Privacy Policy
Effective date: April 16, 2026 | Last updated: April 16, 2026
Supersedes all previous versions, including the version dated December 13, 2025.
TL;DR
Rhythmicly is a personal sleep coach. To coach you well, we send your first name and your sleep data to Anthropic (the company behind Claude) and, when you use voice mode, to ElevenLabs. We do this because generic advice doesn't help people sleep. We do not send your email address, your last name, or your user ID to those AI providers. We do not sell your data. You can export or delete everything any time.
If that trade-off doesn't work for you, please don't use the app.
Who we are
Rhythmicly Inc. (Delaware C-corp, EIN 41-2902472) operates the Rhythmicly iOS app and the AI sleep companion "Remi." Rhythmicly Inc. is the data controller under GDPR/UK GDPR for purposes of this policy; Colton Hess, the founder, is the privacy contact named throughout.
What we collect
From you, when you sign up or use the app
- Account: email address, a password (or Apple/Google Sign In identifier), first name (sometimes last name).
- Sleep profile: chronotype, wake/bed targets, life context, goals, sleep challenge, disruptors you report, current bedtime and wake time, primary wearable device.
- Conversations: every text message you send to Remi, every transcript from a voice session with Remi.
- Check-ins: morning ratings (how rested, how sharp, how your body feels), factors you select, dream recall and dream text (if you choose to log one).
- Time zone and locale (derived from your device).
From Apple HealthKit (with your explicit HealthKit permission)
We read the following from HealthKit — we do not write to HealthKit:
- Sleep analysis samples (bedtime, wake time, sleep stage categories)
- Heart rate variability (SDNN)
- Resting heart rate
- Oxygen saturation (SpO₂)
- Respiratory rate
- Apple sleeping wrist temperature
- Step count
- Active energy burned
- Time in daylight
You can revoke HealthKit permission any time in iOS Settings → Privacy → Health → Remi.
From your connected wearable (if you connect one)
If you connect Oura, Fitbit, WHOOP, or Garmin, we fetch sleep and heart-rate data from their API using an OAuth token you grant us. Your OAuth token is stored in the iOS Keychain on your device. A copy is also stored server-side in Supabase, encrypted at rest, so that we can sync in the background when the app is not open. We fetch only the data needed for sleep coaching.
From Google Calendar (if you connect it)
If you connect Google Calendar, we read your "primary" calendar's upcoming events to detect early-morning commitments and help Remi adjust your bedtime. We use only the start time of your first commitment tomorrow and a count of this week's events; we do not send event titles, descriptions, attendees, or locations to any AI provider.
Automatically, from the app
- Device info: iOS version, device model, app version.
- Usage events: screen views, feature interactions, session duration, tap patterns. Tagged with your Supabase user ID so we can understand retention.
- Error logs and crash reports.
Local-only (never leaves your device)
- HomeKit home/accessory state used to control bedroom lighting and thermostat.
- Hue bridge and other local-network device identifiers (discovered via Bonjour/mDNS).
- Apple Sign In nonces and session tokens (Keychain).
- Subscription entitlement state.
What we explicitly do not collect
- Precise location (we do not request Core Location permission).
- Contacts, photos, videos, browsing/search history.
- Advertising identifier (IDFA). We do not request App Tracking Transparency.
- Payment card information. If we charge you, Apple handles payment; we never see the card.
How we use your data
- To run Remi (our AI coach): personalize sleep guidance, generate your nightly plan, answer your questions.
- To compute your Sleep Regularity Index (SRI) and other consistency metrics.
- To send the in-app notifications you allow (wind-down, morning, insights).
- To operate smart-home actions you request (dim lights, set thermostat, schedule automations).
- To support your account: authentication, account recovery, responding to your emails.
- For product analytics — measuring retention, finding bugs, figuring out what to build next. Opt out any time in Settings.
- To detect abuse (rate limiting, spam detection).
- When legally required.
We do not use your data to train Anthropic's, ElevenLabs', or any other company's AI models. We have contractual commitments from our AI providers that your data is not used for their model training.
Sub-processors: who we share data with, and what we send
Anthropic (Claude) — the brain behind Remi
What goes to Anthropic every time you chat with Remi or generate a plan:
- Your first name.
- Your onboarding preferences (chronotype, wake/bed targets, goals, motivation, sleep challenge).
- Your sleep data: last night's sleep, recent patterns, and your Sleep Regularity Index.
- Health metrics from HealthKit or your connected wearable (heart rate variability, resting heart rate, oxygen saturation, respiratory rate, body temperature deviation).
- Tonight's target bedtime and wake time.
- Current time, date, and time zone.
- Yesterday's activity (steps, active energy).
- Calendar context: the hour of your first commitment tomorrow and a count of this week's events. Never event titles, attendees, locations, or descriptions.
- Your morning check-in responses and any dream you chose to log.
- Your conversation history with Remi.
- Facts Remi has remembered about you (preferences, life events, ongoing goals).
What we do not send to Anthropic: your email address, your last name, your Supabase user ID, your wearable OAuth tokens, your calendar event titles, raw HealthKit sample files.
Why we send this much: without the context, Remi gives generic advice. Sleep coaching is only useful when it's specific to you, tonight.
Anthropic's commitment (via API): your data is not used to train Anthropic's models. Anthropic automatically deletes API inputs and outputs within 30 days. If content is flagged for a Usage Policy violation, Anthropic may retain it for up to 2 years for trust-and-safety review. See Anthropic's privacy policy.
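The "what we send / what we do not send" split above is easiest to enforce by building the provider payload from an allowlist of named fields and then scanning the outbound payload for values that must never leave. The following is an added example written for this page, not Rhythmicly's code; every record shape, field name and sample value (the user row, the health row, the calendar events, the secret values) is an assumption. It also shows the fragile alternative, a denylist that strips known-bad keys and forwards the rest, and why the outbound scan matters.

```python
"""Added example, not Rhythmicly's code: an allowlist-based builder for the
context an app like this would send to an AI provider, plus an outbound scan
that refuses to send a payload containing values the policy says never leave.
Every record shape, field name and sample value here is an assumption."""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Keys the policy permits in the provider payload (assumed field names).
PROFILE_ALLOWLIST = frozenset({"first_name", "chronotype", "wake_target",
                               "bed_target", "goals", "sleep_challenge"})
HEALTH_ALLOWLIST = frozenset({"hrv_sdnn_ms", "resting_hr_bpm", "spo2_pct",
                              "respiratory_rate", "wrist_temp_dev_c",
                              "steps", "active_energy_kcal"})

# Constructed sample records. The user row deliberately carries fields that
# must never reach the provider (email, last name, user ID).
NOW = datetime(2026, 4, 16, 21, 30)
USER_ROW = {
    "user_id": "8f1c2e5a-0000-4000-8000-1234567890ab",
    "email": "ada.lovelace@example.com",
    "first_name": "Ada", "last_name": "Lovelace",
    "chronotype": "night_owl", "wake_target": "06:45", "bed_target": "22:45",
    "goals": ["fall asleep faster"], "sleep_challenge": "late screens",
}
HEALTH_ROW = {"hrv_sdnn_ms": 48, "resting_hr_bpm": 56, "spo2_pct": 97,
              "respiratory_rate": 14.2, "wrist_temp_dev_c": 0.3,
              "steps": 8120, "active_energy_kcal": 410,
              "raw_sample_path": "/healthkit/export-2026-04-16.xml"}
EVENTS = [  # constructed calendar events; titles and locations must never be copied
    {"start": "2026-04-15T09:00", "summary": "Past meeting"},
    {"start": "2026-04-17T07:30", "summary": "Standup", "location": "HQ"},
    {"start": "2026-04-17T13:00", "summary": "Dentist"},
    {"start": "2026-04-20T09:00", "summary": "Flight to SFO"},
    {"start": "2026-04-30T10:00", "summary": "Outside this week"},
]
# Values that must never appear in an outbound payload. The wearable token is
# included even though no record above contains it.
SECRETS = {"email": USER_ROW["email"], "last_name": USER_ROW["last_name"],
           "user_id": USER_ROW["user_id"], "wearable_token": "oura_tok_9Q2x"}


def summarize_calendar(events, now):
    """Reduce events to the two numbers the policy allows: the hour of the first
    commitment tomorrow and the count of events in the next seven days."""
    starts = [datetime.fromisoformat(e["start"]) for e in events]
    tomorrow = (now + timedelta(days=1)).date()
    tomorrow_starts = sorted(s for s in starts if s.date() == tomorrow)
    return {
        "first_commitment_hour_tomorrow": tomorrow_starts[0].hour if tomorrow_starts else None,
        "events_this_week": sum(now <= s < now + timedelta(days=7) for s in starts),
    }


def leaks_in(context, secrets=SECRETS):
    """Labels of secret values found anywhere in the serialized payload.
    Runs before the API call; a non-empty result should abort the send."""
    blob = json.dumps(context, default=str)
    return sorted(label for label, value in secrets.items() if value in blob)


def allowlisted_context(user=USER_ROW, health=HEALTH_ROW, events=EVENTS, now=NOW):
    """Copy only named keys; anything new in the user row stays behind."""
    return {"profile": {k: user[k] for k in PROFILE_ALLOWLIST if k in user},
            "health": {k: health[k] for k in HEALTH_ALLOWLIST if k in health},
            "calendar": summarize_calendar(events, now),
            "now": now.isoformat()}


def denylisted_context(user=USER_ROW, health=HEALTH_ROW, events=EVENTS, now=NOW):
    """The fragile alternative: strip known-bad keys and forward the rest.
    It misses last_name (and any column added later), which leaks_in() catches."""
    return {"profile": {k: v for k, v in user.items() if k not in {"email", "user_id"}},
            "health": dict(health),
            "calendar": summarize_calendar(events, now),
            "now": now.isoformat()}


if __name__ == "__main__":
    print(json.dumps(allowlisted_context(), indent=2))
    print("allowlist leaks:", leaks_in(allowlisted_context()))  # []
    print("denylist leaks:", leaks_in(denylisted_context()))    # ['last_name']
```

The allowlist is what keeps a newly added database column out of the payload by default; the scan in `leaks_in` is the backstop that turns a silent leak into a failed request. In a real deployment the scan would also cover the OAuth token value read from the Keychain and the session JWT, neither of which belongs in a prompt.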
ElevenLabs — voice transcription and Remi's voice
When you use voice mode with Remi, ElevenLabs handles speech-to-text, Remi's text-to-speech response, and the real-time conversational agent.
What goes to ElevenLabs:
- Your live microphone audio during the conversation.
- The same context described in the Anthropic section above (your first name, sleep data, health metrics, goals, memories) so the agent knows who you are.
- Tool-call arguments when the agent does something on your behalf (e.g., "set thermostat to 67").
Retention: We have configured our ElevenLabs agent for zero-retention mode. That means voice audio is processed in real time and not stored, and transcripts are retained only for the duration of the session. ElevenLabs' default account-level terms also apply; see ElevenLabs' privacy policy.
Supabase — our database and authentication provider
Supabase stores your account, your sleep history, your plans, your chat messages, your morning check-ins, your memories, and your analytics events. All tables holding your data use Postgres Row-Level Security: queries made with your authenticated session token can only return rows tagged with your user ID. Supabase hosts on AWS in the United States and is SOC 2 Type II certified. See Supabase's privacy policy.
Email delivery
We use a third-party email-delivery platform to send onboarding emails, re-engagement emails, and important product updates. They receive your email address and first name for this purpose only, and they do not sell your data or use it for advertising.
Product analytics events are stored in Supabase (listed above), not with the email provider; you can opt out of product analytics in Settings → Privacy → Analytics.
Google (Sign In with Google, Google Calendar)
If you sign in with Google or connect your Google Calendar, Google processes authentication and calendar data per their privacy policy. We hold the OAuth token; we never see your Google password.
Apple
- Apple Sign In — if you use it, Apple handles authentication. We receive a stable, app-specific Apple user identifier and, if you choose Hide My Email, a private relay email address instead of your real one.
- Apple HealthKit — Apple, not Rhythmicly, governs HealthKit data on your device. We access it with your explicit permission; Apple does not see what we read.
- Apple StoreKit / Payments — if/when we charge, Apple processes the payment; we receive only entitlement state.
- HomeKit — end-to-end encrypted between your devices by Apple. We never see HomeKit state server-side.
Apple HealthKit disclosure (required by Apple)
- Rhythmicly reads sleep and related health data from Apple HealthKit with your explicit permission.
- Rhythmicly does not write to HealthKit.
- We do not use HealthKit data for advertising, marketing, or sale to third parties.
- We do not share raw HealthKit data with third parties.
- Your sleep data and health metrics are sent to Anthropic and ElevenLabs as described above to power Remi.
Data retention
| Data | How long we keep it |
|---|---|
| Account profile, sleep history, plans, memories | Until you delete your account |
| Remi chat messages | Until you delete your account (Remi remembers your history so guidance compounds over time) |
| Voice audio sent to ElevenLabs | Zero days (processed in real time, never stored) |
| Voice session transcripts | Duration of the session; then deleted |
| Conversation data at Anthropic | Not used for training; deleted by Anthropic within 30 days, or retained up to 2 years only if flagged for a Usage Policy violation |
| Analytics events | Up to 24 months |
| Server logs | Up to 90 days |
| Email-delivery contact record | Until you delete your account or unsubscribe |
When you delete your account, we delete all account-linked data from our systems within 30 days. AI provider retention follows their published policies.
Your rights
You have the right to:
- Access the data we hold about you. We provide a JSON export in Settings → Privacy → Export my data.
- Delete your account and all associated data. Settings → Privacy → Delete my account.
- Correct your profile data. Edit it in Settings.
- Port your data. The export is a structured JSON file.
- Object to processing for analytics. Settings → Privacy → Analytics → Off.
- Withdraw consent for any optional data source (HealthKit, Calendar, connected wearable, voice mode, notifications) — in each case, revoke in iOS Settings or in our Settings → Integrations.
- Lodge a complaint with a data protection authority (e.g., your national DPA in the EU/UK, or the California Attorney General in the US).
To exercise any of these rights by email, contact colton@rhythmicly.com. We respond within 30 days.
California residents (CCPA/CPRA)
California residents have the additional rights under the California Consumer Privacy Act / California Privacy Rights Act:
- Right to know what personal information we collect and share.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt out of the "sale" or "sharing" of personal information.
- Right to limit use of sensitive personal information.
- Right not to be retaliated against for exercising these rights.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. Health data you provide or that we read from HealthKit is treated as sensitive personal information and used only to provide the service.
To exercise your CCPA rights, email colton@rhythmicly.com. You may designate an authorized agent.
EU/UK/EEA residents (GDPR / UK GDPR)
Our legal bases for processing:
- Contract (Article 6(1)(b)): running the app you signed up for, including Remi's AI coaching. Without the data we list above, we cannot provide the service.
- Consent (Article 6(1)(a), Article 9(2)(a) for health data): HealthKit access, wearable connections, Google Calendar access, voice mode, push notifications. You can withdraw consent any time.
- Legitimate interests (Article 6(1)(f)): product analytics, abuse detection, security. You can object in Settings.
- Legal obligation (Article 6(1)(c)): compliance with laws.
International transfer: our primary providers (Supabase, Anthropic, ElevenLabs, our email-delivery provider, Google for Sign In / Calendar) are US-based. Transfers rely on Standard Contractual Clauses where required.
Data controller: Rhythmicly Inc. (Delaware, USA). Contact: colton@rhythmicly.com. We are below the size threshold for a mandatory EU representative; contact us directly.
HIPAA
Rhythmicly is not a HIPAA-covered entity and does not sign Business Associate Agreements. Your health data is protected under this privacy policy and the terms of our sub-processor agreements; it is not protected under HIPAA's specific rules.
Security
- All data in transit uses TLS 1.2 or higher.
- Supabase encrypts data at rest.
- We use Row-Level Security so your rows are only readable by your authenticated session.
- OAuth tokens for connected wearables are stored in the iOS Keychain on your device with the kSecAttrAccessibleAfterFirstUnlock accessibility class. That class keeps the token usable for background sync once the device has been unlocked after a restart; it also means the item is included in encrypted device backups (the ThisDeviceOnly variant of the class would exclude it).
- We do not store your password. Supabase handles authentication, stores only a password hash, and never exposes plaintext passwords to us.
- We use no sub-processors other than those listed above.
No system is perfectly secure. If you see or suspect a security issue, please email colton@rhythmicly.com so we can fix it.
Children
Rhythmicly is for adults. The app is not directed to children under 13 and we do not knowingly collect data from children under 13. If you believe a child under 13 has used the app, please email us and we will delete the data.
How we communicate changes
We will post updates to this page with a new "Last updated" date. For material changes (new sub-processor that receives personal data, new categories of data collected, changes to your rights), we will also notify you in the app and by email before the change takes effect. Continued use of the app after the effective date means you accept the updated policy.
Contact
Privacy questions, access requests, deletion requests, complaints:
colton@rhythmicly.com
Mailing address: Rhythmicly Inc., Delaware, USA (full mailing address available on request).