Privacy Policy
Effective date: June 6, 2026. This policy explains how Doahwell collects, uses, and protects your personal and health information.
Data Controller
Doawell Digital OU, Tallinn, Estonia, is the controller of your personal data.
You can reach our Data Protection Officer / privacy contact at hi@doahwell.com.
1. Information We Collect
When you use Doahwell, we collect information you provide directly, such as your name and email address. We also collect usage data automatically — including log timestamps, feature interactions, and device identifiers — to improve reliability and the user experience.
- Health data you enter (medications, doses, adherence history). This is special category data under Art. 9 GDPR and receives our highest level of protection.
2. How We Use Your Data and Our Legal Bases (GDPR)
We use your information solely to provide and improve the Doahwell service. Specifically:
- Deliver reminders, log doses, track adherence. → Contract (Art. 6(1)(b)); for health data, your explicit consent (Art. 9(2)(a))
- Generate AI insights (Pro) on your own data. → Your explicit consent (Art. 9(2)(a))
- Transactional emails (password resets, receipts). → Contract / legal obligation (Art. 6(1)(b)/(c))
- Bug diagnosis, performance, new features. → Legitimate interests (Art. 6(1)(f))
We do not use your health data to train AI models without your explicit opt-in consent. You can withdraw any consent at any time without affecting prior processing.
Automated processing: AI insights surface patterns in your own adherence data. They are informational and do not produce legal or similarly significant effects on you within the meaning of Art. 22 GDPR. A human and your own judgment always remain in control of medication decisions.
3. Cookies & Tracking
The Doahwell web app uses strictly necessary cookies to maintain your session and authentication state. We use one analytics provider (privacy-focused, no cross-site tracking) to understand aggregate usage patterns.
You can opt out of analytics at any time in Settings → Privacy. We do not serve advertising cookies or join ad networks.
4. Third-Party Services (Sub-processors)
We share minimal data with trusted sub-processors required to run the service: a cloud infrastructure provider (SOC 2 Type II), a payment processor (PCI-DSS), and a transactional email provider.
All are bound by data processing agreements (Art. 28 GDPR). Where a sub-processor is located outside the EEA, transfers are protected by an EU adequacy decision or Standard Contractual Clauses with appropriate supplementary measures.
Calendar sync (Google, Apple, Outlook) uses standard OAuth and only writes dose events you authorize. We do not read your existing calendar data.
5. Your Rights
Under the GDPR you have the right to:
- Access your data and obtain a copy
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict or object to processing
- Data portability
- Withdraw consent at any time
You can exercise most rights directly in the app (Settings → Account → Your Data) or by contacting privacy@example.com. We respond within one month (extendable by two further months for complex requests, with notice).
You also have the right to lodge a complaint with a supervisory authority — your local Data Protection Authority, or the one for our place of establishment.
6. Data Retention
We retain account data while your account is active. If you delete your account, we permanently erase your personal data within 30 days, except where retention is required by law (e.g. tax/billing records). Anonymized, aggregated statistics that no longer identify you may be retained indefinitely.
7. Children
Doahwell is not directed at children under [16 / the applicable age in your country]. We do not knowingly collect their data without parental consent.
8. Contact
Questions about this policy? Contact our Privacy team at hi@doahwell.com. We take privacy concerns seriously and will respond promptly.