Privacy Policy
How the Sonopeace Sleep Tracker app collects, uses, protects, and shares your information. This policy applies to the Sonopeace mobile app and connected services — not to purchases made on this store, which are governed by separate policies.
1. Introduction & scope
This policy explains how Sonopeace handles personal data in the Sonopeace Sleep Tracker app — including the mobile app, AI-powered sleep insights, and connected services. By creating an account you agree to the practices described here.
Sleep and health data are treated as special-category data under GDPR Article 9 and are handled only with your explicit consent. Consent is collected differently by region: users in the EU/EEA and UK provide separate, contextual consent for each optional processing activity (AI features, analytics, research sharing); users elsewhere give bundled consent at sign-up. You can review or change any consent at any time in Settings > Privacy & Consent.
2. Information we collect
Personal data
- Email address
- Name
- Encrypted password
Sleep & health data
- Sleep duration and sleep stages (light, deep, REM, awake)
- Heart rate and heart rate variability (HRV)
- Respiratory rate and SpO2 (from connected wearables)
- Alarm and wake times
- Manual sleep-diary entries — mood, stress, alcohol, caffeine, exercise, and other factors you log
Wearable-sourced metrics
- Apple HealthKit (iOS)
- Android Health Connect
- Oura Ring (via OAuth)
- Fitbit and Pixel Watch (via Google Health API, after explicit re-consent)
Device & usage data
- Device model and operating-system version
- Notification tokens (for push notifications you have enabled)
- Anonymous product-usage events — only when you have enabled analytics (see §7)
3. How we use your data
- Core sleep tracking — record and display your sleep sessions, summaries, trends, and reminders.
- AI insights and chat coach — only if you have enabled AI features. See §6 for what is sent and to whom.
- Algorithm improvement — improve sleep-tracking accuracy and recommendation quality.
- Product analytics — only if you have enabled analytics. Used to understand which features are useful and where the app falls short. See §7.
- Service operation — account management, security, fraud prevention, error and crash diagnosis.
- Communications — service messages and, with your consent, product or research-update emails.
- Push notifications — operating-system push notifications are controlled by your device's permission settings, separately from the consents above.
4. Legal basis for processing
The table below sets out the legal basis under GDPR Articles 6 and 9 for each processing activity.
| Purpose | Legal basis |
|---|---|
| Account creation and core service delivery | Performance of contract (Art. 6(1)(b)) |
| Health data processing for sleep tracking | Explicit consent (Art. 9(2)(a)) |
| AI insights and chat coach (OpenAI) | Explicit consent (Art. 9(2)(a)) — opt-in only |
| Product analytics (PostHog) | Consent (Art. 6(1)(a)) — opt-in only |
| Anonymized research and third-party data sharing | Consent (Art. 6(1)(a)) for the anonymization step; post-anonymization use is outside GDPR scope per Recital 26 |
| Security logging and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Service and account emails | Performance of contract (Art. 6(1)(b)) |
| Marketing and research-update emails | Consent (Art. 6(1)(a)) |
5. Third-party data processors
The third-party services below process some of your data on Sonopeace's behalf. Each operates under its own published terms and data-handling policies, and receives only the data it needs to perform its function.
| Processor | Location | Purpose |
|---|---|---|
| Supabase Inc. | US | Primary database hosting, authentication, file storage |
| OpenAI Inc. | US | AI sleep analysis and chat coach (only when AI features are enabled — see §6) |
| PostHog Inc. | US (us.i.posthog.com) | Product analytics (anonymous usage events). Only when analytics is enabled (see §7) |
| RevenueCat Inc. | US | Subscription and in-app purchase management |
| Apple Inc. | US | Sign in with Apple, HealthKit data access, App Store billing |
| Google LLC | US | Google Sign-In, Android Health Connect data access, Google Health API for Fitbit/Pixel Watch metrics (after explicit re-consent), Google Play billing |
| Oura Health Oy | Finland (third-party wearable provider) | Wearable sleep and recovery data via OAuth API (only if you connect an Oura account) |
| Functional Software Inc. / Sentry | US | Error monitoring and crash reporting |
This list is kept current. If we add a sub-processor we will update this section before sending any data to them.
6. AI-powered features
The Sonopeace app offers optional AI-powered features — sleep insights, recommendations, and an in-app chat coach. These features are off by default for users in the EU/EEA and UK and require your explicit opt-in via the AI features screen. Users in other regions consent to AI processing as part of bundled sign-up consent and can withdraw it at any time in Settings > Privacy & Consent.
Sub-processor. AI processing is performed by OpenAI Inc. on its US infrastructure. The prompt and response data sent to OpenAI may include aggregated sleep metrics, sleep-diary entries you have logged, and the messages you send to the chat coach.
What OpenAI does not do. OpenAI's publicly stated API data usage policy says that data sent to its API is not used to train OpenAI's models and is not used for advertising. We rely on that public commitment for any data Sonopeace sends to OpenAI; we do not currently have a separate contractual arrangement with OpenAI.
Cross-border transfers. If you are in the EU/EEA or UK and enable AI features, your data is transferred to OpenAI in the United States. We rely on the data-handling commitments OpenAI publishes for API users; please consider this before enabling AI features.
Withdrawal. Disabling AI features in Settings > Privacy & Consent stops further AI processing and purges any AI requests still queued for sending. Insights already generated and stored in your account remain visible to you until you delete your account; they are not sent to OpenAI again.
Optional ChatGPT app integration. Separately from the in-app AI coach, Sonopeace offers an optional ChatGPT app integration that lets you query your sleep data from inside ChatGPT via OAuth. This integration is off by default and is enabled only by connecting it explicitly. While connected, your sleep data is read by ChatGPT (OpenAI) on your behalf when you ask. The OAuth token granting that access is stored in our database and can be revoked at any time from Settings > Connected Devices, which immediately ends ChatGPT's access.
7. Analytics & product measurement
Sonopeace uses product analytics to understand which features users find valuable and where the app needs work. Analytics is off by default for users in the EU/EEA and UK and is enabled only if you opt in via the Home banner or Settings > Privacy & Consent. Users in other regions consent to analytics as part of bundled sign-up and can withdraw at any time.
Sub-processor. Analytics is provided by PostHog Inc. Data is sent to PostHog's US-hosted endpoint at us.i.posthog.com.
What is tracked. Anonymous usage events — screen views, button taps, and feature usage. No health data, sleep data, sleep-diary entries, or AI conversations are ever included in analytics events.
Withdrawal. Turning analytics off in Settings > Privacy & Consent shuts down PostHog mid-session immediately; no further events are sent until you re-enable it. You can also dismiss the Home banner without enabling, which leaves analytics off.
8. Wearable & health-platform integrations
You can optionally connect Sonopeace to one or more wearable or health platforms so it can read your sleep and physiological metrics directly.
- Apple HealthKit (iOS) — read access to sleep, heart rate, HRV, and related metrics you authorize via the iOS permission prompt.
- Android Health Connect — read access to sleep and heart-rate data you authorize via the Health Connect permission prompt.
- Oura Ring — OAuth read access to sleep stages, heart rate, HRV, and recovery scores.
- Fitbit and Pixel Watch — OAuth read access via the Google Health API to sleep data, heart rate, HRV, and SpO2, requested with explicit re-consent.
How tokens are stored. OAuth tokens for these integrations are encrypted at rest in our Supabase database and are used only to fetch the metrics the integration is authorized for.
How to disconnect. Disconnect any integration at any time from Settings > Connected Devices. Disconnection deletes the OAuth tokens we hold; we stop receiving new data from that source immediately. Metrics already imported into your account remain in your sleep history until you delete your account.
9. Research & anonymized data sharing
Sonopeace's long-term mission includes contributing to sleep science. To do that responsibly, any data ever shared with research or third-party partners is first irreversibly anonymized — stripped of personal identifiers so it can no longer be linked to you.
Current status. As of the effective date of this policy, there is no active research-sharing or third-party-sharing pipeline. No anonymized data is being sent to external partners today. The consents you may have given for research and third-party sharing are forward-looking and become operative only once a pipeline is in place — at which point this policy will be updated to name the partner categories and the data flow.
