SLEEP HAPPIER
We are committed to continuously improving the sleep experience of individuals across the globe in a manner that respects, preserves, and protects the privacy and personal data of our users. The protection of your personal data is important to us, and we want you to feel safe when using our services.
This Privacy Policy shall inform you about the collection, processing, and disclosure of your personal data when you use the Emma Up App and related services (collectively, the “App”) provided by Emma Sleep GmbH (“Emma Sleep”, “we” or “us”).
Should you have any concerns or inquiries about how we are handling your personal data, you may reach out to our data protection officer by contacting us through aurora@emma-sleep.com or by sending us a letter addressed to “Data Protection Officer”.
The primary controller of your personal data is Emma Sleep GmbH, based in Wilhelm-Leuschner-Str. 78 60329 Frankfurt am Main, Germany.
When you use the App, we collect and process certain personal data to provide our services to you, including personal data you provide to us and personal data that we collect automatically. You may choose not to provide certain information, but doing so may prevent you from using the App or accessing certain features. The personal data we collect about you includes:
Where we do not ask for your consent, we may also process the above information based on our legitimate interests to: (i) provide, improve, and develop our App, (ii) communicate with you and address your inquiries, and (iii) measure and improve our advertising and marketing.
Technologies such as pixels and cookies are used by us and our service providers to make the App experience as user-friendly as possible and to allow you to make use of certain functions. Depending on the kind of tool or service, we use these on the legal basis of our legitimate interests to ensure the App operates smoothly and fulfill other administrative purposes or on the basis of your consent.
These technologies are used in analyzing App trends, usage, and demographics among others. Further information about the personal data we may collect from you varies depending on the service provider we use. The details for each service provider are listed below in Annex 1.
We retain your personal data for no longer than is necessary for the purposes stated in this Policy. In the event we do not need your information in order to provide the service to you, we will retain it only for so long as we have a legitimate business purpose in keeping such data under applicable laws and regulations.
We may collect, store, process, disseminate or use your personal data in a manner that causes it to be transferred to or accessed from computer systems owned or operated by or on behalf of us. Your personal data may be transferred and stored in the United States of America through our service providers.
Your personal data will be retained in accordance with the legal and regulatory requirements applicable to your personal data (which are typically the requirements in the country from which you are using the App), and subject to our data retention obligations. We keep your personal data for the period of the user relationship with you or for as long as reasonably necessary for the purposes specified in this Privacy Policy, based on various criteria we take into consideration, including whether we need the information to provide you the Services, resolve a dispute, enforce our contractual agreements, defend against legal claims, protect and enforce our rights, or to comply with laws and regulations.
Depending on your location and subject to local law, you have the following rights under the applicable data protection laws with respect to the personal data concerning you:
You have the right to request information on the data we hold about you from us at any time. This information includes, but is not limited to, the categories of data we process, the purposes for which it is processed, the source of the data if not collected directly from you, and, if applicable, the recipients with whom we have shared your data.
You have the right to request the deletion of your personal data stored with us, unless the processing is necessary to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.
You have the right to object to the processing of your data at any time for reasons that arise from your particular situation, as long as data processing is based on your consent, on our legitimate interests or those of a third party. In this case, we will cease to process your data. This does not apply if we can show that there are compelling legitimate grounds for processing that outweigh your interests, or if we need your data for the establishment, exercise, or defense of legal claims.
You have the right to revoke your consent from us at any time. As a result, we are not allowed to continue the data processing that was based on this consent in the future.
