This Privacy Policy describes in detail how ONU Health Inc. (“ONU Health”, “we”, “us”, or “our”) collects, processes, stores, uses, safeguards, and discloses personal data in connection with the ONU Health mobile application, website, wearable integrations (including the ONU Bracelet), artificial intelligence features, and all related services (collectively, the “Services”).

We recognize that health-related data is among the most sensitive categories of personal information. Accordingly, we process such data with heightened safeguards and in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), as well as other applicable international and national privacy laws.

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.

Identity of the Controller
The data controller responsible for the processing of personal data under this Privacy Policy is:
ONU Health Inc.
2093 Philadelphia Pike, #2188
Claymont, DE 19703
United States
Operational Office (EU):
Chausseestrasse 37
10115 Berlin, Germany
For privacy-related inquiries, data access requests, or regulatory questions, please contact:
support@onuhealth.com (Subject: Privacy Request)
Where required by applicable law, ONU Health will designate a Data Protection Officer or EU Representative and publish contact details accordingly.

Description of the Services and Regulatory Positioning
ONU Health provides a digital wellness platform designed to help users organize, visualize, and better understand personal health-related information. The Services may integrate wearable data, user-uploaded documents, and AI-generated summaries to present informational wellness insights.
The ONU Bracelet and associated software features are consumer wellness tools. They are not certified or registered as medical devices under:
• Regulation (EU) 2017/745 on medical devices (MDR)
• U.S. Food and Drug Administration (FDA) medical device regulations
• Any other national medical device regulatory framework
The ONU Bracelet is intended for general health and lifestyle monitoring purposes only. It is not intended to diagnose, treat, cure, mitigate, or prevent any disease or medical condition.
The Services do not provide medical advice, medical diagnosis, or medical treatment. Any health metrics, risk indicators, summaries, or AI-generated outputs are informational in nature and are designed to support personal awareness and wellness tracking. They are not clinical assessments and should not be relied upon as a substitute for professional medical evaluation.
Risk indicators or wellness insights generated by the platform are derived from statistical modeling, user-provided data, and general health correlations. They do not constitute medical conclusions and should not be interpreted as a medical determination of disease presence or absence.
Users should always consult a qualified physician or licensed healthcare provider before making medical decisions, starting or stopping treatments, or interpreting laboratory results.
ONU Health does not claim regulatory clearance for medical diagnosis or therapeutic monitoring and does not position the ONU Bracelet as a medical-grade device.
If regulatory classification requirements change in the future, ONU Health will update its compliance position accordingly.

Categories of Personal Data Processed
We process different categories of personal data depending on how you interact with the Services.
When you create an account, we collect account-related information such as your email address, login credentials (stored in encrypted and hashed format), and optional profile data you provide. We also process support communications and any information voluntarily included in correspondence.
When you use the mobile application or website, we automatically collect technical and device-related data necessary to operate and secure the Services. This may include your IP address, device model, operating system version, application version, language preferences, and general geographic region derived from IP address. We may also process diagnostic logs, crash reports, and security-related telemetry to ensure system stability and detect malicious activity.
If you upload health documents, we process the contents of those documents. This may include laboratory test results, biomarker data, prescriptions, diagnoses, symptoms, medical histories, physician notes, medication records, and other health-related content that you voluntarily provide.
If you connect wearable devices or authorize integration with third-party services such as Apple Health, we process wearable wellness data that you explicitly allow us to access. This may include heart rate data, sleep duration and stages, activity levels, estimated calorie expenditure, blood oxygen saturation levels, respiratory rate, skin temperature (if supported), height, weight, and other physiological measurements. We process only the data categories you grant permission to access.
If you enable AI-powered features, we process your prompts, contextual health information selected for analysis, summaries of wearable trends, and the AI-generated responses. Conversation history may be retained within your account to maintain context across interactions.
We may also derive additional insights from your data, including wellness trends, correlations between behavioral and physiological metrics, recovery indicators, estimated risk signals, and educational recommendations. Such derived data remains personal data where it can be associated with your account.

