Oto Privacy Policy
Effective Date: {effectiveDate}
Last Updated: {lastUpdated}
Version: 2.0.0
Welcome to Oto Health ("Oto," "we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our mobile application and related services (collectively, the "Services").
Company Structure: The Services are operated by Oto Health Ltd, a UK limited company. Oto Health Ltd is wholly owned by Oto Health Inc., a Delaware corporation (US holding company).
By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy.
If you have questions about this Privacy Policy, contact us at support@joinoto.com.
Table of Contents
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing (GDPR)
- Data Retention
- Third-Party Service Providers
- International Data Transfers
- Data Sharing and Disclosure
- Data Security
- Your Privacy Rights
- Children's Privacy
- State-Specific Privacy Rights (US)
- Marketing Communications
- HIPAA Compliance
- Changes to This Privacy Policy
- Contact Us
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: Email address, name, date of birth
- Health Information: Tinnitus Functional Index (TFI) assessment responses, journal entries
- Support Communications: Messages you send to customer support
1.2 Information Collected Automatically
- Usage Data: Session starts, session completions, app interactions
- Audio Content Data: Audio selections and playback duration
- Device Information: Device model, OS version, app version
- Analytics Data: Anonymized usage patterns (via Firebase Analytics and Sentry)
1.3 Information from Third Parties
- Healthcare Providers: Your provider may share your name and email when issuing a license
2. How We Use Your Information
We use your information to:
- Provide the Services: Deliver audio-based coping techniques and wellness features
- Track Progress: Calculate TFI scores and monitor your wellness journey over time
- Support Your Provider: Share usage data with your healthcare provider (with your consent)
- Communicate: Send service updates, license expirations, and support responses
- Improve Services: Analyze aggregated data to enhance app features and user experience
- Comply with Law: Meet legal obligations and respond to valid legal requests
3. Legal Basis for Processing (GDPR)
For users in the EU/UK, we process your data based on:
- Consent: You consent to data sharing with your healthcare provider when signing up
- Contract Performance: Processing necessary to provide the Services you've requested
- Legitimate Interests: Improving our Services and preventing fraud (balanced against your rights)
- Legal Obligations: Compliance with applicable laws and regulations
4. Data Retention
We retain your information for the following periods:
Data Type | Retention Period | Reason |
---|---|---|
Account Information | Until account deletion + 30 days | Provide Services and allow recovery |
TFI Assessments | Until account deletion | Track wellness progress |
Session History | Until account deletion | Support provider reporting |
Support Messages | 3 years | Quality assurance and dispute resolution |
Anonymized Analytics | Indefinitely | Product improvement (cannot identify you) |
GDPR Deletion Logs | 7 years | Legal compliance and audit trail |
5. Third-Party Service Providers
We use the following third-party services to operate our platform:
Provider | Purpose | Data Shared | Privacy Policy |
---|---|---|---|
Firebase (Google) | Database, authentication, analytics | Email, user ID, usage data | Firebase Privacy |
Stripe | Payment processing (US only) | Payment info (not stored by us) | Stripe Privacy |
RevenueCat | Subscription management (UK/EU) | User ID, purchase history | RevenueCat Privacy |
Intercom | Customer support | Email, name, support messages | Intercom Privacy |
Sentry | Error tracking and monitoring | User ID, email, device info, error logs | Sentry Privacy |
Note: We carefully select providers that comply with GDPR, HIPAA (where applicable), and other data protection laws.
6. International Data Transfers
Oto Health Ltd (UK) operates the Services. Your data is primarily processed in the United Kingdom and European Economic Area (EEA). However, some of our third-party service providers (see Section 5) are based in the United States, which means your information may be transferred to, stored, and processed in the US.
