December 21, 2016.

At Rythm, we want you to know that we take your information and data very seriously. We have taken crucial measures to ensure that your data is protected and not shared with anyone without your permission. Some of our measures and tools are listed below, but we plan on continuously overhauling and updating these tools to help safeguard your data. Please feel free to reach out to us at any point at legal@rythm.co if you have any suggestions, questions or concerns about our Privacy Policy.

Who We Are

Rythm, Inc., and its parents and affiliates (collectively “Rythm”, “we”, “us”, or “our”), are committed to keeping any and all personal information collected from individuals that visit our website and who use our headband and other products (collectively, the “Products”), mobile application and/or software (the “Application”) and services (collectively with the Products and Application, the, “Services”) confidential, secure and private.

By accessing and using our Services, you (“you” or “your”) acknowledge and agree that you accept the policies set forth in this Privacy Policy as a condition of your use of our Services. If your use of the Services is through or on behalf of an organization or corporate entity, you are agreeing to accept the policies set forth in this Privacy Policy on behalf of such organization or entity, and are representing to us that you are authorized to do so.

Information We Collect

We collect and use the following information to provide, improve and protect our Services:

We may collect certain information that you specifically and intentionally provide to us. For example, when you create a user account with us, we may collect personal information about you such as your name, email address, phone number, age, sex, and physical address. We may also collect financial information that you choose to share with us, such as your credit or debit card number, billing address, and other billing information. Other unique information that we may collect includes product and service preferences, contact preferences, educational and employment background, and job interest data.

We also may collect information that you do not specifically and intentionally provide to us. This would include your Internet Protocol address, browser type and language, the device you are using to access the Services, your Internet Service Provider, referring and exit pages, click data, traffic data, log information and your operating system. This information, together with information found in the previous paragraph, shall be referred to as “Personal Information”.

We may also obtain information, including Personal Information, from third parties and sources other than the Services. If we combine or associate information from other sources with Personal Information collected by the Services, we will treat the combined information as Personal Information in accordance with this Privacy Policy, provided that if such third party contractually enforces additional requirements, we will be bound to adhere to such requirements.

In addition, we may collect certain health-related information that you provide to us through your use of the Services. This includes information about your sleep habits, including the time you sleep, your sleep quality, the results of regular electroencephalograms (EEGs) performed by the Product, and other information pertaining to your health and sleep quality (collectively “Health Information”).

WE DO NOT AND WILL NOT KNOWINGLY ALLOW ANYONE UNDER 13 YEARS OF AGE TO PROVIDE US ANY PERSONAL IDENTIFYING INFORMATION. USERS OF THE SERVICES WILL BE DEEMED TO HAVE FULL CONTROL OVER THEIR PRODUCTS AND USER ACCOUNTS, AND MUST ENSURE THAT NO CHILDREN UNDER THE AGE OF 13 USE OUR SERVICES IN ANY MANNER WHICH WOULD PROVIDE US OR ANY THIRD PARTY WITH ANY PERSONAL INFORMATION OF A CHILD. IF WE LEARN THAT WE HAVE COLLECTED PERSONAL INFORMATION FROM A CHILD UNDER AGE 13, WE WILL DELETE THAT INFORMATION AS QUICKLY AS POSSIBLE. IF YOU BELIEVE THAT WE MIGHT HAVE ANY PERSONAL INFORMATION ABOUT A CHILD UNDER AGE 13, PLEASE CONTACT US USING THE CONTACT INFORMATION PROVIDED BELOW.

How We Collect Information

We use various technologies to collect the information described above, and to provide, improve and protect our Services, which may include the use of cookies, device identifiers, and pixel tags. For example, cookies are small data files stored on your computer or device that enable our website to recognize your browser and capture and remember certain information. If we use cookies, we will do so in order to understand and save your preferences for future visits, compile aggregate data about website traffic and interaction so that we can offer a better user experience and tools in the future. You can set your browser to not accept cookies, but this may limit your experience with, and ability to use, the Services.

The Products are engineered to collect any and all Health Information which is or may be covered by this Privacy Policy, and may interact with the Application in connection with such Health Information.

Access to and Control of Information

You can access, review and/or update your user profile and settings on the Site, or within the Application. Both the Site and the Application which will allow you to modify, update, or restrict access to certain information.

You, of course, may choose to limit access and disclosure of your Personal or Health Information. However, this may limit your experience with, and ability to use, the Services.

Use of Information

We use the information that we collect for the express purpose of providing, operating, maintaining and improving the Services. Your Personal and Health Information will not be sold, exchanged, transferred, or given to any other person or entity for any other reason whatsoever, without your consent, except as follows:

HIPAA Compliance and Disclosure of Health Information

Some of the Health Information we collect may constitute “protected health information” (“PHI”) as defined by the Health Insurance Portability and Accountability Act of 1996, and the regulations promulgated thereunder(including, but not limited to, the Privacy Rule and the Security Rule) (collectively, “HIPAA”). Accordingly, we will never disclose any Health Information that we believe to be PHI to your employer, your health plan, any health care provider, or any health care clearinghouse (as such terms are defined in HIPAA).

