Privacy Policy

Effective Date: 10 October 2025

Last Updated: 10 October 2025

1. Introduction

SPN Health Ltd ("we", "us", "our", or "Company") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use SPNsync ("the Service").


Company Details:

  • Company Name: SPN Health Ltd

  • Registered Address: Bartle House, Manchester, M2 3WQ, United Kingdom

  • Contact Email: jack@spn.health

  • Data Controller: SPN Health Ltd acts as the Data Controller for your account and contact information. For health data obtained from your Oura Ring via Oura's API, we act as a Data Processor on your behalf

This Privacy Policy should be read in conjunction with our Terms and Conditions. By using SPNsync, you agree to the practices described in this Privacy Policy.

1.1 Who This Policy Applies To

This Privacy Policy applies to:

  • All users of SPNsync, regardless of location

  • Visitors to our website and landing pages

  • Anyone who provides personal information to us

1.2 Our Commitment

We are committed to:

  • Transparency about how we handle your data

  • Giving you control over your personal information

  • Protecting your sensitive health data

  • Complying with UK GDPR and applicable data protection laws

  • Respecting your privacy rights

2. Information We Collect

2.1 Personal Information You Provide

When you register for and use SPNsync, we collect:

Account Information:

  • Full name

  • Email address

  • Country of residence


Oura Ring Connection:

  • Authorization to access your Oura Ring data through Oura's API

  • Oura account identifier (not your password)


Explicit Consent for Health Data: By creating an account and using SPNsync, you explicitly consent to our processing of your health data obtained from your Oura Ring. This consent is required under Article 9 of UK GDPR as health data is classified as special category personal data.

2.2 Health and Biometric Data from Oura Ring

When you connect your Oura Ring, we access and process:

  • Sleep data (duration, stages, quality, patterns)

  • Activity data (steps, movement, exercise)

  • Heart rate and heart rate variability

  • Body temperature

  • Respiratory rate

  • Readiness and recovery scores

  • Any other metrics available through the Oura API


Important: We only access this data with your explicit consent and authorization through Oura's official API.

2.3 Automatically Collected Information

Technical Data:

  • IP address

  • Browser type and version

  • Device type and operating system

  • Time zone and location data

  • Usage data (features used, time spent, interactions)


Website Analytics (Landing Page Only):

  • We use PostHog analytics on our landing page to understand visitor behavior

  • Cookie identifiers and session data

  • Referring website information

  • Pages viewed and navigation patterns


Application Analytics:

  • We use PostHog within the SPNsync application to optimize user interface and experience

  • Usage patterns and feature interaction data

  • Error logs and performance metrics

2.4 Cookies and Tracking Technologies

Landing Page: We use cookies and similar tracking technologies on our landing page, including:

  • Essential Cookies: Required for website functionality

  • Analytics Cookies: PostHog analytics to understand visitor behavior

  • Marketing Cookies: We may use advertising pixels (such as Facebook Pixel, Google Ads) for marketing purposes


You can control cookie preferences through your browser settings. However, disabling certain cookies may limit website functionality.


Within SPNsync Application: We use PostHog analytics within the application to optimize user experience and understand feature usage. This helps us improve the product and identify technical issues.

For more information about cookies and how to manage them, visit www.allaboutcookies.org.

2.5 Information We Do NOT Collect

  • Payment card information (the Service is currently free)

  • Social security numbers or government ID numbers

  • Precise real-time location tracking

  • Any data from your Oura Ring without your explicit authorization

3. How We Use Your Information

3.1 Primary Purposes

We use your personal data to:

Provide the Service:

  • Generate AI-powered health insights and analysis

  • Display your Oura Ring data overview and historical trends

  • Identify areas for improvement in Sleep, Psychology, Activity, and Nutrition

  • Deliver personalized recommendations based on your health patterns over time

  • Enable progress tracking and comparative analysis

  • Store your health data and insights for your ongoing access through your account


Service Administration:

  • Create and manage your account

  • Authenticate your identity

  • Respond to your inquiries and support requests

  • Send service-related notifications (e.g., analysis completion, technical issues)


Communications:

  • Send product updates and feature announcements (with consent)

  • Send marketing communications about SPNsync (with explicit consent)

  • Notify you of important changes to our Terms or Privacy Policy

3.2 Analytics and Improvement

We use your data to:

  • Understand how users interact with SPNsync

  • Optimize user interface and experience

  • Identify and fix technical issues

  • Improve our AI algorithms and analysis quality

  • Conduct internal research and development

3.3 Legal Compliance

We may use your information to:

  • Comply with legal obligations and regulatory requirements

  • Respond to lawful requests from authorities

  • Enforce our Terms and Conditions

  • Protect our rights, property, and safety

  • Prevent fraud and abuse

3.4 Future Uses

Research and Development: We may use anonymised, aggregated data (that cannot identify you individually) for:

  • Healthcare and wellness research

  • Scientific publications and presentations

  • Partnerships with academic or research institutions

  • Industry reports and insights


AI Model Training: We may use anonymised data to train and improve our own AI models for future service enhancements. This data will never include personally identifiable information or information that could be traced back to you.

3.5 Legal Basis for Processing (UK GDPR)

We process your personal data under the following legal bases:

  • Explicit Consent (Article 9): For processing your health data from your Oura Ring, which constitutes special category data under UK GDPR. You provide explicit consent when you create your account and connect your Oura Ring

  • Consent: For marketing communications and certain analytics

  • Contractual Necessity: To provide the Service you requested, including storing your health data and insights for your ongoing access

  • Legitimate Interest: For improving the Service, security, and business operations

  • Legal Obligation: To comply with applicable laws and regulations

4. How We Share Your Information

4.1 Third-Party Service Providers

We share your data with trusted third-party service providers who assist us in operating SPNsync:

AI Processing Services:

  • OpenAI: For AI-powered analysis and insights (servers may be located in the United States)

  • Anthropic: For AI-powered analysis and insights (servers may be located in the United States)

  • Important: We send only anonymized health metrics to these AI providers. We do NOT share your name, email address, or any information that would allow OpenAI or Anthropic to identify you personally. These providers process your health data solely to generate your analysis and are contractually required to comply with applicable data protection laws including UK GDPR. Data is encrypted in transit and deleted immediately after processing


Infrastructure Providers:

  • Google Cloud Platform: For hosting and data storage (servers located in London, UK)


Analytics Providers:

  • PostHog: For website and application analytics (used on both landing page and within the SPNsync application)


Oura Health:

  • We access your data through Oura's API but do not share your data back with Oura unless required by their API terms

4.2 Data Sharing Limitations

We DO NOT:

  • Sell your personal data to third parties

  • Rent your personal data to third parties

  • Share your identifiable health data with advertisers

  • Share your data with third parties for their own marketing purposes

  • Share your name, email, or any personally identifiable information with our AI providers (OpenAI and Anthropic)

4.3 Legal Requirements

We may disclose your information if required to:

  • Comply with legal obligations, court orders, or government requests

  • Enforce our Terms and Conditions or other agreements

  • Protect the rights, property, or safety of SPN Health Ltd, our users, or others

  • Prevent or investigate fraud, security issues, or illegal activities

4.4 Business Transfers

If SPN Health Ltd is involved in a merger, acquisition, sale of assets, or bankruptcy, your personal data may be transferred to the acquiring entity. We will notify you of any such change in ownership or control of your personal data.

4.5 Anonymized Data Sharing

We may share anonymized, aggregated data (that cannot identify you) with:

  • Research partners and academic institutions

  • Healthcare industry organizations

  • The public (e.g., in research publications or reports)


This anonymised data cannot be used to identify you personally.

5. International Data Transfers

5.1 Where Your Data is Processed

Your data may be transferred to and processed in:

  • United Kingdom: Primary data storage and application hosting via Google Cloud Platform (London)

  • United States: AI processing via OpenAI and Anthropic

  • Other Jurisdictions: As required by our service providers


These countries may have data protection laws that differ from those in your home country.

5.2 Safeguards for International Transfers

When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses approved by the UK ICO

  • Service providers' own privacy and security commitments

  • Compliance with UK GDPR requirements for international data transfers

5.3 Your Consent

By using SPNsync, you explicitly consent to the international transfer and processing of your data as described in this Privacy Policy.

5.4 US Users - HIPAA Notice

If you are a US resident, please note that SPNsync is NOT subject to the Health Insurance Portability and Accountability Act (HIPAA) and does not provide HIPAA-compliant services. Your health data is protected under this Privacy Policy and UK GDPR, but not under HIPAA.

5.5 EU/EEA Users

For users in the European Union or European Economic Area, we process your data in accordance with UK GDPR, which maintains adequacy with EU GDPR standards.

