Privacy Policy

Last updated: 14 June 2026

The short version: We collect only what we need to run Salūs, and we don't sell your data. With your permission, the mobile apps read your sleep data from Apple Health or Health Connect and the optional Sleep Recorder analyses audio — both stay on your device and are never uploaded. You can delete your account and all associated data at any time.

1. Who We Are

Salūs Rooms is a trading name of Salus Studios Ltd, registered in England and Wales (company number 17268621). We are the data controller for your personal data. For any data protection enquiry, contact [email protected].

2. What We Collect & Why

We collect only what we need to run the service:

  • Account & payment: Name, email, and password to manage your account; payments are handled securely by PayPal, Apple, or Google Play (we never store full card details).
  • Usage & analytics: Anonymous website and in-app activity (pages viewed, playback, sign-ups, purchases) to understand traffic and improve the service.
  • App onboarding: Wellbeing goals and interests you give when setting up the app, stored against your account and deleted with it.
  • Health (sleep) data — mobile apps only: With your explicit permission, sleep data read from Apple Health or Health Connect, processed on your device only (see Section 5).
  • Communications: Anything you send us when you get in touch.

Our lawful bases under the UK GDPR are: contract (to provide the service and process payments), legitimate interests (to run, secure, and improve the service via anonymous analytics), consent (marketing emails, and cookies set by Google Analytics/AdSense), and explicit consent for health data (Article 9(2)(a)).

We do not sell, rent, or trade your personal data, and we never use health data for advertising.

3. Third-Party Services

We rely on a small set of providers to run Salūs, each processing data under its own privacy policy: Supabase (EU, accounts & data storage), Cloudflare (CDN & media), GitHub Pages (website hosting), Resend (email), PayPal / Apple / Google Play (payments), ipbase.com (city-level geolocation), Google Fonts (fonts), Sentry (error monitoring), Plausible (cookie-free analytics), Google Firebase and Google Analytics (analytics), TikTok (privacy-protective install attribution, no advertising ID), and Google AdSense (advertising). Third-party AI services are used for audio narration only and receive no user data.

Some providers are based in the US; where data leaves the UK we rely on the UK-US Data Bridge, Standard Contractual Clauses, or equivalent safeguards. Health (sleep) data is never shared with any third party — it stays on your device.

4. Cookies & Local Storage

Plausible analytics is cookie-free. Cookies from Google Analytics and AdSense are set only after consent. We use your browser's local/session storage for an anonymous visitor ID, your login token, and your analytics opt-out preference. You can clear this any time via your browser, and opt out of analytics by appending ?salus_notrack to any page URL.

5. Health Data (Mobile Apps Only)

This section applies only to the mobile apps; the website accesses no health data.

With your explicit permission, the app reads only sleep data (sleep periods and stages) from Apple Health (iOS) or Health Connect (Android) — no other health data type. It is read-only, processed on your device only, and is never uploaded to our servers, stored in our database, sold, or shared. It is used solely to show you your own recent nights and sleep trends.

The optional Sleep Recorder (iOS) records and analyses overnight audio entirely on your device using Apple's on-device sound recognition; nothing is uploaded or shared, and you can delete recordings at any time.

You can review or withdraw health permission at any time in Apple Health → Sharing → Apps or Health Connect → App permissions; the rest of the app works normally without it. Sleep data is special category data processed on the basis of your explicit consent (Article 9(2)(a)).

6. Storage, Security & Retention

Your data is encrypted in transit (TLS) and at rest, held on secure servers with access limited to those who need it. We will report any qualifying personal data breach to the ICO within 72 hours.

We keep data only as long as needed: account data is deleted within 30 days of account deletion; payment records are kept for 7 years (HMRC); anonymous analytics for up to 24 months; newsletter sign-ups until you unsubscribe. Health (sleep) data is never stored by us — it stays in Apple Health or Health Connect.

7. Your Rights

Under the UK GDPR you have the right to access, correct, delete, restrict, port, or object to the use of your personal data, and to withdraw consent at any time. To exercise any of these, email [email protected] and we will respond within one month.

If you are unhappy with our response you can complain to the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint or call 0303 123 1113.

8. Children

Salūs is not directed at children under 13 and we do not knowingly collect their data. If you believe we have, contact [email protected] and we will delete it.

9. Changes & Contact

We may update this policy from time to time; the "last updated" date above shows the latest revision, and we will give notice of significant changes. Questions? Email [email protected] or get in touch.