Tonight

Privacy Policy

Last updated: January 2026

1. Data Controller

The data controller responsible for the processing of your personal data is:

Hiatus Holding GmbH

Kortumstraße 75, D-44787 Bochum, Germany
Commercial Register: Bochum HRB16203
Managing Director: Tim Kahrmann

For all privacy-related inquiries, please reach us via our contact form.

2. Three promises.

Your thoughts never train an AI. Ever.

Not Tonight’s models. Not anyone else’s. Not anonymized, not aggregated, not “for safety.” We sign data-processing agreements with every model provider that contractually exclude training. If a provider can’t offer that, we don’t use them.

Every voice is a Whisperer — a carefully curated AI voice.

No actor hears what you say. Every voice is synthetic and tuned. We disclose this on the homepage, in the app, in the press kit, here. EU AI Act requires it. We’d disclose it anyway.

By morning, what you said tonight is gone.

Your One Thought is encrypted at rest, lives only as long as it is useful, and is deleted at your local sunrise.

3. Data We Collect

We collect and process the following categories of personal data:

Account Data

  • Email address (required for account creation and authentication)
  • Name (optional, used for personalized greetings)
  • Timezone and bedtime preference (to deliver sessions at the right time)

Content Data

  • Daily reflections (your text inputs about your day)
  • Session ratings and feedback (optional)

Technical Data

  • Device and browser information (for service delivery)
  • Push notification tokens (if enabled)
  • Session and usage logs (for service improvement)

Payment Data

  • Stripe customer ID (we never store card details directly)
  • Subscription status and billing history

4. Lawful Basis for Processing

We process your personal data under the following legal bases (GDPR Article 6):

| Purpose | Legal Basis |
|---|---|
| Account creation & authentication | Contract performance (Art. 6(1)(b)) |
| Generating personalized sleep sessions | Contract performance (Art. 6(1)(b)) |
| Processing payments | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Email open/click tracking | Consent (Art. 6(1)(a)) |
| Analytics (Mixpanel) | Consent (Art. 6(1)(a)) |
| Service improvement & debugging | Legitimate interest (Art. 6(1)(f)) |

5. Data Retention

We retain your data only as long as necessary for its purpose:

| Data Type | Retention Period |
|---|---|
| Daily reflections (raw text, encrypted at rest) | Until the next sunrise in your timezone (deleted within 15 minutes of expiry) |
| Theme tags (work, grief, body, etc. — no raw text) | 45 days |
| Monthly reflection summaries (counts & intensity stats — no raw text) | 13 months |
| Generated audio sessions | 24 hours (auto-deleted after expiration) |
| Safety event audit log (SHA-256 hash only, never text) | 24 months |
| Account data (email, name, preferences) | Until account deletion |
| Session metadata & ratings | Until account deletion |
| Payment records | 7 years (legal requirement) |
| Marketing consent records | Until consent withdrawn + 3 years |

6. Ephemerality by Design

Nothing of what you write is kept overnight. The sentence you type during a One Thought ritual lives in encrypted form only until the next sunrise in your timezone, when it is permanently deleted.

What we do keep is the theme you carried — short tags like work, grief, body, or a person — without any of your words. Themes from the last 7 nights gently inform the next ritual so the experience feels remembered, not surveilled. Granular theme entries are deleted after 45 days.

At the end of each month we roll those themes up into a small structured summary (which themes appeared, average intensity, dominant emotional tone) so we can offer a “This was your February” reflection ritual in the future. These monthly summaries are kept for 13 months and contain no text. You can turn off memory or delete all of it — granular and monthly — in Privacy Settings, anytime.

We do not use any of this data to train AI models, and we do not share it with third parties beyond the subprocessors disclosed in Section 7.

6a. Safety event logging

When our safety system intercepts a One Thought submission that contains content suggesting active crisis (self-harm, suicide, violence), we record a small audit entry so we can verify our protective response after the fact. The entry contains a one-way SHA-256 hash of the matched phrase (never reversible to your words), the severity our classifier assigned, which layer of the system fired, what we did in response, and a timestamp.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a safe wellness service) combined with Art. 9(2)(g) (substantial public interest in suicide prevention). Records are accessible only to our compliance team and are retained for 24 months. You may request a copy of any safety events recorded against your account via our DSAR process.

7. Subprocessors & Data Transfers

We share your data with the following service providers:

| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, authentication | EU/US | EU-US Data Privacy Framework |
| Stripe | Payment processing | US | EU-US Data Privacy Framework |
| Resend | Transactional emails | US | Standard Contractual Clauses |
| Mixpanel | Analytics (with consent) | US | EU-US Data Privacy Framework |
| OpenAI | AI session generation | US | Data Processing Addendum |
| Anthropic | AI session generation | US | Data Processing Addendum |
| ElevenLabs | Voice generation | US | Data Processing Addendum |
| Firebase (Google) | Push notifications | EU/US | EU-US Data Privacy Framework |
| Cloudflare | Security, CDN | US | EU-US Data Privacy Framework |

We have Data Processing Agreements with all providers. For transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework, or equivalent safeguards approved by the European Commission.

8. Cookies & Tracking

We use cookies and similar technologies. For detailed information, please see our Cookie Policy.

Marketing emails may contain tracking pixels that record when you open an email and click links. This tracking is only used when you have consented to marketing communications.

9. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of Access — Request a copy of your personal data
  • Right to Rectification — Correct inaccurate or incomplete data
  • Right to Erasure — Request deletion of your data (“right to be forgotten”)
  • Right to Restriction — Limit how we process your data
  • Right to Data Portability — Receive your data in a machine-readable format
  • Right to Object — Object to processing based on legitimate interest
  • Right to Withdraw Consent — Revoke consent at any time (without affecting prior processing)

To exercise any of these rights, please use our contact form. We will respond within 30 days.

10. Account Deletion

You can delete your account at any time through the app settings (Heart menu → Delete Account). This will permanently remove all associated data including your profile, session history, and any stored preferences. Some data may be retained for legal compliance (e.g., payment records for 7 years).

11. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data transmitted via HTTPS/TLS encryption
  • Database encryption at rest
  • Row-level security policies restricting data access
  • Regular security audits and access reviews
  • Minimal data collection principle

12. Children’s Privacy

Tonight is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this policy periodically. Significant changes will be communicated via email or in-app notification. Continued use of the service after changes constitutes acceptance of the updated policy.

14. Supervisory Authority

You have the right to lodge a complaint with a data protection authority. For Hiatus Holding GmbH, the relevant authority is:

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)

Graurheindorfer Str. 153
53117 Bonn, Germany
www.bfdi.bund.de

You may also contact your local data protection authority if you prefer.

15. Contact

For any questions about this policy or your personal data, please reach us via our contact form.