Effective Date: Jan 31, 2025
At Sleep Reset, we value your privacy and are committed to protecting your personal information. This Privacy Policy explains what information we collect, how we use it, and the steps we take to safeguard your data. By using our website, mobile application, and services (collectively, the "Services"), you agree to the practices outlined in this policy.
We collect various types of information to provide and improve our Services, including:
We may create derived or inferred data from analyzing your use of our Services, including:
We collect and generate business analytics data, including but not limited to service performance metrics, feature usage statistics, and operational indicators that help us improve our Services.
When Sleep Reset provides telehealth services through licensed healthcare providers, we comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules.
We use your information for several purposes, including:
We may process your information using various technological means, including:
In addition to the previously stated purposes, we may use your information for:
For telehealth services, we process your information under additional legal bases:
- HIPAA-permitted treatment, payment, and healthcare operations
- Legitimate healthcare interests for quality improvement
- Legal obligations for medical record retention
- Patient safety and emergency response requirements
We may use AI and machine learning for clinical decision support, but acknowledge:
- All clinical decisions remain with licensed healthcare providers
- AI-generated insights are supplemental to provider judgment
- You have the right to opt-out of AI-assisted analysis
- Human oversight is maintained for all automated processing
We do not sell your personal information. However, we may share your data with trusted third parties under certain circumstances:
For telehealth services, we may share your PHI only as permitted by HIPAA:
(a) Treatment: With other healthcare providers involved in your care
(b) Payment: With health plans and billing entities for reimbursement
(c) Healthcare Operations: For quality assurance, training, and compliance
(d) Legal Requirements: When required by law or court order
(e) Public Health: For disease prevention and health oversight activities
3.1.1 Minimum Necessary Standard
We limit PHI sharing to the minimum necessary to accomplish the intended purpose, except when:
- Sharing with other healthcare providers for treatment
- Sharing information with you about your own care
- Required by law or regulation
3.1.2 Telehealth Platform Sharing
Telehealth sessions may involve approved third-party platforms. We ensure:
- All platforms execute Business Associate Agreements
- End-to-end encryption for all communications
- Audit logs for all PHI access and sharing
- Incident response procedures for security breaches
We may freely use, share, and monetize aggregated or anonymized data that does not identify you personally, without restriction or compensation.
We will never share your telehealth information for:
- Marketing or advertising purposes without explicit consent
- Sale to data brokers or analytics companies
- Non-healthcare artificial intelligence training
- Social media integration or public posting
- Employment, insurance, or credit decisions (except as legally required)
3.3.1 Emergency Exceptions
We may disclose PHI without authorization only for:
- Immediate threats to health or safety
- Suspected abuse or neglect reporting
- Public health emergencies
- Law enforcement requests with proper legal authority
Your personal information may be transferred to, and processed in, countries other than the one in which you reside. By using our Services, you consent to these international transfers, including but not limited to the United States and the European Union.
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, resolve disputes, comply with legal obligations, and enforce agreements. Once the information is no longer required, we will securely delete or anonymize it.
We take reasonable steps to protect your personal data, including using encryption, firewalls, and secure access protocols. However, no data transmission over the internet or storage system is completely secure, and we cannot guarantee the absolute security of your information.
For telehealth services, we implement HIPAA-required safeguards:
Administrative Safeguards:
- Designated HIPAA Security Officer
- Workforce security training and access management
- Information governance and audit procedures
- Contingency planning and emergency response
Physical Safeguards:
- Secured facilities and workstation security
- Device and media access controls
- Equipment disposal and data destruction procedures
Technical Safeguards:
- Access controls and user authentication
- Audit logs and integrity monitoring
- Transmission security and encryption
- Automatic logoff and session timeouts
6.1.1 Risk Analysis Requirements
We conduct annual HIPAA Security Rule risk analyses to:
- Identify potential vulnerabilities to ePHI
- Assess current security measures
- Document remediation plans for identified risks
- Maintain continuous compliance monitoring
For remote healthcare delivery, we implement additional safeguards:
Session Security:
- End-to-end encryption for all video/audio communications
- Waiting room controls and session authentication
- Automatic session termination after inactivity
- Prohibition on session recording without explicit consent
Environment Protections:
- Patient responsibility for private, secure location during sessions
- Provider responsibility for HIPAA-compliant workspace
- Technology failure protocols that protect PHI
- Emergency escalation procedures for privacy breaches
Data Transmission:
- Secure, HIPAA-compliant communication platforms only
- VPN requirements for provider access
- Audit trails for all PHI transmission
- Real-time monitoring for unauthorized access attempts
6.3 Telehealth Technology Vendor Privacy Management
Third-Party Healthcare Technology Oversight:
- All telehealth technology vendors undergo rigorous privacy assessments
- Regular audits of vendor HIPAA compliance and security practices
- Incident response coordination with healthcare technology partners
- Termination procedures for non-compliant healthcare vendors
Vendor Privacy Requirements:
- Execution of HIPAA-compliant Business Associate Agreements
- Annual security and privacy compliance certifications
- Regular penetration testing and vulnerability assessments
- Staff training on healthcare privacy and security requirements
Technology Integration Privacy Controls:
- API security standards for healthcare system integrations
- Data minimization requirements for third-party healthcare apps
- Encryption standards for all healthcare technology communications
- Audit logging for all third-party access to PHI
You have several rights regarding your personal data, including:
To exercise any of these rights, please contact us at help@thesleepreset.com.
