Sleep2 logo Sleep2 logo

Privacy Policy

General Information

Nukkuaa GmbH is a limited liability company based in Wals-Siezenheim, registered in the commercial register of the Regional Court of Salzburg FN 581365.

  • Nukkuaa operates the product presentation on the sleep² Website (the “Website”).
  • Nukkuaa operates the sleep² app (the “App”), a sleep analysis & training application in the “Health & Fitness” category.

These privacy policies clarify the nature, scope, and purposes of the collection and use of data from customers (our “Users”) through the “Website” and the “App.” Protecting your personal data is particularly important to us. Therefore, we process your data exclusively based on the legal regulations. In these privacy policies, we inform you about the most important aspects of data processing within the framework of our website and our app.

For what purpose is personal data used?

Data protection and full transparency in handling your data are of core concern to us. Therefore, we want to inform you in detail below about what data we use for what purposes.

In summary, we use your data to provide you with our service, contact you for marketing purposes, inform you about news, and improve your user experience in the app and on the website. Data collected and evaluated via Polar sensors (heart rate variability) can be used for pure research purposes by the University of Salzburg. All data read via Google Fit or Google Health Connect is excluded from this research purpose. Sleep² neither exchanges data nor builds databases in cooperation with external parties.

We only use your data for the purposes specified in this privacy policy and do not share your data with other third parties. This also means that we do not sell or offer your personal data for sale.

You have the option to object to certain purposes and the associated collection of your data by, for example, opting out of newsletter registration, rejecting app tracking in the app, or rejecting cookies on our website.

Provision of our Sleep Analysis & Training Services

To provide our sleep analysis & training services, we collect and process:

  • Your first name
  • Your email address
  • Your birth year
  • Your sleep metrics
  • Your heart rate variability (if available)
  • Information about lifestyle and sleep habits

Our iOS and Android apps are hosted on servers from Hetzner. Hetzner collects technical information such as your IP address and user behavior relevant for error analysis as part of the infrastructure operation.

The analysis of your health data such as sleep habits and heart rate variability is conducted in the Google Cloud in Frankfurt.

The completion of a paid sleep² subscription is processed via the Apple Store for iOS and the Play Store on Android devices. Google or Apple processes data from you that is legally required for payment processing. Furthermore, Apple or Google may collect additional app store or play store relevant data. Further information can be found directly in the Apple App Store Privacy Policy and the Google Play Store Terms of Use and the Google Privacy Policy.

We use the Google Cloud in Frankfurt to provide our website. Google collects technical information such as your IP address and user behavior relevant for error analysis as part of the website operation.

Through our contact form, you can send us messages and questions. We use the data you provide, such as name, email, and optional phone number, as well as information you provide via the free text field, to respond to your inquiries and, if necessary, contact you via available communication channels. You can also sign up for our newsletter via the contact form.

Through our sleep questionnaire on the website, you can provide us with information about your sleep behavior. We use this data to give you a brief analysis of your sleep quality. Furthermore, at the end of the questionnaire, you can leave us your email address so that we can send you further details about your results via email. You also have the option to sign up for the newsletter here.

We use third-party services to send you push notifications that regularly remind you to stay on track with sleep training.

To send you push notifications via the Android app, we use the US service "OneSignal." OneSignal can collect the following data from you as part of the service:

  • How a user used the app (e.g., session duration, timestamps)
  • Purchases made within an app.
  • Information about the end user's transactions and interactions with the app
  • Identifiers of mobile devices or accounts. These mobile IDs can be linked to other information, including data segments.
  • Precise location information, generally the latitude and longitude data of an end user (i.e., GPS-level data) or WiFi information, which we can link to mobile IDs and which can be collected independently of whether an app is used or not. (Location information is only collected if the user has granted the app permission to collect it)
  • IP address and system configuration information
  • Information associated with or related to devices, such as device type (e.g., phone, tablet); operating system type and version (e.g., Android, iOS); network provider; mobile browser (e.g., Safari, Chrome, etc.); language setting; time zone; and network status type (such as WiFi).

Further privacy-relevant information can be found in the OneSignal Privacy Policy.

To send you push notifications via the iOS app, we use the Apple Push Notification Service (APNS). The APNS can collect the following data from you as part of the service:

  • Device Information: The APNS can collect information about the device on which the app is installed, such as device type, operating system version, and device ID.
  • Token: The APNS uses device tokens to send push notifications to the correct device. These tokens can be considered a type of identifier but are not directly linked to personal information.
  • Push Notification Data: The APNS can store information about the sent push notifications, such as the content of the notification, the time of sending, and the recipient.

Data Use for Research Purposes

The University of Salzburg uses data such as your sleep habits (if available), your date of birth, and your gender for purely scientific research purposes. Heart rate variability data is collected exclusively via Polar sensors and read directly into the app. These data are also used for purely scientific research purposes by the university. All data read via Google Fit or Google Health Connect is excluded from this research purpose.

