1. Introduction
Welcome to Glewell! We are committed to protecting your privacy and handling your personal information with care, transparency, and respect.
This Privacy Policy explains how Glewell ("we," "us," "our," or "Company") collects, uses, stores, shares, and protects your personal information when you use our wellness platform, including our website, mobile applications, and all associated services (collectively, the "Service" or "Platform").
By using the Service, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree, please do not use the Service.
2. Information We Collect
We collect various types of information to provide, improve, and personalize the Service. The information we collect falls into the following categories:
2.1 Information You Provide Directly
Account Registration Information:
- Full name, email address, date of birth, password
- Profile photo (optional), username or display name
Profile and Preference Information:
- Gender, height, weight, body measurements
- Fitness level and activity preferences
- Dietary preferences and restrictions (vegetarian, vegan, keto, allergies)
- Health goals (weight loss, muscle gain, maintenance)
- Unit preferences (metric or imperial)
Health and Wellness Data:
- Food and Nutrition Logs: Meals, snacks, calorie intake, macronutrients, water intake
- Fitness and Exercise Logs: Workouts, exercises, sets, reps, weights, duration, distance
- Body Measurements: Weight, body fat percentage, muscle mass, BMI
- Health Metrics: Blood pressure, heart rate, sleep duration, menstrual cycle data, pregnancy status
- Progress Photos: Before/after photos, body transformation images
User-Generated Content:
- Posts, comments, and discussions in the community
- Recipes and meal plans you create
- Workout routines you design
- Direct messages to other users
- Challenge entries and competition submissions
Payment Information:
- Billing name and address
- Payment method details (processed securely by third-party payment processors)
- Transaction history and subscription status
2.2 Information Collected Automatically
- Device type, model, operating system and version
- Browser type, screen resolution, unique device identifiers
- IP address and approximate geographic location
- Pages viewed, features used, time spent on screens
- Navigation paths, search queries, date/time of access
- App crashes, errors, and performance metrics
2.3 Information from Third-Party Sources
- Wearable Devices and Health Apps: Data synchronized from fitness trackers and smartwatches
- Social Media: Profile information if you connect social accounts
- Authentication Providers: Basic profile info from Sign in with Apple, Google
- Food Databases: Nutritional information and barcode data
2.4 Sensitive Personal Information
We collect and process certain categories of sensitive personal information with your explicit consent:
- Health data (fitness, nutrition, body measurements, health metrics)
- Biometric data (progress photos, body composition data)
- Precise geolocation data (only if you enable location tracking for fitness activities)
3. How We Use Your Information
3.1 Provide and Improve the Service
- Create and manage your account, authenticate your identity
- Enable food logging, fitness tracking, meal planning, workout tracking
- Provide personalized recommendations, meal plans, workout suggestions
- Deliver AI-powered coaching based on your data, goals, and preferences
- Display progress, trends, charts, and insights through analytics dashboards
- Enable community participation, challenges, and direct messaging
3.2 AI and Machine Learning
- Train and improve our AI models for better personalized recommendations
- Generate AI-powered coaching insights and suggestions
- Analyze patterns in aggregated, anonymized data to improve algorithms
- Develop new AI features and capabilities
3.3 Communication
- Send transactional emails (account confirmations, subscription renewals, password resets)
- Respond to inquiries, support requests, and feedback
- Send important updates about the Service, changes to terms or policies
- Provide customer support and troubleshooting assistance
3.4 Marketing and Promotions (with your consent)
- Send promotional emails, newsletters, and updates about new features
- Display personalized content and recommendations within the Service
- Conduct surveys, questionnaires, and user research
You can opt out of marketing communications at any time by clicking "unsubscribe" in emails.
3.5 Security and Fraud Prevention
- Detect, prevent, and investigate fraud, abuse, security incidents
- Verify user identity and enforce our Terms of Service
- Protect the rights, safety, and property of Glewell, our users, and the public
- Monitor for violations of Community Guidelines
3.6 Legal Compliance
- Comply with legal obligations, court orders, subpoenas, or government requests
- Enforce our Terms of Service and other agreements
- Respond to legal claims and protect our legal rights
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdiction with similar data protection laws, we process your personal information based on the following legal grounds:
5.1 Contractual Necessity
We process your information to fulfill our contract with you (Terms of Service), including creating and managing your account, providing the Service, processing payments, and delivering customer support.
5.2 Consent
We process certain information based on your explicit consent, including:
- Sending marketing communications
- Using precise location data for GPS tracking
- Processing sensitive health data
- Connecting third-party integrations
You may withdraw consent at any time by contacting us.
