Sauna Score — Privacy Policy
Last updated: May 30, 2026
Introduction
Sauna Score is a product of Gaialab ("Gaialab", "we", "us", or "our"). We respect your privacy and is committed to handling your information with the smallest reasonable footprint. This Privacy Policy explains what information the Sauna Score mobile application ("the Service") collects, how it is used, and the choices you have.
The Service is designed to keep your health and practice data on your device by default. We do not maintain a copy of your Apple Health data on our servers and we do not sell or share it. Where the Service does collect anything beyond the device, that processing is described below.
By installing or using the Service you agree to this Privacy Policy. If you do not agree, do not use the Service.
1. What Information Do We Collect?
1.1 Information you provide directly
The Service operates without an account in its current release. Information you actively provide is limited to:
- Sauna sessions you save: duration, sauna type (Dry / Infrared / Steam), optional cold-immersion flag, optional cabin temperature, your post-session feeling rating, optional confounder tags (e.g., "Hard workout", "Alcohol", "Poor sleep", "Illness", "Travel", "Cycle"), and any free-text notes you add.
- Preferences: protocol selection, temperature unit (°F / °C), rest-mode toggle, and onboarding survey answers (current frequency, sauna access types, cold-exposure habits).
- Support correspondence: if you contact us, we will see the email address and message content you send.
All of the above is persisted in the operating system's local on-device storage (AsyncStorage on iOS). It is not transmitted to our servers.
1.2 Apple Health (HealthKit) data
With your permission, the Service reads the following data types from Apple Health to compute the Sauna Score, the Response score, the Sleep Score, and the Readiness chip:
- Heart Rate Variability (SDNN)
- Heart Rate and Resting Heart Rate
- VO₂ Max
- Apple Watch overnight Wrist Temperature
- Body Temperature
- Blood Pressure (systolic and diastolic)
- Step Count
- Sleep Analysis
Apple HealthKit reads happen on your device. The Service does not transmit your Apple Health data to our servers or any third party. Computations against this data run locally inside the app.
The Service also writes the following back to Apple Health:
- A Preparation & Recovery workout for each saved session (so it appears in Apple Fitness / Health → Workouts).
- A Mindful Session for each saved session (so it appears in Apple Health → Mindfulness).
You can grant or revoke any of these permissions at any time from Settings → Health → Data Access & Devices → Sauna Score on your iOS device.
1.3 Information automatically collected
The Service uses Firebase Analytics (operated by Google) to understand which features are used and to improve the product. The SDK is configured to collect:
- Device information: iOS version, device model, app version, locale, time zone.
- Aggregated usage events: anonymous events recording which features are used. Events do not include Apple Health values, the contents of your session notes, or any other identifying information you've entered.
- A pseudo-random installation identifier generated by Firebase. It is not your Apple ID and is not linked to any other account.
- IP address (used by Firebase for approximate country-level geography, then dropped).
We have disabled Firebase's collection of the Apple Advertising Identifier (IDFA) and we do not use Firebase Analytics audiences, advertising features, or Google Signals.
App Store crash reports come to us in the aggregated, anonymized form Apple chooses to surface. We do not run a third-party crash-reporting SDK.
1.4 What we do NOT collect
- We do not collect precise location.
- We do not collect contact lists, photo libraries, or microphone audio.
- We do not use third-party advertising SDKs.
- We do not send Apple Health data to Firebase or any other third party.
- We do not sell personal information to anyone.
2. How Do We Process Your Information?
Your information is processed only for:
- Running the Service on your device — computing scores, presenting your history, scheduling the end-of-session alarm.
- Maintaining and improving the Service — diagnosing crashes and understanding which features are used.
- Communicating with you when you contact support.
- Complying with legal obligations.
3. Legal Bases for Processing
Where the GDPR or equivalent regimes apply, we rely on the following legal bases:
- Your explicit consent for Apple Health access and for any optional analytics.
- Contract performance for delivering the Service and any paid subscription you purchase.
- Legitimate interests in improving the Service, diagnosing defects, and protecting against abuse.
- Legal obligations where applicable.
4. Sharing Your Information
The Service is built so that we do not need to share your data in order to operate.
4.1 Apple Health remains with you
Apple Health data read by the Service is processed on your device. It is not transmitted to our servers or shared with any third party by us.