7.1 Healthcare-Specific Privacy Rights Limitations
For PHI collected through telehealth services, certain limitations apply:
Medical Record Retention:
- Some PHI cannot be deleted due to medical record retention laws
- Healthcare data may need to be maintained for continuity of care
- Legal and regulatory requirements may prevent some data deletion
- De-identification may be used instead of deletion when retention is legally required
Access and Correction Rights:
- PHI access requests are processed within 15 days, ahead of the 30-day limit HIPAA sets for responding to access requests
- Medical record corrections follow healthcare industry standards
- Provider clinical judgment may limit certain correction requests
- Audit trails of PHI access and corrections are maintained
User Rights Request Limitations:
- Requests to exercise healthcare privacy rights are limited to two (2) per year
- Complex PHI requests may require additional processing time
- Technical limitations may affect some healthcare data portability requests
- Emergency medical situations may temporarily suspend some privacy controls
We comply with state-specific health data privacy laws, including:
Washington My Health My Data Act:
- Enhanced consent requirements for consumer health data
- Geofencing protections around healthcare facilities
- Restrictions on health data sharing for non-medical purposes
Nevada Consumer Health Data Privacy:
- Specific protections for health-related consumer information
- Enhanced security requirements for health data processing
- Consumer rights to health data correction and deletion
Connecticut Consumer Health Data Protection:
- Special safeguards for healthcare-related personal information
- Breach notification requirements specific to health data
- Limitations on health data use for advertising purposes
California Health Data Protections:
- CCPA/CPRA enhanced protections for health-related information
- Sensitive personal information categories include health data
- Right to limit use and disclosure of sensitive health information
Multi-State Compliance Framework:
- We apply the most protective privacy standard when laws conflict
- State-specific health privacy rights are honored based on patient location
- Regular monitoring of evolving state health privacy legislation
- Clear documentation of applicable privacy law requirements
We use cookies and similar tracking technologies to enhance your user experience. You can control cookie settings through your browser, and you may opt-out of interest-based advertising by adjusting your device settings or using industry opt-out tools (e.g., NAI or DAA). For more information, see our Cookie Policy.
While we implement security measures to protect your personal information, no system is completely immune from risks. If we experience a data breach that affects your personal data, we will notify affected users as required by applicable laws.
HIPAA Breach Notification and Response
A breach is an impermissible use or disclosure of PHI that compromises its security or privacy. We conduct immediate risk assessments for all potential breaches to determine notification requirements.
For confirmed breaches involving PHI:
- Individual notification: Without unreasonable delay and no later than 60 days after breach discovery
- HHS OCR notification: Within 60 days of breach discovery for breaches affecting 500 or more individuals; smaller breaches are logged and reported annually, no later than 60 days after the end of the calendar year in which they were discovered
- Media notification: Within 60 days of breach discovery if the breach affects more than 500 residents of a state or jurisdiction
- Business associate notification to us: Without unreasonable delay and no later than 60 days after the business associate discovers the breach
Our breach response includes:
- Immediate containment and mitigation measures
- Forensic investigation to determine scope and cause
- Risk assessment for potential harm to individuals
- Remediation to prevent future similar incidents
- Documentation of all response activities
9.4 Patient Support Services
For individuals affected by PHI breaches, we provide:
- Clear explanation of what information was involved
- Steps taken to mitigate harm and prevent recurrence
- Resources for identity monitoring when appropriate
- Direct contact information for questions and concerns
Our Services are not intended for children under the age of 14. If we learn that we have collected personal information from a child under 14, we will take steps to delete that information. Parents or guardians who believe we may have collected such data may contact us at help@thesleepreset.com.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through our platform or by email. Your continued use of our Services after changes are made constitutes your acceptance of those changes.
To the maximum extent permitted by law, Sleep Reset shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses resulting from: (a) your use or inability to use our Services; (b) any unauthorized access to or use of our servers and/or any personal information stored therein; (c) any interruption or cessation of transmission to or from our Services; (d) any bugs, viruses, trojan horses, or the like that may be transmitted to or through our Services.
You agree to defend, indemnify, and hold harmless Sleep Reset and its officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses, including without limitation reasonable attorney fees and costs, arising out of or in any way connected with your access to or use of the Services.
By using our Services, you agree that any dispute, claim, or controversy arising out of or relating to these terms or the breach, termination, enforcement, interpretation, or validity thereof or the use of the Services shall be resolved by binding arbitration between you and Sleep Reset, rather than in courts.
You agree that any proceedings to resolve or litigate any dispute in any forum will be conducted solely on an individual basis. Neither you nor Sleep Reset will seek to have any dispute heard as a class action or in any other proceeding in which either party acts or proposes to act in a representative capacity.
This Privacy Policy and any disputes relating to your data shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of law provisions.
Any legal action or proceeding relating to this Privacy Policy shall be instituted exclusively in the federal or state courts located in San Francisco County, California. You and Sleep Reset agree to submit to the jurisdiction of, and agree that venue is proper in, these courts in any such legal action or proceeding.
If you have any questions or concerns about this Privacy Policy, or if you wish to exercise your privacy rights, please contact us at:
By using our Services, you acknowledge that you have read, understood, and agree to this Privacy Policy.
Last Updated: Jan 31, 2025