Emma Up by Emma - Privacy Policy

We are committed to continuously improving the sleep experience of individuals across the globe in a manner that respects, preserves, and protects the privacy and personal data of our users. The protection of your personal data is important to us, and we want you to feel safe when using our services.

This Privacy Policy shall inform you about the collection, processing, and disclosure of your personal data when you use the Emma Up App and related services (collectively, the “App”) provided by Emma Sleep GmbH (“Emma Sleep”, “we” or “us”).

Should you have any concerns or inquiries about how we are handling your personal data, you may reach out to our data protection officer by contacting us through aurora@emma-sleep.com or by sending us a letter addressed to “Data Protection Officer”.

1. Identity and contact details of the controller

The primary controller of your personal data is Emma Sleep GmbH, based at Wilhelm-Leuschner-Str. 78, 60329 Frankfurt am Main, Germany.


2. Information we collect and process

When you use the App, we collect and process certain personal data to provide our services to you, including personal data you provide to us and personal data that we collect automatically. You may choose not to provide certain information, but doing so may prevent you from using the App or accessing certain features. The personal data we collect about you includes:

  • App usage information: When you visit and use the App, we automatically collect certain information that your device transmits to our server. The following data may be collected and saved as necessary to satisfy the technical requirements of the App and for security purposes: IP address, date and time of your visit, time zone difference to Greenwich Mean Time (GMT), content of the query (specific site visited), access status / HTTP status code, amount of transferred data, operating system, device and its user interface. We process this information because it is in our legitimate interests to ensure the App operates properly and smoothly, to evaluate system security and stability and protect against intrusions, and to fulfill other administrative purposes. If you don’t want the above data to be collected, we will be unable to allow you access to the App.
  • Account information: When you download and use the App and engage in certain functions, such as registering for an account or responding to surveys and questionnaires, we may ask you to provide certain personal data, such as your username or email address.
  • Health data: When using the app, we collect and process certain health-related data, such as your sleep habits, sleep goals, etc. If you are an EU resident, please note that health data falls within the special categories of data pursuant to Article 9 GDPR, and that these data will only be processed on the basis of your express consent (Art. 6(1)(a) GDPR).
  • Feedback survey information: We also collect and process your personal data when you choose to participate in our feedback survey. If you choose to answer the feedback survey, we may ask you to provide certain personal data such as your email address, information regarding your experience using the App, and your opinions on the quality of the App and suggestions for improving the App. We process this personal data to analyze and improve our services, based on your consent.
  • Geo-location: We may collect and process the country in which you are located as well as your approximate location. We may also collect and process your precise location if you choose to share it with us or when you manually input your location in the App.
  • Payment information: We do not collect any credit card information. However, when you choose to subscribe to our App, we will collect responses from our trusted payment service providers. Depending on your chosen payment method, this may include verification data and a subscription ID.

Where we do not ask for your consent, we may also process the above information based on our legitimate interests to: (i) provide, improve, and develop our App, (ii) communicate with you and address your inquiries, and (iii) measure and improve our advertising and marketing.

Technologies such as pixels and cookies are used by us and our service providers to make the App experience as user-friendly as possible and to allow you to make use of certain functions. Depending on the kind of tool or service, we use these on the legal basis of our legitimate interests to ensure the App operates smoothly and fulfill other administrative purposes or on the basis of your consent.

These technologies are used to analyze App trends, usage, and demographics, among other things. The personal data we may collect from you varies depending on the service provider we use. The details for each service provider are listed below in Annex 1.


3. Data storage and retention

We retain your personal data for no longer than is necessary for the purposes stated in this Policy. In the event we do not need your information in order to provide the service to you, we will retain it only for so long as we have a legitimate business purpose in keeping such data under applicable laws and regulations.

We may collect, store, process, disseminate or use your personal data in a manner that causes it to be transferred to or accessed from computer systems owned or operated by or on behalf of us. Your personal data may be transferred and stored in the United States of America through our service providers.

Your personal data will be retained in accordance with the legal and regulatory requirements applicable to your personal data (which is typically the requirements in the country from which you are using the App), and subject to our data retention obligations. We keep your personal data for the period of the user relationship with you or for as long as reasonably necessary for the purposes specified in this Privacy Policy, based on various criteria we take into consideration, including whether we need the information to provide you the Services, resolve a dispute, enforce our contractual agreements, defend against legal claims, protect and enforce our rights, or to comply with laws and regulations.


