Privacy Policy

Last updated: 12 March 2026

AirwayLab is privacy-first by design. All core analysis runs in your browser.

1. Who We Are

AirwayLab (“we”, “us”, “our”) is an open-source sleep and airway analysis tool operated under the domain airwaylab.app. AirwayLab is not a medical device and is not cleared or approved by the FDA, CE, TGA, or any regulatory body. It is provided for educational and informational purposes only.

For privacy questions, contact us via our contact form.

2. How AirwayLab Processes Data

AirwayLab uses a two-tier architecture designed to keep your health data under your control:

Tier 1 — Browser-Only (Default)

All core analysis runs entirely in your browser using Web Workers. Your EDF files are parsed, flow data extracted, and all four analysis engines execute without any network request. No data leaves your device. This is the default for all users, including those without an account.

Tier 2 — Server-Enhanced (Opt-In Only)

Certain features require server communication and are only activated with your explicit, informed consent. These include AI-powered insights, cloud file storage, and anonymised data contribution. Every server interaction requires a separate consent action — we never bundle or pre-select consent.

3. What Personal Data We Collect

3.1 Account Data (if you create an account)

  • Email address (for authentication and account communications)
  • Display name (optional, for supporter acknowledgement)
  • Subscription tier and billing status (via Stripe)

3.2 Payment Data

Payment processing is handled entirely by Stripe. We never see or store your credit card number, CVV, or full billing details. We receive only your Stripe customer ID and subscription status.

3.3 Health Data (only with your explicit consent)

If you opt in to specific features, we process the following health-related data:

  • AI Insights: Aggregate analysis metrics (Glasgow Index, WAT, NED, oximetry scores), machine settings, and optional night notes. Raw waveforms and per-breath data are never sent.
  • Data Contribution: Anonymised aggregate metrics, device model, and your self-reported sleep quality rating (1–5 scale). Used for community insights, AI model improvement, and research. No dates, timestamps, names, or identifiers are included.
  • Cloud Storage: Encrypted raw SD card files stored in EU-region servers, accessible only to your account.

3.4 Automatically Collected Data

  • Page views: Collected by Plausible Analytics — a privacy-first, cookie-free analytics service. No personal data, no IP tracking, no fingerprinting.
  • Error reports: Collected by Sentry when errors occur. May include browser type, page URL, and error stack traces. Does not include health data.
  • Product analytics: Collected by PostHog for feature usage patterns. No health data is included.

3.5 What We Do NOT Collect

  • Cookies (we use none)
  • Browser fingerprints
  • IP addresses for tracking (Plausible does not store IPs)
  • Raw sleep waveforms (never transmitted to any server)
  • Per-breath analysis data
  • Device serial numbers or user names from PAP machines

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area, we process your data under:

  • Contract (Art. 6(1)(b)): Account creation, subscription management, and service delivery.
  • Consent (Art. 6(1)(a)): AI insights, data contribution, cloud storage, and email communications. You can withdraw consent at any time.
  • Legitimate interest (Art. 6(1)(f)): Error monitoring (Sentry), anonymous usage analytics (Plausible), and security protections.

5. Data Retention

  • Browser localStorage: Analysis results auto-expire after 30 days. You can clear them at any time.
  • Shared analysis links: Expire after 30 days and are then permanently deleted.
  • Account data: Retained until you request deletion.
  • Contributed data: Retained indefinitely for research purposes. Since it is fully anonymised, it cannot be traced back to you.
  • Cloud-stored files: Retained until you delete them or request account deletion.
  • Analytics (Plausible): Aggregate data only, no personal data retained.
  • Error logs (Sentry): Retained for 90 days.

6. Service Providers & Data Processors

We use the following third-party services. Each processes only the minimum data required for its function:

Service | Purpose | Data Region | Data Processed
Supabase | Database & authentication | EU (West) | Account data, subscriptions, contributed metrics
Anthropic (Claude) | AI-powered insights | US | Aggregate metrics only (opt-in)
Stripe | Payment processing | US/EU | Payment and subscription data
Vercel | Hosting & CDN | Global edge | HTTP requests (no health data)
Plausible | Privacy-first analytics | EU | Page views only, no personal data
Sentry | Error monitoring | US | Error traces, browser type, page URL
PostHog | Product analytics | EU | Feature usage patterns, no health data
Resend | Transactional email | US | Email address, message content

7. Client-Side Storage (localStorage)

AirwayLab uses your browser’s localStorage (not cookies) to persist analysis results and preferences locally on your device. All keys are prefixed with airwaylab_.

  • Analysis results (auto-expire after 30 days, 4MB cap)
  • Disclaimer dismissal state
  • Consent preferences (contribution, storage, AI insights)
  • Feature gate state

This data never leaves your browser. You can clear it at any time via your browser settings or by clearing the AirwayLab analysis data from the dashboard.

8. Your Rights

Under GDPR, CCPA/CPRA, and similar data protection laws, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Portability: Export your analysis data as CSV, JSON, or PDF at any time from the dashboard — no request needed.
  • Rectification: Update your account details via your profile settings.
  • Erasure: Request deletion of your account and all associated data. We process deletion requests within 30 days.
  • Withdraw consent: Disable any opt-in feature (AI insights, data contribution, cloud storage) at any time via the dashboard.
  • Opt out of analytics: Plausible respects your browser’s Do Not Track setting. You can also use a browser extension to block analytics.

To exercise these rights, contact us via our contact form. We will respond within 30 days.

9. Children’s Privacy

AirwayLab is intended for adults aged 18 and over who have been diagnosed with sleep-disordered breathing. We do not knowingly collect personal data from children under 16 (or 13 in jurisdictions where COPPA applies). If you believe a child has provided us with personal data, please contact us via our contact form and we will promptly delete it.

10. Data Breach Notification

In the event of a data breach affecting your personal data, we will:

  • Notify the relevant supervisory authority within 72 hours (as required by GDPR)
  • Notify affected users without undue delay via email
  • Publish a notice on this page with details of the breach, data affected, and remediation steps

To report a security vulnerability, use our contact form.

11. International Data Transfers

Our primary database is hosted in the EU (Supabase EU-West region). Some services (Anthropic, Sentry, Resend) process data in the US. For EU users, these transfers are governed by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework where applicable.

AI insights are opt-in. If you choose not to use AI features, no health-related data is transferred outside the EU.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the CCPA/CPRA:

  • Right to know what personal information we collect and how we use it
  • Right to delete your personal information
  • Right to opt out of the sale of personal information — we do not sell your data
  • Right to non-discrimination for exercising your privacy rights

Categories of personal information collected in the preceding 12 months: identifiers (email), commercial information (subscription status), and internet activity (anonymous page views). We do not sell or share personal information for cross-context behavioural advertising.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via a notice on the site and, for account holders, via email. The “Last updated” date at the top of this page indicates when the policy was last revised.

14. Contact

For privacy questions, data requests, or concerns: