Ottai Global Privacy Framework

Effective date: 15-August-2026
Last updated: 10-July-2026

Privacy at Ottai

A continuous glucose monitor sees parts of your life that almost nothing else does — your glucose, your meals, your movement, the rhythm of an ordinary day. When you choose Ottai, you place that information in our hands, and safeguarding it is something we treat as part of the product itself, not an afterthought.

Our purpose is to help you understand what your body is doing and act on it with confidence. That only works when the data behind it is handled honestly and kept secure — wherever you live, and whichever Ottai device, app or service you use. The commitments below shape how we do that everywhere we operate.

1. Purpose and scope

This Framework sets out how Ottai structures, publishes and governs its privacy notices across every country and territory where it sells and supports its continuous glucose monitoring (CGM) devices, apps and related services. It defines a single set of global principles, a tiered model of public notices and internal policies, a jurisdiction coverage map, a cross-border transfer and data-localisation model, and the governance that keeps all of it current. The public expression of this Framework is the Global Privacy Policies direction page described in Section 8, which routes each user to the notice for their region.

2. Our global privacy principles

These commitments apply everywhere we operate, regardless of local law. Where a local law is stricter, the stricter standard applies.

  • You stay in control. It is your data — you can view it, correct it, export it where available, and ask us to delete it.
  • We are upfront. We explain in plain language what we collect, why, and who we share it with.
  • We keep it lean. We collect only what a feature genuinely needs and keep it no longer than necessary.
  • We protect it by design. Encryption, access controls and security review are built into our devices, apps and systems from the outset.
  • We do not trade on your health. We never sell personal data and never use glucose or other health information to target advertising.

3. Policy architecture

Privacy documentation is organised in four tiers so that a single global standard cascades into region-specific notices and internal procedures.

Tier 1 — Global standard

  • Documents: Global Privacy Principles (Section 2) and the binding internal Data Protection Standard
  • Applies to: All markets, all staff, all vendors
  • Owner: DPO / Privacy team

Tier 2 — Regional & country notices

  • Documents: Public-facing privacy notices per region, with country addenda where local law requires. A Global / International Privacy Notice is the default for any market without a dedicated notice.
  • Applies to: End users, by location
  • Owner: DPO + local counsel

Tier 3 — Topic & product notices

  • Documents: Cookie Notice (website); in-app / just-in-time notices; CGM health-data notice; customer-service & AI notice; payment notice
  • Applies to: Specific touchpoints
  • Owner: Product + DPO

Tier 4 — Internal policies & procedures

  • Documents: Data Protection Management Programme; retention schedule; breach-response runbook; DPIA process; vendor/DPA register; cross-border transfer governance; Record of Processing Activities (RoPA); staff training
  • Applies to: Internal operations
  • Owner: DPO / Security / Legal

4. Cross-border transfer & data-localisation model

Your personal data may be stored, accessed or processed in countries or regions where we, our group entities, service providers, HCP partners, distributors or business partners operate. The current primary hosting location, service-provider processing locations and international transfer details are listed in the Functions and Data List.

References to overseas processing include storage, hosting, remote access, customer support, technical support, diagnostics, security monitoring, service-operation processing and processing by our group entities, service providers or business partners located outside your country or region. The fact that primary hosting is located in one country or region does not necessarily mean that all support, diagnostic, security, communication or service-operation processing occurs only in that country or region.

Where GDPR or similar international-transfer rules apply, we use appropriate transfer mechanisms such as adequacy decisions, standard contractual clauses, binding corporate rules, recognised certifications, contractual safeguards, transfer assessments, supplementary measures or derogations where permitted. Where other laws apply, we take steps required by those laws to provide comparable or appropriate protection for transferred personal data.

Your personal data may be subject to the laws of the country or region where it is stored, accessed or processed. Where overseas laws permit access by courts, law enforcement, regulators or public authorities, we respond to such requests only where we consider it necessary or appropriate to comply with applicable legal requirements, protect our rights, protect users or others, or otherwise act as permitted by applicable law.

5. Governance and accountability

  • Data Protection Officer (DPO). Single global owner of this Framework; public contact privacy@service.ottai.com.
  • Local representatives / agents. Appoint where local law requires — named in the relevant regional notice.
  • Roles. DPO (policy & rights), Security (protection & breach), Legal/local counsel (jurisdiction validation), Product (in-app notices & consent), Customer service (request intake).
  • Review cadence. Framework and all notices reviewed at least annually and on any material change (new market, new processor, new law). Maintain a version log (Section 9).

6. Individual rights & request handling

A single intake (DPO email + in-app request flow) serves all markets. Requests are identity-verified, then handled to the applicable timeline for that user's jurisdiction (e.g. Singapore/India/POPIA access and correction; GDPR-grade erasure/portability where offered). Responses, refusals and the legal basis for any refusal are logged for accountability.

7. Data-breach response

One central runbook drives detection, assessment, containment and notification, applying the strictest applicable deadline per affected market — for example Singapore's notify-the-PDPC-within-3-days rule, and the 72-hour standard used in GDPR-style regimes — with notification to affected individuals where the harm threshold is met.

8. Ottai Global Privacy Policies direction page

Global Umbrella

Singapore

9. Language Precedence

Where this Agreement is provided in multiple languages, the English version prevails to the extent permitted by applicable law.

10. Maintenance & version control

This Framework is owned by the DPO and version-controlled. Each notice records its own effective and last-updated dates. Material changes are logged below and, where significant, communicated to users.

Contacting us

You can reach our Data Protection Officer at privacy@service.ottai.com with any privacy question or to exercise your rights.

Version: v 6.0

  • Date: 10-July-2026
  • Summary of change: Redesigned Ottai Privacy Framework; Implemented new rules; Clarified fundamental facts and protections for the improvement of user privacy protection.

Version: V 5.0

  • Date: 14-October-2025
  • Summary of change: Added App push notification instructions; Updated the privacy policy to be Ottai Privacy Policy

Version: V 4.0

  • Date: 14-September-2024
  • Summary of change: Added Version Number Information

Version: V 3.0

  • Date: 28-May-2024
  • Summary of change: Added Section 10/11/12

Version: V 2.0

  • Date: 25-December-2023
  • Summary of change: Updated the following term: from: "1. This is an agreement between you and Beijing Synapsor Artificial Intelligence Co., Ltd. (hereinafter referred to as "we") regarding the..." to: "1. This is an agreement between you and Ottai Technology (Wuxi) Co., Ltd. (hereinafter referred to as "we")"

Version: V 1.0

  • Date: 17-November-2023
  • Summary of change: Initial framework set up