Privacy Policy
Last updated: February 16, 2026
Wane ("we," "us," or "our") operates the Wane mobile application and website (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, share, and protect your personal information, including biometric and health-related data, when you use our Service.
By using Wane, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
1. Information We Collect
We collect the following categories of information:
1.1 Account Information
- Email address, display name, and profile photo (optional).
- Authentication credentials (hashed password) or Apple ID identifier (if using Apple Sign In).
- Account creation date and timezone.
1.2 Biometric and Health Data
With your explicit consent, we collect health and biometric data from your connected wearable devices and health platforms, including but not limited to:
- Heart rate variability (HRV / RMSSD), resting heart rate, and heart rate ranges.
- Sleep metrics: total duration, sleep stages (REM, deep, light, awake), sleep efficiency, and respiratory rate during sleep.
- Recovery and strain scores (from compatible devices such as Whoop).
- Readiness and activity scores (from compatible devices such as Oura Ring).
- Blood oxygen saturation (SpO2) and skin temperature.
- Activity data: step count, distance, flights climbed, calories, and VO2 max.
- Body composition: weight, body fat percentage, lean body mass.
- Mindfulness session duration.
This data may constitute "consumer health data" or "sensitive personal information" under applicable privacy laws (such as the Washington My Health My Data Act, CCPA, and GDPR). We do not collect biometric identifiers as defined under the Illinois Biometric Information Privacy Act (e.g., fingerprints, retina scans, face geometry). We treat all health data with the highest level of protection. We do not sell your health data, and we will never do so.
1.3 Device and Technical Information
- Device platform (iOS or Android) and operating system version.
- Expo push notification token (for delivering alerts).
- App version and session timing.
1.4 Usage Data
- Feature interactions and navigation patterns within the app.
- Subscription status and purchase history (managed by RevenueCat and the respective app store).
1.5 Information You Provide Voluntarily
- Support requests, feedback, and communications sent to us.
- Notification preferences and display settings.
2. Legal Basis for Processing
We process your personal data on the following legal bases, as applicable under the EU General Data Protection Regulation (GDPR) and similar laws:
- Explicit consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR): Health and physiological data are "special category data" under GDPR. We process this data solely on the basis of your explicit consent, which you provide when connecting a wearable device or health platform in the app. You may withdraw consent at any time by disconnecting the data source or deleting your account. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Performance of a contract (Art. 6(1)(b)): We process account information and subscription data as necessary to provide you with the Service under our Terms of Service.
- Legitimate interest (Art. 6(1)(f)): We process technical and usage data (device platform, session timing, error logs) for service security, fraud prevention, and infrastructure performance only. Legitimate interest is not used as a basis for processing health or physiological data.
- Legal obligation (Art. 6(1)(c)): We may process data when required to comply with applicable law, regulation, or legal process.
3. How We Use Your Data
- Burnout risk monitoring: We analyze your biometric data using statistical and computational methods to generate your daily Wane Score, a wellness indicator derived from heart rate variability, sleep quality, resting heart rate, and recovery balance.
- AI-powered insights (Premium): For premium subscribers who opt in, anonymized summary features (e.g., 7-day averages, baseline deviations, score ranges) are sent to our AI provider (Anthropic) to generate personalized wellness insights. No personal identifiers, device identifiers, precise timestamps, or individual raw measurements are shared. See Section 4 for details.
- Alerts and notifications: We use your data to detect concerning biometric trends and send timely push notifications to inform you of changes in your burnout risk level.
- Service operation: To authenticate your account, process subscriptions, sync wearable data, and deliver core app functionality.
- Service improvement: Aggregated, de-identified data that cannot reasonably be linked back to you may be used to improve our algorithms and the overall Service.
- No employer or third-party individual access: We do not share individual-level health data with employers, insurers, or any third party. If we introduce organizational or team features in the future, only aggregated, de-identified dashboards will be available to organizations, and only with explicit opt-in from each individual user. No individual-level data will ever be accessible to an employer or team administrator without the user's express consent.
- Communications: To send you service-related messages (account verification, security alerts, subscription updates) and, with your consent, wellness-related notifications.
4. AI-Powered Features
Wane offers optional AI-generated wellness insights as a premium feature. When this feature is active:
- We send only anonymized, aggregated summary features to Anthropic (our AI provider). Summaries consist of 7-day averages, deviations from personal baselines, and general ranges — they contain no personal identifiers, email addresses, device IDs, precise timestamps, or individual raw data points.