If you feel that we have not responded in an appropriate manner to your complaints or you have further concerns, you have the right to complain to the relevant data protection authority. Depending on your location, the responsible authority for us is as follows:
COUNTRY - DATA PROTECTION AUTHORITY
France - Commission Nationale de l'Informatique et des Libertés - CNIL
Germany - Hessische Beauftragte für Datenschutz und Informationsfreiheit
Greece - Hellenic Data Protection Authority
Hungary - Hungarian National Authority for Data Protection and Freedom of Information
Ireland - Data Protection Commission
Latvia - Data State Inspectorate
Lithuania - State Data Protection Inspectorate
Luxembourg - Commission Nationale pour la Protection des Données
Malta - Office of the Information and Data Protection Commissioner
Netherlands - Autoriteit Persoonsgegevens
Poland - Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
Romania - The National Supervisory Authority for Personal Data Processing
Slovakia - Office for Personal Data Protection of the Slovak Republic
Slovenia - Information Commissioner of the Republic of Slovenia
Sweden - Integritetsskyddsmyndigheten
United Kingdom - Information Commissioner's Office
For inquiries regarding your rights as a data subject, you can direct them to us through aurora@emma-sleep.com or by post to the Controller’s postal address.
To provide a smooth app experience for you, we may disclose your personal data from time to time with our contracted service providers (“processor” or “processors”). We execute contracts with our service providers, to ensure that they may only process your personal data in a way that we have explicitly instructed them to do so. Furthermore, we ensure that our service providers take the necessary safeguards to process your data securely and store your personal data only for as long as necessary.
We may disclose your personal data to third parties as described in this Privacy Policy, including:
With service providers and vendors (including data analytics vendors, payment processors, security vendors, and website hosting vendors) that assist us in providing the App to you. Service providers who may receive personal data generally fall into the following categories of recipients: IT service providers (to maintain our IT infrastructure), cloud providers, payment service providers, and service providers who help optimize the App services and functions.
For legal and security reasons and to protect our services and business, in our legitimate interests or as required by law. We will share your information with regulators, law enforcement agencies, public authorities, or any other relevant organisations: to comply with applicable law or obligations thereunder, including cooperation with law enforcement, judicial orders, and regulatory inquiries; to protect the interests of, and ensure the safety and security of, us, our users, a third party or the public; to exercise or defend legal claims; and to enforce our terms and conditions or other agreements.
With our affiliates and subsidiaries or otherwise within our corporate group, in our legitimate interests.
With a prospective buyer, seller, new owner, or other relevant third party in connection with or anticipation of an asset sale or purchase, a share sale, purchase or merger, bankruptcy, or other business transaction or re-organisation (including while negotiating or in relation to a change of corporate control), in our legitimate interests.
If your personal data is processed and transferred to third countries outside your country, we will take all steps reasonably necessary to ensure that your personal data is processed in accordance with your country’s data protection requirements. In the absence of an applicable adequacy decision, we only transfer data to third parties from third countries that offer suitable guarantees and put the appropriate safeguards in place, such as standard contractual clauses.
Further information about the service providers we engage is in the Annex of this Privacy Policy.
If you contact us via email or other channels, the information you provide will be processed for the purpose of processing the request and in the event that follow-up questions arise. The contact form is an additional service from us to enable you to contact us easily. The personal data collected by us in this context will be deleted when the issue associated with the contact has been completely clarified and it is not to be expected that the specific contact will become relevant again in the future, unless there are applicable statutory retention requirements.
Our Privacy Policy does not apply to products and services offered by a third party. Our products and services may include third parties’ products, services, and links to third parties’ websites. When you use such services, they may collect your personal data. As such, we recommend reading the processors’ privacy policies linked above.
We keep this Privacy Policy under regular review and may update this Privacy Policy from time to time to reflect the changes in our services. We encourage you to read and/or review this Privacy Policy periodically for the latest updates on our privacy practices.
