# PRIVACY POLICY
## YourSleep Mobile Application
---
**Effective Date:** April 21, 2026
**Last Updated:** April 21, 2026
---
## TABLE OF CONTENTS
1. [Introduction](#1-introduction)
2. [Definitions](#2-definitions)
3. [Information We Collect](#3-information-we-collect)
4. [How We Use Your Information](#4-how-we-use-your-information)
5. [How We Share Your Information](#5-how-we-share-your-information)
6. [Data Storage and Retention](#6-data-storage-and-retention)
7. [Data Security](#7-data-security)
8. [Your Privacy Rights](#8-your-privacy-rights)
9. [Do Not Sell or Share My Personal Information](#9-do-not-sell-or-share-my-personal-information)
10. [Children's Privacy](#10-childrens-privacy)
11. [Apple HealthKit Data Disclosure](#11-apple-healthkit-data-disclosure)
12. [Third-Party Services](#12-third-party-services)
13. [International Data Transfers](#13-international-data-transfers)
14. [Changes to This Privacy Policy](#14-changes-to-this-privacy-policy)
15. [Contact Us](#15-contact-us)
---
## 1. INTRODUCTION
This Privacy Policy ("Policy") describes how YourSleep ("we," "us," or "our") collects, uses, discloses, and protects your personal information when you use the YourSleep mobile application (the "App"). YourSleep is a sleep analysis and dream journaling application developed and operated by an independent developer.
By downloading, installing, or using the App, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree with this Policy, please do not use the App.
This Policy applies to all users of the App, including residents of states with specific privacy legislation such as California, Virginia, Colorado, Connecticut, and other jurisdictions with applicable data protection laws.
---
## 2. DEFINITIONS
For purposes of this Policy, the following terms shall have the meanings set forth below:
- **"Personal Information"** means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under applicable law including the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA").
- **"Health Data"** means data obtained from Apple HealthKit, including but not limited to sleep stages, heart rate, blood oxygen saturation, heart rate variability, body temperature, and respiratory rate.
- **"Service Providers"** means third parties that process Personal Information on our behalf for the purposes described in this Policy.
- **"Sale"** means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer's Personal Information to a third party for monetary or other valuable consideration, as defined under the CCPA/CPRA.
---
## 3. INFORMATION WE COLLECT
### 3.1 Information Collected Automatically
When you use the App, the following information is collected automatically:
| Category | Data Elements | Purpose |
|----------|--------------|---------|
| **Identifiers** | Firebase anonymous user ID (randomly generated, not linked to your real identity) | User identification and service continuity |
| **Device Information** | Device model, operating system version, app version, language setting | Analytics and customer support |
| **Usage Data** | App events, session information, screen views, feature usage patterns | Service improvement and analytics |
| **App Instance ID** | Firebase Analytics anonymous instance identifier | Aggregate usage analytics |
| **Security Tokens** | Firebase App Check token (DeviceCheck-based) | App integrity verification |
| **Service Records** | AI dream analysis daily usage count, subscription status | Usage limit management and subscription verification |
| **Diagnostic Data** | Crash logs and error reports (Firebase Crashlytics) | App stability and bug resolution |
### 3.2 Information You Provide Voluntarily
| Category | Data Elements | Storage Location |
|----------|--------------|-----------------|
| **Dream Diary Entries** | Title (up to 200 characters), content (up to 2,000 characters), date, tags | Device only (local storage) |
| **Voice Input** | Speech-to-text transcription of dream diary entries (original audio is NOT recorded or stored) | Device only (transcribed text) |
| **Caffeine Intake Records** | Daily caffeine consumption logs | Device only (local storage) |
### 3.3 Apple HealthKit Data (With Your Explicit Permission)
We access the following Health Data from Apple HealthKit **only** when you explicitly grant permission:
| Data Type | Description | Purpose |
|-----------|------------|---------|
| **Sleep Stages** | Deep sleep, light sleep (Core), REM sleep, awake time, and duration of each stage | Sleep pattern analysis and sleep score calculation |
| **Heart Rate** | Heart rate readings during sleep | Resting heart rate analysis and sleep scoring |
| **Blood Oxygen Saturation (SpO2)** | Oxygen saturation levels during sleep | Sleep quality assessment |
| **Heart Rate Variability (HRV/SDNN)** | Heart rate interval variability | Stress level estimation |
| **Body Temperature** | Temperature readings during sleep | Health indicator reference |
| **Respiratory Rate** | Breathing rate during sleep | Health indicator reference |
> **Important:** HealthKit data is read in real time for on-screen display and analysis. It is **not** transmitted to any external server, stored in any cloud database, or shared with any third party. See [Section 11](#11-apple-healthkit-data-disclosure) for Apple-required disclosures.
### 3.4 Information We Do NOT Collect
We want to be transparent about what we do **not** collect:
- Real name, date of birth, or any identity-verifying information
- Email address, phone number, or other contact information (unless you voluntarily contact us for support)
- Location data (GPS, Wi-Fi-based, or otherwise)
- Contacts, calendar, or photo library contents (except when you use the share feature to save an image)
- Advertising identifiers (IDFA or equivalent)
- Browser cookies or web tracking technologies
- Passwords (the App uses anonymous authentication with no login credentials)
---
## 4. HOW WE USE YOUR INFORMATION
We use the information we collect for the following purposes:
| Purpose | Data Used | Legal Basis |
|---------|-----------|-------------|
| **Provide sleep analysis** | HealthKit data (sleep stages, heart rate, SpO2, HRV, temperature, respiratory rate) | Your explicit consent (HealthKit permission) |
| **Provide AI dream analysis** | Dream diary title and content | Performance of the service you requested |
| **Manage daily usage limits** | AI analysis usage count, anonymous UID | Legitimate business interest (service management) |
| **Process subscriptions** | Subscription status, purchase verification records | Performance of the subscription contract |
| **Improve the App** | Anonymous analytics data (usage patterns, session info) | Legitimate business interest (product improvement) |
| **Ensure security** | App Check tokens, device attestation data | Legitimate business interest (fraud prevention) |
| **Diagnose and fix issues** | Crash logs, error reports, device information | Legitimate business interest (service reliability) |
| **Provide customer support** | Device model, OS version, app version (included in support emails) | Your request for support |
We do **not** use your information for advertising, profiling, or any purpose unrelated to providing and improving the App.
---
## 5. HOW WE SHARE YOUR INFORMATION
### 5.1 Service Providers
We share information with the following Service Providers who process data on our behalf:
| Service Provider | Data Shared | Purpose | Data Retention |
|-----------------|-------------|---------|----------------|
| **Google LLC (Firebase Authentication)** | Anonymous UID | User identification | Until account deletion |
| **Google LLC (Firebase Firestore)** | AI usage counts, subscription records | Database hosting | Usage counts: auto-expire via TTL; Subscription records: while active |
| **Google LLC (Firebase Cloud Functions)** | Dream diary text (for AI analysis), purchase receipts (for verification) | Serverless processing | Processed in transit; not stored |
| **Google LLC (Firebase Analytics)** | App instance ID, usage events, session data, device info | Usage analytics | Per Google's retention policy (default 14 months) |
| **Google LLC (Firebase Crashlytics)** | Crash logs, error reports, device info | Crash reporting and diagnostics | 90 days |
| **Google LLC (Gemini AI)** | Dream diary title and content (de-identified text) | AI-powered dream analysis | Not retained after processing |
| **Apple Inc. (HealthKit)** | N/A (Apple provides data to the App; we do not send data to Apple) | Health data source | Per Apple's privacy policy |
| **Apple Inc. (StoreKit)** | Purchase transaction data (processed by Apple; not visible to us) | Payment processing | Per Apple's privacy policy |
| **RevenueCat, Inc.** | Purchase history (not linked to user identity) | Subscription management and analytics | Per RevenueCat's privacy policy |
### 5.2 We Do Not Sell Your Information
**We do not sell, rent, or trade your Personal Information to any third party for monetary or other valuable consideration.** We have not sold Personal Information in the preceding twelve (12) months, and we have no plans to do so.
### 5.3 Other Disclosures
We may disclose your information in the following limited circumstances:
- **Legal Requirements:** When required by law, regulation, subpoena, court order, or other legal process.
- **Protection of Rights:** When we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
- **Business Transfer:** In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via the App of any such change.
---
## 6. DATA STORAGE AND RETENTION
### 6.1 Local Data (On Your Device)
| Data | Storage Method | Retention Period |
|------|---------------|-----------------|
| Dream diary entries | SharedPreferences (device local storage) | Until you delete them or uninstall the App |
| Caffeine intake records | SharedPreferences (device local storage) | Until you delete them or uninstall the App |
| Sleep analysis results | In-memory processing | Not persisted beyond the current session |
| HealthKit data | Read in real time from Apple Health | Not stored by the App |
When you uninstall the App, all local data is permanently deleted by the operating system.
### 6.2 Server-Side Data
| Data | Storage Location | Retention Period |
|------|-----------------|-----------------|
| Firebase anonymous UID | Firebase Authentication (Google Cloud) | Until app uninstall or deletion request |
| AI analysis usage count | Firebase Firestore | Auto-expires via time-to-live (TTL) policy |
| Subscription verification records | Firebase Firestore | While subscription is active |
| Analytics data | Firebase Analytics (Google Cloud) | Default retention: 14 months |
| Crash reports | Firebase Crashlytics (Google Cloud) | 90 days |
### 6.3 AI Dream Analysis Data
When you use the AI dream analysis feature, the title and content of your dream diary entry are transmitted to Google's Gemini AI API via Firebase Cloud Functions. This data is processed to generate an analysis and is **not retained** by the API after the response is returned. No persistent copy of your dream content is stored on Google's servers beyond the duration of the API call.
---
## 7. DATA SECURITY
We implement commercially reasonable technical and organizational measures to protect your Personal Information against unauthorized access, alteration, disclosure, or destruction. These measures include:
**Technical Safeguards:**
- All network communications are encrypted using TLS/SSL (HTTPS)
- Firebase App Check with DeviceCheck-based device attestation ensures only legitimate app instances can access our services
- Firebase Authentication tokens are required for all server requests
- Google Gemini API keys are stored in Google Cloud Secret Manager and are never exposed in the client application
- Server-side input validation on all data submissions (length and content verification)
- Jailbreak detection (IOSSecuritySuite) to identify compromised device environments
- Firestore security rules restrict data access to authenticated users' own records only
- Cloud Functions execution is rate-limited to maintain service stability
**Organizational Safeguards:**
- Data minimization: we collect only the minimum information necessary to provide the service
- Anonymous authentication: no email, password, or identity-verifying information is collected
- Access to server-side data is restricted to the developer/operator only
- No advertising SDKs or unnecessary third-party tracking libraries are included in the App
**No system is 100% secure.** While we strive to protect your Personal Information, we cannot guarantee absolute security. You use the App at your own risk.
---
## 8. YOUR PRIVACY RIGHTS
### 8.1 Rights Available to All Users
Regardless of where you reside, you may:
- **Delete local data** at any time by removing entries within the App or by uninstalling the App
- **Revoke HealthKit access** through iOS Settings > Privacy & Security > Health > YourSleep
- **Request deletion of server-side data** by contacting us at [email protected]
- **Manage your subscription** through iOS Settings > Apple ID > Subscriptions
- **Limit analytics** through iOS Settings > Privacy & Security > Tracking
### 8.2 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
**(a) Right to Know.** You have the right to request that we disclose the categories and specific pieces of Personal Information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your Personal Information.
**(b) Right to Delete.** You have the right to request deletion of Personal Information we have collected from you, subject to certain exceptions permitted by law.
**(c) Right to Correct.** You have the right to request correction of inaccurate Personal Information that we maintain about you.
**(d) Right to Opt-Out of Sale or Sharing.** You have the right to opt out of the sale or sharing of your Personal Information for cross-context behavioral advertising. **We do not sell or share your Personal Information as defined under the CCPA/CPRA; therefore, no opt-out is necessary.**
**(e) Right to Non-Discrimination.** We will not discriminate against you for exercising any of your CCPA/CPRA rights.
**(f) Categories of Personal Information Collected (Preceding 12 Months):**
| CCPA Category | Data Elements | Sold? | Shared for Advertising? |
|---------------|--------------|-------|------------------------|
| **A. Identifiers** | Firebase anonymous UID, app instance ID | No | No |
| **B. Personal Information (Cal. Civ. Code 1798.80(e))** | None collected | N/A | N/A |
| **F. Internet or Electronic Network Activity** | App usage events, session data, crash logs | No | No |
| **H. Health Information** | HealthKit data (read-only, not stored on servers) | No | No |
| **K. Inferences** | Sleep scores and analysis derived from health data | No | No |
**(g) How to Submit a Request.** To exercise any of the above rights, please contact us at **[email protected]** with the subject line "CCPA Request." We will verify your identity by matching the information you provide with the information we have on file. Because we use anonymous authentication, we may ask you to provide your Firebase anonymous UID (available in the App's settings) to verify your request.
**(h) Response Timeline.** We will acknowledge your request within ten (10) business days and respond substantively within forty-five (45) calendar days. If additional time is needed, we will notify you of the extension and the reason.
**(i) Authorized Agents.** You may designate an authorized agent to submit a request on your behalf by providing written authorization. We may still require you to verify your identity directly.
### 8.3 Virginia, Colorado, Connecticut, and Other State Residents
If you reside in a state with applicable consumer privacy legislation (including but not limited to the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Texas Data Privacy and Security Act, or Oregon Consumer Privacy Act), you may have the following rights:
- **Access** your Personal Information
- **Correct** inaccurate Personal Information
- **Delete** your Personal Information
- **Obtain a portable copy** of your Personal Information
- **Opt out of targeted advertising** (not applicable; we do not serve targeted advertising)
- **Opt out of sale of Personal Information** (not applicable; we do not sell Personal Information)
- **Opt out of profiling** in furtherance of decisions that produce legal or similarly significant effects (not applicable)
- **Appeal** a denial of a privacy rights request by contacting us at [email protected] with the subject line "Privacy Rights Appeal"
---
## 9. DO NOT SELL OR SHARE MY PERSONAL INFORMATION
Pursuant to the CCPA/CPRA and other applicable state privacy laws:
- **We do not sell your Personal Information** to any third party for monetary or other valuable consideration.
- **We do not share your Personal Information** for cross-context behavioral advertising.
- **We do not use advertising identifiers** (IDFA) or participate in advertising networks.
- **We do not engage in profiling** for decisions that produce legal or similarly significant effects.
Because we do not sell or share Personal Information, no opt-out mechanism is required. However, if you have any questions or concerns, please contact us at **[email protected]**.
---
## 10. CHILDREN'S PRIVACY
The App is **not directed at children under the age of thirteen (13)**. We do not knowingly collect Personal Information from children under 13, in compliance with the Children's Online Privacy Protection Act ("COPPA").
Because the App uses anonymous authentication, we do not collect age-verifying information. If we learn that we have inadvertently collected Personal Information from a child under 13 without verifiable parental consent, we will:
1. Delete such information promptly from our systems, and
2. Take reasonable steps to restrict the child's access to the App.
**Parents and Guardians:** If you believe that your child under the age of 13 has used the App and that we may have collected their information, please contact us immediately at **[email protected]**. We will take prompt action to investigate and delete any such information.
---
## 11. APPLE HEALTHKIT DATA DISCLOSURE
This section provides required disclosures regarding our use of Apple HealthKit data, in compliance with Apple's developer guidelines.
1. **Purpose Limitation.** We access Apple HealthKit data solely to provide the sleep analysis features of the App. HealthKit data is used for no other purpose.
2. **No External Storage.** We do **not** store HealthKit data on any external server, cloud database, or storage system. HealthKit data is read in real time and processed on your device.
3. **No Sale.** We do **not** sell HealthKit data to any third party, including advertising platforms, data brokers, or analytics providers.
4. **No Advertising Use.** We do **not** use HealthKit data for advertising, marketing, or any promotional purpose.
5. **No Third-Party Sharing.** We do **not** share HealthKit data with third parties for purposes unrelated to providing health or fitness services directly to you through the App.
6. **No Disclosure to Third Parties.** HealthKit data is **not** disclosed to any third party, including Google, Firebase, or any other service provider used by the App.
7. **User Control.** You may revoke the App's access to HealthKit data at any time through **iOS Settings > Privacy & Security > Health > YourSleep**. Revoking HealthKit access will disable sleep analysis features but will not affect other App functionality.
---
## 12. THIRD-PARTY SERVICES
The App uses the following third-party services. Each service has its own privacy policy governing its use of data:
| Service | Provider | Privacy Policy |
|---------|----------|---------------|
| Firebase (Authentication, Firestore, Cloud Functions, Analytics, Crashlytics, App Check) | Google LLC | <https://policies.google.com/privacy> |
| Gemini AI API | Google LLC | <https://ai.google.dev/gemini-api/terms> |
| Apple HealthKit | Apple Inc. | <https://www.apple.com/legal/privacy/> |
| Apple StoreKit | Apple Inc. | <https://www.apple.com/legal/privacy/> |
| RevenueCat | RevenueCat, Inc. | <https://www.revenuecat.com/privacy/> |
| Apple Speech Recognition | Apple Inc. | <https://www.apple.com/legal/privacy/> |
We encourage you to review the privacy policies of these third-party services to understand how they handle your data.
---
## 13. INTERNATIONAL DATA TRANSFERS
Our Service Providers, including Google LLC and RevenueCat, Inc., are headquartered in the United States and may process data in the United States or other countries. While our primary Firebase server region is located in Seoul, South Korea (asia-northeast3), Google LLC is a U.S.-based company.
By using the App, you acknowledge and consent to the transfer of your information to the United States and other jurisdictions, which may have data protection laws that differ from those in your jurisdiction. We ensure that all Service Providers maintain appropriate safeguards for the protection of your Personal Information.
---
## 14. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
- The "Last Updated" date at the top of this Policy will be revised accordingly.
- **Material changes** (including changes to the categories of Personal Information collected, new purposes of use, or new third-party disclosures) will be communicated through in-app notification at least **thirty (30) days** before they take effect.
- **Non-material changes** (such as formatting or clarification updates) will take effect upon posting.
- Your continued use of the App after the effective date of an updated Policy constitutes your acceptance of the changes.
We encourage you to review this Policy periodically.
---
## 15. CONTACT US
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
| | |
|---|---|
| **Email** | [email protected] |
| **In-App** | Settings > Inquiry / Policies > Contact Us |
| **Response Time** | We will acknowledge your request within ten (10) business days and respond substantively within forty-five (45) calendar days. |
For CCPA/CPRA requests, please include "CCPA Request" in the subject line of your email.
For privacy rights appeals, please include "Privacy Rights Appeal" in the subject line.
---
*This Privacy Policy is effective as of April 21, 2026.*
*YourSleep is developed and operated by an independent developer. YourSleep is not affiliated with Apple Inc., Google LLC, or RevenueCat, Inc.*