Privacy policy

General

Nukkuaa GmbH is a limited liability company with its registered office in Wals-Siezenheim, registered in the commercial register of the Salzburg Regional Court under FN 581365.
- Nukkuaa operates a product website at https://www.sleep2.com/ (the "Website").
- Nukkuaa operates the sleep² app (the "App"), a sleep analysis & training application in the "Health & Fitness" category.
This Privacy Policy clarifies the nature, scope and purpose of the collection and use of data of customers (our "Users") by the "Website" and the "App". The protection of your personal data is of particular concern to us. We therefore process your data exclusively on the basis of the statutory provisions. In this privacy policy, we inform you about the most important aspects of data processing in the context of our website and our app.

For what purpose is personal data used?

Data protection and full transparency in handling your data are core concerns for us. Therefore, we would like to inform you in detail below about which of your data we use and for what purposes.
In summary, we use your data to provide you with our service, to contact you for marketing purposes, to inform you about news, and to improve your user experience in the app and on the website. Data collected and analyzed via Polar sensors (heart rate variability) may be used by the University of Salzburg for research purposes only. All data read in via Google Fit or Google Health Connect is excluded from this research purpose. Sleep² neither exchanges data nor builds databases in co-operation with external parties.

We only use your data for the purposes stated in this privacy policy and do not pass your data on to other third parties. This also means that we do not sell or offer your personal data for sale.

You have the option of objecting to certain purposes and the associated collection of your data, for example by not subscribing to the newsletter, rejecting app tracking in the app or cookies on our website.

Provision of our sleep analysis & training services

To provide our sleep analysis & training services, we collect and process:
- Your first name
- Your e-mail address
- Your year of birth
- Your sleep metrics
- Your heart rate variability (if available)
- Information on lifestyle and sleeping habits

Our iOS and Android apps are provided on Hetzner servers. As part of the infrastructure operation, Hetzner collects technical information such as your IP address and user behavior relevant for error analysis.

Your health data such as sleep habits and heart rate variability are analyzed in the Google Cloud in Frankfurt.

The conclusion of a paid sleep² subscription is processed via the Apple Store for iOS and the Play Store on Android devices. Google and Apple process your data here, which is required for payment processing from a legal perspective. Apple and Google may also collect other data relevant to the App Store and Play Store. Further information can be found directly in Apple's App Store Privacy Policy and in the Google Play Store Terms of Use and Google Privacy Policy.

We use the Google Cloud in Frankfurt to make our website available to you. Google collects technical information such as your IP address and user behavior relevant for error analysis as part of website operation.

You can send us messages and questions via our contact form. We use the data you provide, such as your name, email address and optional telephone number, as well as information that you send us via the free text field, to answer your inquiries and, if necessary, to get in touch with you via available communication channels. You can also use the contact form to sign up for our newsletter.

You can use our sleep questionnaire on the website to provide us with information about your sleep behavior. We use this data to give you a brief analysis of your sleep quality. You can also leave us your e-mail address at the end of the questionnaire so that we can send you further details about your results by e-mail. You also have the option to sign up for the newsletter here.

We use third-party services to send you push notifications that regularly remind you to stay on the ball with your sleep training.

To send you push notifications via the Android app, we use the US service "OneSignal". OneSignal can collect the following data from you as part of the service:

- How a user has used the app (e.g. session duration, timestamp)
- Purchases made within an app.
- Information about the end user's transactions and interactions with the app
- Mobile device or account identifiers. These mobile IDs can be linked to other information, including data segments.
- Precise location information, generally an End User's latitude and longitude data (i.e., GPS-level data) or WiFi information, which we may associate with Mobile IDs and which may be collected whether or not an App is used. (Location information is only collected if the user has given the app permission to collect it)
- IP address and system configuration information
- Information associated with or related to devices, such as device type (e.g. cell phone, tablet); operating system type and version (e.g. Android, iOS); network provider; mobile browser (e.g. Safari, Chrome, etc.); language setting; time zone; and network status type (such as WiFi).

You can find further data protection-relevant information in the OneSignal Privacy Policy.

We use the Apple Push Notification Service (APNS) to send you push notifications via the iOS app. APNS can collect the following data from you as part of the service:
- Device information: The APNS can collect information about the device on which the app is installed, such as device type, operating system version and device ID.
- Token: The APNS uses device tokens to send the push notifications to the correct device. These tokens can be seen as a kind of identifier, but are not directly linked to personal information.
- Push notification data: The APNS can store information about the push notifications sent, such as the content of the notification, the time it was sent and the recipient.

Use of data for research purposes

The University of Salzburg uses data such as your sleeping habits (if available), your date of birth and your gender for purely scientific research purposes. Heart rate variability data is collected exclusively via Polar sensors and read directly into the app. This data is also used by the university for purely scientific research purposes. All data that is read in via Google Fit or Google Health Connect is excluded from this research purpose.

