DeRUCCI AI Global Privacy Policy

Last Updated Date: March 23, 2026

This Privacy Policy (hereinafter referred to as the “Policy”) aims to explain how Mattress International Pte.Ltd. (hereinafter referred to as the “we”) collects, uses, and processes your personal data when you use the DeRUCCI AI mobile application (hereinafter referred to as the “Application”) and related smart mattresses (hereinafter referred to as the “Devices”). The Application and Devices are collectively referred to as the “Services”.

We are committed to protecting your privacy. Please read this Policy carefully to understand our practices regarding the processing of your personal data.

 

Policy Summary

This summary is intended to help you quickly understand the key points of the Policy and is not a substitute for reading the full text of the Policy.

Core Areas	Summary	Learn More
What data do we collect?	We collect data you provide to create an account, data from the Devices to enable smart features (including health data if you consent), and technical data about your phone and Application usage to ensure the proper functioning of the Services.	Refer to Section 2.
How do we use your data?	We use your data to provide the core functionalities of the Services (e.g., controlling the mattress and generating sleep analysis reports), as well as for account management, security, and client support.	Refer to Section 2.
With whom do we share your data?	We only share data with necessary service providers (e.g., cloud computing and IoT platform partners) who assist us in operating the Services, as well as family members you choose to invite to share the Devices.	Refer to Section 3.
Where is your data processed?	Your personal data is primarily processed and stored on secure servers located in Singapore.	Refer to Section 4.
How do we protect your data?	We implement robust technical and organizational security measures (including encryption and access controls) to protect your data.	Refer to Section 5.
What rights do you have?	You have the right to access, correct, and delete your data, as well as to withdraw consent for specific data processing activities.	Refer to Section 6.
How to contact us?	If you have any questions or wish to exercise your rights, you may contact our dedicated Data Protection Officer.	Refer to Section 9.

 

1. Scope of Application of the Policy

This Policy applies only to the “Services” provided by us and does not apply to any third-party websites, services, or applications (even if you access them through our platform, such as via links or third-party software development kits (SDKs)). When you interact with these third parties, they may independently collect your personal information, and their data collection and usage practices will be governed by their own privacy policies. We strongly recommend that you review the privacy policies of third parties before providing any information to them.

 

1. Personal Data We Collect and How We Use It

We adhere to the principle of “data minimization” and only collect personal data necessary to provide and improve the “Services”. “Personal data” refers to any information that can directly or indirectly identify you. We collect such data when you create an account, bind a device, or use the functionalities of the Application and Devices.

The table below details our data processing activities, including the types of data collected, the reasons for collection, and the legal basis for processing under applicable data protection laws:

Activity/Function	Types of Personal Data Collected	Purpose of Processing (Reason for Collection)	Legal Basis for Processing
Account creation and management	Account information: email address, encrypted password, and country/region Device identifier: device Id and client Id	To create and secure your account, verify your identity when you log in, and provide client support	Performance of a contract with you
Device binding and setup	Network information: Wi-Fi name (SSID) and Wi-Fi password Device identifier: smart mattress machine code and MAC address Mobile device information: OS type/version, language settings, and time zone	To connect the smart mattress to your Wi-Fi network and pair it with the Application for remote control and data synchronization	Performance of a contract with you
Smart mattress control	Device settings: mattress firmness adjustment and mode selection Usage data: Application version, session ID (sid), and operation logs (e.g., function click records)	To enable you to control the mattress via the Application, save your preferences, and ensure proper Application operation	Performance of a contract with you
Sleep health monitoring	Sensitive health data: heart rate and respiratory rate	To monitor your sleep quality, generate sleep analysis reports, and provide personalized sleep insights	Your explicit consent
Family creation and sharing	Family information: family name and invitation code	To allow you to share device access and sleep data with trusted family members within the Application	Your consent (for data sharing) and our legitimate interests (providing sharing functionality)

 

Special Note on Sensitive Health Data

The collection of your sensitive health data (heart rate and respiratory rate) is one of the core functionalities of the smart mattress, aimed at providing you with detailed sleep analysis. Such data is collected solely through the mattress’s built-in sensors when you use the mattress, and this feature is entirely optional.

