Privacy Policy

R90 Sleep Pty Ltd is a company that operates the R90 Navigator application and related services. For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, we are the data controller responsible for your personal data.

Data Protection Contact: privacy@r90navigator.com

Company: R90 Sleep Pty Ltd
Website: www.r90navigator.com

This Privacy Policy is designed to comply with:

• General Data Protection Regulation (GDPR) – European Union and European Economic Area
• UK General Data Protection Regulation (UK GDPR) – United Kingdom
• Australian Privacy Act 1988 and the Australian Privacy Principles (APPs)
• California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
• Apple App Store and Google Play Store data disclosure requirements

Where a specific regulation grants you additional rights, those rights are outlined in the relevant section below.

3.1 Account Information

When you create an account, we collect your email address, display name, and authentication credentials. If you sign in via Apple or Google, we receive a unique identifier and, where you consent, your name and email address. We do not receive or store your Apple or Google password.

3.2 Onboarding and Quiz Data

During onboarding or via the Website quiz, you provide information about your sleep habits, wake time, chronotype, activity level, caffeine habits, stress level, lifestyle constraints, and sleep goals. This data is essential to creating your personalized rhythm plan.

3.3 Sleep and Lifestyle Data

You may manually log sleep and wake times, morning energy levels, evening routine check-ins, and other observations. You may also provide information about your work schedule, exercise patterns, nap preferences, and recovery goals.

3.4 Health and Wearable Data

With your explicit permission, the App may access data from Apple HealthKit, including sleep data, heart rate, heart rate variability (HRV), and activity data. In the future, we may support Google Health Connect, Oura, Whoop, and other wearable integrations. Health data is only accessed after you grant explicit permission and is used solely to personalize your sleep rhythm and recovery guidance.

3.5 Calendar Data

With your explicit permission, the App may access calendar event metadata (event titles, start/end times, calendar names) to identify schedule conflicts with your rhythm plan. Calendar access is optional and can be revoked at any time. See our dedicated Calendar Data Usage Policy.

3.6 AI Conversation Data

If you interact with R-Lo, our AI coaching assistant, we process and may store conversation history to provide continuity, improve personalization, and enhance coaching quality. AI conversations are processed using third-party AI service providers (such as OpenAI) under data processing agreements. See our AI Assistant Disclaimer.

3.7 Device and Technical Information

We automatically collect device model, operating system version, app version, timezone, locale, and crash/performance logs. This information is used for debugging, improving app stability, and understanding usage patterns.

3.8 Analytics Data

We collect anonymized usage analytics to understand how the Service is used and to improve the experience. Analytics events are associated with anonymous identifiers and do not include personal health data.

3.9 Subscription Data

Subscription status and purchase history are managed through RevenueCat and the Apple App Store or Google Play Store. We receive subscription status information (active, expired, trial) but do not directly process or store your payment card details.

3.10 Website Data

When you visit the Website, we may collect your IP address, browser type, referring URL, and pages visited. If you complete the Website quiz or submit your email, that data is stored in our database. See our Cookie Policy for details on cookies and similar technologies.

If you are located in the EEA or UK, we process your personal data on the following legal bases:

• Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service and its core features as described in our Terms of Use.
• Consent (Art. 6(1)(a)): Where you have given explicit consent, such as opting in to Apple HealthKit integration, calendar access, marketing emails, or analytics.
• Legitimate interests (Art. 6(1)(f)): Improving the Service, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
• Legal obligation (Art. 6(1)(c)): Where processing is required to comply with applicable law.

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

The Service includes the following AI-powered features:

• R-Lo coaching assistant: An AI-powered companion that provides personalized sleep and rhythm guidance, motivational messages, and contextual suggestions based on your data and preferences.
• Rhythm plan engine: An algorithm that evaluates your sleep signals, lifestyle factors, and preferences to generate a personalized daily rhythm plan.
• Readiness assessment: An automated evaluation of your recent sleep patterns to provide rhythm status updates.

All AI-generated content is informational and educational only. It does not constitute medical advice. R-Lo is an automated system, not a human coach or healthcare professional. See our full AI Assistant Disclaimer.

We share data with the following categories of service providers, each acting as a data processor on our behalf under appropriate data processing agreements:

We do not sell your personal data to any third party.

We do not use personal data for third-party advertising unless explicitly stated and consented to.

We do not share HealthKit data with any third party.

We do not use HealthKit data for advertising or cross-app tracking.

Your data may be transferred to and processed in:

• United States – Cloud infrastructure (Supabase, Sentry, PostHog, OpenAI, Vercel)
• European Union – Where EU-region infrastructure is available
• Australia – Company operations and support

For transfers from the EEA or UK to countries that the European Commission has not deemed to provide an adequate level of data protection, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement (IDTA), or other lawful transfer mechanisms.

• Active account: We retain your data for as long as your account is active and as needed to provide the Service.
• Local storage: The App caches sleep data and preferences locally on your device for up to 90 days to ensure offline functionality.
• AI conversations: Conversation history may be retained for the duration of your account to maintain coaching continuity. You may request deletion at any time.
• Analytics data: Anonymized analytics are retained for up to 24 months for product improvement.
• Crash logs: Crash reports are retained for up to 90 days for debugging purposes.
• Subscription records: Subscription history may be retained as required by tax and accounting obligations.
• Account deletion: When you delete your account, we will remove or anonymize your personal data within 30 days, except where retention is required by law.
• Inactive accounts: Accounts that have been inactive for 24 months may be flagged for deletion. We will notify you before taking action.
• Aggregated data: We may retain anonymized, aggregated data indefinitely for research and product improvement purposes.

We implement appropriate technical and organizational measures to protect your data, including:

• TLS encryption for all data in transit
• Encrypted local storage for sensitive data on your device
• JWT-based authentication with short-lived access tokens and secure refresh mechanisms
• Role-based access controls limiting internal access to personal data on a need-to-know basis
• Row-level security in the database ensuring users can only access their own data

No method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us immediately at privacy@r90navigator.com.

11.1 All Users

Regardless of your location, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Delete your account and associated data
• Export your data in a portable format
• Withdraw consent for optional data processing at any time

11.2 Additional Rights under GDPR / UK GDPR (EEA/UK)

If you are in the European Economic Area or United Kingdom, you also have the right to:

• Restrict processing of your data in certain circumstances
• Object to processing based on legitimate interests
• Data portability – receive your data in a structured, commonly used, machine-readable format
• Withdraw consent at any time without affecting the lawfulness of prior processing
• Lodge a complaint with your local data protection supervisory authority
• Not be subject to solely automated decision-making with legal or significant effects

11.3 Additional Rights under CCPA (California)

• Know what personal information we collect, use, and disclose
• Request deletion of your personal information
• Opt out of the sale or sharing of personal information (we do not sell personal information)
• Non-discrimination for exercising your privacy rights

11.4 Australian Privacy Act

• Access your personal information held by us
• Request correction of inaccurate information
• Complain about a breach of the Australian Privacy Principles to us or to the Office of the Australian Information Commissioner (OAIC)

To exercise any of these rights, contact us at privacy@r90navigator.com. We will respond within 30 days (or sooner where required by law).

The Service is not intended for anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@r90navigator.com.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App and on the Website, and by updating the “Last updated” date above. If changes are significant, we may also notify you via email or in-app notification. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

• Privacy inquiries: privacy@r90navigator.com
• General support: hello@r90navigator.com
• Company: R90 Sleep Pty Ltd
• Website: www.r90navigator.com