Privacy Policy
What we collect, and what we do with it.
Effective April 21, 2026 — Version 2026-05-01.
1. Who we are.
Off to Sleep Strong LLC (“OTSS,” “we,” “us,” “our”) is a Connecticut limited liability company providing behavioral sleep-consulting services and related educational content to parents and caregivers.
Registered mailing address:
Off to Sleep Strong LLC
1 Fado Lane
Cos Cob, CT 06807
Privacy contact: privacy@offtosleepstrong.com
General contact: hello@offtosleepstrong.com
For the purposes of state privacy laws, OTSS is the “business” (California), “controller” (Connecticut, Colorado, Virginia, Utah, Texas, Oregon, and other states using controller terminology), and operator of the websites and services described below.
2. Scope of this policy.
This Privacy Policy applies to personal information we collect through:
(a) Our website at offtosleepstrong.com and any subdomains we operate directly (collectively, the “Site”);
(b) Our paid membership community hub accessible at offtosleepstrong.com/hub (the “Hub”);
(c) Our one-to-one consulting engagements (the “1:1 Services”);
(d) Emails, forms, and other direct communications between you and OTSS; and
(e) Any other services that link to this Privacy Policy.
Collectively, the Site, Hub, 1:1 Services, and related services are the “Services.”
Third-party services with their own policies. Some features of the Services are powered by third parties who have their own privacy practices, described in Section 8. In particular, the community forum, direct messages, and events hosted at community.offtosleepstrong.com are operated by a third-party platform (Circle) under its own privacy policy. When you use that platform, Circle's privacy policy applies to your activity there alongside this Privacy Policy.
3. Personal information we collect.
We collect the following categories of personal information.
3.1 Information you provide directly
| Category | Examples |
|---|---|
| Account information | Name, email address, password (hashed), and authentication metadata (managed by Clerk) |
| Payment information | Billing name, billing address, card details (collected and stored by Stripe — we do not store full card numbers), subscription status |
| Child information you choose to provide | Your child's first name or nickname, date of birth or age in months, sleep history, feeding patterns, medical notes you elect to share during 1:1 Services or in plan forms |
| Household information | Whether a co-parent is sharing the account, their name and email if you add them (Section 3.2 of our Terms of Service) |
| Communications | Messages you send us via email, contact forms, intake forms, or other channels; your replies to surveys |
| Content you submit | Posts, comments, replies, and uploads you contribute in community spaces or plan-related forms |
3.2 Information we collect automatically
| Category | Examples |
|---|---|
| Device and usage information | IP address, device type, operating system, browser type, language, referrer URL, pages visited, time on page, click events |
| Cookies and similar technologies | Session cookies, persistent cookies, and similar technologies (see Section 10) |
| Log files | Standard server logs including timestamps, request paths, response codes, and user-agent strings |
3.3 Information from third parties
| Source | What we receive |
|---|---|
| Clerk (authentication) | Email verification status, sign-in metadata, multi-factor authentication status |
| Stripe (payments) | Subscription status, charge success/failure, last-four digits of card, billing ZIP, fraud-prevention signals |
| Circle (community platform) | Basic membership status tied to your OTSS account for SSO (if and when SSO is enabled) |
| Email deliverability providers | Bounce, complaint, and open/click signals for emails we send through Resend |
3.4 Information we do not collect
We do not collect:
(a) Precise geolocation data (we do not request device-level GPS);
(b) Biometric identifiers;
(c) Social Security numbers, driver's license numbers, passport numbers, or other government identifiers;
(d) Information from integrations with your social-media accounts (we do not offer social login today); or
(e) Information about any individual other than you, your co-parent (if you add one), and your child.
3.5 Sensitive personal information
Some of the information you may choose to provide — for example, your child's medical history, feeding and sleep patterns, or other health-adjacent information — may be considered “sensitive personal information” under certain state privacy laws.
We collect this information only when you voluntarily provide it, and we use it solely to provide the Services you have requested. We do not use sensitive personal information for any purpose other than those reasonably expected by you in connection with the Services, and we do not sell or share sensitive personal information. Under the California Privacy Rights Act (CPRA), you have the right to limit our use of sensitive personal information; because we already limit our use as described above, exercising this right does not change how we handle your information.
