Privacy Policy

LAST UPDATED · 5 JULY 2026

OuraBuddy ("the app", "we") is a personal dashboard that reads your Oura Ring data through Oura's official API and turns it into a daily morning brief. This policy explains what we access, why, and how it is handled. It is written to be read, not to hide behind boilerplate.

Who we are

OuraBuddy is an independent project operated by Stanislav Ivanov. It is not affiliated with, endorsed by, or sponsored by Oura Health Oy. "Oura" is a trademark of its respective owner. For any privacy question, contact stanio.ivanov@gmail.com.

What we access

When you choose Connect Oura Ring, you authorize us through Oura's OAuth login. We never see your Oura password. With your consent we request these Oura scopes and the data within them:

  • email, personal — your account email and basic profile (e.g. age) used to identify your dashboard.
  • daily, heartrate, spo2 — readiness, sleep, and activity summaries, heart rate, HRV, resting heart rate, temperature deviation, steps, active calories, SpO₂ and stress.
  • workout, tag, session — workouts, tags/notes and guided sessions, used for trends and "what moved your scores".

We only request read access. We do not write anything back to your Oura account.

How your data is used

Your Oura data is used for one purpose: to render your own dashboard and insights — on the web and in the OuraBuddy iOS app. We do not sell, rent, or share your data with third parties, and we do not use it for advertising or cross-site tracking.

What we store, and where

  • OAuth tokens (access + refresh) and your email, stored on our own server so we can fetch your data on your behalf. These are encrypted at rest (AES-256-GCM), with the key held separately from the database. Kept until you disconnect (see below).
  • Session cookies to keep you logged in on the web.
  • API keys for pairing the iOS app — stored only as a one-way hash; the key itself lives in your device's Keychain.
  • A short-lived cache of Oura API responses (roughly 15 minutes) to avoid hammering Oura's servers. This is transient working data, not a long-term health archive.

Data is held on a private server we operate (hosted with Hetzner, in the EU). We do not run third-party analytics or ad SDKs. Web fonts are served by Google Fonts; your browser fetches them directly and we receive no analytics from that.

Your control & deletion

  • Disconnect any time — use "Unpair / log out" in the app, which removes your stored tokens and session. You can also revoke OuraBuddy's access directly in your Oura account settings.
  • Delete on request — email stanio.ivanov@gmail.com and we will erase your stored tokens, email, and keys from our server.
  • Because we only cache data briefly and store no long-term copy of your Oura history, revoking access effectively stops all processing.

Security

All traffic is served over HTTPS (HSTS enforced). Your Oura tokens and email are encrypted at rest with AES-256-GCM, using a key kept outside the database, and are never exposed to the browser or embedded in the app. App-pairing keys are stored only as a one-way hash. The service applies standard hardening — a strict content-security policy, clickjacking and MIME-sniffing protections, and per-IP rate limiting. That said, no system is perfectly secure; you use the app at your own discretion.

Not medical advice

OuraBuddy presents wellness information for your own interest. It is not a medical device and does not provide medical advice, diagnosis, or treatment. Do not rely on it for health decisions — consult a qualified professional.

Children

OuraBuddy is not intended for anyone under 16. We do not knowingly collect data from children.

Changes

If this policy changes, we will update the date above. Continued use after a change means you accept the updated policy.