5.3 Legitimate Interests
We process information based on our legitimate business interests, including:
- Improving and personalizing the Service
- Conducting research and development
- Ensuring security and preventing fraud
- Analyzing usage patterns and performance
5.4 Legal Obligations
We process information to comply with legal requirements, such as tax and accounting obligations, responding to legal requests and court orders, and complying with regulatory requirements.
5.5 Granular Consent Management (GDPR Compliance)
Cookie Consent Banner:
When you first visit our Service, you will see a cookie consent banner that allows you to:
- Accept All: Consent to all cookie categories (essential, functional, analytics, advertising)
- Reject All Non-Essential: Accept only essential cookies, reject all others
- Customize Preferences: Choose specific cookie categories to accept or reject
- Learn More: View detailed information about each cookie category and specific cookies
Cookie Categories and Granular Control:
Essential Cookies (Cannot Be Disabled):
- Required for core Service functionality
- Authentication, security, session management
- Legal basis: Contractual necessity
Functional Cookies (Optional):
- Toggle on/off independently
- Remember preferences, recent searches, tutorial progress
- Legal basis: Consent
Analytics and Performance Cookies (Optional):
- Toggle on/off independently
- Usage analytics, performance monitoring, error tracking
- Legal basis: Consent (or legitimate interest where permitted)
Advertising and Marketing Cookies (Optional):
- Toggle on/off independently
- Personalized advertising, conversion tracking, retargeting
- Legal basis: Consent
How to Manage Consent:
Initial Consent (First Visit):
- Cookie banner appears on first visit
- You can accept all, reject non-essential, or customize preferences
- Your choice is saved for 12 months
- You can change preferences at any time
Changing Consent (Anytime):
- In-App: Settings > Privacy > Cookie Preferences
- Website: "Cookie Policy" page, linked in the footer
- Browser: Manage cookies through browser settings
- Delete Cookies: Clear browser cookies to reset consent (banner will reappear)
Consent Withdrawal:
- You can withdraw consent at any time
- Withdrawal does not affect lawfulness of processing based on consent before withdrawal
- We will stop processing based on withdrawn consent going forward
- Essential cookies will continue to function (required for Service)
Consent for Specific Processing:
Marketing Communications:
- Opt-in required for promotional emails and SMS
- Checkbox during account registration (unchecked by default)
- Unsubscribe link in every marketing email
Precise Location Tracking:
- Opt-in required via device permissions
- Requested only when you use location-based features
- Disable in device settings or app settings anytime
- Can use Service without enabling location
Health Data Processing:
- Implicit consent by using health features (food logging, fitness tracking)
- Explicit consent for sensitive features (pregnancy, postpartum and senior modes, body composition analysis)
- Clear disclosure before data collection begins
- Opt-out by not using specific features
Third-Party Integrations:
- Explicit consent before connecting wearables, health apps
- Authorization screen explains what data will be shared
- Disconnect anytime in Settings
- Revoking access stops future data sharing
AI and Machine Learning:
- Does not affect your use of AI features (recommendations still provided)
- Applies prospectively (previously contributed anonymized data remains in training sets)
Consent Records:
We maintain records of your consent choices:
- Date and time of consent
- Consent method (banner, settings, device permissions)
- Specific purposes consented to
- IP address and device information
- Consent version (linked to Privacy Policy version)
GDPR Right to Withdraw Consent:
Under GDPR Article 7(3), you have the right to withdraw consent at any time. Withdrawal is as easy as giving consent:
- Same interface used for consent (Settings > Privacy)
- One-click withdrawal available
- Clear confirmation message
- No adverse consequences for withdrawal (except loss of features dependent on that processing)
7. Third-Party Services and Integrations
7.1 Third-Party Data Collection
When you use third-party integrations or visit external websites linked from our Service, those third parties may collect information about you according to their own privacy policies. We are not responsible for the privacy practices of third parties.
Examples of third-party services:
- Wearable device manufacturers (fitness trackers, smartwatches)
- Health and fitness apps that sync with Glewell
- Payment processors (e.g., Stripe, PayPal)
- Social media platforms
- Cloud infrastructure and AI/ML service providers
7.2 Data Sharing with Third Parties
We share only the minimum data necessary for third-party integrations to function. You can disconnect third-party services at any time through your account settings.
