Privacy Policy

Effective date: April 3, 2023

Download the German version of the Privacy Policy.

PLEASE READ THIS POLICY CAREFULLY BEFORE USING SERVICES FROM OXA AND NANOLEQ AG.

You must be 16 years or older to use our Services.

Protecting your data, privacy and personal data (as defined under Article 4(1) of the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and the California Consumer Privacy Act of 2018 (hereinafter “CCPA”)) is very important to Nanoleq AG (“us”, “our” or “we”). It is vitally important to us that our customers (the “users”) feel secure when using our products and services.

This privacy policy (the “Privacy Policy”), together with our Terms & Conditions at shop.oxalife.com/terms and any other documents referred to therein, sets out the basis (Art. 13 GDPR) on which any personal data we collect from you, or that you provide to us, will be processed. Please read this Privacy Policy carefully to understand the types of data we collect from you, how we use it, the circumstances under which we will share it with third parties, and your rights in relation to your personal data.

You can use “Oxa” through our mobile application, Oxa Life, (the “App”), or separately from the app, in combination with third-party services. This Privacy Policy describes our data processing when using Oxa or accessing our websites oxalife.com or nanoleq.com (the “Websites”) or any service and/or product we may provide you (Websites together with Oxa and any of our product and services, the “Services”). Where certain processing activities relate only to a specific product such as the App, the websites, or the Oxa sensor, this will be clearly indicated.

1. Who we are

Nanoleq AG is the controller (as defined under Article 4(7) GDPR) responsible for the processing of your personal data in connection with the Services.

In this Privacy Policy, “we”, “our” or “us” refer to:

Nanoleq AG (CH-020.4.061.558-0)
Hofwisenstrasse 50a
8153 Ruemlang, Switzerland
Tel.: 0041 78 975 1072
E-Mail: info@nanoleq.com

If you have any questions or comments about this notice, the ways in which Nanoleq AG collects and uses your information described here and in the Privacy Policy, and End User License Agreement, your choices and rights regarding such use, or wish to exercise your rights, our data protection officer can be contacted at dataprotection@nanoleq.com.

If you need to access this Policy in an alternative format due to having a disability, please contact us at dataprotection@nanoleq.com.

2. General overview of the data processing in connection with the Services

Before you start using our Services, you have to confirm that you have read our Privacy Policy carefully, and consent to Oxa processing the personal data you supply in order to be provided with our Services.

Oxa interacts with you and your data. We want to inform you about the collection and processing of personal data necessary for the purpose of the Oxa app. This involves the provision of the functional and user-friendly website, including your content and services offered there, and the app functionality in accordance with the Terms of Use.

This section 2 aims at giving you a quick high-level overview of the data processing activities in connection with the Services we provide you.

If you wish to read in detail all the data processing activities we undertake, read the following section 3 relating to each specific data processing activity, and sections 4 to 9 that relate to:

  • our cookies & tracking policy (section 4),
  • where we store your personal data (section 5),
  • when we may disclose your personal data (section 6),
  • our retention policy (section 7),
  • your data subjects’ rights (section 8),
  • your specific rights if you are a resident of a non-GDPR jurisdiction (section 9), and
  • our changes policy (section 10).

Information that you provide to us: we may collect and process personal data that you will be asked to provide when you:

  • fill in forms on our Website, apply for a job offer or otherwise correspond with us by any available means;
  • register to use our Services, subscribe to our newsletter, receive promotional emails or any other marketing materials;
  • use our Services;
  • report a problem with our Services; or
  • complete any surveys or provide any feedback that we may use for research and improvement purposes (although it is optional, and you do not have to respond to these if you do not want to).

The information that we may ask you to provide includes, but is not limited to, your name, gender, date of birth, email address, phone number, address, personal history, goals, or further information required to verify your identity.

Information we collect about you: although we will not use it to identify you, we may collect the following data during each of your visits and use of our Services:

  • Usage data: technical information about your device, including device-specific information such as your hardware model, operating system version, unique device identifiers, and mobile network information; details of your visits, including the full Uniform Resource Locators (“URL”) clickstream to, through and from our Services (including date and time); details of conditions and symptoms searched;
  • Analytics data: your IP address, operating system and browser type; information about which app store you downloaded our App from; length of visits to certain pages, and page interaction information (such as scrolling, finger gestures, clicks, and mouse-overs).
  • Note: the App uses the IP address to estimate the geographical region, but not exact location.

If you are using our Services on behalf of a third party, you must have obtained clear permission from the individuals whose data you provide us with before sharing that data. For the avoidance of any doubt, any reference in this Privacy Policy to “your data” shall include data about other individuals that you have provided us with.

Our Website may contain links to third-party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal data. Please check these policies before you submit any personal data to such third-party websites.

3. Which personal data we may collect and process, why and for how long

3.1 When you use our Website

  • Types of data: webpage(s) visited, IP address of the requesting device (if applicable, in anonymized form), date and time of access, name and URL of the requested file, website from which access is obtained (“Referrer URL”), browser used and, where applicable, your device’s operating system and the identity of your access provider; records and copies of your correspondence (including email addresses) if you contact us; your responses to surveys that we might ask you to complete for research purposes.
  • Purpose of processing: We use the above data to provide you with access to our Website, ensure that the Website can establish an internet connection smoothly and is easy to use, and to analyze the system security and stability, as well as for additional administrative purposes.
  • Use justification: Legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest is based on the data collection purposes listed under “Purpose of processing”. We do not use the data collected for the purpose of identifying you. You are not obliged to provide the above personal data; however, you will not be able to access the Website if such personal data are not provided.
  • Storage duration: Your data is stored for no more than 14 months, unless any security-relevant event occurs (e.g. a DDoS attack). If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and clarified in full.

3.2 When you use our Webshop

  • Types of data: Information by which you may be personally identified, such as name, postal address, email address, telephone number, or any other identifier by which you may be contacted online or offline (“personal information”); payment processing information*; IP address of the requesting device, date and time of transaction, name and URL of the requested file, website from which access is obtained (“Referrer URL”), browser used and, where applicable, your device’s operating system and the identity of your access provider. The data required for opening an account can be found in the input mask of the corresponding form on our website. When you choose to create an account in the webshop, you opt to provide a password.
  • Purpose of processing: We collect your name, mailing address, and telephone number so we can process your order and fulfill your purchase. We also process your personal data as part of our fraud detection processes. We process this information to generate an invoice in our systems for tax reporting purposes or upon your request. The legal ground for processing your information for generation of an invoice for tax reporting purposes is fulfillment of a legal obligation. The legal ground for processing your information for generation of an invoice at your request is performance of a contract.
  • Use justification: Legitimate interest (Article 6(1)(f) GDPR). Legal obligation. Our legitimate interest is in performance of a contract and for protecting us and our customers from attempts to engage in fraudulent transactions. Our legal obligation is for generation of an invoice for tax reporting purposes. You are not obliged to provide the above personal data; however, you will not be able to access the Website if such personal data are not provided.
  • Storage duration: We will retain accounting data for ten years in accordance with the commercial and tax law storage obligations (Swiss Code of Obligations Article 958f and the Ordinance for keeping and retaining accounting records (Olico)). Deletion of your webshop account is possible at any time and can be done by sending a message to the above address of the person responsible. After deletion of your webshop account, your account data will be deleted, provided that all contracts concluded via it have been fully processed, no legal retention periods are opposed, and no legitimate interest on our part in the continued storage exists.

* Our webshop offers several different payment options, which may be handled by different service providers. For the specific details of each payment processor’s data handling, refer to our list of service providers.

3.3 When you register or manage a user account in the App

  • Types of data: Email address and password, account ID, device information, profile name (optional), gender (optional), date of birth (optional), date, time and location (estimate of geographical region) of registration.
  • Email: The email is used to log in to the account and is stored in a third-party processing tool, Firebase. The processing in Firebase is used for authentication and notifications.
  • Password: The password is stored in a form from which it cannot be recovered.
  • Purpose of processing: We use the above data to provide you with a user account and access to our Services. We use the required information for the basic analysis. It is not possible to access our Services if the non-optional data are not provided.
  • Use justification: Contract performance (Article 6(1)(b) GDPR) / Consent (Article 9(2)(a) GDPR) for the processing of your data.
  • Storage duration: We process your data for the purposes specified above until you request deletion of your account or when you delete your account. Upon request, we will delete your account within 1 month and delete or irreversibly anonymize your data (such that it cannot be associated with a specific natural person). We will further retain your data (see section 7 for more details), e.g. for the purposes of establishing, exercising or defending against legal claims and to comply with necessary standards, but we will not process the data for any other purposes.

3.4 Google Login / Apple Login

  • Types of data: Google ID, Apple user ID, email address (if you authorize Apple to share the address with us), time and date of the login.
  • Purpose of processing: If you choose to use and log in with Google or Apple, we will receive the data listed above from Google or Apple with your approval to populate your user data in the App, and to verify your identity. Please note that if you use the Google login or the Apple login, Google or Apple may also process your data (Google ID / Apple ID, metadata, some app events and device metrics). We are not responsible for this data processing; you can learn more about this in Google’s Privacy Policy / Apple’s Privacy Policy.
  • Use justification: Legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest is to provide users who do not have an email account or who wish to log in with their Google account or Apple account the option to use our Services / Contract performance (Article 6(1)(b) GDPR) / Consent (Article 6(1)(a) GDPR).
  • Storage duration: The storage duration of your data for this purpose corresponds to the period of processing in accordance with section 3.2. Data processed by Google or Apple, which we do not control if you choose to use Google login or Apple login, may remain in Google’s servers or Apple’s servers. Should you delete your Google account or stop using your Apple device and wish to use the App, you will be directed to sign-in with an email or other login procedure.

