Privacy Policy

Last updated: 2026-04-18

This Privacy Policy describes how Oura MCP at https://oura.dsdoes.com collects, uses, stores, and deletes personal data.

1) Data we process

• Connection data: OAuth client/application metadata and account linkage records needed to run the integration.
• Credentials: Oura OAuth tokens (including refresh flow data where applicable) required to call Oura APIs for your account.
• Requested health data: Oura API responses only when you invoke MCP tools (for example, sleep, readiness, activity, stress, SpO2, resilience).
• Operational telemetry: limited request/error counters and minimal logs for reliability, debugging, and abuse prevention.

2) Legal basis and purpose

• Provide the service you requested (OAuth connection and Oura data retrieval).
• Maintain reliability and security of the integration.
• Comply with legal obligations when required.

3) Data sharing

We do not sell personal data. Data may be processed by hosting/infrastructure providers solely to operate the service, and by Oura when API calls are made on your behalf.

4) Retention

• OAuth credentials and linkage records are retained until disconnected, revoked, or deleted.
• Operational logs/metrics are retained only as needed for service operation and troubleshooting.
• Requested API response payloads are processed for delivery and not intentionally retained as long-term user profiles.

5) Your rights and choices

• Disconnect from Oura at any time in your Oura account settings.
• Request access, correction, revocation, or deletion by emailing dave@vexti.co.
• For deletion requests, include your Oura account email or identifying details needed to locate records.

6) Security

We use transport encryption (HTTPS), OAuth access controls, and reasonable safeguards intended to protect credentials and data. No system can guarantee absolute security.

7) International transfers

Infrastructure providers may process data in jurisdictions outside your location. We use commercially reasonable safeguards for such processing.

8) Children

This service is not directed to children under 13 (or higher age where required by local law).

9) Changes to this policy

We may update this Privacy Policy by posting a revised version on this page with an updated effective date.

10) Controller and contact

Service operator: Vexti LLC, 11523 Hidden Spring Trail, Dewitt, MI 48820, USA.

Privacy contact: dave@vexti.co.