If and when we do transfer PHI we have collected to any of the above entities, we will be required to execute a business associate agreement with such entity.

Except as expressly set forth in this section, we may disclose Health Information in accordance with this Privacy Policy.

Do Not Track Requests

RYTHM DOES NOT HONOR “DO NOT TRACK ME” REQUESTS, ALTHOUGH INDIVIDUAL BROWSERS MAY EMPLOY SUCH POLICIES AND USERS CAN, THEREFORE, INVOKE SUCH MEASURES.

Third Party Websites

Rythm may link to third party websites, applications, products and services, and may allow you to publish content on or through third party websites. We are not responsible for the practices employed by third party websites linked to or provided through the Services, nor the information or content contained therein. Please remember that when you use a link to another website, our Privacy Policy is no longer in effect. Your browsing and interaction on any other website, including those to which we link, is subject to that third party website’s own rules and policies. Please make sure to read over those rules and policies before proceeding. Additionally, you are solely responsible for any content which you elect to publish on or through any third party websites, and Rythm is not responsible for maintaining the privacy of anything contained therein.

Security

Rythm employs certain physical, administrative, and technical safeguards to help protect your Personal and Health Information. Please note, however, that this is not a guarantee that your information will remain secure. We cannot guarantee or warrant the security of any information you transmit to Rythm, and you transfer such information at your own risk.

Rythm uses reasonable security controls to protect your data and information from loss, misuse, unauthorized access, disclosure, alteration and destruction. The personal information you provide us is stored on computer systems located in controlled facilities which have limited access, and only carefully selected, authorized personnel have access to unencrypted user information. When collecting or transferring sensitive information such as credit card information, we use a variety of additional security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. When we transmit sensitive information over the internet, we protect it through the use of advanced encryption techniques, such as the Secure Socket Layer (SSL) protocol, and firewall.

Additionally, as part of real-time payment processing, Rythm may subscribe to fraud management services, and require any vendors or partners who process and store financial information for Rythm to comply with the Payment Card Industry Data Security Standard (PCI-DSS). These services and protocols provide Rythm with an extra level of security to guard against credit card fraud and to protect your financial data. Despite these precautions, no security safeguards guarantee 100% security all of the time, and no guarantees are made with respect to the same.

Rythm limits access to personal information about you to those employees who we reasonably believe need to come into contact with that information to provide products or services to you in order to do their jobs.

If we learn of a security breach, we may attempt to notify you electronically so that you can take appropriate protective steps. By providing information to us via the Services, you agree that we can communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Services. We may post a notice on our Site if a security breach occurs. We may also send you an email to the address you have provided us.

Enforcement and Dispute Resolution

If you have any questions, complaints or disputes regarding the manner in which we use or protect your information, please contact us using the contact information provided below. We will investigate and attempt to resolve any complaints and disputes in a reasonable time and in a manner that complies with the principles described in this Policy.

We want to address your concerns without a formal legal claim. Before filing a claim against us, you agree to try to resolve the dispute informally by contacting us in accordance with these Terms. We’ll try to resolve the dispute informally by contacting you via email. If a dispute is not resolved within thirty (30) days of submission, either you or Rythm may begin formal legal action, subject to the terms of this Privacy Policy.

The validity, performance, construction, and interpretation of this Privacy Policy shall be governed by the laws of the state of California. With respect to any disputes which cannot be resolved by our internal processes, you agree that jurisdiction for any state and federal courts located in San Francisco County, California. The parties hereby consent to the personal jurisdiction of such courts as described above.

In any legal action hereunder, the prevailing party shall be entitled to attorney’s fees and costs.

International Users

The information collected from United States users are hosted in the United States. The information collected from European Union users are hosted in Ireland. The information collected from users from any other region is hosted in Ireland.

If you are visiting from the United States, by providing your Personal and Health Information, you consent to the use of such information for the purposes identified above, in accordance with the terms of this Privacy Policy.

If you are visiting from other regions than the European Union or the United States, please note that you are transferring your data to Ireland, which may not have the same data protection laws as your jurisdiction. If you are visiting from other regions than the European Union or the United States, by providing your Personal and Health Information, you consent to (i) the use of such information for the purposes identified above, in accordance with the terms of this Privacy Policy; and (ii) the transfer of your Personal and Health Information to the Ireland, as indicated herein.

Changes to this Policy

This Privacy Policy is effective as of the effective date provided above. We reserve the right to amend and revise our Privacy Policy at any time, with or without notice. For example, we may amend or revise our Privacy Policy to comply with local, state, or Federal laws or to accommodate changes in technology, or to accommodate the needs of our users. This Privacy Policy may therefore be amended from time to time, consistent with applicable data protection and privacy laws and principles. If we make any material changes to this Privacy Policy, we will post a notice on our Site for 30 days from the date of any such material changes.

Contacting Us

Any questions or complaints about this Privacy Policy should be addressed to legal@rythm.co.