Last Updated: December 16, 2019
At Expy Health, we believe strongly in transparency, data safety & security, and your partnership to ensure we are stewards of your data. We appreciate that you trust us with information that is important to you, and we want you to know how this information is used by us in service to you.
Below, we describe the privacy practices for our applications, software, websites, APIs, products, and services (the “Services”). You will learn about the data we collect, how we use it, the controls we give you over your information, and the measures we take to keep it safe.
Specifically, we’ll cover:
- Information We Collect
- How We Use Information
- How Information Is Shared
- Your Rights To Access and Control Your Personal Data
- Data Retention
- Analytics and Advertising Services Provided by Others
- Our Policies for Children
- Information Security
- Our International Operations and Data Transfers
- Changes to This Policy
- Who We Are and How To Contact Us
Information We Collect
When you use our Services, we collect the following types of information.
Information You Provide to us
Some information is required to create an account on our Services, such as your name, email address, password, date of birth, gender, height, weight, surgery date, type of surgery, medical conditions, and in some cases your mobile telephone number. This is the only information you have to provide to create an account with us.
If you contact Expy Health through our support system, for instance by sending us an email at [email protected], we also collect your name and email address.
To help improve your experience or enable certain features of the Services, you may choose to provide us with additional information. This may include responses to health surveys that ask questions related to your health. This may also include information collected through interactive exercises you choose to complete such as a range-of-motion measurement or a walking test.
You may also choose to contact our sales team and provide personal information such as your name, email address, phone number, not for the purpose of creating an account with Expy Health, we use this information to contact you and tell you about our services.
Information from Third Party Services
If you choose to connect your account on our Services to your account on another service, we may receive information from the other service. For example, if you connect to Apple HealthKit on your iOS device or GoogleFit on your Android device, we may receive fitness information like your exercise and activity data. You can stop sharing the information from the other service with us by removing our access to that other service.
You may also choose to connect your account on our Services to your account on another service that has an external device. For example, if you connect your FitBit activity tracker, we may receive additional exercise and activity data. You can also stop sharing the information from the external device with us at any time.
Information we collect automatically on our Sites
Browser and device data, such as IP address, device type, operating system and Internet browser type, screen resolution, operating system name and version, device manufacturer and model, language, plug-ins, add-ons and the language version of the Sites you are visiting;
Usage data, such as time spent on the Sites, pages visited, links clicked, language preferences, and the pages that led or referred you to our Sites.
Information We Receive from Your Use of Our Services
Your device, such as your smartphone or wearable, collects data to estimate a variety of metrics like the number of steps you take, your distance traveled, and range of motion. The data collected varies depending on which device you use. When your device syncs with our applications or software, data recorded on your device is transferred from your device to our servers.
The Services include features that use precise location data, including GPS signals, device sensors, Wi-Fi access points, and cell tower IDs. We collect this type of data if you grant us access to your location. You can always remove our access using your mobile device settings. We may also derive your approximate location from your IP address.
When you access or use our Services, we receive certain usage data. This includes information about your interaction with the Services, for example, when you view content, create or log into your account, or pair an external device to your account.
We also collect data about the devices and computers you use to access the Services, including IP addresses, browser type, language, operating system, mobile device information (including device and application identifiers), the referring web page, pages visited, location (depending on the permissions you have granted us), and cookie information.
Health and Other Special Categories of Personal Data
To the extent that information we collect is health data or another special category of personal data subject to the European Union’s General Data Protection Regulation (“GDPR”), we ask for your explicit consent to process the data. We obtain this consent separately when you take actions leading to our obtaining the data, for example, when you pair your device to your account to grant us access to your exercise or activity data from another service. You can use your smartphone account settings to withdraw your consent at any time. To delete your account and all related data, you can send a request to [email protected]
Health Data From Third Parties as a Data Processor
How We Use The Information
We use the information we collect for the following purposes.
Provide and Maintain the Services
Using the information we collect, we are able to deliver the Services to you and honor our Terms of Service contract with you. For example, we need to use your information to provide you with your personal Profile which tracks your progress, activity, physical health measurements, other trends, and to give you customer support. In addition, the information is used to provide you with meaningful feedback about your status and progress through one of the Expy Health programs you are currently using or have used in the past.
Improve, Personalize, and Develop New Services
We use the information we collect to improve and personalize the Services and to develop new ones. For example, we use the information to troubleshoot and protect against errors; perform data analysis and testing; conduct research and surveys; and develop new features and Services.
We also use your information to make inferences and show you more relevant content. For example, information like your height, weight, gender, and age allows us to improve the accuracy of your daily assigned activities.
Communicate With You
We use your information when needed to send you Service notifications and respond to you when you contact us. We also use your information to promote new features or products that we think you would be interested in. You can control marketing communications and most Service notifications by using your notification preferences or via the “Unsubscribe” link in an email.
Promote Safety and Security
We use the information we collect to promote the safety and security of the Services, our users, and other parties. For example, we may use the information to authenticate users, facilitate secure payments, protect against fraud and abuse, respond to a legal request or claim, conduct audits, and enforce our terms and policies.
For personal data subject to the GDPR, we rely on several legal bases to process the data. These include when you have given your consent, which you may withdraw at any time by sending a request to [email protected]; when the processing is necessary to perform a contract with you, like the Terms of Service; and our legitimate business interests, such as in improving, personalizing, and developing the Services, marketing new features or products that may be of interest, and promoting safety and security as described above.
How Information is Shared
We do not share your personal information except in the limited circumstances described below.
When You Agree or Direct Us to Share
You may direct us to disclose your information to others, such as with your doctor’s office or a member of your family.
You may also authorize us to share your information with others, for example, with a third-party application when you give it access to your account, or with your employer when you choose to participate in an employee program. Remember that their use of your information will be governed by their privacy policies and terms. You can revoke your consent to share with third-party applications or employee wellness programs using your account settings.
For External Processing
We transfer information to our corporate partners, service providers, and others who process it for us, based on our instructions, and in compliance with this policy and any other appropriate confidentiality and security measures. These partners provide us with services globally, including for customer support, information technology, payments, sales, marketing, data analysis, research, and surveys.
For Legal Reasons or to Prevent Harm
We may preserve or disclose information about you to comply with a law, regulation, legal process, or governmental request; to assert legal rights or defend against legal claims; or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of the Services or the physical safety of any person.
Please note: Our policy is to notify you of legal process seeking access to your information, such as search warrants, court orders, or subpoenas, unless we are prohibited by law from doing so. In cases where a court order specifies a non-disclosure period, we provide delayed notice after the expiration of the non-disclosure period. Exceptions to our notice policy include exigent or counterproductive circumstances, for example, when there is an emergency involving a danger of death or serious physical injury to a person.
We may share non-personal information that is aggregated or de-identified so that it cannot reasonably be used to identify an individual. We may disclose such information publicly and to third parties, for example, in public reports about health behavior, to partners under agreement with us, or as part of the community benchmarking information we provide to users of our services.
If we are involved in a merger, acquisition, or sale of assets, we will continue to take measures to protect the confidentiality of personal information and give affected users notice before transferring any personal information to a new entity.
Your Rights to Access and Control Your Personal Data
We give you account settings and tools to access and control your personal data, as described below, regardless of where you live. If you live in the European Economic Area, United Kingdom, and Switzerland (the “Designated Countries”), you have a number of legal rights with respect to your information, which your account settings and tools allow you to exercise, as outlined below.
Accessing and Exporting Data. By logging into your account, you can access much of your personal information, including your Profile with your activity statistics. By sending a request to [email protected], you can receive a link to download information in a commonly used file format.
Editing and Deleting Data. If you find errors in your data, this can be corrected either through the account settings in the Application or by sending a request to [email protected]
If you choose to delete your account, please note that while most of your information will be deleted within 30 days, it may take up to 90 days to delete all of your information, like the data recorded by your device and other data stored in our backup systems. This is due to the size and complexity of the systems we use to store data. We may also preserve data for legal reasons or to prevent harm, including as described in the How Information Is Shared section.
Objecting to Data Use. We give you account settings and tools to control our data use.
If you live in a Designated Country, in certain circumstances, you can object to our processing of your information based on our legitimate interests, including as described in the How We Use Information section. You have a general right to object to the use of your information for direct marketing purposes. Please contact us at [email protected] to control our marketing communications to you about Expy Health products and services.
Restricting or Limiting Data Use. If you reside in a Designated Country, you can seek to restrict our processing of your data in certain circumstances. Please submit a request to [email protected] Please note that you can always ask to delete your account at any time.
If you need further assistance regarding your rights, please contact our Data Protection Officer at [email protected], and we will consider your request in accordance with applicable laws. If you reside in a Designated Country, you also have a right to lodge a complaint with your local data protection authority or with the Irish Data Protection Commissioner, our lead supervisory authority, whose contact information is available here.
We keep your account information, like your name, email address, and password, for as long as your account is in existence because we need it to operate your account. In some cases, when you give us information for a feature of the Services, we delete the data after it is no longer needed for the feature. We keep other information, like your activity or health data, until you request to delete the data or your account because we use this data to provide you with personal statistics and other aspects of the Services. We also keep information about you and your use of the Services for as long as necessary for our legitimate business interests, for legal reasons, and to prevent harm, including as described in the How We Use Information and How Information Is Shared sections.
Analytics and Advertising Services Provided by Others
Our Policies for Children
We appreciate the importance of taking additional measures to protect children’s privacy.
Persons under the age of 13, or any higher minimum age in the jurisdiction where that person resides, are not permitted to create accounts unless their parent has consented in accordance with applicable law. If we learn that we have collected the personal information of a child under the relevant minimum age without parental consent, we will take steps to delete the information as soon as possible. Parents who believe that their child has submitted personal information to us and would like to have it deleted may contact us at [email protected]
We work hard to keep your data safe. We use a combination of technical, administrative, and physical controls to maintain the security of your data. This includes using Transport Layer Security (“TLS”) to encrypt many of our Services. No method of transmitting or storing data is completely secure, however. If you have a security-related concern, please contact Customer Support.
To protect sensitive information such as your fitness or health data, we follow guidelines for securing protected health information as outlined in the HIPAA/HITECH security rules.
Our International Operations and Data Transfers
We operate internationally and transfer information to the United States and other countries for the purposes described in this policy.
We rely on multiple legal bases to lawfully transfer personal data around the world. These include your consent, the EU-US and Swiss-US Privacy Shield, and EU Commission approved model contractual clauses, which require certain privacy and security protections. You may obtain copies of the model contractual clauses by contacting us. Expy Health complies with the Privacy Shield principles regarding the collection, use, sharing, and retention of personal information as described in our Privacy Shield certifications. Learn more about Privacy Shield here.
Expy Health, Inc. is subject to the oversight of the US Federal Trade Commission and remains responsible for personal information that we transfer to others who process it on our behalf as described in the How Information Is Shared section. If you have a complaint about our Privacy Shield compliance, please contact us. You can also refer a complaint to our chosen independent dispute resolution body JAMS, and in certain circumstances, invoke the Privacy Shield arbitration process.
Please note that the countries where we operate may have privacy and data protection laws that differ from, and are potentially less protective than, the laws of your country. You agree to this risk when you create a Expy Health account and click “I agree” to data transfers, irrespective of which country you live in. For a list of the locations where we have offices, please see our company information here. If you later wish to withdraw your consent, you can delete your Expy Health account as described in the Your Rights To Access and Control Your Personal Data section.
Changes to This Policy
We will notify you before we make material changes to this policy and give you an opportunity to review the revised policy before deciding if you would like to continue to use the Services. You can review previous versions of the policy in our archive.
Who We Are and How to Contact Us
If you have questions, suggestions, or concerns about this policy, or about our use of your information, please contact us at [email protected]
Expy Health as a data controller and a data processor
EU data protection law makes a distinction between organisations that process Personal Data for their own purposes (known as “data controllers”) and organisations that process Personal Data on behalf of other organisations (known as “data processors”). As noted above, we are not always a data controller of the data in our possession, but are sometimes a data processor for other companies such as our customers or partners. In such cases, we may direct your inquiry to the relevant data controller, since data controllers are the ones with primary responsibility for your Personal Data.
If you reside elsewhere, then Expy Health, Inc., a US company, is the data controller that provides you with the Services. You may contact us at:
Expy Health, Inc.
3415 S Sepulveda Blvd 10th Floor,
Los Angeles, CA 90034