Effective Date: June 1, 2026
Last Updated: June 7, 2026
Ogymber Ltd (referred to as “Ogymber”, “we”, “us”, or “our”) is committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our mobile application (“App”), website (www.ogymber.com), and related services (collectively, the “Platform”).
We are the Data Controller for your information. If you have any questions about this policy, please contact us at:
Email: privacy@ogymber.com
Postal Address: Ogymber Ltd, 10 Dorset Street, Sheffield, United Kingdom
Data Protection Officer (DPO): dpo@ogymber.com
1. The Data We Collect About You
We collect several categories of personal data to provide and improve our behavioural wellness services. This includes:
A. Identity and Contact Data
Name, username, email address, date of birth (to verify age eligibility).
Billing address and payment information (processed securely via third-party providers; we do not store full card details).
B. Account and Profile Data
Password, preferences, feedback, survey responses, and support tickets.
Profile picture (optional), fitness goals, and movement preferences (e.g., preferred music genres).
C. Special Category Data (Health & Wellness)
Because Ogymber is a preventive health platform, we process Sensitive Personal Data as defined under Article 9 of the UK GDPR. This includes:
Behavioural Data: Consistency Scores, habit completion rates, sedentary time, movement snack history.
Physical Activity Data: Step counts, active minutes, and movement patterns (if you connect a wearable device).
Wellness Information: Stress levels, energy reports, and journal entries regarding mental or physical wellbeing.
We will only process this health data with your explicit consent, which you provide when you create an account and enable specific wellness tracking features.
D. Technical and Usage Data
IP address, device ID, browser type, operating system, and time zone settings.
Log data: pages viewed, features clicked, session duration, and crash reports.
Cookies and similar tracking technologies (see Section 5).
E. Corporate and B2B Data
If you use Ogymber through an employer or healthcare provider, we may process your work email and organisation name. The employer will receive only anonymised, aggregate data (e.g., “Team Consistency Score averages”) and cannot access your individual health data without your explicit written consent.
2. How We Collect Your Data
We collect data using the following methods:
Direct interactions: You provide data when filling in forms, creating an account, logging habits, or contacting support.
Automated technologies: As you interact with our Platform, we automatically collect Technical and Usage Data via device permissions and cookies.
Connected devices: With your permission, we sync data from third-party wearables (e.g., Apple HealthKit, Google Fit, Fitbit) and health apps.
Third parties: We may receive data from referral partners, corporate sponsors, or analytics providers.
3. How We Use Your Data (Purposes) & Lawful Bases
We rely on specific lawful bases for processing your data. Under UK GDPR, the permitted bases are: Consent, Contract, Legal Obligation, and Legitimate Interests.
Purpose/Activity | Type of Data | Lawful Basis for Processing
To register you as a user and manage your account | Identity, Contact | Performance of a contract
To deliver AI behavioural prompts and calculate your Consistency Score | Health, Behavioural, Usage | Consent (explicit for health data)
To provide sedentary interruption alerts and movement content | Health, Technical | Consent / Performance of a contract
To manage payments and subscriptions | Contact, Transaction | Performance of a contract / Legal obligation
To send you service emails (e.g., password reset, billing) | Identity, Contact | Legitimate Interests (essential service communications)
To send marketing communications (newsletters, tips, offers) | Identity, Marketing Preferences | Consent (for non-essential marketing)
To improve our AI algorithms and Platform features | Usage, Technical, Health (anonymised) | Legitimate Interests (to improve service) / Consent
To comply with legal and regulatory obligations | Identity, Transaction | Legal obligation
Note on Legitimate Interests: Where we rely on Legitimate Interests (e.g., fraud prevention, direct technical support), we have balanced these against your rights and interests. You have the right to object to processing based on Legitimate Interests.
4. Cookies and Tracking Technologies
Our Platform uses cookies and similar technologies to ensure functionality, analyse performance, and support marketing efforts.
Essential Cookies: Required for the App/Website to function (e.g., log-in sessions). These do not require consent.
Analytics/Performance Cookies: Help us count visits and traffic sources (e.g., Google Analytics, Mixpanel).
Functional Cookies: Remember your preferences (e.g., music choices).
Marketing Cookies: Track your activity across devices to deliver relevant ads.
You can manage your cookie preferences via our Cookie Banner when you first visit our site or via your browser settings. Withdrawing consent may affect certain features.
