SLEEP HAPPIER

Emma Up by Emma

Privacy Policy 

We are committed to continuously improve the sleep experience of individuals across the globe in a manner that respects, perseveres, and protects privacy and personal data. The protection of your personal data is important to us, and we want you to feel safe when using our app. 

This Privacy Policy (“Policy”) shall inform you about the collection, processing, and utilization of your personal data when you use the Emma Up (“app”) and services provided by Emma Sleep GmbH (“Emma Sleep”, “we” or “us”). 

Should you have any concerns or inquiries about how we are handling your personal data, you may reach out to our data protection officer by contacting us through [email protected] or by sending us a letter addressed to “Data Protection Officer”. 

1. Identity and contact details of the controller 

Controller as per the EU and UK General Data Protection Regulation (GDPR) is:

Emma Sleep GmbH

Wilhelm-Leuschner-Street 78

60329 Frankfurt on the Main

Germany

You can reach our Data Protection Officer ("DPO") through the following details:

Emma Sleep GmbH

Datenschutzbeauftragter

Wilhelm-Leuschner-Street 78

60329 Frankfurt am Main

Germany

[email protected]

2.Collection and processing of personal data

We collect and process your personal data to provide our app services to you. When visiting and using the app, your personal data which your device transmits to our server is automatically saved. In order to fulfill technical requirements for you to use the app and provide for security purposes, the following data may be saved: IP address, date and time of your visit, time zone different to Greenwich Mean Time (GMT), content of the query (specific site visited), access status / HTTP status code, amount of transferred data, operating system, device and its user interface. 

The types of data mentioned above gets processed for our legitimate interests and to ensure you a smooth and comfortable use of the app and to evaluate system security and stability, as well as for other administrative purposes. We will process these data for security reasons and for protection against intrusions under the legal basis of Art. 6(1)(f) GDPR. 

When you visit and use the app, the data mentioned above is automatically recorded without your intervention and stored until it is manually deleted. If you don’t want the above data to be collected, we will be unable to allow you access to the app without such data. 

When you download and use the app and engage in certain functions, such as registering for an account or responding to surveys and questionnaires, we may ask you to provide certain personal data, such as your username or email address, and health data (concerning your sleep habits, etc.). Please note that health data fall within the special categories of data pursuant to Article 9 of the GDPR, and that these data will only be processed on the basis of your express consent (Art. 6(1)(a) GDPR).

We also collect and process your personal data when you choose to participate in our feedback survey. If you choose to answer the feedback survey, we may ask you to provide certain personal data such as your email address. We will process these personal data to analyze and improve our services and these will be processed under the legal basis of your consent (Art. 6(1)(a) GDPR).

Technologies such as pixels and cookies are used by us and our service providers to make the app experience as user-friendly as possible and to allow you to make use of certain functions. Depending on the kind of tool or service, we use these on the legal basis of our legitimate interests (Art. 6(1)(f) GDPR) or on the basis of your consent (Art. 6(1)(a) GDPR). 

These technologies are used in analyzing app trends, usage, and demographics among others. Further information about the personal data we may collect from you varies depending on the service provider we use. The details for each service provider are listed below in section 5. 

3.Data storage and retention

We retain your personal data for no longer than is necessary for the purposes stated in this Policy. In the event we do not need your information in order to provide the service to you, we will retain it only for so long as we have a legitimate business purpose in keeping such data under applicable laws and regulations. 

We may collect, store, process, disseminate or use your personal data in a manner that causes it to be transferred to accessed from computer systems owned or operated by or on behalf of us. Your personal data may be transferred and stored in the United States of America through our service providers. 

Your personal data will be retained in accordance with local legal and regulatory requirements applicable to the country you are using the website from, and subject to our data retention obligations. We keep your personal data for the period of the user relationship with you or for the legally required period after termination of such relationship in order to defend our legal claims, to protect and enforce our rights, or to comply with laws and regulations. 

