What we collect.

1The app

• No analytics SDK. No Firebase, no Crashlytics, no Mixpanel, no in-house telemetry. Open the source and grep for it yourself.
• No network calls — ever. The app does not connect to the internet for any reason. The five noise colors are generated mathematically on your phone; nothing is streamed, fetched, or phoned home.
• No accounts. No login, no signup, no email collection, no "create a profile to save your settings."
• Almost no permissions. The app requests only the foreground service permission needed to keep audio playing when the screen sleeps. No microphone, camera, location, contacts, storage, calendar, or sensors.
• All settings stay on your device. Color choice, volume, and timer length are stored in Android's DataStore, locally. Nothing leaves the phone, because nothing is sent anywhere.

2This website

• No analytics. No Google Analytics, no Plausible, no Fathom, no Cloudflare web analytics, no heat-map software. We do not know how many people visit, what pages they read, or where they came from.
• No cookies. Zero. If your browser shows a cookie for this site, it didn't come from us.
• No third-party scripts or pixels. No Facebook Pixel, no Twitter widget, no embedded GitHub buttons, no chat bubble.
• Self-hosted fonts. The italic serif you're reading is Crimson Text, served from this domain — not from Google Fonts. Google does not see your IP address as a side effect of you visiting.
• No local storage. We don't write to localStorage, sessionStorage, or IndexedDB.
• Outbound links don't leak referrers. Every external link uses rel="noopener noreferrer", so when you click through to GitHub we don't send the URL of the page you were on.

3What our server does see

The site is hosted on Apache through a third-party shared host (Dathorn). Like every web server on the planet, it writes a line to an access log when you request a page — your IP address, your browser's User-Agent string, and the path you asked for.

We do not analyze these logs. They rotate automatically after roughly 30 days and are kept only for the rare case where we need to investigate abuse, debug a server outage, or comply with a law-enforcement request we cannot legally refuse. We do not share them with advertisers, analytics vendors, or anyone else.

4What we did on 2026-05-23 to make sure

Before launching the site at simplysleepsounds.com we did a deliberate security & privacy pass:

• Removed Google Fonts; vendored Crimson Text into /assets/fonts/ as four woff2 files.
• Extracted all inline JavaScript to app.js so the site can run under a strict Content Security Policy.
• Added a Content-Security-Policy response header with default-src 'self' and explicit allow-lists for fonts, scripts, styles, and images — blocks any rogue third-party request at the browser level.
• Forced http:// → https:// via an Apache rewrite rule. TLS certificate issued by Let's Encrypt.
• Set Strict-Transport-Security with a two-year max-age and includeSubDomains.
• Set Referrer-Policy: no-referrer so we don't leak which page you came from to anyone you click through to.
• Set Permissions-Policy to disable browser features we don't use (geolocation, camera, microphone, FLoC).
• Upgraded every outbound link from rel="noopener" to rel="noopener noreferrer".
• Disabled directory listing under /assets/.
• Confirmed there is no service worker, no PWA install handler, and no other persistent storage surface.

5What changes that

If the app ever adds analytics, crash reporting, accounts, payments, or network calls of any kind — or if this site ever adds tracking pixels, cookies, or third-party embeds — this page changes first, with the date and the reason. If you'd like to know about silent changes, the entire repository is on GitHub and you can subscribe to commit notifications.