Sleep Reset Privacy Policy

Effective Date: Jan 31, 2025


At Sleep Reset, we value your privacy and are committed to protecting your personal information. This Privacy Policy explains what information we collect, how we use it, and the steps we take to safeguard your data. By using our website, mobile application, and services (collectively, the "Services"), you agree to the practices outlined in this policy.

1. Information We Collect

We collect various types of information to provide and improve our Services, including:

1.1 Personal Information

  • Account Information: Name, email address, and account credentials.
  • Contact Information: Any communication you send us via email, messages, or other forms of contact.

1.2 Sleep & Health Data

  • Sleep Data: Information about your sleep patterns, duration, quality, and symptoms.
  • Health Information: Data on medication usage, therapy progress, and other health-related details, which may include sensitive data (e.g., mental health information), if voluntarily provided.

1.3 Technical Information

  • Device & Usage Data: IP addresses, device identifiers, browser type, geolocation, log data, and cookies.

1.4 Third-Party Data

  • Connected Devices: Data from connected devices (e.g., wearables).
  • Third-Party Services: Information from social media logins (e.g., Google, Facebook) or other third-party services you link to your account.

1.5 User-Generated Content

  • Community Data: Posts in forums, survey responses, and other content you generate through our platform.

1.6 Derived Information

We may create derived or inferred data from analyzing your use of our Services, including:

  • Predictive health patterns and wellness indicators
  • Behavioral patterns and preferences
  • Service usage patterns and optimization metrics
  • Risk assessments and success indicators
  • Aggregated trend analysis and statistical information

1.7 Business Analytics Data

We collect and generate business analytics data, including but not limited to service performance metrics, feature usage statistics, and operational indicators that help us improve our Services.

1.8 HIPAA Compliance and Protected Health Information (PHI)

When Sleep Reset provides telehealth services through licensed healthcare providers, we comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules.

1.8.1 PHI Collection and Use

Protected Health Information (PHI) collected through our telehealth services includes:
- Medical consultations and clinical notes
- Treatment plans and medication information
- Sleep study results and health assessments
- Communications between patients and providers

1.8.2 HIPAA Rights

For telehealth services involving PHI, you have specific rights under HIPAA including:
- Right to access your medical records
- Right to request corrections to your PHI
- Right to request restrictions on PHI use and disclosure
- Right to receive an accounting of PHI disclosures
- Right to file complaints with HHS Office for Civil Rights

1.8.3 Business Associate Agreements

All third-party vendors who may access PHI through our telehealth platform must execute Business Associate Agreements (BAAs) ensuring HIPAA compliance.

2. How We Use Your Data

We use your information for several purposes, including:

  • Providing Services: To operate and improve our services, including account management and customer support.
  • Research & Development: To conduct research, enhance features, and develop new services.
  • Security: To ensure the security of your account and prevent fraud.
  • Marketing & Communications: To send relevant communications, such as newsletters or product recommendations. You can opt out of marketing communications at any time.
  • Legal Compliance: To comply with legal requirements and enforce our policies.

2.1 Extended Processing Rights

We may process your information using various technological means, including:

  • Machine learning and artificial intelligence systems
  • Automated decision-making processes
  • Pattern recognition and predictive analytics
  • Data aggregation and anonymization techniques
  • Statistical and mathematical analyses

2.2 Business Purposes

In addition to the previously stated purposes, we may use your information for:

  • Development of new products, services, and features
  • Internal business analytics and operational improvements
  • Creation of aggregated or anonymized data sets
  • Market research and business intelligence
  • Service optimization and personalization
  • Training and improving our artificial intelligence and machine learning systems

2.3 Telehealth-Specific Data Processing

For telehealth services, we process your information under additional legal bases:
- HIPAA-permitted treatment, payment, and healthcare operations
- Legitimate healthcare interests for quality improvement
- Legal obligations for medical record retention
- Patient safety and emergency response requirements

2.3.1 Clinical Decision Support

We may use AI and machine learning for clinical decision support, but acknowledge:
- All clinical decisions remain with licensed healthcare providers
- AI-generated insights are supplemental to provider judgment
- You have the right to opt out of AI-assisted analysis
- Human oversight is maintained for all automated processing

3. Data Sharing

We do not sell your personal information. However, we may share your data with trusted third parties under certain circumstances:

  • Service Providers: With vendors or partners who assist in providing the Services (e.g., cloud storage providers, customer support tools).
  • Legal Requirements: We may disclose your data if required by law or to protect our legal rights or the rights of others.
  • Business Transfers: If Sleep Reset is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.

