Melloway Privacy Policy

Last updated: October 07, 2025 • Controller: Melloway, Inc. • legal@melloway.app

Quick summary — key takeaways

  • What we collect: account info (email), device identifiers, and health data (heart rate, HRV, sleep stages, activity, SpO₂, body temperature, menstrual cycle).
  • Why we collect: to run the app, provide personalised recommendations, process payments, improve the product, and for security. Health data is collected only with explicit consent.
  • Who we share with: processors (Terra, Stripe, AWS, Knock, Sentry, Mixpanel, OpenAI, Diffy, GA4, GTM, Meta, Google Ads, Microsoft Clarity). We do not sell personal data.
  • Where we store: primarily in the United States (AWS US region). EU data transfers use SCCs.
  • Your rights: access, correction, deletion, portability, restriction, objection, withdrawal of consent; CCPA rights for Californians.
  • Deletion & models: we delete identifiable records, remove personal data from training datasets and, where applicable, retrain models within 90 days.

About us

Controller: Melloway, Inc.
Address: 1111B S Governors Ave STE 39837, Dover, DE 19904, USA
EIN: 38-4367302
Privacy contact: legal@melloway.app

1. Personal data we collect (categories)

  • Account & identity: email address, name (optional), account ID.
  • Device & technical: device model, OS version, device identifiers, app version, IP address (for security), analytics identifiers.
  • Payment & billing: payment card tokens and metadata (processed by Stripe). Melloway does not store full card numbers.
  • Health & biometric (special category): heart rate, HRV, sleep stages, activity, SpO₂, body temperature, menstrual cycle data — only with explicit consent.
  • Derived & inferred: personalised scores, trend analyses, AI-generated recommendations, aggregated metrics.
  • Diagnostics & analytics: crash reports (Sentry), usage analytics (Mixpanel, GA4), session replays (Clarity) only with consent.

2. How we collect it

Directly from you when you register, connect a wearable, enter health data, or contact support. From your device via HealthKit and connected wearables when you grant permission. From third parties you connect. Automatically via cookies and SDKs where consented.

3. Purposes of processing & legal bases (GDPR)

We rely on different lawful bases depending on processing:

  • Consent: for special category health data and targeted analytics/ads where required.
  • Contract performance: to provide the service, sync data, and process subscriptions.
  • Legitimate interest: for fraud prevention, security, product improvement (we do not rely on legitimate interest for health profiling).

4. Health data: special handling & explicit consent

Health data is sensitive. We will ask for clear, specific permission for each HealthKit scope we access. You can revoke permissions in device settings or via the app.
Apple HealthKit note: We follow Apple’s HealthKit rules — HealthKit data is never used for targeted advertising and we provide HealthKit usage descriptions in the app.

5. AI, models & deletion

We use OpenAI APIs and internal models to generate recommendations. Our approach:

  • We de-identify/pseudonymize data before training when feasible.
  • If you request deletion we will: remove personal data from production systems and backups where feasible; remove personal data from training datasets; retrain affected models to remove your influence within 90 days where technically feasible.
  • If data was irreversibly anonymized before training, removal may not be possible — anonymized datasets are not re-identifiable under our controls.

We document requests and actions in an internal audit trail and communicate status to the requester.

6. Sharing & subprocessors (who we work with)

We use processors to deliver and improve the Service. Subprocessors include (may change):

  • Terra (Tryterra) — connector for wearable data
  • Stripe — payments
  • AWS — hosting & storage (US)
  • Knock — notifications
  • Sentry — crash reporting
  • Mixpanel — analytics
  • OpenAI — recommendation generation
  • Diffy (cloud.diffy.ai) — API monitoring
  • Google Analytics 4 (GA4) & Google Tag Manager (GTM)
  • Meta Pixel + Conversion API
  • Google Ads Tag
  • Microsoft Clarity (session replay)

We require DPAs with processors. Contact legal@melloway.app for current subprocessors and DPAs. We do not sell your personal data.

7. International transfers

Data is processed/stored in the US. For EU/EEA transfers we rely on SCCs and transfer impact assessments. Request transfer safeguards via legal@melloway.app.

8. Retention & backups

We retain account and health data while your subscription is active and for 12 months after subscription end unless you request deletion earlier. Backups and logs are retained for up to 12 months.

9. Your rights

EU/EEA: access, correct, erase, restrict, portability, object, withdraw consent. California: CCPA/CPRA rights. To exercise rights: legal@melloway.app.

10. Security & operational measures

We implement TLS 1.2/1.3; encryption at rest (AES-256 with AWS KMS); IAM least privilege; MFA; CloudTrail; GuardDuty; quarterly scans; annual pen tests. We follow an incident response plan and will notify supervisory authorities within 72 hours when required.

11. Children & age limits

Users must be 18+. We do not knowingly collect data from children under 18; if we become aware we will delete it promptly.

12. Changes to this Policy

Material changes will be communicated via the App and email. Continued use after updates indicates acceptance.

13. Contact

Controller: Melloway, Inc. legal@melloway.app