Privacy Policy
Last updated: 4 May 2026
Effective date: 4 May 2026
This Privacy Policy explains how WAKEZ HEALTH TECH ECOSYSTEM S.R.L. (“WakeZ”, “we”, “us”, “our”) collects, uses, shares and protects personal data when you use our website at https://wakez.ai, our iOS application available on the Apple App Store, and our beta application distributed through Apple TestFlight (together, the “Services”).
We are the data controller for the personal data described in this Policy.
If you do not agree with this Policy, please do not use the Services.
1. Who we are
Controller: WAKEZ HEALTH TECH ECOSYSTEM S.R.L.
Registered office: Str. Virgil Fulicea 3, Cluj-Napoca, 400022, Cluj County, Romania
Company registration (CUI): 46358350
Contact (general, support and privacy): help@wakez.ai
2. Scope
This Policy covers three surfaces. Each collects different data, so read the section that matches what you use.
- Website (https://wakez.ai). A WordPress site that provides product information, study information and contact forms. We collect basic web analytics and the data you submit through forms.
- Public iOS app. Distributed via the Apple App Store. Performs sleep analysis and baseline computations from sleep stage data read through Apple HealthKit. May include in-app questionnaires. Does not perform haptic interventions and does not perform real-time sleep stage prediction except when you actively use the Smart Alarm feature.
- TestFlight beta app. Distributed via Apple TestFlight to invited users only, under medical supervision. In addition to everything the public app does, the beta app performs real-time sleep stage prediction using extended runtime sessions and delivers haptic interventions in line with our research protocols. Beta users receive separate study consent before any haptic feature is activated.
This Policy does not cover polysomnography (PSG) data, which is collected through a separate device under separate consent and processing arrangements, nor does it cover data collected from study participants, who follow a separate research consent process.
The Services are intended for users 18 years of age or older. We do not knowingly collect personal data from anyone under 18.
3. Personal data we collect
3.1 Website
- Contact form data: name, email address, message content
- Basic technical data: IP address, browser type, pages visited, referral source, timestamps
- Cookies and similar technologies: see our Cookie Notice (link in the website footer) and the consent banner shown on first visit
3.2 iOS app (App Store and TestFlight)
Account data: email address, name (optional), authentication identifiers, account creation date.
Health data read from Apple HealthKit (with your explicit permission, read-only):
- Sleep analysis records (asleep, awake, in bed)
- Sleep stage data (REM and non-REM phases) where available
- Heart rate
- Heart rate variability (HRV)
- Movement and accelerometer-derived data
- Respiratory rate
- Blood oxygen saturation (SpO2)
We read these data only after you grant the corresponding HealthKit permissions in iOS, and only the categories you approve. We do not write data back to HealthKit.
You can revoke any HealthKit permission at any time in iOS Settings → Privacy & Security → Health.
Derived sleep data we compute and store:
- Sleep stage classifications computed from HealthKit inputs
- Aggregate metrics (sleep duration, stage distribution, baseline trends)
- Real-time predictions generated when you use the Smart Alarm feature, or, in the TestFlight beta, during extended runtime prediction sessions
Wearable data: data your paired wearable (such as Apple Watch) surfaces through HealthKit, limited to the categories above.
Questionnaire responses: if we send you in-app questionnaires, the answers you provide.
Device and diagnostic data: device model, operating system version, app version, locale, crash reports, performance traces.
TestFlight beta only: logs and event records related to haptic intervention sessions (when activated, intervention parameters, user response) for the purpose of the underlying research protocol.
3.3 Data we do not collect
We do not collect: precise location, audio or video recordings, environmental sensor data, phone activity data, or clinical diagnoses through the app.
4. Why we use your data and our legal bases
We process personal data on the legal bases set out below. For special category health data (sleep, biometric, HealthKit-derived data) we rely on your explicit consent under Article 9(2)(a) GDPR, in addition to the Article 6 basis listed.
| Purpose | Data used | Legal basis (GDPR Art. 6) | Special category basis (Art. 9) where applicable |
| Provide sleep analysis features and account access | Account data, HealthKit-derived data, derived sleep data | Performance of contract (Art. 6(1)(b)) | Explicit consent (Art. 9(2)(a)) |
| Operate the Smart Alarm and (in the beta) real-time prediction | Derived sleep data, device data | Performance of contract | Explicit consent |
| Operate haptic interventions (TestFlight beta only) | Sleep data, intervention session logs | Performance of contract; participation in research under medical supervision | Explicit consent |
| Improve the product, debug crashes, monitor reliability | Device and diagnostic data, derived metrics | Legitimate interests in maintaining a working product (Art. 6(1)(f)) | Not applicable |
| Respond to support requests | Contact data, account data | Legitimate interests; performance of contract | Not applicable, unless you share health data in your message, in which case explicit consent |
| Send service announcements (e.g. terms changes, security notices) | Email address | Legal obligation; legitimate interests | Not applicable |
| Send optional marketing communications | Email address | Consent (Art. 6(1)(a)) | Not applicable |
| Comply with legal obligations | As required | Legal obligation (Art. 6(1)©) | Where required by law |
| Defend or establish legal claims | As relevant | Legitimate interests | Art. 9(2)(f) where applicable |
You can withdraw consent at any time by emailing help@wakez.ai. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal, but it may mean we can no longer provide certain features or the product itself.
5. Apple HealthKit specific terms
We integrate with Apple HealthKit. In line with Apple’s HealthKit requirements:
- We only read HealthKit data. We do not write to HealthKit.
- We do not use HealthKit data, or any data derived from HealthKit data, for advertising, marketing, or other use-based data mining purposes other than improving health management or for the purposes of health research with your explicit consent.
- We do not sell HealthKit data, or data derived from HealthKit data, to any third party.
- We do not disclose HealthKit data to third parties except to the processors listed in Section 6 of this Policy, who act on our behalf to host or operate the Services.
- You control HealthKit permissions in iOS Settings and can revoke them at any time. Revocation will limit or disable sleep analysis features that depend on HealthKit.
6. Who we share data with
We do not sell your personal data. We share it only with the categories of recipients below.
Hosting and infrastructure: Amazon Web Services (AWS) hosts our application backend and data stores. AWS regions used for personal data are within the European Union.
Error monitoring and crash reporting: Sentry, used to capture crash reports and runtime errors so we can fix bugs. Crash payloads are scoped to exclude HealthKit and biometric content.
AI processing (forward-looking): We may, in the future, deploy optional natural language features powered by third-party large language model providers (which may include Anthropic and OpenAI, both based in the United States). Today, no HealthKit data, biometric data, or identifiable user content is sent to these providers. If we enable any feature that sends user content to an LLM provider, we will update this Policy, request your explicit consent where the data is special category data, and put in place appropriate transfer safeguards (see Section 7).
Authorities and legal process: we may disclose personal data where required by law, court order, or to establish, exercise or defend legal claims.
Business transfers: if we are involved in a merger, acquisition or sale of assets, personal data may be transferred. We will notify you and seek consent where required by applicable law.
We do not currently use third-party advertising networks, marketing analytics, or attribution SDKs in the iOS app. The website may use cookies for analytics and marketing as described in our Cookie Notice; those cookies are loaded only after you give consent through the cookie banner.
7. International transfers
Your personal data is stored and processed in the European Union (on our own infrastructure or in EU AWS regions).
If, in the future, we share personal data with a processor outside the European Economic Area (for example, an LLM provider in the United States as described in Section 6), we will rely on a valid transfer mechanism under Chapter V of GDPR, which will normally be the European Commission’s Standard Contractual Clauses (2021/914), supplemented by additional technical and contractual safeguards where required following a transfer impact assessment.
8. How long we keep your data
| Category | Retention |
| Account data | While your account is active |
| HealthKit-derived data and derived sleep metrics | While your account is active |
| Inactive accounts (no login for 36 months) | Account and associated data deleted within 30 days of the inactivity threshold being reached |
| Account closure on request | Account and associated data deleted within 90 days; backups purged within a further 30 days |
| Crash reports and diagnostic logs | 90 days |
| Support correspondence | 24 months from resolution |
| Anonymized aggregate statistics that cannot be linked back to you | May be retained indefinitely for product improvement and research |
| Records required by law (e.g. accounting) | For the period required by Romanian and EU law |
If you participate in a TestFlight study, retention of study-specific data is governed by the separate study consent you sign.
