Privacy Policy

OxyRemote ("we", "our", or "us") is a mobile application designed to connect to Bluetooth pulse oximeters and provide real-time and remote health monitoring. This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your information. By using OxyRemote you agree to the practices described in this policy. If you do not agree, please discontinue use of the app.

Account Information When you register, we collect your email address to create and manage your account. We do not collect your name, phone number, or payment card details directly. Health & Biometric Data OxyRemote reads data transmitted by your Bluetooth pulse oximeter, including: • Blood oxygen saturation (SpO₂) percentage • Heart rate (beats per minute) • Device battery level (when available) This data is stored in your personal account and used solely to provide the monitoring features described below. Bluetooth Device Identifiers To pair with your oximeter, the app reads the device's Bluetooth identifier (UUID) and manufacturer advertisement data. These identifiers are stored locally and in your account to enable automatic reconnection. Usage Data We collect anonymised, aggregated technical information (app version, OS version, crash reports) to improve reliability. This data cannot be used to identify you personally. Subscription Data Purchase status and entitlement information is managed by RevenueCat on our behalf. We do not receive or store your payment card details at any time.

We use collected information to: • Deliver real-time SpO₂ and heart rate monitoring within the app • Enable remote monitoring by authorised viewers you designate • Send in-app threshold alerts when readings fall outside safe ranges • Synchronise historical readings across your devices • Diagnose and resolve technical issues • Verify subscription entitlements and enforce plan limits We do not use your health data for advertising, do not sell it to third parties, and do not use it to train machine-learning models outside your device.

Your health data is stored in Supabase, a cloud database with the following protections: • End-to-end TLS encryption for all data in transit • Row-Level Security (RLS) policies so each user can access only their own records • Your account credentials are never stored in plain text Real-time monitoring data is transmitted over encrypted WebSocket connections (TLS 1.2+) hosted on Fly.io infrastructure. While we implement industry-standard security measures, no system is completely immune to breaches. We will notify you promptly if a breach affecting your data occurs.

We share your data only in the following limited circumstances: Authorised Viewers If you choose to share a device through the app, the designated viewer can see live and historical readings for that device. You can revoke sharing at any time from the device settings. Service Providers We use the following sub-processors to operate the app: • Supabase — cloud database and authentication • Fly.io — real-time WebSocket server • RevenueCat — subscription management Each service provider is contractually obligated to protect your data and use it only for the purposes we specify. Legal Requirements We may disclose data if required by applicable law, regulation, or valid legal process, and where permitted will notify you in advance.

We retain your health readings for as long as your account is active. Historical readings older than 12 months may be automatically archived or deleted to manage storage costs; you will be notified in advance of any such policy change. You may request deletion of your account and all associated data at any time (see Section 8). Upon verified deletion we remove your data from live databases within 30 days. Backup copies are purged within 90 days.

OxyRemote is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it promptly.

Depending on your jurisdiction, you may have the right to: • Access a copy of the personal data we hold about you • Correct inaccurate data • Request deletion of your account and all associated data • Object to or restrict certain processing • Data portability (receive your data in a machine-readable format) To exercise any of these rights, contact us at the address in Section 10. We will respond within 30 days. You can export your SpO₂/HR history from the History screen at any time, without contacting us.

We may update this Privacy Policy from time to time. We will notify you of material changes via an in-app notice at least 14 days before they take effect. Continued use of OxyRemote after the effective date constitutes acceptance of the revised policy. The "Last updated" date at the bottom of this screen always reflects the current version.

If you have questions about this Privacy Policy or want to exercise your data rights, please contact: OxyRemote Privacy Email: support@oxyremote.com We will acknowledge your request within 5 business days and resolve it within 30 days.