sleepcast.pro

Privacy Policy

Last updated: April 26, 2026

This policy describes how sleepcast.pro (“we”) collects, uses, and protects your data. We try to collect the minimum needed to run the Service.

What we collect

  • Email address — to sign you in and to send account-related messages (sign-in links, receipts, cancellations, failed-payment notices).
  • Sign-in credentials — magic-link tokens (short-lived) and passkey public keys (WebAuthn). We never see your private key or password.
  • Subscription status — your current plan and renewal date, mirrored from RevenueCat. We do not store your card details; those stay with the payment processor.
  • Playback events — which track was played, when, and (optionally) whether it completed. Used to show you a “recent plays” list and for aggregate analytics. For unauthenticated visitors we hash your IP (SHA-256, truncated) so we can rate-limit without storing the IP itself.
  • Waitlist email — if you opt in on the home page, we keep your email until you ask us to delete it.

What we don’t collect

  • Card numbers, CVCs, or any payment-method details.
  • Voice recordings or microphone input from your device.
  • Cross-site tracking pixels or third-party ad cookies.

Service providers

We rely on a small set of vendors. They process data only on our behalf and under their own privacy commitments:

  • Fly.io — application hosting + Postgres database
  • Tigris — audio file storage
  • Resend — transactional email delivery
  • RevenueCat — subscription management
  • Stripe — payment processing (via RevenueCat)
  • OpenAI — text-to-speech generation (no user data sent — content is generated server-side at our request)

Cookies & local storage

  • One essential session cookie set after sign-in to keep you logged in.
  • A localStorage entry that remembers your subscription identity (anonymous before sign-in, then your account id after).

We do not use third-party advertising or analytics cookies.

How long we keep data

  • Account data: until you delete your account. Then deleted within 30 days, except billing records retained as required by law (typically 7 years for tax purposes).
  • Magic-link tokens: 10 minutes, then deleted.
  • Sessions: 30 days of inactivity, then expired.
  • Playback events older than 12 months are aggregated and the individual rows deleted.

Your rights

You can request the data we hold on you, ask us to correct it, or ask us to delete it — including under GDPR (EU/UK) and CCPA (California). Email hi@sleepcast.pro and we’ll respond within 30 days.

Children

The Service isn’t directed to children under 13 and we don’t knowingly collect data from them. If you believe a child has signed up, contact us and we’ll delete the account.

International transfers

Our hosting and most vendors operate in the United States. By using the Service you consent to your data being processed in the US.

Security

Data is encrypted in transit (HTTPS) and at rest (managed Postgres + S3-compatible storage). We don’t store passwords. We use passwordless auth (magic links and passkeys) to reduce credential risk.

Changes

If we materially change this policy we’ll update the date above and email registered users. Minor edits (typos, clarifications) may be made silently.

Contact

Email hi@sleepcast.pro.