SleepyCat

SleepyCat Privacy Policy

1. Scope & Purpose

This Privacy Policy explains how we collect, use, share, and protect your personal information when you interact with SleepyCat. It applies to our website, iOS app, and Android app.

2. What Data We Collect

Category	Examples	Source
Account Data	Name, email address, profile photo, Firebase UID, OAuth provider tokens	You / Firebase Auth
Usage & Device Data	IP address, device model, OS version, app version, language, interaction events	Google Analytics for Firebase, Facebook Pixel
Purchase Data	Transaction ID, product ID, currency, price, status	Paddle (web), RevenueCat (in‑app)
Support Data	Messages, attachments, bug reports	Interactions with support channels

We do not intentionally collect any health data classified as “special‑category” under GDPR.

3. How We Use Your Data

Provide & Maintain the Service – authenticate users, sync data across devices.
Improve & Personalise – analyse aggregated usage to enhance features and recommendations.
Process Transactions – verify purchases, manage subscriptions, and detect fraud.
Communicate – send transactional emails, push notifications, and respond to inquiries.
Marketing (Optional) – with your opt‑in consent, show offers or tips; you may opt‑out at any time.

4. Legal Bases (GDPR)

Purpose	Legal Basis
Account creation & authentication	Performance of a contract (Art. 6 (1)(b))
Analytics & improvement	Legitimate interests (Art. 6 (1)(f))
Marketing communications	Consent (Art. 6 (1)(a))
Compliance & fraud prevention	Legal obligation (Art. 6 (1)(c))

5. Sharing & Disclosure

We share data only with the categories of recipients below and only for the purposes described:

Recipient	Purpose	Safeguards
Google Firebase	Authentication, real‑time database, crash reporting, analytics	EU data centers; SCCs + encryption in transit & at rest
Apple / Google Play (via RevenueCat)	In‑app billing & subscription status	Platform security controls; no payment card details stored by us
Paddle	Web checkout & fulfilment	PCI‑DSS compliant; tokenized payment data
Facebook (Meta)	Advertising attribution via Pixel	IP anonymisation; aggregated reporting
Service Providers (email, customer support)	Operational support	Confidentiality agreements
Legal Authorities	Respond to lawful requests	Verified legal basis required

We do not sell or lease your personal information to third parties. We do not use or transfer Google user data for purposes other than providing or improving user‑facing features. (support.google.com)

6. International Transfers

Data may be transferred outside the EEA/UK. Where we do so, we rely on Standard Contractual Clauses or an adequacy decision (GDPR Art. 45 & 46).

7. Data Retention

We retain your personal data only as long as necessary to fulfil the purposes outlined in this Policy or as required by law. Purchase records are retained for 10 years under Polish accounting regulations. Inactive accounts are deleted after 24 months of inactivity, following a 30‑day notice email. (support.google.com)

8. Your Rights

Under GDPR (and, where applicable, CCPA or other laws) you have the right to:

Access, correct, or delete your data.
Withdraw consent at any time (without affecting prior processing).
Object to or restrict processing.
Data portability (export in JSON/CSV).
Lodge a complaint with a supervisory authority.

To exercise these rights, email suppport@sleepycat.app or use the in‑app “Delete Account” feature.

9. Data Security & Protection of Sensitive Data

We implement industry‑standard technical and organisational measures to protect personal and sensitive data, including:

Encryption in Transit & at Rest – All traffic uses TLS 1.2+; Firebase and Paddle encrypt storage using AES‑256. Access tokens are hashed with bcrypt. (support.google.com)
Access Controls – Role‑based access, principle of least privilege, mandatory 2‑factor authentication for all internal accounts.
Tokenisation & Pseudonymisation – Payment card details handled only by PCI‑DSS‑compliant processors; analytics events are stored with pseudonymous IDs.
Secure Development Lifecycle – Code reviews, dependency scanning (Snyk), CI security tests.
Audit Logging & Monitoring – All admin actions and data‑access events are logged to immutable storage and reviewed.
Regular Penetration Tests & Bug‑Bounty Program – Annual external audits and a public vulnerability disclosure policy.
Data Minimisation & Retention Limits – Collect only data strictly necessary for stated purposes; automated purging routines.
Incident Response Plan – 24‑hour breach notification commitment; documented procedures.

These controls satisfy Google’s requirement that privacy policies disclose concrete data‑protection mechanisms for sensitive data. (support.google.com)

10. Cookies & Tracking

SleepyCat uses cookies or similar technologies solely for:

Essential Functions (authentication, session management).
Analytics (aggregated usage statistics).
Marketing Attribution (Facebook Pixel).

Your first visit displays a consent banner under the EU ePrivacy Directive. You can manage preferences at any time in Settings ➜ Privacy.

11. Third‑Party Links

Our Service may contain links to third‑party sites. We are not responsible for their privacy or security practices. We encourage you to read their policies.

12. Changes to this Policy

We will post any changes on this page and, if changes are material, notify you via email or in‑app message at least 14 days before they take effect.

13. Third‑Party Privacy Policies

14. Contact Us

Email: suppport@sleepycat.app

Effective Date: 19 May 2025
Last Updated: 19 May 2025