- We use Anthropic under a Zero Data Retention eligible API configuration. Under this configuration, prompt and response data are not stored or used to train AI models, subject to limited exceptions required by law or for abuse prevention as described in Anthropic's usage policy.
- AI-generated insights are cached on our servers (one per user per day) and associated with your account for delivery.
- AI insights are informational only and may contain inaccuracies. They do not constitute medical advice. See our Terms of Service for the full AI disclaimer.
5. Cookies and Tracking Technologies
Our mobile application does not use cookies. Our website (getwane.app) uses the following:
- Essential cookies: Necessary for website functionality (e.g., page routing). These cannot be disabled.
- Analytics: We do not currently use third-party analytics or advertising trackers on our website. If we add analytics in the future, we will update this section and obtain consent where required.
We do not use advertising cookies, cross-site trackers, pixel tags, or web beacons. We do not participate in advertising networks. Because we do not engage in cross-site tracking or behavioral advertising, Do Not Track (DNT) and Global Privacy Control (GPC) signals have no material effect on our processing. If we introduce any form of tracking in the future, we will respect GPC signals as required by applicable law and update this section accordingly.
6. Data Sharing and Third-Party Providers
We do not sell, rent, or trade your personal data or health data to any third party.
We share data only with the following categories of service providers, each bound by data processing agreements:
| Provider | Purpose | Data Shared |
| --- | --- | --- |
| Supabase (Database) | Data storage and authentication | All account and biometric data (provider applies encryption at rest) |
| Railway (Hosting) | Backend server infrastructure | Processes data in transit (encrypted via TLS) |
| Anthropic (AI) | AI insight generation (premium only) | Anonymized summary features (averages, ranges) — no identifiers or raw data |
| Expo (Notifications) | Push notification delivery | Push token and notification content |
| RevenueCat (Payments) | Subscription management | Anonymous user ID and subscription status |
| Apple / Google | App distribution and payments | As required by their respective terms |
We may also disclose data if required by law, subpoena, court order, or government request, or if necessary to protect our rights, safety, or property.
7. International Data Transfers
Wane's servers and infrastructure are located in the United States. If you access the Service from outside the United States (including from the European Economic Area, United Kingdom, or Switzerland), your personal data will be transferred to and processed in the United States.
We ensure appropriate safeguards for international transfers through:
- Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
- Data processing agreements with all service providers.
- Encryption of data in transit (TLS 1.3) and at rest.
By using the Service, you acknowledge and consent to the transfer and processing of your data in the United States, subject to the protections described in this policy.
8. Data Storage and Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: Data transmitted between your device and our servers is encrypted using industry-standard transport layer security (TLS).
- Encryption at rest: Our database provider (Supabase) encrypts stored data at rest using industry-standard encryption.
- Authentication security: Passwords are hashed using a one-way hashing algorithm. Authentication tokens are stored on your device using platform-provided secure storage (Keychain on iOS, Keystore on Android).
- Access controls: Server access is restricted to authenticated, authorized personnel only.
- Token expiry: Access tokens are short-lived; refresh tokens have a limited lifetime. Specific durations may change as we improve our security posture.
No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
9. Data Retention
- Active accounts: We retain your personal and biometric data for as long as your account remains active.
- Account deletion: When you delete your account (via the app's Profile screen), all personal data, biometric records, burnout scores, alerts, AI insights, and uploaded images are deleted from our active production systems promptly. Residual copies in automated backups are purged on a rolling schedule (typically within 30 days). Certain records may be retained where required by law (e.g., transaction records for tax or legal compliance).
- Disconnected data sources: When you disconnect a wearable, we stop collecting new data from that source. Previously synced data remains until you delete your account.
- Aggregated data: De-identified, aggregated data that cannot be linked back to you may be retained indefinitely for research and service improvement.
- Legal obligations: We may retain certain data as required by applicable law (e.g., transaction records for tax purposes).
10. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data (available directly in the app).
- Portability: Request your data in a structured, machine-readable format.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent for biometric data processing at any time by disconnecting data sources or deleting your account.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner as required by applicable law). We may verify your identity before fulfilling requests.
