Privacy Policy

Last updated: 22 May 2026

The short version: We collect only what we need to run Salūs. We don't sell your data. We use cookie-free Plausible analytics to understand site traffic, and optional Google Analytics / Google AdSense cookies only after consent. With your permission, the Salūs mobile apps can read your sleep data from Apple Health or Health Connect — this stays on your device and is never uploaded, sold, or shared. You can delete your account and all associated data at any time. The full policy below explains everything in detail.

1. Data Controller

Salūs Rooms, also known as Salus Rooms, ("we", "us", "our") is the data controller responsible for your personal data. Salūs Rooms is operated as a sole trader.

Data protection contact: [email protected]

We have not appointed a Data Protection Officer as we are a small organisation that does not carry out large-scale processing of special category data. The data protection contact above handles all data protection enquiries.

2. Information We Collect

We collect the following categories of personal data:

  • Account information: Name, email address, and password when you create an account.
  • Payment information: Payment details are processed securely by PayPal, Apple App Store, or Google Play depending on where you subscribe. We do not store your full card number, expiry date, or CVC.
  • Newsletter subscription: Email address when you sign up to our newsletter.
  • Usage data: Page views, time spent on pages, scroll depth, audio playback interactions (play, pause, complete), and navigation paths within the site.
  • Visitor identifier: An anonymous identifier stored in your browser's local storage to understand how visitors use the site across sessions. This is not a cookie.
  • Device information: Browser type (user agent string), truncated to 500 characters.
  • Geolocation data: Approximate city-level location derived from your IP address via a third-party geolocation service (see Section 5). The latitude and longitude coordinates stored correspond to the centre of your city or town, not your precise location. Your IP address is sent to the geolocation service to perform this lookup but is not stored by Salūs.
  • Marketing parameters: If you arrive via a marketing link, we capture UTM parameters (source, medium, campaign, content, term) and the referring website URL.
  • Communications: Information you provide when you contact us.
  • Health data (mobile apps only): If you grant permission, the Salūs mobile app reads sleep data — the sleep periods and sleep stages recorded by your device — from Apple Health (iOS) or Health Connect (Android). This data is processed on your device only and is never uploaded to our servers. It is covered in full in Section 6.

The Salūs website does not access any health data. We do not collect special category data such as racial or ethnic origin, political opinions, or religious beliefs. The Salūs mobile apps, with your explicit permission, read sleep data from Apple Health or Health Connect — sleep data is special category health data, and how we access and use it is set out in full in Section 6.

3. Lawful Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we process your personal data on the following lawful bases:

  • Contract (Article 6(1)(b)): To provide the Salūs service, manage your account, and process transactions.
  • Legitimate interests (Article 6(1)(f)): To improve our service, understand usage patterns, ensure security, and administer the website. Our legitimate interest is to operate and improve an effective wellness service. We have assessed that this processing does not override your rights and freedoms given the anonymous nature of the analytics data.
  • Consent (Article 6(1)(a)): For marketing emails and newsletter communications. You may withdraw consent at any time by using the unsubscribe link in any email or by contacting us.
  • Explicit consent (Article 9(2)(a)): For accessing health (sleep) data in our mobile apps. Sleep data is special category data under UK GDPR. We access it only with your explicit permission, granted through your device's health permission screen, and you can withdraw that permission at any time (see Section 6).

4. How We Use Your Information

We use your information to:

  • Provide and operate the Salūs service
  • Process subscription payments
  • Send service updates and, where you have consented, newsletter communications
  • Analyse how visitors use the site so we can improve it
  • Display your recent nights and sleep trends inside the mobile app, where you have granted health permission (mobile apps only — see Section 6)
  • Detect and prevent misuse or abuse of the service

We do not sell, rent, or trade your personal data. We may display non-intrusive advertisements via Google AdSense to help fund the project (see Section 5). Google may use cookies to serve ads based on your prior visits to this or other websites. You can opt out of personalised advertising at Google Ad Settings. We never use health data for advertising (see Section 6).