3.5 Oxa breathing exercises

In some instances, some of the personal information that you give to us is considered health-related data. You may decide which personal information, if any, you would like to share with us, but some functions of Oxa may not be available to you without providing us the necessary personal information. Subject to applicable law, by providing personal information to us or consenting to or authorizing the disclosure of health-related data to us, you agree to our methods of collection and use, as well as to the other terms and provisions of this Policy.

  • Types of data: heart rate and heart rate variability; breathing rate and breathing pattern; skin temperature; timestamp; app version; user ID.
  • Note that this information is pseudonymized and we do not have any information about your identity, as we do not need it.
  • Purpose of processing: The Oxa app actively records data using your device to analyze an activity and then create a profile for personalized breathing management. This information allows us to continue to improve the quality of Oxa and further enhance the user experience and overall functionality.
  • Use justification: Contract performance (Article 6(1)(b) GDPR) / Consent (Article 9(2)(a) GDPR) for the processing of your data. You may revoke/withdraw your consent at any time; however, it is not possible to provide you with Oxa’s exercises and measurements without such consent.
  • Storage duration: As a rule, the storage duration corresponds to the period of processing according to section 3.3. In addition, you may request the deletion of a specific exercise or delete the exercise yourself. We will then delete or irreversibly anonymize your exercise data (such that it cannot be associated with a specific natural person) within 1 month. We will further retain some of your data (see section 7 for more details) but we will not process the data for any other purposes.

3.6 Sensor usage independent from the Oxa app

Our Oxa device and services are designed to be used in conjunction with each other to provide the best possible experience. The Oxa sensor can also be used in standalone mode without using our app and services, and Oxa may be compatible with some existing apps.

Note that not all information, such as respiration, is available when used in standalone mode. Only the Oxa app can display the full information. When you use the sensor in standalone mode, we do not collect any data, but the app you use may do so.

Please read the privacy policy of the other app to understand what personal data is stored. We may receive data about your purchase of Oxa sensors, for example, through a web store.

Note that if you use the sensor in standalone mode, we cannot provide you with software updates and you may not have the latest innovations with the best data quality. Therefore, we recommend that you regularly use the Oxa app to check if a software update is available for the sensor.

3.7 Use of data for statistical and research purposes

3.7.1 Oxa Life App

Oxa is not a medical device. Please note that the App is not designed to diagnose, treat, cure or prevent diseases or medical conditions. The content and services and other information and guidance provided via the App are provided for informational purposes only and should not be used as an alternative to advice given by physicians or other health professionals. You must always consult a physician if you have any questions regarding a medical condition or any changes you wish to make to your activity or sleep based on information or guidance from Oxa. We do not and cannot share any information generated from the App with your physicians or other health professionals. For more information about safety with Oxa, see Oxa’s Important Safety Information.

  • Types of data: exercise ID, heart rate and heart rate variability; breathing rate and breathing pattern; skin temperature; physical activity; geographic location, time, date of exercise; the app version, operating system information, and information about how the app works (log data).
  • Purpose of processing: The science of breathing, the heart, and the mind are important to Nanoleq. We have consultants and research teams focused on measurements, data extraction, algorithms, and human physiology. We conduct this research to develop new and improved services and products to help you better understand your body.
  • Use justification: The processing is necessary for statistical purposes and we only provide our partners with anonymized and summarized statistics from which the identification of a specific natural person is impossible (Article 9(2)(j) GDPR; Sec. 27 (1) BDSG). Our legitimate interest in processing data for these purposes is to support progress in research in line with our entrepreneurial goals, which is also in the public interest to improve the understanding of the human body. You may, for reasons arising from your particular situation, object to such processing at any time by contacting us (more information about your right to object in Section 8 below).
  • Storage duration: The storage duration of your data on the basis of which we create the statistics corresponds to the period of processing according to section 3.2. When you request deletion of a specific exercise or if you delete an exercise in the App, your exercise data will no longer be used for this purpose. Our staff applies the highest ethical standards when conducting study protocols. The statistics are anonymous. We do not share personal information, and if required, we will ask for your consent before publication, which you may refuse.

3.7.2 Oxa Research Lab

  • Oxa Research Lab is an extension of our services designed to facilitate advanced scientific research in collaboration with qualified research entities. While the Oxa App focuses primarily on providing information for personal use and is not a medical device, the Research Lab aims to assist in research that could contribute to scientific and medical advancements.
    • Types of Data: In addition to the data types outlined in Section 3.7, the Research Lab may collect additional metrics pertinent to specific research studies. This could include session identifiers, responses to questionnaires, and other specialized physiological metrics.
    • Purpose of Processing: Data collected by Oxa Research Lab is intended to aid scientific research that seeks to expand our understanding of human physiology, psychology, or other areas of interest. This data is accessible by Oxa and may contribute to the development of new products, services, or features.
    • Use Justification: Data processing for Oxa Research Lab is conducted in compliance with GDPR Article 9(2)(j) and other relevant laws. It adheres to strict ethical guidelines, including the procurement of informed consent from study participants. Oxa maintains a legitimate interest in the use of this data for scientific research and technological development, which is also in the broader public interest.
    • Storage Duration: The storage period for data collected by Oxa Research Lab will be explicitly outlined in the research study protocol and participant consent form. After this period, or upon a participant's withdrawal from the study, the data will no longer be used for research purposes but may be retained by Oxa for internal purposes, unless otherwise specified.
    • Oxa’s Access to Data: Oxa will have access to the data collected in the Research Lab for the purposes outlined in this section and as specified in participant consent forms.
    • Opting Out: Participants have the right to withdraw from a research study at any time, and this can be executed as described in Section 8 below.
    • Confidentiality: Oxa takes strict measures to ensure the confidentiality and security of all research data, which will only be shared with authorized research entities. Any publication of research findings will be done in a manner that maintains the anonymity and confidentiality of the participants, unless explicit consent for attribution has been obtained.

3.8 Monitor usage to ensure proper use, functioning, maintenance and improvement of the Services and related emails

  • Types of data: Device ID, IP address, operating system and browser type, length of visits to certain pages, and page interaction information such as scrolling, finger gestures, clicks, and mouse-overs, geographic location, time and date, any events while using the exercises such as, but not limited to, started, finished, or favorited exercise.
  • Purpose of processing: We use a limited set of usage data (which does not include personal health data) to ensure the proper use, functioning, maintenance and improvement of our Services for all users.
  • Use justification: Legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest is based on the aforementioned purposes for which that data is used. Under no circumstances will we use the collected data to determine your identity. We may process the page interaction when you use our Services or receive emails we may send you to ensure proper reception and assess the service in order to improve it. You may, for reasons arising from your particular situation, object to such legitimate processing at any time by contacting us (more information about your right to object in Section 8 below).
  • Storage duration: The storage duration of your data for this purpose corresponds to the period of processing in accordance with section 3.3.

3.9 Direct marketing for our own similar products and services

If you register for our e-mail newsletter, we will regularly send you information about our offers.

  • Types of data: The only mandatory data for sending the newsletter is your e-mail address. The provision of further data is voluntary and will be used to address you personally.
  • Purpose of processing: To receive direct marketing (products and services) or communication about any survey that we believe will be of interest to you. You can modify your marketing settings at any time by using the link at the bottom of each marketing email, or by sending your unsubscription request.
  • Use justification: We use the so-called double opt-in procedure for sending the newsletter. This means that we will only send you an e-mail newsletter once you have expressly confirmed that you consent to receiving newsletters. We will then send you a confirmation e-mail asking you to confirm that you wish to receive the newsletter in future by clicking on an appropriate link. By activating the confirmation link, you give us your consent for the use of your personal data pursuant to Art. 6 (1) point a GDPR. When you register for the newsletter, we store your IP address entered by your Internet service provider (ISP) as well as the date and time of registration for the purpose of tracing any possible misuse of your e-mail address at a later date. The data collected by us when you register for the newsletter is used exclusively for promotional purposes by way of the newsletter.
  • Storage duration: The storage duration of your data for this purpose corresponds to the period of processing in accordance with Sections 3.2 and 3.3. You can unsubscribe from the newsletter at any time via the link provided for this purpose in the newsletter or by sending a corresponding message to the responsible person named at the beginning. After unsubscribing, your e-mail address will be deleted from our newsletter distribution list immediately, unless you have expressly consented to further use of your data, or we reserve the right to a more extensive use of your data which is permitted by law and about which we inform you in this declaration.

3.10 Performance reports

  • Types of data: Error, crash reports including device, app and incident specific information (e.g. App Version), IP address, URL, geographic location, time and date.
  • Purpose of processing: We use the above data (which does not include personal health data) both to ensure the functionality of our Services (our Services cannot function properly without this processing) and to prevent any decompiling or otherwise reverse engineering. We only use pseudonymized usage data that we may collect via service of our processor(s). We have agreed on Standard Contractual Clauses and additional contractual obligations with each of these service providers. In addition, we will assess, on a case-by-case basis, the risks for your rights and privacy, together with the necessity to keep them to provide you with our Services. Should you have any question about the additional measures we put in place, please feel free to contact us via email to dataprotection@nanoleq.com.
  • Use justification: Legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest is based on the aforementioned purposes for which that data is used. Under no circumstances will we use the collected data to determine your identity.
  • Storage duration: The storage duration of your data for this purpose corresponds to the period of processing in accordance with section 3.2.

3.11 Feedback / Surveys

  • Types of data: feedback that you provide (depending on the survey this may contain personal data), contact details (where applicable).
  • Purpose of processing: We use the feedback you may provide us (optional) to analyze whether you are satisfied or dissatisfied with our products and Services, and to assess your general experience with it. This is a fundamental resource for us to improve your user experience and adjust our actions to your needs. We may also use the feedback you may provide us (optional) to guarantee high quality and safety standards of our Symptom Assessment, as described in section 3.6 and 3.10 above.
  • Use justification: Your consent (Article 6(1)(a) / 9(2)(a) GDPR) and where applicable our legitimate interest (Article 6(1)(f) GDPR) to improve your user experience and adjust our actions to your needs. Under no circumstances will we use the collected data to determine your identity. You can withdraw your consent at any time by aborting the survey or contacting us.
  • Storage duration: Your data will be stored until it is no longer required for the survey for which it was collected. This depends on the setup of the individual survey you take part in. Where possible we will anonymize any information that might identify you during the evaluation for further processing.