By enabling the “Physical Data Collection and Analysis” toggle in the Application’s device settings, you explicitly consent to our collection of such data. You may disable this toggle at any time to withdraw your consent. If you do not consent or withdraw your consent, we will not collect such health data, and the sleep analysis report functionality will be unavailable.

 

1. How and Why We Share Your Personal Data

We do not sell your personal data. We only share your data under the following limited circumstances:

1. Sharing with our service providers: We collaborate with trusted third-party service providers to assist in operating and providing the “Services”, including:
2. IoT platform providers: Our “Services” are built on the Internet of Things (IoT) platform provided by Tuya Inc. to ensure device connectivity and smart functionalities. This platform processes data such as device identifiers and operational commands on our behalf.
3. Cloud hosting providers: We use secure cloud servers to store your data.
4. Application analytics and crash reporting providers: We use services such as Google Firebase to understand application usage and identify and resolve crash issues. Such services may collect technical device data and usage data.

We enter into strict contracts with service providers, requiring them to keep your data confidential and secure, and prohibiting them from using your data for any purpose other than providing services to us.

1. Sharing with your family members: When you use the “Family Sharing” feature, you instruct us to share device access and related data (including sleep reports) with the family members you invite.
2. Compliance with laws and ensuring security: We may need to disclose your personal data when required to comply with applicable laws or respond to legitimate legal processes (such as court orders or requests from government agencies).
3. Business transfers: If we are involved in a merger, acquisition, or asset sale, your personal data may be transferred as part of the transaction. We will ensure that the new entity receiving the data adheres to privacy commitments at least as stringent as those in this Policy.

 

1. International Data Transfers

To provide you with the “Services”, your personal data shall be processed and stored on secure servers located in Singapore.

As a global company, we may need to transfer your data to (or allow access by) affiliated companies, support teams, or service providers located in other countries/regions where data protection laws may differ from those in your jurisdiction.

When transferring your personal data outside your region, we take comprehensive measures to ensure it receives an equivalent level of protection, including relying on legally recognized data transfer mechanisms and safeguards. For example, where required, we implement contractual agreements approved by Hong Kong authorities to protect data. Simultaneously, we assess whether the recipient country/region is deemed to provide an “adequate” level of data protection.

By using our “Services” and agreeing to this Policy, you acknowledge and consent to the transfer, storage, and processing of your data in Singapore and other locations as described in this Policy. The processing and storage of personal data of users in the United States are all conducted within the United States. For details, please refer to "Notice for Data Subjects in the United States".

 

1. Data Security and Retention

Data Security

We attach great importance to the security of your personal data and have implemented a comprehensive information security program designed to prevent unauthorized access, use, alteration, disclosure, or destruction of your data through appropriate administrative, technical, and physical safeguards. Specific security measures include:

1. Encryption: We employ strong encryption protocols (e.g., Transport Layer Security (TLS)/HTTPS) to protect data transmitted between the Application and servers. Additionally, sensitive personal data stored in our systems (such as account passwords) is encrypted (encryption at rest).
2. Access controls: We enforce strict access controls, permitting only authorized personnel with legitimate business needs to access your personal data. Access rights are regularly reviewed and restricted based on the principle of “least privilege”.
3. Security assessments: We conduct regular security assessments and vulnerability scans to identify and remediate potential threats to our systems.
4. Incident response: We have established an incident response plan to promptly address and manage potential data security incidents.

Although we have taken all reasonable measures to protect your information, please note that no security system is absolutely impenetrable. We cannot guarantee absolute security of our systems, and any risks associated with data transmission shall be borne solely by you.

