Privacy Policy
Effective date: 01/10/2025
Who we are: Hypoxic Wellness Pty Ltd (ABN 51685678068) (“Hypoxic Wellness”, “we”, “us”, “our”).
Contact: service@leonyx.com | Postal: 1/730 Pacific Pde, Currumbin, QLD 4223, Australia.
We respect your privacy. This Policy explains what we collect, why we collect it, how we use and share it, and the choices you have. It applies to our websites, the Hypoxic Wellness App, studios, services, events, and any other properties that link to this Policy (together, the “Services”).
We are Australia-based and comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable, we also comply with the EU/UK GDPR and the California CPRA. If we act on behalf of a clinic or other enterprise customer, we generally do so as their processor/service provider.
1) What we collect
We collect information in three ways: you provide it, it’s collected automatically, or we receive it from partners.
A. Information you provide
Account & contact: name, email, phone, postal address, role, organisation.
Profile & preferences: goals, vertical (Health & Longevity / Performance / Adventure), communication preferences.
Studio & session data (user-entered): perceived exertion, symptoms, notes.
Health-adjacent info (optional): conditions, injuries, or goals you choose to share. (We are not a healthcare provider. If we handle clinic data under contract, we act as a processor and follow that clinic’s instructions.)
Content: messages, forms, support requests, survey responses, testimonials, media consent forms.
Payment info: handled by third-party processors (e.g., Stripe); we store tokens/receipts, not full card numbers.
Careers: CV/resume, cover letters, references (if you apply for a role).
B. Information collected automatically
Device & usage: IP address, device IDs, browser type, operating system, app version, language, pages viewed, links clicked, session timestamps, crash/diagnostics.
Cookies & similar tech: pixels, local storage, SDKs for analytics, performance, and marketing. See Cookies below.
C. Studio instrumentation & biometrics (when you train with us or our partners)
Physiological signals: session SpO₂, heart rate, respiration/ventilation proxy, workload metrics, timing of effort/recovery intervals.
Environment data: chamber oxygen percentage, temperature, airflow settings.
Derived insights: recovery time, regulation markers, adherence.
We treat this as sensitive and apply enhanced safeguards.
D. Information from others
Clinics/partners who provide you access.
Marketing/analytics providers (e.g., Google, LinkedIn, Meta) for aggregated insights.
Public sources (e.g., your professional profile/website) where permitted.
2) How we use information (purposes & legal bases)
We use information to:
Provide the Services (create accounts, schedule sessions, run the app, operate studios, maintain safety).
Legal bases: contract; legitimate interests; consent (where required).
Personalise programs & education (surface relevant content, integration pathways, and targets).
Legal bases: legitimate interests; consent for sensitive data.
Safety & clinical governance (screening workflows, adverse-event triage, quality assurance).
Legal bases: legitimate interests; vital interests; legal obligation.
Research & improvement (anonymised/aggregated analytics, performance and reliability).
Legal bases: legitimate interests; consent where required.
Communications & support (service messages, onboarding, updates; with your opt-in, marketing).
Legal bases: legitimate interests; consent for marketing.
Compliance & enforcement (record-keeping, fraud prevention, legal claims).
Legal bases: legal obligation; legitimate interests.
We may create de-identified or aggregated datasets that no longer identify you and use them for benchmarking, product development, or educational content.
3) When we share information
We do not sell your personal information. We share it only with:
Service providers / processors who help operate the Services (hosting, analytics, support, payment, email, CRM, device management). They are bound by confidentiality and data-processing terms.
Clinics, coaches, or your organisation when your access is provided through them (your participation data may be visible to authorised staff).
Professional advisors & compliance (legal, audit, insurance).
Business transfers (merger, acquisition, financing, insolvency).
Authorities where required by law or to protect rights, safety, or security.
With your consent, we may feature testimonials or media that include your name/likeness (managed via a separate media release).
4) International data transfers
We may transfer data outside Australia (e.g., to the US, EU, UK, or other regions) where our providers are located. We implement appropriate safeguards such as Standard Contractual Clauses (SCCs), UK IDTA, and APP-consistent controls. By using the Services, you understand your data may be processed in countries with different data-protection laws.
5) Retention
We keep personal information only as long as necessary for the purposes described, to comply with law, or to resolve disputes. Typical retention:
Account data: while active + 5 years.
Studio/session data: 5 years (or per contract with your clinic).
Marketing consent records: while consent is valid + 5 years.
We then delete or de-identify.
