Privacy Policy

LeWell ("we", "our", "us") is a science-based wellness learning platform. This Privacy Policy explains how we collect, use, and protect your personal information across our marketing site (lewell.app) and our web and mobile (iOS and Android) apps. The data controller is LEWELL Co., Ltd., Bangkok, Thailand. Contact: privacy@lewell.app.

Waitlist: If you join our waitlist on the marketing site, we collect your email address and the page you signed up from.

Account information: Email address, username, and password (stored as a salted hash, never in plaintext). If you sign in with Google or Apple, we receive the email address you authorise and a provider-issued user identifier, but never your provider password or other account data. Apple may provide a private relay email address instead of your real address.

Profile and preferences: Information you set to tailor the experience, such as your learning goals, daily goal time, preferred units (metric or imperial), and your timezone (used to schedule reminders and resolve your local day).

Health and wellness data: To personalize practices and let you track progress, we collect wellness information you enter: date of birth, biological sex, height and weight; daily check-ins such as mood and affect ratings; activity and intake logs such as steps, water, and nutrient amounts; and health metrics you choose to record (for example resting heart rate, heart rate variability, VO2 max, blood glucose, blood lipids, and sleep). Some of this is health-related and, where applicable, is treated as special-category or sensitive personal data. We collect it only when you enter it, and we process it on the basis of your consent to provide these features.

Usage data: Lesson and practice completion records, quiz responses and scores, XP, gold, gem, and streak data, challenge completion logs, and social activity (follows, friend connections, reactions).

Practice responses:Some practices and mood check-ins ask you to write a short reflection. These responses are sent to Anthropic's Claude API for instant validation and feedback. Anthropic does not retain or train on the responses we send. Some responses (such as commitments you set for yourself, and your recorded check-ins and metrics) are stored on our servers as part of your record so you can return to them later.

Analytics: We use PostHog to understand how the product is used: which screens you view and for how long, which features you use, how long lessons and practices take to complete, and retention over time. PostHog data is stored in the EU. On iOS, on-device analytics require you to accept App Tracking Transparency; if you decline, the app collects no analytics events from your device. We also record a small number of first-party operational events on our own servers (for example, when a subscription is activated or a notification is sent) to run and bill the service. These are tied to your account, are never used for advertising or cross-app tracking, and are not affected by your App Tracking Transparency choice.

Crash diagnostics: We use Sentry to capture crash reports and performance diagnostics. These may include device model, OS version, app version, and the technical context of an error. They do not include the contents of your personal data.

Device information: Where your browser or device supports it, we store push notification tokens to deliver notifications, via Web Push (browsers), Firebase Cloud Messaging (Android), and Apple Push Notification service (iOS).

• Send launch updates if you joined the waitlist
• Create and maintain your account and track your progress
• Unlock lessons, award XP and gold, and maintain streaks
• Validate written practice responses and return immediate feedback
• Personalize practice targets and recommendations (for example, protein and hydration targets based on your body data)
• Show your progress, trends, and history for the check-ins and metrics you track
• Send streak reminders, challenge reminders, routine reminders, and social notifications at the right local time
• Understand how the product is used so we can improve it
• Detect and fix crashes and performance issues

We do not sell your personal data. We use the following sub-processors to operate the service:

• Anthropic: AI feedback on practice responses and mood reflections. See Anthropic's Privacy Policy.
• PostHog: Usage analytics, EU region. See PostHog's Privacy Policy.
• Sentry: Crash and diagnostics reporting. See Sentry's Privacy Policy.
• Render: Application and database hosting. See Render's Privacy Policy.
• Cloudflare: DNS, marketing site hosting, and email routing. See Cloudflare's Privacy Policy.
• Resend: Transactional email such as verification and password reset. See Resend's Privacy Policy.
• Google: Sign-in with Google and Android push via Firebase Cloud Messaging. See Google's Privacy Policy.
• Apple: Sign in with Apple, and iOS push via Apple Push Notification service where supported. See Apple's Privacy Policy.

Some providers process data outside Thailand (in the EU, US, or UK). They are bound by their own data protection commitments and contractual safeguards.

• Passwords are hashed using bcrypt
• Authentication uses short-lived JWT access tokens with httpOnly refresh cookies
• All data is transmitted over HTTPS
• Database access is restricted to authenticated application queries

Account data is retained as long as your account is active. You can permanently delete your account and all associated data from Settings inside the app, or by visiting lewell.app/delete-account. Push notification tokens are automatically cleaned when they expire.

Under the Thai Personal Data Protection Act (PDPA) and the EU/UK General Data Protection Regulation (GDPR), you have the right to:

• Access: View your account data in your Profile and Settings
• Rectification: Correct inaccurate personal data
• Deletion: Permanently delete your account and all associated data from Settings, or via lewell.app/delete-account
• Data portability: Request an export of your data by emailing privacy@lewell.app
• Object: Object to certain processing by emailing privacy@lewell.app
• Withdraw consent: Withdraw analytics consent on iOS via system settings (App Tracking Transparency). You can withdraw consent for health and wellness data by deleting the entries you recorded or by deleting your account, which removes the data.

You can also unsubscribe from waitlist emails using the link in any email we send.

LeWell is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13.

We may update this Privacy Policy from time to time. We will notify users of significant changes via in-app notification or email.

For privacy-related questions, complaints, or requests, email privacy@lewell.app. Data Controller: LEWELL Co., Ltd., Bangkok, Thailand.