Privacy Policy

Last Updated: May 10, 2026

Introduction

SaunaMind is a wellness app that helps you track training, sauna, cold exposure, hydration, and recovery using available session and heart-rate data. The app is currently in pre-launch testing on Apple's TestFlight and is not yet on the App Store. This policy covers both the SaunaMind website (sauna-mind.com) and the iOS app once it's installed on your device.

We've written this in plain English because health data deserves a straight answer, not a wall of legalese.

Information We Collect

Website. If you join the waitlist or use the contact form, we collect the email address and any message you submit. Netlify, which hosts the site, keeps basic request logs (IP address, user agent, timestamp) for security and abuse prevention.

iOS app (when installed). When you create a SaunaMind account and use the app, we collect and store:

• Account identifiers: email address and a password hash (managed by Supabase Auth — we never see or store your plaintext password).
• Profile data you enter: age, sex, resting heart rate, sauna type preference, and optional goals.
• Session data: heart rate time series, Sauna Load, heat-zone estimates, session duration, sauna room temperature, training phase data, hydration entries, and cold exposure data including water temperature and recovery heart rate.
• Heart rate variability: RMSSD and related HRV metrics captured live during cold-plunge recovery from a connected Bluetooth chest strap.
• Wearable integration tokens: OAuth access and refresh tokens for Oura, Garmin, and Whoop; HealthKit read authorisation on iOS. These tokens let the app fetch your own data on your behalf — they don't give us access to anyone else's account.
• AI coach conversation history: the messages you send to the in-app coach and the responses generated for you.
• Purchase and subscription data: receipts and entitlement status via RevenueCat and Apple's in-app purchase system. We do not see or store your credit card details — Apple handles payment directly.
• Crash and error reports: stack traces and technical diagnostics captured by Sentry when the app crashes or throws an unhandled error.

A note on wellness estimates. SaunaMind outputs such as Sauna Load, heat zones, cold recovery, hydration prompts, and readiness are proprietary wellness estimates. They are not direct clinical measurements and should not be treated as medical readings.

How We Use Your Information

We use the data we collect to:

• Run the app's core functionality — estimate wellness context, track sessions, display history, and power the dashboard.
• Sync data from wearables you've authorised so your session context is as complete as possible.
• Generate general wellness responses and app explanations from the AI coach when you ask it a question.
• Process and validate your subscription purchase.
• Send you product updates if you've opted in — never otherwise.
• Debug crashes and fix bugs via anonymised error reports.
• Comply with legal obligations and respond to lawful requests.

Health Data — Special Protections

SaunaMind processes wellness and health-related data: heart rate, HRV/RMSSD where available, hydration entries, and your session history. We treat this category of data with extra care.

• We do not sell your health data. Ever. To anyone.
• We do not share it with advertisers or data brokers. SaunaMind contains no advertising SDKs and no third-party tracking pixels.
• We do not use your data to target marketing. Your session history is yours, not a signal for us to sell against.
• Apple HealthKit data stays on your device. When you grant HealthKit read permission, the app reads values like resting heart rate and workout heart rate from HealthKit to power the session experience. We do not write SaunaMind's computed values back into HealthKit or copy HealthKit data to our servers without explicit consent.
• SaunaMind is general wellness information, not a medical device. It is not cleared by the FDA, MHRA, or any other regulator. The zone estimates, coaching messages, and session summaries are for general educational and self-tracking purposes only. They are not a diagnosis, treatment, or medical advice. Do not use SaunaMind to make medical decisions — talk to a qualified clinician instead.
• SaunaMind is not HIPAA-covered. We are not a covered entity or a business associate under the US Health Insurance Portability and Accountability Act. US users should not assume HIPAA protections apply.

Sub-processors

We use a small number of third-party services to run the app. Each one sees a specific slice of data for a specific purpose:

• Supabase — hosts our Postgres database, authentication, and edge functions. Account records, profile data, and session data live here.
• Apple — App Store distribution, Sign in with Apple (if used), in-app purchase processing, and HealthKit as an on-device bridge to your health data.
• RevenueCat — validates Apple subscription receipts and tracks your entitlement status.
• OpenAI — generates AI coaching responses via the GPT-4o model. Messages are sent per-request. As of 9 May 2026, OpenAI's API terms state that API inputs and outputs are not used to train OpenAI's models. We rely on those terms but do not control them.
• Anthropic — generates AI coaching responses via Claude for certain workflows. As of 9 May 2026, Anthropic's API terms state that API inputs and outputs are not used to train Anthropic's models. We rely on those terms but do not control them.
• Oura, Garmin, and Whoop — wearable providers you can optionally connect. When you authorise one of them through OAuth, SaunaMind uses the resulting token to fetch your readiness, HRV, sleep, and workout data.
• Sentry — collects crash reports and unhandled-error diagnostics. Personally identifying information is scrubbed where possible.
• Netlify — hosts the sauna-mind.com website and handles contact-form submissions.

