Legal

Privacy Policy

What we collect when you use Sleepy, how we use it, who we share it with, and the choices and rights you have. Written to actually be read.

EffectiveMay 1, 2026

TL;DR

We collect what's needed to run your account and track your child's sleep. We don't sell data. We don't run ad trackers. Child data is never used to train models. You can export or delete everything from inside the app.

This Privacy Policy explains what personal data Sleepy ("we", "us") collects when you use the Sleepy mobile apps, the website at sleepy.plus, and the backend API (together, the "Service"), how we use and share it, and what choices and rights you have.

Sleepy is a baby- and child-sleep tracking service. We process data about adults who use the app (account holders and caregivers) and, on their instruction, about the children whose sleep they track.

01 Who is responsible

The data controller for personal data processed through the Service is the operator of Sleepy. You can reach us at [email protected] for any privacy question or to exercise your rights.

02 What data we collect

2.1 Account and profile data

Identifiers: email address, authentication provider (email/password, Google, or Apple), provider user ID, whether the email is verified, and (for email accounts) a salted password hash. We never store your plain-text password.
Profile: first name, optional last name, optional avatar image, optional date of birth, role.
Preferences: timezone, locale, push-notification preference, measurement system (metric/imperial).
Session data: refresh tokens (with issue/expiry timestamps, user agent and IP of the issuing device) used to keep you signed in.
Device tokens: push-notification tokens with platform and locale used to deliver reminders.

2.2 Child profile data (entered by you)

Child's name, sex, date of birth, optional avatar, optional timezone.
Birth information you choose to enter: gestational weeks, birth weight, birth height.
Sleep profile: targets for night sleep and number of naps, free-text notes, and selected sleep concerns.
Caregiver list: which of your invited caregivers can access a given child and in which role.

2.3 Sleep and activity data

Sleep sessions: start and end timestamps (with time-zone offsets), durations, type (night/day), and any notes you add.
Derived statistics computed from the above (e.g. weekly totals, comparison with age norms).

2.4 Subscription and purchase data

Information needed to validate and manage in-app purchases: product/plan identifier, store environment, transaction and original-transaction identifiers (Apple), purchase token and package name (Google), subscription status and dates. Card and payment details are handled by Apple or Google — we never see them.

2.5 AI Assistant and chat content

If you use the AI assistant, we store the conversation messages, related child and sleep context you choose to share, and metadata such as timestamps. Messages are sent to a third-party AI provider acting as our subprocessor to generate replies.

2.6 Support and communications

If you contact support, we keep the message, your email, and any attachments you send.
Email verification and password-reset tokens, and logs of password / email change events.

2.7 Technical and diagnostic data

IP address (e.g. for the device that minted a session), device type and operating system, app version, language, crash reports and basic usage events.
Server logs that record requests for security and reliability purposes.

2.8 Data we do not collect

Things you won't find in our database

We do not collect precise GPS location. We do not sell personal data, and we do not run third-party advertising trackers in the apps. We do not knowingly create accounts for minors.

03 Why we use it and legal bases

If you are in the EEA or UK, the legal bases under the GDPR / UK GDPR are listed in brackets.

To create and manage your account, authenticate you, and provide the Service — including child profiles, sleep tracking, and caregiver sharing. [Performance of the contract under these Terms.]
To send transactional messages such as email verification, password resets, security alerts, and important Service notices. [Contract; legitimate interests in account security.]
To deliver in-app reminders and push notifications. [Consent, which you can withdraw in your device or app settings.]
To process subscriptions and prevent purchase fraud. [Contract; legal obligation; legitimate interests.]
To provide the AI Assistant, by transmitting your messages and the chosen context to an AI subprocessor. [Contract; consent where required.]
To keep the Service safe and reliable, debug issues, prevent abuse, and enforce our Terms. [Legitimate interests; legal obligation.]
To improve the Service using aggregated, non-identifying usage data. [Legitimate interests; we do not use child data for model training.]
To comply with law and respond to lawful requests. [Legal obligation.]

04 Children's data

The Service is intended for use by adults — parents, legal guardians, and authorized caregivers — and is not directed to children. We do not knowingly allow children under 16 (or the minimum digital-consent age in your country) to create their own accounts.

The Service is designed for you to record information about your child. You are responsible for entering only the information you consider appropriate and for the lawfulness of that processing. You are the parent or guardian acting on behalf of your child and can review, export, or delete your child's data at any time from within the app.

Consistent with Apple App Store and Google Play family policies and applicable laws (including COPPA in the United States and GDPR in the EEA/UK), we do not show third-party advertising, do not sell personal data, and limit child data processing to what is necessary to provide the Service to you. If you believe a child has independently created an account, please contact us at [email protected] and we will delete the account.

05 Who we share it with

Caregivers you authorize within the Service can view (and, depending on role, edit) the child profiles and sleep entries you share with them.
Service providers (subprocessors) acting on our behalf under written contracts, including:
- cloud hosting and managed database providers;
- identity providers (Apple, Google) when you sign in with them;
- app stores (Apple, Google) for purchase processing and receipt validation;
- push-notification gateways (e.g. Firebase Cloud Messaging, Apple Push Notification service);
- email delivery providers for transactional email;
- an AI provider for the AI Assistant feature;
- crash-reporting and error-monitoring providers (e.g. Sentry).
Authorities when required by law, regulation, court order, or to protect rights, safety, or property.
Successors in connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor this Policy or notify you of any material change.

We do not sell or rent personal data, and we do not share it for cross-context behavioral advertising.

06 International transfers

Sleepy may store and process data in countries other than the one where you live, including the European Economic Area and the United States. When we transfer personal data out of the EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of protection, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

07 How long we keep it

Account, profile, child, sleep dataKept while your account is active. Removed or anonymized within 30 days of account deletion, except where the law requires longer.

Refresh tokens & sessionsUntil they expire or are revoked.

Support correspondenceTypically up to 24 months after the case is closed.

Purchase & tax recordsRetained for the period required by tax and accounting law (often 6–10 years), in a minimized form.

Security & abuse logsTypically up to 12 months.

BackupsDeleted records may persist in routine encrypted backups for up to 35 days before being overwritten.

08 How we protect it

We use industry-standard safeguards, including encryption in transit (TLS), encryption of credentials at rest, salted password hashing, strict access controls, audit logging, and isolation between environments. No method of transmission or storage is 100% secure; if we become aware of a breach affecting your personal data, we will notify you and the competent authorities as required by law.

09 Your rights

Subject to applicable law, you have the right to:

Access the personal data we hold about you and request a copy in a portable format (you can self-serve this through the in-app data export, which uses the /api/v1/user/me/export endpoint).
Rectify inaccurate or incomplete data — most fields are editable in the app.
Erase your account and personal data (see Delete Account and Delete Data).
Restrict or object to processing based on legitimate interests.
Withdraw consent at any time, without affecting processing carried out before withdrawal.
Lodge a complaint with your local data-protection authority. If you are in the EEA/UK, that is the supervisory authority of your habitual residence.
California / US state rights: if applicable, you may request to know, delete, or correct your personal information, and to opt out of "sale" or "sharing" — we do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA.

To exercise rights, email [email protected] from the address associated with your account. We may need to verify your identity before acting on a request.

10 Cookies and similar technologies

The mobile apps do not use browser cookies. The website uses only strictly necessary cookies needed to operate the site (for example, for security and load balancing). We do not use advertising cookies or third-party analytics cookies on the public pages.

11 Changes to this policy

We may update this Privacy Policy from time to time. When changes are material, we will notify you in the app, by email, or by prominent notice on this page, and update the effective date above.

12 Contact

For privacy questions, requests, or complaints, email [email protected].