Privacy-First Platform

Security & Privacy

Your sleep data is personal and sensitive. We use industry-standard security practices to protect your information and give you control over your data.

Our Core Commitments

We Never Sell Your Data

Your personal health information is never sold to third parties, advertisers, or data brokers. We make money through subscriptions, not by monetizing your data.

You Control Your Data

You can view, export, or delete your data at any time from your account settings. When you delete your account, we permanently remove your personal information.

Transparent Practices

Our privacy policy is written in plain language. We clearly explain what data we collect, why we collect it, and how we use it—no hidden surprises.

Technical Security Measures

Data Encryption

Encryption in Transit

All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security), the latest industry standard for secure communications.

Encryption at Rest

Your data is encrypted when stored in our database using AES-256 encryption, ensuring protection even in the unlikely event of unauthorized database access.

Authentication & Access Control

Secure Authentication

We use bcrypt password hashing with salting to protect your credentials. Passwords are never stored in plain text.

Session Management

Secure session tokens with automatic expiration prevent unauthorized access. You're automatically logged out after periods of inactivity.

Secure Data Storage

Database Security

We use PostgreSQL with Prisma ORM for secure, parameterized database queries that prevent SQL injection attacks. Database access is restricted to authorized services only.

Regular Backups

Automated daily backups ensure your data can be recovered in case of system failures, while maintaining the same security standards.

Infrastructure Security

Secure Hosting

Our application is hosted on enterprise-grade cloud infrastructure with built-in DDoS protection, firewalls, and intrusion detection systems.

Network Isolation

Database servers are isolated in private networks, accessible only through secure, authenticated connections from our application servers.

Our Data Practices

What Data We Collect

Account Information

  • Email address (for account creation and communication)
  • Name (optional, for personalization)
  • Password (stored only as a bcrypt hash)

Sleep Data

  • Sleep tracking data (bedtime, wake time, sleep quality ratings)
  • Assessment responses (sleep patterns, concerns, goals)
  • Daily journal entries (optional)
  • Wearable device data (only if you choose to connect)

Usage Data

  • App usage patterns (features accessed, session duration)
  • Technical data (device type, browser, IP address for security)

How We Use Your Data

Personalize your CBT-I program: Your sleep data helps us tailor recommendations, adjust your sleep window, and track your progress.

Improve our platform: Aggregated, anonymized usage data helps us understand which features are most helpful and identify areas for improvement.

Communicate with you: We send program updates, progress reports, and important account notifications. You can opt out of non-essential emails.

Provide customer support: Access to your account data helps our support team troubleshoot issues and answer your questions.

What We DON'T Do With Your Data

Sell or rent your data: We never sell your personal information to third parties, data brokers, or advertisers. Period.

Share identifiable data: Your sleep data and personal information are never shared with third parties without your explicit consent (except as required by law).

Use data for unrelated purposes: We only use your data for sleep improvement services and platform operations—never for unrelated marketing or profiling.

Your Rights & Controls

Access & Export

You can view all your data in your account dashboard and export it at any time in a machine-readable format (JSON or CSV).


Deletion & Account Removal

You can delete your account at any time. We permanently remove your personal data within 30 days (some billing records may be retained for legal compliance).


Correction & Updates

Found incorrect information? You can update your profile, sleep data, and preferences directly in your account settings.


Communication Preferences

Control what emails you receive. Unsubscribe from marketing communications while still getting important account updates.


Privacy Compliance

GDPR Compliance

For users in the European Economic Area, we comply with the General Data Protection Regulation (GDPR), including:

  • Right to access and portability
  • Right to correction and deletion
  • Right to withdraw consent
  • Data minimization practices
  • Transparent privacy policies

CCPA Compliance

For California residents, we comply with the California Consumer Privacy Act (CCPA), including:

  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt out of data sales (we don't sell data)
  • Non-discrimination for exercising privacy rights

Third-Party Services We Use

We use carefully selected third-party services to operate our platform. Each is chosen for security and privacy standards.

Payment Processing

Stripe: We use Stripe for secure payment processing. Qumfy never stores your full credit card information. Stripe is PCI-DSS Level 1 certified.

Analytics

Google Analytics & PostHog: We use privacy-focused analytics to understand usage patterns. IP addresses are anonymized, and no personal health data is sent to these services.

Wearable Integration

Oura, Fitbit, Apple Health: If you connect a wearable, we only access sleep data you explicitly authorize. You can disconnect at any time.

Questions About Privacy or Security?

We're committed to transparency. If you have questions about our privacy practices or security measures, we're here to help.

Last updated: November 21, 2025