For international data transfers, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs): Approved by the European Commission for data transfers to countries outside the EEA
- US-EU Data Privacy Framework: For US-based service providers certified under the framework
- UK Adequacy Decisions: Where applicable, relying on the UK's recognition of adequate data protection in certain countries
7. Data Sharing and Disclosure
7.1 Healthcare Providers
With Your Consent: When you sign up for Oto through your healthcare provider, you consent to sharing your wellness data with that provider. You can revoke access at any time by contacting support@joinoto.com.
What Providers See:
- Your TFI assessment scores and progress
- Session completion frequency
- Audio content usage
- Last active date
7.2 Service Providers
We share data with third-party vendors who help us operate the Services (see Section 5).
7.3 Legal Requirements
We may disclose your information if required by law or in response to:
- Valid legal process (subpoena, court order)
- Government or regulatory requests
- Protecting rights, property, or safety of Oto, users, or the public
7.4 Business Transfers
If Oto is acquired or merged, your information may be transferred to the new entity. We will notify you before your data is transferred and becomes subject to a different Privacy Policy.
7.5 Aggregated Data
We may share anonymized, aggregated data (e.g., "80% of users completed 5+ sessions") with partners or for research. This data cannot identify you.
7.6 De-Identified Research
We may share de-identified, aggregated data with:
- Academic researchers studying tinnitus wellness
- Healthcare organizations analyzing program effectiveness
- Business partners evaluating wellness outcomes
De-identified data cannot reasonably be used to identify you and is not subject to this Privacy Policy.
8. Data Security
We take the security of your information seriously and implement appropriate technical and organizational measures:
Security Measures:
- Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.2+ encryption
- Encryption at Rest: Health data stored in Firestore is encrypted using AES-256
- Access Controls: Role-based permissions limit who can access your data (only authorized providers and support staff)
- Authentication: Firebase Authentication with secure password hashing (bcrypt)
- Monitoring: Automated alerts for suspicious activity and unauthorized access attempts
- Regular Audits: Periodic security reviews and vulnerability assessments
Important: No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
9. Your Privacy Rights
Depending on your location, you have the following rights regarding your personal information:
9.1 Access
Right to Know: Request a copy of the personal information we hold about you.
How to Exercise: Email support@joinoto.com with "Data Access Request" in the subject line. We will respond within 30 days.
9.2 Correction
Right to Rectify: Correct inaccurate or incomplete personal information.
How to Exercise: Update your profile in the app or email support@joinoto.com.
9.3 Deletion
Right to Erasure: Request deletion of your personal information (subject to legal exceptions).
How to Exercise: Go to Settings → Delete Account in the app. This will permanently delete:
- Your account and authentication credentials
- All TFI assessments and session history
- Support messages and communication preferences
- Payment and subscription information
Warning: Account deletion is permanent and cannot be undone.
9.4 Opt-Out
Right to Opt-Out: Unsubscribe from marketing emails (service emails cannot be disabled).
How to Exercise: Click "Unsubscribe" in any marketing email or email support@joinoto.com.
9.5 Portability
Right to Data Portability: Receive your data in a machine-readable format (JSON).
How to Exercise: Email support@joinoto.com with "Data Portability Request" in the subject line.
9.6 Object to Processing
Right to Object: Object to processing based on legitimate interests.
How to Exercise: Email support@joinoto.com explaining your objection. We will evaluate and respond within 30 days.
9.7 Withdraw Consent
Right to Withdraw: Withdraw consent for data sharing with your healthcare provider.
How to Exercise: Email support@joinoto.com. Note: Withdrawing consent may limit your access to certain features.
9.8 Lodge a Complaint
Right to Complain: File a complaint with your data protection authority if you believe we've violated your privacy rights.
- EU/UK: Contact your local Data Protection Authority (DPA)
- US: File a complaint with the FTC at ftc.gov/complaint
10. Children's Privacy
Our Services are not intended for children under 13 (or 16 in the EU). We do not knowingly collect personal information from children.
If we discover we've collected data from a child under the age of 13 (or 16 in the EU), we will delete it immediately.
Parents: If you believe your child has provided us with personal information, contact support@joinoto.com.
11. State-Specific Privacy Rights (US)
If you reside in one of the following US states, you have additional privacy rights:
11.1 California (CCPA/CPRA)
California residents have the right to:
- Know what personal information is collected, used, shared, or sold
- Delete personal information (subject to exceptions)
- Opt out of the "sale" of personal information (we do not sell your data)
- Non-discrimination for exercising privacy rights
Shine the Light: Request information about personal information shared with third parties for marketing purposes (we do not share for marketing).
11.2 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA)
Residents have the right to:
- Confirm whether we process their personal data
- Access and obtain a copy of personal data
- Correct inaccuracies
- Delete personal data
- Obtain a copy of data in a portable format
- Opt out of targeted advertising (we do not engage in targeted advertising)
11.3 Other States with Privacy Laws
We extend similar rights to residents of Oregon, Montana, Texas, Iowa, Tennessee, Indiana, Delaware, Nebraska, New Hampshire, New Jersey, and Minnesota.
How to Exercise State-Specific Rights
Email support@joinoto.com with your state and request type. We will verify your identity and respond within the timeframe required by your state's law (typically 30-45 days).
12. Marketing Communications
We may send you promotional emails about new features, special offers, or wellness tips. You can opt out at any time by:
- Clicking "Unsubscribe" at the bottom of any marketing email
- Emailing support@joinoto.com with "Unsubscribe" in the subject line
Service Emails: You cannot opt out of transactional emails (e.g., license expiration notices, security alerts), as they are necessary to provide the Services.
13. HIPAA Compliance
13.1 Are We a Covered Entity?
Oto Health is not a HIPAA-covered entity because we do not bill insurance or conduct electronic healthcare transactions on behalf of providers.
13.2 Are We a Business Associate?
Yes, when healthcare providers use Oto to monitor patient progress, we act as a Business Associate under HIPAA. We sign Business Associate Agreements (BAAs) with provider organizations.
13.3 Protected Health Information (PHI)
We collect and store the following PHI:
- Name and email address
- Date of birth
- TFI assessment scores
- Session usage data
- Journal entries
- Provider-patient relationship
13.4 HIPAA Safeguards
We implement HIPAA-required safeguards:
- Administrative: Staff training, access controls, and incident response procedures
- Physical: Secure cloud infrastructure (Google Cloud Platform HIPAA-compliant data centers)
- Technical: Encryption, audit logs, secure authentication, and automatic session timeouts
13.5 Breach Notification
If a data breach affects your PHI, we will notify you and your healthcare provider within 60 days, as required by HIPAA.
13.6 HIPAA Privacy Rights
If you are a patient receiving care through a HIPAA-covered provider, you have rights to:
- Access: Request a copy of your PHI (contact your provider or support@joinoto.com)
- Amendment: Request corrections to inaccurate PHI
- Accounting: Request a list of PHI disclosures (past 6 years)
- Restriction: Request limits on how your provider uses or shares your PHI
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page with a new "Last Updated" date
- Sending an email notification to your registered email address
- Displaying an in-app notification when you next open the app
Your Consent: Continued use of the Services after changes take effect constitutes acceptance of the updated Privacy Policy.
Objection: If you do not agree to the updated policy, you must stop using the Services and may request account deletion.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@joinoto.com
Data Protection Officer:
Gwilym Owen
Email: gwilym.owen@penbran.com
Mailing Address:
Oto Health Ltd
Attn: Privacy Officer
4th Floor, Silverstream House
45 Fitzroy Street
Fitzrovia, London W1T 6EB
United Kingdom
Company Information:
Oto Health Ltd is a UK limited company, wholly owned by Oto Health Inc. (Delaware, US).
Response Time: We will respond to privacy inquiries within 30 days (or as required by applicable law).
By using Oto, you acknowledge that you have read and understood this Privacy Policy.
Thank you for trusting us with your wellness journey.