Privacy Policy

UNNAP

Last updated: November 13, 2025

Data Controller

Legal Bases

  • Contract performance (Art. 6(1)(b)): account management, alarms, subscriptions.
  • Legitimate interests (Art. 6(1)(f)): improvement, security, fraud prevention.
  • Consent (Art. 6(1)(a) / 9(2)(a)): sleep analytics, optional analytics/marketing. Withdraw anytime in Privacy Settings.

Personal Data We Collect

  • Account: email, username, name, optional profile image, subscription status.
  • Health & wake: wake times, alarm response times, consistency scores.
  • Usage & device: alarm events, app interactions, crash reports, device/NFC info.
  • Social: friends list, streak sharing, group participation preferences.

How We Use Your Data

  • Provide alarms, streaks, analytics, and social features you enable.
  • Improve performance, fix bugs, develop new features.
  • Provide support, maintain security, prevent fraud, meet legal obligations.

We do not sell your personal data.

Data Sharing

  • Supabase: database & authentication
  • RevenueCat: subscriptions & receipt validation
  • TelemetryDeck (optional): anonymous analytics

Processors operate under data processing agreements. Friends only see streak stats you choose to share.

Data Retention

  • Account data: until deletion + 30 days
  • Alarm/usage data: 2 years
  • Health data: until consent withdrawn + 30 days
  • Support data: 3 years
  • Purchase records: 7 years

You can export or delete data via Privacy & Data settings.

Your Rights (UK/EU GDPR)

  • Access & portability – export JSON data in-app.
  • Rectification – update data or contact privacy@unnap.com.
  • Erasure – delete account in-app or via email.
  • Restriction & objection – pause processing/analytics in Privacy Settings.
  • Withdraw consent at any time.
  • Lodge a complaint with the UK ICO (ico.org.uk) or your local authority.

CCPA / CPRA

  • Right to know, delete, correct.
  • No data sales; opt-out not required.
  • No discrimination for exercising rights.
  • Authorised agents may submit requests.

International Transfers & Security

Data may be processed in the UK, US (Supabase/RevenueCat), and EU (TelemetryDeck). Transfers rely on the EU–US Data Privacy Framework where applicable and Standard Contractual Clauses. We use encryption, row-level security, access controls, and regular audits. While we take strong measures, no system is 100% secure.

Children’s Privacy

UNNAP isn’t intended for children under 13. If we learn we’ve collected data from someone under 13, we delete it. Parents may contact us to review or remove their child’s data.

Changes & Contact

We’ll notify you of major policy changes via in-app notice or email. Questions? Email privacy@unnap.com or the DPO at dpo@unnap.com.