Privacy Policy

CardioX, Inc. (“CardioX,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains what Personal Data we collect, how we use it, how we share it, and the rights and choices you have. It applies to our websites, mobile apps, wearable devices, dashboards, and any other products or services that link to or reference this Privacy Policy (collectively, the “Services”).

If you do not agree with this Privacy Policy, please do not use the Services. By using the Services, you acknowledge that you have read and understand this Privacy Policy.

1. Key Definitions

  • Personal Data: Any information that identifies or can be used to identify an individual.
  • Health Data / Biometric Data: Information related to your physiological signals, activity levels, sleep, recovery, cardiovascular indicators, or other wellness metrics collected through our devices or apps.
  • De-identified or Aggregated Data: Data that has been stripped of identifiers so that it cannot reasonably be used to identify an individual.
  • Device Data: Information from your CardioX device(s), such as sensor readings, firmware versions, and device identifiers.
  • Usage Data: Information about how you access and use the Services (e.g., app interactions, log files, crash reports).

2. Personal Data We Collect

We collect the following categories of Personal Data:

2.1 Information You Provide Directly

  • Account information: Name, email address, password, username/handle, profile photo, preferred language, and other registration details.
  • Contact details: Mailing address, phone number, communication preferences.
  • Payment information: Billing address, payment method details (processed by our third-party payment processors; we do not store complete payment card numbers).
  • Surveys and feedback: Information you provide when participating in research, beta programs, community forums, or contacting support.

2.2 Information Collected Automatically

  • Device data: Device serial number, hardware model, firmware version, and event logs.
  • Sensor & health metrics: Heart rate variability, resting heart rate, ECG/PPG signals, respiration rate, body temperature trends, activity/movement metrics, sleep patterns, strain/recovery scores, hydration assessments, posture-change responses, etc.
  • App & web usage data: IP address, browser type, operating system, referring URLs, pages viewed, links clicked, and timestamps.
  • Cookies and tracking technologies: Cookies, pixels, software development kits (SDKs), and similar technologies to recognize you and personalize your experience (see Section 10).

2.3 Information From Third Parties

  • Corporate or team programs: If your employer, club, or healthcare provider sponsors a CardioX program, they may provide us limited data (e.g., eligibility, email address) to onboard you.
  • Integration partners: If you connect CardioX to third-party apps or services (e.g., Apple Health, Google Fit), we may receive data as permitted by each service’s terms.
  • Marketing partners & analytics providers: We may receive demographic or interest-based data to improve our outreach. We do not receive your third-party health data for advertising purposes.

3. How We Use Personal Data

We use Personal Data to:

  • Provide and maintain the Services: Operate the app, device firmware, and backend infrastructure; process payments; provide customer support; and manage your account.
  • Analyze, personalize, and improve: Calculate health and fitness insights; provide recommendations and coaching; debug and optimize performance; develop new features.
  • Communicate with you: Send service messages, security alerts, and administrative emails; respond to your inquiries; deliver newsletters and marketing (with your consent where required).
  • Research and development: Conduct internal analytics and studies; develop algorithms; publish aggregated and de-identified findings.
  • Security and compliance: Detect, prevent, and investigate fraud, abuse, or security incidents; comply with legal obligations, enforce our Terms of Use, and protect our rights.

4. Legal Bases For Processing (EEA/UK/Other Jurisdictions Requiring a Legal Basis)

Where required by law, we rely on one or more of the following legal bases:

  • Consent: For certain health metrics, marketing communications, or optional integrations, we rely on your explicit consent.
  • Contractual necessity: We process data to perform under our contract with you (e.g., to provide the Services you requested).
  • Legitimate interests: We process data to improve our Services, support customers, conduct research, and secure our systems, provided these interests do not override your rights and freedoms.
  • Legal obligations: We may process or retain data to comply with applicable laws, regulations, or lawful requests.

5. How We Share Personal Data

We do not sell your Personal Data. We may share Personal Data as follows:

  • Service providers: Vendors that host our infrastructure, process payments, send emails, provide analytics, or support our operations.
  • Program sponsors (if applicable): Employers, teams, or organizations that subsidize your membership may receive aggregated or de-identified reports. We only share identifiable data with them if you give explicit authorization.
  • Business transfers: If we undergo a merger, acquisition, financing, or sale of assets, Personal Data may be transferred as part of that transaction.
  • Legal and safety reasons: We may disclose data to comply with legal process, protect users and the public, or enforce our agreements.
  • With your direction or consent: If you choose to connect third-party services or share data (e.g., export your reports), we will do so according to your instructions.

We require third parties to use Personal Data only for the purposes specified and to protect the data according to applicable laws and agreements.

6. International Data Transfers

CardioX is headquartered in Aventura, FL and may process data in the United States and other countries. Where we transfer Personal Data internationally, we implement appropriate safeguards (such as standard contractual clauses or equivalent mechanisms) to protect your data and comply with applicable laws.

7. Data Retention

We retain Personal Data for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods may vary based on data type and purpose. When data is no longer needed, we will delete or de-identify it.

8. Your Rights and Choices

Depending on your location, you may have some or all of the following rights:

  • Access / Portability: Request a copy of the Personal Data we hold about you.
  • Correction: Ask us to correct inaccurate or incomplete Personal Data.
  • Deletion: Request deletion of your Personal Data (subject to legal or contractual limitations).
  • Restriction / Objection: Restrict or object to certain processing activities.
  • Withdraw consent: Where we rely on consent, you can withdraw it at any time.
  • Opt-out of marketing: You can opt out of receiving marketing emails by using the unsubscribe link or contacting us.

How to Exercise Your Rights

Submit requests via hello@cardiox.com. We will verify your identity before fulfilling certain requests and respond within the timeframe required by applicable law.

9. Region-Specific Notices

9.1 California (CPRA/CCPA)

California residents have the right to:

  • Know the categories of Personal Data collected, sources, purposes, and categories of third parties to whom it is disclosed.
  • Access specific pieces of Personal Data.
  • Delete Personal Data, subject to exceptions.
  • Correct inaccurate Personal Data.
  • Opt-out of the “sale” or “sharing” of Personal Data (as defined by California law). CardioX does not sell Personal Data.
  • Limit use of sensitive Personal Data (we only use sensitive data as necessary to provide the Services).

To exercise these rights, please see Section 8. We will not discriminate against you for exercising your rights.

9.2 Colorado, Connecticut, Utah, Virginia, and Other U.S. States

Residents of certain states have additional privacy rights, including rights to access, correct, delete, and opt out of targeted advertising or profiling. We honor these rights consistent with applicable laws.

9.3 European Economic Area (EEA), United Kingdom (UK), and Switzerland

You have the rights described in Section 8. You may also lodge a complaint with your local supervisory authority. Our representative and Data Protection Officer details (if applicable) are provided in Section 16.

9.4 Brazil (LGPD)

Brazilian residents have rights to confirm processing, access, correct, anonymize, delete, and port data, among others. Requests may be made via Section 8 contact details.

9.5 India

Indian residents have rights under applicable data protection laws, including access, correction, and grievance redressal. See Section 16 for our grievance officer contact information.

9.6 Other Regions

We will comply with local laws granting privacy rights in other jurisdictions and will provide region-specific disclosures upon request.

10. Cookies and Tracking Technologies

We and our partners use cookies and similar technologies to:

  • Keep you logged in and remember your preferences.
  • Understand usage to improve performance and features.
  • Provide analytics and, where permitted, interest-based advertising.

You can manage cookies through your browser or system settings. Some features of the Services may not function properly without certain cookies.

11. Children’s Privacy

The Services are not directed to children under 18. We do not knowingly collect Personal Data from children without appropriate parental or guardian consent. If you believe we have collected data from a child without consent, please contact us so we can take appropriate action.

12. Security

We use technical, administrative, and organizational measures to protect Personal Data, including encryption, access controls, intrusion detection, monitoring, and regular security assessments. However, no system is completely secure, and we cannot guarantee absolute security.

13. De-Identified and Aggregated Data

We may de-identify Personal Data or aggregate it to produce analytics and insights that no longer identify you. We may use and share such data for research, product development, trend analysis, or other purposes.

14. Automated Decision-Making and Profiling

We may use algorithms to analyze your data and provide personalized insights (e.g., recovery scores, training recommendations). These processes are designed to assist—not replace—human decision-making. You can contact us to request information about significant automated decisions that produce legal or similarly significant effects.

15. Third-Party Links and Services

The Services may link to third-party websites, apps, or services. We are not responsible for the privacy practices of those third parties. Please review their policies before submitting Personal Data to them.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your Personal Data, contact us at:

CardioX, Inc. Attn: Privacy Team

Email: hello@cardiox.com

17. Changes To This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the Services or by other reasonable means and indicate the “Last updated” date at the top. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised policy.

18. Additional Disclosures for Research Participants (If Applicable)

If you participate in a formal research study run or sponsored by CardioX, you may receive a separate informed consent form or notice that describes additional data practices specific to that study.

19. Your Responsibilities

You are responsible for maintaining the confidentiality of any account credentials and for all activities that occur under your account. Please notify us immediately of any unauthorized access or use.

20. Language

Where we provide a translated version of this Privacy Policy, the English version will govern if there are inconsistencies.

Thank you for trusting CardioX with your data.