Endor wants you to understand how we use, collect, share and protect your personal data. At Endor Global AS (collectively, “Endor”, “we”, “us”, and “our”), we respect and value your privacy and integrity. We therefore ask you to familiarize yourself with this Privacy Policy and its content.

It describes our policies and procedures on the collection, use and disclosure of your Personal Data when you use our Services and otherwise interact with Endor, and tells you about your privacy rights and how the law protects you.

By using the Services, you agree to the collection and use of Personal Data in accordance with this Privacy Policy.

Our Privacy Policy is reviewed on a regular basis and may be updated from time to time.  You will always find the latest version of our Privacy Policy on our webpage https://endor.global/privacy-policy

If we have provided you with another Privacy Policy or notice, then this Policy is intended to supplement, and not override them.

Collecting and Using Your Personal Data

The Types of Data We Collect

Personal Data

While using our Service, we ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Endor processes the following categories of Personal Data when you use our Services:

Contact data: Email address, first name and last name, phone number, delivery address and billing address. If you interact with Endor through a social media platform we may also collect Personal Data that is already associated with your third-party social media service's account, like your social media username. You provide us with this information when you create an Account, place and order or sign up for a subscription or our newsletter. 

Account data: Login details, services purchased and/or subscribed to and customer preferences. 

User provider information: Information you choose to provide us with in your Account, including height, weight, lifestyle information like energy and exercise, nutrition, habits, medications, female health tracking, logging, comments, responding to a questionnaire, queriers and feedback.

Demographic information: Gender/pronoun, age, ethnicity, and approximate location (postcode).

Measured data: Including but not limited to physiological metrics such as heart rate variability, temperature, respiration, movement, sleep and type of physical activity.

Calculated data: Based on the measurements we do, for example, sleep phases, activity, recovery and energy levels throughout the day.

Usage Data: Usage Data is collected automatically when using the Services. Usage Data may include information such as your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When you access the Service by or through a mobile device, we may collect certain information automatically, including, but not limited to, the type of mobile Device you use, Your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile internet browser you use, unique device identifiers and other diagnostic data.

We may also collect information that your browser sends whenever you visit our Service or when you access the Service by or through a mobile device.

Data of children

Endor does not allow children under the age of 18 to purchase our Services or to send us Personal Data, as set out in the Terms of Use for the subscription to the Endor App. 

If we learn that we have collected Personal Data from someone under 18, we will delete the information as soon as possible.

Anonymized data

We may create aggregated and anonymized data from the Personal Data we have collected. Be aware that data that cannot be linked with an identifiable individual is no longer considered Personal Data. We will not try to re-identify the information.

We may use the anonymized data for business purposes, such as analysing results of the content suggestions, developing and enhancing our current and future products and services, as well as to promote our business – so long as the data remains anonymous. The data is not subject to a specific retention schedule, and you should assume that we will retain it.

Retention of Your Personal Data

Endor will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy, based on the amount, sensitivity and nature of the information, the potential risk to harm from unauthorized use of the data and the purposes for which we process the data and to what extent we can achieve that purpose without through other means. In order to provide you with the tracking of biometric data such as heart rate, sleep quality, and activity metrics for the duration of the subscription term, we will keep your data for the subscription period which is one (1) year for Founding Members. To provide you with personalised wellness content we also need to keep your data related to the use of the wellness content for the duration of your subscription term. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or we are legally obligated to retain this data for longer time periods.

Transfer of Your Personal Data

Your information, including Personal Data, is processed at Endor’s operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of your country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.

We may share your Personal Data in the following situations:

• With Service Providers: We may share your Personal Data with Service Providers to monitor and analyse the use of our Service, to hosting- and other technology- and communication providers, to advertise on third party websites to you after you visited our Service, for payment processing, for security consultants, or other personnel that provides services to us. 

• With Affiliates: We may share your information with our Affiliates, in which case we will require those Affiliates to honour this Privacy Policy. 

• With business partners: We may share your information with our business partners to offer you certain products, services or promotions.

• With your consent: We may disclose your Personal Data for any other purpose with your consent.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

Endor will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place, based on the adequacy of the protections in those countries, such as an adequacy decision or SCCs in place, as well as contractual obligations to comply with GDPR.

Delete Your Personal Data

You have the right to delete or request that We assist in deleting the Personal Data that We have collected about You.

You may update, amend, or delete your information at any time by contacting Us to request access to, correct, or delete any personal information that you have provided to us. Please note that if you decide to delete your data, you will no longer be able to use a personalized version of the services.