Data use for marketing purposes

If you sign up for the sleep² newsletter, we will use your email address to send you regular updates about sleep². The newsletter is sent via the European marketing cloud provider "Brevo". Brevo also allows us to analyze the behavior of newsletter recipients. Among other things, this allows us to determine who has opened a newsletter or clicked on a link. You can find more information in the Brevo privacy policy.

Use of data to improve the user experience

We use Google Analytics and Google Tag Manager to analyze your user behavior on our website and to improve your user experience. Google Analytics and Google Tag Manager collect data such as:

- Device information: Google Analytics and Google Tag Manager collect information about the device the user is using, such as the device type, operating system and browser type.
- IP address: The user's IP address is collected by Google Analytics to determine the user's geographic location and to provide general information about the user's location. Important: Your IP address is not stored or logged.
- Usage data: Google Analytics collects information about the user's interaction with a website, including the pages visited, the time spent on the pages and the actions taken by the user on the website.
- Cookies: Google Analytics and Google Tag Manager use cookies to store information about the user. These cookies contain a unique identifier that is used to recognize the user on repeat visits to the website.
- Event data: Google Tag Manager can record events on the website, such as clicks on certain elements, filling out forms or completing a purchase.
- Conversion data: Google Tag Manager can capture data about conversions, such as completing a purchase, filling out a form or signing up for a newsletter.

Further information on data protection in connection with Google Analytics can be found on the Google support website.

Google Tag Manager is a tool that allows us to manage tags on our website. Tags are code snippets that are used to implement various functions on a website, such as tracking user activity, collecting conversion data or integrating advertising materials.

You can find out more about data processing using Google services in the Google privacy policy.


Similar to the recording of user behavior on the website, we use "Firebase Analytics" to record user behavior on our iOS and Android app. Firebase Analytics is based on Google Analytics and collects data such as:

- App usage data: Firebase Analytics collects information about app usage, such as the number of installs, number of active users, screen views and interactions within the app.
- Device information: Information is collected about the device on which the app is used, such as the operating system, device make and model.
- Location data: Firebase Analytics may collect the user's geographic location to provide general information about the geographic distribution of app users.
- Event data: Events that occur in the app are captured, such as opening a specific feature, completing a purchase or filling out a form.
- User flow: Firebase Analytics can track the user flow within the app to understand how users navigate through the different screens and functions of the app.

Why are we allowed to use personal data?

By using the website, the app and our services, you consent to the use of your personal data for the agreed purpose. According to the General Data Protection Regulation (GDPR), Article 6, paragraph 1, point a), this is the legal basis for the use of your data.

Where no explicit consent is obtained (e.g. use of the website), there is a legitimate interest in processing your data in accordance with Article 6, paragraph 1, point f) of the General Data Protection Regulation (GDPR) in order to provide you with the services we offer.

What personal data is collected and used?

For the newsletter, your e-mail address is recorded when you register and, if you receive newsletters, your behavior during interaction with these newsletters is recorded.

When you use our contact form, we collect your name, email address and optional telephone number as well as information that you send us via the free text field.

To analyze user behavior on the website, we collect device information, IP address, location data, event data, conversion data, user flow data and a unique user ID.

To analyze user behavior in our apps, we collect app usage data, device information, location data, event data and user flow.

To process subscription purchases, billing data and payment data are collected and processed in accordance with the statutory provisions. As these purchases are processed via the Apple App Store or the Google Play Store, further data may be collected by the respective providers as part of the provision of the services.

To provide our sleep analysis & training service via our app, we collect (if available) the first name, year of birth, email, information on lifestyle and sleeping habits as well as heart rate variability (HRV). The HRV data is converted into sleep indicators (time to fall asleep, time to wake up, sleep stages). In addition to determining sleep metrics via HRV, these metrics are also recorded via manual entries in the app. The user can also choose to link their Google Fit or Google Health Connect or Apple Health account with the sleep² app. In this case, the following data is transferred to us from the aforementioned services:

- How long you have been in bed and at what times you have slept (always)
- Apple Watch also provides the sleep stages in combination with the Oura Ring.

There is no obligation to provide your personal data, although certain services cannot be offered if it is not provided. sleep²'s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

How is your personal data collected?

Your personal data is collected either

  • via third-party services such as Google Health Connect, Google Fit, Google Analytics or heart rate sensors,
  • via your entries in the app or the website, or
  • via other communication channels that you use to communicate with us.

How do we protect your personal data?

We protect your personal data using appropriate technical and organizational measures that comply with current industry practices. This includes, in particular, the encryption of your personal data during transmission and storage and, where possible, the pseudonymization of your personal data.


Who has access to personal data and who is responsible for processing it?