ANNEX 1 – App Service Providers
To be able to run the app and provide you with a seamless experience, we engage the following service providers:
Amazon Web Services RDS
We use Amazon Web Services – Redshift as our backend database, which is provided by Amazon Web Services Inc., located at 410 Terry Ave N Seattle, WA, 98109-5210 United States, to enable services related to setting up, managing and manipulating databases in the cloud. You can reach out to the data protection officer of this service provider through https://console.aws.amazon.com/support/home
Legal Basis: Legitimate Interest
Data Collected: email address, full name, profile picture, age, gender, sleep score (sleep quality index)
Retention Period: Data is kept until the user deletes their account and requests that their data be deleted
Location of Processing: USA
Amazon Web Services Cognito
We use Amazon Web Services – Cognito, as our user data database, which is provided by Amazon Web Services Inc., located at 410 Terry Ave N Seattle, WA, 98109-5210 United States, to enable services related to user identification and data synchronization in the App. You can reach out to the data protection officer of this service provider through https://console.aws.amazon.com/support/home
Legal Basis: Legitimate Interest
Technologies Used: Cookies
Data Collected: Email address, full name, profile picture
Retention Period: Data is kept until the user deletes their account and requests that their data be deleted
Location of Processing: USA
Service Provider’s Privacy Policy: AWS Privacy (amazon.com)
Mixpanel
We use Mixpanel, an online analytics service provided by Mixpanel, Inc., which is located at 405 Howard Street San Francisco, CA 94105 United States, to enable services related to the operation and internal analytics and reporting of the App. You can reach out to the data protection officer of this service provider through dpo@mixpanel.com.
Legal Basis: Consent
Technologies Used: SDK, cookies, pixels
Data Collected: The type of information collected includes, but is not limited to, personal information such as email address, location and tracking behaviors within the App such as open app, screen views and clicks
Retention Period: We retain personal data for as long as necessary to provide the service and fulfill the transaction you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes. Accordingly, Mixpanel’s retention periods can vary significantly based on criteria such as user expectations or consent, the sensitivity of the information, the availability of automated controls that enable users to delete data, and our legal or contractual obligations
Location of Processing: EU
Service Provider’s Privacy Policy: https://www.mixpanel.com/legal/privacy-policy
RevenueCat
We use RevenueCat which is operated by RevenueCat, Inc., located at 1032 E Brandon Blvd #3003 Brandon, FL 33511 United States, to enable services related to in-app subscription management. You can reach out to the data protection officer of this service provider through compliance@revenuecat.com.
Legal Basis: Legitimate Interest
Technologies Used: SDK
Data Collected: Identifiable contact information including a unique identifier, and purchase history which includes first purchase, re-occurring purchase
Retention Period: Personal data will be retained until termination of the agreement or until requested
Location of Processing: USA
Service Provider’s Privacy Policy: https://www.revenuecat.com/privacy/
Typeform
We use Typeform, an online form and questionnaire service provided by TYPEFORM SL which is located at Bac de Roda, 163 Barcelona 08019, to enable services related to the sleep feature of the App. You can reach out to the data protection officer of this service provider through dpo@typeform.com.
Legal Basis: Legitimate interest
Data Collected: User demographics, username, email address, sleep pain, frequency of pain, sleep data, sleep environment
Retention Period: The data will be deleted as soon as it is no longer needed for the stated processing purposes
Location of Processing: USA, EU
Service Provider’s Privacy Policy: https://www.admin.typeform.com/to/dwk6gt?typeform-source=www.google.com
Mailchimp
We use Mailchimp, a customer relationship management tool provided by The Rocket Science Group, LLC located at 675 Ponce de Leon Ave NUE Suite 5000 Atlanta, GA 30308, for email marketing purposes such as product feedback and newsletters. You can reach out to the data protection officer of this service provider through privacy@mailchimp.com.
Legal Basis: Consent
Technologies Used: Cookies
Data Collected: Name, email address, open rates on email, email clicks
Retention Period: The data will be deleted as soon as it is no longer needed for the stated processing purposes
Location of Processing: USA
Service Provider’s Privacy Policy: https://www.intuit.com/privacy/statement/
OneSignal
We use OneSignal, an online messaging service provided by OneSignal, Inc., located at 2850 S Delaware St Suite 201, San Mateo, CA 94403, to enable services related to in-app messages. You can reach out to the data protection officer of this service provider through privacy@onesignal.com.
Legal Basis: Consent
Technologies Used: SDK
Data Collected: Unique ID (randomized unidentifiable), sleep data (e.g. chronotype), user programID, user app engagement (e.g. session duration, time stamp), purchases within the app, information about end user’s transactions and interactions with the app, mobile device or account identifiers (these mobile IDs may be associated with other information such as data segments), precise location information – generally an end user’s lat/long data (e.g. GPS-level data) or WiFi information which we may associate with mobile IDs and which may be collected whether or not an app is in use (location information is only collected if the user has granted permission to the App to collect this and if the App chooses to send this data to OneSignal), information associated with or related to devices such as device type (e.g. mobile, tablet); type and version of operating system (e.g. Android, iOS); network provider; mobile browser (e.g. Safari, Chrome, etc.); language setting; time zone; and network status type
Retention Period: We keep the data from the user until the user deletes the account and requests deletion of all data related to the profile. Messages sent through OneSignal’s API and Automation are kept around for 30 days before being removed from OneSignal’s servers. All user data and messages sent through the OneSignal Dashboard are kept for the lifetime of the OneSignal App unless manually deleted. The notification history is available for seven (7) days and includes the list of devices that were sent or clicked the push
Location of Processing: EU
Service Provider’s Privacy Policy: https://onesignal.com/privacy_policy
Bugsnag
We use Bugsnag, offered by SmartBear Software Inc., located at 450 Artisan Way Somerville, MA 02145, for services related to error reporting within the App. You can reach out to the data protection officer of this service provider through
Legal Basis: Legitimate Interest
Technologies Used: Cookies, local storage, web beacons, pixel tags, analytic tools
Data Collected: IP address, Pages visited, Browser information, Selected personal information, ID-identified information, Cookie identifiers, Mobile advertising identifiers, Media Access Control (MAC) address, Mobile device's unique identifier, International Mobile Equipment Identity, Platform cookie ID, Frequency and duration of activities, User agent, Device identifier, Geographic location, Browser language, Hardware type, Device operating system, Internet Service Provider, Preferences, Information from third party sources
Retention Period: The data is retained as long as necessary to fulfill the purpose(s) for which it was collected
Location of Processing: USA
Service Provider’s Privacy Policy: https://smartbear.com/privacy/
Google Firebase
We use Google Firebase, offered by Google LLC, which is based in 1600 Amphitheatre Parkway Mountain View, CA 94043 United States, for services related to tracking analytics, reporting, and app functionality such as changing the behavior and appearance of the app without requiring users to download an app update. You can reach out to the data protection officer of this service provider through https://firebase.google.com/support/privacy/dpo.
Legal Basis: Legitimate Interest
Technologies Used: Cookies
Data Collected: IP address, attestation material from supported attestation providers, app check tokens from successful attestations, users’ names, email addresses, iOS UDIDs, secure Android IDs, Firebase installation IDs, phone numbers, passwords, user agents, Crashlytics Installation UUIDs, crash traces, breakpad minidump formatted data, device specs, uploaded images, installation auth tokens. Further information can be found through https://firebase.google.com/support/privacy#data_processing_information
Retention Period: Cloud Functions only saves IP addresses temporarily, to provide the service. Installation auth tokens remain valid until their expiration date. The default token lifetime is one week. Performance Monitoring keeps installation and IP-associated events for 30 days and de-identified performance data for 90 days. Firebase retains Firebase installation IDs until the Firebase customer makes an API call to delete the ID. After the call, data is removed from live and backup systems within 180 days. Further information on Firebase retention periods can be accessed through: https://firebase.google.com/support/privacy
Location of Processing: Worldwide (they could process data at any of the Google Cloud Platform locations or Google data center locations)
Service Provider’s Privacy Policy: https://firebase.google.com/support/privacy
Facebook SDK
We use Facebook SDK, offered by Meta Platforms, Inc., located at 1601 Willow Road Menlo Park, CA 90425, to enable the integration of the App with Facebook and measuring the success of marketing campaigns, targeting and sending app events. You can reach out to the data protection officer of this service provider through https://www.facebook.com/help/contact/507739850846588.
Legal Basis: Consent
Technologies Used: SDK
Data Collected: Ads viewed, content viewed, device information, geographic location, HTTP-header, interactions with advertisement, services and products, IP address, items clicked, marketing information, pages visited, pixel ID, referrer URL, usage data, user behavior, Facebook cookie information, Facebook user ID, usage/click behavior, browser information, device operating system, device ID, user agent, browser type, cookie from Facebook used for website analytics, ad targeting and ad measurement, app events
Retention Period: User’s interactions tracked in the app will not be stored longer than for two (2) years. However, the data will be deleted as soon as they are no longer needed for the processing purposes. Maximum age of cookie storage is one (1) year
Location of Processing: United States of America, Ireland, Denmark, Sweden. Further information can be found via https://www.facebook.com/privacy/policy/?subpage=9.subpage.2-WhereIsInformationTransferred
Service Provider’s Privacy Policy: https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0
Sentry
We use Sentry, offered by Functional Software, Inc. d/b/a Sentry, for services related to error reporting within the App. You can reach out to the data protection officer of this service provider through legal@sentry.io.
Legal Basis: Legitimate Interest
Technologies Used: Mobile SDKs
Data Collected: Personal data that is submitted by the App, which may include IP address, email address, and other types of identifiable data configured by the App
Retention Period: The data is retained as long as necessary to fulfill the purpose(s) for which it was collected
Location of Processing: USA
Service Provider’s Privacy Policy: https://sentry.io/privacy
Appsflyer
We use Appsflyer, a marketing attribution tool provided by AppsFlyer Ltd. You can reach out to the data protection officer of this service provider through privacy@appsflyer.com.
Legal basis: Consent
Technologies used: mobile SDKs
Data collected: Browser type, device type and model, CPU, system language, memory, OS version, Wi-Fi status, time stamp and zone, device motion parameters and carrier, IDFA, Android ID, Google Advertiser ID, app ID, IP address, user agent, clicks on customer ads, ad impressions viewed, audiences or segments to which an ad campaign is attributed, the type of ads and the webpage or application on which such ads were displayed, webpages on Emma’s website visited by the app user, the URL from the referring website, downloads and installations of applications, other interactions, events and actions Emma chose to measure and analyze within the App (e.g. in-app purchases, clicks, engagement time, etc.)
Retention period: The data will be deleted as soon as it is no longer needed for the stated processing purposes
Location of the data processing: USA, EU
Service Provider’s Privacy Policy: https://www.appsflyer.com/legal/services-privacy-policy/
Nami ML
We use NamiML, which is operated by [x], for services related to payment for the app. You can reach out to their data protection officer through privacy@namiml.com.
Legal Basis: Legitimate Interest
Technologies Used: Payment paywall
Data Collected: Name, email address, commercial history (purchases made through NamiML), phone number, debit or credit card information
Retention Period: Data deleted upon request. NamiML may retain the data required to audit invoices for up to two (2) years
Location of Processing: USA
Service Provider’s Privacy Policy: https://www.namiml.com/legal/privacy
Stripe
We use Stripe, which is operated by Stripe Payments Europe Limited (“SPEL”) and Stripe Technology Europe Limited (“Stripe PSP”), for payment processing, analytics, and other business services. Stripe collects transaction and personally identifying information, which it analyses and uses to operate and improve the services it provides to us, including for fraud detection. You can learn more about Stripe and read its privacy policy here.
In the event that we have access to any Verification Data as part of Stripe Identity Services, we will do so in accordance with the following:
Emma and Stripe are independent controllers of the Verification Data;
Stripe will process the Verification Data in accordance with Stripe’s Privacy Policy and Stripe’s Identity Terms;
Verifiable Individuals can submit data subject requests (including data deletion and data access) by sending an email to aurora@emma-sleep.com;
We will only use Verification Data to validate and process your in-app payment, and to comply with applicable legal obligations;
In accordance with California Consumer Privacy Act (“CCPA”), we will not sell your Verification Data; and
If required under applicable laws, we may conduct alternative verification methods in case you do not consent to be verified by the Stripe Identity Services.
By using Stripe, we may transmit Verification Data outside of our jurisdiction, including to the United States, and the Verification Data may be submitted to third-party service providers, including government authorities, for the purpose of verifying the identity of the Verifiable Individual.