Privacy Policy
Last updated: 1 May 2026
Your privacy matters
The Wellness App is designed to be a calm, private space for tracking your wellbeing. We take your privacy seriously and are committed to protecting your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
What we collect
- Account information: your email address, first name, and last name when you register.
- Check-in data: daily wellness tracking entries including pain levels, fatigue, sleep quality, mood, and brain fog scores.
- Journal entries: encrypted at rest using AES-128-CBC (Fernet). We cannot read your journal entries.
- Quiz responses: your wellness assessment answers, used to personalise your experience.
- Community posts: content you choose to share publicly in the community feed.
- Payment information: processed securely by Stripe. We store only your Stripe customer ID, never your card details.
How we use your data
- To provide and personalise your wellness tracking experience.
- To generate AI wellness summaries from your own self-reported data only.
- To send you email notifications about sessions and insights (you can unsubscribe at any time).
- To process your subscription payments via Stripe.
We never use your health data for advertising, sell it to third parties, or use it to train AI models.
AI wellness summaries
Our AI summaries are generated using the Anthropic Claude API. Your check-in data is sent to this API to generate a plain-English summary of your own trends. This data is not used to train the AI model and is not retained by Anthropic after processing.
AI summaries are not medical advice. They simply reflect patterns in your own self-reported data.
Data storage & security
- All data is stored on AWS servers in the eu-west-2 (London) region.
- Journal entries are encrypted at rest using Fernet (AES-128-CBC).
- All connections use TLS 1.3 encryption in transit.
- Passwords are hashed using PBKDF2 with SHA-256.
- We use Cloudflare for DDoS protection and WAF.
Your rights (GDPR)
Under UK GDPR, you have the right to:
- Access: download all your data as a JSON file from your profile settings.
- Rectification: edit your personal information at any time.
- Erasure: delete your account and all associated data from your profile settings.
- Portability: export your data in a machine-readable format.
- Withdraw consent: unsubscribe from emails or delete your account at any time.
Cookies
We use only essential cookies required for authentication (session tokens). We do not use tracking cookies, analytics cookies, or advertising cookies.
Contact
For privacy-related enquiries, please contact us at privacy@wellness.app.
Data controller: Instant GP Limited, London, United Kingdom.