1. Introduction
This Privacy Policy describes how OlivetWell LLC ("OlivetWell," "we," "us," or "our") collects, uses, shares, and protects information about you when you use the olivetwell mobile application, website, and related services (collectively, the "Service"). By using the Service, you acknowledge that you have read and understood this Privacy Policy.
This Privacy Policy is incorporated by reference into our Terms of Service. Capitalized terms not defined in this Privacy Policy have the meanings given to them in the Terms of Service.
2. Information We Collect
2.1 Information You Provide Directly
When you create an account and use the Service, you may provide us with the following categories of information:
- Account Information. Your account details, including your name, email address, and password.
- Health-Related Information. Information about your supplements, dosages, lab values, symptoms, health goals, age, sex, weight, dietary practices, and medical history that you choose to enter into the Service.
- Conversation Content. The content of questions, prompts, and messages you submit to the AI assistant, including any health-related context you include.
- User-Generated Content. Notes, observations, journal entries, and pattern-tracking entries you create within the Service.
- Preferences and Feedback. Subscription preferences and feedback you provide.
2.2 Information Collected Automatically
When you use the Service, we automatically collect certain technical information, including:
- Device Information. Device type, operating system version, application version, and approximate device identifiers.
- Usage Information. Pages, screens, and features you access; the duration and frequency of your sessions; and similar usage patterns. We use this information to operate, improve, and secure the Service.
- Crash and Diagnostic Data. Crash logs, error reports, and performance metrics, which may incidentally include limited device or session context. Crash data is processed by our error-monitoring provider with personally identifiable information scrubbing where feasible.
- Approximate Location. Approximate location derived from your IP address. We do not collect precise GPS location.
2.3 Information We Do Not Collect
We do not collect government identifiers, financial account information, biometric identifiers, contact lists, photos or media files, calendar entries, or audio recordings. Payment information for paid subscriptions is processed by the applicable App Store and is not shared with us.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Provision. To create and maintain your account, authenticate you, and enable your access to the Service.
- AI Educational Responses. To process the questions you submit to the AI assistant, retrieve relevant educational content from our Source Material library, and produce educational responses tailored to the context you have provided.
- Personalization. To remember your supplements, lab values, history, and prior conversations so that the Service can provide a continuous educational experience tailored to you over time.
- Service Operations and Security. To monitor performance, diagnose errors, prevent abuse and fraud, and improve the reliability of the Service.
- Analytics. To produce aggregated and de-identified analytics about how users interact with the Service. These analytics do not identify any individual user.
- Communications. To send you transactional communications (such as account confirmations and security alerts) and, with your consent or as permitted by applicable law, product updates and educational announcements.
- Legal Compliance. To comply with applicable law, respond to lawful requests from public authorities, and enforce our Terms of Service.
4. AI and Conversation Data
Because olivetwell's AI features are central to the Service, we want to be specific about how conversation data is handled:
- Storage of Conversations. We store the questions you submit and the AI-generated responses for the duration of your account, so that the Service can maintain context, support personalization, and allow you to review your prior interactions.
- AI Inference Provider. When you submit a query to the AI assistant, the content of your query (including any health context you have included) is transmitted to our third-party AI inference provider, currently Anthropic, PBC, for the purpose of generating an educational response. The query is processed under our enterprise agreement with that provider, which restricts the provider from using submitted content to train its general models.
- Embeddings and Retrieval. Portions of your queries and conversation history may be processed by third-party embedding and retrieval providers (such as Voyage AI and Qdrant Cloud) to identify relevant educational content from our Source Material library. These providers are bound by data-processing agreements that restrict their use of your data to providing services to OlivetWell.
- Training Limitations. We do not sell your conversation data. We do not provide your conversation data to third parties for the training of general-purpose AI models. We may use de-identified, aggregated learnings (such as which categories of questions are common, which retrieval strategies are effective, or which content gaps exist) to improve the Service.
- AI Errors and Inaccuracies. Please remember that AI-generated content may contain errors, inaccuracies, or fabricated citations. The Service stores AI responses as we generated them, including any errors. We are not able to retrospectively correct individual AI responses that have already been delivered. Always verify critical information independently.
5. Health Information
- Sensitivity. We recognize that information you submit about your supplements, lab values, symptoms, and medical history is sensitive. We treat such information with care and apply the technical and organizational safeguards described in Section 8 below.
- Not a HIPAA-Covered Entity. OlivetWell is not a healthcare provider, health plan, or healthcare clearinghouse, and is not a "covered entity" as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Information you submit to the Service is not subject to HIPAA, but it may be subject to other state and federal privacy laws, including the laws described in Section 11 below.
- Your Choices. You are not required to submit any specific health information to use the Service. The educational responses you receive are informed by the information you provide; if you provide less information, responses will be less personalized. You may request deletion of any health information you have submitted by following the procedures in Section 10 below.
6. How We Share Your Information
We share information about you only as described in this Section. We do not sell your information to advertisers or data brokers.
6.1 Service Providers (Subprocessors)
We share information with third-party service providers that help us operate the Service. Each subprocessor is bound by a data-processing agreement that restricts its use of your information to providing services to us. Our current subprocessors include:
- Database and Authentication. Database, authentication, and storage services (currently Supabase, Inc.).
- Application Hosting. Application server hosting and content delivery (currently Fly.io, Inc.).
- AI Inference. Generation of AI educational responses (currently Anthropic, PBC).
- Embeddings and Reranking. Generation of vector embeddings and reranking of retrieved content (currently Voyage AI, Inc.).
- Vector Database. Storage and search of vector representations of Source Material (currently Qdrant Solutions GmbH).
- Error Monitoring. Application error monitoring and crash reporting (currently Functional Software, Inc., d/b/a Sentry).
- Transactional Email. Transactional and operational email delivery (currently Resend, Inc.).
- App Distribution. Distribution and payment processing (Apple, Inc., for iOS distribution and payments; Google LLC, for Android distribution and payments).
6.2 Updates to Subprocessor List
We may add, remove, or change subprocessors from time to time. Material changes will be communicated through this Privacy Policy.
6.3 Legal Disclosures
We may disclose your information if required to do so by law, regulation, court order, subpoena, or other legal process; to respond to lawful requests from public authorities; to enforce our Terms of Service; to protect the rights, property, or safety of OlivetWell, our users, or others; or to investigate suspected fraud or security incidents. Where reasonably practicable and not prohibited by law, we will notify you before disclosing your information in response to a legal request.
6.4 Business Transfers
If OlivetWell is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such transaction and any choices you may have regarding your information.
6.5 Aggregated and De-Identified Data
We may share aggregated or de-identified data that cannot reasonably be used to identify you for any lawful purpose, including research, analytics, and marketing.
7. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service to you. After you delete your account, we will delete or de-identify your personal information within a reasonable period, except that we may retain limited information as necessary to comply with legal obligations, resolve disputes, prevent fraud and abuse, or enforce our Terms of Service. Backups containing your information may persist for a limited period after deletion in accordance with our standard backup retention policies.
8. Security
We implement reasonable technical and organizational measures designed to protect your information against unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data in transit, access controls, authentication safeguards, monitoring, and the use of reputable subprocessors. However, no method of transmission over the internet or electronic storage is one hundred percent secure, and we cannot guarantee the absolute security of your information. You are responsible for maintaining the confidentiality of your account credentials.
9. Children's Privacy
The Service is not directed to, and may not be used by, anyone under the age of eighteen (18). We do not knowingly collect personal information from children under thirteen (13), and our Terms of Service prohibit users under eighteen from creating accounts. If we become aware that we have collected personal information from a child under thirteen without verified parental consent, we will delete that information.