6. Data Retention and Deletion

6.1 Health Data from Oura Ring

Retention Purpose: We retain your Oura Ring health data for as long as you maintain an active account to enable:

  • Access to your historical health insights and analysis

  • Trend analysis and progress tracking over time

  • Personalised recommendations based on your historical patterns

  • Comparative analysis across different time periods


Data Minimisation: We only collect and retain the minimum data necessary to provide these features and historical analysis.


Storage Details:

  • Raw health metrics from your Oura Ring (sleep data, heart rate, activity levels, etc.)

  • AI-generated insights and analysis derived from your health data

  • Aggregated summaries and trend data

6.2 Account Inactivity and Automatic Deletion

If your account remains inactive (no login or access to the Service) for 6 consecutive months, we will automatically and permanently delete:

  • All of your health data from your Oura Ring

  • All AI-generated insights and analysis

  • All personal information (name, email, country)

  • All account information and history


This deletion is permanent and irreversible.

6.3 Personal Information (Name, Email, Country)

Retention Period: We retain your name, email address, and country for as long as you maintain an active account and for service-related communications.

Marketing Communications: If you have provided explicit consent for marketing communications, we will retain your contact information for marketing purposes until you withdraw consent.

Deletion Upon Request: You may request deletion of your personal information at any time (see Section 8 for instructions).

6.4 Technical Logs and Analytics Data

IP Addresses: Logged for security and technical purposes; typically retained for 90 days unless required for longer for security investigations.

Usage Analytics: Aggregated analytics data that cannot reasonably identify individual users may be retained indefinitely for service improvement purposes.

Error Logs: Retained for up to 12 months for debugging and service improvement.

6.5 Marketing Communications Data

If you have consented to marketing communications, we retain your email preferences until you withdraw consent or request deletion.

We retain records of your consent (but not your personal data) for 3 years after consent withdrawal for legal compliance and audit purposes.

6.6 Account Deletion Upon Request

When you request account deletion:

  • All of your health data from your Oura Ring will be permanently deleted

  • All AI-generated insights and analysis will be permanently deleted

  • Your personal information (name, email, country) will be deleted within 30 days

  • All account information and history will be permanently deleted

  • Backup systems will be purged according to our standard backup retention schedule (maximum 90 days)


This deletion is permanent and cannot be undone. After deletion, we cannot recover your data or insights.

Some anonymised analytics data that cannot reasonably identify you may be retained for statistical purposes.

6.7 Legal Retention Requirements

We may retain certain data longer if required by law, regulation, or to defend legal claims. For example, we retain records of consent for 3 years after withdrawal for compliance purposes.

7. Data Security

7.1 Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

Technical Safeguards:

  • Encryption of data in transit (TLS/SSL)

  • Encryption of data at rest

  • Secure access controls and authentication

  • Regular security assessments and vulnerability testing

  • Automated data deletion systems

  • Firewalls and intrusion detection systems


Organisational Safeguards:

  • Limited employee access to personal data (need-to-know basis)

  • Confidentiality agreements with staff and contractors

  • Regular security training for team members

  • Incident response procedures

  • Vendor security assessments

7.2 Third-Party Security

We require our third-party service providers (OpenAI, Anthropic, Google Cloud) to maintain appropriate security standards and comply with data protection laws.

7.3 No Guarantee of Absolute Security

While we strive to protect your personal data, no system is completely secure. We cannot guarantee absolute security of your information. You use SPNsync at your own risk.

7.4 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

  • We will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach (as required by UK GDPR)

  • We will notify affected users without undue delay

  • We will take immediate steps to mitigate the breach and prevent future incidents


If you believe your data has been compromised, please contact us immediately at jack@spn.health.

8. Your Privacy Rights

8.1 Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of Access: You can request a copy of the personal data and health data we hold about you.

Right to Rectification: You can request correction of inaccurate or incomplete personal data.

Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data and health data at any time.

Right to Restrict Processing: You can request that we limit how we use your personal data.

Right to Data Portability: You can request a copy of your health data and insights in a structured, machine-readable format (such as JSON or CSV).

Right to Object: You can object to our processing of your personal data based on legitimate interests.

Right to Withdraw Consent: You can withdraw consent for health data processing at any time without affecting the lawfulness of processing based on consent before its withdrawal. Withdrawing consent will result in deletion of your health data and termination of the Service, as we cannot provide personalized health insights without processing your health data.

