Privacy Policy

Last Updated: January 21, 2026

This Privacy Policy explains how we collect, use, share, and protect information when you use the Service.

1. What We Collect

1.1 Information you provide

  • Name, email, profile info
  • Account preferences
  • Support messages and feedback

1.2 Data from connected services (e.g., Oura)

If you connect Oura, we may collect and store:

  • Sleep metrics
  • Readiness/activity metrics
  • Heart rate and related physiological signals
  • Tags, sessions, and other wearable-derived data exposed by the integration

(Exact fields depend on what the integration provides and what you authorize.)

1.3 Device + usage data

  • IP address, device type, browser, pages visited
  • Log data, diagnostic events, timestamps
  • Cookies or similar technologies

1.4 Derived data we create

We may generate:

  • Recommendations, summaries, scores, classifications
  • Trend analyses, comparisons, and predictions
  • Aggregated insights across users (de-identified)

2. How We Use Your Data

We use data to:

  • Provide core features and personalized insights
  • Sync wearable data you request
  • Improve and develop new features (including internal analytics and modeling)
  • Maintain security, prevent fraud/abuse, enforce policies
  • Customer support and communications
  • Research and benchmarking in aggregated/de-identified form
  • Legal compliance and dispute resolution

3. Legal Bases

Depending on your location, we process data based on:

  • Consent (especially for wearable/health-related data)
  • Contract (to provide the Service you requested)
  • Legitimate interests (security, analytics, improvement)
  • Legal obligation (compliance)

Consent can be withdrawn anytime. Withdrawal does not affect processing that occurred before withdrawal.

4. How We Share Data

4.1 What we share

We may share your information with:

  • Service providers (hosting, analytics, support, email delivery)
  • Infrastructure providers needed to run the Service
  • Legal authorities if required by law or to protect rights/safety
  • Business transfers (merger/acquisition) subject to this Policy

4.2 Infrastructure providers

We use:

  • Supabase (database/auth/storage)
  • Vercel (hosting, deployments, edge/network delivery)

These vendors process data on our behalf as "service providers / processors."

4.3 What we do NOT do with Oura Data

Even if a user requests it, we do NOT:

  • Sell Oura Data
  • Lease, license, or market it to third parties
  • Provide it to advertisers or data brokers

5. Public Sharing Controls

If the Service offers public sharing:

  • It is off by default
  • You must opt in and choose what is shared
  • You can disable public sharing anytime

When public sharing is enabled, others may view, copy, or re-share your shared content. We cannot control third-party re-posting or caching.

6. Cookies & Tracking

We use cookies/local storage for:

  • Login sessions
  • Preferences
  • Analytics and performance monitoring

You can control cookies via browser settings. Some features may not work without cookies.

7. Data Retention

We keep your data:

  • As long as your account is active
  • And as needed to provide the Service
  • And as needed for legal, security, dispute, and audit purposes

You may request deletion from your profile (or by contacting us). We may retain limited data where required by law or for legitimate business needs.

8. Your Rights & Choices

Depending on where you live, you may have the right to:

  • Access your data
  • Correct your data
  • Delete your data
  • Export your data
  • Object/restrict certain processing
  • Withdraw consent (where applicable)
  • Opt out of "sale/share" under California privacy law if applicable

We will not discriminate against you for exercising privacy rights.

9. Security

We use reasonable technical and organizational safeguards, such as:

  • Encryption in transit (HTTPS/TLS)
  • Access controls and least-privilege
  • Secret management for API keys
  • Monitoring and audit logging

No system is perfectly secure; you use the Service at your own risk.

10. International Data Transfers

If you access the Service from outside the U.S., your data may be processed in the U.S. or other jurisdictions where our vendors operate. We use appropriate safeguards where required.

11. Children's Privacy

The Service is not intended for children under 13 (or older where required by local law). If we learn we collected data from a child unlawfully, we will delete it.

12. Changes to This Policy

We may update this Privacy Policy. If changes are material, we will provide notice through the Service or by email.

13. Contact Us

Email: privacy@sleepladder.com