
Privacy Policy

Last updated: March 2026

This policy explains how Absolute Rest ("we," "us," "our") collects, uses, stores, and protects your information when you participate in the Absolute Rest × Waking Up Sleep Challenge ("the Challenge") through wearables.absoluterest.com.

We've written this in plain language because you should actually understand what happens with your data.


1. What We Collect

From your wearable provider (Oura, WHOOP, or Fitbit), covering the 60 days before and 14 days during the Challenge:

  • Your name and email address (to deliver your report and send confirmation emails).
  • Age and sex from your wearable profile (to support aggregate sleep research).
  • Sleep data: duration, bedtime, wake time, sleep stages (deep, REM, light), sleep efficiency, sleep latency, time in bed, awakenings, and provider sleep scores.
  • Physiological data: resting heart rate, heart rate variability (HRV), respiratory rate, blood oxygen (SpO2), skin temperature, and provider recovery/readiness scores.
  • The full API response payload from your wearable provider for the data types listed above.

Automatically:

  • Your wearable provider's internal user ID (used to retrieve your data).
  • OAuth access and refresh tokens (used to connect to your wearable provider on your behalf).
  • Approximate location (country), derived from your IP address. This is used to support aggregate sleep research and to provide the correct privacy disclosures for your region.

We do not collect your wearable provider password. We do not track browsing behavior, use advertising cookies, or deploy third-party analytics or tracking pixels.

2. How We Use Your Data

Generating your sleep report. Your sleep and physiological data is used to produce a personalized report comparing your sleep during the Challenge to your baseline before it. This is the primary purpose of the platform.

Sending you emails. Your email address is used to send a confirmation when you connect your wearable and a notification when your report is ready with a secure link to view it.

Aggregate sleep research. After delivering your report, we permanently anonymize your data — stripping all identifying information — and retain only the anonymized version for aggregate research into sleep patterns across populations. See Section 5 for how anonymization works.

Future program notifications (only with your consent). If you opt in, your email address is retained solely to notify you when our advanced wearable analysis becomes available. No additional data is collected for this purpose.

3. How We Protect Your Data

Encryption. OAuth tokens are encrypted at rest using Supabase Vault's Transparent Column Encryption (libsodium-based authenticated encryption). Encryption keys are managed separately from the database — a full database backup cannot reveal your tokens. All data is transmitted over HTTPS.

Access control. Wearable tokens are stored in a private database schema not accessible through any public API. Only essential server-side processes can read or write tokens. Sleep data is accessible only through a secure function that requires your unique report token.

Report security. Your report is accessible via a unique 256-bit cryptographically secure URL token (64 hex characters). Rate limiting prevents automated guessing attempts.

Data storage. Your data is processed and stored on servers in the United States, operated by Amazon Web Services (AWS) and Supabase. Both providers maintain SOC 2 compliance and encrypt data at rest.

4. Who Sees Your Data

Only you. Your individual sleep data, physiological metrics, and report are never shared with, sold to, or disclosed to any third party — including Waking Up, advertisers, data brokers, or researchers.

We may publish aggregate, anonymized statistics (e.g., "participants improved their average sleep duration by 12 minutes") with no individual identification possible.

5. What Happens to Your Data After the Challenge

Your personal data and connection tokens are retained for up to 90 days after the Challenge ends so you can access your report. After that window:

  1. We revoke our access to your wearable account by calling each provider's token revocation endpoint.
  2. We delete your connection tokens from our database.
  3. We delete your personal information — email, name, wearable provider user ID, report token, and all email message IDs.

Within the 90-day window, you may request full deletion of all your data at any time using the self-service deletion tool in Section 6 below. After you confirm via email, your request is reviewed by our team before deletion, and you’ll receive a confirmation email once complete.

Anonymization for research. Your personal information (name, email, date of birth, wearable account ID) is permanently replaced with random placeholders that have no mapping back to you. Your sleep and biometric data is retained in anonymized form — linked only to an internal identifier that cannot be traced to your identity. No mapping between you and the anonymized data is ever stored. Once anonymized, the data cannot be linked back to you by us or anyone else, and it is no longer considered personal data.

Future notifications. If you opted in, your email address is retained separately, completely unlinked from any sleep or health data, solely to notify you when the advanced analysis is available. You can unsubscribe at any time.

6. Your Rights

Regardless of where you live, you have the right to:

  • Access. Request a copy of the data we hold about you by emailing privacy@absoluterest.com.
  • Deletion. Request that we delete all of your data using the deletion tool below. After you confirm via email, your request is reviewed by our team before deletion, and you’ll receive a confirmation email once complete.
  • Withdraw consent. Disconnect our app in your wearable provider's settings (Oura, WHOOP, or Fitbit) to prevent further data access. You may also use the deletion tool below to permanently remove your data.
  • Unsubscribe. If you opted in to future notifications, unsubscribe via the link in any email we send.

Request data deletion

Enter the email address associated with your wearable account to request deletion of all your data. You'll receive a verification email to confirm. After confirmation, your request is queued for review by our team, and we'll email you once the deletion is complete.

Additional rights by region

California residents. Your wearable-derived health metrics are classified as sensitive personal information under California law. You have the right to know the categories and specific pieces of personal information we have collected, the purposes for collection, and the categories of third parties with whom we share it (none). You may request deletion, which we will honor within 30 days. We do not sell or share personal information for advertising or cross-context behavioral advertising. We limit our use of sensitive personal information to what is necessary to provide your sleep report. We will not discriminate against you for exercising your rights.

Washington State residents. Your sleep and physiological data are consumer health data under Washington law. We collect it only with your explicit consent, obtained separately from this policy. We do not sell consumer health data. You may request access or deletion at any time, and you may revoke consent, after which we will cease processing.

Canadian residents. We comply with federal and applicable provincial privacy principles, including accountability, purpose limitation, consent, data minimization, accuracy, safeguards, openness, individual access, and the ability to challenge compliance. Your consent for health data is obtained expressly. You may request access, correction, or deletion. You may withdraw consent at any time; we will inform you of the implications (e.g., we cannot generate your report if consent is withdrawn before delivery). Your data is transferred to and stored in the United States; by consenting, you acknowledge this transfer. If you believe we have not complied, you may file a complaint with the Office of the Privacy Commissioner of Canada.

Quebec residents. In addition to the rights above, you have the right to data portability (a copy of your personal information in a commonly used format) and the right to rectification. All optional data collection defaults to the highest level of privacy — nothing optional is collected unless you take affirmative action. We do not use automated decision-making that produces legal or similarly significant effects; your report is informational, not a diagnosis. Your data is transferred to the United States; we have conducted a Privacy Impact Assessment for this transfer, a summary of which is available on request. If you believe your rights have been violated, you may file a complaint with the Commission d'accès à l'information du Québec.

7. Children

This platform is not intended for anyone under 18. We do not knowingly collect data from minors.

8. Emails We Send

Transactional (not subject to unsubscribe): a confirmation when you connect your wearable, and a notification when your report is ready. These are direct service communications.

Marketing (only with your opt-in): a notification when the advanced wearable analysis is available. These emails contain an unsubscribe link; we will honor opt-out requests within 10 business days or immediately where required by applicable law.

We send emails through Amazon Simple Email Service (AWS SES). We do not share your email address with any third-party email marketing platform.

9. Changes to This Policy

If we make material changes, we will notify affected participants by email before the changes take effect. The "last updated" date at the top reflects the most recent revision.

10. Not Medical Advice

Your sleep report is for informational and educational purposes only. It is not medical advice, a diagnosis, or a substitute for professional consultation. If you have concerns about your sleep or health, consult a healthcare provider.

11. Contact

To exercise your privacy rights, use the self-service data deletion tool in Section 6 above. To disconnect your wearable, visit your provider's app settings (Oura, WHOOP, or Fitbit).

For questions, concerns, or requests that cannot be handled through the self-service tool, contact us at privacy@absoluterest.com.