Privacy Policy

Last Updated: June 5, 2026

Bedroomlabs SRL ("we", "us", "our") operates the esc. mobile application, our custom e-commerce storefront, and the physical esc. hardware node (collectively, the "Ecosystem"). We are committed to protecting your privacy and ensuring that your personal data is handled securely, transparently, and in strict compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy explains exactly how we collect, use, disclose, and secure your information across our digital and physical product boundaries.

1. Introduction & Data Controller

For the purposes of European data protection legislation, the Data Controller responsible for processing your personal information is Bedroomlabs SRL, a legal entity registered and operating under the laws of Romania.

This Privacy Policy applies to all individuals who purchase our physical hardware, download or interact with our mobile application layer, or visit our custom web storefront. By interacting with the Ecosystem, you acknowledge the data collection and processing methodologies described in this policy. If you do not agree with these processing terms, you should immediately cease all interaction with our software and hardware components.

2. Legal Basis for Processing (GDPR)

Under the European General Data Protection Regulation (GDPR), we process your personal data using the following strict legal frameworks:

• Contractual Necessity: To fulfill your physical hardware purchases, manage order routing, and facilitate initial database device-pairing sequences.
• Explicit Consent: When you actively opt into our mobile application environment via third-party OAuth authentication, or choose to allow optional analytics and marketing tracking blocks via our storefront banner.
• Legitimate Interest: To debug application stability, patch system security vulnerabilities, and optimize our custom storefront operations, provided these interests do not override your fundamental privacy rights.

3. Information We Collect Automatically (Storefront Telemetry)

When you visit our custom web storefront, our hosting servers and local code layers automatically capture standard network telemetry. This information includes your Internet Protocol (IP) address, browser configuration headers, device type, operating system version, and basic timestamp paths.

This telemetry is gathered to maintain operational stability and secure our frontend checkout against malicious activity. Any tracking of your specific navigation paths, referral URLs, or purchase behaviors for marketing purposes is strictly deferred and managed according to your active selection within our centralized cookie gatekeeper architecture.

4. Information You Provide to Us (E-Commerce & Accounts)

We collect personal information that you actively and voluntarily provide to us across two distinct environments:

• Storefront Checkout Layout: To execute physical orders, we collect your full name, shipping destination address, and email address. We strictly do not collect phone numbers during checkout, and all informational alerts regarding order confirmation and logistics updates are dispatched exclusively via email. Financial transaction data (credit card tokens) is processed entirely by encrypted third-party payment gateways and never touches our servers.
• Mobile App Account Creation: To provision an account within the local mobile application, you must authenticate using your choice of Apple Sign-In, Google Sign-In, or straight email registration. We collect and store your email address and the full name provided directly by your selected identity provider (including the native masked names provided specifically by Apple's privacy architecture).

5. Single-Pairing Database Architecture & Device Boundaries

To protect system integrity, prevent cloning, and minimize persistent cloud data trails, our database infrastructure and physical device configurations operate under a decoupled single-pairing security framework:

• The Unique Device Key: Each physical esc. puck is pre-flashed with an automated, statically assigned unique identifier in UUID format.
• The Sync Lifecycle: When you initialize the app, the local system executes a network query to our central database exactly once to bind that specific hardware UUID to your created user account. If our database indicates the UUID has already been claimed, the pairing loop terminates.
• Offline Operation: Once the single-pairing event is validated and written, all future focus verification checks and alarm-silencing interactions happen entirely offline on-device through localized near-field communication. The web storefront and the mobile application database operate in absolute isolation and never exchange data paths.

6. Mobile OS Permissions & Local Processing Boundaries

To enforce focus states and deactivate alarms via the physical hardware puck, the esc. mobile application requires access to highly restricted system-level frameworks. We process all telemetry gathered through these endpoints strictly on-device, ensuring zero structural transmission to our backend infrastructure:

• iOS Screen Time Integration (FamilyControls & ManagedSettings): The application utilizes Apple's native Screen Time API to restrict access to user-selected application categories during focus windows. This framework operates entirely via opaque system-level tokens. We do not collect, read, store, or transmit your app usage statistics, browsing history, or screen-time durations to any external cloud servers.
• Android Accessibility & Usage Stats Integration (AccessibilityService & UsageStatsManager): On Android environments, the app utilizes the UsageStatsManager engine and the AccessibilityService API to immediately detect when a restricted application enters the foreground thread. This permission is used solely to construct a full-screen, local focus-mode lock overlay over the target interface. The app does not read your screen contents, log key entries, or transmit app interactions back to our database.

7. Physical Hardware & NFC Architecture

The physical esc. puck is an entirely passive electronic hardware node containing an integrated NTAG213 silicon circuit.

• No Active Components: The device contains no battery cells, power routing, GPS positioning components, bluetooth chips, or active transmission telemetry.
• Data Restrictions: The chip contains zero internal storage allocations for personal data. It stores only a static, factory-written unique identifier in UUID format. Scanning the device via your phone's near-field communication reader simply reads this cryptographically signed hardware key locally to trigger app-unlock intents within the application layer.

8. Third-Party Script Injection & Marketing Telemetry

Our custom web storefront interacts with selected third-party telemetry tools to optimize ad distribution and calculate our return-on-ad-spend. To maximize performance and keep codebase bundles minimal, we employ direct script injection inside our custom layout instead of relying on heavy tag management containers:

• The Consent Guardrail: By default, all direct script injections—including Google Analytics tracking, Meta Pixels, and TikTok Pixels—are completely blocked from initializing or compiling code into your browser DOM.
• The Activation Vector: These tracking blocks remain entirely passive until you provide explicit affirmative consent via our storefront privacy banner. If you reject optional cookies, your custom data footprint remains entirely null across our advertising dashboards, and our code scripts will not execute.

9. Third-Party Data Processors & Service Providers

We never sell your personal data. To maintain a functional, multi-platform commerce and account infrastructure, we transmit encrypted data tokens to trusted third-party service providers who operate under strict data processing agreements:

• E-Commerce Pipeline: Our custom headless frontend routes customer checkout information securely through the Shopify Storefront API to manage order logs, while transaction payments are executed entirely via secure, encrypted payment gateways.
• Account Infrastructure: Your mobile application profile attributes (names, emails, and paired device UUIDs) are stored securely within our hosted cloud database architecture.
• System Alert Engine: Your email address is shared with our transactional mailing providers to transmit order tracking data, and separate push notification tokens are routed through Apple and Google push notification servers to deliver local alarm synchronization and focus alerts.

10. Corporate Registry and Official Legal Address

In compliance with Romanian national tax legislation and European commercial code validation requirements, the corporate identity and physical headquarters of the Data Controller are explicitly declared as follows:

• Corporate Entity: Bedroomlabs SRL
• Unique Fiscal Registration Code (CUI): 54738881
• Trade Register Registration Number (ONRC): J2026033450009
• European Unique Identifier (EUID): ROONRC.J2026033450009
• Statutory Fully Paid Shared Capital: 1000 RON
• Official Legal Headquarters Address: Strada Garoafei 17, Bloc S1, Scara B, Etaj 1, Apartament 28, Mărășești, Vrancea, Romania

11. International Data Transfers

As an organization utilizing a modern decoupled cloud architecture, data tokens stored within our backend systems may be processed and stored on virtual server nodes located outside of the European Economic Area (EEA).

Whenever we utilize processing infrastructure managed by our hosted cloud providers, we ensure that your personal records are protected under robust legal mechanisms. This includes verifying that our providers utilize strict Standard Contractual Clauses (SCCs) approved by the European Commission, maintaining end-to-end data transport encryption, and ensuring that any external server facilities maintain equivalent data security certifications to comply fully with European GDPR standards.

12. Data Retention Framework

We strictly regulate our data retention timelines to minimize the volume of personal information stored on our platforms:

• E-Commerce Data: Information processed during your custom storefront checkout (names, emails, and shipping destinations) is retained for the mandatory duration dictated by Romanian fiscal and accounting legislation governing corporate transaction logs.
• Mobile Application Data: Your account email address, provided authentication name, and the paired hardware device UUID string are stored continuously while your account profile remains active. If an account profile remains entirely dormant or a deletion request is initiated, these entries will be systematically purged or anonymized.

13. Your GDPR Rights & Data Erasure Protocols

If you are a resident of the European Union, you maintain comprehensive, legally enforceable rights regarding your personal information under the General Data Protection Regulation (GDPR). These rights include the right to access the exact data attributes we store, the right to rectify inaccurate records, the right to restrict processing, and the right to data portability.

You also possess the absolute right to request the permanent and immediate erasure of your personal data ("Right to be Forgotten"). To initiate a data erasure request, or to ask any technical questions regarding your data privacy, you can contact us directly at our operational support email: hi@bedroomlabs.co. Upon receiving your request and verifying your identity, we will permanently purge your customer records from our active database infrastructures within thirty (30) calendar days, unless statutory tax retention laws mandate a continued log.

14. Children’s Privacy & Age Restrictions

Our Ecosystem is not designed or intended for independent use by individuals under the age of 13. We do not knowingly collect or solicit personal information from minors.

As outlined in our Terms of Service, users between the ages of 13 and 18 require explicit parental or legal guardian consent to interact with our mobile application and custom store. If we discover that personal data from a child under the age of 13 has been automatically written to our database without verifiable guardian permission, we will take immediate engineering steps to wipe those specific data blocks from our servers and terminate the associated profile configuration.

15. Changes and Updates to This Policy

Bedroomlabs SRL reserves the right to modify or update this Privacy Policy at any time to reflect changes in our custom layout code, physical hardware deployment models, or evolving mobile operating system frameworks.

When structural changes are committed, we will update the "Last Updated" timestamp at the top of this document. If a change significantly alters how your personal data is processed, we will deploy an active notification layout update—such as a custom in-app banner component or a direct email notification to your account address. Your continued use of the mobile application or web storefront after an updated policy is posted implies automatic acceptance of the revised data methodologies.

16. Right to Lodge a Complaint

If you believe that Bedroomlabs SRL has processed your personal information in a manner that violates European data protection directives or Romanian national privacy laws, you maintain the absolute legal right to file an official complaint with the competent supervisory authority.

In Romania, the primary regulatory body is the National Supervisory Authority for Personal Data Processing:

• Authority Name: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
• Official Web Portal: www.dataprotection.ro
• Headquarters Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, cod poștal 010336, București, Romania