Data Use for Marketing Purposes

If you sign up for the sleep² newsletter, we use your email address to regularly inform you about news regarding sleep². The newsletter is sent via the European marketing cloud provider "Brevo." Brevo also allows us to analyze the behavior of newsletter recipients. For example, it can be determined who opened a newsletter or clicked a link. Further information can be found in the Brevo Privacy Policy.

Data Use to Improve User Experience

We use Google Analytics and Google Tag Manager to analyze your user behavior on our website and improve your user experience. Google Analytics and Google Tag Manager collect data such as:

  • Device Information: Google Analytics and Google Tag Manager collect information about the device the user is using, such as device type, operating system, and browser type.
  • IP Address: The user's IP address is collected by Google Analytics to determine the user's geographic location and provide general information about the user's location. Important: Your IP address is not stored or logged.
  • Usage Data: Google Analytics collects information about the user's interaction with a website, including the pages visited, the time spent on the pages, and the actions the user takes on the website.
  • Cookies: Google Analytics and Google Tag Manager use cookies to store information about the user. These cookies contain a unique identifier used to recognize the user during repeated visits to the website.
  • Event Data: Google Tag Manager can capture events on the website, such as clicks on certain elements, form submissions, or purchase completions.
  • Conversion Data: Google Tag Manager can capture data about conversions, such as completing a purchase, submitting a form, or signing up for a newsletter.

Further information on data protection in connection with Google Analytics can be found on the Google Support website.

Google Tag Manager is a tool that allows us to manage tags on our website. Tags are code snippets used to implement various functions on a website, such as tracking user activities, capturing conversion data, or embedding advertising materials.

Through the Google Privacy Policy, you can learn more about data processing using Google services.

Analogous to capturing user behavior on the website, we use "Firebase Analytics" for capturing user behavior on our iOS and Android app. Firebase Analytics is based on Google Analytics and collects data such as:

  • App Usage Data: Firebase Analytics collects information about app usage, such as the number of installations, the number of active users, screen views, and interactions within the app.
  • Device Information: Information about the device on which the app is used is collected, such as the operating system, device brand, and model.
  • Location Data: Firebase Analytics can capture the user's geographic location to obtain general information about the geographic distribution of app users.
  • Event Data: Events occurring in the app are captured, such as opening a specific feature, completing a purchase, or filling out a form.
  • User Flow: Firebase Analytics can track user flow within the app to understand how users navigate through the various screens and features of the app.

Why are we allowed to use personal data?

By using the website, the app, and our services, you consent to the use of your personal data for the agreed purpose. According to the General Data Protection Regulation (GDPR), Article 6, paragraph 1, point a), this constitutes the legal basis for using your data.

Where no explicit consent is obtained (e.g., use of the website), there is a legitimate interest in processing your data to provide you with the services we offer, according to the General Data Protection Regulation (GDPR), Article 6, paragraph 1, point f).
 

What personal data is collected and used?

For the newsletter, your email address is collected upon registration, and the behavior during interaction with these newsletters is recorded when receiving newsletters.

When using our contact form, we collect your name, email, and optional phone number, as well as information you provide via the free text field.

To analyze user behavior on the website, we collect device information, IP address, location data, event data, conversion data, user flow data, and a unique user identifier.

To analyze user behavior in our apps, we collect app usage data, device information, location data, event data, and user flow.

For processing subscription purchases, billing data and payment data are collected and processed within the legal framework. Since these purchases are processed via the Apple App Store or the Google Play Store, additional data may be collected by the respective providers as part of service delivery.

To provide our sleep analysis & training services via our app, we collect (if available) first name, birth year, email, information about lifestyle and sleep habits, and heart rate variability (HRV). HRV data is converted into sleep metrics (time to fall asleep, wake-up time, sleep stages). In addition to determining sleep metrics via HRV, these metrics are also captured through manual input in the app. The user can also choose to link their Google Fit or Apple Health account with the sleep² app. In this case, the following data is transferred to us from the mentioned services:

  • How long you stayed in bed and at what times you slept (always)
  • Apple Watch, in combination with the Oura Ring, additionally provides sleep stages.

There is no obligation to provide your personal data, although certain services cannot be offered in the event of non-provision. The use and transfer of information that sleep² receives from Google APIs to other applications are subject to the Google API Services User Data Policy, including the requirements for limited use.

How is your personal data collected?

Your personal data is collected either

  • via third-party services such as Google Health Connect, Google Fit, Google Analytics, or heart rate sensors,
  • via your input in the app or the website,
  • or via other communication channels you use to communicate with us

collected.

How do we protect your personal data?

We protect your personal data using appropriate technical and organizational measures that correspond to current industry practices. This includes, in particular, the encryption of your personal data during transmission and storage, as well as, where possible, the pseudonymization of your personal data.