4. Your rights as a data subject

Depending on your location and subject to local law, you have the following rights under the applicable data protection laws with respect to the personal data concerning you:

  • Right to access by the data subject

You have the right to request information on the data we hold about you from us at any time. This information includes, but is not limited to, the categories of data we process, the purposes for which it is processed, the source of the data if not collected directly from you, and, if applicable, the recipients with whom we have shared your data.

  • Right to erasure

You have the right to request the deletion of your personal data stored with us, unless the processing is necessary to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.

  • Right to object

You have the right to object to the processing of your data at any time for reasons that arise from your particular situation, as long as data processing is based on your consent, on our legitimate interests or those of a third party. In this case, we will cease to process your data. This does not apply if we can show that there are compelling legitimate grounds for processing that outweigh your interests, or if we need your data for the establishment, exercise, or defense of legal claims.

  • Right to withdraw consent

You have the right to revoke your consent from us at any time. As a result, we are not allowed to continue the data processing that was based on this consent in the future.

If you feel that we have not responded in an appropriate manner to your complaints or you have further concerns, you have the right to complain to the relevant data protection authority. Depending on your location, the responsible authority for us is as follows:

COUNTRY - DATA PROTECTION AUTHORITY 

For inquiries regarding your rights as a data subject, you can direct them to us through aurora@emma-sleep.com or by post to the Controller’s postal address.


5. Transfers and categories of recipients of personal data 

 

To provide a smooth app experience for you, we may disclose your personal data from time to time to our contracted service providers (“processor” or “processors”). We execute contracts with our service providers to ensure that they may only process your personal data in the way that we have explicitly instructed them to. Furthermore, we ensure that our service providers take the necessary safeguards to process your data securely and store your personal data only for as long as necessary.

We may disclose your personal data to third parties as described in this Privacy Policy, including:

  • With service providers and vendors (including data analytics vendors, payment processors, security vendors, and website hosting vendors) that assist us in providing the App to you. Service providers who may receive personal data generally fall into the following categories of recipients: IT service providers (to maintain our IT infrastructure), cloud providers, payment service providers, and service providers who help optimize the App services and functions.

  • For legal and security reasons and to protect our services and business, in our legitimate interests or as required by law. We will share your information with regulators, law enforcement agencies, public authorities, or any other relevant organisations: to comply with applicable law or obligations thereunder, including cooperation with law enforcement, judicial orders, and regulatory inquiries; to protect the interests of, and ensure the safety and security of, us, our users, a third party or the public; to exercise or defend legal claims; and to enforce our terms and conditions or other agreements.

  • With our affiliates and subsidiaries or otherwise within our corporate group, in our legitimate interests.  

  • With a prospective buyer, seller, new owner, or other relevant third party in connection with or anticipation of an asset sale or purchase, a share sale, purchase or merger, bankruptcy, or other business transaction or re-organisation (including while negotiating or in relation to a change of corporate control), in our legitimate interests. 

If your personal data is processed and transferred to third countries outside your country, we will take all steps reasonably necessary to ensure that your personal data is processed in accordance with your country’s data protection requirements. In the absence of an applicable adequacy decision, we only transfer data to third parties from third countries that offer suitable guarantees and put the appropriate safeguards in place, such as standard contractual clauses.

Further information about the service providers we engage is in the Annex of this Privacy Policy.


6. Contact Form and Newsletters 

When you choose to subscribe, we will send you newsletters by e-mail containing promotional information. Our newsletters may contain sleep tips, results of your sleep habits, information about our products, offers, editorial content, and articles about our company. 

To subscribe to the newsletter, it is sufficient to enter your email address. The provision of further personal data is voluntary and will be used to address you personally. After your registration, we will save your email address for the purpose of sending the newsletter. The purpose of this procedure is to be able to prove your registration, and if necessary, clarify any possible misuse of your personal data. 
To stop receiving the newsletter, you can withdraw your consent to or object to receiving the same at any time, by clicking the unsubscribe link provided in every newsletter or by sending a data subject request to aurora@emma-sleep.com.

