Privacy Policy

Last updated: February 15, 2026

Experimental Nature and Risk Disclosure

This is an experimental service. Reports are automatically generated and may contain errors, inaccuracies, or incomplete data. Do not rely on them for health decisions. The system is under active development and is not a finalized product. You understand that health metrics may be misrepresented or misinterpreted. We make no guarantees as to the accuracy of the insights derived from raw Oura data.

Age Requirement and Children's Privacy

This service is intended for users who are at least 16 years old. We do not knowingly collect, use, or disclose personal information from individuals under 16 years of age. By using this service, you confirm that you are at least 16 years old.

If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information as quickly as possible. If you believe we have inadvertently collected information from a child under 16, please contact us at michele@remics.tech.

Data Collection

We collect and store the following data:

  • Account Information: Your email address for account authentication
  • OAuth Credentials: OAuth tokens for accessing your Oura account (stored securely, encrypted)
  • Health-Related Data from Oura Ring:
    • Sleep data: duration, efficiency, latency, REM sleep percentage, deep sleep percentage, light sleep percentage, time in bed
    • Heart rate data: resting heart rate, lowest night-time heart rate, heart rate variability (HRV)
    • Activity data: steps, active calories, sedentary time
    • Oxygenation data: SpO2 (blood oxygen saturation) levels, breathing disturbance index
    • Temperature data: body temperature deviations
    • Stress indicators: high stress days
    • Readiness scores and related metrics
    • Respiratory rate (breathing rate during sleep)
    • Cardiovascular age estimates
    • Menstrual cycle data (if cycle tracking is enabled in your Oura app)
  • Generated Reports: Reports containing your health metrics and analysis
  • Report Metadata: Report titles, dates, and saved report preferences

We collect this data through OAuth2 authorization with your Oura account. You control access through your Oura account settings and can revoke access at any time.

OAuth Authorization

We use OAuth2 to securely connect to your Oura account. You can revoke access at any time through your Oura account settings. We only request the minimal scopes needed to generate your health summaries.

OAuth Scopes We Request:

  • daily: Daily health summaries (sleep, activity, readiness)
  • personal: Age, sex, weight for report context
  • heartrate: Heart rate and HRV data
  • workout: Workout and exercise data
  • session: Session data (e.g., meditation, breathing)
  • tag: User tags associated with daily entries
  • spo2: Blood oxygen saturation data
  • stress: Stress metrics

We only request what's needed to generate your reports.

Purpose and Legal Basis for Processing

We process personal data only for specific, explicit purposes and on the legal bases listed below.

  • Account authentication and access: To create and secure your account and keep you signed in. Legal basis: GDPR Art. 6(1)(b) (performance of a contract).
  • Wearable connection and data sync: To connect to Oura, fetch your wearable metrics, and show them in your dashboard and reports. Legal basis: GDPR Art. 6(1)(a) and Art. 9(2)(a) (explicit consent).
  • Report generation and storage: To generate and save health summaries that you request. Legal basis: GDPR Art. 6(1)(b) (performance of a contract).
  • Weekly newsletter (optional): To send your weekly summary when you opt in. Legal basis: GDPR Art. 6(1)(a) (consent).
  • Security, fraud prevention, and compliance logging: To protect accounts, investigate incidents, and meet legal obligations. Legal basis: GDPR Art. 6(1)(c) (legal obligation) and Art. 6(1)(f) (legitimate interests in service security and integrity).
  • Analytics: Vercel Analytics for anonymized/aggregated service usage and Google Analytics only if you accept analytics cookies. Legal basis: GDPR Art. 6(1)(f) (legitimate interests) for Vercel Analytics and Art. 6(1)(a) (consent) for Google Analytics.
  • AI platform integration (MCP): To provide your data to a platform you explicitly authorize. Legal basis: GDPR Art. 6(1)(a) and Art. 9(2)(a) (explicit consent).
  • Service announcements (infrequent): To inform existing users about significant new features or service improvements. These are infrequent, non-recurring communications. Legal basis: GDPR Art. 6(1)(f) (legitimate interests in keeping users informed about the service they use).

Cookies and Similar Technologies

We use cookies and similar technologies to provide and secure our service. Cookies are small text files stored on your device that help us authenticate you and maintain your session.

Types of Cookies We Use:

  • Essential Authentication Cookies: These cookies are necessary for the service to function and enable you to log in and maintain your session. They are set by our authentication provider (Supabase) and are required for the service to work. These cookies are essential for authentication and may be set with security attributes such as Secure and SameSite (and, where supported by the authentication flow, HttpOnly).
  • OAuth Security Cookies: We use a temporary cookie to store OAuth state information during the Oura account connection process. This cookie is used for security purposes to prevent cross-site request forgery (CSRF) attacks. It is set with the HttpOnly and Secure attributes and expires after 10 minutes.
  • PKCE Code Verifier Cookies: During the authentication process, we store a code verifier in cookies as part of the OAuth PKCE (Proof Key for Code Exchange) flow for enhanced security. This is automatically managed by our authentication provider.

Cookie Settings: All cookies we use are essential for the service to function. You cannot disable these cookies without breaking the service functionality. If you do not wish to accept cookies, you should not use this service.

Third-Party Cookies: Our authentication provider (Supabase) may set additional cookies as part of their authentication service. These are governed by Supabase's privacy policy. If you accept analytics cookies, Google Analytics may also set cookies (such as _ga) to distinguish users and track sessions. These cookies are only set after you accept non-essential cookies via our cookie banner. We do not use third-party advertising or tracking cookies.

Cookie Duration: Authentication cookies persist for the duration of your session and may be stored for longer periods to maintain your login state. OAuth state cookies expire after 10 minutes or when the OAuth flow completes. You can clear all cookies by logging out or clearing your browser cookies.

Data Usage

Your data is used solely to generate health summaries. We do not sell, share, or use your data for advertising purposes. We practice data minimization, only collecting what is necessary for the service.

Third-Party Services: We use the following third-party services:

  • Supabase: For database storage, authentication, and file storage. Supabase processes your data according to their privacy policy and security standards.
  • Oura API: We access your Oura data through Oura's official API. Oura may collect usage data related to API access as described in their privacy policy.
  • Vercel: For hosting and deployment. Vercel may process request logs and metadata but does not have access to your health data.
  • Resend: For transactional email delivery (magic link authentication and weekly newsletter). Resend processes your email address solely for email delivery.
  • Upstash: For job queue processing (newsletter delivery scheduling). Upstash processes job metadata but does not store your health data.
  • Anthropic: For AI-generated newsletter highlights. When you subscribe to the weekly newsletter, aggregated weekly health metric summaries (averages only, no raw daily data or personal identifiers) are sent to Anthropic's API to generate a personalized highlight sentence. No data is retained by Anthropic after processing.
  • Google Analytics: For website analytics (consent-based). See the Analytics section below for details on data collection and opt-out options.
  • MCP-Compatible AI Platforms: If you authorize an AI assistant (such as ChatGPT, Claude, or Codex) to access your data via MCP (Model Context Protocol), your health metrics and reports are transmitted to that platform. See the "AI Platform Integration (MCP)" section below for details.

Analytics: We use analytics services to understand how visitors use our site:

  • Vercel Analytics: Collects anonymized, aggregated data such as page views, browser type, and general geographic region. No personally identifiable information is collected.
  • Google Analytics: When you accept analytics cookies, we use Google Analytics to collect anonymized usage data including page views, session duration, and approximate geographic location. We have enabled IP anonymization. Google Analytics may set cookies (such as _ga) to distinguish users and track sessions. Google processes this data according to their Privacy Policy.

Opt-out options: You can reject analytics cookies via our cookie banner, change your preferences at any time using the button below, or use the Google Analytics Opt-out Browser Add-on. Rejecting or withdrawing consent stops future tracking; existing cookies may persist until your browser clears them. We do not use tracking pixels or third-party advertising services.

Sensitive Data Handling: We do not infer, store, or process any diagnoses or mental health conditions. Data processed is limited to raw metrics from the Oura API (sleep duration, heart rate, activity levels, etc.). We do not analyze, interpret, or draw conclusions about your health status beyond presenting the raw metrics in a formatted report. Stress indicators and sleep-related data are processed as numerical metrics only, without any diagnostic or clinical interpretation.

Weekly Newsletter

If you opt in to our weekly newsletter via your account settings:

  • Purpose: We send a weekly health summary email every Monday containing your key health metrics from the past week.
  • Email Usage: Your email address is used solely for delivering the newsletter and is not shared with third parties for marketing purposes.
  • Delivery Tracking: We track newsletter delivery status to ensure successful delivery and to troubleshoot any issues.
  • AI-Generated Highlights: Each newsletter may include a short personalized highlight sentence generated by an AI model (Anthropic Claude). Only aggregated weekly averages (e.g., average sleep duration, average heart rate) are sent to the AI — no raw daily data, email addresses, or personal identifiers are transmitted.
  • Opt-out: You can unsubscribe at any time via your account settings. Your preference is respected immediately.

Data Processing, Storage, and Protection

Processing: Your health data is processed to:

  • Calculate 7-day averages and 30-day reference ranges for metrics
  • Generate formatted health summaries
  • Store historical data for report generation

AI and Automated Processing: Some parts of report generation may involve automated analysis or AI-assisted summarization. No part of this process involves medical review or professional oversight. All calculations, formatting, and data presentation are automated and have not been reviewed or verified by medical professionals.

Storage: All data is stored securely using Supabase, a SOC 2 Type II certified platform. Data is stored in encrypted databases with the following protections:

  • OAuth tokens are encrypted and stored server-side only (never exposed to client)
  • Health metrics are stored in a private database with row-level security (RLS) policies
  • Reports are stored in private, encrypted storage buckets
  • All data is encrypted at rest and in transit

Protection: We implement industry-standard security measures including:

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Row-level security policies ensuring users can only access their own data
  • Secure authentication via Supabase Auth
  • Regular security updates and monitoring

Data Deletion and Your Rights

Right to Deletion: You can request deletion of your account and all associated data at any time. This includes:

  • All health metrics and daily data
  • OAuth tokens and connection data
  • Generated reports
  • Account information and email address

How to Delete: You can delete your data in two ways:

  • Use the "Delete All Data" feature in the app dashboard
  • Use the "Delete Account" feature to remove your entire account
  • Contact us at michele@remics.tech to request deletion

Data Export: You can export all your data in JSON format using the "Export All Data (GDPR)" feature in the app before deletion.

Processing Time: Deletion requests are processed immediately. Backups may be retained for up to 7 days for disaster recovery purposes, after which they are permanently deleted.

Disclaimers

Informational only. Not medical advice. This service provides formatted reports of your Oura data for informational purposes only. It is not intended to diagnose, treat, or prevent any medical condition.

Health Data Risk Disclaimer: We disclaim liability for any consequences resulting from inaccurate or misinterpreted health metrics. The information provided is informational only and must not be used to make medical or health-related decisions.

Not affiliated with Oura. This service is not affiliated with, endorsed by, or sponsored by Oura.

Oura API Agreement Compliance

This service operates in compliance with the Oura API Agreement. Key compliance points include:

  • Data Retention Limit: Oura health data is automatically deleted after 59 days (safety margin for Oura API Agreement Section 7 requirement).
  • No Data Sales: We never sell, license, lease, or share Oura Data with third parties, advertisers, or data brokers, even with user consent (prohibited by Section 2).
  • User Authorization: We only access your Oura data after you explicitly authorize the connection via OAuth.
  • Data Deletion on Disconnect: When you disconnect your Oura account, all Oura-sourced data is immediately and permanently deleted.
  • Security Measures: We implement appropriate administrative, technical, and physical measures as described in GDPR Article 32(1) to protect your data.
  • Breach Notification: We will notify Oura within 24 hours of discovering any security breach involving Oura Data.
  • User Data Access: You can access, export, and delete your data at any time through the application dashboard.

