Privacy Policy

1. Data Controller

The data controller for your personal data is:

KEORA Health SAS
10 Rue Ternaux, 93400 Saint-Ouen, France
Email: privacy@keora.co

2. Data We Collect

We collect the following categories of personal data:

• Account data: name, email address, password (hashed), shipping address, phone number
• Transaction data: order history, payment method (we do not store full card numbers), billing address
• Health data: biometric data collected by your KEORA (see Section 3)
• Usage data: app interactions, feature usage, device information
• Communication data: support tickets, feedback, email interactions

3. Health & Biometric Data

The KEORA collects special category data (Article 9, GDPR) including:

• Heart rate and heart rate variability (HRV)
• Blood oxygen saturation (SpO2)
• Sleep phases (deep, light, REM) and sleep quality metrics
• Skin temperature variations
• Stress level indicators
• Daily activity and step count

This data is collected only with your explicit consent (Article 9(2)(a), GDPR). You can withdraw consent at any time by disconnecting your ring in the app settings.

Health data is used exclusively to:

• Generate your personalized health dashboard
• Recommend the appropriate supplement formula
• Track your wellness trends over time

We never sell your health data to third parties. We never use your health data for advertising.

4. Legal Basis for Processing

• Contract performance (Art. 6(1)(b)): processing your orders, managing your monthly delivery, delivering products
• Explicit consent (Art. 9(2)(a)): collecting and processing health/biometric data
• Legitimate interest (Art. 6(1)(f)): improving our products, preventing fraud, analytics
• Legal obligation (Art. 6(1)(c)): tax records, regulatory compliance

5. Data Sharing

We share personal data only with:

• Payment processors (Shopify Payments / Stripe) — for transaction processing
• Shipping partners — name and address for delivery
• Cloud infrastructure (EU-based servers) — for data storage and processing
• Analytics tools — anonymized/aggregated usage data only

All processors are bound by data processing agreements (DPAs) compliant with GDPR Article 28.

6. Data Retention

• Account data: retained while your account is active, plus 3 years after deletion
• Health data: retained while your account is active. Deleted within 30 days of account closure or upon request
• Transaction data: retained for 10 years as required by French tax law
• Analytics data: anonymized and retained indefinitely

7. Your Rights

Under GDPR, you have the following rights:

• Right of access (Art. 15) — request a copy of your personal data
• Right to rectification (Art. 16) — correct inaccurate data
• Right to erasure (Art. 17) — request deletion of your data
• Right to restrict processing (Art. 18)
• Right to data portability (Art. 20) — receive your data in machine-readable format
• Right to object (Art. 21) — object to processing based on legitimate interest
• Right to withdraw consent — at any time, without affecting prior processing

To exercise any right, email privacy@keora.co. We respond within 30 days.

You also have the right to lodge a complaint with the French data protection authority (CNIL): www.cnil.fr.

8. Security Measures

We implement appropriate technical and organizational measures including:

• End-to-end encryption for health data in transit and at rest
• Access controls and authentication for all systems
• Regular security audits and penetration testing
• Employee training on data protection
• Incident response procedures

9. International Transfers

All personal data is stored on servers located within the European Union. We do not transfer personal data outside the EEA unless adequate safeguards are in place (Standard Contractual Clauses or adequacy decisions per Article 45/46 GDPR).

10. Contact & DPO

For any privacy-related questions or to exercise your rights:

Data Protection Officer
KEORA Health SAS
10 Rue Ternaux, 93400 Saint-Ouen, France
Email: privacy@keora.co