SIGH PRIVACY POLICY
Last Updated: 22/12/25
IMPORTANT NOTICE
The Sigh mobile application and related services (the “App”) are general wellness tools designed to help users build awareness of their vaping habits and support behavioural change. The App is not a medical device and is not intended to diagnose, treat, cure, or prevent any disease or medical condition.
Nothing in the App constitutes medical advice. You should always consult a qualified healthcare professional for medical guidance.
1. INTRODUCTION AND DATA CONTROLLER
This Privacy Policy explains how Sigh Ltd (“Sigh”, “we”, “us”, or “our”) collects, uses, discloses, and protects your personal data when you use the App.
We are committed to protecting your privacy and handling your personal data in a lawful, fair, and transparent manner.
Data Controller:
Sigh Ltd
Company number: 16584674
Registered address: 17 New Wharf Road, London, N1 9RW, United Kingdom
Contact email: contact@sighhealth.com
At this time, Sigh has not appointed a formal Data Protection Officer. For any questions about this Policy or our data practices, please contact us using the details above.
2. DATA WE COLLECT
We collect and process the following categories of personal data when you use the App.
2.1 Account Information
Email address (for account creation, login, and communication)
Password (stored in hashed/encrypted form)
Age confirmation and/or date of birth (for age verification and legal compliance)
Display name or nickname (optional)
2.2 Vaping Usage Data (Health-Related Data)
When you connect a compatible device and use the App, we may collect data such as:
Timestamps of vaping sessions (date and time of use)
Puff count, duration, and intensity patterns
Daily/weekly usage summaries
Lockouts or limit events (e.g. when you hit a self-imposed limit)
Device connection status and identifiers
Because this data relates to your nicotine/vaping behaviours, it may be treated as “data concerning health” under the UK GDPR and EU GDPR. We process such data only with your explicit consent.
2.3 Technical and Log Data
Device type, operating system, and version
App version and settings
Unique device identifiers (where necessary and minimised)
IP address (for security and fraud prevention)
Crash logs, error reports, and performance metrics (where you allow diagnostics)
2.4 Support and Communication Data
Information you provide when you contact us (e.g. via email or in-app support)
Feedback, survey responses, or feature requests
Records of our communications with you
Where we use data in an aggregated and anonymised form, such data is no longer considered personal data.
3. LEGAL BASIS FOR PROCESSING
We process your personal data under the UK GDPR, EU GDPR (where applicable), and related data protection laws on the following legal bases:
3.1 Contract (Article 6(1)(b) UK/EU GDPR)
We process Account Information and certain Technical Data as necessary to:
create and manage your account;
provide you with access to the App;
deliver core App functionality you request.
3.2 Explicit Consent (Articles 6(1)(a) and 9(2)(a) UK/EU GDPR)
We process Vaping Usage Data and other health-related information only where you give explicit consent, for example when you:
pair a device and enable data syncing;
agree in-app to the collection and display of your vaping usage data;
enable specific behavioural or analytics features involving your usage patterns.
You may withdraw your consent at any time via the App settings (where available) or by contacting us (see Section 14). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
3.3 Legitimate Interests (Article 6(1)(f) UK/EU GDPR)
We may process Technical and Log Data, and limited elements of Account Information, where necessary to:
maintain and improve the App and its security;
prevent misuse, fraud, or abuse;
understand aggregate usage patterns (in an anonymised or pseudonymised form);
support business operations (e.g. debugging, capacity planning).
When relying on legitimate interests, we balance our interests against your rights and expectations.
3.4 Legal Obligations (Article 6(1)(c) UK/EU GDPR)
We may process your data to comply with legal obligations, for example:
responding to lawful requests from authorities;
satisfying record-keeping requirements;
complying with applicable consumer or safety laws.
4. HOW WE USE YOUR DATA
We use your personal data for the following purposes:
Providing and Operating the App
To display your vaping usage, goals, and progress.
To implement features such as lockouts, reminders, and behavioural prompts.
Personal Insights and Behavioural Support
To help you understand patterns in your vaping behaviour.
To provide charts, statistics, and behavioural nudges.
Account Management and Communications
To manage your account and authenticate your identity.
To send essential service communications (e.g. security notices, changes to terms).
App Improvement and Analytics
To analyse anonymised or aggregated usage data to improve our features, design, and performance.
To test and refine new functionality.
Security, Fraud Prevention, and Misuse Detection
To protect our users, systems, and services from unauthorised access or abuse.
Legal and Regulatory Compliance
To comply with legal obligations and to respond to lawful requests or claims.
We do not:
sell your personal data to third parties;
use your data for third-party advertising or ad tracking;
engage in automated decision-making that produces legal or similarly significant effects on you.
