Legal

Privacy Policy

Last updated: 18 May 2026

1. Who we are

Welvow Ltd ("we", "us", "our") is a company registered in England and Wales. We operate the Welvow platform (the "Platform"), accessible at welvow.com and through our associated applications. For the purposes of UK data protection law, we are the data controller responsible for your personal data.

If you have any questions about this policy or your personal data, you can contact us at: [email protected].

2. What data we collect

We collect and process different categories of personal data depending on how you interact with the Platform.

Account information: When you create an account, we collect your name, email address, and a password (stored in hashed form). If you register as a practitioner or teacher, we also collect professional details such as your qualifications, modalities, location, and professional biography.

Wellness data: When you complete our wellness questionnaire or use features such as check-ins, goal tracking, or the cycle tracker, you provide information about your health interests, lifestyle, and wellbeing. Under UK GDPR, some of this data may constitute special category data (data concerning health). We process this data on the basis of your explicit consent, which you provide when you agree to our data consent statement before using these features.

Wearable and connected-health data: If you connect a wearable device (such as Fitbit or WHOOP) or grant access through Apple HealthKit on iOS or Google Health Connect on Android, we read a defined set of wellness metrics from that source. These may include sleep duration and stages, resting heart rate, heart rate variability, respiratory rate, blood oxygen, body temperature, steps, active minutes, calories burned, and distance. This is special category data (data concerning health) under UK GDPR. We process it on the basis of your explicit consent, given when you connect the device or grant the permission, and the detailed terms set out in section 7 below apply.

Usage data: We collect information about how you use the Platform, including pages visited, features used, search queries, and interaction patterns. This helps us improve the Platform and understand which features are most useful.

Device and technical data: We collect your IP address, browser type and version, operating system, device type, and similar technical information. If you enable push notifications, we store a notification subscription endpoint on your device.

Communications: If you send or receive messages through the Platform, we store the content of those messages to deliver the service. If you contact us directly, we keep records of that correspondence.

Payment data: If you subscribe to a paid plan, payment processing is handled by a PCI-compliant third-party payment provider. We do not store your full card details. We receive and store a record of your subscription status, plan type, and transaction references.

Verification by SMS: If email verification fails or is delayed during signup, we may offer to send you a 6-digit verification code by SMS through a trusted communications provider. We do not use your phone number for marketing.

Bug reports: If you submit a bug report through the in-app "report a bug" button, we capture a screenshot of your current screen, recent navigation history within the Welvow platform, and any browser console errors so that we can reproduce the problem. We treat bug-report content as confidential and use it solely to investigate and fix the issue.

3. How we use your data

We use your personal data for the following purposes:

To provide and operate the Platform, including creating your account, delivering personalised wellness suggestions, matching you with practitioners based on your stated interests, and enabling communication between you and practitioners.

To personalise your experience, your questionnaire responses, wearable metrics (where you have connected a device or granted access), and stated preferences are used to surface practitioners, classes, content, and resources that align with what you have told us you are interested in exploring, and to power features such as the wellness dashboard, Companion guidance, and trend insights.

To process payments and manage subscriptions, if you subscribe to a paid tier.

To communicate with you, including sending transactional emails (such as welcome emails, password resets, and booking confirmations), weekly digests if you have opted in, and push notifications if you have enabled them.

To improve the Platform, we analyse aggregated and anonymised usage data to understand how the Platform is used and to inform product development decisions. We do not use wearable, HealthKit, or Health Connect data for this purpose.

To ensure safety and compliance, including preventing misuse, detecting fraud, and meeting our legal obligations.

4. Lawful basis for processing

Under UK GDPR, we rely on the following lawful bases:

Consent (Article 6(1)(a) and Article 9(2)(a)): For processing your wellness and health-related data (special category data), we rely on your explicit consent. You provide this when you agree to our data consent statement before completing the wellness questionnaire or using health-related features, and again when you connect a wearable device or grant access through Apple HealthKit or Google Health Connect. You may withdraw consent at any time by disconnecting the source, contacting us, or deleting your account.

Contract (Article 6(1)(b)): Processing necessary to provide the Platform services you have signed up for, including account creation, practitioner matching, and subscription management.

Legitimate interests (Article 6(1)(f)): For usage analytics, platform security, fraud prevention, and improving our services, where these interests are not overridden by your rights and freedoms.

Legal obligation (Article 6(1)(c)): Where we are required to process your data to comply with a legal obligation, such as tax record-keeping for paid subscriptions.

5. How we store and protect your data

Your data is stored on secure cloud infrastructure hosted in the United Kingdom and European Economic Area (London region). Website delivery and caching are handled through a global edge network. All data is encrypted at rest and in transit using industry-standard TLS encryption.

Passwords are stored in hashed form and are never accessible in plaintext. Access to production data is restricted to authorised personnel only and is governed by role-based access controls and row-level security policies at the database level.

While we take all reasonable steps to protect your data, no system is completely secure. If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and inform you without undue delay where required.

6. Data sharing and third parties

We do not sell your personal data. We share data with the following categories of third party, only as necessary to operate the Platform:

Practitioners and teachers: If you engage with a practitioner or teacher through the Platform (for example, by sending a message or making a booking), they will see the information necessary to provide their service, such as your name and any details you share in messages. When you message a practitioner or teacher, we share your first name with them so they can reply to you personally; this is a standard part of using the Platform. They do not have access to your full wellness questionnaire responses. Where you explicitly choose to share wearable, HealthKit, or Health Connect data with a specific practitioner through the Platform, they receive read-only access to the same metrics shown on your own dashboard for the duration you select. You can revoke this access at any time, and the access is enforced server-side.

Infrastructure and service providers: We use trusted third-party providers for cloud hosting, content delivery, authentication, and payment processing (payments are handled by Stripe). These providers process data on our behalf under data processing agreements and do not use your data for their own purposes.

AI-powered features and your Wellness Companion: Certain features of the Platform use artificial intelligence to generate personalised wellness suggestions and practitioner matching, and to power your Wellness Companion. When you use these features, relevant portions of your questionnaire responses, and, where you have connected a source, summaries of your wearable, HealthKit, or Health Connect metrics, are processed by a third-party AI provider under a data processing agreement. Where you are on a paid Welvow tier and have connected a source, your Wellness Companion may refer to general patterns in your wearable data (for example, that you have slept less than usual recently, or that your movement has been quieter) so that it can respond as a thoughtful, observant friend rather than a generic assistant. The Companion never quotes specific numbers back at you and is not a medical service. This data is not used to train AI models and is handled in accordance with strict data protection standards.

We may also disclose data where required by law, regulation, legal process, or governmental request.

6a. Data we hold about businesses that have not signed up

To help people discover wellness practitioners and clinics across the UK, Welvow maintains a directory that includes a number of businesses that have not yet signed up to the platform ("unclaimed listings"). For each unclaimed listing we hold information gathered from publicly available sources, for example, business name, address, public contact details, opening hours, and publicly visible services and reviews.

For sole-trader businesses, this information may relate to an identifiable individual and therefore constitutes personal data under UK GDPR. The lawful basis for this processing is our legitimate interests (Article 6(1)(f)) in operating a comprehensive, accurate UK wellness directory that helps people find local services. We have considered the rights and freedoms of the businesses concerned and concluded that the processing is proportionate, the data is limited to information the business itself has made public, and we provide a free and easy route for any business to claim, correct, or remove its listing.

Claim, correct, or remove your listing. If you operate a business that appears on Welvow and you have not signed up, you can email [email protected] at any time to (a) claim your listing and take control of it, (b) correct any inaccurate information, or (c) ask us to remove your listing entirely. We will action removal requests without delay and confirm in writing.

We do not display the personal contact details of named individuals working at unclaimed businesses, beyond what those individuals or their business have already made public themselves. We do not sell unclaimed-listing data to any third party.

7. Wearable devices, Apple HealthKit, and Google Health Connect

Where you choose to connect a wearable device or grant access through Apple HealthKit on iOS or Google Health Connect on Android, the following terms apply in addition to the rest of this policy. They reflect the commitments we make to you, and the requirements set by Apple and Google for apps that read this category of data.

What we read: A defined set of wellness metrics, sleep duration and stages, resting heart rate, heart rate variability, respiratory rate, blood oxygen, body temperature, steps, active minutes, calories burned, and distance. We never write data back to your wearable, to Apple Health, or to Health Connect.

How we use it: Solely to provide, personalise, and improve your wellness experience within Welvow, including your dashboard, Companion guidance, trend insights, and practitioner suggestions where you have consented to share with a specific practitioner.

What we will not do: We will not use Apple HealthKit, Google Health Connect, or wearable data for advertising, marketing, behavioural retargeting, or other use-based data mining. We will not sell, rent, or otherwise disclose this data to data brokers, information resellers, or any third party for their own purposes. We will not use it to make, support, or supply decisions about life insurance, health insurance, employment, or credit eligibility, and we will not provide it to any party for those purposes. We will not share this data with any practitioner, third party, or other Welvow user without your explicit, granular consent. We will not store Apple HealthKit data in iCloud.

Where it is stored: When metrics are synced from a connected source, they are stored on our secure UK-based cloud infrastructure under row-level security, accessible only to your account and to any practitioner you have explicitly chosen to share with. On initial connection we sync up to 28 days of historical data to give you an immediate baseline; thereafter we maintain a rolling window of recent data rather than building a permanent archive.

Your control: You can disconnect a wearable at any time from the Platform, which stops further sync immediately. You can revoke Apple HealthKit access at any time from the Health app under Sources, or from within the Welvow app. You can revoke Google Health Connect access at any time from Health Connect on your Android device, or from within the Welvow app. Disconnecting stops further sync and revokes any active sharing with practitioners. You can request deletion of any data we have already synced by contacting [email protected], and the right to erasure described in section 10 applies in full to this category of data.

8. International data transfers

Our primary database is hosted in the United Kingdom. Some of our service providers are based outside the UK, including in the United States. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the ICO, or reliance on adequacy decisions where applicable.

9. Data retention

We retain your personal data for as long as your account is active and for a reasonable period thereafter to fulfil the purposes outlined in this policy. Specifically:

Account and profile data is retained until you delete your account. Wellness questionnaire responses and check-in data are retained until you delete your account or withdraw consent. Wearable, Apple HealthKit, and Google Health Connect data is retained on a 28-day initial plus rolling-7-day basis while your source is connected, is no longer synced once you disconnect, and is deleted on request. Messaging data is retained for the duration of your account. Payment records are retained for six years from the date of the transaction, as required by UK tax law. Usage and analytics data is aggregated and anonymised after 24 months.

When you delete your account, we will erase or anonymise your personal data within 30 days, except where we are required by law to retain certain records.

10. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

Right of access: You have the right to request a copy of the personal data we hold about you. We will respond within one month of receiving your request. For complex or numerous requests, we may extend this period by up to a further two months under Article 12(3) UK GDPR, in which case we will tell you within the first month and explain why.

Right to rectification: You can update your account information at any time through the Platform. If you believe other data we hold is inaccurate, contact us and we will correct it.

Right to erasure: You can ask us to delete your account, or to erase specific personal data we hold about you (including all wearable, Apple HealthKit, and Google Health Connect data we have synced), at any time by emailing [email protected]. We action erasure requests within 30 days unless we have a lawful reason to retain the data.

Right to restrict processing: You can request that we limit how we process your data in certain circumstances, for example, if you contest its accuracy.

Right to data portability: You can request a copy of the data you have provided to us in a structured, commonly used, machine-readable format.

Right to withdraw consent: Where we rely on your consent to process data (including special category health data, wearable data, and HealthKit or Health Connect data), you may withdraw that consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.

Right to object: You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

To exercise any of these rights, contact us at [email protected]. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

11. Cookies and similar technologies

We use cookies and similar technologies in three categories:

Essential cookies are required to keep you logged in, remember your preferences, and protect the security of the Platform. These are always active and do not require your consent under UK PECR.

Analytics cookies help us understand how the Platform is used so we can improve it. We do not use analytics for advertising profiling.

Marketing cookies allow us to measure the effectiveness of our marketing, for example, by attributing a new signup to the channel that introduced you to Welvow.

On your first visit you will see a cookie banner letting you accept all, reject all, or choose categories individually. You can change your choice at any time by clearing your cookies for welvow.com or revisiting the cookie banner from the footer link. Our full Cookie Policy lists each category and how the categories are used.

12. Children's data

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from someone under 18, we will take steps to delete that data promptly.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Where changes are significant, we will notify you by email or through a notice on the Platform. We encourage you to review this page periodically. The "last updated" date at the top of this policy indicates when it was most recently revised.

14. Contact us

If you have questions, concerns, or requests regarding your personal data or this Privacy Policy, please contact us at:

Welvow Ltd
Email: [email protected]