Privacy Policy
Last updated: 12 April 2026 Last updated: 16 April 2026
1. Who We Are
AirwayLab (“we”, “us”, “our”) is an open-source sleep and airway analysis tool operated under the domain airwaylab.app. AirwayLab is not a medical device and is not cleared or approved by the FDA, CE, TGA, or any regulatory body. It is provided for educational and informational purposes only.
For privacy questions, contact us via our contact form.
2. How AirwayLab Processes Data
AirwayLab uses a two-tier architecture designed to keep your health data under your control:
Tier 1 — Browser-Only (Default)
All core analysis runs entirely in your browser using Web Workers. Your EDF files are parsed, flow data extracted, and all four analysis engines execute without any network request. No data leaves your device. This is the default for all users, including those without an account.
Tier 2 — Server-Enhanced (Registration Consent)
When you create an account, you consent to: storage of your EDF files on our servers (Supabase, EU-West), processing of analysis scores and per-breath data by AI (Anthropic Claude), and storage of analysis data for service improvement. This is a single consent covering all data processing. You can delete all server-stored data at any time from Account Settings.
3. What Personal Data We Collect
3.1 Account Data (if you create an account)
- Email address (for authentication and account communications)
- Display name (optional, for supporter acknowledgement)
- Subscription tier and billing status (via Stripe)
3.2 Email Communications (Opt-In)
If you opt in to email updates, we send periodic emails about your analysis activity and new features. These include:
- Post-upload tips (after your first analysis)
- Feature education (how to use AI insights, exports, and reports)
- Re-engagement reminders (if you haven’t uploaded in 14+ days)
No health data is ever included in emails. Emails contain only general tips and links back to the app. Emails are sent via Resend. You can unsubscribe at any time via the link in each email or from your dashboard.
3.3 Payment Data
Payment processing is handled entirely by Stripe . We never see or store your credit card number, CVV, or full billing details. We receive only your Stripe customer ID and subscription status.
3.4 Health Data (registered users)
When you create an account, you consent to the following data processing:
- Cloud Storage: EDF files and analysis data are stored on servers in the EU (Supabase, EU-West). Storage is unlimited. All data is linked to your account and can be deleted at any time from Account Settings.
- AI Insights:When you generate AI insights, analysis data is sent to Anthropic’s Claude for processing. Free accounts send aggregate scores. Paid accounts send per-breath summary data for deeper analysis. Raw waveform samples are never sent to the AI model.
- Analysis Data: Aggregate scores and per-breath summaries are stored to enable AI insights and service improvement.
- Data Contribution (Aggregate):Anonymised aggregate metrics, device model, and your self-reported sleep quality rating (1–5 scale). Used for community insights and research. No dates, timestamps, names, or identifiers are included.
- Waveform & Oximetry Trace Contribution: If you explicitly choose to contribute, flow waveform samples (up to 5 MB) and oximetry traces (up to 2 MB) are uploaded to our servers (Supabase, EU-West) for research purposes. Contributions are anonymised -- no dates, timestamps, names, or identifiers are included. This requires a separate, affirmative consent action each time.
- Symptom Contribution:If you explicitly choose to contribute, your self-reported symptom rating (1–5 scale) is collected alongside anonymised aggregate analysis metrics (device model, PAP mode, pressure range). No dates, timestamps, names, or identifiers are included.
3.5 Automatically Collected Data
- Page views & conversion events: Collected by Plausible Analytics (privacy-first, cookie-free, no personal data) and PostHog (product analytics and session replay). PostHog session recording is disabled on all health-data pages. No health data is included in any analytics event.
- Error reports & session replay: Collected by Sentry when errors occur. Includes browser type, page URL, and error stack traces. On errors, an anonymised session replay may be captured (all text is masked and all media is blocked). Does not include health data.
- Performance monitoring: Collected by Vercel Speed Insights for page load performance (Core Web Vitals). No personal data or health data is included.
- Analysis session tracking: When you complete an analysis, we record anonymous session metrics (number of nights analysed, whether oximetry data was present, analysis duration, and which engines were used). No personal data, health data, or identifiers are included.
3.6 What We Do NOT Collect
- Cookies (we use none)
- Browser fingerprints
- IP addresses for tracking (Plausible does not store IPs)
- Raw sleep waveforms (never transmitted unless you explicitly contribute them for research -- see section 3.4)
- Device serial numbers or user names from PAP machines
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area, we process your data under:
- Contract (Art. 6(1)(b)): Account creation, subscription management, and service delivery.
- Consent (Art. 6(1)(a)): AI insights, data contribution, cloud storage, and email communications. You can withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f)): Error monitoring (Sentry), anonymous usage analytics (Plausible), and security protections.
5. Data Retention
- Browser localStorage: Analysis results auto-expire after 30 days. You can clear them at any time.
- Shared analysis links: Expire after 30 days and are then permanently deleted.
- Account data: Retained until you request deletion.
- Contributed data: Retained indefinitely for research purposes. Since it is fully anonymised, it cannot be traced back to you.