6) Security
We use administrative, technical, and physical safeguards, including encryption in transit, access controls, least-privilege, logging, and staff training. No system is perfect; if a data breach occurs that is likely to cause serious harm, we will follow the Notifiable Data Breaches scheme (Australia) and applicable laws (e.g., GDPR 72-hour notice) to notify regulators and affected individuals.
7) Your rights & choices
Global choices
Access, correction, deletion: email us at jana@hypoxicwellness.com.
Withdraw consent: where processing is based on consent (e.g., certain biometrics or marketing).
Marketing opt-out: click “unsubscribe” or adjust preferences in the app.
Cookies: manage in our cookie banner or your browser/device settings.
AU (APPs)
You may request access/correction; we respond within a reasonable time. If you’re unsatisfied, you may complain to the Office of the Australian Information Commissioner (OAIC).
EU/UK GDPR
You may request access, rectification, erasure, portability, or restriction, or object to processing (including legitimate-interests profiling). You can lodge a complaint with your Data Protection Authority. If we rely on legitimate interests, we’ll explain those interests on request.
California (CPRA)
California residents have rights to know/access, correct, delete, opt out of “sharing” (for cross-context behavioural advertising), and limit use of sensitive personal information. We do not “sell” personal information for money. See Appendix A for CPRA category disclosures.
We will verify identity before fulfilling requests and respond within the required timeframe. You won’t be discriminated against for exercising rights.
8) Children
Our Services are not directed to children under 13 (or the relevant minimum age in your country). If we learn a child has provided personal information without parental consent, we will delete it. For teen participants training through clinics/guardians, we require appropriate consents.
9) Cookies, analytics & ads
We use:
Strictly necessary cookies (security, load balancing, session).
Performance/analytics (e.g., GA4) to understand usage.
Functional (remember preferences).
Advertising pixels (e.g., LinkedIn, Google, Meta) for measurement/retargeting where permitted.
You can manage preferences via our cookie banner or your browser/device. We currently do not respond to Do Not Track signals.
10) Clinics, coaches & enterprise customers
When you access the Services through a clinic, team, employer, or partner, they may be the controller for certain data, and we act as their processor/service provider under a data-processing agreement (and, where applicable, a HIPAA Business Associate Agreement in the US). Your use may also be subject to their privacy notices.
11) Third-party links & integrations
Our Services may link to third-party sites/apps (e.g., scheduling, payments, video). Their privacy practices are their own; review their policies before using those services.
12) Changes to this Policy
We’ll update this Policy when needed and post the new date at the top. If changes are material, we’ll notify you by email, in-app message, or banner. Continued use after the effective date means you accept the updated Policy.
13) How to contact us
Email: jana@hypoxicwellness.com
Postal: Hypoxic Wellness Pty Ltd, 1/730 Pacific Pde, Currumbin, QLD, 4223, Australia.
EU/UK matters (if applicable): same as above.
Complaints (Australia)
If you believe we’ve breached the APPs, contact us first. If unresolved, you can contact the OAIC: www.oaic.gov.au, 1300 363 992.
Appendix A — California CPRA “Notice at Collection”
Categories collected: identifiers (name, email, device IDs), commercial info (transactions), internet activity (usage, analytics), geolocation (coarse IP), professional/employment info (B2B), inferences (preferences), sensitive data (studio biometrics such as SpO₂/HR where you participate).
Purposes: provide Services; personalisation; safety; analytics; research; marketing with consent; compliance.
Sources: you; your organisation/clinic; devices; service providers; public sources.
Disclosed for business purposes: service providers (hosting, analytics, support, payments), clinics/teams you train with, professional advisors.
Selling/Sharing: we do not sell personal information. We may share limited usage data for cross-context advertising where permitted; you can opt out via cookie settings.
Retention: see Section 5.
Sensitive information use: only to provide Services (e.g., training safety and insights), not for marketing except with explicit consent.
Appendix B — Key definitions
Personal information / personal data: information that identifies or can reasonably identify you.
Sensitive information: includes health-adjacent biometrics captured during training, if linked to you.
Processing: any operation performed on personal data (collect, store, use, disclose, etc.).
Controller / Processor: under GDPR, the controller decides why/how data is processed; the processor acts on the controller’s instructions.
Appendix C — Data map (illustrative third parties)
Hosting & infrastructure: [AWS/GCP/Azure], Webflow.
Analytics & diagnostics: Google Analytics 4, Sentry/Crashlytics.
Comms & CRM: Klaviyo/SendGrid/Customer.io/HubSpot.
Scheduling & forms: Calendly/Typeform/Webflow Forms.
Payments: Stripe (tokenised).
Advertising: Google/LinkedIn/Meta pixels (where permitted).
Exact providers may change; we maintain processor agreements and appropriate safeguards.