5. Third-Party Services

We use the following third-party services to operate Salūs. Each processes data in accordance with its own privacy policy:

  • Supabase (US) — authentication, user data storage, and analytics data storage. Privacy policy.
  • Cloudflare (US) — content delivery network (CDN), DNS, and media file hosting. Cloudflare may process your IP address and request metadata to deliver content. Privacy policy.
  • Resend (US) — transactional and marketing email delivery. Receives your email address when we send you emails. Privacy policy.
  • GitHub Pages (US) — website hosting. GitHub may log IP addresses and request data as part of serving the website. Privacy policy.
  • PayPal — subscription payment processing for web purchases. PayPal processes payment details under its own privacy policy. Privacy policy.
  • ipbase.com (US) — IP geolocation lookup. When you visit the site, your IP address is sent to ipbase.com to determine your approximate city-level location. ipbase.com processes this request under its own privacy policy. We do not store your IP address.
  • Google Fonts (US) — web font delivery. When pages load, your browser connects to Google's servers to download fonts. Google may receive your IP address and browser metadata as part of this request. Privacy policy.
  • Third-party AI services — used for content production (audio narration). These services do not receive any user data.
  • Plausible Analytics (EU) — cookie-free website analytics. Plausible records anonymous pageview and referral data so we can understand traffic and campaign performance without setting cookies or storing personal profiles. Data policy.
  • Google Analytics (US) — website analytics. We use Google Analytics 4 (GA4) with IP anonymisation enabled to understand how visitors use the site. Google Analytics sets cookies (e.g. _ga, _ga_*) to distinguish unique users and sessions. Data is processed in accordance with Google's privacy policy. You can opt out using the Google Analytics Opt-out Browser Add-on.
  • Google AdSense (US) — advertising. We may display non-intrusive advertisements to help fund the project. Google AdSense uses cookies to serve ads based on your visits to this and other websites. You can opt out of personalised advertising at Google Ad Settings or visit aboutads.info for broader opt-out options. Google's advertising privacy policy.

Health (sleep) data accessed by our mobile apps is not shared with any of the third-party services listed above, or with any other third party. See Section 6.

6. Health Data (Mobile Apps Only)

This section applies only to the Salūs mobile apps for iOS and Android. The Salūs website does not access, collect, or process any health data.

What we access. With your explicit permission, the Salūs app reads sleep data — the sleep periods and sleep stages recorded by your device. On iPhone and iPad this data comes from Apple Health (HealthKit); on Android it comes from Health Connect. This sleep data is recorded by your phone, smartwatch, or a connected sleep tracker — Salūs does not measure or generate it. This is the only category of health data the app accesses. We do not access steps, heart rate, workouts, mindful minutes, or any other health or fitness data type.

Read-only. Salūs only reads sleep data. The app never writes, edits, or deletes any data in Apple Health or Health Connect.

How we use it. Sleep samples are used solely to display your recent nights and sleep trends within the app, so you can see your own sleep over time. We do not use health data for advertising, marketing, profiling, or any form of automated decision-making.

Where it goes. Health data is processed on your device only. It is not uploaded to Salūs servers, not stored in our database, not sold, and not shared with any third party. It does not leave your phone.

Your consent and control. The app accesses sleep data only after you grant permission through your operating system's health permission screen. You can review or withdraw this permission at any time in Apple Health → Sharing → Apps (iOS) or Health Connect → App permissions (Android). Withdrawing permission stops Salūs reading sleep data immediately and does not affect any other part of the app. You can also decline the permission entirely when first asked — the rest of the app works normally without it.

Lawful basis. Sleep data is special category data under UK GDPR. We process it on the basis of your explicit consent (Article 9(2)(a)), given through your device's health permission screen, alongside our contractual basis under Article 6(1)(b). Because health data never reaches our servers, the rights in Section 11 that depend on data held by us (such as access, rectification, and portability) do not apply to it — the data remains under your control in Apple Health or Health Connect at all times.