3.1 Healthcare-Related Sharing

For telehealth services, we may share your PHI only as permitted by HIPAA:

(a) Treatment: With other healthcare providers involved in your care
(b) Payment: With health plans and billing entities for reimbursement
(c) Healthcare Operations: For quality assurance, training, and compliance
(d) Legal Requirements: When required by law or court order
(e) Public Health: For disease prevention and health oversight activities

3.1.1 Minimum Necessary Standard

We limit PHI sharing to the minimum necessary to accomplish the intended purpose, except when:
- Sharing with other healthcare providers for treatment
- Sharing with you about your own healthcare
- Required by law or regulation

3.1.2 Telehealth Platform Sharing

Telehealth sessions may involve approved third-party platforms. We ensure:
- All platforms execute Business Associate Agreements
- End-to-end encryption for all communications
- Audit logs for all PHI access and sharing
- Incident response procedures for security breaches

3.2 Aggregated Data

We may freely use, share, and monetize aggregated or anonymized data that does not identify you personally, without restriction or compensation.

3.3 Prohibited Telehealth Disclosures

We will never share your telehealth information for:
- Marketing or advertising purposes without explicit consent
- Sale to data brokers or analytics companies
- Non-healthcare artificial intelligence training
- Social media integration or public posting
- Employment, insurance, or credit decisions (except as legally required)

3.3.1 Emergency Exceptions

We may disclose PHI without authorization only for:
- Immediate threats to health or safety
- Suspected abuse or neglect reporting
- Public health emergencies
- Law enforcement requests with proper legal authority

4. International Data Transfers

Your personal information may be transferred to, and processed in, countries other than the one in which you reside. By using our Services, you consent to these international transfers, including but not limited to the United States and the European Union.

5. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, resolve disputes, comply with legal obligations, and enforce agreements. Once the information is no longer required, we will securely delete or anonymize it.

6. Security of Your Data

We take reasonable steps to protect your personal data, including using encryption, firewalls, and secure access protocols. However, no data transmission over the internet or storage system is completely secure, and we cannot guarantee the absolute security of your information.

6.1 HIPAA Security Rule Compliance

For telehealth services, we implement HIPAA-required safeguards:

Administrative Safeguards:
- Designated HIPAA Security Officer
- Workforce security training and access management
- Information governance and audit procedures
- Contingency planning and emergency response

Physical Safeguards:
- Secured facilities and workstation security
- Device and media access controls
- Equipment disposal and data destruction procedures

Technical Safeguards:
- Access controls and user authentication
- Audit logs and integrity monitoring
- Transmission security and encryption
- Automatic logoff and session timeouts

6.1.1 Risk Analysis Requirements

We conduct annual HIPAA Security Rule risk analyses to:
- Identify potential vulnerabilities to ePHI
- Assess current security measures
- Document remediation plans for identified risks
- Maintain continuous compliance monitoring

6.2 Telehealth Privacy Protections

For remote healthcare delivery, we implement additional safeguards:

Session Security:
- End-to-end encryption for all video/audio communications
- Waiting room controls and session authentication
- Automatic session termination after inactivity
- Prohibition on session recording without explicit consent

Environment Protections:
- Patient responsibility for private, secure location during sessions
- Provider responsibility for HIPAA-compliant workspace
- Technology failure protocols that protect PHI
- Emergency escalation procedures for privacy breaches

Data Transmission:
- Secure, HIPAA-compliant communication platforms only
- VPN requirements for provider access
- Audit trails for all PHI transmission
- Real-time monitoring for unauthorized access attempts

6.3 Telehealth Technology Vendor Privacy Management

Third-Party Healthcare Technology Oversight:
- All telehealth technology vendors undergo rigorous privacy assessments
- Regular audits of vendor HIPAA compliance and security practices
- Incident response coordination with healthcare technology partners
- Termination procedures for non-compliant healthcare vendors

Vendor Privacy Requirements:
- Execution of HIPAA-compliant Business Associate Agreements
- Annual security and privacy compliance certifications
- Regular penetration testing and vulnerability assessments
- Staff training on healthcare privacy and security requirements

Technology Integration Privacy Controls:
- API security standards for healthcare system integrations
- Data minimization requirements for third-party healthcare apps
- Encryption standards for all healthcare technology communications
- Audit logging for all third-party access to PHI

7. Your Privacy Rights

You have several rights regarding your personal data, including:

  • Access: You can request a copy of your personal data.
  • Correction: You can request to correct or update your information.
  • Deletion: You can request to delete your personal data, subject to certain legal exceptions.
  • Objection: You may object to the processing of your personal data in certain situations.

To exercise any of these rights, please contact us at help@thesleepreset.com.

7.1 Healthcare-Specific Privacy Rights Limitations

For PHI collected through telehealth services, certain limitations apply:

Medical Record Retention:
- Some PHI cannot be deleted due to medical record retention laws
- Healthcare data may need to be maintained for continuity of care
- Legal and regulatory requirements may prevent some data deletion
- De-identification may be used instead of deletion when legally required

Access and Correction Rights:
- PHI access requests are processed within 15 days (HIPAA requirement)
- Medical record corrections follow healthcare industry standards
- Provider clinical judgment may limit certain correction requests
- Audit trails of PHI access and corrections are maintained

User Rights Request Limitations:
- Requests to exercise healthcare privacy rights are limited to two (2) per year
- Complex PHI requests may require additional processing time
- Technical limitations may affect some healthcare data portability requests
- Emergency medical situations may temporarily suspend some privacy controls

7.2 State Health Privacy Law Compliance

We comply with state-specific health data privacy laws, including:

Washington My Health My Data Act:
- Enhanced consent requirements for consumer health data
- Geofencing protections around healthcare facilities
- Restrictions on health data sharing for non-medical purposes

Nevada Consumer Health Data Privacy:
- Specific protections for health-related consumer information
- Enhanced security requirements for health data processing
- Consumer rights to health data correction and deletion

Connecticut Consumer Health Data Protection:
- Special safeguards for healthcare-related personal information
- Breach notification requirements specific to health data
- Limitations on health data use for advertising purposes

California Health Data Protections:
- CCPA/CPRA enhanced protections for health-related information
- Sensitive personal information categories include health data
- Right to limit use and disclosure of sensitive health information

Multi-State Compliance Framework:
- We apply the most protective privacy standard when laws conflict
- State-specific health privacy rights are honored based on patient location
- Regular monitoring of evolving state health privacy legislation
- Clear documentation of applicable privacy law requirements

8. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to enhance your user experience. You can control cookie settings through your browser, and you may opt out of interest-based advertising by adjusting your device settings or using industry opt-out tools (e.g., NAI or DAA). For more information, see our Cookie Policy.

9. Data Breaches

While we implement security measures to protect your personal information, no system is completely immune from risks. If we experience a data breach that affects your personal data, we will notify affected users as required by applicable laws.

HIPAA Breach Notification and Response

9.1 Breach Definition and Assessment

A breach is an impermissible use or disclosure of PHI that compromises its security or privacy. We conduct immediate risk assessments for all potential breaches to determine notification requirements.

9.2 Breach Notification Timeline

For confirmed breaches involving PHI:
- Individual notification: Within 60 days of breach discovery
- HHS OCR notification: Within 60 days of breach discovery
- Media notification: Within 60 days if breach affects 500+ individuals
- Business associate notification: Without unreasonable delay

9.3 Breach Response Procedures

Our breach response includes:
- Immediate containment and mitigation measures
- Forensic investigation to determine scope and cause
- Risk assessment for potential harm to individuals
- Remediation to prevent future similar incidents
- Documentation of all response activities

9.4 Patient Support Services

For individuals affected by PHI breaches, we provide:
- Clear explanation of what information was involved
- Steps taken to mitigate harm and prevent recurrence
- Resources for identity monitoring when appropriate
- Direct contact information for questions and concerns

10. Children's Privacy

Our Services are not intended for children under the age of 14. If we learn that we have collected personal information from a child under 14, we will take steps to delete that information. Parents or guardians who believe we may have collected such data may contact us at help@thesleepreset.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through our platform or by email. Your continued use of our Services after changes are made constitutes your acceptance of those changes.

12. Limitation of Liability and Indemnification

12.1 Limitation of Liability

To the maximum extent permitted by law, Sleep Reset shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses resulting from: (a) your use or inability to use our Services; (b) any unauthorized access to or use of our servers and/or any personal information stored therein; (c) any interruption or cessation of transmission to or from our Services; (d) any bugs, viruses, trojan horses, or the like that may be transmitted to or through our Services.

12.2 Indemnification

You agree to defend, indemnify, and hold harmless Sleep Reset and its officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses, including without limitation reasonable attorney fees and costs, arising out of or in any way connected with your access to or use of the Services.

13. Dispute Resolution

13.1 Arbitration Agreement

By using our Services, you agree that any dispute, claim, or controversy arising out of or relating to these terms or the breach, termination, enforcement, interpretation, or validity thereof or the use of the Services shall be resolved by binding arbitration between you and Sleep Reset, rather than in courts.

13.2 Class Action Waiver

You agree that any proceedings to resolve or litigate any dispute in any forum will be conducted solely on an individual basis. Neither you nor Sleep Reset will seek to have any dispute heard as a class action or in any other proceeding in which either party acts or proposes to act in a representative capacity.

13.3 Choice of Law

This Privacy Policy and any disputes relating to your data shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of law provisions.

13.4 Venue

Any legal action or proceeding relating to this Privacy Policy shall be instituted exclusively in the federal or state courts located in San Francisco County, California. You and Sleep Reset agree to submit to the jurisdiction of, and agree that venue is proper in, these courts in any such legal action or proceeding.

14. Contact Information

If you have any questions or concerns about this Privacy Policy, or if you wish to exercise your privacy rights, please contact us at:

  • Email: help@thesleepreset.com
  • Mail: Sleep Reset, Inc., Attention: Privacy, 2261 Market Street #4408, San Francisco, CA 94114
  • You may also file complaints directly with the U.S. Department of Health and Human Services.

By using our Services, you acknowledge that you have read, understood, and agree to this Privacy Policy.

Last Updated: Jan 31, 2025
