Privacy Policy

Privacy Policy

Laden Sie die deutsche Version der Datenschutzrichtlinie herunter.


You must be 16 years or older to use our Services.

Protecting your data, privacy and personal data (as defined under Article 4(1) of the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and the California Consumer Privacy Act of 2018 (hereinafter “CCPA”)) is very important to Nanoleq AG (“us”, “our” or “we”). It is vitally important to us that our customers (the “users”) feel secure when using our products and services.

This privacy policy (the “Privacy Policy”), together with our Terms & Conditions at and any other documents referred therein, sets out the basis (Art. 13 GDPR) on which any personal data we collect from you, or that you provide to us, will be processed. Please read this Privacy Policy carefully to understand the types of data we collect from you, how we use it, the circumstances under which we will share it with third parties, and your rights in relation to your personal data.

You can use “Oxa” through our mobile application, Oxa Life, (the “App”), or separately from the app, in combination with third-party services. This Privacy Policy describes our data processing when using Oxa or accessing our websites or (the “Websites”) or any service and/or product we may provide you (Websites together with Oxa and any of our product and services, the “Services”). Where certain processing activities relate only to a specific product such as the App, the websites, or the Oxa sensor, this will be clearly indicated.

1. Who we are

Nanoleq AG is the controller (as defined under Article 4(7) GDPR) responsible for the processing of your personal data in connection with the Services.

In this Privacy Policy, “we”, “our” or “us” refer to:

Nanoleq AG (CH-
Hofwisenstrasse 50a
8153 Ruemlang, Switzerland
Tel.: 0041 78 975 1072

If you have any questions or comments about this notice, the ways in which Nanoleq AG collects and uses your information described here and in the Privacy Policy, and End User License Agreement, your choices and rights regarding such use, or wish to exercise your rights, our data protection officer can be contacted at

If you need to access this Policy in an alternative format due to having a disability, please contact us at

2. General overview of the data processing in connection with the Services

Before starting using our Services, you have to confirm that you have read our Privacy Policy carefully, and to consent to Oxa processing the personal data you supply in order to be provided with our Services.

Oxa interacts with you and your data. We want to inform you about the collection and processing of personal data necessary for the purpose of the Oxa app. This involves the provision of the functional and user-friendly website, including your content and services offered there, and the app functionality in accordance with the Terms of Use.

This section 2 aims at giving you a quick high-level overview of the data processing activities in connection with the Services we provide you.

If you wish to read in detail all the data processing activities we undertake, read the following section 3 relating to each specific data processing activity, and sections 4 to 9 that relate to:

Information that you provide to us: we may collect and process personal data that you will be asked to provide when you:

The information that we may ask you to provide includes, but is not limited to, your name, gender, date of birth, email address, phone number, address, personal history, goals, or further information required to verify your identity.

Information we collect about you: although we will not use it to identify you, we may collect the following data during each of your visits and use of our Services:

If you are using our Services on behalf of a third party, you must have obtained clear permission from the individuals whose data you provide us with before sharing that data. For the avoidance of any doubt, any reference in this Privacy Policy to “your data” shall include data about other individuals that you have provided us with.

Our Website may contain links to third-party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal data. Please check these policies before you submit any personal data to such third-party websites.

3. Which personal data we may collect and process, why and for how long

3.1 When you use our Website

3.2 When you use our Webshop

* Our webshop offers several different payment options, which may be handled by different service providers. For the specific details of each payment processors’ data handling, refer to our list of service providers.

3.3 When you register or manage a user account in the App

3.4 Google Login / Apple Login

3.5 Oxa breathing exercises

In some instances, some of the personal information that you give to us is considered health-related data. You may decide which personal information, if any, you would like to share with us, but some functions of Oxa may not be available to you without providing us the necessary personal information. Subject to applicable law, by providing personal information to us or consenting to or authorizing the disclosure of health-related data to us, you agree to our methods of collections and use, as well to other terms and provisions of this Policy.

