Privacy Policy
Effective Date: November 28, 2025 | Last Updated: December 13, 2025
Introduction
Welcome to Rhythmicly ("we," "our," or "us"). We are committed to protecting your privacy and ensuring you have a positive experience when using our sleep tracking and circadian rhythm optimization app ("Service").
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application. Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the application.
Information We Collect
Personal Information You Provide
- Account Information: Email address and password when you create an account
- Profile Information: Sleep preferences, wake time targets, chronotype, and other sleep-related preferences you provide during onboarding
- Location Information: Your zip code or general location (only if you grant permission) to provide timezone-appropriate recommendations
Health Data
- Sleep Data: Sleep and wake times, sleep duration, and sleep quality metrics from Apple HealthKit (with your explicit permission)
- Sleep Patterns: Analysis and calculations we perform on your sleep data to generate your Rhythm Stability Score (RSS)
Usage Data
- App Usage: How you interact with the app, features used, and time spent in the app
- Chat Messages: Conversations with our AI assistant to provide personalized sleep recommendations
- Analytics: Technical information about app performance and usage patterns (anonymized)
Automatically Collected Information
- Device Information: Device type, operating system version, app version
- Log Data: IP address, access times, and technical logs for debugging and security purposes
How We Use Your Information
Primary Services
- Sleep Analysis: Calculate your Rhythm Stability Score and provide personalized insights
- Personalized Recommendations: Generate AI-powered sleep advice based on your patterns and preferences
- Progress Tracking: Monitor your sleep consistency improvements over time
- Notifications: Send you helpful reminders and insights (only if you opt in)
Service Improvement
- App Enhancement: Improve our algorithms and user experience
- Customer Support: Respond to your inquiries and provide technical assistance
- Research: Conduct anonymized research to advance sleep science (only with aggregated, de-identified data)
Legal and Security
- Compliance: Meet legal obligations and protect our legal rights
- Security: Detect and prevent fraud, abuse, and security threats
- Terms Enforcement: Enforce our Terms of Service
How Remi Uses AI
We use OpenAI's services to power Remi, your AI sleep companion. Here's exactly how different types of data are handled:
Your Health Data (Always Anonymized)
Your sleep data from Apple Health is never sent in raw form to any third party. Before any AI processing:
- Exact sleep/wake times → Rounded to 5-minute windows (e.g., 7:13 AM → 7:15 AM)
- Sleep duration → Categorized ("optimal", "short", "long")
- Health metrics → Grouped into ranges ("moderate activity", "elevated heart rate")
We never share: Your exact bedtimes, precise wake times, or raw HealthKit data with OpenAI or any third party.
Your Conversations with Remi (Processed by OpenAI)
When you talk to Remi via voice or text, your conversation is processed by OpenAI's AI services:
Voice mode:
- Your voice recording → Sent to OpenAI Whisper for transcription
- Your transcribed words + conversation history → Sent to OpenAI GPT for Remi's response
- Remi's response → Converted to speech via OpenAI TTS
Text chat:
- Your messages + conversation history → Sent to OpenAI GPT for Remi's response
Why we do this: Sending your full conversational context allows Remi to understand your unique situation—your family, work schedule, stress factors—and give you genuinely helpful, personalized sleep guidance. A scrubbed, sanitized conversation would make Remi generic and unhelpful.
Your Protection
Your data is never used to train AI. OpenAI does not use your conversations or voice recordings to train their models. Your data is processed and then deleted under their Zero Data Retention policy.
- OpenAI operates under Zero Data Retention for API customers—your conversations are not stored after processing
- Your full conversational context is preserved to ensure Remi can provide genuinely helpful, personalized guidance
- Your account identity is never linked to OpenAI requests
What Stays Private
- Your account identity is never linked to OpenAI requests
- Your exact HealthKit data never leaves your device except as anonymized patterns
- You can use text mode instead of voice if you prefer
- You can delete your conversation history anytime in Settings
Data Sent to OpenAI
- Voice audio (for transcription via Whisper)
- Text transcripts and chat messages (with your conversational context)
- Sleep patterns described in general terms (e.g., "woke up around early morning")
Data NOT Sent to OpenAI
- Your name, email address, or any account identification
- User IDs, device identifiers, or any linking information
- Your zip code or precise location
- Raw data from Apple HealthKit (exact times, raw metrics)
- Your calculated RSS scores or detailed sleep analytics
OpenAI Data Handling
- OpenAI does not retain API conversation data after processing (Zero Data Retention)
- Voice audio is processed by OpenAI Whisper and not stored after transcription
- Data is processed in the United States under OpenAI's security protocols
- Your data is never used to train OpenAI's models
- Your conversations are not linked to your identity in OpenAI's systems
Your Control
- You can use text mode instead of voice at any time
- You can avoid the AI features entirely and still use all core app functionality
- Chat messages are automatically deleted from our servers after 7 days
- You can request deletion of any AI conversation data at any time
Other Integrated Services
- Apple HealthKit: Sleep data remains on your device and is only accessed with your explicit permission. We never send raw HealthKit data to third parties.
- Supabase: Provides secure data storage and authentication with Row-Level Security policies ensuring you can only access your own data.
Third-Party Privacy Policies
We recommend reviewing these third-party privacy policies:
Information Sharing and Disclosure
We DO NOT Sell Your Data
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
Limited Sharing
We may share your information only in these specific circumstances:
Service Providers: With trusted third-party providers who help us operate our service:
- Cloud hosting (secure, encrypted storage)
- AI recommendation services (OpenAI - as detailed above)
- Analytics providers (anonymized data only)
- Customer support tools
Legal Requirements: When required by law, regulation, or legal process, or to protect the rights, property, or safety of Rhythmicly, our users, or others.
Business Transfers: In connection with a merger, acquisition, or sale of assets (users will be notified of any changes).
With Your Consent: Any other sharing will only occur with your explicit consent.
Data Security
Security Measures
We implement industry-standard security measures to protect your information:
- Encryption: All data transmitted between your device and our servers is encrypted using TLS/SSL
- Database Security: Your data is stored in encrypted databases with Row-Level Security (RLS) policies
- API Security: All API endpoints are secured and authenticated
- Regular Security Audits: We regularly review and update our security practices
Your Health Data
- Apple HealthKit: Sleep data from HealthKit never leaves your device without your explicit permission
- Data Isolation: Our database ensures you can only access your own data
- Data Minimization: We only collect and store data necessary for providing our service
Your Privacy Rights
Access and Control
You have the right to:
- Access: View all personal data we have about you
- Correction: Update or correct your personal information
- Deletion: Request deletion of your account and associated data
- Portability: Receive a copy of your data in a structured format
- Opt-out: Disable AI features or unsubscribe from communications at any time
How to Exercise Your Rights
Contact us at colton@rhythmicly.com to exercise any of these rights. We will respond within 30 days.
AI and Chat Data Controls
You can:
- Use the app without AI features entirely
- Delete individual chat conversations from within the app
- Request immediate deletion of all AI conversation data
- View exactly what data has been shared with OpenAI (available in app settings)
Data Retention
Retention Periods
- Account Data: Retained until you delete your account
- Sleep Data: Retained for up to 2 years or until account deletion
- Chat Messages: Automatically deleted from our servers after 7 days
- OpenAI Data: Not retained by OpenAI after processing (Zero Data Retention policy)
- Analytics Data: Anonymized and retained for up to 2 years
- Log Data: Retained for up to 90 days for security and debugging
Voice Check-Ins
When you use voice features with Remi:
- Audio Recordings: Voice is temporarily recorded on your device, sent to OpenAI for transcription, then immediately discarded. We do not store audio recordings.
- Text Transcripts: The text from your voice input is stored as part of your chat history (automatically deleted after 7 days).
- Structured Insights: Sentiment analysis and emotional context extracted from check-ins may be retained as part of your sleep data.
- Your Control: You can delete your chat history at any time from the app, or request immediate deletion of all data by contacting us.
Account Deletion
When you delete your account:
- All personal data is permanently deleted within 30 days
- OpenAI does not retain your data after processing (Zero Data Retention policy)
- Some anonymized, aggregated data may be retained for research purposes
- Cached data may persist for up to 90 days in our backup systems
Children's Privacy
Our service is not intended for children under 13 years old. We do not knowingly collect personal information from children under 13. If we learn we have collected information from a child under 13, we will delete it immediately.
International Data Transfers
Your information may be processed in countries other than your own, including:
- United States: Where OpenAI processes AI requests and Supabase stores data
- Your Country: Where Apple HealthKit data remains on your device
We ensure appropriate safeguards are in place to protect your data during international transfers.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will:
- Notify you of any material changes via email or app notification
- Post the updated policy with a new "Last Updated" date
- Continue to protect your data in accordance with the updated policy
Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Regulatory Compliance
CCPA (California)
California residents have additional rights under the California Consumer Privacy Act (CCPA). Contact us for details about exercising these rights.
GDPR (European Union)
EU residents have rights under the General Data Protection Regulation (GDPR). We are committed to compliance with GDPR requirements.
HIPAA
While we handle health-related data, we are not a covered entity under HIPAA. However, we apply similar security and privacy standards to protect your health information.