8. Data Retention
8.1 Retention Periods
We retain your personal information for as long as necessary to:
- Provide the Service and fulfill the purposes described in this Privacy Policy
- Maintain your account and subscription
- Comply with legal, regulatory, tax, and accounting obligations
- Resolve disputes and enforce our agreements
- Prevent fraud and abuse
8.2 Retention by Data Type
Account and Profile Information: Retained while your account is active, plus up to 90 days after account deletion to allow for recovery or address disputes.
Health and Wellness Data: Retained while your account is active. Deleted within 90 days after account deletion, except as required by law.
Payment and Transaction Data: Retained for at least 7 years to comply with tax and accounting regulations.
Analytics and Usage Data: Aggregated, anonymized data may be retained indefinitely for research and analysis. Individual-level usage data is retained for up to 2 years.
8.3 Data Deletion
When data is deleted, it is removed from active systems and databases. Backups are purged according to our backup retention schedule (typically within 90 days). Aggregated, anonymized data derived from deleted personal information may be retained indefinitely.
9. Data Security
9.1 Security Measures
We implement industry-standard technical, administrative, and physical security measures to protect your information:
Technical Safeguards:
- Encryption: Data encrypted in transit using TLS/SSL and at rest using AES-256
- Secure Authentication: Passwords hashed and salted using bcrypt
- Firewalls: Network firewalls and web application firewalls (WAF)
- Access Controls: Role-based access controls (RBAC) limit employee access
- Intrusion Detection: Monitoring systems detect suspicious activity
Administrative Safeguards:
- Regular security and privacy training for all employees
- Background checks for employees with access to sensitive data
- Confidentiality agreements for all employees and contractors
- Incident response plan for security incidents
9.2 Security Limitations
Despite our security measures, no system is 100% secure. We cannot guarantee absolute security against all threats, including hacking, phishing, malware, or unauthorized access due to weak passwords.
9.3 Your Responsibility
- Strong Passwords: Use a unique, strong password and do not share it
- Two-Factor Authentication: Enable 2FA from the settings page
- Secure Devices: Keep your devices and software up to date
- Public Wi-Fi: Avoid accessing sensitive information over unsecured networks
- Report Incidents: Notify us immediately if you suspect unauthorized access
9.4 Data Breach Notification
In the event of a data breach affecting your personal information, we will investigate and contain the breach promptly, notify affected users via email within 72 hours, notify relevant regulatory authorities as required, and provide information about the breach and steps you can take to protect yourself.
10. Your Privacy Rights
10.1 Account Access and Management
You can access and manage your information at any time through your account settings:
- View and update your profile information
- Change your email, password, or other account details
- Adjust privacy settings and preferences
- Manage third-party integrations
- Download your data
- Delete specific logs or content
10.2 Rights Available to All Users
Right to Access: Request a copy of the personal information we hold about you
Right to Correction: Correct inaccurate or incomplete personal information
Right to Deletion: Request deletion of your personal information (subject to legal exceptions)
Right to Data Portability: Receive your personal information in a structured, machine-readable format
Right to Withdraw Consent: Withdraw consent for processing based on consent at any time
Right to Object: Object to processing based on legitimate interests; opt out of personalized advertising
10.3 How to Exercise Your Rights
To exercise any of these rights:
- Email: privacy@glewell.com with your request
- Account Settings: Use in-app tools for access, correction, deletion, and data export
- Identity Verification: We may request additional information to verify your identity
Response Time: We will respond to requests within 30 days (or as required by applicable law). Complex requests may take up to 60 days; we will notify you of any delay.
11. Age Requirements and Privacy
11.1 Minimum Age Requirement
The Service is intended for users aged 18 years and older. We do not knowingly collect, use, or disclose personal information from individuals under 18 years of age.
11.2 Verification and Enforcement
By creating an account, you represent and warrant that you are at least 18 years old. We may request proof of age at any time, and accounts found to belong to users under 18 will be immediately terminated.
If we learn that we have collected personal information from anyone under 18 without proper verification, we will delete that information promptly.
11.3 Parental Notice
Parents and Guardians: If you believe someone under 18 has provided personal information to Glewell, please contact us immediately at privacy@glewell.com and we will take appropriate action to remove such information and terminate the account.
11.4 Health and Safety Considerations
The 18+ age requirement is in place because:
- Health and fitness recommendations may not be appropriate for developing bodies
- Nutrition tracking requires mature judgment and understanding
- Users should be able to make independent healthcare decisions
- The Service is not designed for pediatric health needs
12. International Data Transfers
12.1 Cross-Border Data Transfers
Glewell operates globally, and your information may be transferred to, stored, and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your jurisdiction.
When we transfer your information internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): EU-approved clauses for transfers from the EEA/UK
- Adequacy Decisions: Transfers to countries deemed adequate by regulatory authorities
- Your Consent: We may obtain your explicit consent for international transfers
12.2 Primary Data Locations
Your data may be stored and processed in the following regions:
- European Union: For EU/EEA users to comply with GDPR
- United States: Cloud infrastructure and service providers
- Other Regions: As necessary to provide the Service globally
Regardless of where your data is processed, we maintain the same high standards of data protection and security.
13. California Privacy Rights (CCPA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
13.1 Categories of Personal Information We Collect
We collect: Identifiers, personal information, protected classifications, commercial information, biometric information, internet/network activity, geolocation data, sensory information, and inferences.
13.2 Business Purposes for Collection
We use personal information for providing and improving the Service, personalization, AI recommendations, marketing, security, fraud prevention, and legal compliance.
13.3 Sharing and Disclosure
We do not sell personal information. We share information with service providers, business partners, third-party integrations you enable, analytics partners, and legal/regulatory authorities when required.
13.4 California Consumer Rights
- Right to Know: Request disclosure of categories and specific pieces of personal information we collect
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: We do not sell information; you can opt out of targeted advertising
- Right to Limit Use: Request limitation on use of sensitive personal information
- Right to Non-Discrimination: We will not discriminate for exercising your rights
13.5 How to Exercise Your Rights
Email privacy@glewell.com with subject "California Privacy Rights Request". We will respond to verified requests within 45 days.
14. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have specific rights under the General Data Protection Regulation (GDPR).
14.1 GDPR Rights
- Right of Access (Article 15): Obtain confirmation of whether we process your personal data and access your information
- Right to Rectification (Article 16): Correct inaccurate or incomplete personal data
- Right to Erasure / "Right to Be Forgotten" (Article 17): Request deletion of your personal data
- Right to Restriction (Article 18): Restrict how we use your personal data
- Right to Data Portability (Article 20): Receive your data in machine-readable format
- Right to Object (Article 21): Object to processing based on legitimate interests or direct marketing
- Rights Related to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
14.2 How to Exercise Your Rights
Contact us at privacy@glewell.com. We will respond to requests within one month (extendable by two months for complex requests).
14.3 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or where an alleged infringement occurred. We encourage you to contact us first so we can address your concerns directly.
14A. Comprehensive Privacy Disclosures
14A.1 Not Medical Advice
IMPORTANT: The Service is for informational and educational purposes only and is not a substitute for professional medical advice, diagnosis, or treatment.
- Not a Medical Device: Glewell is not a medical device and is not intended to diagnose, treat, cure, or prevent any disease
- Consult Healthcare Providers: Always seek the advice of your physician or other qualified health provider with any questions about your medical condition
- Emergency Situations: Never disregard professional medical advice or delay seeking it because of information provided through the Service
- No Doctor-Patient Relationship: Use of the Service does not create a doctor-patient relationship between you and Glewell
14A.2 AI-Generated Content Limitations
Our AI coaching feature provides automated suggestions based on algorithms and data patterns:
- Not Personalized Medical Advice: AI recommendations are general wellness suggestions, not personalized medical advice
- May Contain Errors: AI-generated content may be inaccurate, incomplete, or inappropriate for your specific situation
- Human Oversight Recommended: Always verify AI suggestions with qualified healthcare professionals
- Your Responsibility: You are solely responsible for decisions made based on AI-generated content
- Continuous Improvement: Our AI models are continuously updated, but accuracy cannot be guaranteed
14A.3 Special Health Mode Data (Pregnancy, Postpartum, and Senior Modes)
Pregnancy Mode:
If you enable Pregnancy Mode, we collect additional sensitive information:
- Pregnancy Status: Confirmation of pregnancy, due date, trimester
- Pregnancy-Related Metrics: Weight gain, symptoms, medical appointments
- High-Risk Indicators: We flag potentially concerning data but do not provide medical guidance
- Emergency Warnings: The Service may display warnings for certain activities or metrics, but these are not medical diagnoses
- Healthcare Provider Sharing: We recommend sharing your Glewell data with your healthcare provider
- Data Sensitivity: Pregnancy data is treated as highly sensitive and processed with explicit consent only
PREGNANCY DISCLAIMER: If you are pregnant or planning to become pregnant, consult your healthcare provider before using any fitness, nutrition, or wellness program. Certain activities, diets, or supplements may be unsafe during pregnancy.
