Privacy Policy

1.1 Personal Information

When you create an account, we collect:

• Name and email address
• Account credentials (password stored using industry-standard encryption)
• Profile information you choose to provide

1.2 CPAP Device Data

When you upload your CPAP data, we collect and process:

• Sleep session data (duration, timestamps, therapy hours)
• Device settings and configurations
• Therapy metrics (AHI, pressure levels, leak rates)
• Respiratory event data (apneas, hypopneas)
• Waveform and detailed therapy data
• Device identifiers and model information

1.3 Usage Information

We automatically collect:

• Log data (IP address, browser type, access times)
• Device information (operating system, device type)
• Usage patterns within the application
• Feature interactions and preferences

We use your information to:

• Provide our Service: Process and analyze your CPAP data, display insights, and generate reports
• Generate AI Insights: Use artificial intelligence to analyze patterns in your data and provide educational explanations
• Improve our Service: Understand usage patterns to enhance features and user experience
• Communicate: Send service-related notifications, updates, and support responses
• Ensure Security: Detect, prevent, and address technical issues and security threats
• Legal Compliance: Comply with applicable laws and regulations

Your CPAP data is treated with the highest level of confidentiality and security. We implement industry-standard encryption and security measures to protect this sensitive information.

Our service uses artificial intelligence to analyze your CPAP data:

• Third-Party AI Services: We use Google's Gemini AI (via Vertex AI) to process and analyze your data
• Data Sent to AI: Anonymized and aggregated session metrics (no personal identifiers are sent to AI services)
• Purpose: To generate educational explanations and pattern recognition insights
• No Training: Your data is not used to train AI models

We do not sell your personal information. We may share your information only in these circumstances:

• Service Providers: With trusted third parties who assist in operating our service (cloud hosting, AI processing) under strict confidentiality agreements
• Legal Requirements: When required by law, court order, or governmental authority
• Safety: To protect the rights, safety, or property of SleepLink, our users, or the public
• Business Transfers: In connection with a merger, acquisition, or sale of assets (you will be notified)
• With Your Consent: When you explicitly authorize us to share specific information
• User-Created Share Links: When you create a share link, your CPAP data for that day becomes accessible to anyone with the link URL. This is a user-initiated action and you control who receives the link. Shared data includes session metrics, events, waveforms, and device settings. Machine serial numbers are partially masked. You can revoke share links at any time.

We implement comprehensive security measures:

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Strict role-based access controls and authentication
• Infrastructure: Hosted on secure cloud infrastructure with SOC 2 compliance
• Monitoring: Continuous security monitoring and incident response procedures
• Backups: Regular encrypted backups with geographic redundancy

While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

We retain your data as follows:

• Account Data: Retained while your account is active and for 30 days after deletion request
• CPAP Session Data: Retained while your account is active; deleted upon account deletion
• AI-Generated Insights: Cached temporarily (up to 24 hours) for performance; regenerated as needed
• Log Data: Retained for up to 90 days for security and debugging purposes
• Share Links: Share link metadata (token, access count, timestamps) retained while link is active; deleted when you revoke the link or delete your account. Shared data access ends when the link expires or is revoked.

You have the following rights regarding your data:

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and associated data
• Export: Download your CPAP data in a portable format
• Opt-Out: Disable AI-powered features while still using basic tracking
• Withdraw Consent: Withdraw consent for data processing at any time

To exercise these rights, contact us at privacy@sleeplink.app or use the account settings in your dashboard.

We use essential cookies to:

• Maintain your login session
• Remember your preferences
• Ensure security (CSRF protection)

We do not use third-party advertising cookies or sell data to advertisers. We may use privacy-respecting analytics to understand how our service is used.

Your data may be processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses and adequacy decisions where applicable.

Our service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the service after changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or our data practices, contact us: