and verified your objection. You also have the right to object to the processing of your personal data for direct marketing purposes at any time.

  6. Right to restrict processing

You have the right to request that we restrict processing some types of personal data under certain circumstances. For example, if you contest the accuracy of your data, you can make a restriction request that we do not process your data until Toi Labs has verified the accuracy of your data.

  7. Right to withdraw consent

If we have requested your consent in order to process your personal data, you have the right to withdraw your consent for such processing at any time where this right is provided by local law. It should be noted, however, that withdrawing your consent may lead to issues or restrictions on your ability to fully utilize our Services.

Toi Labs strives to address your privacy concerns. If you have contacted us about your issue and are still unhappy with our response, subject to applicable law, you may contact your local supervisory authority regarding your issue. However, we urge you to first contact us so that we can more quickly resolve your issue before escalating the issue.

If you have a question or complaint about our handling of your personal information under the Data Privacy Frameworks, please contact us.

Please read the section in this Policy titled “U.S. STATES WITH ENHANCED PRIVACY REQUIREMENTS” if you are a resident of a U.S. state that provides enhanced privacy requirements and you would like to know more about your rights under those laws.

CONTROLLER CONTACT INFORMATION

Toi Labs Inc. is the data controller of user personal data processed for marketing purposes. Please find our contact details below:

Toi Labs Inc.
Address: 1960 Folsom Street, San Francisco, CA 94103, United States
Data Protection Officer: legal@toilabs.com

CHANGES TO THIS PRIVACY NOTICE

We reserve the right to update this Policy from time to time at our sole discretion. We strive to let you know about any material changes by notifying you on our Site or by sending you an email or push notification. If you keep using our Sites or Services after a change to this Policy, your continued use means that you accept any such changes.

In the case of any conflict between the English language version and translations in other languages, the English language will control, unless and except as required by applicable local law.