Back to Home

Privacy Policy

The Wellspring App Ltd · Last Updated: 24 May 2026

The Wellspring App Ltd

Last Updated: 25 May 2026

1. Introduction

Welcome to Wellspring. This Privacy Policy explains how The Wellspring App Ltd ("we", "us", "our", or "Wellspring") collects, uses, discloses, and protects your personal information when you use our mobile application and related services (collectively, the "Service").

Wellspring is a corporate wellness platform designed to help employees track and improve their wellbeing across three pillars: Body (physical activity), Mind (mental wellness), and Spirit (emotional wellness).

We are committed to protecting your privacy and handling your data in an open and transparent manner. By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.

Data Controller: The Wellspring App Ltd United Kingdom

For any privacy-related queries, please contact us at: sam@thewellspringapp.com For general support, please contact us at: sam@thewellspringapp.com

2. Information We Collect

We collect several types of information to provide and improve our Service:

2.1 Personal Information

When you create an account and use Wellspring, we may collect:

  • Account Information: First name, last name, email address, and password
  • Profile Information: Profile picture, avatar preferences, department, and job title
  • Company Information: Your employer's company code (provided by your employer)

2.2 Health and Wellness Data

Wellspring collects health and wellness data to track your activities and progress. This data is considered special category data under GDPR and is processed only with your explicit consent.

Physical Activity Data (Body)

  • Activity type (e.g., running, walking, cycling, swimming, gym workouts, team sports)
  • Duration and timestamps
  • Distance travelled
  • GPS route data and location coordinates
  • Pace, speed, and elevation
  • Intensity levels
  • Activity notes and descriptions
  • Sport-specific data (e.g., match scores, exercise details)

Mental Wellness Data (Mind)

  • Breathing exercise sessions and completion data
  • Focus session details (e.g., Pomodoro sessions, tasks)
  • Meditation activity records
  • Session duration and ratings
  • Personal notes and reflections

Emotional Wellness Data (Spirit)

  • Gratitude journal entries and content
  • Mood indicators
  • Personal reflections and tags
  • Privacy preferences for journal entries

Thrive Sessions

  • Session responses and reflections
  • Goal setting and progress data
  • Personal development notes

2.3 Device and Health App Integration Data

With your explicit permission, we may access data from:

  • Apple HealthKit (iOS devices): Workout records only — activity type, start/end time, duration, and distance where included in the workout. We do not read steps, heart rate, or other HealthKit data types.
  • Health Connect (Android devices): Workout records only — the same workout fields as above. We do not read steps or other Health Connect metrics beyond workouts.

We only read data from these services with your consent to automatically import completed workouts into your activity history. We do not write data back to your device's health apps.

Important: Data obtained through Apple HealthKit and Health Connect is used solely to provide wellness tracking features within the Service. We do not use this data for advertising, marketing, or sale to third parties. This data is not shared with third parties except as required to provide core app functionality, and only with your consent.

2.4 Social and Engagement Data

When you participate in social features, we collect:

  • Club memberships and participation
  • Posts, comments, and reactions you create
  • Images uploaded to posts (up to 4 images per post)
  • Event RSVPs and attendance
  • Challenge participation and team memberships
  • Leaderboard positions and rankings
  • Achievements, badges, and milestones
  • Experience points (XP) and levels

2.5 Content Moderation Data

To maintain a safe and respectful community, we collect:

  • Reports submitted by users about content (including reason for report and optional notes)
  • Flagged content records
  • Moderation actions taken

2.6 Usage and Technical Data

We automatically collect certain information when you use the Service:

  • Device type, platform, and operating system
  • App version
  • Activity timestamps
  • Feature usage patterns
  • Push notification device tokens (for delivering notifications)
  • Locally stored preferences (e.g., unit preferences, notification settings)

2.7 Photos and Camera

With your permission, we access your device camera and/or photo library to allow you to:

  • Upload a profile picture
  • Attach images to community and club posts

We only access your camera or photo library when you initiate an upload action. Images are compressed and transmitted securely to our servers.

2.8 Location Data

For distance-based activities (e.g., running, cycling, walking), we collect GPS coordinates to:

  • Track your route during activities
  • Calculate accurate distances
  • Display route maps in your activity history

Location tracking occurs when you actively record an activity and grant location permissions. Background location access may be used during active activity tracking to ensure continuous GPS recording even when the app is not in the foreground. We do not track your location outside of active activity recording sessions.

You can revoke location permissions at any time through your device settings.

2.9 Audio

Wellspring may play audio content (such as guided breathing exercises and coaching prompts) within the app. We do not record audio from your device microphone.

3. How We Use Your Information

We use your information for the following purposes:

3.1 Providing and Improving the Service

  • Creating and managing your account
  • Tracking and displaying your wellness activities
  • Calculating statistics, progress, and achievements
  • Generating personalised insights and recommendations
  • Improving and optimising the Service

3.2 Social and Community Features

  • Enabling participation in clubs, challenges, and events
  • Displaying your activity on leaderboards (where applicable)
  • Facilitating social interactions with colleagues
  • Sending notifications about club activities and events
  • Moderating user-generated content and handling reports

3.3 Employer Wellness Programmes

  • Providing wellness engagement data to your employer to support corporate wellness initiatives
  • Supporting company wellness challenges and initiatives
  • Generating company-wide engagement reports

Your employer's designated administrators may have visibility of your activity participation data, including your name, activities completed, distances logged, and challenge progress. They may also see your Thrive session data, including goals, goal tracking, and question responses within Thrive—employers can set up and view this 1-1 data. Your employer receives aggregated, anonymised data only for mood tracking and daily wellness question responses—they cannot see your individual responses to these. Your gratitude journal entries are private and are not visible to your employer. This may change in the future; we will update this policy if it does.

3.4 Communications

  • Sending push notifications (with your consent) about activities, challenges, achievements, and reminders
  • Providing customer support
  • Notifying you of updates to our Service or policies

3.5 Health Data Usage Restrictions

We do not use health data (from HealthKit, Health Connect, or manual entry) for:

  • Advertising or marketing purposes
  • Sale to data brokers or third parties
  • Employment decisions by your employer
  • Insurance underwriting or eligibility determinations

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data based on the following legal grounds:

PurposeLegal Basis
Providing the ServicePerformance of contract
Account managementPerformance of contract
Health and activity trackingYour explicit consent
Location data collectionYour explicit consent
Background location during activitiesYour explicit consent
Health app integration (HealthKit/Health Connect)Your explicit consent
Camera/photo library accessYour explicit consent
Push notificationsYour explicit consent
Leaderboards and social featuresLegitimate interests (community engagement)
Content moderation and reportingLegitimate interests (user safety)
Sharing activity data with employer administratorsLegitimate interests (wellness programme support)
Service improvementLegitimate interests (product development)
Legal complianceLegal obligation

You may withdraw your consent at any time by adjusting your app settings or contacting us directly.

5. Data Sharing and Disclosure

We do not sell your personal data. We do not use your data for advertising. We may share your information in the following circumstances:

5.1 Within Your Organisation

  • Colleagues: Your name, profile, and activity participation may be visible to colleagues in shared clubs, challenges, and leaderboards
  • Administrators: Your employer's designated administrators may view your activity participation data (name, activities, distances, challenge progress) and your Thrive session data (goals, tracking, question responses within Thrive) in order to manage and support the wellness programme
  • Aggregated Reports: We provide your employer with aggregated, anonymised statistics for mood tracking and daily wellness question responses—individual responses are not shared
  • Gratitude Journal: Your gratitude journal entries are private and are not shared with your employer

5.2 Service Providers

We use trusted third-party service providers to operate our Service:

ProviderPurposeData Processed
Amazon Web Services (AWS)Cloud infrastructure, data storage, content delivery (CloudFront CDN), serverless computing (Lambda), database (DynamoDB)All user data (encrypted)
Firebase (Google)User authentication, cloud messaging (push notifications)Email, password (hashed), user ID, device tokens
MapboxMap tiles and route visualisationGPS coordinates, route data, IP address
Google FontsTypographyIP address (standard web request)

All service providers are contractually bound to protect your data and use it only for the purposes we specify.

5.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

6. Data Storage and Security

6.1 Data Storage

Your data is stored securely using Amazon Web Services (AWS) infrastructure in the EU West (London) region, primarily in encrypted databases. Images (such as profile pictures, club images, and post images) are stored in secure cloud storage (AWS S3) with encrypted transmission via CloudFront CDN.

Certain data is also stored locally on your device (such as preferences and cached content) using secure local storage mechanisms.

6.2 Security Measures

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of data at rest
  • Secure authentication mechanisms (Firebase Authentication)
  • Presigned URLs for secure image uploads
  • Regular security assessments
  • Access controls and authentication for our systems
  • Employee training on data protection

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfil the purposes described in this Privacy Policy:

Data TypeRetention Period
Account informationUntil data deletion request is processed or employer agreement ends
Activity dataUntil data deletion request is processed or employer agreement ends
Health integration dataUntil data deletion request, integration disconnection, or employer agreement ends
Journal entriesUntil data deletion request is processed or employer agreement ends
Social content (posts, comments)Until deleted by you, data deletion request, or employer agreement ends
Content moderation reportsAs long as necessary for safety and legal purposes
Push notification tokensUntil data deletion request or token invalidation
Aggregated statisticsIndefinitely (anonymised)

7.1 Data Deletion Requests

As Wellspring is provided through your employer's corporate wellness programme, your account access is managed by your employer. You may request deletion of your personal data at any time by:

Upon receiving a valid data deletion request, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or legitimate business purposes. Your activity contributions to aggregated company statistics will be anonymised rather than deleted.

When your employer's agreement with Wellspring ends, we will delete or anonymise all personal data associated with that organisation within 30 days, unless otherwise agreed with your employer or required by law.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

8.1 Access

You have the right to request a copy of the personal data we hold about you.

8.2 Rectification

You have the right to request correction of inaccurate or incomplete personal data.

8.3 Erasure

You have the right to request deletion of your personal data ("right to be forgotten"). As the Service is provided through your employer, data deletion requests will result in the removal of your personal data while your employer retains control of the account seat. See Section 7.1 for details.

8.4 Restriction

You have the right to request restriction of processing of your personal data.

8.5 Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format.

8.6 Objection

You have the right to object to processing of your personal data based on legitimate interests.

8.7 Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. This includes revoking permissions for HealthKit, Health Connect, location, camera, and notifications through your app or device settings.

8.8 Exercising Your Rights

To exercise any of these rights, please contact us at: sam@thewellspringapp.com

We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

8.9 Complaints

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority:

UK: Information Commissioner's Office (ICO) - https://ico.org.uk

9. Children's Privacy

Wellspring is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us immediately at sam@thewellspringapp.com, and we will take steps to delete such information.

10. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States (where certain AWS, Firebase, and Mapbox services operate). When we transfer data internationally, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by relevant authorities
  • Binding Corporate Rules where applicable

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access.

12. Cookies and Tracking Technologies

The Wellspring mobile application does not use cookies or third-party tracking/analytics SDKs. We do not use advertising identifiers (IDFA/GAID) and do not participate in cross-app tracking.

Our website and web-based administration portal may use cookies and similar technologies for:

  • Essential functionality (session management)
  • Remembering your preferences
  • Security purposes

You can control cookies through your browser settings.

13. Apple HealthKit and Health Connect Compliance

13.1 Apple HealthKit (iOS)

In compliance with Apple's HealthKit guidelines:

  • We request read-only access to workout records only (HKWorkoutTypeIdentifier) with your explicit consent
  • We do not read steps, heart rate, or other HealthKit data types
  • We do not write data back to HealthKit
  • HealthKit data is not used for advertising, marketing, or sale to third parties
  • HealthKit data is not shared with third parties for purposes unrelated to health or fitness
  • HealthKit data is not disclosed to third parties without your explicit consent
  • We do not use HealthKit data to build user profiles for advertising or for purposes other than providing wellness tracking services
  • HealthKit data stored on our servers is encrypted and subject to the same security protections as all user data

13.2 Health Connect (Android)

In compliance with Google's Health Connect guidelines:

  • We request read-only access to workout records only with your explicit consent
  • We do not read steps or other Health Connect data types beyond workouts
  • Health Connect data is used solely for providing wellness tracking features within the Service
  • Health Connect data is not used for advertising or marketing purposes
  • You may disconnect Health Connect at any time through the app settings

14. Push Notifications

We use push notifications to keep you informed about:

  • Daily wellness questions and reminders
  • Challenge updates and completions
  • Team and community activity
  • Achievement unlocks
  • Workout reminders from your fitness plan

Push notifications are optional. You can enable or disable notifications at any time through the app settings or your device settings. We use Firebase Cloud Messaging (FCM) to deliver push notifications, which requires storing a device token on our servers. This token is deleted when you disable notifications or delete your account.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy in the app
  • Updating the "Last Updated" date at the top of this policy
  • Sending you a notification (for significant changes)

We encourage you to review this Privacy Policy periodically for any changes.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

The Wellspring App Ltd

Email (privacy): sam@thewellspringapp.com Email (support): sam@thewellspringapp.com

For data protection enquiries, please include "Data Protection" in your subject line.

17. Additional Information for Specific Regions

17.1 United Kingdom and European Economic Area

We comply with the UK GDPR and EU GDPR. The legal bases for our processing are set out in Section 4 above.

17.2 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You can request deletion of your personal information
  • Right to Opt-Out: We do not sell personal information
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at: sam@thewellspringapp.com

Thank you for trusting Wellspring with your wellness journey.

© 2026 The Wellspring App Ltd. All rights reserved.