Nukkuaa GmbH, based in Hauptstraße 18, 5071 Wals-Siezenheim, Austria, is responsible for the processing of your personal data within the meaning of the GDPR.

All processors and their involvement in the provision of our services are listed below:

- The newsletter service is operated by Brevo (Sendinblue GmbH), Köpenicker Straße 126, 10179 Berlin, Germany.
- To track user behavior on the website and the app and to host the website, services of Google and its European subsidiary Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland, are used.
- The University of Salzburg, located at Kapitelgasse 4/6, 5020 Salzburg, Austria, uses collected data for research purposes.
- The sleep² app is hosted by Hetzner Online GmbH, based in Industriestraße 25, 91710 Gunzenhausen, Germany.
- For push notifications on Android apps, services of OneSignal, Inc. based in 2850 S Delaware St Suite 201, San Mateo, CA 94403, USA are used.
- For push notifications on iOS devices, we use the Apple Push Notification Service from Apple with the EU branch Apple Distribution International Limited in Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.
- aaa - all about apps GmbH, Mollardgasse 70C / TOP 5, A-1060 Vienna, Austria is responsible for the operation of the sleep² app.
- The sleep² website is operated by dotsandlines GmbH, Mollardgasse 70c/Top 5, 1060 Vienna.
- For the payment processing of subscription purchases, we use the App Store services of Google or its European subsidiary Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland or Apple with the EU branch Apple Distribution International Limited in Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.


How long will personal data be stored and used?

Your personal data will be stored and used for the duration of the service provision. You also have the option of deleting your account and thus your personal data via the sleep² app. If there is an active subscription, the data will be deleted after the subscription expires. Please note: Deleting your account does not cancel your subscription (if you have one). You must do this via the Apple App Store or Google Play Store.
Your personal data will be stored and used to receive the newsletter until you unsubscribe from the newsletter via "Unsubscribe".

Please note that we have a legal obligation to retain certain data (e.g. billing data) and must store it until the end of this retention period.

You can delete your app account by contacting us and requesting the deletion of your account at hello@sleep2.com. You can also delete your app account directly via the app by opening the app, logging in and deleting your account in the More section under “Delete account”. Your app account will be deleted within 30 days of your request. If we discover that you have created more than one App Account and/or have provided us with false, incomplete or misleading information and/or an App Account is being used fraudulently or without authorization and/or contrary to these Terms, we reserve the right to terminate the account immediately at our absolute discretion. We will block the account immediately if unlawful use is detected. We will not be liable to you for any direct or indirect, existing or future losses associated with the termination or deletion of the App Account. In the event of termination and deletion of the account, the member is obliged to immediately stop using any programs and remove the account.

Irrespective of the deletion of your accounts or the termination of the provision of services, your date of birth, your gender and your sleep data or heart rate variability will be made available to the University of Salzburg for research purposes as long as the data is relevant for research purposes. If you do not agree to this continued use, please send us a deletion request to hello@sleep2.com.

What rights can you exercise in relation to personal data?

Right to information

You have the legal right to request information about your personal data stored by us at any time and to receive a copy of this information. You also have the right to request confirmation as to whether personal data concerning you is being processed.

Right to rectification

If your data is incorrect or incomplete, we will correct it on request.

Right to portability

If we process your personal data automatically with your consent or on the basis of a corresponding agreement, you have the right to request a copy of your data in a structured, commonly used and machine-readable format, which will be sent to you or another party. This only applies to the personal data that you have provided to us.

Right to restriction of processing

You have the right to request that we restrict the processing of your personal data under certain circumstances.

Right to erasure

You have the right to have personal data processed by us erased, insofar as this is permitted by law. The following cases in particular are excluded:

a. You have outstanding payments with us.
b. You have misused our services in the past five years or there is a suspicion of such misuse.
c. If you have made purchases, we will retain your personal data relating to your transaction in accordance with accounting regulations.

You can also withdraw your consent to the use of your data and object to the processing at any time. The processing of your personal data remains lawful until you withdraw your consent.
We will also notify you without undue delay of any personal data breach where the breach is likely to result in a high risk to your rights and freedoms.
If you believe that we are not processing your personal data correctly, you can contact us. You also have the right to lodge a complaint with a supervisory authority.
You can assert your rights with us by sending an email to hello@sleep2.com.

Who can help you with questions about data use and data protection?

If you have any questions about the storage or use of your personal data, simply write to us with your request:
Nukkuaa GmbH
Hauptstraße 18
5071 Wals-Siezenheim,
Austria
Or by e-mail to hello@sleep2.com

If we are unable to help you, you are welcome to contact the relevant data protection authority. For Austria this is:

Data Protection Authority
Barichgasse 40-42
1030 Vienna
E-mail: dsb@dsb.gv.at
Phone: (+43) 1 52 152-0