If you believe your request was improperly denied, you have the right to appeal by contacting us at the same address. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
11. Information for EEA, UK, and Swiss Residents
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply under the General Data Protection Regulation (GDPR) and UK GDPR:
Data Controller: Wane is the data controller responsible for your personal data. Contact: [email protected].
Legal Basis: See Section 2 above for our legal bases for processing.
Your GDPR Rights: In addition to the rights listed in Section 10, you have the right to:
- Lodge a complaint with your local supervisory authority (e.g., ANSPDCP in Romania, ICO in the UK, CNIL in France, BfDI in Germany).
- Object to automated decision-making. Wane's burnout score is generated through automated processing of biometric data. You may request human review of any automated decision that significantly affects you.
- Request restriction of processing while we verify the accuracy of your data or assess an objection.
International Transfers: Your data is transferred to the United States. We rely on Standard Contractual Clauses (SCCs) and encryption as safeguards. See Section 7.
Retention: See Section 9. We retain data only as long as necessary for the purposes described in this policy.
12. Information for California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights. This section supplements the rest of our Privacy Policy.
Categories of Personal Information Collected (past 12 months):
- Identifiers: Email address, display name, Apple ID identifier, device tokens.
- Biometric information: Heart rate variability, resting heart rate, sleep metrics, respiratory rate, blood oxygen, body temperature, and related physiological data.
- Health information: Sleep patterns, recovery scores, activity data, burnout risk assessments.
- Internet/electronic activity: App usage data, feature interactions, session timing.
- Commercial information: Subscription status and purchase records (managed by Apple/Google).
- Inferences: Burnout risk scores and wellness trend assessments derived from biometric data.
We do not:
- Sell your personal information (as defined under CCPA).
- Share your personal information for cross-context behavioral advertising.
- Use or disclose sensitive personal information for purposes other than providing the Service.
- Sell or share the personal information of users under 16 years of age.
Your California Rights:
- Right to Know: Request details about the categories and specific pieces of personal information we collect, use, and disclose.
- Right to Delete: Request deletion of your personal information (available directly in the app via account deletion).
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your data, so this right is automatically satisfied.
- Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (biometric/health data) only to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising these rights.
To submit a request, email [email protected] with the subject line "California Privacy Request." We will verify your identity and respond within 45 days.
13. Information for Other US State Residents
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon, Texas, Montana, and other states with comprehensive privacy laws may have additional rights, including:
- Right to access, correct, and delete personal data.
- Right to opt out of targeted advertising (we do not engage in targeted advertising).
- Right to opt out of the sale of personal data (we do not sell personal data).
- Right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
- Right to appeal our decision regarding a privacy request.
To exercise your rights, contact [email protected].
Washington Residents (My Health My Data Act): Wane collects "consumer health data" as defined under the Washington My Health My Data Act, including physiological metrics such as heart rate, sleep data, and activity data. We collect this data solely to provide the wellness monitoring service described in this policy. We do not sell consumer health data. We do not share consumer health data except with the service providers listed in Section 6, and only as necessary to operate the Service. You may withdraw consent and request deletion of your health data at any time by deleting your account or contacting [email protected].
Note on Illinois BIPA: Wane does not collect "biometric identifiers" as defined under the Illinois Biometric Information Privacy Act (BIPA). We do not collect fingerprints, retina or iris scans, voiceprints, or face geometry. The physiological metrics we collect (heart rate, HRV, sleep data) are not biometric identifiers under BIPA.
14. Children's Privacy
Wane is not intended for users under 16 years of age (or under 13 in jurisdictions where 13 is the applicable minimum). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected] and we will promptly delete it.
15. Electronic Communications
By creating an account, you consent to receive electronic communications from us, including:
- Service messages: Account verification, security alerts, subscription confirmations, and important service updates. These are necessary for providing the Service and cannot be opted out of while your account is active.
- Push notifications: Burnout risk alerts, trend changes, milestones, and wellness insights. You can control these per category in the app's notification settings, or disable them entirely through your device settings.
- Weekly reports: Optional summary of your weekly wellness trends. You can enable or disable this in notification preferences.
We do not send marketing emails or promotional push notifications. All communications are directly related to the Service and your wellness data.
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you through the app (via in-app notification or alert).
- Request renewed consent, where required by law, for material changes to how we process biometric or health data.
Your continued use of the Service after changes take effect constitutes acceptance of the updated policy, except where renewed consent is required.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:
For GDPR-related inquiries, you may also contact your local data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu.