We take your privacy very seriously and this Privacy Notice explains how Nothing Technology Limited or its affiliated companies (collectively, "we", "us", or "our") collect, use, share and process your Personal Data when you are using the Nothing X app and relevant products and services. We are the “data controller” in respect of processing your Personal Data. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

1. What Personal Data we collect
To provide our services, we may collect, use, store and process the following types of data:
Identity and Contact Data:Email address, password, region, language, avatar/profile photo, birthday, gender.
Health and fitness data:heart rate, blood oxygen, sleep data, stress level, vitality score, training load, VO₂max, menstrual cycle information, body height, step count, calories burned, exercise type and duration.
Audio Data: When you record content with speech, the audio is processed locally on your device using offline speech-to-text technology. For the avoidance of doubt, your audio remains on your device and is not uploaded to our servers.
Multimedia data:screenshots, screen recordings, customer service messages.
Device information:device ID, device model, OS version, serial number, MAC address, firmware version, app version, region, device language.
Network and usage data:IP address, public IP, crash logs, diagnostic logs, usage behavior, app interactions.
Location data: GPS location (if authorized), time zone, device region.
Third-party login data: Apple ID, Google login profile (email, username, profile picture).
News preferences: your chosen news categories or topics of interest.

2. How We Use Your Data
We use your data to:
set up and connect your headphones, and smartwatches with the Nothing X app;
download a software update;
provide, personalize and improve your experience with the Nothing X app, headphones, and smartwatches;
allow device pairing and personalized sound experience;
rack and present fitness and health data to you (e.g. heart rate trends, sleep history, step count, calories burned);
troubleshoot issues and improve product performance through diagnostic logs and crash reports;
provide localized services, content, and customer support based on your region, language, and device usage;
process requests and orders and provide customer support;
conduct surveys, hearing tests, and improvement programs you voluntarily participate in;
comply with applicable legal obligations (e.g., tax, consumer rights, cybersecurity, or health data protection laws).

Your data will not be used for advertising purposes or shared with third parties beyond what is necessary to provide the Services. This may include our service providers who help provide some of the functionality that is part of the Services.

We require all third parties to respect the security of your data and to treat it in accordance with the law. We do not allow our third-party service providers to use your data for their own purposes and only permit them to process your data for specified purposes and in accordance with our instructions.

To provide you with a full range of functions and services, we may cooperate with third-party service providers (SDKs or APIs) that collect and process Personal Data either directly or through us.

These third parties are contractually obligated to process your Personal Data in accordance with applicable privacy laws and solely for the purposes we authorize.

Third-party SDK	Purpose	Purpose Data collected directly by the SDK
Google Maps SDK	Location-based services	GPS location, IP address, app info
Google Sign-In SDK	Account login	Email, user ID, profile image
Firebase Crashlytics	Crash monitoring	Device model, OS version, crash logs, IP address
Firebase RemoteConfig	Dynamic app configuration	Device info, user region, usage pattern
Firebase Messaging	Push notifications	Device ID, push token, IP address
Mimi SDK	Hearing test / sound personalization	Headphone ID, IP, timestamp, logs, hearing test results
Audiodo SDK	Personalized sound experience	Audio profiles, device info
Gomore SDK	Fitness tracking (heart rate, steps, etc.)	Health data: heart rate, step count, calories, exercise info

In some cases, we collect and share Personal Data with the following third parties based on your authorization:

Third-party SDK / API	Purpose	Data Shared
Apple Health SDK	Syncing wearable health data	Heart rate, sleep, blood oxygen, menstrual cycle, calories
Health Connect SDK	Android health data integration	Same as above (Android version)
Strava API	Workout sync and activity sharing	Step count, distance, calories, GPS path, timestamps
Apple Sign-In	Login	Email address, Apple ID (anonymized if chosen), profile photo

3. Data Storage and Transfer
3.1 Retention period
Data sent to our servers is temporarily stored for processing. Once processing is complete, all data is permanently deleted. We will store your data only to the extent as necessary for the proper business needs of our company (e.g., for the purposes of providing the Services to you, except where we are complying with applicable laws or regulations.

