SleepShift
Start free

Legal

Privacy Policy

Last updated: May 2026

We know sleep data is sensitive. This policy explains exactly what we collect, how we use it, who sees it, and how you can control it. We don't sell your data. We don't use it to train AI models. We keep it only as long as we need to.

1. What data we collect

When you use SleepShift, we collect the following categories of data:

Account data

  • Email address
  • First name (for in-app personalization)
  • Program start date and current week
  • Account creation timestamp

Sleep diary data

  • Bedtime (time you got into bed)
  • Sleep onset latency (minutes to fall asleep)
  • Number of nighttime awakenings
  • Total awakening duration
  • Wake time and out-of-bed time
  • Sleep quality rating (1–5)
  • Optional notes (max 200 characters)
  • Calculated metrics: Total Sleep Time, Time In Bed, Sleep Efficiency %

Program progress data

  • Prescribed sleep windows (per week)
  • Weekly sleep efficiency averages
  • Window adjustment history (extended / maintained / reduced)
  • Cognitive restructuring session responses and summaries

Payment data

Payment is processed by Tranzila. SleepShift does not store your payment card number, CVV, or billing details. We receive only confirmation of successful payment.

Technical data

  • IP address (for rate limiting and fraud prevention)
  • Browser and device type (for optimization)
  • Usage logs (features accessed, errors encountered)

2. How we use your data

We use your data to:

  • Deliver the CBT-I program — calculate your sleep window, generate adjustments, track your progress
  • Calculate your sleep efficiency score each morning from your diary entries
  • Generate personalized cognitive restructuring guidance (via AI processing — see Section 4)
  • Send program-related communications (e.g., weekly check-in reminders)
  • Improve the program based on aggregate, anonymized outcome data

We do not use your data for advertising, profiling, or any purpose unrelated to delivering the SleepShift program.

3. Legal basis for processing (GDPR)

If you are located in the European Economic Area, we process your data on the following legal bases:

  • Contract performance: delivering the program you purchased
  • Legitimate interests: improving the service, preventing fraud, technical security
  • Consent: AI processing of sleep diary data for cognitive restructuring guidance

4. AI processing of your data

Your sleep diary data and program context are sent to the OpenAI API to generate personalized cognitive restructuring guidance in the weekly reflect sessions. Specifically:

  • Your recent sleep diary entries (efficiency, quality ratings)
  • Your current program week
  • Your session responses in the reflect module

Important: Per OpenAI's API usage policies, data submitted via the API is not used to train OpenAI's models. Your sleep data is not used to train any AI model. OpenAI's data retention policies apply to API data (currently: data may be stored up to 30 days for abuse monitoring).

5. Third parties

ProviderPurposeData shared
SupabaseDatabase & authenticationAll user and program data
OpenAIAI-assisted cognitive sessionsDiary data, session responses
VercelHosting & edge computeRequest logs, no user data
TranzilaPayment processingPayment info (not stored by us)

We do not sell your data to any third party. We do not share your data with advertisers.

6. Data retention

  • Active account data is retained while your account is active.
  • If you delete your account, we delete your personal data within 30 days.
  • Anonymized, aggregated outcome data (no personal identifiers) may be retained indefinitely for program improvement purposes.
  • Payment transaction records are retained for 7 years for legal and accounting compliance.

7. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: request a copy of the data we hold about you
  • Correction: request correction of inaccurate data
  • Deletion: request deletion of your account and personal data
  • Portability: request your data in a portable format
  • Objection: object to certain types of processing

To exercise any of these rights, contact us at support@sleepshift.app. We will respond within 30 days.

8. Data security

All data is stored on Supabase, which uses AES-256 encryption at rest and TLS 1.2+ in transit. We use row-level security (RLS) to ensure users can only access their own data. Authentication is handled via Supabase Auth.

9. Cookies

We use essential cookies for authentication (session tokens) and preference storage. We do not use advertising or tracking cookies.

10. Changes to this policy

We may update this Privacy Policy. We will notify you of material changes by email. The "last updated" date at the top of this page indicates when the most recent changes were made.

11. Contact

For privacy-related questions, contact our data team at: support@sleepshift.app