If you contact us via email or other channels, the information you provide will be processed for the purpose of processing the request and in the event that follow-up questions arise. The contact form is an additional service from us to enable you to contact us easily. The personal data collected by us in this context will be deleted when the issue associated with the contact has been completely clarified and it is not to be expected that the specific contact will become relevant again in the future, unless there are applicable statutory retention requirements.


7. Third Party Terms and Conditions  

Our Privacy Policy does not apply to products and services offered by a third party. Our products and services may include third parties’ products, services, and links to third parties’ websites. When you use such services, they may collect your personal data. As such, we recommend reading the processors’ privacy policies linked above.  


8. Updates to Privacy Policy

We keep this Privacy Policy under regular review and may update this Privacy Policy from time to time to reflect the changes in our services. We encourage you to read and/or review this Privacy Policy periodically for the latest updates on our privacy practices.  

 

ANNEX 1 – App Service Providers 

To be able to run the app and provide you with a seamless experience, we engage the following service providers:  

Amazon Web Services RDS 

We use Amazon Web Services – Redshift as our backend database, which is provided by Amazon Web Services Inc., located at 410 Terry Ave N Seattle, WA, 98109-5210 United States, to enable services related to setting up, managing and manipulating databases in the cloud. You can reach out to the data protection officer of this service provider through https://console.aws.amazon.com/support/home
  • Legal Basis: Legitimate Interest 

  • Data Collected: email address, full name, profile picture, age, gender, sleep score (sleep quality index) 

  • Retention Period: Data is kept until the user deletes their account and requests that their data be deleted

  • Location of Processing: USA 

Amazon Web Services Cognito 

We use Amazon Web Services – Cognito as our user data database, which is provided by Amazon Web Services Inc., located at 410 Terry Ave N Seattle, WA, 98109-5210 United States, to enable services related to user identification and data synchronization in the App. You can reach out to the data protection officer of this service provider through https://console.aws.amazon.com/support/home

  • Legal Basis: Legitimate Interest 

  • Technologies Used: Cookies 

  • Data Collected: Email address, full name, profile picture 

  • Retention Period: Data is kept until the user deletes their account and requests that their data be deleted

  • Location of Processing: USA 

Mixpanel

We use Mixpanel, an online analytics service provided by Mixpanel, Inc., which is located at 405 Howard Street San Francisco, CA 94105 United States, to enable services related to the operation and internal analytics and reporting of the App. You can reach out to the data protection officer of this service provider through dpo@mixpanel.com. 

  • Legal Basis: Consent 

  • Technologies Used: SDK, cookies, pixels 

  • Data Collected: The type of information collected includes, but is not limited to, personal information such as email address, location and tracking behaviors within the App such as open app, screen views and clicks 

  • Retention Period: We retain personal data for as long as necessary to provide the service and fulfill the transaction you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes. Accordingly, Mixpanel’s retention periods can vary significantly based on criteria such as user expectations or consent, the sensitivity of the information, the availability of automated controls that enable users to delete data, and our legal or contractual obligations 

  • Location of Processing: EU 

RevenueCat 

We use RevenueCat which is operated by RevenueCat, Inc., located at 1032 E Brandon Blvd #3003 Brandon, FL 33511 United States, to enable services related to in-app subscription management. You can reach out to the data protection officer of this service provider through compliance@revenuecat.com 

  • Legal Basis: Legitimate Interest 

  • Technologies Used: SDK 

  • Data Collected: Identifiable contact information including a unique identifier, and purchase history which includes first purchase, re-occurring purchase 

  • Retention Period: Personal data will be retained until termination of the agreement or until requested 

  • Location of Processing: USA 

Typeform 

We use Typeform, an online form and questionnaire service provided by TYPEFORM SL which is located at Bac de Roda, 163 Barcelona 08019, to enable services related to the sleep feature of the App. You can reach out to the data protection officer of this service provider through dpo@typeform.com 

  • Legal Basis: Legitimate interest 

  • Data Collected: User demographics, username, email address, sleep pain, frequency of pain, sleep data, sleep environment 

  • Retention Period: The data will be deleted as soon as it is no longer needed for the stated processing purposes 

  • Location of Processing: USA, EU 

Mailchimp 

We use Mailchimp, a customer relationship management tool provided by The Rocket Science Group, LLC located at 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308, for email marketing purposes such as product feedback and newsletters. You can reach out to the data protection officer of this service provider through privacy@mailchimp.com

  • Legal Basis: Consent 

  • Technologies Used: Cookies 

  • Data Collected: Name, email address, open rates on email, email clicks 

  • Retention Period: The data will be deleted as soon as it is no longer needed for the stated processing purposes 

  • Location of Processing: USA 

OneSignal 

We use OneSignal, an online messaging service provided by OneSignal, Inc., located at 2850 S Delaware St Suite 201, San Mateo, CA 94403, to enable services related to in-app messages. You can reach out to the data protection officer of this service provider through privacy@onesignal.com 

  • Legal Basis: Consent 

  • Technologies Used: SDK 

  • Data Collected: Unique ID (randomized unidentifiable), sleep data (e.g. chronotype), user programID, user app engagement (e.g. session duration, time stamp), purchases within the app, information about end user’s transactions and interactions with the app, mobile device or account identifiers (these mobile IDs may be associated with other information such as data segments), precise location information – generally an end user’s lat/long data (e.g. GPS-level data) or WiFi information which we may associate with mobile IDs and which may be collected whether or not an app is in use (location information is only collected if the user has granted permission to the App to collect this and if the App chooses to send this data to OneSignal), information associated with or related to devices such as device type (e.g. mobile, tablet); type and version of operating system (e.g. Android, iOS); network provider; mobile browser (e.g. Safari, Chrome, etc.); language setting; time zone; and network status type 

  • Retention Period: We keep the user's data until the user deletes the account and requests deletion of all data related to the profile. Messages sent through OneSignal’s API and Automation are kept around for 30 days before being removed from OneSignal’s servers. All user data and messages sent through the OneSignal Dashboard are kept for the lifetime of the OneSignal App unless manually deleted. The notification history is available for seven (7) days and includes the list of devices that were sent or clicked the push

  • Location of Processing: EU 

Bugsnag 

We use Bugsnag, offered by SmartBear Software Inc., located at 450 Artisan Way Somerville, MA 02145, for services related to error reporting within the App. You can reach out to the data protection officer of this service provider through

 

  • Legal Basis: Legitimate Interest 

  • Technologies Used: Cookies, local storage, web beacons, pixel tags, analytic tools 

  • Data Collected: IP address, Pages visited, Browser information, Selected personal information, ID-identified information, Cookie identifiers, Mobile advertising identifiers, Media Access Control (MAC) address, Mobile device's unique identifier, International Mobile Equipment Identity, Platform cookie ID, Frequency and duration of activities, User agent, Device identifier, Geographic location, Browser language, Hardware type, Device operating system, Internet Service Provider, Preferences, Information from third party sources 

  • Retention Period: The data is retained as long as necessary to fulfill the purpose(s) for which it was collected 

  • Location of Processing: USA 

Google Firebase 

We use Google Firebase, offered by Google LLC, which is based in 1600 Amphitheatre Parkway Mountain View, CA 94043 United States, for services related to tracking analytics, reporting, and app functionality such as changing the behavior and appearance of the app without requiring users to download an app update. You can reach out to the data protection officer of this service provider through https://firebase.google.com/support/privacy/dpo. 

  • Legal Basis: Legitimate Interest 

  • Technologies Used: Cookies 

  • Data Collected: IP address, attestation material from supported attestation providers, app check tokens from successful attestations, users’ names, email addresses, iOS UDIDs, secure Android IDs, Firebase installation IDs, phone numbers, passwords, user agents, Crashlytics Installation UUIDs, crash traces, breakpad minidump formatted data, device specs, uploaded images, installation auth tokens. Further information can be found through https://firebase.google.com/support/privacy#data_processing_information

  • Retention Period: Cloud Functions only saves IP addresses temporarily, to provide the service. Installation auth tokens remain valid until their expiration date. The default token lifetime is one week. Performance Monitoring keeps installation and IP-associated events for 30 days and de-identified performance data for 90 days. Firebase retains Firebase installation IDs until the Firebase customer makes an API call to delete the ID. After the call, data is removed from live and backup systems within 180 days. Further information on Firebase retention periods can be accessed through: https://firebase.google.com/support/privacy

Facebook SDK 

We use Facebook SDK, offered by Meta Platforms, Inc., located at 1601 Willow Road Menlo Park, CA 90425, to enable the integration of the App with Facebook and measuring the success of marketing campaigns, targeting and sending app events. You can reach out to the data protection officer of this service provider through https://www.facebook.com/help/contact/507739850846588. 

  • Legal Basis: Consent 

  • Technologies Used: SDK 

  • Data Collected: Ads viewed, content viewed, device information, geographic location, HTTP-header, interactions with advertisement, services and products, IP address, items clicked, marketing information, pages visited, pixel ID, referrer URL, usage data, user behavior, Facebook cookie information, Facebook user ID, usage/click behavior, browser information, device operating system, device ID, user agent, browser type, cookie from Facebook used for website analytics, ad targeting and ad measurement, app events 

  • Retention Period: User’s interactions tracked in the app will not be stored longer than for two (2) years. However, the data will be deleted as soon as they are no longer needed for the processing purposes. Maximum age of cookie storage is one (1) year 

Sentry 

We use Sentry, offered by Functional Software, Inc. d/b/a Sentry, for services related to error reporting within the App. You can reach out to the data protection officer of this service provider through legal@sentry.io 

  • Legal Basis: Legitimate Interest 

  • Technologies Used: Mobile SDKs 

  • Data Collected: Personal data that is submitted by the App, which may include IP address, email address, and other types of identifiable data configured by the App 

  • Retention Period: The data is retained as long as necessary to fulfill the purpose(s) for which it was collected 

  • Location of Processing: USA 

  • Service Provider’s Privacy Policy: https://sentry.io/privacy   

Appsflyer 

We use Appsflyer, a marketing attribution tool provided by AppsFlyer Ltd. You can reach out to the data protection officer of this service provider through privacy@appsflyer.com 

  • Legal basis: Consent 

  • Technologies used: mobile SDKs 

  • Data collected: Browser type, device type and model, CPU, system language, memory, OS version, Wi-Fi status, time stamp and zone, device motion parameters and carrier, IDFA, Android ID, Google Advertiser ID, app ID, IP address, user agent, clicks on customer ads, ad impressions viewed, audiences or segments to which an ad campaign is attributed, the type of ads and the webpage or application on which such ads were displayed, webpages on Emma’s website visited by the app user, the URL from the referring website, downloads and installations of applications, other interactions, events and actions Emma chose to measure and analyze within the App (e.g. in-app purchases, clicks, engagement time, etc.)

  • Retention period: The data will be deleted as soon as it is no longer needed for the stated processing purposes 

  • Location of the data processing: USA, EU 

Nami ML 

We use NamiML, which is operated by [x], for services related to payment for the app. You can reach out to their data protection officer through privacy@namiml.com 

  • Legal Basis: Legitimate Interest 

  • Technologies Used: Payment paywall 

  • Data Collected: Name, email address, commercial history (purchases made through NamiML), phone number, debit or credit card information 

  • Retention Period: Data deleted upon request. NamiML may retain the data required to audit invoices for up to two (2) years 

  • Location of Processing: USA 

Stripe 

We use Stripe, which is operated by Stripe Payments Europe Limited (“SPEL”) and Stripe Technology Europe Limited (“Stripe PSP”), for payment processing, analytics, and other business services. Stripe collects transaction and personally identifying information, which it analyses and uses to operate and improve the services it provides to us, including for fraud detection. You can learn more about Stripe and read its privacy policy here.

  

In the event that we have access to any Verification Data as part of Stripe Identity Services, we will do so in accordance with the following: 

  • Emma and Stripe are independent controllers of the Verification Data;

  • Stripe will process the Verification Data in accordance with Stripe’s Privacy Policy and Stripe’s Identity Terms;

  • Verifiable Individuals can submit data subject requests (including data deletion and data access) by sending an email to aurora@emma-sleep.com;

  • We will only use Verification Data to validate and process your in-app payment, and to comply with applicable legal obligations;

  • In accordance with California Consumer Privacy Act (“CCPA”), we will not sell your Verification Data; and

  • If required under applicable laws, we may conduct alternative verification methods in case you do not consent to be verified by the Stripe Identity Services.

 

By using Stripe, we may transmit Verification Data outside of our jurisdiction, including to the United States, and the Verification Data may be submitted to third-party service providers, including government authorities, for the purpose of verifying the identity of the Verifiable Individual.