Who has access to personal data and who is responsible for processing?

Responsible under the GDPR for processing your personal data is Nukkuaa GmbH, located at Hauptstraße 18, 5071 Wals-Siezenheim, Austria.

The following are all processors and their involvement in providing our services:

  • The newsletter service is operated by Brevo (Sendinblue GmbH) based at Köpenicker Straße 126, 10179 Berlin, Germany.
  • To track user behavior on the website and the app and host the website, services from Google and their European subsidiary Google Ireland Limited, located at Gordon House, Barrow Street Dublin 4, Ireland, are used.
  • The University of Salzburg, located at Kapitelgasse 4/6, 5020 Salzburg, Austria, uses collected data for research purposes.
  • The sleep² app is hosted in the Google Cloud Region "europe-west3," located in Frankfurt am Main (Germany).
  • For push notifications on Android apps, services from OneSignal, Inc. based at 2850 S Delaware St Suite 201, San Mateo, CA 94403, USA, are used.
  • For push notifications on iOS devices, we use the Apple Push Notification Service from Apple with the EU subsidiary Apple Distribution International Limited at Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.
  • The aaa – all about apps GmbH, Mollardgasse 70C / TOP 5, A-1060 Vienna, Austria, is responsible for operating the sleep² app.
  • The sleep² website is operated by dotsandlines GmbH, Mollardgasse 70c/Top 5, 1060 Vienna, Austria.
  • For processing subscription purchases, we use the App Store services from Google and their European subsidiary Google Ireland Limited, located at Gordon House, Barrow Street, 
    Dublin 4, Ireland, and Apple with the EU subsidiary Apple Distribution International Limited at Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.

How long is personal data stored and used?

Your personal data is stored and used for the duration of service delivery. You also have the option to delete your account and thus your personal data via the sleep² app. Note: Deleting the account does not cancel your subscription (if any). You must do this via the Apple App Store or Google Play Store.

For receiving the newsletter, your personal data is stored and used until you unsubscribe from the newsletter via “Unsubscribe.”

Please note that for certain data (e.g.: invoice data), we have a legal retention obligation and must store this data until the end of this retention obligation.

You can delete your app account by contacting us and requesting the deletion of your account at hello@sleep2.com. You can also delete your app account directly via the app by opening the app, logging in, and deleting your account in the more section under "Delete account." Your app account will be deleted within 30 days of your request. If we find that you have created more than one app account and/or provided us with false, incomplete, or misleading information and/or an app account is used in a fraudulent or unauthorized manner and/or contrary to the present conditions, we reserve the right to terminate the account immediately at our absolute discretion. We will block the account immediately if illegal use is detected. We are not liable to you for any direct or indirect, existing, or future losses associated with the termination or deletion of the app account. In the event of termination and deletion of the account, the member is obliged to immediately cease using any programs and remove the account.
 

 

Regardless of the deletion of your accounts or the termination of service delivery, your date of birth, gender, and sleep data or heart rate variability will be made available to the University of Salzburg for research purposes as long as the data is relevant for research purposes. If you do not agree to this continued use, please send us a deletion request to hello@sleep2.com.

What rights can you exercise concerning personal data?

Right to Access

You have the legal right to request information about your personal data stored with us at any time and to receive a copy of this information. Furthermore, you have the right to request confirmation of whether your personal data is being processed.

Right to Rectification

If your data is incorrect or incomplete, we will correct it upon request.

Right to Data Portability

If we process your personal data automatically with your consent or based on a corresponding agreement, you have the right to request a copy of your data in a structured, commonly used, and machine-readable format to be sent to you or another party. This only applies to the personal data you have provided to us.

Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data under certain circumstances.

Right to Erasure

You have the right to have personal data processed by us deleted, provided this is legally permissible. Exceptions include, in particular, the following cases:

  • You have outstanding payments with us.
  • You have misused our services in the past five years, or there is suspicion of such misuse.
  • If you have made purchases, we retain your personal data related to your transaction according to accounting regulations.

You can also withdraw your consent to the use of your data at any time and object to processing. The processing of your personal data remains lawful until the time of your withdrawal.

We will also notify you immediately of any breaches of the protection of your personal data if the breaches are likely to result in a high risk to your rights and freedoms.

If you believe that we are not processing your personal data correctly, you can contact us. You also have the right to file a complaint with a supervisory authority.

You can exercise your rights with us by notifying the email address hello@sleep2.com.

Who can help you with questions about data use and privacy?

If you have questions about the storage or use of your personal data, simply write your concern to:

Nukkuaa GmbH

Hauptstraße 18
5071 Wals-Siezenheim,
Austria

 

Or by email to hello@sleep2.com

 

If we cannot help you, you can contact the respective data protection authority. For Austria, this is:

Data Protection Authority

Barichgasse 40–42

1030 Vienna

Email: dsb@dsb.gv.at

Phone: (+43) 1 52 152-0