7. International Data Transfers

Several of our third-party service providers are based in the United States. Where your data is transferred outside the UK, we rely on the following safeguards in accordance with UK GDPR:

  • The UK-US Data Bridge (UK Extension to the EU-US Data Privacy Framework), where the provider is certified
  • Standard Contractual Clauses (SCCs) approved by the ICO
  • The provider's binding corporate rules or equivalent safeguards

Health (sleep) data is not transferred internationally because it is processed only on your device and never sent to Salūs servers.

8. Cookies and Local Storage

Plausible Analytics is cookie-free. We use cookies set by Google Analytics and Google AdSense only after consent (see Section 5). We also use your browser's local storage and session storage for the following purposes:

  • Visitor identifier (local storage, key: salus_vid) — an anonymous UUID that persists across sessions to help us understand return visits. Contains no personal information.
  • Session identifier (session storage, key: salus_sid) — identifies the current browsing session. Deleted when you close the tab or browser.
  • Geolocation cache (session storage) — caches the result of the city-level geolocation lookup to avoid repeated requests to ipbase.com during a single session.
  • Authentication token (local storage) — if you create an account, your login session is maintained via a token stored in local storage.
  • Opt-out flag (local storage, key: salus_notrack) — if you opt out of analytics, this flag is stored to remember your preference.

Third-party services (Cloudflare, PayPal, Apple, Google Play) may set their own cookies or use their own identifiers when you interact with their services. These are governed by their respective privacy policies listed in Section 5.

You can clear all Salūs local storage data at any time via your browser settings. You can also opt out of all analytics by visiting any page on our site with ?salus_notrack appended to the URL (e.g. salus-rooms.com/?salus_notrack).

9. Data Storage & Security

Your data is stored securely using industry-standard encryption in transit (TLS) and at rest. We use secure servers and follow best practices to protect your personal information from unauthorised access, alteration, or destruction. Access to personal data is limited to those who need it to operate the service. In the event of a personal data breach, we will notify the Information Commissioner's Office within 72 hours where required by law, and will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

10. Data Retention

We retain your personal data only for as long as necessary:

  • Account data: Retained while your account is active, and deleted within 30 days of account deletion.
  • Payment records: Retained for 7 years as required by UK tax and accounting regulations (HMRC).
  • Analytics data: Anonymised usage data is retained for up to 24 months, then permanently deleted.
  • Newsletter subscriptions: Retained until you unsubscribe, then deleted within 30 days.
  • Communications: Retained for up to 12 months after your last contact.
  • Health (sleep) data: Not retained by Salūs. It is processed only on your device for display and is never stored on our servers. It remains in Apple Health or Health Connect, under your control.

11. Your Rights

Under the UK GDPR, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Restriction: Request that we limit how we use your data.
  • Portability: Request your data in a structured, commonly used, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing. For health data, you can withdraw consent directly in Apple Health or Health Connect (see Section 6).

To exercise any of these rights, contact us at [email protected]. We will respond within one month. If your request is complex or we receive a large number of requests, we may extend this period by a further two months, in which case we will inform you within the first month. Where requests are manifestly unfounded or excessive, particularly due to their repetitive character, we may charge a reasonable fee or refuse to act on the request, in accordance with UK GDPR Article 12(5).

To reset your anonymous visitor identity, clear your browser's local storage for salus-rooms.com, or use the opt-out method described in Section 8.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint or call 0303 123 1113.

12. Children's Data

Salūs is not directed at children under 13. Under the Data Protection Act 2018, the age of consent for data processing in the UK is 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected data from a child under 13, please contact us at [email protected] and we will delete it promptly.

13. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.

14. AI-Generated Content

Some of our audio content uses AI narration technology. All scripts are written and reviewed by our team. No personal data is used in generating this content.

15. Changes to This Policy

We may update this privacy policy from time to time. For significant changes that affect how we process your personal data, we will notify you via email (if you have an account) or by displaying a prominent notice on the website, with reasonable advance notice before the changes take effect. The "last updated" date at the top of this page indicates when the policy was last revised.

16. Contact

If you have any questions about this privacy policy or how we handle your data, please email [email protected] or get in touch via our contact page.