9. Security
We use technical and organizational measures appropriate to the sensitivity of the data, including encryption in transit and at rest, access controls and least-privilege access for our team, logging and monitoring, vendor security reviews, and routine backup and recovery procedures. No system is perfectly secure; if we become aware of a personal data breach affecting you, we will notify you and the relevant supervisory authority in line with our obligations under GDPR.
10. Your rights under GDPR
You have the following rights in respect of your personal data, free of charge in most cases:
- Access the personal data we hold about you and obtain a copy
- Rectification of inaccurate or incomplete data
- Erasure (“right to be forgotten”) in defined circumstances
- Restriction of processing in defined circumstances
- Data portability for data you have provided to us, in a structured machine-readable format
- Object to processing based on legitimate interests, including profiling
- Withdraw consent at any time, where processing is based on consent
- Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you (see Section 11)
To exercise any of these rights, including account deletion, email help@wakez.ai. The app does not currently include in-app self-service deletion; all deletion and data subject requests are handled by our team through this email. We may need to verify your identity before responding. We will respond within 30 days, extendable by a further 60 days for complex requests, and will tell you why if we cannot fulfill a request in whole or in part.
You also have the right to lodge a complaint with the Romanian supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București
anspdcp@dataprotection.ro
https://www.dataprotection.ro
If you are based in another EU/EEA country, you may also lodge a complaint with your local supervisory authority.
11. Automated decision-making
The Services classify sleep stages and produce sleep insights using algorithms. These outputs are informational, intended to support your awareness of your own sleep, and do not produce legal effects or similarly significant effects on you. We do not use them to make decisions that affect your access to services, employment, credit, insurance or similar.
In the TestFlight beta, haptic interventions are delivered automatically based on real-time sleep stage prediction, but only after a clinician has activated the feature for you under medical supervision and you have given study-specific consent.
12. Children
The Services are intended for users 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a person under 18, contact help@wakez.ai and we will delete it.
13. Research participation
Some users participate in research studies, clinical investigations, or supervised beta programs run by or with WakeZ. Research participation is opt-in and follows a separate path from ordinary use of the Services.
If you take part in a study, you will receive separate study-specific materials, which may include a participant information sheet, an informed consent form, eligibility criteria, the study protocol, the ethics approval reference, and the contact details of the study investigators. Those materials describe in detail what additional data is collected, why, how long it is retained, who has access to it, what your withdrawal rights are, and how to contact the investigators or the relevant ethics committee.
The TestFlight beta features that involve haptic interventions are activated for you only after a clinician has authorized them and you have signed the corresponding study consent.
If anything in a study-specific consent document conflicts with this Privacy Policy, the study consent document governs the study-specific processing it describes. This Privacy Policy continues to govern your ordinary use of the Services outside the scope of the study.
You can withdraw from a study at any time, in line with the procedures described in the study consent document, without affecting your continued use of the Services.
14. Cookies
Our website uses cookies and similar technologies. Non-essential cookies (analytics, marketing) are loaded only after you give consent through the cookie banner. You can change your preferences at any time through the cookie settings link in the website footer. See our separate Cookie Notice for a full list of cookies in use.
The iOS app does not use cookies. It uses standard iOS identifiers (app installation identifier, push notification token) which are scoped to the app and are not used for cross-app tracking. We do not request App Tracking Transparency (ATT) permission because we do not track you across apps and websites owned by other companies.
15. Changes to this Policy
We may update this Policy from time to time. When we do, we will:
- Update the “Last updated” date at the top of this page
- For material changes (for example, new categories of data, new processors that receive personal data, new purposes), give you at least 30 days’ advance notice by email and through the Services before the changes take effect, and obtain renewed consent where required by law
- For non-material changes (for example, clarifications, contact updates), the changes take effect when posted
If you do not agree with a change, you can close your account before it takes effect.
16. Contact
For any question, request, or complaint about this Policy or your personal data, contact:
WAKEZ HEALTH TECH ECOSYSTEM S.R.L.
CUI: 46358350
Email: help@wakez.ai (general, support, privacy and DPO)