3.6 Sensor usage independent from the Oxa app

Our Oxa device and services are designed to be used in conjunction with each other to provide the best possible experience. The Oxa sensor can also be used in standalone mode without using our app and services, and Oxa may be compatible with some existing apps.

Note that not all information, such as respiration, is available when used in standalone mode. Only the Oxa app can display the full information. When you use the sensor in standalone mode, we do not collect any data, but the app you use may do so.

Please read the privacy policy of the other app to understand what personal data is stored. We may receive data about your purchase of Oxa sensors, for example, through a web store.

Note that if you use the sensor in standalone mode, we cannot provide you with software updates and you may not have the latest innovations with the best data quality. Therefore, we recommend that you regularly use the Oxa app to check if a software update is available for the sensor.

3.7 Use of data for statistical and research purposes

Oxa is not a medical device. Please note that the App is not designed to diagnose, treat, cure or prevent diseases or medical conditions. The content and services and other information and guidance provided via the App are provided for informational purposes only and should not be used as an alternative to advice given by physicians or other health professionals. You must always consult a physician if you have any questions regarding a medical condition or any changes you wish to make to your activity or sleep based on information or guidance from Oxa. We do not and cannot share any information generated from the App with your physicians or other health professionals. For more information about safety with Oxa, see the Oxa’s Important Safety Information.

3.8 Monitor usage to ensure proper use, functioning, maintenance and improvement of the Services and related emails

3.9 Direct marketing for our own similar products and services

If you register for our e-mail newsletter, we will regularly send you information about our offers.

3.10 Performance reports

3.11 Feedbacks / Surveys

3.12 When you contact us

We use an email ticketing system, a customer service platform, to process customer enquiries.

If users of our websites send contact requests by email, these are stored and organized in the ticket system to enable chronological processing and to improve the service experience. Users can always view the latest status of the processing of their request via the individually assigned ticket number. Only for the organization of requests and their processing, personal data is collected as provided in the request, but in any case, data such as name, first name and email address will be transmitted to our service provider, stored there, and retrieved.

4. Cookies and Tracking

Our Websites use so-called “cookies”. Cookies are small files or other storage technologies that are stored by your browser on your computer. We use the term “cookies” to refer to all tools that collect data on our Websites (e.g. IP addresses, place and time of the visit). Your data collected in this way is pseudonymized, and is not stored together with your other personal data. This processing is used to make our websites more user-friendly, efficient, and secure and enables us, for example, to display our websites in different languages or to offer a shopping cart function. This processing is carried out on a legal basis (Art. 6 (1) lit. b) GDPR) and, where required by law, based on your consent. If the processing does not serve the initiation or execution of a contract, our legitimate interest lies in improving the functionality of our websites; the legal basis is then Art. 6 para. 1 lit. f) GDPR.

When accessing Oxa’s services online you can set your browser in such a way that you are informed about the setting of cookies and you can decide individually about their acceptance or exclude the acceptance of cookies for certain cases or generally. The functionality of our websites may be limited if cookies are not accepted. Each browser differs in the way it manages the cookie settings. This is described in the help menu of each browser, which explains how you can change your cookie settings. You will find these for the respective browsers under the following links:

When you use the App or Websites, certain third parties may use automatic information collection technologies to collect information about you or your device. These third parties may include:

These third parties may use tracking technologies to collect information about you when you use this app. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites, apps, and other online services websites. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.

We do not control these third parties’ tracking technologies or how they may be used, including use of your information to serve interest-based advertising. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. You can opt out of receiving targeted ads from members of the Network Advertising Initiative (“NAI”) on the NAI’s website.

5. Where and how we store your data

We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. All information you provide to us is stored on servers managed by Amazon Web Services located in Frankfurt, Germany (EU-Central-1). Any authentication service offered through the App is provided by Google Firebase.  

This data may, however, be processed by sub- processors operating outside of the European Economic Area (“EEA”) based on a data processing agreement, as long as the additional requirements of Article 44 et seq. GDPR for the processing of personal data in third countries are met (e.g. if the sub-processor can provide appropriate safeguards under Article 46 GDPR , such as but not limited to standard data protection clauses, binding corporate rules, approved code of conduct or exceptional circumstances under Article 49 GDPR) and any necessary additional measures based on case-by-case assessments.