You can contact us to access, correct or delete personal information by sending an email to post@endor.global.

Please note, however, that we may need to retain certain information when we have a legal obligation or lawful basis to do so.

Disclosure of your Personal Data

Business Transactions

If Endor is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law enforcement

Under certain circumstances, Endor may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other legal requirements

Endor may disclose your Personal Data in the good faith belief that such action is necessary to:

• Comply with a legal obligation

• Protect and defend the rights or property of Endor

• Prevent or investigate possible wrongdoing in connection with the Service

• Protect the personal safety of Users of the Service or the public

• Protect against legal liability

Security of your Personal Data

Processing of personal data requires strong protections, and We take our responsibility very seriously. All Personal Data is encrypted in transit and governed by strict access controls. Endor continuously assesses the adequacy of the protections in place for the processing of biometric and health data and performs penetration testing on a regular basis.

Remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

Endor commits to inform users within 72 hours of a security breach in accordance with GDPR.

Detailed Information on the Processing of Your Personal Data

The Service Providers we use may have access to your Personal Data. These third-party vendors collect, store, use, process and transfer information about your activity on our Service in accordance with their Privacy Policies.

Email Marketing

We may use your Personal Data to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt-out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send or by contacting us.

We may use Email Marketing Service Providers to manage and send emails to you.

Mailchimp

Mailchimp is an email marketing sending service provided by The Rocket Science Group LLC.

Pushwoosh

Pushwoosh is a push notification service used for welcome pop-ups in the Endor app, provided by Pushwoosh Inc.

Payments

We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy.

Stripe

Stripe is a platform for businesses use to accept payments, manage subscriptions and other financial operations.

Hosting services and error tracking

Endor uses third-party service providers to store data and to track errors in the Application. These third-party vendors include:

Fly.io

Fly.io is a hosting platform used to store data.

Metabase

Metabase provides a dashboard for Us to understand the data.

Sentry.io

Sentry is used for de-bugging purposes.

Analytics

We may use third-party Service providers to monitor and analyse the use of our Service.

Google Analytics

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.

You may opt-out of certain Google Analytics features through your mobile device settings, such as your device advertising settings or by following the instructions provided by Google in their Privacy Policy: https://policies.google.com/privacy

GDPR Privacy

Processing purposes under GDPR 

Endor will only process your Personal Data for the purposes informed in this Privacy Policy and to the extent we have lawful basis to do so. Endor may use your Personal Data for the following purposes:

• To provide Endor Services: We process Personal Data to provide you with our Services, to process orders, memberships and other transactions, including to satisfy the reason you provided the information to us. The development, fulfilment and execution of the purchase of products, items or services that you have bought from us, or any other contract you have entered into with us through the Service.

• To create and manage your Account:  Your registration as a user of the Service and other user profiles. 

• To contact you and provide you with news: To contact you via email, phone, SMS, or similar electronic means—such as app push notifications—regarding updates, product or service information, and necessary security notices as well as providing support and assistance for the Services.

• To deliver targeted advertising: We may use your information – along with trusted third-party partners – to develop and deliver content and advertising tailored to your interests and location and to measure its effectiveness.

• To improve our Services: to provide, operate, evaluate, develop, understand, improve and personalize the Services, our business and our product, including data analysis, identifying usage trends and determining the effectiveness of our promotional campaigns.

• For analyses and research: We process personal data related to performance and well-being to enhance our Services and deliver personalized insights and to understand the effect of biometric tracking and wellness activities better. Some features use third party automated technologies to tailor your experience based on your responses. Where possible, we ensure data is processed in ways that protect your privacy.

• To comply with legal obligations: In some cases, we must process certain data to comply with laws and regulations, such as accounting, taxes or legal claims. Endor will reject any request for user data that’s meant for surveillance or prosecution and will notify users of any such request where the law allows.

• For protection of your privacy: To protect your privacy, as well as protect against harmful or fraudulent actions and to maintain the security of the Services.

Legal Basis for Processing Personal Data under GDPR

We may process Personal Data under the following conditions:

• Consent: To the extent we collect Personal Data that is considered health data or other special category of data under GDPR, such as biometric data collected by the Device, we ask for your explicit consent to process the data in the Application. We also request your consent to collect your Personal Data for marketing purposes. When we process data based on your consent, you can withdraw the consent at any time. You can do this by contacting Endor at post@endor.global.

• Performance of a contract: We process Personal Data to create, maintain and manage Endor accounts and to provide our Services, in accordance with the agreement we have with you and/or for any pre-contractual obligations thereof.