4.2 Third-party service providers (limited)
Two third parties process information for the Service:
- Apple, Inc. — App Store distribution, In-App Purchase processing, push notification delivery, HealthKit access. Their processing is governed by Apple's own privacy terms.
- Google LLC (Firebase) — Firebase Analytics for product-usage understanding and Firebase App Distribution for beta builds. Receives the device/event data described in §1.3 only. Does not receive Apple Health data or session contents.
We do not sell information to third parties.
4.3 Business transfers
If we are involved in a merger, acquisition, or sale of assets, your information may transfer to the successor entity. Where required by law, we will notify you in advance and you will be free to delete the app before the transfer takes effect.
4.4 Legal requirements
We may disclose information when required by law or in response to valid legal process. We will challenge requests we believe to be overbroad.
5. Cookies and Tracking Technologies
The Service is a native mobile application and does not use cookies. We do not employ cross-site tracking, cross-app tracking, or advertising identifiers.
6. Social Login
The current release does not require an account. Future releases may offer Sign in with Apple or Google sign-in. If introduced, that provider will share only the minimum profile information you authorize, and this Policy will be updated accordingly before the feature ships.
7. International Data Transfers
Two limited transfer paths exist:
- Apple — App Store and In-App Purchase processing, handled by Apple under its own data-transfer mechanisms.
- Google (Firebase) — Firebase Analytics events and App Distribution metadata, processed in the United States and potentially other regions where Google operates. Google relies on Standard Contractual Clauses for transfers out of the EEA / UK.
By using the Service you consent to such limited transfers. We will not transfer Apple Health data internationally because we do not transmit it at all.
8. How Long Do We Keep Your Information?
- On-device data (sessions, preferences, notes, HealthKit cache) is retained on your device for as long as the app is installed. Uninstalling the app removes this data from the device.
- Subscription records are retained by Apple for as long as required by tax and accounting law.
- Firebase Analytics events are retained per the retention setting we configure in the Firebase console (currently the shortest available — 2 months — for individual event data; aggregated reports persist longer per Google's terms).
- Firebase App Distribution metadata (tester emails, build install logs) is retained while the beta program is active and deleted within 30 days of the program ending.
- Support correspondence is retained for up to 24 months from the last interaction.
Deleting your data
Because your sessions and preferences live on your device, deleting them is a single action:
- In-app: open Profile → Saved sessions to clear local session data.
- Per-permission: revoke any Apple Health permission in Settings → Health → Data Access & Devices → Sauna Score.
- Full removal: uninstall the app from your device.
- Subscription records held by Apple: manage these in your Apple ID account settings; we do not hold them.
9. How Do We Keep Your Information Safe?
We use commercially reasonable measures to protect information, including:
- Storing on-device data inside the iOS app sandbox.
- Encrypted transport (TLS) for any network call we do make.
- Limiting third-party SDKs to those needed to operate the Service.
- Routine review of dependencies and access controls.
No method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
10. Your Privacy Rights
10.1 General rights
Subject to applicable law you may:
- Access the information we hold about you (in practice almost all of it sits on your device and is visible to you in the app).
- Correct any inaccurate information by editing it in the app.
- Delete information by clearing local data in Profile or uninstalling the app.
- Withdraw consent for Apple Health access through iOS Settings.
- Object to or restrict certain processing where the law gives you that right.
For any question about these rights, contact hello@gaialab.io.
10.2 California residents (CCPA / CPRA)
You have the right to know what personal information we collect, request deletion, opt out of "sales" (we do not sell), and not be discriminated against for exercising these rights.
10.3 European Economic Area, UK, and Switzerland (GDPR / UK GDPR)
You have GDPR rights of access, rectification, erasure, restriction, data portability, and objection, and the right to lodge a complaint with your local data protection authority.
11. Do-Not-Track Signals
The Service is a native mobile application and does not currently respond to browser Do-Not-Track signals.
12. Children's Privacy
The Service is not directed to children under 13 and we do not knowingly collect information from children under 13. Sauna practice carries real physiological risk and should be supervised by a responsible adult for any minor. If you believe a child has provided us with information, contact hello@gaialab.io and we will delete it.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this document will reflect any changes. Where the change is material we will provide notice in-app or by other appropriate means before it takes effect.
14. Contact Us
Service: Sauna Score Operator: Gaialab Email: hello@gaialab.io Website: https://saunascore.com