Postpartum Mode:
If you enable Postpartum Mode, we collect additional sensitive information:
- Postpartum Status: Delivery date, recovery stage, breastfeeding status
- Recovery Metrics: Weight changes, energy levels, physical recovery progress
- Breastfeeding Data: Feeding schedules, nutrition needs, caloric adjustments
- Mental Health Indicators: Mood tracking, sleep quality, stress levels (postpartum-specific)
- Exercise Modifications: Pelvic floor safety, core recovery, activity restrictions
- Healthcare Provider Sharing: We recommend sharing your postpartum data with your healthcare provider
- Data Sensitivity: Postpartum data is treated as highly sensitive and processed with explicit consent only
POSTPARTUM DISCLAIMER: Postpartum recovery is a critical period requiring medical supervision. Consult your healthcare provider before resuming exercise or making significant dietary changes. The Service provides general wellness guidance only, not medical advice for postpartum recovery.
Senior Mode:
If you enable Senior Mode, we collect and adjust recommendations based on age-specific data:
- Age and Health Status: Date of birth, general health conditions, mobility level
- Senior-Specific Metrics: Bone health, balance, flexibility, medication considerations
- Safety Modifications: Exercise intensity adjustments, fall prevention considerations, joint-friendly activities
- Nutrition Adjustments: Age-appropriate caloric needs, protein requirements, nutrient density focus
- Chronic Condition Management: Optional tracking for common senior health concerns (with healthcare provider approval)
- Healthcare Provider Sharing: We recommend sharing your senior wellness data with your healthcare provider
- Data Sensitivity: Senior health data is treated as sensitive and processed with explicit consent only
SENIOR MODE DISCLAIMER: Senior wellness requires special considerations for safety and health. Consult your healthcare provider before starting any new fitness or nutrition program, especially if you have chronic conditions, take medications, or have mobility limitations. The Service is not a substitute for medical care or physical therapy.
14A.4 Biometric Data Processing
We process biometric data with special protections:
- Progress Photos: Photos you upload are encrypted and stored securely
- Body Composition Analysis: If you use body scanning features, biometric measurements are processed locally on your device when possible
- Facial Recognition: We do not use facial recognition technology
- Fingerprint/Face ID: If you enable biometric authentication, this data is stored locally on your device and never transmitted to our servers
- Retention: Biometric data is deleted within 30 days of account deletion unless you request immediate deletion
14A.5 Mental Health and Wellness Data
We may collect information related to mental wellness:
- Mood Tracking: Self-reported mood, stress levels, sleep quality
- Wellness Check-Ins: Responses to wellness questionnaires
- Crisis Resources: If you indicate distress, we may provide crisis helpline resources
- No Mental Health Treatment: The Service does not provide mental health treatment or therapy
- Crisis Situations: If you are experiencing a mental health crisis, please contact emergency services or a crisis helpline immediately
Mental Health Resources:
- National Suicide Prevention Lifeline (US): 988
- Crisis Text Line: Text "HELLO" to 741741
- International: iasp.info/resources/Crisis_Centres/
14A.6 Community Content Moderation
Our community features involve user-generated content:
- Content Monitoring: We use automated tools and human moderators to review community posts
- Prohibited Content: Content violating Community Guidelines is removed
- Reporting Mechanisms: Users can report inappropriate content or behavior
- Account Suspension: Violations may result in temporary or permanent account suspension
- No Privacy for Public Posts: Content you share publicly in the community is visible to all users
- Direct Messages: Private messages are encrypted in transit but may be reviewed if abuse is reported
14A.7 Third-Party SDKs and Libraries
The Service uses third-party software development kits (SDKs) and libraries:
Analytics and Performance:
- Google Analytics (Firebase): App usage analytics and crash reporting
- Sentry: Error tracking and performance monitoring
Cloud Infrastructure and Hosting:
- Render: Cloud hosting and deployment platform
- Supabase: Backend infrastructure, database, and file storage
- Cloudflare: Content delivery and DDoS protection
Database and Storage:
- Supabase: PostgreSQL database, real-time subscriptions, and object storage
Payment Processing:
- LemonSqueezy: Payment processing and subscription management
- Apple In-App Purchase / Google Play Billing: Mobile app purchases
Communication:
- Brevo (formerly Sendinblue): Transactional and marketing emails, SMS
- SendPulse: Email marketing and automation
- Twilio: SMS notifications (if enabled)
- OneSignal: Push notifications
AI and Machine Learning:
- OpenAI API: Natural language processing for AI coaching
- Google Cloud AI: Image recognition for food logging
Authentication:
- Supabase Auth: User authentication and session management
- Sign in with Apple: Apple ID authentication
- Google Sign-In: Google account authentication
Social Integrations:
- Facebook SDK: Social sharing and authentication
Each third-party SDK collects data according to its own privacy policy. We select providers with strong privacy and security practices, but we cannot control their data handling.
