Privacy Policy
Effective date: May 9, 2026 · Last updated: May 9, 2026
SleepVigil ("we," "us," "our") is a product of Deploy Holdings, Inc. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the SleepVigil website, platform, and associated services.
1. Information we collect
Information you provide
- Contact information: Name, email address, phone number, ZIP / postal code.
- Treatment details: Current therapy type, mask type, treatment interests, journey stage.
- Provider information: Practice name, provider name, NPI, state licensure, EHR system (for physician enrollment).
- Free-text notes: Any additional context you type into the intake form.
Information collected automatically
- Camera-derived vitals (rPPG): If you grant camera access during the patient intake, our browser-based remote photoplethysmography (rPPG) engine estimates heart rate, respiratory rate, and SpO₂. These are indicative estimates only — not FDA-cleared, not for clinical use.
- Device and browser data: IP address, browser type, operating system, screen size, referral URL, and page interaction timestamps.
- Cookies: We use essential cookies for session state. We do not use third-party advertising cookies.
Information from wearable devices
If you connect a wearable (Withings, Wellue, Oura, Apple Health, etc.), we receive overnight SpO₂ data, heart rate, and related metrics as authorized by you through the device manufacturer's API.
2. How we use your information
- To process your intake and connect you with our care coordination team.
- To provide continuous overnight SpO₂ monitoring and therapy verification.
- To communicate with you about your enrollment, device setup, and results.
- To improve our platform, algorithms, and user experience.
- To comply with legal obligations and protect our rights.
3. HIPAA status
Pre-enrollment: SleepVigil is not a HIPAA-covered entity during the initial intake process. Do not include sensitive protected health information (PHI) in the intake form.
Post-enrollment: Once you are formally enrolled and your data is managed under a physician's order, SleepVigil operates as a Business Associate under a signed BAA with your provider. At that point, all applicable HIPAA protections apply.
See our Business Associate Agreement for details.
4. Camera & rPPG data
The camera-based vitals capture during intake is entirely optional. If you grant camera access:
- Video frames are processed locally in your browser. No video is recorded, stored, or transmitted to our servers.
- Only the derived numeric estimates (HR, RR, SpO₂) are included in the intake payload.
- These estimates are labeled "indicative only" and are never used for clinical decision-making.
- You may dismiss the camera widget at any time without affecting your enrollment.
5. Data sharing
We do not sell your personal information. We share data only with:
- Your designated care team: The SleepVigil physicians and care coordinators handling your case.
- Your referring provider: If you enrolled through a physician partner, we share relevant clinical data per the BAA.
- Service providers: Email delivery (Resend), hosting (Vercel), and analytics — under data processing agreements.
- Legal requirements: If required by law, court order, or regulatory authority.
6. Data security
- All data in transit is encrypted via TLS 1.3.
- Intake submissions are transmitted over HTTPS and processed in isolated serverless functions.
- Post-enrollment clinical data is stored in HIPAA-compliant infrastructure with access controls, audit logging, and encryption at rest.
- We conduct regular security reviews and limit data access to authorized personnel.
7. Data retention
Intake form data is retained for 24 months unless you request deletion. Post-enrollment clinical data is retained per medical records requirements (typically 7 years) and per your provider's retention policy.
8. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data (subject to legal retention requirements).
- Withdraw consent at any time for optional data processing (e.g., camera capture).
- Port your data in a machine-readable format.
To exercise any of these rights, email privacy@sleepvigil.com.
9. Children's privacy
SleepVigil is not intended for individuals under 18. We do not knowingly collect information from minors. If you believe a minor has submitted data through our platform, contact us for immediate removal.
10. Changes to this policy
We may update this Privacy Policy periodically. Material changes will be posted here with an updated effective date. Continued use of SleepVigil after changes constitutes acceptance.
11. Contact
For privacy questions or concerns:
SleepVigil — Deploy Holdings, Inc.
Email: privacy@sleepvigil.com
Web: sleepvigil.com