Privacy Policy

Experimental Nature and Risk Disclosure

This is an experimental service. Reports are automatically generated and may contain errors, inaccuracies, or incomplete data. Do not rely on them for health decisions. The system is under active development and is not a finalized product. You understand that health metrics may be misrepresented or misinterpreted. We make no guarantees as to the accuracy of the insights derived from raw Oura data.

Data Collection

We collect and store the following data:

  • Account Information: Your email address for account authentication
  • OAuth Credentials: OAuth tokens for accessing your Oura account (stored securely, encrypted)
  • Health-Related Data from Oura Ring:
    • Sleep data: duration, efficiency, latency, REM sleep percentage, deep sleep percentage, light sleep percentage, time in bed
    • Heart rate data: resting heart rate, lowest night-time heart rate, heart rate variability (HRV)
    • Activity data: steps, active calories, sedentary time
    • Oxygenation data: SpO2 (blood oxygen saturation) levels, breathing disturbance index
    • Temperature data: body temperature deviations
    • Stress indicators: high stress days
    • Readiness scores and related metrics
  • Generated Reports: PDF reports containing your health metrics and analysis
  • Report Metadata: Report titles, dates, and saved report preferences

We collect this data through OAuth2 authorization with your Oura account. You control access through your Oura account settings and can revoke access at any time.

OAuth Authorization

We use OAuth2 to securely connect to your Oura account. You can revoke access at any time through your Oura account settings. We only request the minimal scopes needed to generate your lab-style reports.

Cookies and Similar Technologies

We use cookies and similar technologies to provide and secure our service. Cookies are small text files stored on your device that help us authenticate you and maintain your session.

Types of Cookies We Use:

  • Essential Authentication Cookies: These cookies are necessary for the service to function and enable you to log in and maintain your session. They are set by our authentication provider (Supabase) and are required for the service to work. These cookies are typically set with the HttpOnly and Secure flags, so page JavaScript cannot read them and, in production, they are sent only over HTTPS.
  • OAuth Security Cookies: We use a temporary cookie to store a random OAuth state value during the Oura account connection process. When Oura redirects you back to us, the state parameter in that callback must match the value in this cookie; a callback that does not match is rejected. This protects the connection flow against cross-site request forgery (CSRF). The cookie is HttpOnly and Secure, and expires after 10 minutes.
  • PKCE Code Verifier Cookies: During the authentication process, we store a code verifier in a cookie as part of the OAuth PKCE (Proof Key for Code Exchange) flow. Only a hash of the verifier (the code challenge) is sent in the authorization request; the verifier itself is presented when the authorization code is exchanged for tokens, so an intercepted code cannot be redeemed without it. This is automatically managed by our authentication provider.

Cookie Settings: All cookies we use are essential for the service to function. You cannot disable these cookies without breaking the service functionality. If you do not wish to accept cookies, you should not use this service.

Third-Party Cookies: Our authentication provider (Supabase) may set additional cookies as part of their authentication service. These are governed by Supabase's privacy policy. We do not use third-party advertising or tracking cookies.

Cookie Duration: Authentication cookies persist for the duration of your session and may be stored for longer periods to maintain your login state. OAuth state cookies expire after 10 minutes or when the OAuth flow completes. You can clear all cookies by logging out or clearing your browser cookies.

Data Usage

Your data is used solely to generate lab-style reports. We do not sell, share, or use your data for advertising purposes. We practice data minimization, only collecting what is necessary for the service.

Third-Party Services: We use the following third-party services:

  • Supabase: For database storage, authentication, and file storage. Supabase processes your data according to their privacy policy and security standards.
  • Oura API: We access your Oura data through Oura's official API. Oura may collect usage data related to API access as described in their privacy policy.
  • Vercel: For hosting and deployment. Vercel may process request logs and metadata but does not have access to your health data.

No Analytics or Tracking: We do not use analytics services, tracking pixels, or third-party advertising services. We do not share your data with data brokers or analytics companies.

Sensitive Data Handling: We do not infer, store, or process any diagnoses or mental health conditions. Data processed is limited to the metrics returned by the Oura API (sleep duration, heart rate, activity levels, etc.). We do not analyze, interpret, or draw conclusions about your health status beyond presenting those metrics, together with simple summary statistics such as 7-day averages and 30-day reference ranges, in a formatted report. Stress indicators and sleep-related data are processed as numerical metrics only, without any diagnostic or clinical interpretation.

Data Processing, Storage, and Protection

Processing: Your health data is processed to:

  • Calculate 7-day averages and 30-day reference ranges for metrics
  • Generate formatted lab-style reports
  • Store historical data for report generation

AI and Automated Processing: Some parts of report generation may involve automated analysis or AI-assisted summarization. No part of this process involves medical review or professional oversight. All calculations, formatting, and data presentation are automated and have not been reviewed or verified by medical professionals.

Storage: All data is stored securely using Supabase, a SOC 2 Type II certified platform. Data is stored in encrypted databases with the following protections:

  • OAuth tokens are encrypted and stored server-side only (never exposed to client)
  • Health metrics are stored in a private database with row-level security (RLS) policies
  • PDF reports are stored in private, encrypted storage buckets
  • All data is encrypted at rest and in transit

Protection: We implement industry-standard security measures including:

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Row-level security policies ensuring users can only access their own data
  • Secure authentication via Supabase Auth
  • Regular security updates and monitoring

Data Deletion and Your Rights

Right to Deletion: You can request deletion of your account and all associated data at any time. This includes:

  • All health metrics and daily data
  • OAuth tokens and connection data
  • Generated PDF reports
  • Account information and email address

How to Delete: You can delete your data in any of the following ways:

  • Use the "Delete All Data" feature in the app dashboard
  • Use the "Delete Account" feature to remove your entire account
  • Contact us at info@simplewearablereport.com to request deletion

Data Export: You can export all your data in JSON format using the "Export All Data (GDPR)" feature in the app before deletion.

Processing Time: Deletion requests are processed immediately. Backups may be retained for up to 30 days for disaster recovery purposes, after which they are permanently deleted.

Disclaimers

Informational only. Not medical advice. This service provides formatted reports of your Oura data for informational purposes only. It is not intended to diagnose, treat, or prevent any medical condition.

Health Data Risk Disclaimer: We disclaim liability for any consequences resulting from inaccurate or misinterpreted health metrics. The information provided is informational only and must not be used to make medical or health-related decisions.

Not affiliated with Oura. This service is not affiliated with, endorsed by, or sponsored by Oura.

Oura Usage Data Collection

Oura may collect certain usage data and information related to your use of the Oura API Materials and Oura Platform in connection with this application. Oura may use such usage data for any business purpose, internal or external, including providing enhancements to the Oura API Materials or Oura Platform, providing developer or user support, or otherwise.

GDPR and Data Protection Rights

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with similar data protection laws, you have the following rights:

  • Right to Access: You can request a copy of all personal data we hold about you
  • Right to Rectification: You can request correction of inaccurate data
  • Right to Erasure: You can request deletion of your data (as described above)
  • Right to Data Portability: You can export your data in a machine-readable format
  • Right to Object: You can object to processing of your data
  • Right to Restrict Processing: You can request we limit how we process your data

Legal Basis for Processing: We process your health data based on your explicit consent, which you provide when connecting your Oura account. By connecting your Oura account, you explicitly consent to the collection, processing, and storage of your health-related data as described herein, solely for the purpose of generating personal reports. You can withdraw consent at any time by disconnecting your Oura account or deleting your data.

Data Retention: We retain your data only as long as necessary to provide the service. You can request deletion at any time; deletion from live systems is immediate, and any residual backup copies are removed within 30 days.

Data Transfers: Your data may be processed and stored on servers located outside the EEA (including the United States). Such transfers rely on the safeguards maintained by our hosting and storage provider, Supabase, under its data protection terms.

HIPAA Compliance

This service is not HIPAA-compliant. We are not a covered entity or business associate under HIPAA. If you require HIPAA-compliant health data processing, you should not use this service. We do not enter into Business Associate Agreements (BAAs).

Data Sharing with Oura

We do not share data with Oura unless required by the functioning of the API. You control your data sharing through OAuth, and we do not independently transmit your personal health data to third parties outside those necessary to deliver the service (Supabase for storage, Vercel for hosting).

When you connect your Oura account via OAuth, Oura may collect certain usage data and information related to your use of the Oura API in connection with this application, as described in Oura's privacy policy. This data sharing is controlled by your OAuth authorization, which you can revoke at any time through your Oura account settings.

If our use of the Oura API Materials or Personal Data requires or will likely result in the provision of Personal Data directly to Oura, we have obtained all necessary consents and authorizations from you to provide such Personal Data to Oura. Oura will treat Personal Data obtained from us through our use of the Oura API Materials in accordance with Oura's then-current Privacy Policy.

Contact

If you have questions about this privacy policy or data handling, please contact us at:

Email: info@simplewearablereport.com

Website: https://simplewearablereport.com