Sensitive information between your browser and our Webshop and App are transferred in encrypted form using Transport Layer Security (“TLS”). When transmitting sensitive information, you should always make sure that your browser can validate our certificate.

All information you provide to us is stored on our secure servers behind firewalls. Any payment transactions will be encrypted by our service providers.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our App and/or Webshop, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Please contact us if you would like further details on the specific safeguards applied to the export of your personal data outside the EEA.

6. Disclosure of your personal data

6.1 We use technical service providers to operate and maintain our Services, who act as our processors based on a data processing agreement. A full list of our third-party processors processing your personal data on our behalf and strictly according to section 3 above can be found here. Where we use Service providers who process personal data on our behalf outside the EEA (or “third countries”) we do so with the appropriate safeguards for your data subject rights. To a limited extent, we do use service providers situated in the US. We have reached out to our US-based service providers and decided on alternative safeguards on a case-by-case basis in accordance with the guidance of European Data Protection Board.

More details on service providers and the measures taken to ensure your rights are detailed in the relevant sub-sections of section 3 above and the list of service providers.

6.2 In addition, we do not transfer your personal data to third parties – with the exception, when applicable, of the purposes listed below

6.3 If we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.

6.4 If we or, substantially, all of our assets are acquired by a third party, personal data about our users will be one of the transferred assets.

6.5 If we are required to comply with any court order, law, or legal process, including to respond to any government or regulatory request.

7. Retention of your personal data

We will hold your personal data for as long as it is necessary or required by law or by any relevant regulatory body, and always in compliance with the data minimization principle. Specific storage periods for the respective processing activities are detailed in section 3 above.

We will retain accounting data for ten years in accordance with the commercial and tax law storage obligations (Swiss Code of Obligations Article 958f and the Ordinance for keeping and retaining accounting records (Olico)).

If personal data is processed on the basis of an express consent pursuant to Art. 6 (1) point a GDPR, this data is stored until the data subject revokes his consent. If there are legal storage periods for data that is processed within the framework of legal or similar obligations on the basis of Art. 6 (1) point b GDPR, this data will be routinely deleted after expiry of the storage periods if it is no longer necessary for the fulfillment of the contract or the initiation of the contract and/or if we no longer have a justified interest in further storage.

When processing personal data on the basis of Art. 6 (1) point f GDPR, this data is stored until the data subject exercises his right of objection in accordance with Art. 21 (1) GDPR, unless we can provide compelling grounds for processing worthy of protection which outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.

If personal data is processed for the purpose of direct marketing on the basis of Art. 6 (1) point f GDPR, this data is stored until the data subject exercises his right of objection pursuant to Art. 21 (2) GDPR.

If your personal data is used for more than one purpose, we will retain it until the purpose with the longest period expires, but we will stop using it for the purpose with the shorter period as soon as the shorter period expires (to comply with the purpose limitation principle). We restrict access to your personal data to the persons who need to use it for the relevant purpose(s), always in compliance with the integrity and confidentiality principle.

After the processing of your data is no longer necessary for the purposes outlined in section 3 or your account is deleted (see sections 3.2 and 3.3) we will securely and separately store some of your data in accordance with statutory retention obligations applicable to us and reasonable business needs.

If the processing of your personal data is no longer necessary for any purpose it is either irreversibly anonymized (and the anonymized data may be retained), or securely erased.

8. Your data subject’s rights

You have various rights in relation to your personal data (as listed below). All of these rights can be exercised by contacting us via

Residents of certain jurisdictions may have additional personal information rights and choices. Please see sections 9 and 10 for more information.

Verification: in order to verify your request, we will take reasonable steps such as asking you to send us a confirmation from the email address associated with your account, so that we can verify that you are the owner of this email account. If there is no email address associated with your account, we may ask you for proof of ID.

Asking us to stop processing your personal data or deleting your personal data will likely mean that you are no longer able to use our Services, or at least those aspects of the Services which require the processing of the types of personal data you have asked us to delete, which may result in you no longer being able to use the Services.

9. Specific rights if you are a resident of a non-GDPR jurisdiction

9.1 Privacy information for Swiss residents

In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection apply in Switzerland. These include, in particular, the Federal Data Protection Act (Bundesgesetz zum Datenschutz – DSG). The DSG applies in particular if no EU/EEC citizens are affected and, for example, only data of Swiss citizens is processed.

9.2 Privacy information for US residents

By accessing or using Nanoleq’s or Oxa’s services (including but not limited to accessing or using this website, downloading, installing, registering with, or using the Oxa Life App), you agree to this privacy policy. This policy may change from time to time (see Changes to Our Privacy Policy). Your continued access and/or use of Oxa after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates. If you do not agree with our policies and practices, do not download, install, register with, or continue using our Services.

This policy does not apply to information collected by:

9.2.1 State consumer privacy laws

State consumer privacy laws may provide their residents with additional rights regarding our use of their personal information.

Colorado, Connecticut, Virginia, and Utah each provide their state residents with rights to:

Colorado, Connecticut, and Virginia also provide their state residents with rights to:

To exercise any of these rights please send an email to

Nevada provides its residents with a limited right to opt-out of certain personal information sales. Residents who wish to exercise this sale opt-out rights may submit a request to

9.2.2 Privacy information for California residents

We adopt this notice to comply with the California Consumer Privacy Act of 2018 (hereinafter “CCPA”) and any terms defined in the CCPA have the same meaning when used in this Policy.  California residency is defined in section 17014 of Title 18 of the California Code of Regulations. California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our App that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information”).

Personal information does not include:

In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:


  1. Identifiers, for example: A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
  2. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), for example: A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
  3. Protected classification characteristics under California or federal law, for example: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
  4. Commercial information, for example: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  5. Biometric information, for example: Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
  6. Internet or other similar network activity, for example: Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
  7. Geolocation data, for example: Physical location or movements. 
  8. Sensory data, for example: Audio, electronic, visual, thermal, olfactory, or similar information.
  9. Inferences drawn from other personal information, for example: Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

NOT Collected:

  1. Professional or employment-related information, for example: Current or past job history or performance evaluations.
  2. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)), for example: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.

Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights (which does not interfere with GDPR) regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Exercising Your Rights to Know or Delete

To exercise your rights to know or delete described above, please submit a request by emailing us at Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information.  You may also make a request to know or delete on behalf of your child by emailing us at

You may only submit a request to know twice within a 12-month period. Your request to know or delete must:

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.  You do not need to create an account with us to submit a request to know or delete. However, we do consider requests made through your password-protected account sufficiently verified when the request relates to personal information associated with that specific account. We will only use personal information provided in the request to verify the requestor’s identity or authority to make it.

Response Timing and Format

We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please contact us.

We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Personal Information Sales Opt-Out and Opt-In Rights

If you are age 16 or older, you have the right to direct us to not sell your personal information at any time (the “right to opt-out”). We do not sell the personal information of consumers we actually know are less than 16 years old, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is between 13 and 15 years old, or the parent or guardian of a consumer less than 13 years old. Consumers who opt-in to personal information sales may opt-out of future sales at any time.

To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by emailing us at:

Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize personal information sales. However, you may change your mind and opt back in to personal information sales at any time by emailing us at:

You do not need to create an account with us to exercise your opt-out rights. We will only use personal information provided in an opt-out request to review and comply with the request.


We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

10. Changes to this policy

We reserve the right to amend this Policy at our discretion and at any time. It is our policy to post any changes we make to this Policy on this page, and where appropriate, notified to you by email, notifications via the App, or by any other available means. If we make material changes to how we treat our users’ personal information, we will notify you by email to the email address specified in your account and/or through a notice on the website and/or the App.

This policy was last revised on 16 January 2023. You can view the previous versions here.

You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Websites and this privacy policy to check for any changes. We therefore encourage you to review it from time to time to stay informed about the way we are processing your data.