Your Control: You can disable certain third-party integrations through account settings (e.g., social sharing, analytics cookies).
14A.8 Marketing and Advertising Practices
Email Marketing:
- Frequency: We may send promotional emails up to 2 times per week
- Opt-Out: Click "unsubscribe" in any email or adjust preferences in account settings
- Transactional Emails: Account-related emails (e.g., password resets) cannot be disabled
Push Notifications:
- Types: Promotional offers, feature updates, community activity, reminders
- Opt-Out: Disable in device settings or app settings
- Frequency Control: You can set "quiet hours" to avoid notifications during certain times
In-App Advertising:
- Free Users: May see relevant ads for third-party products/services
- Premium Users: No third-party advertising
- Ad Personalization: Based on your activity and preferences (you can opt out)
- Third-Party Ad Networks: We may use ad networks that collect data for targeted advertising
Retargeting and Remarketing:
- We may display ads to you on other platforms (e.g., Facebook, Google) based on your interaction with our Service
- You can opt out of interest-based advertising through Digital Advertising Alliance or Network Advertising Initiative
Affiliate and Referral Programs:
- We may earn commissions from affiliate links to products/services we recommend
- Referrals: If you refer friends, we may provide rewards (see Terms of Service for details)
- We do not sell user lists to third parties for their marketing
14A.9 Account Deletion and Data Portability Details
Account Deletion Process:
- Go to Settings > Account > Delete Account
- Confirm your identity (password or 2FA)
- Review what will be deleted
- Receive informal email with deletion details
What Happens When You Delete Your Account:
Immediate Actions:
- Your profile becomes inaccessible to other users
- You are logged out of all devices
- Scheduled emails and notifications are cancelled
- Third-party integrations are disconnected
Permanent Deletion (within 90 days):
- Account and profile information deleted
- Health and wellness data deleted
- User-generated content removed (except public posts that cannot be attributed to you)
- Backups purged within 90 days
What Is NOT Deleted:
- Aggregated, anonymized data used for research and analytics
- Transaction records (retained for 7 years for tax compliance)
- Data required for legal compliance or pending disputes
- Copies of public community posts (username removed)
14A.10 Data Processing for Research and Analytics
Aggregated Research:
We may use aggregated, anonymized data for:
- Public Health Research: Contributing to studies on nutrition, fitness, and wellness trends
- Academic Partnerships: Collaborating with universities and research institutions
- Industry Reports: Publishing anonymized insights and benchmarks
- Product Improvement: Analyzing patterns to improve features and recommendations
Anonymization Process:
- All personally identifiable information is removed
- Data is aggregated across large groups (minimum 1,000 users)
- Re-identification safeguards are applied
- No individual user can be identified from aggregated data
Opt-Out of Research:
- You can opt out of research data use in Settings > Privacy > Research Participation
- Opting out does not affect your use of the Service
- Previously contributed aggregated data cannot be removed (it's already anonymized)
14A.11 Payment Security and PCI Compliance
Payment Card Industry (PCI) Standards:
- We are PCI-DSS Level 1 compliant through our payment processors (LemonSqueezy, Stripe, Apple, Google)
- We do not store your full credit card number on our servers
- Payment data is tokenized and encrypted
Payment Information We Store:
- Last 4 digits of card number (for identification)
- Card brand (Visa, Mastercard, etc.)
- Expiration date
- Billing address
- Transaction history
Payment Information We Do NOT Store:
- Full credit card number
- CVV/CVC security code
- Bank account login credentials
14A.12 Automated Decision-Making and Profiling
What Is Automated Decision-Making:
We use algorithms and AI to make certain automated decisions, such as:
- Personalized meal and workout recommendations
- Daily calorie and macro targets
- Progress predictions and goal timelines
- Content recommendations in community feed
- Identification of potential health trends or concerns
Profiling:
We create user profiles based on:
- Your stated goals and preferences
- Historical activity and behavior patterns
- Health metrics and progress data
- Engagement with features and content
- Comparison with similar users (cohort analysis)
Your Rights:
- Human Review: You can request human review of automated decisions that significantly affect you
- Explanation: You can ask for an explanation of how a specific recommendation was generated
- Opt-Out: You can opt out of certain automated processing (may limit personalization)
- Override: You can manually adjust AI-generated targets and recommendations
14A.13 Dispute Resolution and Governing Law
Governing Law:
This Privacy Policy shall be governed by and construed in accordance with applicable laws, without regard to conflict of law principles.
Jurisdiction:
Any disputes arising from or relating to this Privacy Policy shall be subject to the jurisdiction of the competent courts, in accordance with applicable law.
EU/UK Users:
EU and UK users retain the right to bring complaints to their local data protection authority and courts, regardless of governing law provisions.
14A.14 Insurance and Liability Limitations
Data Breach Insurance:
We take appropriate security measures to protect personal data and continuously review and improve our safeguards in line with industry standards.
Limitation of Liability:
To the maximum extent permitted by law, we are not liable for damages arising from unauthorized access to your data caused by your failure to secure your account, or for data breaches affecting third-party services you connect to our platform.
14A.15 Specific Protections for Vulnerable Populations
Users with Chronic Conditions:
- We do not diagnose or treat medical conditions
- All AI suggestions are general wellness advice, not medical treatment
Users with Eating Disorders:
- We provide resources for eating disorder support
- Certain features (e.g., extreme calorie restriction) include warnings
- We encourage users with eating disorders to consult healthcare providers before using the Service
14A.16 Business and Employer Wellness Programs (B2B)
If your employer provides Glewell as part of a corporate wellness program:
What Your Employer Can See: Aggregated data only (participation rates, average engagement). No individual health metrics, food logs, weight, or personal activity unless you explicitly share it.
What Your Employer CANNOT See: Your specific meals, workouts, health measurements, weight, body composition, progress photos, community posts, private messages, goals, or individual usage patterns.
Your Privacy Rights: Your health data remains private even if your employer pays for the service. You can opt out of employer reporting while still using the Service. If you leave your job, you can convert to an individual account and retain your data.
HIPAA Considerations (US): Corporate wellness programs are generally NOT covered by HIPAA. Glewell is not a covered entity.
14A.2 Geolocation and GPS Tracking
Approximate Location (Always Collected): Based on IP address (city/region level). Used for timezone settings, regional content, fraud prevention.
Precise GPS Location (Optional): Collected only if you enable location services. Used for healthy food finder, outdoor workout tracking (running, cycling routes), location-based challenges, nearby gym finder.
What We Track: Workout routes, distance, elevation, location history, geofencing alerts.
Privacy Controls: Disable background tracking anytime. Location data deleted within 90 days of account deletion.
14A.3 Voice and Video Data
Voice Commands: Temporarily stored to process commands (e.g., "Log 200 calories"). Processed by third-party AI services. Voice recordings deleted immediately after processing.
Video Content: User-uploaded videos stored encrypted. AI may analyze form and technique (processed locally when possible). Videos private unless you share them. Deleted within 30 days of account deletion.
Live Video Classes: Your video/audio can be shared with instructors and participants if you enable camera/mic. You can participate with camera/mic off.
14A.4 Machine Learning and AI Training
How Your Data Trains Our AI: We use anonymized, aggregated data to train and improve AI models for food recognition, workout recommendations, and progress predictions.
Anonymization Process: All personally identifiable information removed before training. Data aggregated across thousands of users. We apply differential privacy techniques to prevent re-identification.
Your Control: Opt out of AI training data contribution by contacting us.
14A.5 Accessibility and Accommodations
Standards Compliance: WCAG 2.1 Level AA, ADA Compliance, Section 508 Compliance.
Accessibility Features: Screen reader support (VoiceOver, TalkBack), adjustable font sizes, high contrast modes, keyboard navigation, alternative text for images, closed captions for videos, voice control compatibility.
Disability-Related Data: Voluntary disclosure, treated as highly sensitive, used only for accommodations, never shared with employers or third parties.
Contact accessibility@glewell.com for accessibility support.
14A.6 Data Backup and Disaster Recovery
Backup Locations: Primary (AWS US West, Northern California)
Backup Frequency: Real-time replication for critical data, daily full database backups, weekly archives, monthly long-term retention.
Recovery Objectives: 4-hour Recovery Time Objective (RTO), 1-hour Recovery Point Objective (RPO - maximum data loss).
Data Destruction in Backups: Active databases purged immediately upon account deletion. Daily backups purged within 30 days. Weekly backups purged within 90 days.
Security of Backups: AES-256 encryption at rest, TLS 1.3 in transit, access restricted to authorized personnel only.
14A.7 Law Enforcement and Government Requests
When We Disclose Data: Valid subpoenas, court orders, search warrants, national security letters (where permitted), emergency requests (imminent threat of death or serious injury).
What We Require: Valid legal process, narrow scope, user notice (unless legally prohibited), legal review of all requests.
User Notification: We notify users within 7 days unless legally prohibited (sealed court order, national security letter), emergency circumstances, or notification would compromise investigation.
Transparency Report: We have annual transparency reports that include the number of government requests, accounts affected, types of requests, disclosure rate, and challenges filed.
14A.8 Complete Cookie Vendor List
Essential Cookies: accessToken (authentication), refreshToken (authentication), csrf_token (security), user_preferences (language, units, timezone).
Analytics Cookies: Google Analytics (_ga, _gid, _gat), Firebase (firebase_analytics), Amplitude (amplitude_id), Mixpanel (mixpanel_distinct_id).
Advertising Cookies: Facebook (_fbp), Google Ads (_gcl_au), DoubleClick (IDE), Twitter (personalization_id).
Opt-Out Links:
- Google Analytics: tools.google.com/dlpage/gaoptout
- Facebook: facebook.com/ads/preferences
- DAA Opt-Out: optout.aboutads.info
- NAI Opt-Out: optout.networkadvertising.org
14A.9 Beta Features and Experimental Programs
Early Access Programs: You may be invited to test unreleased features. Beta testing involves increased logging, feedback forms, error reports, and optional screen recordings.
A/B Testing: We conduct A/B tests to improve the Service. You may be randomly assigned to test groups and see different features or interfaces than other users.
Your Control: Participation is voluntary. Opt out at any time. Request deletion of beta-related data. Beta data subject to same privacy protections as regular data.
14A.10 Data Processing Agreements and Vendor Management
Vendor Requirements: All vendors sign Data Processing Agreements (DPAs), maintain ISO 27001 or SOC 2 Type II certification, comply with GDPR/CCPA, undergo annual security audits.
Key Subprocessors:
- Infrastructure: Render (cloud hosting), Supabase (backend infrastructure, database, storage), Cloudflare (CDN)
- Analytics: Google Analytics, Firebase, Sentry (error tracking)
- Communication: Brevo (email marketing), SendPulse (email automation), Twilio (SMS), OneSignal (push notifications)
- Payment: LemonSqueezy (payment processing), Apple In-App Purchase, Google Play Billing
- AI/ML: OpenAI (NLP), Google Cloud AI (image recognition)
- Authentication: Supabase Auth (user authentication and session management)
Full subprocessor registry: Contact privacy@glewell.com
Vendor Changes: We notify you 30 days before adding new subprocessors. You can object and terminate your subscription if needed.
14A.11 Data Anonymization Techniques
K-Anonymity: Each record indistinguishable from at least 999 other records (k=1000). Ensures no individual can be singled out.
Differential Privacy: Mathematical guarantee of privacy by adding calibrated noise to datasets. Protects individual privacy while preserving statistical accuracy.
Data Aggregation: Combining data from multiple users. Minimum group size: 1,000 users. Suppression of small cell sizes.
Pseudonymization: Replacing identifiers with pseudonyms. Separate storage of key mappings. Can be reversed only by authorized personnel.
Hashing: One-way cryptographic hashing (SHA-256 or stronger). Cannot be reversed to original data. Used for passwords in logs.
14A.12 Referral Programs and Affiliate Marketing
Referral Program Data: We collect your email, name, referral code, referee information, and relationship tracking.
What We Share: With referee: Your first name and that you invited them. With you: Confirmation of signup (not their personal data). Not shared with third parties.
Privacy Considerations: Only refer people you know. Do not spam or send unsolicited referrals. Referees can opt out of communication.
Affiliate Links: We track clicks and conversions through unique affiliate links. Commission tracking uses cookies (disclosed to users).
14A.13 Privacy Policy Versioning
Current Version: 1.0
Last Updated: January 1, 2026
Material Changes: New categories of personal information collected, new purposes for using data, sharing with new types of third parties, reducing privacy rights, changes to retention periods.
Non-Material Changes: Clarifications, formatting changes, adding detail without changing substance, updating contact information, fixing typos.
15. Changes to This Privacy Policy
15.1 Updates and Revisions
We may update this Privacy Policy from time to time to reflect changes to our data practices, new features or services, legal or regulatory requirements, or feedback from users.
15.2 Notification of Changes
When we make material changes to this Privacy Policy, we will:
- Update the "Last Updated" date at the top of this document
- Notify you via email (to the address associated with your account)
- Display a prominent notice within the Service or on our website
- Request your consent if required by law
15.3 Your Acceptance
Your continued use of the Service after changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree to the changes, you should stop using the Service and may delete your account.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: