Privacy Policy

Effective date: 21 March 2026 · Last updated: 18 April 2026 · Version 2.1

Short version: Your personal sleep and recovery data stays encrypted on your device. We cannot read it, sell it, or lose it in a breach — because personal sleep logs are not readable by us. The only data on our servers is the minimum needed to run your account.

1. Introduction

Dozepeak is a sleep and performance recovery app designed for athletes and high performers. We understand that recovery data is sensitive. That has shaped every architectural decision in how Dozepeak is built.

This Privacy Policy explains what data is collected, where it lives, and your rights under Australian law. Dozepeak is a brand of Sleep Portfolio, Queensland, Australia.

2. Zero-Knowledge Architecture

Your personal sleep and recovery data stays encrypted on your device.

All your personal data lives on your device only. Sleep entries, recovery scores, bedtimes, wake times, training load notes, and wearable data are stored in an encrypted database on your device — we never hold the key.
Our servers are stateless AI endpoints. When you use the AI Recovery Coach, your device sends only anonymous context. No user ID, no name, no sleep history travels to our server. The server processes the request and returns a response. It stores nothing.
We cannot read your data. Even if a court ordered us, even if a hacker breached our servers — we do not hold your recovery data.
Sync is encrypted end-to-end. If you enable optional backup via iCloud or Google Drive, your data is encrypted on your device before it leaves. We hold no encryption keys.

3. Data We Collect and Store

3.1 On-Device Data (Never Transmitted to Our Servers)

Sleep entries: bedtime, wake time, duration, sleep score, recovery score, notes
Streak counts and historical sleep/recovery statistics
Training load annotations (if you use this feature)
Notification preferences and scheduled reminders
App settings and personalisation choices
Wearable-synced sleep and recovery data
Any health data imported from Apple Health or Google Health Connect

This data is never transmitted to Dozepeak servers. We have no access to it.

3.2 Data Transmitted to Our Servers

Data	When	Why	Stored?
Anonymous AI Coach request (no PII — e.g. "athlete, recovery focus, Day 5 streak")	When you use AI Coach	To generate a response	No — discarded after response
Anonymous analytics event (e.g. "sleep_logged")	During app use	To understand feature usage	Yes — no PII attached
Push notification device token	When you enable push notifications	To send reminders	Yes — token only
Account email address	At account creation (optional)	For account recovery	Yes — encrypted at rest
Website waitlist: email, first name, last name, country, and city or region	When you submit the join-waitlist form on dozepeak.com	To send launch and beta updates and for light-touch regional planning	Yes — in our secure database (encrypted at rest). Not used for AI Coach prompts and not sold to third parties
Subscription status	Via RevenueCat/Apple/Google	To unlock premium features	No — RevenueCat is source of truth

3.3 Analytics

Analytics events contain: a random session identifier (not linked to your identity), event type, timestamp, device type and app version. They do not contain your name, email, sleep data, or any personally identifiable information.

4. On-Device Storage and Encryption

Your data is stored in an encrypted SQLite database using AES-256 encryption. The encryption key is held in your device's secure enclave (iOS) or Android Keystore (Android) and is never transmitted anywhere. Deleting the app permanently deletes all on-device data. We hold no copy.

5. Optional Encrypted Backup

Backup is opt-in only — disabled by default
Your data is encrypted on your device before upload
We do not hold, access, or manage the encryption keys
Your backup is in your cloud account — Apple/Google privacy policies govern that storage
You can disable backup and delete your cloud backup at any time

6. AI Recovery Coach

The AI Recovery Coach is powered by the Anthropic API (Claude). When you interact with the Coach:

Your device sends only anonymous context: your athlete role, a general phase indicator, and the anonymised text of your question
No personal identifiers are included: no name, email, user ID, sleep history, or health data
Dozepeak does not store the content of your conversations
Dozepeak stores only a SHA-256 hash of each message for abuse detection — this cannot be reversed

Anthropic's privacy policy: anthropic.com/privacy

7. Push Notifications

If you enable push notifications, we store your device push token to send reminders. Push tokens are not linked to your personal identity. You can disable them at any time — disabling notifications triggers deletion of your push token from our servers.

8. Payments

Consumer subscriptions are processed entirely through Apple App Store or Google Play, managed by RevenueCat. Dozepeak never sees or stores your payment card details.

Apple Privacy Policy: apple.com/legal/privacy
Google Privacy Policy: policies.google.com/privacy
RevenueCat Privacy Policy: revenuecat.com/privacy

9. Third-Party Services

Service	Purpose	Data Shared
Anthropic (Claude API)	AI Coach responses	Anonymised, non-identifying request text
Apple APNs	Push notifications (iOS)	Device push token
Google FCM	Push notifications (Android)	Device push token
RevenueCat	Subscription management	Anonymous user ID, subscription events
Apple App Store / Google Play	In-app purchases	Governed by Apple/Google policies
Resend	Transactional email (e.g. waitlist confirmation)	Your email address; standard template content only
Sentry	Error reporting	Anonymous error logs, stack traces (no PII)

10. Your Rights

Because your personal data is stored exclusively on your device, you already have complete control. You can view, export, and delete all your data directly within the app.

Australian Privacy Act 2024

Access: Request a copy of personal information we hold
Correction: Request correction of inaccurate personal information
Deletion: Request deletion of your account and server-side data
Complaint: Lodge a complaint with the OAIC at oaic.gov.au

Dozepeak acknowledges the Privacy Act 2024 statutory tort for serious invasions of privacy and is committed to compliance with the Australian Privacy Principles (APPs).

GDPR (EU and UK users)

You have rights under GDPR/UK GDPR including access, rectification, erasure, data portability, restriction, and objection. Contact sleepportfolio@gmail.com — we respond within 30 days.

11. Right to Erasure — Account Deletion

To request deletion of your account and all server-side data:

Use the Delete Account option within the app (Settings → Account → Delete Account), or
Email sleepportfolio@gmail.com with the subject line "Deletion Request"
For website waitlist data only, email sleepportfolio@gmail.com from the address you used on the form and ask to be removed from the waitlist.

We will process deletion requests within 30 days.

12. Data Retention

Data Type	Retention Period
On-device sleep and recovery data	Indefinite — you control this; deleted when you delete the app
Account email	Until account deletion request
Website waitlist (email, name, country, city)	Until you request removal or unsubscribe from waitlist email; contact sleepportfolio@gmail.com
Push notification token	Until you disable notifications or delete your account
Anonymous analytics events	24 months (rolling), then automatically deleted
AI Coach message hashes	12 months, then automatically deleted

13. Children

Dozepeak is designed for users aged 18 and over. We do not knowingly collect personal information from individuals under 18. If you believe a person under 18 has created an account, please contact sleepportfolio@gmail.com

14. Security

On-device: AES-256 encrypted SQLite; device secure enclave / Android Keystore
In transit: TLS 1.3 for all server communications
Server-side: Minimal data holdings; Row Level Security on all database tables
Annual third-party security review
Breach notification: Within 72 hours under the Privacy Act 2024 notifiable data breach scheme

15. Changes to This Policy

We will notify you of material changes via in-app notification at least 30 days before the change takes effect.

16. Contact

Privacy enquiries and rights requests:
sleepportfolio@gmail.com

Postal address:
Dozepeak Privacy Officer (Sleep Portfolio)
Queensland, Australia

OAIC: oaic.gov.au · 1300 363 992