Right to Lodge a Complaint: You can complain to the UK Information Commissioner's Office if you believe we've mishandled your data.

8.2 How to Exercise Your Rights

Submitting Requests: To exercise any of these rights, please email us at: jack@spn.health


Include in your request:

  • Your full name

  • The email address associated with your SPNsync account

  • A clear description of your request

  • Any relevant details to help us locate your data


Response Time: We will respond to your request within 30 days. If your request is complex, we may extend this period by an additional 30 days and will notify you of the extension.

Verification: We may request additional information to verify your identity before fulfilling your request to protect your data from unauthorized access.

No Fee: We will not charge a fee for your request unless it is manifestly unfounded, excessive, or repetitive.

8.3 Specific Actions You Can Take

Revoke Oura Ring Access: You can revoke SPNsync's access to your Oura Ring at any time through your Oura account settings.

Withdraw Consent for Health Data Processing: You can withdraw your consent for health data processing at any time by:

  • Deleting your account through your account settings (when available)

  • Contacting us at jack@spn.health

  • This will result in permanent deletion of all your health data and insights


Export Your Data: You can request a copy of your health data and AI-generated insights in a portable format (JSON or CSV) by contacting us at jack@spn.health.


Manage Email Preferences: You can manage your email communication preferences by:

  • Clicking "unsubscribe" in any marketing email we send

  • Contacting us at jack@spn.health

  • Adjusting preferences in your SPNsync account settings (when available)


Note: Even if you unsubscribe from marketing emails, we may still send you essential service-related communications.

Delete Your Account: Contact us at jack@spn.health to request full account deletion. All data will be permanently deleted within 30 days.

8.4 Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority:

UK Users:

  • Authority: UK Information Commissioner's Office (ICO)

  • Website: https://ico.org.uk

  • Phone: 0303 123 1113

  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF


Non-UK Users: If you are located outside the UK, you may also have the right to lodge a complaint with your local data protection authority.

9. Children's Privacy

9.1 Age Restriction

SPNsync is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 18.

9.2 Parental Notice

If you are a parent or guardian and believe your child under 18 has provided personal data to SPNsync, please contact us immediately at jack@spn.health. We will take steps to delete such information as quickly as possible.

9.3 Age Verification

By using SPNsync, you represent and warrant that you are at least 18 years old.

10. Marketing and Communications

10.1 Types of Communications

We may send you the following types of communications:

Service Communications (Non-Marketing):

  • Account creation confirmations

  • Analysis completion notifications

  • Service updates and important changes

  • Security alerts

  • Responses to your inquiries

  • Terms or Privacy Policy updates

These communications are essential to the Service and you cannot opt out of them while maintaining an active account.


Marketing Communications:

  • Product updates and new features

  • Tips for using SPNsync

  • Health and wellness content

  • Special offers or promotions (if applicable in the future)

  • Company news and announcements


You must provide explicit consent to receive marketing communications.

10.2 Consent and Opt-Out

Opt-In: We will only send you marketing communications if you have explicitly consented (checked a box, opted in).

Opt-Out: You can opt out of marketing communications at any time by:

  • Clicking "unsubscribe" in any marketing email

  • Emailing us at jack@spn.health with "Unsubscribe" in the subject line

  • Adjusting your email preferences in your account settings (when available)

Separate Preferences: You can opt out of marketing emails while still receiving essential service communications.

10.3 Third-Party Marketing

We do NOT share your email address or contact information with third parties for their marketing purposes.

11. Cookies and Tracking Technologies

11.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences and understand how you use the site.

11.2 How We Use Cookies

On Our Landing Page: We use cookies on our landing page for:

Essential Cookies:

  • Maintaining your session

  • Remembering your preferences

  • Ensuring website functionality


Analytics Cookies:

  • PostHog analytics to understand visitor behavior

  • Tracking page views, time on site, and navigation patterns

  • Helping us improve website design and content

  • We use analytics based on our legitimate interest in understanding and improving our service, balancing this with your privacy rights


Marketing/Advertising Cookies:

  • We may use advertising pixels (e.g., Facebook Pixel, Google Ads conversion tracking)

  • These help us measure the effectiveness of our marketing campaigns

  • They may track your visits across other websites


Within SPNsync Application: We use PostHog analytics within the application to optimize user experience and understand feature usage. This helps us improve the product and identify technical issues.