Purpose of Processing
We process personal data for clearly defined and limited purposes.
We process account and authentication data to create and maintain your user account and provide access to the Services.
We process health-related data and wearable data to display metrics, generate trends, and provide wellness-oriented insights. These processing activities are strictly limited to supporting user-requested features.
If AI features are enabled, we process selected health information and contextual data to generate summaries, explanations, and wellness insights using ONU Health’s internal AI system and, for certain features, an external AI service provider (OpenAI), only after explicit user consent.
We process technical and usage data to maintain security, prevent unauthorized access, detect fraud, debug errors, and ensure reliable system performance.
We may use aggregated or de-identified data for internal research, analytics, product development, and improvement of the Services. Such aggregated data cannot reasonably identify individual users.
We do not use health data for advertising purposes, behavioral profiling for marketing, or sale to third parties.

AI Consent and User Control
AI-powered features within ONU Health are optional and require explicit user activation.
Before AI processing is enabled, users are presented with a clear in-app explanation describing:
• The categories of health and contextual data that may be processed
• The purpose of AI processing
• The location of data processing infrastructure
• The informational nature of AI-generated outputs
AI processing does not begin unless the user affirmatively provides consent through the application interface.
Users may withdraw consent at any time in the application settings (Settings → Privacy → AI Chat). Upon withdrawal, no further AI processing will occur
Users may withdraw consent at any time in the application settings. Upon withdrawal, no further AI processing will occur. Withdrawal does not affect processing that occurred prior to consent withdrawal. Read more ONU AIs Terms of Service.

Legal Basis for Processing
For users located in the European Economic Area, we rely on the following legal bases under GDPR.
For processing necessary to provide the Services (such as account management and storage of uploaded content), we rely on Article 6(1)(b) GDPR (performance of a contract).
For optional wearable integrations, document uploads containing health data, and AI-powered analysis of health information, we rely on Article 6(1)(a) GDPR (consent) and Article 9(2)(a) GDPR (explicit consent for special category data).
For platform security, fraud prevention, and system integrity, we rely on Article 6(1)(f) GDPR (legitimate interests), balanced against user rights and expectations.
For compliance with legal obligations, we rely on Article 6(1)(c) GDPR.
You may withdraw consent at any time via the app settings. Withdrawal does not affect prior lawful processing.

AI Processing and Infrastructure Transparency
ONU Health operates its own proprietary artificial intelligence system (“ONU AI”) hosted on ONU-controlled infrastructure.
For certain AI features, user inputs may also be processed by an external AI service provider (OpenAI) solely to generate the requested AI output.
External AI processing occurs only after explicit user consent and follows data minimization principles
For users located in the European Union, health data processed through AI features is handled within Amazon Web Services (AWS) infrastructure located in Frankfurt, Germany (eu-central-1 region). Where OpenAI is used for an AI feature, relevant user inputs may be processed in OpenAI’s locations (see Data Sharing and Subprocessors) with appropriate transfer safeguards. This includes document summaries, wearable trend analysis, contextual health explanations, and other AI-supported features.
Users may withdraw consent at any time in the application settings (Settings → Privacy → AI Chat). Upon withdrawal, no further AI processing will occur
ONU Health also operates AWS infrastructure in the United States for limited operational purposes such as redundancy, infrastructure monitoring, system administration, and security tooling. Where personal data is transferred outside the European Economic Area, such transfers are protected by legally recognized safeguards, including Standard Contractual Clauses approved by the European Commission.
When AI features are enabled, the following categories of data may be processed by ONU AI:
• Health documents explicitly selected by the user for analysis
• Wearable wellness data summaries (e.g., recent sleep trends, heart rate averages)
• Self-reported symptoms and health history entries
• User-submitted prompts and contextual interaction data
• Previously generated AI conversation history (if conversation continuity is enabled)
AI processing follows strict data minimization principles. Only the information necessary to generate the requested output is processed.
AI features are strictly optional. Before enabling AI functionality, users are presented within the application with a clear explanation of AI data processing and must provide explicit consent. AI processing does not occur unless this consent is granted. Users may withdraw consent at any time in the application settings, which will disable future AI processing.
ONU AI systems are not trained in a manner that would make individual user health records publicly available or retrievable by other users. Health data submitted for AI processing is not used to train publicly accessible models.
AI-generated responses are probabilistic and may contain inaccuracies. They are intended solely for educational and wellness-support purposes and do not constitute medical advice.
Operational logs related to AI processing may be retained for up to thirty (30) days for debugging, abuse prevention, and security auditing purposes, after which they are deleted or anonymized unless longer retention is required by law. Read more ONU AIs Terms of Service.

