within Back to dashboard

The fine print, in plain language

Privacy policy

Your health data is deeply personal. This policy explains what Within touches, why it needs it, and the boundaries we place around its use.

Effective July 11, 2026

Contents

  1. 01Scope
  2. 02Information we process
  3. 03How we use information
  4. 04How information is shared
  5. 05Retention and deletion
  6. 06Your choices and rights
  7. 07Security
  8. 08International processing
  9. 09Children
  10. 10Changes and contact
01

Scope

This Privacy Policy applies to the Within health dashboard available at health.crob.ca (the “Service”). Within is an independent application and is not affiliated with, endorsed by, or sponsored by Oura Health Oy or its affiliates (“Oura”). Oura’s own services and handling of information are governed by Oura’s policies.

By authorizing the Service to access your Oura information, you direct Oura to provide the categories of data you approve. You can change or withdraw that authorization through Oura at any time.

02

Information we process

Oura information

Depending on the permissions you grant, the Service processes daily readiness, sleep, and activity scores; sleep duration, stages, efficiency, and timing; steps and active calories; resting heart rate; heart rate variability; and related dates and timestamps. The Service also uses an OAuth access token to request this information from Oura on your behalf.

Technical information

Our hosting provider may automatically process limited technical information needed to deliver and secure the Service, such as IP address, browser and device type, request time, referring page, error information, and similar server logs. We do not use advertising cookies or third-party behavioral analytics.

03

How we use information

We process information only as needed to:

  • request the Oura information you authorized and present it in your dashboard;
  • calculate simple summaries and trends for your own review;
  • operate, secure, troubleshoot, and improve the reliability of the Service;
  • comply with law and enforce our Terms of Service; and
  • respond to privacy, security, or support requests.
What we do not do

We do not sell your information, use it for advertising or marketing profiles, train artificial intelligence models on it, combine it with other people’s data, or disclose it to data brokers.

04

How information is shared

We disclose information only in these limited circumstances:

  • Oura. We communicate with Oura’s API at your direction to retrieve your authorized data.
  • Infrastructure and identity providers. Vercel hosts and delivers the Service, WorkOS manages account authentication, and Convex stores account-linked connection and metric records. These providers may process data on our behalf under their applicable terms.
  • Legal and safety reasons. We may disclose information when reasonably necessary to comply with law, protect rights or safety, investigate abuse, or respond to valid legal process.
  • Business changes. If responsibility for the Service changes, information may transfer as part of that transaction, subject to this Policy and applicable law.
05

Retention and deletion

Within stores normalized daily Oura metrics in Convex so your history remains associated with your authenticated account and can be shown during temporary Oura outages. We retain only the fields used by the dashboard rather than raw Oura API responses. Platform caches, request handling systems, and security logs may also retain limited information for their ordinary operational periods.

Oura OAuth credentials are encrypted before they are stored and retained only for as long as needed to provide the Service or until access is revoked. When you disconnect Oura, request deletion, or withdraw authorization, we will stop processing your Oura data and delete Oura user data under our control within 72 hours, except where retention is legally required.

06

Your choices and rights

You may revoke the Service’s access from your Oura account at any time. Depending on where you live, you may also have rights to request access to, correction of, deletion of, or a portable copy of personal information; object to or restrict processing; withdraw consent; or complain to a privacy regulator.

To exercise a right, email privacy@crob.ca. We may need to verify your identity before fulfilling a request. We will not discriminate against you for exercising a privacy right.

07

Security

We use administrative and technical safeguards designed for the sensitivity of health information, including encrypted transport, restricted secret access, and managed hosting controls. No online service can guarantee absolute security. If you believe your information or access token may be at risk, revoke access through Oura and contact us promptly.

08

International processing

Oura and our infrastructure providers may process information outside your province, state, or country, including in the United States. Those locations may have different data protection laws. Where required, we use lawful safeguards for cross-border processing.

09

Children

The Service is intended for adults and is not directed to children under 18. We do not knowingly request Oura information from a child. If you believe a child’s information has been provided, contact us so it can be removed.

10

Changes and contact

We may update this Policy to reflect changes to the Service, providers, or law. We will post the revised Policy here and change its effective date. Material changes will be highlighted where reasonably practicable.

Questions, complaints, and privacy requests may be sent to privacy@crob.ca.

Within · A private window into your wellbeing.

PrivacyTerms