Privacy Policy

Last updated: May 15, 2026

1. Controller Information

Sparrowise
Spanker 2
Oude Wetering 2377VW
Netherlands
VAT: NL005202754B97

Email: info@sleepwalker.ai
Phone: +31618368830

Sparrowise acts as the data controller for your personal data.

2. Information We Collect

We collect the following data when you use Sleepwalker:

  • Account Information: email address, name, account settings
  • Billing Information: billing address and tax ID where applicable; full payment card details are collected and stored by Stripe and never reach our servers
  • URLs You Monitor: web pages you choose to analyze
  • Prompts and Queries: search prompts you enter
  • Brand and Competitor Data: names you track
  • Test Configuration: language and country metadata used to localize AI queries
  • Usage Data: features used, monitoring frequency, run history
  • Device Information: browser type, IP address (used for rate-limiting and abuse prevention), general location

3. Legal Bases for Processing (GDPR)

We process your data based on:

  • Contract: to provide and operate the Service
  • Legitimate interests: improving performance, security, fraud prevention
  • Legal obligation: tax and compliance requirements
  • Consent: where applicable

4. How We Use Your Information

We use your data to:

  • provide and maintain the Service
  • process subscriptions and payments
  • generate AI-based insights and reports
  • send transactional emails (account, billing, alert, and trial notifications)
  • rate-limit requests and prevent abuse
  • improve functionality and performance
  • respond to support requests
  • comply with legal obligations

We do not sell your personal data. We do not currently send marketing emails. If we introduce marketing communications in the future, they will be opt-in and you will be able to unsubscribe at any time.

5. Third-Party Processors (Subprocessors)

To provide the Service, we rely on the following third-party AI and infrastructure providers, each acting as a data processor on our behalf:

  • Supabase (EU) - authentication, database, and storage for accounts, monitoring data, and run history
  • Stripe (US/EU) - subscription billing, payment processing, and tax calculation
  • OpenAI (US) - AI model processing for analysis features
  • Google (Gemini) (US/EU) - AI model processing for analysis features
  • xAI (Grok) (US) - AI model processing for analysis features
  • Perplexity AI (US) - AI model processing for analysis features
  • Resend (US/EU) - transactional email delivery for account, billing, and alert notifications
  • Render (US) - application hosting and operational logs

Depending on the functionality used, these providers may process URLs and web page content, prompts and queries you submit, brand names and competitor data, structured outputs generated by the Service, and account or billing identifiers needed to operate the Service.

All providers are contractually bound to process data in accordance with applicable data protection laws. A current list of subprocessors and a Data Processing Agreement (DPA) are available on request via info@sleepwalker.ai.

6. AI Provider Data Use

Prompts, brand names, competitor data, and other inputs you submit are sent to the AI providers listed above to generate the analyses you request. Each AI provider processes data under its own terms, privacy policy, and data usage policy. Those policies may differ by provider, account type, region, and product tier, and may change over time.

We do not control these providers' data usage practices. You should not submit confidential, proprietary, or personal data unless you are comfortable with the applicable provider terms.

7. International Data Transfers

Several of the providers listed above (including OpenAI, xAI, Perplexity, Render, and parts of Stripe, Google, and Resend) process data outside the European Economic Area (EEA), primarily in the United States.

We rely on appropriate safeguards for these transfers, including Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework certification of the recipient.

8. Data Retention

We retain different categories of data for different periods:

  • Account and profile data: while your account is active and for up to 30 days after account deletion
  • Monitoring tests, runs, and AI Citation results: while your account is active and for up to 30 days after account deletion
  • Billing records and invoices: 7 years (legal retention requirement under Dutch tax law)
  • Operational logs (request and error logs): typically 30 days, retained by our hosting provider
  • Email delivery metadata: typically 30 days, retained by our email provider
  • Anonymized or aggregated data: may be retained indefinitely for analytics and product improvement

9. Data Security

We implement industry-standard security measures, including:

  • encryption in transit (SSL/TLS)
  • secure storage practices
  • access controls

No method of transmission or storage is completely secure, but we take reasonable steps to protect your data.

10. Your Privacy Rights

Under GDPR, you have the right to:

  • access your data
  • correct inaccurate data
  • request deletion
  • request data portability
  • withdraw consent
  • object to processing

To exercise your rights, contact: info@sleepwalker.ai

11. California Privacy Rights

If you are a California resident, you may request:

  • access to your personal data
  • deletion of your data
  • correction of inaccurate data

We do not sell or share personal data.

12. Cookies

We use only essential cookies, including the authentication session cookie set by Supabase, for:

  • authentication
  • session management
  • security

We do not use tracking, advertising, or third-party analytics cookies.

13. Automated Processing and AI Outputs

The Service uses third-party large language models to generate analyses of brand visibility and competitor mentions in AI search results. These models are probabilistic and may produce outputs that are inaccurate, incomplete, or contain hallucinated content (citations, brand mentions, or facts that do not exist or are misattributed).

The outputs are intended as decision support, not as automated decisions producing legal or similarly significant effects. You remain responsible for reviewing AI-generated outputs before relying on them for any business decision.

14. Changes to This Policy

We may update this Privacy Policy from time to time.

For material changes, we will provide at least 30 days' notice by email or within the Service before the changes take effect.

15. Contact

For any privacy-related questions:

info@sleepwalker.ai