Legal Document

Privacy Policy

We are committed to protecting your personal information

Effective Date: April 18, 2026
Applies to: Websites & Mobile Apps
Coverage: Global (EU GDPR, UK GDPR, US CCPA, China PIPL)

Data Controller

Legal Entity: AI Player in Gothenburg (Aika Lab)
Entity Type: Enskild näringsidkare (Sole Proprietorship, Sweden)
Organization No.: 571121-3230
Address: Legendgatan 13, 422 55 Hisings Backa, Sweden
Owner: Yuting Ma
Contact: hello@aikalab.se
Trading Name: Aika Lab

For all data protection inquiries, please contact us at hello@aikalab.se with the subject line "Privacy Request".

Data Protection Officer (DPO)

Based on the current scale and nature of our processing activities, we have determined that the appointment of a Data Protection Officer is not mandatory under GDPR Article 37. We monitor this determination on an ongoing basis and will appoint a DPO if our processing activities reach the thresholds requiring such appointment. For all data protection inquiries, please contact hello@aikalab.se. We will respond within 30 days as required by GDPR Article 12.

01

Introduction & Scope

Aika Lab ("we," "us," or "our") is the trading name of AI Player in Gothenburg, a sole proprietorship registered in Sweden (organization number 571121-3230, owned by Yuting Ma). We recognize the importance of your personal information and are committed to protecting your privacy.

This Privacy Policy ("Policy") applies to:

(collectively referred to as the "Services")

Please read this Policy carefully before using our Services. By accessing our Website or downloading and using our Apps, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any part of this Policy, please discontinue use of our Services.

This Policy applies to users worldwide. For users located in the European Economic Area (EEA), the United Kingdom, and other regions where the GDPR or similar data protection laws apply (such as the UK GDPR, China's PIPL, California's CCPA, and Brazil's LGPD), we provide specific compliance measures clearly marked throughout this Policy.

02

Information We Collect

To provide our Services, we collect the following categories of personal information:

Category | Details | Collection Method
Account Information | Username, password (stored hashed), profile photo (optional), display name (optional) | Provided during registration
Authentication Identifiers | Email address (optional, when registering with email or Google Sign-In) OR phone number (optional, when registering with SMS verification) | Provided during registration; only one method required
Google Sign-In Data | Google account ID, email address, profile photo (when you choose Google Sign-In) | Received from Google when you authenticate
Device Information | Device model, OS version, unique device identifier (Android Advertising ID or equivalent), app version | Collected automatically
Technical Logs | IP address, access timestamps, screens viewed, crash logs, performance metrics | Collected automatically
BCI Device Connection Data | Bluetooth pairing data with compatible EEG headsets, device serial number, signal quality metrics | Collected via Bluetooth permission with explicit user pairing
EEG and Biosignal Data | See Section 3 (Special Category Data) | See Section 3
Physical Accessory Order Data | Shipping address, email (for order confirmation), transaction confirmations from Stripe (no card numbers visible to us) | Collected when you complete a purchase at aikalab.se/market
In-App Behavior Data | Which products you use, session duration, interaction patterns, feature usage | Collected automatically during App use

Sensitive Data Notice

EEG and biosignal data are classified as special category personal data under GDPR Article 9. We collect and process such data only with your explicit consent. See Section 3 for full details.

Data We Do Not Collect

03

Special Category Data: EEG and Health Information

This section describes our handling of EEG (electroencephalography) and related biosignal data, which constitute special category personal data under GDPR Article 9 and similarly elevated categories under other applicable laws.

3.1 What EEG Data We Collect

When you use our closed-loop neurostimulation products (such as MindSync Sleep, Deep Relax Sleep, Deep Quick Sleep, Deep Night Owl Sleep, and other future BCI-enabled products), we collect:

3.2 How EEG Data is Identified

EEG data is associated with a system-generated User ID only. We do not link EEG data to your name, email, phone number, or any other directly identifying information at the storage level. The mapping between User ID and your account exists only in our access-controlled account database, separate from the EEG data store.

3.3 Legal Basis for EEG Processing (GDPR Article 9)

We process your EEG data on the basis of your explicit consent (GDPR Article 9(2)(a)). You provide this consent when you first pair a BCI device with our App and complete the in-App consent dialog. You may withdraw this consent at any time by:

Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal. Upon withdrawal, we will cease collecting new EEG data; previously collected data will be handled according to the retention rules in Section 8.

3.4 Purposes of EEG Processing

Purpose | Description
Real-time service delivery | Detecting your sleep stage in real time to drive closed-loop acoustic stimulation; this is the core functionality of products like MindSync Sleep
Personal calibration | Computing individual baseline parameters from your Adaptation Night data to optimize the system for your physiology
Service quality monitoring | Detecting signal quality issues, hardware faults, or anomalous patterns that indicate the system should fall back to safe operation
Aggregate research | After anonymization (see Section 8), aggregate EEG data may be used to improve our algorithms, validate scientific claims, and inform future product development

We do not use your EEG data to: diagnose any medical condition; provide medical advice; make decisions that have legal or similarly significant effects about you; share with insurers, employers, or any third party for profiling purposes; or train machine learning models that could be used to identify individuals.

Important Disclaimer

Aika Lab products are personal wellness tools. They are not medical devices. They do not diagnose, treat, cure, or prevent any disease or condition. EEG data we collect is used solely to deliver acoustic neuromodulation services and to improve those services. If you have concerns about your sleep, mental health, or any medical condition, please consult a qualified healthcare professional.

04

Purpose & Legal Basis for Processing

We process your personal information only when we have a lawful basis to do so. The legal bases vary by data type and processing purpose:

4.1 Service Delivery & Contractual Performance (GDPR Article 6(1)(b))

4.2 Explicit Consent (GDPR Article 6(1)(a) and Article 9(2)(a))

4.3 Legitimate Interests (GDPR Article 6(1)(f))

For each processing activity based on legitimate interest, we have conducted a balancing test to ensure your rights and interests are not overridden. You may object to processing based on legitimate interests at any time (see Section 10).

4.4 Legal Obligations (GDPR Article 6(1)(c))

4.5 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. Withdrawal can be done through the App's privacy settings, by deleting your account, or by contacting hello@aikalab.se.

05

Sharing & Disclosure

Key Commitment

We do not sell your personal information. We do not share your personal information with third parties for their independent marketing or profiling purposes.

We may share your data with third parties only under the following circumstances:

5.1 Service Providers

We engage authorized service providers to operate our Services. See Section 6 for the complete current list. These providers may access your personal information only to the extent necessary to perform their services and are bound by data processing agreements (DPAs) consistent with GDPR Article 28.

5.2 Legal Requirements

We may disclose your information when required by law, or in response to court orders, subpoenas, government requests, or other legal processes. We will challenge any request that we believe is overbroad or improperly issued.

5.3 Business Transactions

In the unlikely event of a merger, acquisition, asset sale, or insolvency, your personal information may be transferred as part of the transaction. We will notify you of any such transfer and ensure the receiving party maintains protections at least equivalent to those in this Policy.

5.4 With Your Specific Consent

Outside the circumstances described above, we will obtain your explicit consent before sharing your personal information with any third party.

06

Service Providers and Third-Party SDKs

We currently use the following service providers and third-party SDKs:

Provider | Purpose | Data Shared | Location
Google Cloud Platform | Server hosting, database (Firestore), serverless backend (Cloud Run), secret management | All server-side data including account information, subscription records, anonymized EEG data | Frankfurt (eu-west) and other GCP regions
Google Sign-In SDK | Optional third-party authentication | Google account ID, email address, profile photo | Google LLC, USA
Flexolink AI | EEG device SDK for Bluetooth communication | Device pairing data; EEG signals processed on-device, not transmitted to Flexolink | China (SDK provider)
Stripe | Payment processing for physical accessories via aikalab.se/market | Transaction details, billing address (no card numbers visible to us) | Stripe Payments Europe Limited, Ireland; Stripe, Inc., USA

We will update this list when we add, change, or remove any service providers. The current authoritative list is available at aikalab.se/service-providers.

About Flexolink

The Flexolink SDK runs on your device to communicate with your BCI hardware. EEG signal data is processed locally and uploaded to our own servers (Google Cloud Platform), not to Flexolink's servers. Flexolink does not receive your EEG data.

Physical Accessory Purchases: Physical accessories (such as compatible BCI hardware) are purchased through our website at aikalab.se/market using a separate payment processor. The Aika Lab App does not process these purchases directly; the App may link to our website for these purchases, where applicable Web payment terms apply.

07

Cross-Border Data Transfers

As a global service operating from Sweden (EU) with users worldwide, your personal information may be transferred to and processed on servers located outside your country or region. Specifically:

For transfers of personal data outside the European Economic Area, we rely on the following safeguards:

For users in mainland China, where data is transferred outside China, we will comply with the Personal Information Protection Law (PIPL), including completing necessary security assessments or obtaining appropriate certifications when required.

You may request a copy of the safeguards we use (such as SCC text) by contacting hello@aikalab.se.

08

Data Retention

We retain your personal information only for as long as necessary for the purposes described in this Policy. Specific retention periods:

Data Category | Active Retention | Anonymization | Deletion
Account information | While account is active | N/A | Within 30 days of deletion request
EEG raw signal data | 90 days from collection | After 90 days (User ID removed) | Identifiable EEG deleted within 30 days of account deletion
Sleep stage & intervention events | 2 years from collection | Anonymized after 90 days | Identifiable data deleted within 30 days of account deletion
Adaptation Night EDF recordings | 90 days from collection | Anonymized after 90 days | Same as EEG raw data
Subscription & payment records | 7 years (Swedish Bokföringslag) | N/A (legal retention) | After 7-year statutory period
Crash logs & telemetry | 90 days | N/A | Automatic deletion after 90 days
Marketing consent records | While consent active + 3 years | N/A | After 3-year proof-retention period
Support correspondence | 2 years from last interaction | N/A | After 2 years

About Anonymization

When we anonymize data, we permanently sever the link between the data and any identifier that can reasonably be associated with you. Anonymized data is no longer personal data under GDPR and may be retained indefinitely for legitimate research and product improvement purposes.

About Account Deletion: When you request account deletion, we delete your identifiable data within 30 days. Note that already-anonymized data cannot be deleted because it is no longer linked to you; data we are legally required to retain will be kept for the mandated period; backups will be purged on the next regular rotation cycle (typically within 90 days).

09

Data Security

We implement the following technical and organizational measures to protect your data:

9.1 Incident Response

In the event of a personal data breach, we will: promptly investigate and contain the breach; notify the Swedish Data Protection Authority (Integritetsskyddsmyndigheten, IMY) within 72 hours of becoming aware of the breach, where required by GDPR Article 33; notify affected users without undue delay where the breach is likely to result in high risk to their rights, as required by GDPR Article 34; and take remedial action to prevent recurrence.

10

Your Rights

Under applicable data protection laws, you have the following rights:

10.1 GDPR Rights (EU/EEA Users)

Access (Art. 15)

Know what personal data we process about you and obtain a copy.

Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data.

Erasure (Art. 17)

Request deletion of your personal data under certain conditions.

Restriction (Art. 18)

Request that we stop processing your data while a dispute is resolved.

Portability (Art. 20)

Receive your data in a machine-readable format and transfer it.

Objection (Art. 21)

Object to processing based on our legitimate interests.

Withdraw Consent (Art. 7(3))

Withdraw consent at any time without affecting prior lawful processing.

Complaint (Art. 77)

Complain to your local supervisory authority (in Sweden: IMY, www.imy.se).

10.2 Other Jurisdictions

How to Exercise Your Rights

Submit your request to hello@aikalab.se with the subject line "Privacy Request — [type of request]". We will respond within 30 days as required by GDPR Article 12. For complex requests, we may extend by up to two additional months.

11

Account Deletion

You can delete your account at any time through any of the following methods:

11.1 What Happens After Deletion

Timeline | What Happens
Within 7 days | Your account credentials are disabled; you cannot log in
Within 30 days | All identifiable personal data is deleted from our active systems (account info, identifiable EEG data, session records, subscription state, in-App behavior data)
Within 90 days | Your data is removed from backups during the next regular backup rotation
Retained as required | Transaction records (7 years per Bokföringslag), proof-of-consent records (3 years)
Already anonymized | Cannot be deleted because the link to you no longer exists

11.2 Effect on Pending Physical Accessory Orders

Important

If you have pending orders for physical accessories (such as BCI hardware) from our website store at aikalab.se/market, account deletion does not automatically cancel these orders. Please contact hello@aikalab.se to coordinate pending shipments or refunds before requesting account deletion.

12

Payments and Physical Accessory Sales

12.1 Current App Version Is Free

The current versions of Sleep Tuning and our other Apps are completely free to use. There are no subscriptions, no pay-per-use charges, no in-App purchases, and no advertisements. All product features, sessions, and associated reports are available to you at no cost.

If we introduce paid features or subscriptions in future versions, we will update this Privacy Policy in advance, clearly communicate the changes, and obtain your renewed consent for any new data processing activities related to payments.

12.2 Physical Accessory Sales via Our Website

Physical accessories (such as compatible BCI hardware) are sold separately through our website store at aikalab.se/market. These sales are governed by our Terms of Sale displayed on the website.

When you purchase a physical accessory:

12.3 Data We Process for Physical Accessory Sales

For each physical accessory order, we process: shipping address, email address (for order confirmation and shipping updates), transaction confirmation from Stripe, order status and fulfillment records, and refund records (if applicable). This data is retained per Section 8 (7 years for transaction records, per Swedish accounting law).

12.4 Refunds for Physical Accessories

The refund policy for physical accessory purchases is governed by our Terms of Sale on the website. Under EU consumer protection law, you typically have a 14-day right of withdrawal for physical goods purchased at a distance, subject to the product being in original condition.

13

Bluetooth and Location Permissions

To connect to compatible BCI devices (such as Flexolink FLEX-BM05BF), our Apps require Bluetooth permissions. On certain Android versions (particularly Android 11 and below), Android's permission system technically requires location permission to perform Bluetooth scanning, even when location data is not actually used.

We Do Not Collect Location Data

We do not collect, store, or use your location data for any purpose. The location permission is requested solely because it is technically required by the Android operating system to enable Bluetooth scanning. We never read your GPS coordinates, IP-based location, or any other location signal.

On Android 12 and above, where the operating system provides separate BLUETOOTH_SCAN and BLUETOOTH_CONNECT permissions, our Apps use these dedicated permissions and do not request location access.

You may revoke any permission at any time through your device's settings. Revoking Bluetooth permission will disable BCI-dependent features but will not affect open-loop products that do not require a BCI device.

14

Cookies & Tracking Technologies

Our Website uses cookies and similar tracking technologies (e.g., pixel tags, web beacons, local storage) to enhance user experience and analyze service usage. Our mobile Apps use device identifiers and local storage in a similar manner.

14.1 Cookie Categories

Essential Cookies: Required for basic functionality (authentication, security). These cannot be disabled.

Functional Cookies: Remember your preferences for a personalized experience.

Analytics Cookies: Help us understand how users interact with our Services. These are loaded only with your consent (where required by EU ePrivacy rules).

Marketing Cookies: We currently do not use marketing cookies. If we add any in the future, they will be loaded only with your consent.

14.2 Cookie Management

You can manage or delete cookies through your browser settings. For users in the EU/EEA, we provide a cookie consent management tool on first visit, allowing you to accept or reject non-essential cookies.

14.3 In-App Tracking

Our mobile Apps do not use advertising identifiers for cross-app tracking. The Android Advertising ID may be collected as part of device information but is used solely for crash analytics and not for advertising purposes.

15

Children's Privacy

Our Services are intended for users aged 18 and above. The Sleep Tuning App and other BCI-enabled products involve acoustic neuromodulation that has not been validated for use by minors and may interact with developing nervous systems in ways we have not characterized. For this reason:

If we discover that we have collected information from a child below our age threshold, we will delete such information promptly. Parents or guardians who believe their child has provided information to us should contact hello@aikalab.se for immediate removal.

16

Automated Decision-Making

We do not engage in automated decision-making within the meaning of GDPR Article 22 — that is, decisions made solely by automated means that produce legal effects or similarly significant effects about you.

Our Services use algorithmic processing (such as real-time sleep stage detection by the Sleep Tuning Stage Detector) to deliver core functionality. These algorithmic determinations are used solely for service delivery (selecting which acoustic stimulation to deliver at a given moment) and do not produce legal effects, employment decisions, financial decisions, or similarly significant decisions about you.

If we ever introduce features that constitute automated decision-making under Article 22, we will update this Policy and provide the meaningful information about the logic involved, the significance, and the consequences as required by Article 13(2)(f).

17

Policy Updates

We may update this Policy from time to time to reflect changes in our Services, our data processing practices, or applicable law.

For material changes (such as new categories of data collected, new processing purposes, or new third-party recipients), we will notify you in advance via:

For changes that affect consent-based processing (including processing of EEG data under Article 9), we will seek your renewed consent. Continued use of our Services after a non-material update constitutes acceptance of the revised Policy.

We maintain a version history of this Policy. The "Effective Date" at the top of this Policy reflects the current version's effective date.

18

Contact Us

For all privacy-related questions, requests, or concerns:

Email: hello@aikalab.se
Subject Line: Please use "Privacy Request — [topic]" for privacy-specific inquiries

Postal Address:
Aika Lab (AI Player in Gothenburg)
Legendgatan 13
422 55 Hisings Backa
Sweden

We will respond to your request as soon as possible, and no later than 30 calendar days from receipt as required by GDPR Article 12.

18.1 Supervisory Authority

If you are in the EU/EEA and believe we have not addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority. For Swedish residents, this is:

Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
Phone: +46 8 657 61 00
Web: www.imy.se

This Privacy Policy was substantially revised on April 18, 2026 to reflect the launch of Sleep Tuning and other BCI-enabled products.
The previous version dated April 2, 2026 is archived and available upon request.

This product is a personal wellness tool and does not constitute medical advice.