Privacy
Last updated: 11 May 2026
This page describes what data NightCue collects, why, and what you can do about it. It applies to the NightCue iPhone app (currently in private beta) and to this website at nightcue.app.
NightCue is run by a single person. This policy is written in plain English on purpose. If anything here is unclear, email developer@nightcue.app and I'll explain.
1. Who runs NightCue
NightCue is operated by Product Analytics Consulting Ltd, a private limited company registered in England and Wales (company number 16303100). For the purposes of UK and EU data protection law, Product Analytics Consulting Ltd is the data controller for any personal data processed by NightCue.
Contact: developer@nightcue.app
2. What data NightCue collects
2.1 When you sign in
- Your email address, so I can authenticate you and send sign-in links / codes.
- An encrypted password if you choose to set one (handled by Supabase; I never see the plaintext).
2.2 When you connect your Oura ring
- An OAuth access token issued by Oura, stored so the app can fetch your sleep data on your behalf.
- Your sleep data from Oura – total sleep, sleep stages, heart-rate variability, restfulness, sleep timing, and similar metrics that Oura makes available through its API.
You authorise this access explicitly when you tap "Connect Oura" in the app, and you can revoke it at any time by disconnecting from inside NightCue or from Oura's own settings.
2.3 When you use the app day-to-day
- Your daily check-in answers – adherence, alcohol, stress, illness, travel, side effects, free-text notes, and similar inputs.
- Your experiment history – which interventions you chose, when you started and stopped, what outcomes the engine recorded.
- Your baseline snapshot – the summary of your "normal" sleep that NightCue uses as a comparison point.
2.4 Operational events
- Basic app events like "completed onboarding," "synced sleep data," "logged check-in," and "sync failed" – used so I can debug what testers run into.
- Error logs from inside the app, where they help me identify and fix bugs.
2.5 What NightCue does NOT collect
- No third-party advertising or marketing SDKs.
- No location data.
- No contacts, photos, microphone, or camera access.
- No cross-app or cross-site tracking.
- No data from Apple Health.
- No data used to train AI models.
3. Why NightCue collects it (lawful basis)
Under UK GDPR and EU GDPR, every kind of personal data needs a lawful basis. NightCue relies on three:
- Performance of a contract (Article 6(1)(b)) – to give you the service you signed up for. This covers your email, your check-ins, your experiment history, your baseline, and the Oura sync plumbing.
- Legitimate interests (Article 6(1)(f)) – to keep the app reliable. This covers basic app events and error logs. The interest balanced against your rights is "the app works and bugs get fixed."
- Explicit consent for health-related data (Article 9(2)(a)) – sleep data, heart-rate variability, side-effect logs and similar are considered "data concerning health" under Article 9 GDPR, which has stricter rules. You give explicit consent when you connect Oura and when you complete each daily check-in. You can withdraw consent at any time – see Section 7.
4. Who else sees your data
NightCue is private. Your data is not sold, not shared with advertisers, and not used to suggest experiments to anyone else. A small number of service providers process data on NightCue's behalf, strictly to make the app work:
4.1 Supabase
What: hosts the database where all your data lives, handles authentication, and stores encrypted backups.
Where: Supabase operates from data centres in the EU and the US. NightCue's project is configured in the EU region where possible.
Privacy policy: supabase.com/privacy
4.2 Oura Health Ltd
What: the source of your sleep data. NightCue requests data from Oura's API using the OAuth token you authorise. Oura is the source of this data and remains its own data controller for what you store inside Oura's app; NightCue is a separate controller for the copy stored in NightCue's database.
Where: Oura is a Finnish company; their privacy policy covers EU and US processing.
Privacy policy: ouraring.com/privacy-policy
4.3 Cloudflare
What: serves this website (nightcue.app), provides DNS, and provides TLS certificates. Cloudflare does not see your in-app data – only requests to this marketing site.
Privacy policy: cloudflare.com/privacypolicy
4.4 Google Workspace
What: hosts developer@nightcue.app email. Used only for correspondence – not connected to the app or its data.
Privacy policy: workspace.google.com/terms/dpa_terms.html
5. International transfers
Some processors (Supabase, Cloudflare, Google) may transfer data outside the UK and EEA – typically to the United States. Where this happens, transfers rely on the EU Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum. These are standard safeguards that bind the processor to UK/EU-level data protection regardless of where the servers physically sit.
6. How long NightCue keeps your data
- While you're using the app: indefinitely, so you can see your history and the engine can use past experiments to suggest future ones.
- If you ask to delete it: within 30 days, with rare exceptions only for data we must keep for legal reasons (e.g. tax records relating to any payments – currently none).
- If you stop using the app without deleting: data is kept until you ask for deletion. There's no automatic purge – that decision is yours.
- Error logs and app events: kept up to 12 months for debugging, then deleted.
7. Your rights
Under UK GDPR and EU GDPR, you have the right to:
- Access the personal data NightCue holds about you.
- Correct data that's inaccurate or incomplete.
- Erase your data (the "right to be forgotten").
- Restrict or object to processing in certain circumstances.
- Withdraw consent for health-related processing at any time. This stops future processing but doesn't affect past processing that was lawful at the time.
- Receive your data in a portable format (JSON export available on request).
- Complain to the UK Information Commissioner's Office (ico.org.uk) or your local EEA data protection authority.
To exercise any of these rights, email developer@nightcue.app. I aim to respond within 7 days and complete the action (export / deletion / correction) within 30 days. There's no fee.
8. Security
Data in transit is protected by TLS (HTTPS). Data at rest in Supabase is encrypted. Access to NightCue's database is restricted to a single operator account protected by two-factor authentication. There is no "support team" or contractor with access to your data.
No system is perfectly secure. If a data breach occurs that's likely to affect your rights, you'll be notified within 72 hours, as required by GDPR.
9. Children
NightCue is not intended for and not knowingly used by anyone under 18. The app is not on a public store and access is by personal invitation only. If you believe a minor has been given access, contact developer@nightcue.app.
10. Changes to this policy
I'll update this policy as NightCue evolves. Material changes – anything that affects what data is collected or who it's shared with – will be communicated to active testers by email before they take effect. The "Last updated" date at the top reflects the current version.
11. Contact
For any privacy question, data request, or complaint:
developer@nightcue.app
Postal: Product Analytics Consulting Ltd, London, United Kingdom.
(Email is faster; postal address available on request.)
You can also complain to the UK Information Commissioner's Office at ico.org.uk at any time without contacting me first.