 

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. The determination of retention periods is based on:

1. Service provision requirements: We retain your personal data while your account remains active or for as long as necessary to provide the “Services”.
2. Legal and regulatory obligations: Certain data may be retained for longer periods if required by law (e.g., tax, accounting, or legal reporting requirements) or to resolve disputes and enforce agreements.

When your personal data is no longer required for the above purposes or after you delete your account, we will take measures to securely delete or anonymize such data in accordance with applicable laws and internal policies.

 

Local Device Data Management

Your smart mattress may temporarily cache recent sleep data locally on the Devices. To ensure you have full control over your data, you can securely delete locally stored data by restoring the Devices to factory settings. This action is irreversible and will delete all personal settings and data on the mattress. You can initiate this action in the Application via: Me > Device Settings > More Settings > Restore Devices to Factory Settings.

 

1. Your Privacy Rights and Choices

You have control over your personal data, and we are committed to enabling you to exercise your rights conveniently and effectively. Depending on the laws of your jurisdiction, you may have the following rights regarding your personal data held by us:

1. Right to access: You have the right to request a copy of the personal data we hold about you and to understand how it is used and disclosed.
2. Right to correction: If you believe that the personal data we hold about you is inaccurate or incomplete, you have the right to request its correction.
3. Right to deletion: Under specific circumstances (e.g., when data is no longer necessary for the purposes for which it was collected), you have the right to request the deletion of your personal data. You may permanently delete your account and associated data through the Application settings.
4. Right to withdraw consent: If our data processing is based on your consent, you have the right to withdraw such consent at any time. For example, you may toggle off the “Physical Data Collection and Analysis” switch in the Application’s device settings to withdraw consent for health data collection. Withdrawal of consent does not affect the lawfulness of processing conducted prior to the withdrawal.
5. Right to data portability: In some jurisdictions, you have the right to request that we provide your personal data in a structured, commonly used, and machine-readable format and, where technically feasible, to transmit it to another company.
6. Right to object/restrict processing: You may have the right to object to or request restrictions on the processing of your data for specific purposes (e.g., direct marketing).
7. Right to lodge a complaint: If you believe that our processing of your personal data violates applicable laws, you have the right to lodge a complaint with the relevant data protection authority. The specific authority depends on your region (e.g., users in Singapore may complain to the Personal Data Protection Commission (PDPC)).

How to Exercise Your Rights

You may exercise many of the above rights directly within the Application via Me > Account & Security settings. For additional assistance or to submit other requests, please contact our Data Protection Officer using the contact details provided in Section 9.

To protect your privacy and security, we are required to verify your identity before processing your requests. We may ask you to provide sufficient information to confirm that you are the authorized holder of the account. We will respond to your requests within the timeframes required by applicable laws. Please note that these rights are not absolute, and in certain legally prescribed circumstances, we may have the right to decline your request.

 

1. Policy Regarding Children

Our “Services” are not directed to minors under the age of 18 (or under the minimum age specified in the relevant jurisdiction, hereinafter referred to as “Children”), and we do not knowingly collect personal data from Children. If we identify a user as a Child, we will proactively terminate the service and delete the data.

If you are a parent or guardian and discover that your Child has provided personal data to us without your consent, please contact us immediately using the contact details in Section 9. If we become aware that we have collected personal data from a Child without parental consent, we will take immediate steps to delete such information from our servers.

 

1. Policy Updates

We may update this Policy from time to time to reflect changes in our data processing practices, updates to the “Services”, or for operational, legal, regulatory, or other reasons.

In the event of material changes to this Policy, we will notify you through prominent means before the changes take effect, such as via in-app notifications, emails to the email address associated with your account, or other methods we deem appropriate. We will also update the “Last Updated Date” at the top of this Policy. Where required by law, we will obtain your consent before implementing new terms. We recommend that you periodically review this Policy to stay informed about how we protect your information.