4.Your rights as a data subject 

You have the following rights under the GDPR with respect to the personal data concerning you:

• Right to access by the data subject You have the right to request information on the data we hold about you from us at any time. This information includes, but is not limited to, the categories of data we process, the purposes for which it is processed, the source of the data if not collected directly from you, and, if applicable, the recipients with whom we have shared your data. 

• Right to erasure  You have the right to demand the deletion of your personal data stored with us, unless the processing is necessary to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.

• Right to object  You have the right to object to the processing of your data at any time for reasons that arise from your particular situation, as long as data processing is based on your consent, on our legitimate interests or those of a third party. In this case, we will cease to process your data. This does not apply if we can show that there are compelling legitimate grounds for processing that outweigh your interests, or if we need your data for the establishment, exercise, or defense of legal claims.

• Right to withdraw consent  In accordance with Art. 7(3) GDPR, you have the right to revoke your consent from us at any time. As a result, we are not allowed to continue the data processing that was based on this consent in the future. 

If you feel that we have not responded in an appropriate manner to your complaints or you have further concerns, you have the right to complain to the relevant data protection authority. Depending on your location, the responsible authority for us is as follows: 

For inquiries regarding your rights as a data subject, you can direct to us through

5.Transfers and categories of recipients of personal data 

We share your personal data to our service providers to help us ensure the functionality of the app. We may also share information with our analytics service providers to help us for the optimization of the app. Within the scope of our activities and services, it may become necessary for us to disclose the personal data stored about you to natural persons, legal entities, or public authorities. We may share your personal data as described in this Policy to comply with our legal obligations and to protect and defend our rights.

To provide a smooth experience for you, we may disclose your personal data from time to time with our contracted service providers (“processor” or “processors”). We execute contracts with our service providers, to ensure that they may only process your personal data in a way that we have explicitly instructed them to do so. Furthermore, we ensure that our service providers take the necessary technical and organizational measures to process your data securely and store your personal data only for as long as necessary. 

External service providers who may receive personal data generally fall into the following categories of recipients: 

• Emma Sleep GmbH’s subsidiaries and affiliates
• IT service providers to maintain our IT infrastructure 
• Cloud providers
• Service providers for the optimization of the app services and functions 

If your personal data is processed and transferred to third countries outside the European Economic Area (“EEA”) and United Kingdom, we will ensure that your personal data is processed in accordance with your country’s data protection level. In the absence of an adequacy decision, we only transfer data to service providers from third countries that offer suitable guarantees and put the appropriate data processing agreements and standard contractual clauses in place.

To be able to run the app and provide you a seamless experience, we engaged the following service providers listed below. When you choose to use the app, we may transfer your personal data to our service providers in the United States of America, where these services are hosted. 

(1) Amazon Web Services RDS 

We use Amazon Web Services – Redshift, as our backend database and is provided by Amazon Web Services Inc., which is based in 410 Terry Ave N Seattle, WA, 98109-5210 United States, to enable services related to setup, manage and manipulate databases in cloud.

• Location of the data processing: United States of America
• Data collected: email, full name, profile picture, age, gender, sleep score (sleep quality index)
• Legal basis: Article 6(1)(f) GDPR, legitimate interest
• Retention period: Emma would keep the data from the user until the user deletes the account and reclaims to delete every data related to the profile 
• Processor’s privacy policy: 
  AWS Privacy (amazon.com)
   

You can reach out to the data protection officer of the processing company through 

(2) Amazon Web Services Cognito 

We use Amazon Web Services – Cognito, as our user data database and is provided by Amazon Web Services Inc., which is based in 410 Terry Ave N Seattle, WA, 98109-5210 United States, to enable services related to user identification and data synchronization in app.  

• Location of the data processing: United States of America
• Data collected: email, full name, profile picture
• Technologies used: cookies
• Legal basis: Article 6(1)(f) GDPR, legitimate interest 
• Retention period: Emma would keep the data from the user until the user deletes the account and reclaims to delete every data related to the profile
• Processor’s privacy policy: 
  AWS Privacy (amazon.com)
   

You can reach out to the data protection officer of the processing company through https://console.aws.amazon.com/support/home.

