OTO.COACH INC. PRIVACY NOTICE
[Last Updated: October 16, 2023]
OTO.Coach Inc (“OTO”) offers powerful sensor hardware and cloud-based software designed to assess your personal physiological state and offer you related insights based on OTO’s proprietary algorithms. As this process involves the collection of sensitive data and information, OTO is committed to protecting the privacy and security of your personal data.
To that end, this privacy notice (the “Privacy Notice”) explains how we collect, use and disclose data and information relating to you as an identified or identifiable natural person (“Personal Data”), as informed by the General Data Protection Regulation of the European Union (EC-2016/679) (the “GDPR”), or any other applicable statute or regulations where Services are being provided.
This Privacy Notice applies when you (1) visit our website <https://oto.coach/> (the “Website”), (2) use our applications (including mobile applications or APIs) to assess your physiology (collectively the “Services”), or (3) otherwise contact us or agree to receive communications from us.
However, this Privacy Notice does not apply to:
- Personal Data collected by third parties during your communications/dealings with those third parties or your use of their products or services (for example, where you follow links to third party websites over which we have no control).
- Anonymized data that is generated from your Personal Data connected to your use of the Services, and then relayed on to OTO for aggregation, research, development, or analytics purposes.
1. Collection of Personal Information
We collect different categories of Personal Data from or through the Services. We collect administrative Personal Data when you register for an account, request a demo, or contact us about Services. Some categories relate to your personal biometrics because that is the core function of the Services.
Specifically, collected categories of Personal Data may include:
- Your name, date of birth, gender, height, and weight.
- Your contact information, including email and telephone number, along with your username and password if you are setting up an account.
- Your physiological data, such as electrocardiography and/or DC potential data collected by your OTO sensor and transmitted to your mobile device while you use the Services (“Physiological Data”, which is a subset of your Personal Data). This Physiological Data is essential for us to collect to provide you with the core functionalities of the Services.
- Any data and content you directly transmit to our Services or that is otherwise made available via the Services, including messages you send, communications, documents, or anything else you enter or upload into the Services.
- Telemetry data, i.e. information we collect that tells us how our Services are performing and being used (e.g. information about when and how long Services are used, which features are accessed, and other details gathered related to usage, authentication, diagnostics, errors encountered, or the condition of any hardware device(s) and the Services when an error occurred, etc.).
We need to process your Personal Data to provide and improve our Services, and that processing is carried out for OTO’s legitimate business purposes, which are further explained in the “Use and Communication of Personal Information” section. We may also collect Personal Data for specific purposes when we ask for it and make those purposes clear.
Sometimes, we may ask for your specific consent to collect, use or share your Personal Data for unique purposes, and we will contact you to explain those circumstances and request permission when that happens.
Collection by OTO Partners
As they are based on collection of Physiological Data via sensors on body-worn hardware, OTO’s Services by nature collect Personal Data and Physiological Data to provide physiological insights into your functional state as part of the Services.
Your Personal Data may be collected when your designated OTO service provider enters data about you into the Services. We will only do this when you have granted your service provider consent to collect and use your Personal Data in order to receive the Services. Should you not have granted such consent, please contact us urgently so that we may take steps to cease processing your Personal Data.
If, as an OTO partner, you choose to integrate our Services into your product or application for your own commercial uses, and those uses will involve Personal Data or Physiological Data of your end users being collected as part of the Services, then you acknowledge and agree that you are solely responsible for all such data. As such, you will be the one required to obtain valid consents to collect Personal Data from any end users in connection with your use of our Services.
Again, this Privacy Notice does not cover the circumstances when we are acting as data processor for you in your capacity as a data controller as understood in the GDPR.
Data Automatically Collected (Cookies)
We automatically collect certain types of usage data when you visit our Website or use our Services. When you visit the Website, we may send one or more cookies — a small text file containing a string of alphanumeric characters — to your computer that uniquely identifies your browser and lets us help you log in faster and enhance your navigation through the site.
- A cookie may also convey information to us about how you use the Website or Services (e.g. the pages you view, the links you click, how frequently you access the Services, and other actions you take on the Services), and allow us to track your usage of the Services over time.
- We may collect log file information from your browser or mobile device each time you access the Services. Log file information may include anonymous information such as your web request, Internet Protocol (“IP”) address, browser type, information about your mobile device, referring/exit pages and URLs, number of clicks and how you interact with links on the Services, domain names, landing pages, pages viewed, and other such information.
- We may employ clear gifs (also known as web beacons) which are used to anonymously track the online usage patterns of our users. In addition, we may also use clear gifs in HTML-based emails sent to our users to track which emails are opened and which links are clicked by recipients. The information allows for more accurate reporting and improvement of the Services.
- We may also collect analytics data, or use third-party analytics tools, to help us measure traffic and usage trends for the Services. These tools collect information sent by your browser or mobile device, including the pages you visit, your use of third party applications, and other information that assists us in analyzing and improving the Services.
2. Use and Disclosure of Personal Data
We use and disclose your Personal Data mainly: (i) to identify you as a member of OTO; (ii) to provide the relevant Services; (iii) to improve the quality of OTO Website and Services; (iv) to investigate and settle issues you may have; (v) to follow up on any questions or requests for assistance or information; (vi) to communicate with you; and (vii) to comply with legal and regulatory requirements, where applicable.
Importantly, the above uses do not apply to Physiological Data: to be clear, OTO only uses your Physiological Data to the extent necessary to provide the Services to you or the OTO partner you are connected to. However, we may anonymize and aggregate your Physiological Data for research and development purposes (such as to improve the predictive capabilities of the OTO algorithm).
When processing your Personal Data – excluding your Physiological Data – OTO may need to share it with third parties (including its related group of companies) as set out below:
- With third parties assisting OTO in providing our Customers with the Services (“Sub-Processors”). Our Sub-Processors are given access to your account and Personal Data only as reasonably necessary to provide the Services, and will be subject to confidentiality obligations in our contracts with them;
- With third party payment processors who process your credit card and other payment information for OTO but who are otherwise not permitted to store, retain or use your Personal Data;
- With third-party social media networks, advertising networks and websites;
- With professional advisers to the extent necessary to advise and assist us in relation to the lawful and effective management of our organization, and in relation to any disputes we may become involved in;
- With law enforcement, or governmental and regulatory agencies, as required by applicable laws or regulations, including to assist with investigations or to defend our legal rights;
- With corporate entities that we will acquire in the future when they are made part of the OTO group, or if we are involved in a merger, acquisition, reorganization or other fundamental corporate change with a third party and need to share Personal Data as part of due diligence.
When we disclose your Personal Data to third parties, we take reasonable measures to ensure that this Privacy Notice is complied with, and that these third parties provide sufficient guarantees to implement appropriate technical and organizational measures to safeguard your Personal Data.
3. Processing and Security of Personal Data
a) Data Processing and Transfers
When we say we “process” Personal Data, we are talking about any operation (or set of operations) that is performed on your Personal Data, whether or not by automatic means, such as: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, blocking, erasure, or destruction.
Your Personal Data may be stored or processed in any country where we have facilities or where we engage service providers. By using our Website and Services, you consent to the transfer of information to countries outside your country of residence, including the United States, the United Kingdom, the European Economic Area (“EEA”), and in other countries where third parties that we may use are based, which may have different data protection rules than in your country of residence.
While such information is outside of Canada, it is subject to the laws of the country in which it is held, and may be subject to disclosure to the governments, courts or law enforcement or regulatory agencies of such other country, pursuant to the laws of such country. However, our internal practices regarding your Personal Data will at all times continue to be governed by this Privacy Notice and, if applicable, we will comply with the GDPR requirements providing adequate protection for the transfer of Personal Data from the EU/EEA to third countries.
When making any transfers of Personal Data to countries that do not have the same degree of data protection oversight as the GDPR, we will comply with our legal and regulatory obligations in relation to your Personal Data, including having a lawful basis for transferring Personal Data and putting appropriate safeguards in place to ensure an adequate level of protection for the Personal Data. We will take reasonable steps to ensure the security of your Personal Data in accordance with applicable data protection laws.
Where we use certain service providers, we may use specific, standardized contracts approved by data protection authorities that give Personal Data essentially the same degree of protection as it has under the GDPR.
b) Data Security
OTO has implemented various physical, administrative, and technical safeguards designed to protect the confidentiality and security of Personal Data under our control. Our safeguards, as implemented, are periodically reviewed as part of internal and external audits.
We take all reasonable precautions to ensure that OTO’s employees and contractors who have been specifically granted access to Personal Data (including Physiological Data) have received proper training to ensure that they handle Personal Data only in accordance with this Privacy Notice (and with our obligations under applicable laws).
However, no security measures are absolute or wholly guaranteed, and you must be aware that there is always a certain level of risk that the Personal Data you provide to us will be accessed or disclosed without your consent and without fault on the part of OTO. If you believe your Personal Data has been compromised, please contact us as set forth in the “Contact Person” section. If we learn of a security systems breach, we will follow our incident response procedures, and will also inform you and the authorities of the occurrence of the breach if and as required by applicable law.
c) Data Retention
We will only keep your Personal Data for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations. After that time, we will delete it. If you would like further information regarding the periods for which your Personal Data will be kept, please contact us as set forth in the “Contact Person” section.
4. Rights Regarding Personal Information
You have many rights when it comes to accessing or correcting your Personal Data that is stored with us:
- On written request (and subject to proof of identity), you may access the Personal Data that we hold and ask that any necessary corrections be made, where applicable, to the extent authorized or required by law. Please inform us immediately of any change in your Personal Data by e-mail.
- Under the GDPR and other data protection laws, you may be entitled to specific rights, including:
  - the right to withdraw consent to processing (where consent is the basis of processing);
  - the right to access your Personal Data and certain other supplementary information, under certain conditions;
  - the right to object to unlawful data processing, under certain conditions;
  - the right to erasure of Personal Data about you, under certain conditions;
  - the right to demand that we restrict processing of your Personal Data, under certain conditions, if you believe we have exceeded the legitimate basis for processing, processing is no longer necessary, or believe your Personal Data is inaccurate;
  - the right to data portability of Personal Data that you provided us in a structured, commonly used, and machine-readable format, under certain conditions;
  - the right to object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you, under certain conditions;
  - the right to lodge a complaint with data protection authorities.
If you have any questions about asserting these rights, please contact us using the contact information below. Keep in mind that if you choose to restrict our collection, use, or disclosure of your Personal Data as described in this Privacy Notice, we may not be able to properly provide you the Services, and reserve the right to refuse to provide you with the Service if that is the case.
5. Children’s Privacy
The Services are not directed to children under the age of 16, and we do not knowingly collect Personal Data from children under the age of 16 without obtaining verifiable parental consent. If we learn that Personal Data has been collected on the Services from persons under 16 years of age and without verifiable parental consent, then we will take the appropriate steps to delete this information. If you are a parent or guardian and discover that your child under 16 years of age has provided Personal Data, then you may alert us as set forth in the “Contact” section and request that we delete that child’s Personal Data from our systems.
6. Updates to Privacy Notice
We will update this Privacy Notice from time to time to reflect changes to our practices, technologies, legal requirements and other factors. When changes are made to this Privacy Notice, they will become immediately effective when published. For major changes to this Privacy Notice, we will contact you about the changes. Your use of the Website and Services following these changes indicates your consent to the practices described in the updated Privacy Notice.
If you have any concerns about our practices or policies in this Privacy Notice, or want to make an access or correction request, exercise any applicable rights, make a complaint, or obtain information about our privacy practices, we can be reached as follows:
5-45B, West Wilmot Street, Richmond Hill, ON, L4B 2P3