- Cloud-stored files: Retained until you delete them or request account deletion.
- Analytics (Plausible): Aggregate data only, no personal data retained.
- Error logs (Sentry): Retained for 90 days.
6. Service Providers & Data Processors
We use the following third-party services. Each processes only the minimum data required for its function:
| Service | Purpose | Data Region | Data Processed | ||||
|---|---|---|---|---|---|---|---|
| Supabase | Database & authentication | EU (West) | Account data, subscriptions, EDF files, analysis data, contributed metrics, waveforms, and traces | ||||
| Anthropic (Claude) | AI-powered insights | US | Aggregate metrics (free tier), per-breath summaries (paid tier) | ||||
| Stripe | Payment processing | US/EU | Payment and subscription data | ||||
| Vercel | Hosting & CDN | Global edge | HTTP requests (no health data) | ||||
| Plausible | Privacy-first analytics | EU | Page views only, no personal data | ||||
| PostHog | Product analytics & session replay | US | Page views, conversion events, and anonymised session recordings. Session recording is disabled on all health-data pages (/analyze routes). | ||||
| Sentry | Error monitoring & session replay | US | Error traces, browser type, page URL. Session Replay captures anonymised interaction recordings on errors (all text masked, all media blocked). No health data is included. | ||||
| Vercel | Speed Insights (RUM) | Global edge | Core Web Vitals (LCP, CLS, INP), no personal data | ||||
| Upstash | Rate limiting | US | User IDs and hashed IP addresses (transient, rate-limit windows only) | ||||
| Resend | Transactional & drip email | US | Email address, message content (no health data) | ||||
| Discord | Community (opt-in, paid subscribers only) | US | Discord user ID and username only. No health data is sent to Discord. | ||||
| Upstash | Rate limiting (Redis) | US | IP-derived request counters only. No personal data or health data. | ||||
| GitHub API | Repository metadata (star count) | US | Server-side only. No user data is sent to GitHub. | GitHub API | Repository star count display | US | No personal data. Server-side fetch of public repository metadata only. |
7. Client-Side Storage (localStorage)
AirwayLab uses your browser’s localStorage (not cookies) to persist analysis results and preferences locally on your device. All keys are prefixed with airwaylab_.
- Analysis results (auto-expire after 30 days, 4MB cap)
- Disclaimer dismissal state
- Consent preferences (contribution, storage, AI insights)
- Feature gate state
This data never leaves your browser. You can clear it at any time via your browser settings or by clearing the AirwayLab analysis data from the dashboard.
8. Your Rights
Under GDPR, CCPA/CPRA, and similar data protection laws, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Portability: Export your analysis data as CSV, JSON, or PDF at any time from the dashboard — no request needed.
- Rectification: Update your account details via your profile settings.
- Erasure: Delete all server-stored data instantly from Account Settings. This removes EDF files, analysis data, and contributed metrics. Account deletion requests are processed within 30 days.
- Withdraw consent: Delete all your data at any time from Account Settings. Unsubscribe from emails via the link in each email or from your dashboard. You can also contact us to request full account deletion.
- Opt out of analytics:Plausible respects your browser’s Do Not Track setting. You can also use a browser extension to block analytics.
To exercise these rights, contact us via our contact form. We will respond within 30 days.
9. Children’s Privacy
AirwayLab is intended for adults aged 18 and over who have been diagnosed with sleep-disordered breathing. We do not knowingly collect personal data from children under 16 (or 13 in jurisdictions where COPPA applies). If you believe a child has provided us with personal data, please contact us via our contact form and we will promptly delete it.
10. Data Breach Notification
In the event of a data breach affecting your personal data, we will:
- Notify the relevant supervisory authority within 72 hours (as required by GDPR)
- Notify affected users without undue delay via email
- Publish a notice on this page with details of the breach, data affected, and remediation steps
To report a security vulnerability, use our contact form.
11. International Data Transfers
Our primary database is hosted in the EU (Supabase EU-West region). Some services (Anthropic, Sentry, Resend, Upstash) process data in the US. For EU users, these transfers are governed by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework where applicable. (Anthropic, Sentry, Resend, Upstash) process data in the US. For EU users, these transfers are governed by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework where applicable.
AI insights are opt-in. If you choose not to use AI features, no health-related data is transferred outside the EU.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the CCPA/CPRA:
- Right to know what personal information we collect and how we use it
- Right to delete your personal information
- Right to opt out of the sale of personal information — we do not sell your data
- Right to non-discrimination for exercising your privacy rights
Categories of personal information collected in the preceding 12 months: identifiers (email), commercial information (subscription status), and internet activity (anonymous page views). We do not sell or share personal information for cross-context behavioural advertising.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via a notice on the site and, for account holders, via email. The “Last updated” date at the top of this page indicates when the policy was last revised.
14. Contact
For privacy questions, data requests, or concerns:
- Contact form(select “Privacy & data request”)
- GitHub: airwaylab-app/airwaylab