SleepSync is a research program and digital health tool developed at Monash University that applies biomathematical modelling and machine learning to generate personalised, evidence-based recommendations for shift workers and people with circadian rhythm conditions. This Privacy Policy explains what information we collect through the SleepSync website, application and associated research studies, how we use and protect that information, and the choices you have.

SleepSync is operated as a research initiative of Monash University. While SleepSync is presented as a distinct program and product, Monash University is the data custodian and is responsible for the handling of personal information collected through SleepSync in accordance with this policy.

This policy is written to closely align with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the Health Records Act 2001 (Vic), and the National Statement on Ethical Conduct in Human Research (2023).

1. Who we are

SleepSync is a research and digital health program led by researchers in the School of Psychological Sciences, Monash University. The program is delivered in collaboration with academic partners and is governed by one or more Human Research Ethics Committees (HRECs), including Monash University HREC and, where applicable, HRECs at partner research sites.

Data custodian: Monash University

2. Scope of this policy

This policy applies to personal information collected through:

•       the SleepSync website;

•       the SleepSync application (mobile and web);

•       any SleepSync-linked research study in which you are enrolled; and

•       communications you send to us (e.g., email correspondence, support requests).

Where you participate in a specific research study using SleepSync, additional study-specific Participant Information and Consent Forms (PICFs) will apply. Those documents sit alongside this policy and, where they are more specific, they take precedence for that study.

3. Information we collect

The categories of information we collect depend on how you interact with SleepSync. We only collect information that is reasonably necessary for our research and to deliver personalised recommendations.

3.1 Information you provide directly

•       Demographic information, including age, sex, and general location (e.g., time zone, country/state);

•       Sleep diary and sleep log entries (e.g., bedtime, wake time, sleep quality ratings);

•       Shift roster and work schedule information;

•       Behavioural inputs relevant to circadian modelling, such as caffeine consumption and light exposure;

•       Responses to validated survey instruments (e.g., Insomnia Severity Index, PROMIS Sleep Disturbance/Sleep-Related Impairment, Sleep Hygiene Index, PHQ-4) where these form part of a study in which you are enrolled;

•       Account and contact information required to create an account and communicate with you.

3.2 Information from wearable devices

With your consent, SleepSync can import data from wearable devices and health platforms (for example, Oura, Fitbit, Apple Watch and similar). This may include sleep stages, heart rate, activity, and light exposure metrics. You choose which device to connect and you can disconnect it at any time from within the application.

3.3 Information collected automatically

•       Technical information needed for the app to function, such as device type, operating system, app version, and error logs;

•       Limited usage information needed to evaluate and improve the product (e.g., feature use, session duration);

•       Timestamps associated with your entries, including local time zone offset.

3.4 Sensitive information

Sleep data and data derived from wearable devices can be considered health information under Australian privacy law. We treat all SleepSync data as sensitive and apply appropriate safeguards, even where the information might not strictly meet the legal definition.

SleepSync does not ask you to provide clinical diagnoses, medication lists, or medical history as part of the core app. If a specific linked research study collects such information, it will be clearly described in the study's Participant Information and Consent Form, and additional consent will be sought.

4. How we use your information

We use your information for the following purposes:

4.1 Providing you with personalised recommendations

Your data is processed by SleepSync's algorithms to generate personalised sleep, light, and caffeine recommendations tailored to your shift pattern and circadian profile.

4.2 Research

De-identified data is used for approved research purposes, including to understand sleep and circadian health in shift workers and people with circadian rhythm conditions, to publish scientific findings, and to inform public health guidance. All research conducted using SleepSync data is governed by one or more Human Research Ethics Committees (HRECs).

4.3 Product improvement and algorithm training

De-identified data is also used to evaluate, validate, and improve the SleepSync algorithms and recommendation logic (including machine learning model training). This is done to make the product safer and more accurate for future users.

4.4 What we do NOT do

•       We do not sell your personal information. SleepSync data is not, and will not be, sold to advertisers, data brokers, insurers, or any commercial third party.

•       We do not use your personal information for advertising or marketing by third parties. SleepSync is not a commercial advertising product.

•       We do not use identifiable data for commercial profiling. Algorithm training and product improvement are carried out using de-identified data only.

•       We do not share your individual data with your employer. Where SleepSync is offered through a workplace partnership, employers receive only aggregated or de-identified group-level reporting that cannot reasonably be used to identify any individual.

5. Legal basis and consent

We collect and process your information on the basis of:

•       your explicit consent, provided at sign-up and, where applicable, through a study-specific Participant Information and Consent Form;

•       the performance of a research activity approved by one or more Human Research Ethics Committees; and

•       Monash University's obligations and functions as a research institution under Australian law.

You may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal, and de-identified data that has already been incorporated into research analyses or aggregated datasets may not be retrievable.

6. Where your data is stored

SleepSync data is stored within Australia. For more information about data centres, please contact a research team member.

Access to identifiable data is restricted to authorised members of the SleepSync research team and authorised technical staff at Monash University, under confidentiality obligations and on a need-to-know basis.

Where a third-party sub-processor is used to provide specific technical services (for example, authentication, error monitoring, or wearable device integration), we take reasonable steps to ensure that provider offers appropriate security and privacy protections, and that any data transfer complies with Australian Privacy Principles.

7. Sharing with third parties

We share information only in the following limited circumstances:

•       With academic research collaborators, in de-identified form, for the purposes of approved joint research projects. Any such sharing is governed by a formal data sharing or collaboration agreement and HREC approval.

•       With technical service providers who host or support the SleepSync infrastructure, under contractual confidentiality and data protection obligations and only to the extent necessary to deliver the service.

•       Where we are required to do so by Australian law, by a court, or by a regulator with jurisdiction.

We do not share identifiable data with employer partners, wearable device companies, insurers, or commercial advertisers.

8. Retention

Research data collected through SleepSync is retained for the duration of the relevant research study and for a minimum of 5 years after study completion, consistent with the National Health and Medical Research Council (NHMRC) Australian Code for the Responsible Conduct of Research and Monash University's Research Data Management Policy. Some data may be retained for longer where required by a specific HREC-approved study protocol or by law.

Account information is retained for as long as your account is active. If you delete your account, identifiable account information is removed; de-identified research data already incorporated into analyses may be retained as described above.

9. Your rights

You have the right to:

•       request access to the personal information we hold about you;

•       request correction of inaccurate or out-of-date personal information;

•       request deletion of your personal information (subject to our legal and research retention obligations);

•       withdraw your consent to participation in SleepSync or in a specific research study at any time; and

•       make a complaint about how we have handled your personal information.

To exercise any of these rights, please contact the SleepSync research team via the Monash University Office of Research Ethics and Integrity (see Section 12).

10. Security

We take the security of your information seriously and use a combination of technical and organisational safeguards, including:

•       encryption of data in transit (TLS) and at rest;

•       role-based access controls and authentication;

•       separation of identifying information from research data wherever feasible;

•       audit logging of access to sensitive systems;

•       regular review of security practices consistent with Monash University's information security standards.

No system is perfectly secure. In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.

11. Children

SleepSync is intended for adults aged 18 years or over. We do not knowingly collect personal information from individuals under 18. If you believe a minor has provided information to SleepSync, please contact us so that we can delete it.

12. Contact and complaints

For questions about this policy, to exercise your privacy rights, or to raise a concern about how your information has been handled, you can contact:

SleepSync research team (data access, correction, withdrawal) at info@sleepsync.com.au or base.sleepsync@monash.edu

13. Changes to this policy

We may update this policy from time to time to reflect changes to SleepSync, to our research activities, or to applicable law. When we do, we will update the "Last reviewed" date at the top of this page and, for material changes, we will notify active users through the application or by email.