Legal Basis for Processing (GDPR / EEA / UK users)

If you're in the European Economic Area or the United Kingdom, the legal bases we rely on are: (a) performance of a contract — for running the app functionality you signed up for; (b) legitimate interest — for crash reporting, debugging, security, and fraud prevention; and (c) your consent — for optional marketing emails and for connecting optional wearable integrations. You can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Your Rights

Depending on where you live, you may have the right to:

• Access a copy of the personal data we hold about you.
• Correct data that's inaccurate or incomplete.
• Delete your account and associated data.
• Export your data in a portable format.
• Withdraw consent for processing based on consent.
• Object to processing based on legitimate interest.
• Lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, email privacy@sauna-mind.com. We'll respond within a reasonable timeframe and may ask for information to verify your identity before we act on a request.

Data Retention

Account data is retained for the life of your account plus 30 days after you request deletion, to give us time to complete the removal and handle any reversal request. Session data, wellness estimates, hydration entries, cold exposure data, and AI Coach conversation history are deleted alongside your account. Crash reports and error diagnostics are retained for 90 days. Contact-form submissions are retained for 12 months.

International Transfers

Several of our sub-processors are based in the United States or the European Union, so your data may be transferred across borders. Where this happens, we rely on the sub-processors' own standard contractual clauses and equivalent transfer safeguards. By using SaunaMind you understand that your data may be processed outside your country of residence.

Children's Privacy

SaunaMind is not intended for users under 18. We do not knowingly collect personal data from minors. If you believe a child has created an account, please contact privacy@sauna-mind.com and we'll delete the account and associated data.

Data Security

We use reasonable technical and organisational safeguards to protect your data. In practice that means: TLS encryption for all network traffic between the app, the website, and our backend; at-rest encryption on our Postgres database via Supabase; password hashing via Supabase Auth using modern industry-standard algorithms (bcrypt/scrypt family) so we never store plaintext passwords; operational discipline around logging — user credentials and secrets are never written to application logs; row-level access controls; and restricted administrative access.

Honest caveat: no system is perfectly secure, and no provider can promise otherwise. If a notifiable data breach affects your personal information, we will notify affected users and relevant supervisory authorities, including the OAIC in Australia or the relevant EEA/UK authority where applicable, within the timeframes required by law.

Cookies

The sauna-mind.com website uses Netlify's functional cookies only — needed for the site to work and for form submissions. There are no third-party analytics cookies, advertising pixels, or cross-site trackers. You can clear cookies through your browser at any time.

Changes to This Policy

We may update this Privacy Policy from time to time as the app evolves or the law changes. Updates will be posted on this page with a new Last Updated date. Material changes will be flagged clearly.

Australian Privacy Principles (APP)

Australian users: SaunaMind is an Australian-registered company and handles personal information in accordance with the Australian Privacy Principles (APP) under the Privacy Act 1988 (Cth). Health data is treated as sensitive information under APP 3 and collected with your consent. To make a complaint, you may contact us at privacy@sauna-mind.com, or escalate to the Office of the Australian Information Commissioner (oaic.gov.au).

EEA / UK Representative

SAUNAMIND PTY LTD is based in Australia. During pre-launch, EEA and UK privacy requests should be sent to privacy@sauna-mind.com. If our processing requires appointment of an EU or UK representative as the service expands, we will list that representative here before actively offering the service in those markets.

California Residents

California residents may have rights to know, access, correct, delete, and receive a portable copy of personal information, and to opt out of sale or sharing of personal information. SaunaMind does not sell personal information and does not share health data for cross-context behavioural advertising. To exercise California privacy rights, email privacy@sauna-mind.com.

Contact Us

Questions about this Privacy Policy, requests to access or delete your data, or concerns about how SaunaMind handles your information: email privacy@sauna-mind.com.

SAUNAMIND PTY LTD
Seaforth, NSW, Australia
ACN: 696 358 497 · ABN: 85 696 358 497