3.2 Regional Processing:
For users in the United Kingdom (UK), all data is processed on servers located in Franklin, Germany.
For users in the European Union (EU), all data is processed on servers located in Franklin, Germany, in compliance with GDPR.
For users in India, all data is processed on servers located in Mumbai, India.
For users outside the EU, data is processed on servers located in Franklin, Germany.

We may transfer your personal data to service providers that carry out certain functions on our behalf. This may involve transferring personal data outside the UK to countries which have laws that do not provide the same level of data protection as the UK law.

Whenever we transfer your personal data out of the UK to service providers, we ensure a similar degree of protection is afforded to it by ensuring that adequate safeguards are in place as required under UK data protection law

4. Legal Basis for Processing
4.1 We will only use your personal data when we have a lawful basis to do so. Our lawful basis for which we use your personal data is specified as follows:

4.1.1 Consent: You have freely consented before the processing in a specific informed and unambiguous indication of what you want. If you consent, you should select the appropriate consent option at the pop up.

4.1.2 Performance of a contract: we need to process your personal data or any data that you input into Nothing X to provide the Services and therefore perform a contract with you.

4.1.3 Compliance with law: We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.

5. Your Data Rights
You have the following rights under data protection laws in relation to your personal data. These include:

Right to access your data: request access to and / or a copy of the personal data we process about you (commonly known as a data subject access request).

Right to correct your data: request correction of any incomplete or inaccurate data we hold about you.

Right to request to delete your data: request us to delete or remove your personal data where there is no good reason for us continuing to process it.

Right to object: object to us processing your personal data where (a) we are relying on legitimate interests as the lawful basis and you feel the processing impacts on your fundamental rights and freedoms, or (b) the processing is for direct marketing purposes. In some cases, we may refuse your objection if we can demonstrate that we have compelling legitimate grounds to continue processing your information which override your rights and freedoms.

Right to request restriction; request that we restrict or suspect our processing of your personal data.

Data portability: request we transfer certain of personal data to you or your chosen third party in a commonly used, machine readable format.

Withdraw consent: Withdraw your consent at any time where we are relying on consent to process your personal data. Please know that this does not affect the lawfulness of any processing carried out before you withdraw your consent, and after withdrawal, we will be unable to provide the Services to you. We will advise you of this at the time you withdraw your consent.

Complaint: If you are unhappy with how we process your personal data, we ask that you contact us first using the details below so that we have the chance to put it right. However, you also have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk).

We will handle any request to exercise your rights in accordance with applicable law and any relevant legal exemptions. If you wish to exercise any of these rights at any time by contacting us using the contact details provided in this Privacy Policy.

6. Data Security
All information you provide to us is stored on our secure servers. We also implement robust measures to protect your personal data, including:
Encryption during data transmission.
Immediate deletion of data after processing.
Access controls to prevent unauthorized access.

We use appropriate technical and organizational measures to protect your data that we collect and process. The measures we use are designed to provide a level of security appropriate to the risk of processing your data. Please be aware and understand that we cannot ensure an absolute secure network.

7. Children's Privacy
Our Services are not intended for individuals under the age of [18]. We do not knowingly collect personal data from children without parental consent.

8. Changes to This Privacy Policy
We keep this Privacy Policy under regular review and we may update this policy to reflect changes in our practices or regulatory requirements. Updates will be communicated via the app or widget. You may be required to read and acknowledge the changes to continue your use of Nothing X.

9. Contact Us
If you have any questions regarding this Privacy Policy or its implementation, here is how you can reach us:
Email Address: iotservice@nothing.tech.

At all times, data collected by us will be treated in accordance with our official website’s Privacy Policy, which can be found at https://hk.nothing.tech/pages/privacy-policy.