 

1. Contact Us and the Data Protection Officer (DPO)

The controller responsible for processing your personal data is Mattress International Pte.Ltd.

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our compliance with this Policy and applicable data protection laws. If you have any questions, comments, or concerns regarding this Policy, or wish to exercise your privacy rights, please feel free to contact our Data Protection Officer:

1. Email: derucci_dpo@derucci.com
2. Mailing address:

10 Changi North Street 1 #04-01 MaxCoil,Singapore 498826

Attn: Data Protection Officer

 

Notice for Data Subjects in the United States

This section applies specifically to users residing in the United States, including California residents. It supplements our general Privacy Policy to comply with U.S. state and federal privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

 

Data Collection and Disclosure

The table below describes the categories of personal information we have collected and disclosed for a business purpose in the preceding twelve (12) months. The data collection and usage behaviors remain consistent with those described in Section 2 of this Policy, with the addition of a dedicated data center located in the United States to serve our U.S. users.

Category (as defined by CCPA)	Information Details	Data Sharing
Identifiers	Account email address, encrypted password, country/region, device identifiers (Smart Mattress machine code, MAC address, Device ID, Client ID), and IP address.	Shared with IoT platform providers (Tuya Inc.) and cloud hosting providers for service operation.
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))	Contact details (email), account information, and encrypted password.	Shared with service providers for account management and support.
Commercial information	Smart mattress usage data, firmness adjustment settings, mode selection, and device operation logs.	No (Used internally for service optimization).
Internet or other electronic network activity information	Application version, session ID (sid), operation logs (function click records), OS type/version, language settings, and time zone.	Shared with application analytics and crash reporting providers (e.g., Google Firebase).
Sensitive personal information	Sensitive health data: heart rate and respiratory rate (collected only with your explicit consent).	No (Processed for sleep analysis reports).
Inference information	Sleep quality analysis and personalized sleep insights derived from health and usage data.	No (Provided directly to you).

 

Data Storage

To provide the Services to users in the United States, your personal data is processed and stored on secure servers located in the United States. By using our Services, you acknowledge and consent to the storage and processing of your data within the United States.

 

“Do Not Track” (DNT) Signals

We do not track our users over time and across third-party websites to provide targeted advertising and therefore do not respond to Do Not Track (DNT) signals. However, some third-party sites may track your browsing activities. You may use browser controls to manage cookies and similar technologies.

 

Your Privacy Rights

As a U.S. resident, you may have the following rights regarding your personal information, subject to certain legal limitations:

1. Right to Know and Access: You have the right to request that we disclose what personal information we collect, use, disclose, and sell. You may request the specific pieces of personal information we have collected about you over the past 12 months.
2. Right to Data Portability: You have the right to obtain a copy of your personal information in a portable and, to the extent technically feasible, readily usable format.
3. Right to Rectification: You have the right to request that we correct inaccurate personal information that we maintain about you.
4. Right to Deletion: You have the right to request the deletion of your personal information, subject to certain exceptions (e.g., if the data is necessary to provide the service or comply with a legal obligation).
5. Right to Opt-out of Sale or Sharing: We do not sell your personal information for monetary consideration. However, if our use of certain tracking technologies is deemed a “sale” or “sharing” under state law, you have the right to opt-out.
6. Right to Limit Use of Sensitive Personal Information: We only use sensitive health data (heart rate, respiratory rate) to provide the core sleep monitoring features you have requested. You may withdraw your consent for this collection at any time.
7. Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

 

How to Exercise Your Rights

You may exercise your rights directly within the Application via Me > Account & Security or by contacting our Data Protection Officer at derucci_dpo@derucci.com.

For security reasons, we will verify your identity before processing your request. We aim to respond to verifiable consumer requests within 45 days of receipt. If we require more time, we will inform you of the reason and extension period in writing.

 

“Shine the Light” Law

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes. For inquiries, please contact us at derucci_dpo@derucci.com.