HeadWell — Privacy Policy

Effective date: May 17, 2026
Last updated: May 17, 2026

This Privacy Policy explains what data HeadWell ("we", "us", or "HeadWell") collects when you use the HeadWell iOS app and related services, why we collect it, how we store and protect it, and the rights you have over it. We've written it in plain English. If anything is unclear, please email us.

This policy is not legal advice and is a v1 publication. It will be reviewed by counsel and may be updated. Material changes will be communicated in-app.

1. Who we are

HeadWell is a consumer wellness app for people living with chronic and episodic headache disorders, developed and operated by HeadWell (a sole-proprietor d/b/a of Vishal Puri). For privacy questions, data-subject requests, or to report a concern, please contact:

Email: headeasesupport@gmail.com

We act as the data controller for the personal data described in this policy.

2. What we collect

2.1 Information you provide

• Account information: email address, password (stored hashed using BCrypt — we never see your plaintext password), display name.
• Authentication tokens: if you sign in with Apple or Google, we receive an identity token and (with your consent) your name. We do not see your Apple/Google password.
• Profile and patient details: optional information you enter — date of birth, address, phone, emergency contact, insurance number, primary care physician, neurologist contact.
• Intake survey responses: diagnoses, attack frequency, attack laterality, biological sex, gender identity, comorbidities, occupation, social habits, prior medications, prior imaging, prior surgeries.
• ACE-10 (Adverse Childhood Experiences) responses: optional. You may decline any item or skip the survey entirely.
• Clinical assessment results: MIDAS, HIT-6 scores.
• Headache and prodrome entries: pain level, duration, type, triggers, symptoms, pain locations and regions, pain quality descriptors, medications taken (with timing and effectiveness), aura type and duration, notes.
• Menstrual cycle entries (optional): period start and end dates, cycle length.
• Life event triggers: tags you record (stress, travel, etc.).
• Activity sessions: which breathing/stretching/massage protocols you complete and for how long.
• Notification preferences and settings.

2.2 Information from Apple HealthKit (with your permission)

HeadWell can read the following Apple Health data types on your device only:

• Sleep analysis
• Heart rate
• Heart rate variability (HRV — SDNN)
• Resting heart rate
• Step count
• Mindful minutes

HeadWell can write the following Apple Health data:

• Headache events (so your other apps and your clinician can see them)
• Mindful minutes (from completed breathing sessions)

Raw HealthKit samples never leave your device. Only daily aggregates (a single sleep-hours number, a daily HRV average, etc. — stored as HealthMetricSnapshot) are sent to our backend so your risk forecasts can be computed and synced across your devices.

2.3 Location and device sensors

• Location (when in use): used at the moment you open the app or refresh your risk forecast to fetch local barometric pressure, temperature, and humidity from Apple WeatherKit. Your location is not stored on our backend; only the resulting weather reading is associated with that day's risk score.
• Device barometer (motion permission): used to read your iPhone's built-in atmospheric pressure sensor for hyper-local pressure measurements. No motion or fitness data is collected.

2.4 Information collected automatically

• Diagnostic data: HeadWell subscribes to Apple's MetricKit, which delivers (~once per day) anonymized crash, hang, CPU, and disk-write metrics. These are stored locally on your device and are not currently uploaded.
• Sync metadata: for each record synced to our backend, we keep a remoteId and updatedAt timestamp used to resolve conflicts.

2.5 Information we do NOT collect

• Advertising identifiers (IDFA).
• Third-party tracking pixels or cookies.
• Microphone or camera input.
• Contacts, photos, calendar, or reminders.
• Voice recordings (the "Hey Siri" intent is handled by Apple's Siri service; HeadWell never receives the audio).

3. Why we collect it (purposes)

We process your data for the following purposes only:

1. Provide the app's core features — account login, headache logging, risk forecasting, intervention activities, insights and pattern detection, doctor reports.
2. Sync your data across your devices — so logging on iPhone shows up when you open the app on iPad.
3. Generate personalized predictions — combine your headache history, sleep, HRV, cycle, and weather into a daily risk score.
4. Diagnose and improve the app — local-only crash and performance metrics help us fix bugs.
5. Respond to your requests — when you contact us for support or to exercise a data right.

We do not use your data for advertising, profiling for marketing, sale, or any purpose outside the ones above.

4. Legal basis (GDPR)

If you are located in the European Economic Area or the United Kingdom, our legal basis for processing your personal data is:

• Performance of a contract (GDPR Art. 6(1)(b)) — for account creation, login, sync, and feature delivery.
• Your explicit consent (GDPR Art. 6(1)(a) and Art. 9(2)(a)) — for sensitive health information (Art. 9 special-category data: health data, trauma history). You provide this consent by completing the intake survey, granting HealthKit access, and accepting this Privacy Policy at onboarding.
• Our legitimate interests (GDPR Art. 6(1)(f)) — for diagnostic data used to keep the app stable.

You can withdraw consent at any time by deleting your account (see §7).

5. Sharing and disclosure

We do not sell, rent, trade, or share your personal data with any third party for any purpose other than the operational sub-processors listed below. We do not disclose your data to advertisers, data brokers, or marketing analytics providers.

5.1 Sub-processors (service providers that process data on our behalf)

We use Standard Contractual Clauses or equivalent safeguards for any international data transfer where required.

5.2 Legal disclosure

We may disclose personal data if compelled by valid legal process (subpoena, court order). We will notify affected users unless legally prohibited from doing so.

5.3 In the event of a sale or merger

If HeadWell is acquired or merged with another entity, we will provide notice and the option to delete your account before any data transfer occurs.

6. How long we keep your data

• Account data: kept for as long as your account exists.
• Health entries, surveys, assessments, HealthKit aggregates: kept for as long as your account exists, so the app's prediction engine has historical context.
• Diagnostic data: kept locally on your device only and rotated automatically by iOS.
• Backend logs: standard application logs are retained for 30 days, then rotated.

When you delete your account (see §7), all data is permanently removed from our backend within 30 days.

7. Your rights

You have the following rights regardless of where you live (GDPR, CCPA/CPRA, and other applicable laws):

• Access — request a copy of the personal data we hold about you. The fastest way: open the app, go to Profile → Data Export, and export your full data as CSV or JSON. You can also email us.
• Deletion ("right to be forgotten") — delete your account and all associated data from our backend. In the app: Profile → Account → Delete my account. This action is irreversible.
• Correction — update inaccurate personal data via your profile, or email us if you need help.
• Portability — the in-app JSON export provides your data in a machine-readable, portable format.
• Restriction — ask us to pause processing pending a request.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — you can revoke HealthKit access in Settings → Privacy & Security → Health → HeadWell at any time, or delete your account to revoke all consent.

7.1 California residents (CCPA / CPRA)

In addition to the above:

• Right to know — categories of personal information collected, sources, purposes, and recipients (this policy covers all of those).
• Right to delete — same as the in-app deletion above.
• Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of, but you have the right to confirm this.
• Right to non-discrimination — we will not deny service or change pricing because you exercised a right.

To exercise any right, email headeasesupport@gmail.com. We respond within 30 days (45 days under CCPA for complex requests).

8. HealthKit-specific commitments

We follow Apple's HealthKit privacy guidelines:

• We request the minimum necessary Health data types.
• HealthKit data is never used for advertising or shared with any third party.
• HealthKit data is never sold.
• HealthKit data is never disclosed to a third party for any purpose other than the operational sub-processors in §5.1, and only as anonymized daily aggregates.
• Raw HealthKit samples never leave your device.
• If you revoke HealthKit access in iOS Settings, HeadWell stops reading new samples immediately. Any aggregates already stored in your backend record remain unless you delete your account.

9. Security

• All network traffic uses HTTPS (TLS 1.2 or higher).
• Authentication tokens are stored in the iOS Keychain.
• Passwords are hashed with BCrypt server-side. We never see, log, or transmit plaintext passwords.
• Backend storage (MongoDB Atlas) uses AES-256 encryption at rest by default.
• We follow the principle of least privilege for backend access.

No internet-connected service is 100% secure. If you become aware of a security issue, please email headeasesupport@gmail.com and we will investigate promptly.

10. Children

HeadWell is intended for adults 18 years of age or older. We do not knowingly collect personal data from children under 13 (in the US) or under 16 (in the EU/UK). If you believe a child has provided us personal data, please email us and we will delete it.

11. International data transfers

If you are located outside the United States, your data will be transferred to and processed in the United States (where our backend infrastructure is hosted). By using HeadWell, you consent to this transfer. We use industry-standard safeguards (TLS in transit, AES-256 at rest, restricted access controls) and, where required by GDPR, Standard Contractual Clauses with sub-processors.

12. Cookies and similar technologies

The HeadWell iOS app does not use cookies. Our marketing website (https://vishalpuri2594.github.io/headwell-website/) is a static page hosted on GitHub Pages and does not set any tracking cookies. GitHub Pages may set technically-necessary cookies for content delivery; refer to GitHub's Privacy Statement.

13. Changes to this policy

We may update this policy as the app and our practices evolve. Material changes will be:

• Posted to this page with an updated Effective date and Last updated timestamp.
• Surfaced in the app via a one-time banner asking you to re-acknowledge.

Continued use of HeadWell after the effective date constitutes acceptance of the updated policy.

14. Medical disclaimer

HeadWell is a consumer wellness app for self-tracking and education. It is not a medical device, does not diagnose, treat, cure, or prevent any disease, and is not a substitute for professional medical advice. If you are experiencing a sudden, severe, or entirely new type of headache, seek emergency medical attention.

15. Contact

For privacy questions, data-subject access or deletion requests, or to report a concern:

Email: headeasesupport@gmail.com

We will acknowledge receipt within 5 business days and respond substantively within 30 days (45 days in California for complex CCPA requests).

© 2026 HeadWell. All rights reserved.