When a pipeline becomes active, anonymized, aggregated datasets may be shared with research partners (such as universities, academic institutions, and sleep-research facilities) and with vetted health-technology partners advancing sleep science. Sonopeace may receive compensation for licensing anonymized datasets to such partners.
Because any data shared in this way is fully anonymized, it is no longer personal data under GDPR Recital 26 or personal information under CCPA/CPRA. No personally identifiable information is ever shared with external parties.
You can review or withdraw research-sharing consent at any time in Settings > Privacy & Consent.
10. Data retention
We retain your data only for as long as necessary to provide our services or as required by law.
| Data category | Retention period |
|---|---|
| Account data (email, name) | Until account deletion |
| Sleep session and diary data | Until account deletion |
| AI insights and recommendations | Until account deletion |
| Wearable OAuth tokens | Until you disconnect the wearable or delete your account |
| Analytics events (only if enabled) | Until you disable analytics or delete your account |
| Audit logs | Intended minimum of 6 years |
| Error and crash logs | 30 days |
| Sync logs | 30 days |
| Anonymized research data (once a pipeline is active) | Up to 25 years post-anonymization |
Where we retain anonymized data beyond account deletion, it has no link to your identity and cannot be used to re-identify any individual.
11. Account deletion
You may delete your account at any time via Settings > Delete Account. On deletion, your personal identifiers — including email address, name, and device tokens — are removed or obfuscated, and your account-level data is handled according to our deletion procedure.
Account history cannot be recovered after deletion.
12. Cookies & similar technologies
We use only essential cookies and similar technologies in the app and on any connected web surfaces. No advertising or tracking cookies are set.
- Authentication — Supabase Auth tokens to keep you logged in securely
- Security — CSRF tokens and related mechanisms to prevent attacks
- Preferences — Storing your chosen theme and language settings
13. Your privacy rights
Under GDPR Articles 15–22 you have the following rights. Comparable rights apply under CCPA/CPRA for California residents and under similar laws elsewhere.
- Right of access (Art. 15) — Export your data via Settings > Export My Data.
- Right to rectification (Art. 16) — Update your profile information in the app.
- Right to erasure (Art. 17) — Delete your account via Settings > Delete Account.
- Right to restrict processing — Withdraw specific consents via Settings > Privacy & Consent.
- Right to data portability (Art. 20) — Export data in machine-readable JSON format via Settings > Export My Data.
- Right to withdraw consent (Art. 7(3)) — Manage all consents in Settings > Privacy & Consent. Withdrawing analytics stops PostHog mid-session; withdrawing AI features stops further OpenAI requests and purges any pending AI sync jobs.
- Right to lodge a complaint — Contact your local Data Protection Authority.
14. Cross-border data transfers
Your data is processed primarily in the United States. If you are located in the EU/EEA or another region, your data is transferred to and processed in the United States.
For each transfer we rely on the receiving processor's published data-handling commitments. Where required to lawfully transfer data, we will execute Standard Contractual Clauses or rely on the EU-US Data Privacy Framework with the relevant processor; such arrangements will be listed in §5 as they are put in place. We do not currently claim that signed SCCs are in place with every processor.
15. Children's privacy
The Sonopeace app is not directed to and may not be used by individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have inadvertently collected data from a child under 16, we will delete it promptly. If you believe we may have collected such data, please contact us at privacy@sonopeace.com.
16. Subscriptions & billing
Sonopeace offers optional paid subscriptions. Billing is handled entirely by the platform you purchased on and by our subscription processor — Sonopeace does not store your payment card details.
- Apple App Store — see Apple's Privacy Policy.
- Google Play — see Google's Privacy Policy.
- RevenueCat — manages subscription state across platforms; see the RevenueCat Privacy Policy.
See also §6 of our Terms of Service for subscription terms.
17. Changes to this policy
We may update this policy from time to time. Material changes will be communicated in-app or by email before they take effect, and the effective date shown at the top of this page will be revised. Continued use of the Sonopeace app after an update constitutes acceptance of the revised policy.
18. Contact us
For privacy inquiries, contact us at privacy@sonopeace.com. We aim to respond within 24 hours.
A Data Protection Officer appointment is currently under assessment per GDPR Article 37 requirements.
EU/EEA residents may also contact their local Data Protection Authority if they have concerns about how we handle their data.