• Legal obligations: Processing Personal Data is necessary for compliance with a legal obligation to which Endor is subject.

• Legitimate interests: Processing Personal Data is necessary for the purposes of the legitimate interests pursued by Endor, such as to contact you and provide you with information, to analyse the use of our Services, for research and development, for the protection of your privacy and to maintain the security of the Services, and to the extent consent is not required by law, for marketing our business. 

In any case, the Company will gladly help to clarify the specific legal basis that applies to the processing, and whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Your Rights under the GDPR

The Company undertakes to respect the confidentiality of your Personal Data and to guarantee you can exercise your rights.

You have the right under this Privacy Policy, and by law if you are within the EU, to:

• Request access to your Personal Data. The right to access, update or delete the information we have on you. Whenever made possible, you can access, update or request deletion of your Personal Data directly within your Account settings section. If you are unable to perform these actions yourself, please contact us to assist you. This also enables you to receive a copy of the Personal Data we hold about you.

• Request correction of the Personal Data that we hold about you. You have the right to have any incomplete or inaccurate information we hold about you corrected.

• Object to processing of your Personal Data. This right exists where we are relying on a legitimate interest as the legal basis for our processing and there is something about your particular situation, which makes you want to object to our processing of your Personal Data on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes.

• Request erasure of your Personal Data. You have the right to ask us to delete or remove Personal Data when there is no good reason for us to continue processing it.

• Request the transfer of your Personal Data. We will provide to you, or to a third-party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

• Withdraw Your consent. You have the right to withdraw your consent on using your Personal Data. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the Service.

Exercising of Your GDPR Data Protection Rights

You may exercise your rights of access, rectification, cancellation and opposition by contacting us. Please note that we may ask you to verify your identity before responding to such requests. If you make a request, we will try our best to respond to you as soon as possible.

You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, if you are in the European Economic Area (EEA), please contact your local data protection authority in the EEA.

Links to Other Websites

Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Changes to this Privacy Policy

We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.

We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact Us

If you have any questions about this Privacy Policy, and we will respond as soon as possible, and at the latest within one month, with possible extensions, as per GDPR. You can contact us:

By email: post@endor.global

Facebook Fan Page

Data Controller for the Facebook Fan Page

Endor is the Data Controller of your Personal Data collected while using the Service. As operator of the Facebook Fan Page https://www.facebook.com/profile.php?id=61570727520686, Endor and the operator of the social network Facebook are Joint Controllers.

The Company has entered into agreements with Facebook that define the terms for use of the Facebook Fan Page, among other things. These terms are based on the Facebook Terms of Service: https://www.facebook.com/terms.php

Facebook Insights

We use the Facebook Insights function in connection with the operation of the Facebook Fan Page and on the basis of the GDPR, in order to obtain anonymized statistical data about Our users.

For this purpose, Facebook places a Cookie on the device of the user visiting Our Facebook Fan Page. Each Cookie contains a unique identifier code and remains active for a period of two years, except when it is deleted before the end of this period.

Facebook receives, records and processes the information stored in the Cookie, especially when the user visits the Facebook services, services that are provided by other members of the Facebook Fan Page and services by other companies that use Facebook services.

For more information on the privacy practices of Facebook, please visit Facebook Privacy Policy here: https://www.facebook.com/privacy/explanation

Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

Account means a unique account created for You to access our Service or parts of our Service.

Affiliate means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.

Application refers to Endor Global, the software program provided by the Company.

"Us" or "Our" in this Agreement) refers to Endor Global AS, Fru Kroghs brygge 2, 0252 Oslo, Norway.

For the purpose of the GDPR, the Company is the Data Controller.

Data Controller, for the purposes of the GDPR (General Data Protection Regulation), refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.

Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.

Facebook Fan Page is a public profile named Endor Global specifically created by the Company on the Facebook social network, accessible from https://www.facebook.com/profile.php?id=61570727520686

GDPR refers to EU General Data Protection Regulation.

Personal Data is any information that relates to an identified or identifiable individual.

For the purposes of GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

Service refers to the Endor Application, the Endor strap or any other Endor wearable, subscribe to the Endor newsletter, participate in an Endor study, or to any Endor feature, content or a visit to Endor’s webpage.

Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analysing how the Service is used. For the purpose of the GDPR, Service Providers are considered Data Processors.

Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.

Usage Data refers to data collected automatically, either generated by the use of the Services or from the Services infrastructure itself (for example, the duration of a page visit).

You means the individual accessing or using the Services.