Oura Usage Data Collection

Oura may collect certain use data and information related to your use of the Oura API Materials and Oura Platform in connection with this application. Oura may use such Usage Data for any business purpose, internal or external, including providing enhancements to the Oura API Materials or Oura Platform, providing developer or user support, or otherwise.

Your Data Protection Rights

Under the EU General Data Protection Regulation (GDPR), UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), and other applicable data protection laws, you have the following rights:

  • Right to Access: You can request a copy of all personal data we hold about you
  • Right to Rectification: You can request correction of inaccurate data
  • Right to Erasure: You can request deletion of your data (as described above)
  • Right to Data Portability: You can export your data in a machine-readable format
  • Right to Object: You can object to processing of your data
  • Right to Restrict Processing: You can request we limit how we process your data
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority (data protection authority) in your country of residence if you believe your data protection rights have been violated

Legal Basis for Processing: We process your health data based on your explicit consent, which you provide when connecting your Oura account. By connecting your Oura account, you explicitly consent to the collection, processing, and storage of your health-related data as described herein, solely for the purpose of generating personal reports. You can withdraw consent at any time by disconnecting your Oura account or deleting your data.

International Data Transfers: Your data is transferred from the UAE to the United States for processing and storage. We ensure appropriate safeguards are in place through Data Processing Agreements (DPAs) incorporating Standard Contractual Clauses (SCCs) with each processor:

  • Supabase (database, authentication, storage) — US (AWS us-east-1)
  • Vercel (hosting, analytics) — US
  • Resend (email delivery) — US
  • Upstash (job queue, rate limiting) — US
  • Google (analytics, consent-based only) — US
  • Anthropic (AI newsletter highlights, aggregated data only) — US

By using this service, you explicitly consent to the transfer of your personal data, including health data, to the United States as described above, in accordance with GDPR Chapter V and UAE PDPL Article 22.

UK Users: If you are located in the United Kingdom, UK GDPR may apply. We do not currently target UK users specifically; if UK representation becomes required, we will update this policy accordingly.

Data Retention Policy

In compliance with the Oura API Agreement and GDPR data minimization principles, we enforce the following data retention limits:

  • Oura Health Data: Daily health metrics (sleep, activity, heart rate, etc.) are automatically deleted after 59 days (safety margin for Oura API Agreement Section 7).
  • Generated Reports: Reports you save are retained until you delete them or delete your account.
  • Account Data: Your account information is retained until you delete your account.
  • Backup Retention: Backups may be retained for up to 7 days for disaster recovery purposes, after which they are permanently deleted.

Automatic Cleanup: We run automated data retention processes daily to ensure compliance with the 59-day limit for Oura data. You do not need to take any action for this cleanup to occur.

Data Deletion on Disconnect: When you disconnect your Oura account from this service, all Oura-sourced data (health metrics, personal profile information, and OAuth tokens) is immediately and permanently deleted in compliance with the Oura API Agreement.

Security Breach Notification

We take data security seriously and have implemented appropriate technical and organizational measures to protect your data. In the event of a security breach:

  • Oura Notification: We will notify Oura within 24 hours of discovering any security breach involving Oura Data, as required by the Oura API Agreement Section 2.6.
  • User Notification: We will notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
  • Supervisory Authority: We will notify the relevant data protection supervisory authority within 72 hours as required by GDPR Article 33.
  • Documentation: We maintain records of any personal data breaches, including the facts, effects, and remedial actions taken.

Security Measures: We implement commercially reasonable and appropriate administrative, technical, and physical measures in accordance with GDPR Article 32(1), including:

  • Encryption of data at rest and in transit (TLS 1.2+)
  • Row-level security policies ensuring data isolation between users
  • Secure OAuth 2.0 with PKCE for Oura authentication
  • Server-side token storage (never exposed to client)
  • Regular security monitoring and access logging

HIPAA Compliance

This service is not HIPAA-compliant. We are not a covered entity or business associate under HIPAA. If you require HIPAA-compliant health data processing, you should not use this service. We do not enter into Business Associate Agreements (BAAs).

Data Sharing with Oura

We do not share data with Oura unless required by the functioning of the API. You control your data sharing through OAuth, and we do not independently transmit your personal health data to third parties outside those necessary to deliver the service (Supabase for storage, Vercel for hosting).

When you connect your Oura account via OAuth, Oura may collect certain usage data and information related to your use of the Oura API in connection with this application, as described in Oura's privacy policy. This data sharing is controlled by your OAuth authorization, which you can revoke at any time through your Oura account settings.

If our use of the Oura API Materials or Personal Data requires or will likely result in the provision of Personal Data directly to Oura, we have obtained all necessary consents and authorizations from you to provide such Personal Data to Oura. Oura will treat Personal Data obtained from us through our use of the Oura API Materials in accordance with Oura's then-current Privacy Policy.

AI Platform Integration (MCP)

This service supports MCP (Model Context Protocol), an open standard that allows AI assistants to access your data with your permission. MCP-compatible platforms include ChatGPT, Claude, Codex, and other AI tools that implement the protocol.

How it works:

  • User-initiated only: No AI platform can access your data unless you explicitly authorize it through an explicit connection/authorization step for each MCP client or platform you choose to use.
  • What is shared: When you use an AI assistant with this service, the following data may be transmitted to that platform: health metrics (sleep, heart rate, HRV, activity, SpO2, temperature, stress), generated health reports, wearable connection status, and sync results.
  • No automatic sharing: Data is only transmitted in response to your direct requests within the AI assistant. We do not proactively send data to any AI platform.
  • Revocation: You can revoke an AI platform's access at any time. Revoking access stops all future data transmission to that platform.
  • Third-party policies: Each AI platform has its own privacy policy governing how they handle data received via MCP. We are not responsible for how AI platforms process, store, or use your data after it is transmitted to them.

Legal Basis: Processing is based on your explicit consent (GDPR Art. 6(1)(a) and Art. 9(2)(a)), which you provide when authorizing an AI platform to access your data.

Data Controller

The data controller for this service is:

Remics Software Technologies - FZCO
DSO-IFZA, IFZA Properties, Dubai Silicon Oasis
United Arab Emirates
Email: michele@remics.tech

Data Protection Contact

For any questions or requests regarding the processing of your personal data, please contact:

Michele Rexha (Director)
Remics Software Technologies - FZCO
DSO-IFZA, IFZA Properties, Dubai Silicon Oasis, United Arab Emirates
Email: michele@remics.tech
Tel: +971 58 505 9465

EU Representative (GDPR Article 27)

In accordance with GDPR Article 27, we have appointed the following representative in the European Union:

Instant EU GDPR Representative Ltd
Contact: Adam Brogden
Office 2, 12A Lower Main Street, Lucan
Co. Dublin K78 X5P8, Ireland
Tel: +353 015 549 700
Email: contact@gdprlocal.com
Web: www.gdprlocal.com

EU residents may submit privacy-related requests via: Privacy Request Submission Page

Contact

If you have questions about this privacy policy or data handling, please contact us at:

Email: michele@remics.tech

Website: https://simplewearablereport.com

Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our processing practices, product features, processors, or legal requirements.

We keep our privacy notice under regular review to make sure it is up to date and accurate.

For material changes, we will provide prominent notice (such as email and/or an in-app notice, where reasonably possible) before changes take effect. Minor updates (for example, clarifications or contact detail updates) may become effective when posted on this page. The date at the top of this notice shows when it was last updated.