5. DATA SHARING AND THIRD PARTIES
We may share your personal data with the following categories of recipients, strictly on a need-to-know basis:
5.1 Service Providers (Processors)
We use trusted third parties to help us deliver the App, such as:
Cloud hosting providers (for secure storage and processing of data)
Analytics and crash reporting providers (for app performance and stability)
Authentication and identity service providers (for secure login)
These providers act as data processors and are bound by contractual obligations to:
process data only on our instructions;
implement appropriate security measures;
not use your personal data for their own purposes.
5.2 Legal and Regulatory Recipients
We may disclose your data where required to:
comply with applicable law, regulation, legal process, or governmental request;
protect the rights, property, or safety of Sigh, our users, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred to the acquiring entity as part of the transaction. If this occurs, we will ensure that:
We do not share your identifiable health-related data with third parties for their own marketing or profiling purposes.
6. INTERNATIONAL DATA TRANSFERS
Your personal data may be transferred to, or accessed from, countries outside the United Kingdom and European Economic Area, for example where our trusted service providers are based or host data.
Where such transfers occur, we will ensure that appropriate safeguards are in place, such as:
an adequacy decision by the UK Government or European Commission;
Standard Contractual Clauses (SCCs) approved by the European Commission;
the UK International Data Transfer Agreement (IDTA); and/or
other legally recognised transfer mechanisms.
You may request further information about these safeguards by contacting us (see Section 14).
7. DATA RETENTION
We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy, or as required by law. As a guideline:
Account Information: retained for the life of your account and up to 30 days after you request deletion or close your account.
Vaping Usage Data (in identifiable form): retained for up to 24 months from collection, or until you withdraw consent or delete your account, whichever occurs first. Thereafter, it may be retained in anonymised form for analytics.
Technical and Crash Logs: typically retained for up to 90 days, unless needed longer for security or diagnostics.
Aggregated/Anonymised Data: may be retained indefinitely, as it does not identify you.
If you delete your account, we will delete or irreversibly anonymise your personal data within a reasonable period, subject to legal or regulatory retention requirements.
8. YOUR RIGHTS
Under the UK GDPR, EU GDPR (where applicable), and other data protection laws, you have the following rights in relation to your personal data:
Right of Access – to obtain confirmation as to whether we process your personal data and to receive a copy.
Right to Rectification – to request correction of inaccurate or incomplete personal data.
Right to Erasure – to request deletion of your personal data in certain circumstances (the “right to be forgotten”).
Right to Restrict Processing – to request that we limit processing where you contest accuracy, object to processing, or where processing is unlawful.
Right to Data Portability – to receive certain personal data in a structured, commonly used and machine-readable format and to transmit it to another controller.
Right to Object – to object, on grounds relating to your particular situation, to processing based on legitimate interests.
Right to Withdraw Consent – where processing is based on your consent, you may withdraw that consent at any time.
You may exercise these rights:
We will respond to your request within one month, extendable by a further two months where necessary and permitted by law (we will inform you if an extension is required).
Right to Complain
If you are unhappy with how we handle your personal data, you may contact us in the first instance so we can try to resolve your concerns.
You also have the right to lodge a complaint with a supervisory authority:
9. DATA SECURITY
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, as appropriate:
encryption of data in transit and at rest;
access controls and authentication;
secure configuration of cloud infrastructure;
regular monitoring and logging of system activity;
internal policies and staff training on data protection and security.
No system can be guaranteed 100% secure. However, we take data security seriously and work continuously to protect your information.
10. CHILDREN’S PRIVACY AND AGE RESTRICTIONS
The App is intended only for users aged 18 years and over.
We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have inadvertently collected personal data from a person under 18, we will take reasonable steps to delete such data and, if appropriate, close the account.
If you believe that a person under 18 has provided us with personal data, please contact us immediately at contact@sighhealth.com.
11. AUTOMATED DECISION-MAKING AND PROFILING
Certain features of the App (such as usage limits, reminders, or suggested goals) may be generated automatically based on your usage data. These features:
are supportive tools to help you understand and manage your habits;
do not produce legal effects or similarly significant effects for you;
do not amount to automated decision-making within the meaning of Article 22 UK/EU GDPR.
You remain in control of whether to act on these insights, reminders, or recommendations.
12. COOKIES, LOCAL STORAGE AND SIMILAR TECHNOLOGIES
The App may use local storage or similar technologies on your device to:
remember your preferences and settings;
maintain your session while you are logged in;
temporarily store usage data before it is securely transmitted to our servers.
We do not use in-app cookies or similar technologies for third-party advertising tracking.
If we operate a web portal, cookies used there will be explained in a separate Cookie Policy or in the web-based privacy notice.
13. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in law, technology, or our data practices.
When we make material changes, we will:
post the updated Privacy Policy within the App; and
where appropriate, notify you via email or in-app notification.
Where required by law (for example, if we change how we process health-related data), we will seek your renewed consent before continuing affected processing.
14. CONTACT US
If you have any questions, requests, or concerns about this Privacy Policy or our use of your personal data, please contact us:
By email:
contact@sighhealth.com
By post:
Sigh Ltd
17 New Wharf Road
London
N1 9RW
United Kingdom