Privacy Policy

1. Data Collection

Ease is a migraine tracking application operated by Ease Health ("we", "us", "our"). We are committed to protecting your privacy and handling your data with care. Because migraine tracking involves sensitive health information, we apply the highest standards to its protection.

1.1 Health Data

When you use Ease, you may voluntarily provide the following categories of personal data:

• Migraine logs: date, time, duration, severity (mild / moderate / severe), symptom onset, prodrome and postdrome phases, and free-form notes.
• Trigger information: predefined and custom trigger selections (e.g., stress, weather, sleep, hormones, food, alcohol, medication).
• Medication usage: name, dosage, and timing of any medications or supplements you record.
• Daily journals: optional check-in responses about sleep quality, hydration, mood, activity level, and other wellness indicators.
• Device and usage data: device type, operating system version, app version, session timestamps, and interaction events within the app.

Health data is classified as special category data (Article 9 GDPR) and is subject to the explicit consent and enhanced safeguards described in this policy.

1.2 Wearables & Health Platform Integration

Ease may integrate with third-party health platforms and wearable devices to enrich your tracking data:

• Apple HealthKit: With your explicit permission, Ease may read and write health data categories including heart rate variability (HRV), sleep analysis, step count, and mindful minutes.
• Other platforms: Any future integrations (e.g., Oura, Fitbit, Google Health Connect) will be disclosed in this policy at the time of integration release.

Data received from wearables is processed solely for the purposes described in Section 2 and is not shared with the wearable platform providers unless you expressly authorize such sharing.

2. Purposes of Processing

We process your personal data (including special category health data) for the following purposes:

• Migraine logging: To record, store, and display your migraine attack history and associated triggers, symptoms, and medications.
• Personalized insights: To analyze your patterns over time and surface trigger correlations and risk factors specific to you.
• Predictive features: To calculate personalised migraine risk scores (planned Phase 2 feature, not yet active).
• App functionality: To operate core features including daily check-ins, reminders, data export, and account management.
• Communication: To send you service-related notifications, updates, and beta programme communications if you have opted in.
• Aggregated analytics: To generate de-identified, aggregated statistics about migraine prevalence and triggers for product improvement purposes.

We do not use your personal data for advertising, profiling, or any purpose unrelated to migraine health tracking.

3. Legal Basis (GDPR Art. 9)

Because the data we process includes special category data (health data), we rely on the following legal bases under GDPR:

3.1 Explicit Consent — Article 9(2)(a)

The primary legal basis for processing your migraine health data is your explicit, freely given, specific, and informed consent. When you first launch Ease and create an account, you will be presented with a clear consent request explaining:

• The categories of data collected
• The purposes of processing
• Your rights (including the right to withdraw consent at any time)
• How to contact us with questions

Consent is obtained via an affirmative action (checking a box or tapping "I agree"). Consent must be given again if we introduce new data processing activities beyond the scope originally disclosed.

3.2 Vital Interests — Article 9(2)(c)

In the event that processing is necessary to protect your vital interests or that of another natural person, and you are physically or legally incapable of giving consent, we may process limited data on this basis. This basis is invoked only in exceptional circumstances.

3.3 Public Health — Article 9(2)(i)

Where aggregated, de-identified migraine prevalence data is contributed to public health research or epidemiological studies, processing may additionally be based on Article 9(2)(i) GDPR, subject to appropriate safeguards.

4. Third-Party Data Sharing

Ease does not sell, rent, or trade your personal data to third parties. We share data only in the following limited circumstances:

4.1 Service Providers

We use trusted third-party service providers to host data, deliver push notifications, and operate our infrastructure. These processors are contractually bound to:

• Process data only on our documented instructions
• Apply appropriate technical and organisational security measures
• Not disclose data to further third parties without our consent

4.2 Apple HealthKit

When you authorise Ease to read or write to Apple HealthKit, that data is subject to Apple's Privacy Policy in addition to this Privacy Policy. We recommend reviewing Apple's privacy practices alongside this policy.

4.3 Legal Requirements

We may disclose your data if required to do so by law, court order, or other governmental authority, but only to the extent strictly necessary and only after confirming that the request is legally valid.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity under the same protections described in this policy. We will notify you via email or prominent in-app notice prior to any such transfer.

5. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

• Active account data: Retained while your account is active. You may request deletion at any time (see Section 6).
• After account deletion: Data is permanently deleted within 30 days of your deletion request, unless we are legally required to retain it for longer (e.g., tax or accounting obligations).
• Aggregated analytics: Any de-identified aggregated data derived from your records that is retained for product improvement is never re-identifiable and is not subject to deletion requests, as it no longer constitutes personal data.

When your account is deleted, we delete all associated personal data from our active systems and backups within the 30-day window. Complete erasure from all backup media may take up to 90 days in total.

6. Your Rights Under GDPR

As a user located in the European Economic Area (EEA) or a country with equivalent data protection laws, you have the following rights regarding your personal data:

6.1 Right of Access — Art. 15

You may request a copy of all personal data we hold about you, including health logs, trigger data, and account information.

6.2 Right to Rectification — Art. 16

You may request correction of inaccurate or incomplete personal data. Within the Ease app, you can edit your migraine logs and profile information at any time.

6.3 Right to Erasure ("Right to be Forgotten") — Art. 17

You may request permanent deletion of all your personal data. To exercise this right, use the in-app delete account function or contact us at [email protected]. Deletion will be completed within 30 days.

6.4 Right to Restriction of Processing — Art. 18

You may request that we restrict processing of your data in certain circumstances (e.g., while a data accuracy dispute is resolved).

6.5 Right to Data Portability — Art. 20

You may request an export of your data in a machine-readable format (JSON). We are working to make this available directly in the app settings. In the interim, contact [email protected].

6.6 Right to Object — Art. 21

You may object to processing based on our legitimate interests or for research/statistical purposes. We will cease such processing unless we have compelling legitimate grounds that override your interests.

6.7 Right to Withdraw Consent — Art. 7(3)

Because our primary legal basis for health data processing is your explicit consent, you may withdraw that consent at any time via the app settings or by contacting us. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

6.8 Right to Lodge a Complaint — Art. 77

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority (DPA). A list of EEA DPAs is available at edpb.europa.eu.

7. Contact

For any questions about this Privacy Policy, to exercise your data rights, or to report a data protection concern, please contact us:

• Email: [email protected]
• Data Protection Officer: We have appointed a privacy contact who can be reached at the email above.
• Mailing Address:
  Ease Health
  Data Protection
  Ease Health HQ
  123 Health Way
  San Francisco, CA 94105

We aim to respond to all privacy-related requests within 30 days of receipt.