
Your PAP Data Belongs to You: Privacy in Sleep Medicine

February 5, 2025 · 7 min read

Every night, your PAP machine quietly records some of the most intimate health data imaginable: how you breathe, when you stop breathing, how your body responds to obstruction, and even patterns that correlate with sleep stages and body position. It's a remarkably detailed physiological diary. But have you ever stopped to ask: where does all that data go?

The Rise of the Connected PAP Device

Modern PAP machines from ResMed, Philips, and other manufacturers are increasingly connected devices. ResMed's AirSense 10 and 11 models, for instance, come with built-in cellular modems that transmit your sleep data to ResMed's cloud servers every day — automatically, without any action from you.

This data feeds into apps like myAir (for patients) and AirView (for clinicians). On the surface, this sounds convenient: your sleep physician can monitor your therapy remotely, and you get a daily sleep score. But the implications run deeper than most users realize.

What gets transmitted?

  • Usage hours and session times
  • AHI, leak rates, and pressure data
  • Event flags (apneas, hypopneas, flow limitation)
  • Device serial number and settings
  • Your name, date of birth, and prescriber information (via AirView)

Who Can See Your Sleep Data?

The data chain is longer than you might expect:

1. The device manufacturer

ResMed, Philips, and others store your data on their cloud infrastructure. Their privacy policies typically allow them to use aggregated or de-identified data for research, product development, and business purposes.

2. Your DME (equipment provider)

Durable Medical Equipment companies often have AirView access to monitor your compliance. In the US, this is tied to insurance reimbursement — your equipment provider is essentially reporting your usage to your insurer.

3. Your insurance company

In the US, Medicare and most private insurers require proof of CPAP compliance (typically 4+ hours per night, 70% of nights) to continue covering equipment. Your usage data is used to make these determinations.

4. Your sleep physician

This is the one party that should have access. But the same data portal they use (AirView) is controlled by the manufacturer, not by you or your healthcare system.

Compliance Monitoring: Health Tool or Surveillance?

The US insurance compliance model creates a unique tension. Patients are told they must use their CPAP for a minimum number of hours to keep their equipment. This well-meaning policy has unintended consequences:

  • Patients may wear the mask while awake to log hours, rather than seeking help for discomfort issues
  • The focus shifts from "is the therapy working?" to "are you wearing it enough?"
  • Data that should empower patients becomes a tool of surveillance, creating anxiety rather than engagement

Outside the US, the compliance monitoring landscape varies. Many European and Australian healthcare systems focus more on clinical outcomes than hourly usage targets. But the data collection infrastructure — cloud-connected devices transmitting to manufacturer servers — is the same everywhere.

The Case for Local-First Analysis

Here's what many PAP users don't know: your machine stores detailed data locally on its SD card, independently of any cloud connection. This SD card data is actually more detailed than what gets transmitted — it includes full flow waveforms, not just summary statistics.

This means you can analyze your own data without it ever touching a third-party server. No manufacturer cloud, no DME portal, no insurance compliance system. Just your data, on your device, under your control.

No Upload

Data stays in your browser. Nothing is sent to any server.

You Control It

Close the tab and the data is gone. No accounts, no tracking.

Open Source

The code is public. Anyone can verify what happens with your data.
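
One way to check a "nothing is sent to any server" claim for any browser-based analyzer, as an added example (not AirwayLab's code): export a HAR file from the DevTools Network panel after loading an SD card, then list every request that carried a body or left the app's origin. The HAR below is constructed sample data, and the hostnames and the `auditHar` name are placeholders.

```javascript
// Added example: audit a DevTools HAR export for data leaving the browser.
// SAMPLE_HAR is constructed sample data; all hostnames are placeholders.
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET", url: "https://analyzer.example/", bodySize: 0 } },
  { request: { method: "GET", url: "https://analyzer.example/app.js", bodySize: 0 } },
  { request: { method: "POST", url: "https://metrics.example/collect", bodySize: 48213,
               postData: { mimeType: "application/octet-stream", text: "" } } },
  { request: { method: "GET", url: "https://cdn.example/font.woff2?sn=00000000000",
               bodySize: 0 } },
] } };

// Methods that normally carry no request body.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function auditHar(har, appOrigin) {
  const uploads = [];     // requests able to carry file contents off the device
  const thirdParty = [];  // requests to any origin other than the app itself
  for (const { request } of har.log.entries) {
    const url = new URL(request.url);
    const textLen = request.postData && request.postData.text
      ? request.postData.text.length : 0;
    // HAR uses bodySize -1 for "unknown", so fall back to the captured text length.
    const bodyBytes = Math.max(request.bodySize || 0, textLen);
    if (bodyBytes > 0 || request.postData || !SAFE_METHODS.has(request.method)) {
      uploads.push({ url: request.url, method: request.method, bodyBytes });
    }
    if (url.origin !== appOrigin) {
      // A query string sent to a third party can carry identifiers with no body at all.
      thirdParty.push({ url: request.url, hasQuery: url.search.length > 1 });
    }
  }
  return { uploads, thirdParty };
}

const report = auditHar(SAMPLE_HAR, "https://analyzer.example");
console.log("uploads:", report.uploads);
console.log("third-party requests:", report.thirdParty);
```

Open the Network panel before loading the page so the capture covers the whole session. A clean result describes that one capture only, so repeat it after the tool updates.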

Taking Control of Your Data

Regardless of where you live, there are practical steps you can take:

1. Use your SD card

Always keep an SD card in your machine. This gives you a local copy of your data that no one else controls. Pull it periodically and analyze your data yourself.

2. Consider disabling wireless

Most machines allow you to turn off cellular/WiFi transmission. The trade-off: you lose remote monitoring convenience, but you gain full control over your data. Discuss this with your physician if insurance compliance is a factor.

3. Use privacy-respecting analysis tools

Tools that process data locally in your browser — like AirwayLab — let you get insights from your data without creating yet another copy on yet another server.

4. Know your rights

Under GDPR (EU), you have the right to access, port, and delete your health data. Under HIPAA (US), you have the right to access your medical records, including CPAP data held by providers. Australia's Privacy Act provides similar protections.


Analyze Your PAP Data Privately

AirwayLab processes your ResMed SD card entirely in your browser. No accounts, no uploads, no cloud — just you and your data.
