Privacy Policy

Effective: June 27, 2026
Last updated: June 27, 2026

Draft — pending attorney review

This document is a working draft maintained by RestPilot AI. It is not a substitute for legal advice and will be reviewed and finalized by qualified counsel before launch.

What data we collect, why, how long we keep it, and your rights.

This Privacy Policy explains how RestPilot AI ("we," "us," or "our") collects, uses, and protects information when you use our website, applications, and related services (the "Service"). For an overview of the companies we share data with, see Subprocessors & Integrations.

1. Information we collect

Information you provide

  • Account: email address, display name, password hash (or OAuth identifier if you sign in with Google).
  • Profile & preferences: target sleep hours, wind-down preferences, employers, role, notification preferences.
  • Shifts & planning data: shifts you log, trips, time-zone events, manual feedback you give the AI coach.
  • Wearable data (optional): if you connect Fitbit or Oura, we receive the sleep, readiness, and activity metrics those services share with us.

Information collected automatically

  • Device & usage: browser type, operating system, coarse approximate timezone, and basic diagnostic info.
  • Location (only on request): if you tap "Detect," we read approximate latitude/longitude in your browser to compute sunrise/sunset for your light plan. We do not continuously track location.
  • Storage on your device: we use browser storage (cookies, localStorage, IndexedDB, service-worker cache) to keep you signed in and to enable offline mode.

Information generated by the Service

  • AI memory: short structured facts the AI extracts from your interactions, with your control. See "AI memory" below.
  • AI logs & recommendations: records of AI decisions and the inputs used to make them.

2. How we use information

  • To operate, secure, and improve the Service.
  • To generate your circadian schedule, alarms, and recovery plan.
  • To send notifications you opt into.
  • To process payments through our payment processor.
  • To comply with law and enforce our agreements.

We do not sell your personal information and we do not use it for third-party advertising.

3. Legal bases (EEA/UK users)

Where the GDPR applies, we process personal data under the following bases: performance of a contract (operating the Service), legitimate interests (security, product improvement, fraud prevention), consent (location, push notifications, wearables, optional AI memory), and compliance with legal obligations.

4. Local & offline storage

RestPilot AI is designed to work offline. We cache a copy of your current plan and recent recommendations on your device using your browser's storage so the app remains useful without a connection. You can clear this data at any time by signing out, clearing site data in your browser, or uninstalling the installed app.

5. AI memory

With your permission, the AI maintains a small set of structured memories about you (such as "prefers caffeine cutoff at 14:00") to personalize recommendations. You can view, edit, delete, export, and disable AI memory entirely from the Memory page. The AI does not generate memories about your health or other sensitive categories.

6. Retention

Category                          Retention
Account                           Until you delete your account
Shifts, trips, preferences        Until you delete them or delete your account
Wearable readings                 Rolling 365 days; deleted on disconnect
AI logs                           90 days for diagnostics
AI recommendations & feedback     365 days, then aggregated/anonymized
Billing records                   As required by tax law (typically 7 years)
Backups                           Rolling 30 days

7. Sharing

We share data with the third-party providers listed in our Subprocessors & Integrations registry only as needed to operate the Service, and with authorities when required by law.

8. International transfers

Our infrastructure may process data in the United States and the European Union. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.

9. Your rights

Depending on where you live, you may have the right to access, correct, port, delete, restrict, or object to processing of your personal data, and to withdraw consent at any time. You can exercise most of these rights directly from Profile: download your data, manage AI memory, or delete your account. Account deletion is permanent and removes associated personal data within 30 days, except where we are required to retain it.

California residents: under the CCPA/CPRA, you have rights to know, delete, correct, and limit use of sensitive personal information. We do not "sell" or "share" personal information as defined by the CCPA/CPRA.

10. Security

Data is transmitted over HTTPS and stored on encrypted servers operated by our infrastructure provider. See our Security & Responsible Disclosure page for our security practices and how to report a vulnerability.

11. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact privacy@restpilot.ai.

12. Changes

We will post any changes to this Policy here with an updated "Effective" date. Material changes will be highlighted in the app.

13. Contact

Email privacy@restpilot.ai for questions or to exercise your rights.