(3) Mixpanel

We use Mixpanel, an online analytics service provided by Mixpanel, Inc. which is based in 405 Howard Street San Francisco, CA 94105 United States, to enable services related to the operation and internal analytics and reporting of the App.

• Location of the data processing: EU
• Data collected: The type of information collected but not limited to includes personal information such as email address, location and tracking behaviors within the app such as open app, screen views and clicks.
• Technologies used: SDK, pixels, cookies
• Legal basis: Article 6(1)(f) GDPR
• Retention period: We retain personal data for as long as necessary to provide the service and fulfill the transaction you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes. Accordingly, Mixpanel’s retention periods can vary significantly based on criteria such as user expectations or consent, the sensitivity of the information, the availability of automated controls that enable users to delete data, and our legal or contractual obligations.
• Processor’s privacy policy: 
  https://www.mixpanelcom/legal/privacy-policy
     

You can reach out to the data protection officer of the processing company through 

(4) RevenueCat

We use RevenueCat which is operated by RevenueCat, Inc., which is based in 1032 E Brandon Blvd #3003 Brandon, FL 33511 United States, to enable services related to in-app subscription management. 

• Location of the data processing: United States of America
• Data collected: Identifiable contact information including a unique identifier, and purchase history which includes first purchase, re-occurring purchase. 
• Technologies used: SDK
• Legal basis: Article 6(1)(a) GDPR, consent  
• Retention period: Personal data will be retained until termination of the agreement or until requested. 
• Processor’s privacy policy: 
  https://www.revenuecat.com/privacy/
   

You can reach out to the data protection officer of the processing company through 

(5) Typeform

We use Typeform, an online form and questionnaire service provided by TYPEFORM SL which is based in Bac de Roda, 163 Barcelona 08019, to enable services related to the sleep feature of the app. 

• Location of the data processing: United States of America, European Union
• Data collected: User demographics, username, email address, sleep pain, frequency of pain, sleep data, sleep environment 
• Technologies used: Cookies
• Legal basis: Article 6(1)(a) GDPR, consent 
• Retention period: The data will be deleted as soon as it is no longer needed for the stated processing purposes. 
• Processor’s recipients of the data collected: Amazon Web Services
• Processor’s privacy policy: https://www.admin.typeform.com/to/dwk6gt?typeform-source=www.google.com  

You can reach out to the data protection officer of the processing company through 

(6) Mailchimp

We use Mailchimp, a customer relationship management tool provided by The Rocket Science Group, LLC which is based in 675 Ponce de Leon Ave NUE Suit 5000 Atlanta, GA 30308, for email marketing purposes such as product feedback and newsletters. 

• Location of the data processing: United States of America
• Data collected: Name, email address, open rates on email, email clicks 
• Technologies used: Cookies
• Legal basis: Article 6(1)(a) GDPR, consent 
• Retention period: The data will be deleted as soon as it is no longer needed for the stated processing purposes. 
• Processor’s recipients of the data collected: Akamai, Amazon, CodeScience, E-Hawk, El Camino, Finc3, FiveTran, Google, Looker, Percona, R.R. Donnelley, SC Wedis Company SRL, Slack, TaskUs, TaxJar, Two Bulls, Tyrannosaurus Tech, Vextras LLC, Zendesk
• Processor’s privacy policy: 
  https://www.intuit.com/privacy/statement/
   

You can reach out to the data protection officer of the processing company through 

(7) OneSignal

We use OneSignal, an online messaging service provided by OneSignal, Inc., which is based in 2850 S Delaware St Suite 201, San Mateo, CA 94403, to enable services related to in-app messages. 

• Location of the data processing: European Union
• Data collected: Unique ID (randomized unidentifiable), sleep data (e.g. chronotype), user programID, user app engagement (e.g. session duration, time stamp), purchases within the app, information about end user’s transactions and interactions with the app, mobile device or account identifiers (these mobile IDs may be associated with other information such as data segments), precise location information – generally an end user’s lat/long data (e.g. GPS-level data) or WiFi information which we may associate with mobile IDs and which may be collected whether or not an app is in use (location information is only collected if the user has granted permission to the App to collect this and if the App chooses to send this data to OneSignal), information associated with or related to devices such as device type (e.g. mobile, tablet); type and version of operating system (e.g. Android, iOS); network provider; mobile browser (e.g. Safari, Chrome, etc.); language setting; time zone; and network status type. 
• Technologies used: SDK
• Legal basis: Article 6(1)(a) GDPR, consent 
• Retention period: Emma will keep the data from the user until the user deletes the account and reclaims to delete every data related to the profile. Messages sent through OneSignal’s API and Automation are kept around for 30 days before being removed from OneSignal’s servers. All User Data and Messages sent through the OneSignal Dashboard are kept for the lifetime of the OneSignal App unless manually deleted. The Notification History is available for seven (7) days and includes the list of devices that were sent or clicked the push.  
• Processor’s recipients of the data collected:

• Processor’s privacy policy:

  https://onesignal.com/privacy_policy
   

You can reach out to the data protection officer of the processing company through 

(7) Pixel

We use Facebook Pixel, a tracking technology offered by Meta Platforms Ireland Ltd., which is based in 4 Grand Canal Harbour, Dublin, D02, Ireland, to enable tracking and analytics within the App.  

• Location of the data processing: European Union  
• Data collected: Ads viewed, content viewed, device information, geographic location, HTTP-header, interactions with advertisement, services and products, IP address, items clicked, marketing information, pages visited, pixel ID, referrer URL, usage data, user behavior, Facebook cookie information, Facebook user ID, usage/click behavior, browser information, device operating system, device ID, user agent, browser type, cookie from Facebook used for website analytics, ad targeting and ad measurement 
• Technologies used: Cookies, pixel  
• Purpose of data processing: Analytics, marketing, retargeting, advertisement, conversion tracking, personalization  
• Legal basis: Article 6(1)(a) GDPR, consent  
• Retention period: User’s interactions tracked on websites will not be stored longer than for two (2) years. However, the data will be deleted as soon as they are no longer needed for the processing purposes. Maximum age of cookie storage is one (1) year.  
• Transfer to Third Countries: Singapore, United States of America, Worldwide 
• Processor’s recipients of the data collected: Meta Platforms Ireland Ltd., Meta Platforms Inc. 
• Processor’s privacy policy: 
  https://facebook.com/privacy/explanation

You can reach out to the data protection officer of the processing company through 

6.Contact Form and Newsletters

When you choose to subscribe we will send you newsletters by e-mail containing promotional information. Our newsletters may contain sleep tips, results of your sleep habits, information about our products, offers, editorial content, and articles about our company.

 To subscribe to the newsletter, it is sufficient to enter your email address. The provision of further personal data is voluntary and will be used to address you personally. After your registration, we will save your email address for the purpose of sending the newsletter. The purpose of this procedure is to be able to prove your registration, and if necessary, clarify any possible misuse of your personal data.

 To stop receiving the newsletter, you can withdraw your consent to or object to receiving the same at any time, by clicking the unsubscribe link provided in every newsletter or by sending a data subject request to 

 If you contact us via email or other channels, the information you provide will be processed for the purpose of processing the request and in the event that follow up questions arise. The contact form is an additional service form us to enable you to contact us easily. The personal data collected by us in this context will be deleted when the issue associated with the contact has been completely clarified and it is not to be expected that the specific contact will become relevant again in the future, unless there are applicable statutory retention requirements.

7.Third Party Terms and Conditions 

Our Privacy Policy does not apply to products and services offered by a third party. Our products and services may include third parties’ products, services, and links to third parties’ websites. When you use such services, they may collect your personal data. As such, we recommend reading the processors’ privacy policies linked above. 

8.Updates to this Privacy Policy

We keep this Privacy Policy under regular review and may update this Privacy Policy from time to time to reflect the changes in our services. We encourage you to read and/or review this Privacy Policy periodically for the latest updates on our privacy practices.