Privacy Policy

Last updated: April 18, 2026

1. What Well Togethr Is

Well Togethr is a care-focused app that helps people gently look after someone they care about. It connects two types of users: members (the person being supported) and supporters (the people who care about them). This policy explains what data we collect, why, and how we handle it.

2. Data We Collect

Account Information

  • Email address (for login and account identification)
  • First name (displayed to your supporters or the people you support)
  • Password (stored as a one-way hash; we cannot see your password)
  • Profile picture (optional; stored securely)
  • Region/locale preference (to show relevant content)
  • Timezone (detected automatically to time notifications correctly)

Daily Check-Ins

If you are a member, you can check in each day. We store:

  • How you are feeling (a 1–5 scale)
  • What would help most today (your selected intent)
  • The date and time of check-in

End-of-Day Reflection

  • How your day was (good, okay, or tough)
  • One good thing from today (optional text, up to 150 characters)
  • Whether you chose to share that reflection with your supporters

Routines and Events

  • Routine items you add (e.g. "Take a quiet moment") and whether you completed them
  • Events you schedule (title, date, time, optional notes)
  • Event notes are private unless you explicitly choose to share them

Medications

  • Medication names, dosage, frequency, time of day, and instructions
  • Whether each medication was taken on a given day
  • Refill dates (optional)

Medication details are visible only to you. Supporters see only the total count taken vs. total, not individual medicine names or details.

Photos

  • Photos you upload (resized and stripped of location metadata before storage)
  • Captions you add (up to 100 characters)
  • The context you choose: private, shared with supporters, or as part of a help request

Private photos are visible only to you. Shared and help photos are visible to your connected supporters.

Vault Documents

  • Documents you upload (encrypted at rest with AES-256)
  • Document title, category, and optional notes
  • Who you choose to share each document with

Vault documents are private by default. You choose individually who can access each document.

Messages

  • Short notes between you and your supporters (up to 300 characters)
  • Message threads expire automatically after 72 hours
  • Each thread is limited to 5 messages

Help Requests

  • Help request messages (up to 200 characters) and optional photos
  • These are visible to your connected supporters
  • Help requests are automatically resolved when you next check in

Shopping List

  • Items you add to your essentials list (name and quantity)
  • This is visible only to you

Feedback

  • Optional ratings and comments you submit about app features

3. What Supporters See

When you connect with a supporter, they can see:

  • Your name and profile picture
  • Your daily check-in feeling (1–5 scale)
  • Whether you asked for help
  • Your end-of-day rating (good/okay/tough)
  • How many routines you completed (count only, not specific items)
  • How many medications you took vs. total (count only, not names)
  • Event titles and times (notes only if you mark them as shared)
  • Photos you share or submit as help requests
  • Vault documents you explicitly share with them

Supporters cannot see: your medication names or details, your routine item names, your private photos, your shopping list, your vault documents (unless shared), or your intent selection.

4. How We Use Your Data

We use your data to:

  • Provide the core service: connecting members with supporters
  • Send daily summary notifications to your supporters (at 8pm in your timezone)
  • Detect patterns that may indicate you need additional support (e.g. missed check-ins)
  • Show you personalized routine suggestions based on your check-in
  • Display relevant content (recipes, books, podcasts, plant care) based on your region

We do not use your data for advertising, profiling, or selling to third parties.

5. Third-Party Services

We use the following third-party services to provide functionality:

  • Amazon Web Services (AWS) — database hosting (RDS), file storage (S3), and application hosting (Amplify). Data is stored in the US East (N. Virginia) region. Vault documents are encrypted at rest with AES-256.
  • Google Places API — used only when you search for nearby services (e.g. pharmacies, parks). Your location is sent to Google only when you initiate a search. We do not store your location.
  • Spoonacular — recipe search and nutritional data. No personal data is sent to this service.
  • Podcast Index — podcast search. No personal data is sent.
  • OpenLibrary and Internet Archive — book and magazine content. No personal data is sent.
  • Perenual — plant care information. No personal data is sent.
  • Web Push (VAPID) — browser push notifications. Your push subscription token is stored so we can send notifications.

We do not use any analytics, advertising, or tracking services. We do not embed third-party pixels, scripts, or SDKs that track your behavior.

6. Cookies and Local Storage

We use a single authentication cookie (wt_token) to keep you signed in. It is:

  • HTTP-only (cannot be read by JavaScript)
  • Secure (transmitted only over HTTPS in production)
  • SameSite: Lax (not sent with cross-site requests)
  • Expires after 30 days

We do not use any third-party cookies, tracking cookies, or advertising cookies.

We use your browser's local storage to save preferences (region, game progress, recent activity) on your device. This data is not sent to our servers.

7. Location Data

We do not track your location. If you use the "Find nearby" feature (e.g. to find a pharmacy or park), your browser will ask for permission. If you grant it, your coordinates are sent to Google Places to find results near you. We do not store your location.

8. Data Retention

  • Account data — retained until you delete your account
  • Check-ins, routines, events, medications — retained as long as your account exists
  • Shared photos — automatically deleted after 7 days
  • Help request photos — auto-resolved after 24 hours if unclaimed, deleted after 7 days
  • Private photos — retained until you delete them or your account
  • Message threads — expire automatically after 72 hours
  • Vault documents — retained until you delete them or your account

9. Your Rights

You can:

  • Export your data — download a copy of your check-ins, events, routines, medications, and essentials from Account > Advanced
  • Delete your account — permanently remove all your data from our systems. This requires your password to confirm. Deletion is immediate and irreversible.
  • Control sharing — choose what your supporters see. You can disconnect from a supporter at any time.
  • Withdraw consent — you can stop using the app at any time. You can pause check-ins without deleting your account.

When you delete your account, all associated data is permanently removed: check-ins, events, routines, medications, photos, vault documents, messages, connections, and supporter notes.

10. Security

  • Passwords are hashed using bcrypt (industry-standard one-way hashing)
  • All connections use HTTPS (TLS encryption in transit)
  • Vault documents are encrypted at rest with AES-256
  • Photos are stripped of EXIF/location metadata before storage
  • Authentication uses signed JSON Web Tokens with HTTP-only cookies
  • API endpoints are protected with rate limiting to prevent abuse
  • Security headers are applied to all responses (Content-Security-Policy, HSTS, X-Frame-Options)

11. Children

Well Togethr is not intended for use by anyone under 18 years of age. We do not knowingly collect data from children.

12. Changes to This Policy

If we make significant changes to this policy, we will update the date at the top of this page. Continued use of the app after changes constitutes acceptance.

13. Contact

If you have questions about your data or this policy, email us at privacy@welltogethr.com.