Last Updated: January 11, 2025
1. Introduction
Zomni ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our sleep improvement service ("Service").
We comply with:
- General Data Protection Regulation (GDPR) for users in the European Union
- UK GDPR for users in the United Kingdom
- California Consumer Privacy Act (CCPA) for users in California
- Lei Geral de Proteção de Dados (LGPD) for users in Brazil
- Privacy Act 1988 and Australian Privacy Principles (APPs) for users in Australia
- Personal Information Protection and Electronic Documents Act (PIPEDA) for users in Canada
- Federal Act on Data Protection (FADP) for users in Switzerland
2. Information We Collect
2.1 Information You Provide
We collect information you voluntarily provide when using our Service:
- Account Information: Email address, password
- Quiz Responses: Sleep patterns, bedtime habits, sleep quality assessments
- Progress Data: Sleep tracking data, program completion status
- Communications: Messages sent to customer support
2.2 Automatically Collected Information
When you use our Service, we automatically collect certain information:
- Usage Data: Pages viewed, features used, time spent in app
- Device Information: Device type, operating system, browser type
- Analytics Data: Session recordings, interaction patterns (via PostHog)
- Cookies: Essential cookies for authentication and preferences
2.3 Payment Information
Payment information is processed by Stripe. We do not store your full credit card details. Stripe may collect billing address, card details, and payment metadata. See Stripe's Privacy Policy for details.
3. How We Use Your Information
We use your information for the following purposes:
- Provide the Service: Deliver personalized sleep recommendations and track your progress
- Improve the Service: Analyze usage patterns to enhance features and user experience
- Authentication: Verify your identity and manage your account
- Customer Support: Respond to your inquiries and provide assistance
- Analytics: Understand how users interact with our Service (via PostHog and Firebase)
- Legal Compliance: Comply with applicable laws and regulations
- Security: Detect and prevent fraud, abuse, and security incidents
4. Third-Party Services
We use the following third-party services that may collect your information:
4.1 PostHog (Analytics & Session Replay)
PostHog provides analytics and session replay functionality. This helps us understand how users interact with our Service.
Data Collected by PostHog:
- Device Identifiers: Unique device IDs, browser fingerprints
- IP Addresses: Your IP address for geolocation and analytics
- Behavioral Patterns: Page views, clicks, scrolling, feature usage
- Session Recordings: Visual recordings of your interactions with our Service
- Technical Data: Browser type, operating system, screen resolution, device type
Data Processing Location: PostHog processes data on servers located in the United States and European Union. Your data may be transferred internationally depending on your location.
Data Sharing: PostHog may share data with sub-processors as disclosed in their privacy policy. You can review the list of PostHog's sub-processors at https://posthog.com/privacy.
Your Control: You can opt out of PostHog analytics and session recordings via our cookie consent banner displayed when you first visit our Service. Opting out will disable all PostHog tracking.
Privacy Policy: https://posthog.com/privacy
4.2 Firebase (Authentication & Database)
Firebase provides authentication services and secure data storage. Firebase may collect authentication data and usage information.
Privacy Policy: https://firebase.google.com/support/privacy
4.3 Stripe (Payment Processing)
Payment information is processed by Stripe, Inc., a payment processor located in the United States. We do not store your full credit card details on our servers.
Data Collected by Stripe:
- Payment Card Information: Card number, expiration date, CVV (encrypted)
- Billing Information: Billing address, cardholder name
- Transaction Data: Transaction history, payment amounts, timestamps
- Device Information: IP address, device type for fraud prevention
Data Processing Location: Stripe processes payment data on servers located in the United States and may transfer data internationally to comply with payment card industry standards.
Payment Card Industry (PCI) Compliance: Stripe is PCI DSS Level 1 certified, the highest level of payment security certification. Your payment information is encrypted and securely transmitted.
You can review Stripe's privacy policy for additional details about Stripe's data processing practices at stripe.com/privacy.
5. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to improve your experience:
- Essential Cookies: Required for authentication and basic functionality (always active)
- Analytics Cookies: PostHog and Firebase analytics (opt-in via consent banner)
- Preference Cookies: Remember your language and consent choices
You can manage cookie preferences through our cookie consent banner. Note that disabling certain cookies may limit Service functionality.
6. Data Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
- Service Providers: Third-party services that help us operate (PostHog, Firebase, Stripe)
- Legal Compliance: When required by law or to protect our rights
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- With Your Consent: When you explicitly authorize us to share information
7. Your Privacy Rights
7.1 GDPR Rights (EU Users)
If you are in the European Union, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a portable format
- Right to Object: Object to processing of your data
- Right to Withdraw Consent: Withdraw consent for data processing at any time
7.2 CCPA Rights (California Users)
If you are in California, you have the following rights:
- Right to Know: Request disclosure of personal information collected
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the sale of personal information (we do not sell data)
- Right to Non-Discrimination: Equal service regardless of privacy choices
7.3 UK GDPR Rights
UK users have the same rights as EU users under UK GDPR.
7.3 LGPD Rights (Brazilian Users)
If you are in Brazil, you have the following rights under LGPD:
- Right to Confirmation and Access: Confirm whether we process your data and request access
- Right to Correction: Request correction of incomplete, inaccurate, or outdated data
- Right to Anonymization, Blocking, or Deletion: Request anonymization, blocking, or deletion of unnecessary or excessive data
- Right to Data Portability: Receive your data in a structured, commonly used format
- Right to Deletion: Request deletion of data processed with your consent
- Right to Information: Request information about third parties with whom we share your data
- Right to Withdraw Consent: Withdraw consent at any time
- Right to Object: Object to processing based on legitimate interest
7.4 Australian Privacy Principles Rights (Australian Users)
If you are in Australia, you have the following rights under the Privacy Act:
- Right to Access: Request access to your personal information
- Right to Correction: Request correction of inaccurate or outdated information
- Right to Complain: Lodge a complaint with the Australian Information Commissioner if you believe we have not handled your information appropriately
7.5 PIPEDA Rights (Canadian Users)
If you are in Canada, you have the following rights under PIPEDA:
- Right to Access: Request access to your personal information
- Right to Correction: Challenge the accuracy and completeness of your information
- Right to Withdraw Consent: Withdraw consent for data processing at any time
- Right to Complain: File a complaint with the Office of the Privacy Commissioner of Canada
7.6 FADP Rights (Swiss Users)
If you are in Switzerland, you have the following rights under FADP:
- Right to Access: Request information about whether and what personal data we process about you
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your personal data in certain circumstances
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to automated decision-making
7.7 Exercising Your Rights - Response Timeframes
To exercise any of these rights, contact us at welcome@zomni.app.
We will respond to your request within the following timeframes, as required by applicable law:
- EU/UK Residents (GDPR/UK GDPR): Within 30 days (may be extended by 60 additional days for complex requests)
- Brazilian Residents (LGPD): Within 15 days
- California Residents (CCPA): Within 45 days (may be extended by 45 additional days)
- Australian Residents (Privacy Act): Within a reasonable period, typically 30 days
- Canadian Residents (PIPEDA): Within a reasonable period, typically 30 days
- Swiss Residents (FADP): As soon as possible, typically within 30 days
8. Data Retention
We retain your personal information only as long as necessary to provide the Service and comply with legal obligations. Our retention periods are based on data minimization and necessity principles required by GDPR, LGPD, PIPEDA, and other applicable privacy laws.
8.1 Retention Periods and Justifications
Account Data (Email Address, Password):
- Active Accounts: Retained while your account is active
- Deleted Accounts: Retained for 90 days after account deletion
- Justification: The 90-day retention period is necessary to:
  - Respond to user inquiries about account deletion
  - Enable account recovery if deletion was accidental
  - Process any pending support tickets or refund requests
  - Comply with payment processor requirements for dispute resolution
  - Maintain service integrity and prevent abuse
Sleep Quiz Responses and Progress Data:
- Active Accounts: Retained while your account is active
- Deleted Accounts: Permanently deleted immediately upon account deletion request
- Justification: Sleep data is not retained after deletion because it serves no legitimate purpose once you have deleted your account. This aligns with data minimization requirements under GDPR, LGPD, and PIPEDA.
Analytics Data (PostHog):
- Individual Data: Retained for 90 days, then aggregated and anonymized
- Aggregated Data: Retained indefinitely after anonymization
- Justification: The 90-day retention period is necessary to:
  - Analyze short-term user behavior patterns to improve the Service
  - Identify and fix bugs based on session recordings
  - Maintain service performance baselines
After 90 days, individual analytics data is aggregated and anonymized, meaning it can no longer identify you and is not subject to data protection laws.
Payment Records (Stripe):
- Retention Period: 7 years from transaction date
- Justification: Required by:
  - Tax and accounting regulations (IRS requirements in the United States)
  - Payment Card Industry (PCI) data retention standards
  - Fraud prevention and chargeback dispute resolution
  - Legal obligations to maintain financial records
8.2 Data Deletion Requests
You can request deletion of your data at any time by contacting welcome@zomni.app. Upon receiving your deletion request:
- Sleep quiz responses and progress data will be permanently deleted immediately
- Your email address and account credentials will be deleted after 90 days
- Analytics data will be anonymized within 90 days
- Payment records will be retained for 7 years as required by law, but will be disassociated from your identity
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
- Encryption of data in transit (HTTPS/TLS)
- Encryption of data at rest (Firebase)
- Secure authentication (Firebase Auth)
- Regular security audits and updates
- Access controls and employee training
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your information.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.
For EU/UK users, we ensure adequate protection through:
- Standard Contractual Clauses approved by the European Commission
- Services certified under EU-U.S. Data Privacy Framework (where applicable)
11. Data Breach Notification
If we discover or are notified of unauthorized access to, use of, or disclosure of personal information that presents a risk to your rights and freedoms, we will notify you and applicable regulatory authorities as required by law.
11.1 Jurisdiction-Specific Breach Notification Procedures
EU/UK Residents (GDPR/UK GDPR):
- We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach
- We will notify affected individuals without undue delay if the breach presents a high risk to your rights
- Notification will include: nature of the breach, categories of data affected, likely consequences, and measures taken
Brazilian Residents (LGPD):
- We will notify the Brazilian National Data Protection Authority (ANPD) within a reasonable timeframe
- We will notify affected individuals when the breach presents significant risk
- Notification will include: description of personal data affected, security measures in place, risks, and measures to mitigate consequences
California Residents (CCPA):
- We will notify affected individuals without unreasonable delay
- Notification will be provided via email, written letter, or substitute notice if contact information is insufficient
Australian Residents (Privacy Act):
- We will assess whether the breach is an "eligible data breach" (unauthorized access/disclosure likely to result in serious harm)
- If eligible, we will notify the Office of the Australian Information Commissioner and affected individuals as soon as practicable
- Notification will include: identity and contact details, description of the breach, kinds of information involved, and recommendations for individuals
Canadian Residents (PIPEDA):
- We will notify the Office of the Privacy Commissioner of Canada if the breach presents a real risk of significant harm
- We will notify affected individuals as soon as feasible
- Notification will include: circumstances of the breach, date or time period, personal information involved, steps taken to reduce risk, and steps individuals can take
Swiss Residents (FADP):
- We will notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible if the breach is likely to result in a high risk to data subjects
- We will notify affected individuals if necessary to protect their interests
11.2 Breach Prevention and Response
We maintain incident response procedures including:
- 24/7 security monitoring and intrusion detection systems
- Immediate containment and investigation protocols
- Forensic analysis to determine breach scope and affected data
- Notification to affected individuals and regulatory authorities as required
- Remediation measures to prevent future breaches
- Documentation and reporting to management and regulators
12. Children's Privacy
Our Service is intended for individuals 18 years of age and older. We do not knowingly collect, use, or disclose personal information from children under 18 years of age.
We comply with children's privacy protection requirements under:
- GDPR: Requires parental consent for children under 16 (or younger, depending on member state)
- UK GDPR: Requires parental consent for children under 13
- CCPA: Requires parental consent for minors under 16
- COPPA (USA): Requires parental consent for children under 13
- LGPD (Brazil): Requires special protections for minors
- Privacy Act (Australia): Includes children's privacy protections
- PIPEDA (Canada): Includes children's privacy principles
- FADP (Switzerland): Includes children's privacy protections
Age Verification: During account registration, users must confirm they are 18 years of age or older. If we discover that a user is under 18, we will immediately suspend their account and delete all personal information associated with that account.
Parental Notice: If you are a parent or guardian and believe that your child under 18 has provided personal information to us, please contact us immediately at welcome@zomni.app. We will:
- Verify your identity as the parent or guardian
- Immediately delete all personal information associated with the child's account
- Permanently suspend the account to prevent future use
- Notify you within 48 hours of completing the deletion
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last Updated" date
- Sending you an email notification (for significant changes)
Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
13. Contact Us
If you have questions about this Privacy Policy or want to exercise your privacy rights, contact us:
14. Data Protection Officer
For GDPR-related inquiries, you can contact our Data Protection Officer at welcome@zomni.app.
15. Supervisory Authority
If you are in the EU or UK and believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with your local data protection supervisory authority.