10. General Privacy Rights
Subject to applicable law and verification of your identity, you may have the following rights with respect to your information:
- Access. You may request access to the personal information we hold about you.
- Correction. You may request correction of inaccurate or incomplete personal information.
- Deletion. You may request deletion of your personal information, subject to retention exceptions described in Section 7.
- Portability. You may request a copy of your personal information in a structured, commonly used, machine-readable format.
- Opt-Out of Marketing. You may opt out of marketing communications by following the unsubscribe instructions in the communication or by contacting us.
To exercise any of these rights, please contact us at privacy@olivetwell.com. We will respond to your request within the time period required by applicable law. We may need to verify your identity before fulfilling certain requests.
11. State-Specific Privacy Rights
11.1 California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), provides you with additional rights regarding your personal information. The categories of personal information we collect, the purposes for which we use it, and the categories of recipients with whom we share it are described in Sections 2, 3, and 6 above.
As a California resident, you have the right to know what categories and specific pieces of personal information we have collected about you in the preceding twelve months; request deletion of personal information we have collected about you; request correction of inaccurate personal information; opt out of any "sale" or "sharing" of your personal information (we do not sell your personal information or share it for cross-context behavioral advertising); and limit our use of "sensitive personal information." We will not discriminate against you for exercising your CCPA rights. To exercise your rights, contact us at privacy@olivetwell.com.
11.2 Washington Residents (My Health My Data Act)
If you are a Washington resident, the Washington My Health My Data Act ("MHMDA") provides specific rights regarding your "consumer health data," which includes information you submit about supplements, symptoms, lab values, dietary practices, and other health-related matters. We collect and process consumer health data for the purposes described in Section 3 above, primarily to provide the Service to you, deliver educational AI responses, personalize your experience, and operate and secure the Service. We share consumer health data with the subprocessors listed in Section 6.1, each of which is bound by a data-processing agreement. We do not sell consumer health data.
As a Washington resident, you have the right to confirm whether we are processing your consumer health data and access such data; request deletion of your consumer health data; and withdraw consent for our collection or sharing of your consumer health data, where consent is the basis for processing. To exercise your rights, contact us at privacy@olivetwell.com. You also have the right to file a complaint with the Washington State Office of the Attorney General.
11.3 Other State Privacy Laws
Residents of other states with comprehensive consumer privacy laws (including without limitation Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Florida, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, and Rhode Island) may have additional rights similar to those described above. To exercise any rights provided under your state's privacy law, contact us at privacy@olivetwell.com.
12. International Users
The Service is operated in the United States and is intended for users in the United States. If you access the Service from outside the United States, your information will be transferred to, processed, and stored in the United States, where data protection laws may differ from those in your country. By using the Service, you consent to the transfer of your information to the United States. We have not designed the Service to comply with the requirements of the European Union General Data Protection Regulation, the United Kingdom General Data Protection Regulation, or other non-U.S. data protection laws, and we do not currently offer the Service to data subjects in the European Economic Area, the United Kingdom, or other regions where additional regulatory requirements apply.
13. Cookies and Tracking Technologies
Our website may use cookies and similar technologies to operate, secure, and analyze the website. We do not use cookies for cross-context behavioral advertising. The mobile application uses standard mobile platform identifiers solely for the operation, security, and analytics of the application. You can manage cookie and tracking preferences through your browser or device settings.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated Privacy Policy within the Service, by sending you an email, or by another reasonable means, and we will update the Effective Date at the top of the Privacy Policy. Your continued use of the Service after the effective date of the updated Privacy Policy constitutes acceptance of the updated terms.
15. Contact Information
If you have any questions, concerns, requests, or notices regarding this Privacy Policy or our handling of your information, please contact us at:
OlivetWell LLC
Attn: Privacy
8 The Green, Suite B
Dover, Delaware 19901
Email: privacy@olivetwell.com
General inquiries: legal@olivetwell.com