Basically, we can do whatever we want with your data.
You put your data into zScore at your own risk. In general, we’re not unreasonable people, and will try to respect the privacy settings you set in zScore. On the other hand, we also screw up sometimes, so we make no guarantees; it’s possible that we’ll accidentally let everyone on the internet see everything you’ve ever entered. Similarly, most days we won’t use our backend access to get data that we couldn’t otherwise, but some days we might be feeling evil, and we definitely reserve the right to abuse our power. Nobody’s asked us if they can buy user sleep data yet, so we don’t know what we will do if someone does. We will also compute and publish aggregate stats if they’re interesting. In general we’ll try not to expose individual data in those, but again, we might screw up.
Regarding the NSA and PRISM: whether or not we can, we won't confirm or deny whether we're currently providing user data to any government agencies. We aren't responsible for any black helicopters, unmanned drones, crazy penguins, or FBI agents that visit right after you go to sleep. We're working on a mobile app with push notifications to any monsters that may be hiding under your bed.
Regarding passwords and security: our passwords are hashed using PBKDF2_SHA256, which the cryptographers claim is plenty secure. If you use the site over HTTP (the default), though, anyone on your Wi-Fi network can probably read your password if they know what they're doing. If you want the NSA to have to do a bit more work to get your password, use our secure site at https://zscore.mit.edu. That said, if we're feeling evil, we can impersonate our secure server, so if you use your zScore password on any other sites, expect us to hack your accounts soon.
Our warrant canary: We have not been served with any warrants, National Security Letters, NSA PRISM requests, or requests under sections 213, 214, 216, or 217 of the USA PATRIOT Act. We also haven't been asked for data by any members of the MIT administration. If we do get any of those, we will probably leave this message here, because we aim to confuse.