Scope
This Privacy Policy applies to the Within health dashboard available at health.crob.ca (the “Service”). Within is an independent application and is not affiliated with, endorsed by, or sponsored by Oura Health Oy or its affiliates (“Oura”). Oura’s own services and handling of information are governed by Oura’s policies.
By authorizing the Service to access your Oura information, you direct Oura to provide the categories of data you approve. You can change or withdraw that authorization through Oura at any time.
Information we process
Oura information
Depending on the permissions you grant, the Service processes daily readiness, sleep, and activity scores; sleep duration, stages, efficiency, and timing; steps and active calories; resting heart rate; heart rate variability; and related dates and timestamps. The Service also uses an OAuth access token to request this information from Oura on your behalf.
Technical information
Our hosting provider may automatically process limited technical information needed to deliver and secure the Service, such as IP address, browser and device type, request time, referring page, error information, and similar server logs. We do not use advertising cookies or third-party behavioral analytics.
How we use information
We process information only as needed to:
- request the Oura information you authorized and present it in your dashboard;
- calculate simple summaries and trends for your own review;
- operate, secure, troubleshoot, and improve the reliability of the Service;
- comply with law and enforce our Terms of Service; and
- respond to privacy, security, or support requests.
We do not sell your information, use it for advertising or marketing profiles, train artificial intelligence models on it, combine it with other people’s data, or disclose it to data brokers.
How information is shared
We disclose information only in these limited circumstances:
- Oura. We communicate with Oura’s API at your direction to retrieve your authorized data.
- Infrastructure and identity providers. Vercel hosts and delivers the Service, WorkOS manages account authentication, and Convex stores account-linked connection and metric records. These providers may process data on our behalf under their applicable terms.
- Legal and safety reasons. We may disclose information when reasonably necessary to comply with law, protect rights or safety, investigate abuse, or respond to valid legal process.
- Business changes. If responsibility for the Service changes, information may transfer as part of that transaction, subject to this Policy and applicable law.
Retention and deletion
Within stores normalized daily Oura metrics in Convex so your history remains associated with your authenticated account and can be shown during temporary Oura outages. We retain only the fields used by the dashboard rather than raw Oura API responses. Platform caches, request handling systems, and security logs may also retain limited information for their ordinary operational periods.
Oura OAuth credentials are encrypted before they are stored and retained only for as long as needed to provide the Service or until access is revoked. When you disconnect Oura, request deletion, or withdraw authorization, we will stop processing your Oura data and delete Oura user data under our control within 72 hours, except where retention is legally required.
Your choices and rights
You may revoke the Service’s access from your Oura account at any time. Depending on where you live, you may also have rights to request access to, correction of, deletion of, or a portable copy of personal information; object to or restrict processing; withdraw consent; or complain to a privacy regulator.
To exercise a right, email privacy@crob.ca. We may need to verify your identity before fulfilling a request. We will not discriminate against you for exercising a privacy right.
Security
We use administrative and technical safeguards designed for the sensitivity of health information, including encrypted transport, restricted secret access, and managed hosting controls. No online service can guarantee absolute security. If you believe your information or access token may be at risk, revoke access through Oura and contact us promptly.
International processing
Oura and our infrastructure providers may process information outside your province, state, or country, including in the United States. Those locations may have different data protection laws. Where required, we use lawful safeguards for cross-border processing.
Children
The Service is intended for adults and is not directed to children under 18. We do not knowingly request Oura information from a child. If you believe a child’s information has been provided, contact us so it can be removed.
Changes and contact
We may update this Policy to reflect changes to the Service, providers, or law. We will post the revised Policy here and change its effective date. Material changes will be highlighted where reasonably practicable.
Questions, complaints, and privacy requests may be sent to privacy@crob.ca.