Data Storage and Security Measures
Personal data is stored within Amazon Web Services (AWS) infrastructure.
For EU users, core health and account data is primarily stored and processed within AWS Frankfurt. Access to production systems is restricted to authorized personnel under strict access controls based on the principle of least privilege.
We implement encryption in transit using TLS protocols and encryption at rest where applicable. Internal access to health data is logged and monitored. Administrative access requires authentication safeguards and is limited to authorized personnel with a legitimate operational need.
Despite these measures, no system can guarantee absolute security. Users are encouraged to maintain strong passwords and safeguard account credentials.

Data Sharing and Subprocessors
ONU Health does not sell, rent, trade, or monetize personal data or health data.
We share personal data only where necessary to operate, secure, and improve the Services. This includes sharing data with carefully selected service providers (“Subprocessors”) who process personal data on our behalf under written data processing agreements that require confidentiality, security safeguards, and compliance with applicable data protection laws.

Third-Party Integrations
If you choose to connect Apple Health, ONU Health may receive and process the health and activity data you authorize through your device permissions. Apple Health data access is controlled by your device permissions, and you can enable or disable access at any time in your iOS settings. Apple Health is an optional integration you choose to connect. Apple is not a subprocessor that ONU Health engages to process data on our behalf.
Below is the list of Subprocessors and how we use their services.


Subprocessors act solely under ONU Health’s instructions and may not use personal data for their own independent purposes.
We may disclose personal data if required by applicable law, valid court order, subpoena, or governmental request. We may also disclose personal data where necessary to protect the rights, safety, or security of ONU Health, our users, or the public.
In the event of a corporate transaction such as a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of the transaction, subject to continued protection consistent with this Privacy Policy.

Data Retention and Deletion
We retain personal data only as long as necessary to provide the Services and fulfill the purposes described herein.
Account data is retained while your account remains active. Upon deletion of your account, personal data is deleted or irreversibly anonymized within thirty (30) days unless legal retention obligations apply or retention is required for security investigations or dispute resolution.
Users may request deletion at any time by contacting support@onuhealth.com.

International Transfers
Where personal data is transferred outside the European Economic Area, we implement appropriate safeguards under GDPR, including Standard Contractual Clauses or other legally approved transfer mechanisms.
You may request further details regarding international transfer safeguards by contacting us.

Your Rights
If you are located in the EEA, you have rights under GDPR including access, rectification, erasure, restriction of processing, data portability, objection, and the right to lodge a complaint with a supervisory authority.
Requests may be submitted to support@onuhealth.com. We may require identity verification before responding.

Children
The Services are not directed to children below the age required by applicable law. We do not knowingly collect personal data from children. If such data is identified, it will be deleted promptly.

Updates to this Policy
We may update this Privacy Policy to reflect changes in technology, law, or business operations. Material updates will be communicated where required by law.
Continued use of the Services constitutes acknowledgment of the updated Privacy Policy.

Contact
For privacy inquiries, please contact:
support@onuhealth.com
Subject: Privacy Request

Last Updated: March 5, 2026