Privacy Policy
Effective date: March 23, 2026
Yevgeniy Kovalev, ul. Siedmiogrodzka 1/99, 01-204 Warszawa, Poland ("Data Controller," "we," "us," or "our") operates the Wakeo mobile application ("the App"). This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, and the choices available to you.
We collect only the data necessary to provide and improve the App. Where we rely on your consent as a legal basis, we will ask for it separately through the App. Where we rely on other legal bases, they are set out below.
We have not appointed a Data Protection Officer because we do not meet the conditions set out in GDPR Article 37 (our core activities do not involve large-scale monitoring or processing of special category data). For all privacy inquiries, contact us at WakeoApp@proton.me.
1. Information We Collect
Information You Provide
- Name — your first name, used to personalize your coaching message.
- Goals — personal goals you set during onboarding (e.g., "exercise more," "be more productive").
- Preferences — tone preference (calm, energetic, focused, tough love), alarm times, and selected missions.
- Onboarding quiz answers — age range, gender, sleep habits, morning routine questions. These help us personalize your experience. Sleep-related data may be considered health-related; we process it on the basis of your explicit consent given during onboarding (GDPR Article 9(2)(a)).
- Signature image — an optional commitment signature captured during onboarding, stored locally on your device only.
Information Collected Automatically
- Device identifier — a pseudonymous UUID generated on first launch. This is device-linked personal data (not anonymous). It is stored in your device's secure Keychain and used to authenticate with our servers.
- Device metadata — iOS version, app version, device timezone, and whether your device supports AlarmKit (iOS 26+).
- Subscription status — whether you have an active premium subscription, managed through RevenueCat and the App Store.
- Usage analytics — app events such as onboarding completion, alarm setup, alarm firing, mission completion, and audio generation. Collected via AppsFlyer and PostHog.
- Crash reports — error data and stack traces collected via Sentry.
- Advertising identifier (IDFA) — collected only if you grant permission through the App Tracking Transparency prompt.
Sensor and Camera Data
- Camera photos — certain alarm dismissal missions require you to take a photo. Photos are compressed, sent to our server, forwarded to OpenAI's Vision API for automated verification, and deleted from our systems within seconds of the verification response. We do not retain your photos.
- Microphone and speech — voice missions use on-device speech recognition (Apple's Speech framework) to transcribe spoken text. Audio is processed on your device. For text-based mission verification, the resulting transcribed text (not audio) may be sent to our server for AI-based verification.
- Motion data — exercise missions (push-ups, squats) and shake-to-dismiss use your device's accelerometer. Motion data is processed in real time and is not stored or transmitted.
2. How We Use Your Information and Legal Basis
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Generate personalized coaching messages | Goals, tone preference | Contract performance (Art. 6(1)(b)) |
| Convert coaching messages to audio | Generated message text, tone preference | Contract performance (Art. 6(1)(b)) |
| Verify alarm dismissal missions | Photos (temporarily), transcribed text | Contract performance (Art. 6(1)(b)) |
| Authenticate your device | Device UUID, auth token | Contract performance (Art. 6(1)(b)) |
| Manage your subscription | RevenueCat user ID, subscription status | Contract performance (Art. 6(1)(b)) |
| Fix bugs and maintain security | Crash reports, error logs | Legitimate interest (Art. 6(1)(f)) — maintaining service reliability and security |
| Improve the App (product analytics) | Usage analytics (PostHog) | Consent (Art. 6(1)(a)) |
| Measure advertising effectiveness | IDFA, attribution data (AppsFlyer) | Consent (Art. 6(1)(a)) |
| Personalize onboarding experience | Name, quiz answers including sleep habits | Contract performance (Art. 6(1)(b)); explicit consent for health-related data (Art. 9(2)(a)) |
3. Third-Party Data Processors
As Data Controller, we engage the following third-party data processors. We have Data Processing Agreements in place with each processor as required by GDPR Article 28.
| Processor | Purpose | Data shared |
|---|---|---|
| OpenAI (USA) | Generate coaching messages; verify mission photos via AI | Goals, tone preference, mission photos (deleted after verification), transcribed text |
| ElevenLabs (USA) | Convert text to speech audio | Generated message text, tone preference |
| RevenueCat (USA) | Subscription management | Pseudonymous user ID, purchase events |
| AppsFlyer (USA/Israel) | Attribution and marketing analytics | App events, device metadata, IDFA (with consent) |
| PostHog (USA) | Product analytics | Pseudonymous usage events |
| Sentry (USA) | Crash reporting | Error data, stack traces |
| Tigris / Fly.io (USA) | Audio file storage, backend hosting | Generated audio files (keyed by device UUID) |
| Supabase (USA) | Database hosting | Device records, generation logs, mission verification logs |
Device-linked identifiers, user-provided content (goals, photos, transcribed text), and usage data constitute personal data under applicable law. This data is shared with the processors listed above solely to provide the service.
Each processor operates under its own privacy policy:
- OpenAI Privacy Policy
- ElevenLabs Privacy Policy
- RevenueCat Privacy Policy
- AppsFlyer Privacy Policy
- PostHog Privacy Policy
- Sentry Privacy Policy
4. International Data Transfers
Your data is transferred to and processed in the United States by the third-party processors listed above. These transfers are safeguarded by:
- EU–US Data Privacy Framework — where the processor is certified under the DPF (OpenAI, Sentry, and others maintain active certifications).
- Standard Contractual Clauses (SCCs) — where the processor is not DPF-certified, we rely on the European Commission's Standard Contractual Clauses adopted under Decision 2021/914.
You may request a copy of the applicable transfer safeguards by contacting us at WakeoApp@proton.me.
5. Data Storage and Retention
On your device
- Device UUID and auth token — iOS Keychain (encrypted by OS). Persists until app deletion.
- Profile, alarms, audio cache — local SwiftData database. Persists until app deletion.
- Generated audio files — Library/Sounds/. Overwritten on each generation cycle.
- Preferences — UserDefaults. Persists until app deletion.
On our servers
| Data category | Retention period |
|---|---|
| Device records (UUID, metadata, subscription status) | Until you request deletion, or 24 months after last activity |
| Generation logs (message text, latency, errors) | 12 months from creation |
| Mission verification logs (result, AI feedback, latency) | 12 months from creation |
| Audio files (Tigris cloud storage) | 7 days (presigned URL expiry), then deleted |
| Mission photos | Deleted within seconds of verification — not stored |
| Crash reports (Sentry) | 90 days (Sentry default retention) |
| Analytics events (PostHog, AppsFlyer) | Subject to each processor's retention policy |
6. Data Security
- All communication between the App and our servers is encrypted using HTTPS (TLS).
- Auth tokens are hashed (SHA-256) before storage in our database.
- API keys for third-party services are stored server-side only.
- Rate limiting is enforced to prevent abuse.
7. Automated Decision-Making
The App uses AI-powered automated processing in two areas:
- Mission photo verification — OpenAI's Vision API evaluates whether a submitted photo meets the mission criteria (e.g., "bed is made"). The result is a binary verified/rejected decision. If rejected, you may retake the photo. This does not produce legal or similarly significant effects.
- Coaching message generation — OpenAI generates personalized text based on your goals and tone preference. This is content creation, not a decision about you.
You are not subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you within the meaning of GDPR Article 22.
8. Your Rights (EEA/UK)
If you are in the European Economic Area or UK, you have the following rights under GDPR:
- Access (Art. 15) — request a copy of data we hold about your device.
- Rectification (Art. 16) — request correction of inaccurate data.
- Erasure (Art. 17) — request deletion of your data.
- Restriction (Art. 18) — request that we limit processing.
- Portability (Art. 20) — request your data in a machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interests.
- Withdraw consent — at any time, without affecting the lawfulness of prior processing. For analytics/IDFA, revoke tracking permission in iOS Settings.
To exercise these rights, contact us at WakeoApp@proton.me. We will respond within one month. This period may be extended by two further months for complex or numerous requests, in which case we will notify you within the first month.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the President of the Personal Data Protection Office (PUODO): Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa, Poland — uodo.gov.pl. You may also contact the supervisory authority in your country of residence.
9. Your Rights (United States)
California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act and its amendments provide you with specific rights regarding your personal information.
Categories of personal information we collect: Identifiers (device UUID), internet or electronic network activity (usage events, crash data), sensory data (photos for verification — not retained), inferences (AI-generated coaching preferences).
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising, except for IDFA-based attribution through AppsFlyer when you have granted App Tracking Transparency consent. You may opt out of this sharing by denying or revoking ATT permission in iOS Settings > Privacy & Security > Tracking.
Your rights:
- Right to know what personal information we collect, use, and disclose.
- Right to delete your personal information.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information.
- Right to non-discrimination for exercising your rights.
- Right to limit use of sensitive personal information (sleep habits, health-related quiz answers).
To exercise these rights, contact WakeoApp@proton.me. You may also designate an authorized agent to make a request on your behalf.
Virginia, Colorado, Connecticut, Texas, and Other States
If you reside in a US state with a comprehensive privacy law (including Virginia CDPA, Colorado CPA, Connecticut CTDPA, and Texas TDPSA), you may have rights to access, correct, delete, and port your personal data, and to opt out of targeted advertising, sale of personal data, and profiling.
To exercise these rights, contact WakeoApp@proton.me. If we decline your request, you may appeal by emailing us with the subject line "Privacy Rights Appeal." We will respond to appeals within the timeframe required by your state's law (typically 45–60 days).
10. Children's Privacy
The App is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. The App requires users to confirm they are 13 or older before any data collection begins. If a user indicates they are under 13, the App will block access and no data will be collected or retained.
If you are a parent or guardian and believe your child has provided us with personal data, contact us at WakeoApp@proton.me and we will delete the information promptly.
In the European Union, users under 16 must have parental or guardian consent to use the App, in accordance with GDPR Article 8. In California, users aged 13–15 are not subject to sale or sharing of personal information unless they have affirmatively opted in.
11. Tracking and Advertising
The App uses AppsFlyer for mobile attribution. On first launch, the App requests your permission through Apple's App Tracking Transparency framework before collecting your IDFA or initializing advertising-related analytics. You can change this permission at any time in iOS Settings > Privacy & Security > Tracking.
Crash reporting (Sentry) is initialized to maintain service reliability and security, which we consider a legitimate interest. Product analytics (PostHog) are initialized only after you proceed past the age verification screen.
If you deny tracking, the App functions normally. No IDFA is collected and attribution data is limited.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you through the App or by other appropriate means before the changes take effect. Where a change introduces new processing that requires your consent, we will obtain that consent separately. Continued use of the App after you have been notified of non-consent-based changes constitutes acknowledgment of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights:
Yevgeniy Kovalev (Data Controller)
ul. Siedmiogrodzka 1/99, 01-204 Warszawa, Poland
VAT ID: PL5272991183
Email: WakeoApp@proton.me