ZENCORA PRIVACY POLICY

Last Updated: December 12, 2024
Effective Date: January 1, 2025

Zencora Neuro Holdings Inc. ("Zencora," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our sensory delivery platform and services.

Our Address:
Zencora Neuro Holdings Inc.
2400 Lakeside Blvd, #145
Richardson, TX 75082
United States

Contact Us:
Email: info@zencoraneuro.com

1. INFORMATION WE COLLECT

1.1 Personal Information You Provide

When you create an account or use our services, we collect:

  • Account Information: Name, email address, password

  • Payment Information: Billing details (processed securely through Stripe - we never store your complete credit card information)

  • Profile Information: Session preferences, goals (sleep, clarity, recovery, reset), tone preferences (warm, minimal, direct)

  • Optional Information: Calm triggers (pet names, places, people), current concerns or challenges

1.2 Biometric and Health Data (With Your Explicit Consent)

Oura Ring Integration (Optional): When you choose to connect your Oura Ring account, we access:

  • Sleep metrics: total sleep, deep sleep, REM sleep, sleep score, restfulness

  • Readiness score and recovery metrics

  • Heart rate variability (HRV)

  • Resting heart rate

  • Activity levels and stress indicators

  • Body temperature deviations

Important: You control this integration. You can disconnect your Oura Ring at any time, and we will delete all associated data within 24 hours.

1.3 Session Data We Generate

  • Voice Recordings: Personalized audio guidance generated for your sessions (automatically deleted after 60 days unless you save them)

  • Session Parameters: Frequency ranges used, duration, ambient selections

  • Response Data: Your self-reported feedback (ratings, feeling descriptions)

  • Usage Patterns: Session timing, frequency of use, completion rates

1.4 Technical Information

  • Device Information: Hardware model, operating system, browser type

  • Log Data: IP address, access times, pages viewed, referring URLs

  • Cookies: Session management, preferences (see Cookie Policy)

1.5 Communications

  • Support Requests: Messages you send us

  • Feedback: Survey responses, testimonials (only published with your permission)

2. HOW WE USE YOUR INFORMATION

2.1 To Provide and Personalize Our Services

  • Generate personalized voice guidance using your name and preferences

  • Adapt session parameters based on your Oura Ring data (if connected)

  • Optimize session timing and intensity based on your recovery state

  • Create custom frequency protocols for your hardware profile

  • Remember your preferences and settings

2.2 To Improve Our Services

  • Analyze session efficacy and user outcomes

  • Develop better therapeutic protocols

  • Optimize frequency delivery methods

  • Improve AI personalization algorithms

  • Test new features and session types

2.3 To Communicate With You

  • Send session confirmations and receipts

  • Provide customer support

  • Send important service updates

  • Share educational content (if you opt in)

  • Request feedback (you can opt out anytime)

2.4 To Ensure Safety and Compliance

  • Monitor for potential adverse effects

  • Comply with legal obligations

  • Prevent fraud and abuse

  • Enforce our Terms of Service

2.5 For Business Operations

  • Process payments and manage subscriptions

  • Provide customer support

  • Conduct internal analytics

  • Maintain and improve platform security

3. HOW WE SHARE YOUR INFORMATION

We do NOT sell your personal information to anyone. We share your information only in these limited circumstances:

3.1 Service Providers (Data Processors)

We work with trusted third-party service providers who process data on our behalf:

Oura Health Oy

  • What: Biometric data (only when you connect your ring)

  • Why: To fetch your sleep, readiness, and HRV data

  • Control: You authorize this connection and can revoke it anytime

  • Their Privacy Policy: https://ouraring.com/privacy-policy

ElevenLabs (Voice Generation)

  • What: Your name, selected tone, session goal, text scripts

  • Why: To generate personalized voice guidance

  • Retention: Voice files are deleted from their systems after delivery

  • Their Privacy Policy: https://elevenlabs.io/privacy

Stripe (Payment Processing)

  • What: Billing information, payment details

  • Why: To process subscription payments securely

  • Note: We never see your complete credit card number

  • Their Privacy Policy: https://stripe.com/privacy

Amazon Web Services (Hosting)

  • What: All data stored on our platform

  • Why: Secure cloud infrastructure

  • Location: US data centers

  • Their Privacy Policy: https://aws.amazon.com/privacy/

3.2 Legal Requirements

We may disclose information if required by law, such as:

  • Court orders or subpoenas

  • Legal investigations

  • Protection of rights, property, or safety

  • Fraud prevention

3.3 Business Transfers

If Zencora is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

3.4 With Your Consent

We may share information in other ways with your explicit consent.

3.5 Aggregated/De-identified Data

We may share anonymized, aggregated statistics that cannot identify you:

  • "40% of users report improved sleep quality"

  • "Average HRV improvement is 18% after sessions"

  • Research publications (with all identifying information removed)

4. YOUR RIGHTS AND CHOICES

4.1 Access and Portability

You can:

  • View all your personal data in your account settings

  • Download your data in JSON or CSV format

  • Request a complete copy of your information

4.2 Correction and Updates

You can update your information anytime through your account settings, or contact us to make changes.

4.3 Deletion

You have the right to delete your account and all associated data:

  • How: Account Settings → Delete Account

  • Effect: Permanent deletion within 30 days

  • Exception: We may retain some information as required by law (e.g., financial records for 7 years)

4.4 Oura Ring Disconnection

You can disconnect your Oura Ring at any time:

  • How: Account Settings → Connected Devices → Disconnect Oura

  • Effect: All Oura data deleted within 24 hours

  • Note: Historical session data (not containing Oura data) is preserved unless you delete your account

4.5 Marketing Opt-Out

You can opt out of marketing communications:

  • Click "Unsubscribe" in any email

  • Update preferences in Account Settings

  • Note: You'll still receive essential service emails (receipts, security alerts)

4.6 Cookie Controls

You can control cookies through your browser settings. Note that disabling cookies may affect functionality.

4.7 Do Not Sell My Personal Information (CCPA)

We do not sell personal information. If our practices change, we will update this policy and provide opt-out mechanisms.

5. DATA SECURITY

5.1 Technical Measures

We protect your information using industry-standard security measures:

  • Encryption: All data encrypted in transit (TLS/HTTPS) and at rest (AES-256)

  • Access Controls: Limited employee access on need-to-know basis

  • Authentication: Secure login with password requirements

  • Monitoring: 24/7 security monitoring and alerts

  • Backups: Encrypted, geographically distributed backups

5.2 Data Retention

  • Active Accounts: Data retained while your account is active

  • Generated Voice Files: Auto-deleted after 60 days (unless saved by you)

  • Oura Data Cache: Maximum 60 days (per Oura API requirements)

  • Deleted Accounts: Most data deleted within 30 days

  • Legal Requirements: Financial records retained for 7 years

5.3 Breach Notification

In the unlikely event of a data breach:

  • We will notify you within 72 hours

  • We will notify Oura within 24 hours (if Oura data affected)

  • We will provide details and remediation steps

  • We will report to authorities as required by law

6. INTERNATIONAL DATA TRANSFERS

6.1 Data Location

Your data is primarily stored in United States data centers (AWS US regions).

6.2 European Users (GDPR)

If you are in the European Economic Area (EEA), UK, or Switzerland:

  • We are the data controller

  • Your data may be transferred to the US for processing

  • We use Standard Contractual Clauses (SCCs) for protection

  • You have additional rights under GDPR (see Section 7)

6.3 California Users (CCPA/CPRA)

California residents have specific rights under the California Consumer Privacy Act (see Section 7.3).

7. SPECIFIC REGIONAL RIGHTS

7.1 GDPR Rights (European Users)

Under the General Data Protection Regulation, you have the right to:

  • Right to Access: Request a copy of your personal data

  • Right to Rectification: Correct inaccurate data

  • Right to Erasure ("Right to be Forgotten"): Request deletion

  • Right to Restriction: Limit how we process your data

  • Right to Data Portability: Receive your data in machine-readable format

  • Right to Object: Object to processing based on legitimate interests

  • Right to Withdraw Consent: Withdraw consent for Oura data access

  • Right to Lodge a Complaint: File complaint with supervisory authority

Legal Basis for Processing:

  • Contract Performance: To provide services you requested

  • Consent: For Oura Ring integration and marketing

  • Legitimate Interests: To improve services and ensure safety

EU Representative: [To be appointed when serving EU customers]

7.2 UK GDPR

UK users have similar rights under UK GDPR. Contact us at privacy@zencora.com.

7.3 CCPA/CPRA Rights (California Users)

California residents have the right to:

  • Know: What personal information we collect and how we use it

  • Access: Request a copy of your information (twice per year)

  • Delete: Request deletion of your information

  • Opt-Out: Opt out of "sales" (we don't sell data, but you can still request this)

  • Non-Discrimination: Not be discriminated against for exercising rights

  • Correct: Request correction of inaccurate information

  • Limit: Limit use of sensitive personal information

Categories of Information We Collect:

  • Identifiers (name, email)

  • Financial information (payment details)

  • Biometric information (Oura data, with consent)

  • Internet activity (usage logs)

  • Sensory data (session preferences)

Sensitive Personal Information: We collect precise geolocation (if you enable it), health data (Oura Ring), and account login credentials.

To exercise your rights, email privacy@zencora.com or call [to be added].

7.4 Other US States

Residents of Virginia, Colorado, Connecticut, and Utah have similar privacy rights. Contact us to exercise them.

8. CHILDREN'S PRIVACY

Zencora is not intended for children under 18. We do not knowingly collect information from children. If you are under 18, do not use our services.

If we learn we have collected information from a child under 18, we will delete it immediately. If you believe we may have information from a child, contact us at privacy@zencora.com.

9. THIRD-PARTY LINKS

Our services may contain links to third-party websites (e.g., Oura Ring website, educational resources). We are not responsible for their privacy practices. Please review their privacy policies.

10. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the new policy on our website

  • Sending you an email (for significant changes)

  • Requiring you to accept changes on next login (for material changes)

Your continued use of our services after changes constitutes acceptance of the updated policy.

Version History:

  • v1.0 - December 12, 2024: Initial version

11. OURA API COMPLIANCE

This policy is designed to comply with the Oura API Agreement. Specifically:

  • We are an independent data controller (not Oura's data processor)

  • We obtain your explicit consent before accessing Oura data

  • We use Oura data only to personalize your Zencora sessions

  • We cache Oura data for maximum 60 days

  • We delete Oura data within 24 hours of disconnection

  • We notify Oura within 24 hours of any data breach affecting their data

  • We do not sell, lease, or transfer Oura data to third parties

  • We comply with GDPR requirements for Oura data processing

12. CONTACT US

For Privacy Questions or to Exercise Your Rights:

Email: info@zencoraneuro.com
Mail:
Zencora Neuro Holdings Inc.
Attn: Privacy Officer
2400 Lakeside Blvd, #145
Richardson, TX 75082
United States

Response Time: We aim to respond to all privacy requests within 30 days (GDPR) or 45 days (CCPA).

13. DATA PROTECTION OFFICER

For GDPR-related inquiries:
Email: info@zencoraneuro.com
[Or designated DPO when appointed]

By using Zencora, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

This Privacy Policy is effective as of January 1, 2025 and was last updated on December 12, 2024.

© 2025 Zencora Neuro Holdings Inc. All rights reserved.