Privacy Policy
Effective Date: April 11, 2026 | Last Updated: April 11, 2026
🔒 Privacy at a Glance
- We never sell your personal data. Period. Not to advertisers, data brokers, or anyone else.
- Your health data stays yours. HealthKit data is never used for advertising or shared without your explicit consent.
- NOVA conversations are private. Your AI chats are processed by OpenAI solely to generate responses. We don't train models on your data.
- We never see your payment info. All payments are handled by Apple and RevenueCat.
- You can delete everything. Request full account and data deletion anytime at hello@flexwell.com.
- No hidden tracking. No ads, no third-party trackers, no selling data to advertisers.
1. Who We Are
Flexwell is owned and operated by Micawber Media LLC, a Texas limited liability company.
Address: 1885 FM 2673, Suite H31, Canyon Lake, TX 78132
Email: hello@flexwell.com
Website: flexwell.com
This Privacy Policy applies to the Flexwell mobile application, the Flexwell website (flexwell.com), and all related services (collectively, the "Service").
2. Information We Collect
Information You Provide
| Data Type | What We Collect | Why |
| --- | --- | --- |
| Account Data | Email address, name (optional), password (stored as bcrypt hash) | Account creation and authentication |
| Supplement Stack | Supplements you track, dosages, timing preferences, custom entries | Core tracking functionality |
| Daily Logs | Which supplements you take or skip each day, timestamps | Consistency tracking and streaks |
| NOVA Conversations | Messages you send to NOVA, AI responses | Personalized AI supplement guidance |
| Barcode Scans | Barcodes and FNSKUs you scan | Supplement identification and lookup |
Information from Connected Services (Your Choice)
| Data Type | What We Collect | Why |
| --- | --- | --- |
| Apple HealthKit Data | Heart rate, sleep duration, steps, HRV, blood oxygen (Premium feature, opt-in only) | Health-contextualized NOVA advice and insights |
Information Collected Automatically
| Data Type | What We Collect | Why |
| --- | --- | --- |
| Device Info | Device type, operating system, app version | Bug fixes and compatibility |
| Usage Data | App opens, feature usage, screen views | Improving the app experience |
Information We Never Collect
- Credit card or payment details (handled entirely by Apple and RevenueCat)
- Precise GPS location
- Contact lists or phone contacts
- Photos, microphone, or other device sensors (camera is used only for barcode scanning and never stored)
3. How We Use Your Information
We use your information for the following purposes:
- Provide the Service: Supplement tracking, daily logs, streak calculations, barcode scanning
- Power NOVA AI: Your supplement stack, health data, and conversation history are sent to our AI service to generate personalized guidance
- Health Insights: Analyze connected health data to provide trends and supplement optimization suggestions (Premium)
- Interaction Warnings: Check your supplement stack for potential interactions
- Account Management: Authentication, password resets, account settings
- Communication: Respond to support requests, send service updates
- Improvement: Understand usage patterns to improve features and fix bugs
We never use your data for advertising. We never sell your data. We never share your health data with third parties for their own purposes.
4. AI and Machine Learning (NOVA)
NOVA is Flexwell's AI-powered supplement advisor. Here is exactly how your data is used:
- What NOVA sees: When you chat with NOVA, we send your current supplement stack, recent health data (if connected), consistency history, and your conversation history to generate a personalized response.
- Processing: NOVA conversations are processed using OpenAI's GPT-4o API. Your data is sent to OpenAI via their API for the sole purpose of generating responses.
- OpenAI's policy: Per OpenAI's API data usage policy, data submitted via the API is not used to train their models. See OpenAI's API Data Usage Policies.
- Storage: Your NOVA conversation history is stored in our database to provide context for future conversations and improve response quality.
- No profiling: We do not use AI to make automated decisions that produce legal or similarly significant effects on you.
Important: NOVA provides informational guidance only. It is not a substitute for professional medical advice, diagnosis, or treatment. Always consult a qualified healthcare provider before making changes to your supplement regimen.
5. Health Data and Apple HealthKit
If you choose to connect Apple HealthKit (a Premium feature), we access health metrics you explicitly authorize, such as heart rate, sleep, steps, HRV, and blood oxygen.
Apple HealthKit Commitments (Required by Apple):
- Health data obtained from HealthKit will not be sold to advertising platforms, data brokers, or information resellers.
- Health data will not be used for advertising or marketing purposes.
- Health data will not be shared with third parties without your explicit consent, except as required to provide the Service (e.g., sending to NOVA for health-contextualized advice).
- Health data will be used solely for providing health-related features directly to you within the Flexwell app.
- You can disconnect HealthKit at any time in your device settings or within the Flexwell app.
We store health data in our secure database with source attribution (e.g., "apple_health") to provide trends and power NOVA's health-aware insights. This data is encrypted in transit and at rest.
Flexwell is not a HIPAA-covered entity. However, we treat all health data with the highest level of care and apply security standards consistent with sensitive health information.
6. How We Share Information
We do not sell your personal information. We share data only in these limited circumstances:
- OpenAI: Supplement stack, health data, and conversation history are sent to OpenAI's API to power NOVA responses. OpenAI does not use API data to train models.
- Apple / RevenueCat: Purchase receipts are processed by Apple and RevenueCat for subscription management. We never receive your credit card information.
- Hosting Provider: Our database and API are hosted on Railway. They process data on our behalf under standard data processing terms.
- Mailchimp: If you opt in to marketing emails, your email address is shared with Mailchimp for email delivery.
- Legal Requirements: We may disclose information if required by law, court order, subpoena, or government request.
- Business Transfer: If Micawber Media LLC is acquired or merges with another company, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
7. Third-Party Services
Flexwell integrates with the following third-party services:
| Service | Purpose | Data Shared |
| --- | --- | --- |
| OpenAI | Powers NOVA AI advisor | Supplement stack, health data, conversation messages |
| Apple HealthKit | Health data sync | Read-only access to authorized metrics |
| RevenueCat | Subscription management | Purchase receipts, subscription status |
| Apple App Store | Payment processing | Payment handled entirely by Apple |
| Railway | Cloud hosting | All app data (encrypted) |
| Mailchimp | Email marketing (opt-in) | Email address only |
Each service operates under its own privacy policy. We encourage you to review them.
8. Data Retention
- Active accounts: We retain your data for as long as your account is active.
- Deleted accounts: When you request account deletion, we permanently delete your personal data within 30 days, including your supplement stack, daily logs, NOVA conversation history, and health data.
- Anonymized data: We may retain anonymized, aggregated data (that cannot identify you) for analytics purposes.
- Legal obligations: We may retain certain data as required by law (e.g., transaction records for tax purposes).
- Backups: Deleted data may persist in encrypted backups for up to 90 days before being purged.
9. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data transmitted between the app and our servers uses TLS (HTTPS) encryption.
- Encryption at rest: Database is encrypted at rest via our hosting provider.
- Password security: Passwords are hashed using bcrypt with salt rounds. We never store plaintext passwords.
- Authentication: JWT (JSON Web Token) based authentication with 30-day expiry.
- Access control: API endpoints require authenticated access. Users can only access their own data.
No system is 100% secure. While we take extensive precautions, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at hello@flexwell.com.
10. Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request what personal information we collect, use, disclose, and sell.
- Right to Delete: Request deletion of your personal information.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale: We do not sell personal information, so this right is automatically satisfied.
- Right to Limit Use of Sensitive Data: Request that we limit the use of sensitive personal information (including health data) to what is necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of Personal Information Collected (Last 12 Months)
| Category | Collected | Sold | Shared for Advertising |
| --- | --- | --- | --- |
| Identifiers (email, name) | Yes | No | No |
| Health information | Yes (opt-in) | No | No |
| Commercial info (subscriptions) | Yes | No | No |
| Internet activity (usage data) | Yes | No | No |
| Inferences (AI-generated insights) | Yes | No | No |
Submitting a Verifiable Consumer Request
To exercise your rights, email hello@flexwell.com with the subject line "CCPA Request." We will verify your identity using the email associated with your account and respond within 45 days (extendable by 45 days with notice).
You may designate an authorized agent to submit a request on your behalf. We may require proof of authorization.
11. International Privacy Rights (GDPR-Aligned)
While Flexwell is currently US-based, we extend the following rights to all users in preparation for international availability:
- Right of Access: Request a copy of your personal data.
- Right to Rectification: Request correction of inaccurate data.
- Right to Erasure: Request deletion of your data ("right to be forgotten").
- Right to Data Portability: Request your data in a machine-readable format.
- Right to Restrict Processing: Request that we limit how we use your data.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
Our lawful bases for processing include: (a) your consent, (b) performance of a contract (providing the Service), and (c) our legitimate interests (improving the Service, ensuring security).
To exercise these rights, email hello@flexwell.com.
12. Do Not Sell or Share My Personal Information
We do not sell your personal information. We have not sold personal information in the preceding 12 months. We do not share personal information for cross-context behavioral advertising.
Because we do not sell or share your information for advertising, there is no need to opt out. However, if you have questions, contact hello@flexwell.com.
13. Children's Privacy (COPPA)
Flexwell is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. Health tracking features (Apple HealthKit integration) require users to be at least 16 years old.
If we discover that we have collected personal information from a child under 13, we will delete it immediately. If you believe a child under 13 has provided us with personal information, contact us at hello@flexwell.com.
14. Email Marketing (CAN-SPAM)
We comply with the CAN-SPAM Act. If you opt in to our email list:
- We will clearly identify ourselves in all emails.
- Every marketing email includes an unsubscribe link.
- We honor unsubscribe requests within 10 business days.
- We never use deceptive subject lines or false header information.
- We include our physical address in every marketing email.
Transactional emails (password resets, account notifications) are not marketing and may be sent without opt-in.
15. Push Notifications (TCPA)
Flexwell may send push notifications (e.g., supplement reminders). We comply with the Telephone Consumer Protection Act (TCPA):
- Push notifications require your explicit opt-in via device settings.
- You can disable notifications at any time in your device settings or within the app.
- We do not send SMS or text message marketing.
- Reminder notifications are a core feature, not marketing.
16. Cookies and Tracking Technologies
Mobile App: The Flexwell app does not use cookies. We do not use third-party advertising trackers or analytics SDKs that create advertising profiles.
Website (flexwell.com): Our website may use essential cookies for basic functionality. We do not use advertising cookies, retargeting pixels, or third-party tracking scripts.
17. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Because there is no industry standard for DNT compliance, we do not currently respond to DNT signals. However, we do not engage in cross-site tracking, so the practical effect is the same: your browsing activity is not tracked across websites by Flexwell.
18. International Data Transfers
Flexwell's servers are located in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the United States.
By using Flexwell, you consent to the transfer of your data to the US. We apply the same privacy protections to all users regardless of location.
19. Data Breach Notification
In the event of a data breach that affects your personal information:
- We will notify affected users by email within 72 hours of becoming aware of the breach.
- We will describe the nature of the breach, what data was affected, and what steps we are taking.
- We will notify relevant authorities as required by applicable law (including the California Attorney General if 500+ California residents are affected).
- We will provide guidance on steps you can take to protect yourself.
20. Your Right to Delete
You may request complete deletion of your account and all associated data at any time:
- Email hello@flexwell.com with the subject "Delete My Account."
- We will verify your identity using your account email.
- Within 30 days, we will permanently delete: your account, supplement stack, daily logs, NOVA conversation history, health data, and all other personal information.
- Anonymized aggregated data (that cannot identify you) may be retained.
- Data in encrypted backups will be purged within 90 days.
Account deletion is irreversible. Cancelled subscriptions must be managed through the Apple App Store.
21. California Shine the Light
Under California Civil Code Section 1798.83, California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. Because we do not disclose personal information to third parties for their direct marketing purposes, no such disclosure list is required. For questions, contact hello@flexwell.com.
22. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top of this page.
- For significant changes, we will notify you by email or through an in-app notification.
- Continued use of Flexwell after changes are posted constitutes acceptance of the updated policy.
- We encourage you to review this policy periodically.
For questions, concerns, or requests related to this Privacy Policy or your personal data:
Micawber Media LLC
1885 FM 2673, Suite H31
Canyon Lake, TX 78132
Email: hello@flexwell.com
Website: flexwell.com
We aim to respond to all privacy inquiries within 30 days.