3.12 When you contact us

We use an email ticketing system, a customer service platform, to process customer enquiries.

If users of our websites send contact requests by email, these are stored and organized in the ticket system to enable chronological processing and to improve the service experience. Users can always view the latest status of the processing of their request via the individually assigned ticket number. Only for the organization of requests and their processing, personal data is collected as provided in the request, but in any case, data such as name, first name and email address will be transmitted to our service provider, stored there, and retrieved.

  • Types of data: Which data is collected in the case of a contact form can be seen from the respective contact form.
  • Purpose of processing: When you contact us (e.g. via contact form or e-mail), personal data is collected. This data is stored and used for the purpose of responding to your request or for establishing contact and for the associated technical administration. We use the data collected from your contact to provide you service for our product, to ensure that our service offerings are easy to use, and to analyze the security and stability of our service, as well as for additional administrative purposes.
  • Use justification: our legitimate interest in the efficient design of our customer service, in answering your request as quickly as possible and in optimizing our service offer in accordance with Art. 6 (1) point f GDPR. If your contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 (1) point b GDPR.
  • Storage duration: The storage duration of your data for this purpose corresponds to the period of processing in accordance with section 3.2, or at least for the duration of the warranty period. When evaluating the quality, ease-of-use, security, and stability of our Services, we will anonymize any information that might identify you.

4. Cookies and Tracking

Our Websites use so-called “cookies”. Cookies are small files or other storage technologies that are stored by your browser on your computer. We use the term “cookies” to refer to all tools that collect data on our Websites (e.g. IP addresses, place and time of the visit). Your data collected in this way is pseudonymized, and is not stored together with your other personal data. This processing is used to make our websites more user-friendly, efficient, and secure and enables us, for example, to display our websites in different languages or to offer a shopping cart function. This processing is carried out on a legal basis (Art. 6 (1) lit. b) GDPR) and, where required by law, based on your consent. If the processing does not serve the initiation or execution of a contract, our legitimate interest lies in improving the functionality of our websites; the legal basis is then Art. 6 para. 1 lit. f) GDPR.

When accessing Oxa’s services online you can set your browser in such a way that you are informed about the setting of cookies and you can decide individually about their acceptance or exclude the acceptance of cookies for certain cases or generally. The functionality of our websites may be limited if cookies are not accepted. Each browser differs in the way it manages the cookie settings. This is described in the help menu of each browser, which explains how you can change your cookie settings. You will find these for the respective browsers under the following links:

When you use the App or Websites, certain third parties may use automatic information collection technologies to collect information about you or your device. These third parties may include:

  • Advertisers, ad networks, and ad servers.
  • Analytics companies.
  • Your computer or mobile device manufacturer.
  • Your internet or wireless service provider.

These third parties may use tracking technologies to collect information about you when you use this app. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites, apps, and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.

We do not control these third parties’ tracking technologies or how they may be used, including use of your information to serve interest-based advertising. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. You can opt out of receiving targeted ads from members of the Network Advertising Initiative (“NAI”) on the NAI’s website.

5. Where and how we store your data

We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. All information you provide to us is stored on servers managed by Amazon Web Services located in Frankfurt, Germany (EU-Central-1). Any authentication service offered through the App is provided by Google Firebase.  

This data may, however, be processed by sub-processors operating outside of the European Economic Area (“EEA”) based on a data processing agreement, as long as the additional requirements of Article 44 et seq. GDPR for the processing of personal data in third countries are met (e.g. if the sub-processor can provide appropriate safeguards under Article 46 GDPR, such as but not limited to standard data protection clauses, binding corporate rules, approved code of conduct or exceptional circumstances under Article 49 GDPR) and any necessary additional measures based on case-by-case assessments.

Sensitive information between your browser and our Webshop and App is transferred in encrypted form using Transport Layer Security (“TLS”). When transmitting sensitive information, you should always make sure that your browser can validate our certificate.

All information you provide to us is stored on our secure servers behind firewalls. Any payment transactions will be encrypted by our service providers.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our App and/or Webshop, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Please contact us if you would like further details on the specific safeguards applied to the export of your personal data outside the EEA.

6. Disclosure of your personal data

6.1 We use technical service providers to operate and maintain our Services, who act as our processors based on a data processing agreement. A full list of our third-party processors processing your personal data on our behalf and strictly according to section 3 above can be found here. Where we use service providers who process personal data on our behalf outside the EEA (or “third countries”) we do so with the appropriate safeguards for your data subject rights. To a limited extent, we do use service providers situated in the US. We have reached out to our US-based service providers and decided on alternative safeguards on a case-by-case basis in accordance with the guidance of the European Data Protection Board.

More details on service providers and the measures taken to ensure your rights are detailed in the relevant sub-sections of section 3 above and the list of service providers.

6.2 In addition, we do not transfer your personal data to third parties – with the exception, when applicable, of the purposes listed below:

  • Use justification: The legal basis for the transfer and processing of your personal data by the processor corresponds to the legal basis on which we, as data controller, rely (always in compliance with section 3 above).
  • We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, and prohibit using the disclosed information for any purpose except performing the contract. In the preceding twelve (12) months, Company has not disclosed personal information for a business purpose.
  • Our personal information sales do not include information about individuals we know are under age 16. In the preceding twelve (12) months, Company has not sold personal information.

6.3 If we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.

  • Use justification: Legitimate interest (Article 6(1)(f) GDPR): to sell our business or assets / where required by applicable law: consent (Article 9(2)(a) GDPR): for the processing of special categories of data, i.e. your personal data.

6.4 If we or, substantially, all of our assets are acquired by a third party, personal data about our users will be one of the transferred assets.

  • Use justification: Legitimate interest (Article 6(1)(f) GDPR): to sell our company or assets / where required by applicable law: consent (Article 9(2)(a) GDPR): for the processing of special categories of data, i.e. your personal data.

6.5 If we are required to comply with any court order, law, or legal process, including to respond to any government or regulatory request.

  • Use justification: Legal obligation (Article 6(1)(c) GDPR).

7. Third-Party Processors

Our carefully selected partners and service providers may process personal information about you on our behalf as described below:

7.1 “Digital Marketing Service Providers”

  • We periodically appoint digital marketing agents to conduct marketing activity on our behalf; such activity may result in the compliant processing of personal information. Our appointed data processors include:
    — (i) Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy policy here: http://sopro.io. Sopro are registered with the ICO (Reg: ZA346877); their Data Protection Officer can be emailed at: dpo@sopro.io.
    — (ii) Klaviyo, Inc Reg. USA EIN 460989964. You can contact Klaviyo and view their privacy policy here: https://www.klaviyo.com/legal/privacy/privacy-notice
    — (iii) Shopify, Inc Reg. USA EIN 8558163857. You can contact Shopify and view their privacy policy here: https://www.shopify.com/legal/privacy

8. Retention of your personal data

We will hold your personal data for as long as it is necessary or required by law or by any relevant regulatory body, and always in compliance with the data minimization principle. Specific storage periods for the respective processing activities are detailed in section 3 above.

We will retain accounting data for ten years in accordance with the commercial and tax law storage obligations (Swiss Code of Obligations Article 958f and the Ordinance for keeping and retaining accounting records (Olico)).

If personal data is processed on the basis of an express consent pursuant to Art. 6 (1) point a GDPR, this data is stored until the data subject revokes his consent. If there are legal storage periods for data that is processed within the framework of legal or similar obligations on the basis of Art. 6 (1) point b GDPR, this data will be routinely deleted after expiry of the storage periods if it is no longer necessary for the fulfillment of the contract or the initiation of the contract and/or if we no longer have a justified interest in further storage.

When processing personal data on the basis of Art. 6 (1) point f GDPR, this data is stored until the data subject exercises his right of objection in accordance with Art. 21 (1) GDPR, unless we can provide compelling grounds for processing worthy of protection which outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.

If personal data is processed for the purpose of direct marketing on the basis of Art. 6 (1) point f GDPR, this data is stored until the data subject exercises his right of objection pursuant to Art. 21 (2) GDPR.

If your personal data is used for more than one purpose, we will retain it until the purpose with the longest period expires, but we will stop using it for the purpose with the shorter period as soon as the shorter period expires (to comply with the purpose limitation principle). We restrict access to your personal data to the persons who need to use it for the relevant purpose(s), always in compliance with the integrity and confidentiality principle.

After the processing of your data is no longer necessary for the purposes outlined in section 3 or your account is deleted (see sections 3.2 and 3.3) we will securely and separately store some of your data in accordance with statutory retention obligations applicable to us and reasonable business needs.

If the processing of your personal data is no longer necessary for any purpose it is either irreversibly anonymized (and the anonymized data may be retained), or securely erased.

9. Your data subject’s rights

You have various rights in relation to your personal data (as listed below). All of these rights can be exercised by contacting us via dataprotection@nanoleq.com.

Residents of certain jurisdictions may have additional personal information rights and choices. Please see sections 9 and 10 for more information.

Verification: in order to verify your request, we will take reasonable steps such as asking you to send us a confirmation from the email address associated with your account, so that we can verify that you are the owner of this email account. If there is no email address associated with your account, we may ask you for proof of ID.

  • Right to withdraw consent: Where the processing of your data relies on your prior consent, you have the right to withdraw such a consent at any time by notifying us via email to dataprotection@nanoleq.com or a contact request to support.oxalife.com. By withdrawing your consent, the lawfulness of the processing based on consent up until the point of withdrawal will not be affected.
    — Tracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe’s website. If you disable or refuse cookies, please note that some parts of this site may then be inaccessible or not function properly.
    — Promotional Offers from the Company. If you do not wish to have your contact information used by the Company to promote our own or third parties’ products or services, you can opt-out by sending us an email stating your request to dataprotection@nanoleq.com. If we have sent you a promotional email, you may send us a return email asking to be omitted from future email distributions. This opt out does not apply to information provided to the Company as a result of a product purchase, warranty registration, product service experience or other transactions.
  • Right to object: You have a right to object under the conditions of Article 21 GDPR. Below you will find more detailed information:
    — Right to object where the processing is based on legitimate interests: As a data subject, you have the right to object on grounds relating to your particular situation, at any time, to the processing of your personal data which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. In the event of an objection relating to your particular situation, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
    — Right to object where we process your personal data for statistical purposes: If we process your personal data for statistical purposes pursuant to Article 9(2)(j) GDPR / section 27(1) BDSG, you have the right to object to such processing for reasons arising from your particular situation. In the event of such an objection, we will no longer process the personal data concerned for this purpose, unless the processing is necessary to fulfill a task in the public interest, or if the discontinuation of such a processing is likely to make it impossible or seriously impair the realization of statistical purposes and the continuation of processing is necessary for the fulfillment of statistical purposes.
    — Right to object to direct marketing: Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, we no longer process your personal data for these purposes. To exercise your rights of objection, you may reply by email to the direct marketing email you receive from us, or contact us at any time.
  • Right to be informed / ‘Right to know’: As a data subject, you have a right to obtain access and information under the conditions provided in Article 15 GDPR or in Article 1798.110 (a) CCPA. This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data or not. If so, you also have the right to obtain access to the personal data and the information listed in Article 15(1) GDPR and in Article 1798.110 (a) CCPA. This includes information:
    — regarding the purposes of the processing,
    — the categories of personal data that are being processed,
    — the categories of sources for the personal information we collected about you,
    — our business or commercial purpose for collecting or selling that personal information,
    — the recipients or categories of recipients (including third parties) to whom the personal data have been or will be disclosed,
    — if we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
      (a) sales, identifying the personal information categories that each category of recipient purchased; and
      (b) disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained,
    — and the specific pieces of personal information we collected about you (also called a data portability request).
  • Right to erasure / ‘Right to be forgotten’ / ‘Right to delete’: As a data subject, you have a right to erasure (“right to be forgotten,” “Right to Delete”) under the conditions provided in Article 17 GDPR and Article (1798.105) CCPA, respectively. This means that you generally have the right to obtain from us the erasure of your personal data and we are obliged to erase your personal data without undue delay when one of the reasons listed in Article 17(1) GDPR applies or except when Article 1798.105 (d) CCPA is applicable. You can do this by deleting your account, in the App, at any time. If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data (Article 17(2) of the GDPR). The right to erasure (“right to be forgotten”) does not by exception apply if the processing is necessary for one of the reasons listed in Article 17(3) GDPR. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims (Article 17(3)(b) and (e) GDPR).
  • Right to restriction of processing: As a data subject, you have a right to restriction of processing under the conditions provided in Article 18 GDPR. This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Article 18(1) GDPR applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data (Article 18(1)(a) GDPR). Restriction means that stored personal data are marked with the goal of restricting their future processing (Article 4(3) GDPR).
  • Right to data portability: As a data subject, you have a right to data portability under the conditions provided in Article 20 GDPR. This means that you generally have the right to receive your personal data with which you have provided us in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from us where the processing is based on consent (pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR) or on a contract (pursuant to Article 6(1)(b) GDPR), and where the processing is carried out by automated means (Article 20(1) GDPR). In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller where technically feasible (Article 20(2) GDPR).
  • Right to Rectification: As a data subject, you have the right to rectification under the conditions provided in Article 16 GDPR. This means in particular that you have the right to receive from us, without undue delay, the rectification of inaccuracies in your personal data and completion of incomplete personal data.
  • Right to complain: As a data subject, you have a right to lodge a complaint with a supervisory authority under the conditions provided in Article 77 GDPR. The supervisory authority responsible for us is the Datenschutzstelle, Address: Beckenhofstrasse 59, 8006 Zürich, Switzerland; Telephone: +41 44 412 16 00; Contact: https://www.stadt-zuerich.ch/portal/de/index/politik_u_recht/datenschutzstelle/kontakt.html

Asking us to stop processing your personal data or deleting your personal data will likely mean that you are no longer able to use our Services, or at least those aspects of the Services which require the processing of the types of personal data you have asked us to delete, which may result in you no longer being able to use the Services.

10. Specific rights if you are a resident of a non-GDPR jurisdiction

10.1 Privacy information for Swiss residents

In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection apply in Switzerland. These include, in particular, the Federal Data Protection Act (Bundesgesetz zum Datenschutz – DSG). The DSG applies in particular if no EU/EEC citizens are affected and, for example, only data of Swiss citizens is processed.