4. How we use personal information.
We use personal information for the following business purposes:
(a) Providing the Services — creating and maintaining your account, processing payments, delivering content, scheduling and conducting consulting sessions, and providing customer support;
(b) Communicating with you — sending service-related emails (account confirmations, billing receipts, trial and renewal reminders, product updates), responding to your inquiries, and, if you opt in, sending occasional newsletters;
(c) Improving the Services — analyzing how the Services are used so we can fix issues, improve design, and develop new features;
(d) Securing the Services — detecting, preventing, and responding to fraud, abuse, security incidents, and violations of our Terms of Service or Community Guidelines;
(e) Complying with legal obligations — responding to lawful requests from government authorities, maintaining records required by tax and corporate law, and defending or bringing legal claims; and
(f) With your consent — any other purpose for which you give us specific consent.
We do not use personal information to train machine-learning models, and we do not sell personal information. See Section 6.
5. Legal bases (for users in jurisdictions that require them).
Where applicable law requires us to identify a legal basis, we rely on:
(a) Contract — processing necessary to provide the Services you have subscribed to or purchased;
(b) Legitimate interests — improving, securing, and administering the Services, provided our interests are not overridden by your rights;
(c) Consent — where we ask for it (for example, marketing emails beyond service-related messages); and
(d) Legal obligation — where processing is required to comply with applicable law.
You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
6. How we share personal information.
We share personal information only in the following circumstances:
6.1 Service providers (subprocessors)
We share personal information with third-party service providers who process it on our behalf to operate the Services. Each service provider is contractually bound to use the information only for the purposes we specify and to maintain appropriate safeguards. Our current service providers are:
| Service provider | Purpose | Categories shared |
|---|---|---|
| Clerk | Authentication, account management | Account information, authentication logs |
| Stripe | Payment processing, subscription billing | Payment information, billing contact |
| Neon | Database hosting (Postgres) | All data you provide to the Services that we store in our database |
| Railway | Application hosting | Server logs, application-layer data |
| Resend | Transactional and optional marketing email | Name, email address, email content, deliverability signals |
| Circle | Community forum, DMs, events (at community.offtosleepstrong.com) | Account information, community activity |
| Cloudflare (if used) | Content delivery, DDoS protection | IP address, request metadata |
| Analytics provider (e.g., Plausible or Vercel Analytics) | Aggregated, privacy-respecting usage analytics | Truncated IP, page-view metadata |
The list above may be updated from time to time as we add, remove, or change service providers. Material changes will be reflected in this Privacy Policy.
6.2 Legal, safety, and protection of rights
We may disclose personal information when we believe in good faith that disclosure is necessary to:
(a) Comply with applicable law, regulation, legal process, or governmental request;
(b) Enforce our Terms of Service, Services Agreement, or other agreements;
(c) Protect the rights, property, or safety of OTSS, our users, or others, including to detect and prevent fraud or security issues; or
(d) Respond to an emergency we believe in good faith requires us to disclose information to prevent imminent harm.
Where permitted by law, we will notify you before disclosing your information in response to a legal request.
6.3 Business transfers
If OTSS is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections and, where required, your prior notice or consent. The successor entity will be bound by the commitments made in this Privacy Policy or will notify you of any material changes.
6.4 With your direction or consent
We may share personal information with third parties when you direct us to do so — for example, if you ask us to share your plan notes with a caregiver or provider.
6.5 Aggregated or de-identified information
We may create and share aggregated or de-identified information that cannot reasonably be used to identify you. We will not attempt to re-identify de-identified information and will contractually obligate any recipient not to do so.
6.6 What we do not do
- We do not sell personal information as that term is defined under the CPRA or other state privacy laws — we do not receive monetary or other valuable consideration in exchange for personal information.
- We do not share personal information for cross-context behavioral advertising as that term is defined under the CPRA — we do not allow third parties to collect personal information across the Services for profiling-based advertising.
- We do not use personal information for targeted advertising as that term is defined under the Connecticut Data Privacy Act or similar state laws.
- We do not profile in furtherance of decisions that produce legal or similarly significant effects concerning you.
If either of the first two statements ever changes, we will update this Privacy Policy, post clear notice on the Site, and — where required — obtain your consent before the change takes effect.
7. Your privacy rights.
Depending on where you live, you may have certain rights regarding your personal information. Some of these rights are guaranteed by state law; we extend the substantive rights listed below to all U.S. users, regardless of state, subject to verification and any legal exceptions.
7.1 Rights available to all U.S. users
(a) Right to know / access. You have the right to request that we confirm whether we process personal information about you and, if so, disclose the categories and specific pieces of personal information we have collected about you in the prior 12 months (or the full period you have used the Services, whichever is shorter), the sources, the purposes for collection, and the categories of third parties with whom we have shared it.
(b) Right to correct. You have the right to request that we correct inaccurate personal information we maintain about you.
(c) Right to delete. You have the right to request that we delete personal information we have collected from you, subject to exceptions (for example, we may retain information to complete a transaction, comply with a legal obligation, or defend a legal claim).
(d) Right to data portability. You have the right to receive a copy of the personal information you have provided to us in a portable, commonly used, and, to the extent technically feasible, machine-readable format.
(e) Right to opt out of sale / sharing / targeted advertising. We do not sell personal information or share it for cross-context behavioral advertising or targeted advertising. If this ever changes, you will have the right to opt out and we will provide a mechanism to exercise it, including by honoring recognized opt-out preference signals (see Section 7.3).
(f) Right to limit use of sensitive personal information. As noted in Section 3.5, we already limit our use of sensitive personal information to purposes reasonably expected by you. You may still submit a request to limit our use of sensitive personal information.
(g) Right to non-discrimination. We will not discriminate against you for exercising any of these rights. We will not deny you Services, charge you different prices, or provide a different level of quality because you exercised your rights.
7.2 State-specific additions
California (CPRA / CCPA). California residents have the rights listed in Section 7.1 and the right to limit the use of sensitive personal information described above. Authorized agents may submit requests on your behalf; we may require verification of both the agent's authority and your identity.
Connecticut (CTDPA, as amended by CT HB 5001 (2024) and subsequent amendments). Connecticut residents have the rights in Section 7.1 and the right to appeal our decision regarding a privacy-rights request (see Section 7.5). We honor recognized opt-out preference signals, including Global Privacy Control (GPC), as Connecticut law requires. The 2024 amendments expanded consumer rights regarding minors' data and sensitive data; consistent with those amendments, we do not knowingly process personal information of a Connecticut resident under 18 for targeted advertising, sale, or profiling without the consent required by law.
Colorado (CPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and other states with comprehensive privacy laws. Residents of these states have the rights described in Section 7.1 that are provided by their respective laws, and the right to appeal our decision regarding a privacy-rights request (see Section 7.5).
Nevada. Nevada residents may submit a verified request directing us not to sell the covered information we have collected about them, even though we do not today sell personal information as defined under Nevada law.
7.3 Honoring the Global Privacy Control (GPC)
We honor the Global Privacy Control browser signal and treat it as a valid opt-out request from users residing in states whose laws require us to do so (including California, Connecticut, Colorado, Oregon, Texas, and Delaware), and we extend this treatment to all U.S. users as a matter of policy. Because we do not sell or share personal information for cross-context behavioral advertising or targeted advertising today, the GPC signal primarily affects any future practices that would require an opt-out.
7.4 How to submit a privacy rights request
To exercise any of these rights, please email privacy@offtosleepstrong.com with:
(a) Your first and last name;
(b) The email address associated with your OTSS account;
(c) The specific right you wish to exercise; and
(d) Any details that will help us locate your information.
We will acknowledge receipt of your request within ten (10) business days and respond substantively within forty-five (45) calendar days of the verified request. If we need additional time (up to an additional 45 days), we will notify you of the reason and the extended period before the original period expires.
Verification. To protect your information, we will take reasonable steps to verify your identity before responding to your request. Depending on the sensitivity of the information and the type of request, this may involve matching the information you provide with information in your OTSS account, confirming ownership of the email address on file, or requesting additional information. We will only use information provided for verification purposes for the purpose of verification and will delete it as soon as practicable.
Authorized agents. You may designate an authorized agent to submit requests on your behalf. We may require written proof of authorization and may require you to verify your own identity directly.
7.5 Right to appeal
If we decline your privacy-rights request in whole or in part, you may appeal our decision within sixty (60) days of our response by emailing privacy@offtosleepstrong.com with the subject line “Privacy Request Appeal” and a brief statement of the basis for your appeal. We will respond to your appeal within forty-five (45) days of receipt, explaining any action taken or not taken.
If we deny your appeal, you may contact your state Attorney General to submit a complaint. Contact information for state Attorneys General is available through their respective state websites.
8. Community platform (Circle) and SSO.
Our community features are hosted on Circle. When you use community.offtosleepstrong.com, you interact directly with Circle's service. Circle processes information you submit to the community platform under Circle's own privacy policy, available at [Circle's privacy policy URL, to be linked].
Information we share with Circle. Your name, email, and OTSS account status (active member, trial, or cancelled) so Circle can grant you appropriate access.
Information Circle shares with us. Basic membership status tied to your OTSS account. We do not receive the content of DMs you exchange on Circle unless those DMs are reported to us for safety or policy reasons.
When SSO is enabled (future). When we enable single sign-on between OTSS and Circle, we will pass an authentication token scoped to the minimum information needed to establish your Circle account (typically your email address and a unique identifier).
9. Children's privacy.
The Services are intended for adults (18+) who are parents or caregivers acting on behalf of their children. The Services are not directed to children under 13, and we do not knowingly collect personal information directly from children under 13 in a manner that would require consent under the Children's Online Privacy Protection Act (COPPA).
We do, however, process information that you as a parent or guardian choose to provide about your child (for example, your child's first name, date of birth, sleep schedule, or feeding notes) so we can provide the Services you have requested. In this context, you — the parent or guardian — are the person giving us direction to process information about your child, and you warrant that you have the legal authority to do so.
If you believe we have collected information from a child in a manner that violates COPPA or applicable law, please contact us immediately at privacy@offtosleepstrong.com and we will promptly investigate and, where appropriate, delete the information.
9.1 Minors' data under state law
Several states (including Connecticut, per the 2024 CTDPA amendments, and California, per the CPRA) have heightened requirements regarding the processing of personal information of minors under 18. We do not knowingly process personal information of a resident under 18 for targeted advertising, sale, or profiling that produces legal or similarly significant effects, without the consent required by applicable law. Because we do not engage in any of those practices today, these restrictions are fully satisfied.
10. Cookies and similar technologies.
We use cookies and similar technologies to:
(a) Keep you logged in (session cookies);
(b) Remember your preferences (for example, dismissed banners);
(c) Protect the Services against fraud and abuse; and
(d) Measure aggregate usage in a privacy-respecting way.
We do not use advertising cookies, cross-site tracking pixels, or data brokers' tags.
You can control cookies through your browser settings. Disabling cookies may affect your ability to stay logged in or use certain features. Modern browsers also offer “Do Not Track” signals and GPC signals; we honor GPC as described in Section 7.3.
11. Data retention.
We retain personal information for as long as necessary to provide the Services and for legitimate business purposes such as:
(a) Maintaining your account while active;
(b) Responding to support requests and resolving disputes;
(c) Complying with our legal obligations (for example, retaining billing records for the period required by tax law, typically seven years);
(d) Defending against or bringing legal claims within applicable limitations periods; and
(e) Preserving the integrity of back-ups and security logs for a reasonable period.
When you cancel your membership or request deletion, we will delete or de-identify your personal information within a reasonable period, except as permitted or required by law to retain (for example, billing records and limited account metadata). Community posts may remain visible in threaded conversations after account deletion, attributed to a deleted or anonymized account, except that we will remove or anonymize on request.
12. Security.
We use commercially reasonable administrative, technical, and physical safeguards to protect personal information, including:
(a) Encryption of data in transit (TLS);
(b) Encryption of sensitive data at rest where technically appropriate;
(c) Access controls limiting employee access to personal information to those who need it to perform their roles;
(d) Vendor due diligence and contractual data-protection obligations; and
(e) Regular review of security practices.
No method of transmission over the Internet or electronic storage is fully secure. We cannot guarantee absolute security. If we become aware of a security incident affecting your personal information, we will notify you and applicable regulators consistent with applicable law.
13. International users.
The Services are intended for residents of the United States. We do not actively market the Services outside the United States. Our infrastructure is hosted primarily in the United States.
If you access the Services from outside the United States, you understand and consent to the transfer, processing, and storage of your information in the United States, which may have data-protection laws different from those in your jurisdiction.
We do not intend to process personal information subject to the EU or UK General Data Protection Regulation. If you are in the EU, EEA, or UK, please refrain from using the Services. If you do create an account from such jurisdictions, we reserve the right to close your account and delete associated personal information in accordance with applicable law.
14. Third-party links.
The Services may contain links to third-party websites and services. This Privacy Policy does not apply to those third parties. We encourage you to review their privacy policies before providing them with personal information.
15. Changes to this Privacy Policy.
We may update this Privacy Policy from time to time. When we do, we will:
(a) Update the “Last Updated” date at the top of this policy;
(b) Post the revised policy at offtosleepstrong.com/privacy;
(c) For material changes (such as a new category of personal information collected, a new use we had not previously described, or a new category of third-party sharing), provide prior notice by email to active account holders and, where required by law, obtain your consent before the change takes effect; and
(d) Preserve prior versions of this policy at offtosleepstrong.com/privacy/archive for a reasonable period.
Continued use of the Services after the effective date of the revised policy constitutes acceptance of the revised policy, subject to any additional consent required by law.
16. How to contact us.
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Email: privacy@offtosleepstrong.com
General inquiries: hello@offtosleepstrong.com
Mail:
Off to Sleep Strong LLC
Attn: Privacy
1 Fado Lane
Cos Cob, CT 06807
We will do our best to respond promptly, and in any event within the timelines described in Section 7.4.