11.3 Managing Cookies

Browser Settings: You can control and delete cookies through your browser settings. Visit your browser's help section for instructions.

Opt-Out Tools:

  • PostHog: You can opt out of PostHog tracking by enabling "Do Not Track" in your browser

  • Advertising cookies: Use browser extensions or industry opt-out tools (e.g., Network Advertising Initiative opt-out)

Impact of Disabling Cookies: Disabling cookies may limit website functionality and your ability to use certain features.

11.4 Do Not Track

Some browsers have a "Do Not Track" (DNT) feature. We respect DNT signals for analytics cookies where technically feasible.

12. Third-Party Links and Services

12.1 External Links

SPNsync or our landing page may contain links to third-party websites (such as Oura's website). We are not responsible for the privacy practices or content of these external sites.

12.2 Third-Party Privacy Policies

We encourage you to read the privacy policies of any third-party services you interact with:

  • Oura Health: https://ouraring.com/privacy-policy

  • OpenAI: https://openai.com/privacy

  • Anthropic: https://www.anthropic.com/privacy

  • PostHog: https://posthog.com/privacy

12.3 No Control Over Third Parties

We do not control how third parties collect, use, or share your data. Your interactions with third-party services are governed by their own privacy policies.

13. Changes to This Privacy Policy

13.1 Right to Modify

We reserve the right to modify this Privacy Policy at any time to reflect changes in:

  • Our data practices

  • Legal or regulatory requirements

  • Service features or functionality

  • Business operations

13.2 Notification of Changes

If we make material changes to this Privacy Policy, we will notify you by:

  • Posting the updated Privacy Policy on our website with a new "Last Updated" date

  • Sending an email notification to your registered email address

  • Displaying a prominent notice within SPNsync

13.3 Acceptance of Changes

Your continued use of SPNsync after we post changes constitutes your acceptance of the updated Privacy Policy.

13.4 Material Changes

For material changes that significantly affect your rights, we may require you to actively consent to the changes before continuing to use the Service.

13.5 Reviewing Updates

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

13.6 Archived Versions

Previous versions of this Privacy Policy are available upon request. Contact us at jack@spn.health.

14. California Privacy Rights (CCPA) - For US Users

14.1 Applicability

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA).

14.2 Your CCPA Rights

California residents have the right to:

  • Know what personal information we collect, use, and disclose

  • Request deletion of personal information

  • Opt out of the "sale" of personal information (Note: We do NOT sell your personal information)

  • Non-discrimination for exercising CCPA rights

14.3 Exercising CCPA Rights

To exercise your CCPA rights, email us at jack@spn.health with "CCPA Request" in the subject line.

14.4 Verification

We will verify your identity before fulfilling CCPA requests to protect your data from unauthorized access.

15. Contact Us

15.1 Data Protection Inquiries

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

SPN Health Ltd
Bartle House
Manchester, M2 3WQ
United Kingdom

Email: jack@spn.health

Data Controller: SPN Health Ltd

15.2 Response Time

We aim to respond to all inquiries within 5 business days for general questions and within 30 days for formal data rights requests.

15.3 Complaints

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) or your local data protection authority.

16. Summary of Key Points

What data we collect:

  • Name, email, country

  • Oura Ring health data (sleep, activity, heart rate, etc.)

  • AI-generated insights from your health data

  • IP addresses and usage analytics


How we use your data:

  • Generate AI-powered health insights

  • Store your health data and insights for your ongoing access

  • Enable historical trend analysis and progress tracking

  • Improve the Service

  • Send communications (with consent)

  • Comply with legal obligations


How long we keep your data:

  • Health data and insights: For the duration of your active account

  • Automatic deletion after 6 months of inactivity

  • Immediate deletion available upon request

  • Personal info deleted within 30 days of account deletion


How we protect your data:

  • Encryption and security measures

  • Limited employee access

  • No selling of your data

  • Anonymized data sent to AI providers (no personal identifiers)


Your rights:

  • Access, correct, or delete your data at any time

  • Export your data in portable format

  • Withdraw consent for health data processing

  • Opt out of marketing emails

  • Lodge complaints with ICO


Contact us: jack@spn.health


Last Updated: 10 October 2025

Version: 1.0

Governing Law: This Privacy Policy shall be governed by and construed in accordance with the laws of England and Wales.


© 2025 SPN Health Ltd. All rights reserved.