10.2 Privacy information for US residents

By accessing or using Nanoleq’s or Oxa’s services (including but not limited to accessing or using this website, downloading, installing, registering with, or using the Oxa Life App), you agree to this privacy policy. This policy may change from time to time (see Changes to Our Privacy Policy). Your continued access and/or use of Oxa after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates. If you do not agree with our policies and practices, do not download, install, register with, or continue using our Services.

This policy does not apply to information collected by:

  • Us offline or through any other means; or
  • Any third party, including through any application or content (including advertising) that may link to or be accessible from or through the Website.

10.2.1 State consumer privacy laws

State consumer privacy laws may provide their residents with additional rights regarding our use of their personal information.

Colorado, Connecticut, Virginia, and Utah each provide their state residents with rights to:

  • Confirm whether we process their personal information.
  • Access and delete certain personal information.
  • Data portability.
  • Opt-out of personal data processing for targeted advertising and sales.

Colorado, Connecticut, and Virginia also provide their state residents with rights to:

  • Correct inaccuracies in their personal information, taking into account the information’s nature and processing purpose.
  • Opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects.

To exercise any of these rights please send an email to dataprotection@nanoleq.com.

Nevada provides its residents with a limited right to opt-out of certain personal information sales. Residents who wish to exercise this sale opt-out right may submit a request to dataprotection@nanoleq.com.

10.2.2 Privacy information for California residents

We adopt this notice to comply with the California Consumer Privacy Act of 2018 (hereinafter “CCPA”) and any terms defined in the CCPA have the same meaning when used in this Policy.  California residency is defined in section 17014 of Title 18 of the California Code of Regulations. California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our App that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to dataprotection@nanoleq.com.

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information”).

Personal information does not include:

  • Publicly available information from government records.
  • Deidentified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, like:
    — health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), clinical trial data, or other qualifying research data;
    — personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

| Category | Examples | Collected |
|---|---|---|
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | YES |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | YES |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | YES |
| F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES |
| G. Geolocation data. | Physical location or movements. | YES |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | YES |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | NO |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO |
| K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | YES |

Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights (which does not interfere with GDPR) regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

  • Right to Know and Data Portability: You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months (the “right to know,” Article (1798.100) (a) CCPA). Once we receive your request and confirm your identity, we will disclose to you: the categories of personal information we collected from you, together with the categories of sources from which it was collected, the purpose of the collection, the categories of third parties with whom we shared your personal information, and the specific pieces of personal information that have been collected (Article 1798.110 (a) CCPA).
  • Right to Delete: You have the right to request deletion of any personal information that we collected from you (Article (1798.105) CCPA). After we have verified your request to delete your personal information, we shall delete it from our records and direct any service providers to delete your personal information from their records, except when Article 1798.105 (d) CCPA is applicable. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
    — Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
    — Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
    — Debug products to identify and repair errors that impair existing intended functionality.
    — Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
    — Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
    — Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
    — Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
    — Comply with a legal obligation.
    — Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
  • We will delete or deidentify personal information not subject to one of these exceptions from our records and will direct our service providers to take similar action.

Exercising Your Rights to Know or Delete

To exercise your rights to know or delete described above, please submit a request by emailing us at dataprotection@nanoleq.com. Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information.  You may also make a request to know or delete on behalf of your child by emailing us at dataprotection@nanoleq.com.

You may only submit a request to know twice within a 12-month period. Your request to know or delete must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.  You do not need to create an account with us to submit a request to know or delete. However, we do consider requests made through your password-protected account sufficiently verified when the request relates to personal information associated with that specific account. We will only use personal information provided in the request to verify the requestor’s identity or authority to make it.

Response Timing and Format

We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please contact us.

We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Personal Information Sales Opt-Out and Opt-In Rights

If you are age 16 or older, you have the right to direct us to not sell your personal information at any time (the “right to opt-out”). We do not sell the personal information of consumers we actually know are less than 16 years old, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is between 13 and 15 years old, or the parent or guardian of a consumer less than 13 years old. Consumers who opt-in to personal information sales may opt-out of future sales at any time.

To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by emailing us at: dataprotection@nanoleq.com.

Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize personal information sales. However, you may change your mind and opt back in to personal information sales at any time by emailing us at: dataprotection@nanoleq.com.

You do not need to create an account with us to exercise your opt-out rights. We will only use personal information provided in an opt-out request to review and comply with the request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

11. Changes to this policy

We reserve the right to amend this Policy at our discretion and at any time. It is our policy to post any changes we make to this Policy on this page and, where appropriate, to notify you of them by email, notifications via the App, or by any other available means. If we make material changes to how we treat our users’ personal information, we will notify you by email to the email address specified in your account and/or through a notice on the website and/or the App.

This policy was last revised on 16 January 2023. You can view the previous versions here.

You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Websites and this privacy policy to check for any changes. We therefore encourage you to review it from time to time to stay informed about the way we are processing your data.