5. Data Sharing and Third Parties
We do not sell your personal data. However, we may share data with the following categories of recipients under strict confidentiality:
Service Providers: We engage third parties to perform functions on our behalf, including cloud hosting (AWS/Azure), analytics, payment processing (Stripe), customer support tools, and email distribution. These providers act as Data Processors and are bound by Data Processing Agreements (DPAs).
Corporate Clients (Employers): If you access Ogymber via a corporate wellness plan, we share only anonymised, aggregate metrics (e.g., “average sedentary reduction for the team”) with your employer. We never share your individual Consistency Score or personal health data without your explicit, separate consent.
Professional Advisers: Lawyers, accountants, and auditors where necessary to establish, exercise, or defend legal claims.
Regulators and Law Enforcement: If required to comply with a legal obligation (e.g., court order, ICO investigation).
6. International Data Transfers
Your data may be transferred to, and processed in, countries outside the United Kingdom, including the European Economic Area (EEA) and the United States (for cloud storage).
Where we transfer your data internationally, we ensure a similar degree of protection is afforded by implementing appropriate safeguards, such as:
The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs).
Transferring only to countries that the UK Government has deemed adequate (e.g., EEA countries).
7. Data Security
We have implemented appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, or disclosure. These include:
Encryption: Data is encrypted in transit (TLS 1.2/1.3) and at rest (AES-256).
Access Controls: Strict need-to-know access for employees (engineers, support staff).
Data Minimisation: We anonymise or pseudonymise health data for AI training where possible.
Vendor Management: We perform due diligence on all third-party processors.
While we strive to protect your data, no method of transmission over the internet is 100% secure. You are responsible for keeping your login credentials confidential.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy.
Active Accounts: Health and behavioural data is retained while your account is active to provide personalised coaching and track your Consistency Score history.
Inactive Accounts: If you stop using the Platform for 24 consecutive months, we will anonymise your personal health data (removing identifiers) and retain only anonymised usage statistics for research and platform improvement.
Financial Records: Transaction data is retained for 6 years to comply with HMRC tax obligations.
Account Deletion: When you request deletion, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal compliance.
9. Your Legal Rights
Under the UK GDPR, you have the following rights regarding your personal data. You can exercise these rights by contacting us at privacy@ogymber.com. We will respond within one month.
Right | Description
Right to Access | Request a copy of the personal data we hold about you (Subject Access Request).
Right to Rectification | Request correction of inaccurate or incomplete data.
Right to Erasure (Right to be Forgotten) | Request deletion of your data, subject to legal retention obligations (e.g., financial records).
Right to Restriction | Request restriction of processing if you contest the accuracy of the data.
Right to Data Portability | Request transfer of your data to another service provider in a structured, machine-readable format.
Right to Object | Object to processing based on Legitimate Interests (e.g., direct marketing).
Right to Withdraw Consent | Withdraw your consent at any time where we rely on consent to process health or marketing data. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
Right to Lodge a Complaint: If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to address your concerns first.
10. Children’s Privacy
Ogymber is not intended for children under the age of 13. Users aged 13 to 15 may use the Platform only with verified parental or guardian consent. We do not knowingly collect health data from children under 13. If you believe we have collected such data, please contact us to delete it.
11. Direct Marketing
We may send you promotional emails about new features, movement challenges, or wellness tips if you have opted in to receive marketing communications.
Opting Out: You can unsubscribe at any time by clicking the “unsubscribe” link in any marketing email or by updating your preferences in Account Settings.
Service Communications: Note that we will still send you essential service emails (e.g., subscription renewal confirmations, security alerts) even if you opt out of marketing.
12. Third-Party Links
The Platform may contain links to third-party websites, plug-ins, or applications (e.g., music streaming services, social media). Clicking those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.
13. Updates to this Privacy Policy
We may update this policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory guidance.
Minor changes: We will notify you via in-app notification or email.
Material changes (e.g., new data sharing practices): We will seek your explicit consent where required by law.
The “Last Updated” date at the top of this policy indicates when it was last revised. Please review it periodically.
14. Contact Us
If you have any questions about this privacy policy, our data practices, or wish to exercise any of your legal rights, please contact our Data Protection Officer (DPO):
Email: dpo@ogymber.com
Post: Data Protection Officer, Ogymber Ltd, 10 Dorset Street, Sheffield, United Kingdom
© 2026 Ogymber Ltd. All rights reserved.