Legal

Privacy Policy

Effective 31 May 2026 · Last updated 31 May 2026

Lyvwell is a preventive-health platform that rewards healthy behaviour. Your health data is sensitive, so we treat it that way. This policy explains exactly what we collect, why we collect it, who we share it with, and the controls you have.

The short version: We collect only what we need to calculate your health score and pay you for healthy behaviour. We never sell your data. Your mental-health entries are encrypted before they leave your device. You can delete everything at any time, in one tap, inside the app.

1. Who we are

Lyvwell is operated by [Lyvwell Health Ltd., Accra, Ghana] ("Lyvwell," "we," "us"). For privacy questions, contact privacy@lyvwell.health. For data-protection requests, see Section 9 below.

2. What we collect

2.1 Account information

When you sign up we collect your phone number (for OTP login), full name, preferred language, and country. If you choose to redeem rewards to mobile money or claim insurance discounts, we collect KYC information — typically your national ID number, date of birth, and the country that issued the ID. KYC details are encrypted at rest.

2.2 Health and activity data

With your explicit permission, we read activity data from Apple Health (iOS) or Health Connect (Android):

  • Daily step counts
  • Sleep duration (when you've granted that scope)
  • Resting heart rate and heart-rate variability (when you've granted those scopes, for the Recovery sub-score)
  • Active minutes / workouts

You may also log values manually inside the app — for example, sleep hours, blood-pressure readings, and completed screenings. We store only the values you provide; we never read other Health categories.

2.3 Mental health and screening data

If you complete a mood check-in or screening log inside the app, we store:

  • The mood label you selected (e.g., "happy," "tired")
  • Your PHQ-2 responses (if you provided them) — encrypted on your device before transmission
  • Any free-text note you added — also encrypted on your device before transmission
  • The type and date of any screening you logged

Lyvwell employees cannot read the encrypted fields. They are only decryptable in your authenticated session.

2.4 Rewards and ledger

We record the coins you earn, the rewards you redeem, and your transaction history so we can show your balance and process payouts. These records contain transaction IDs and amounts, not the underlying health value that triggered them.

2.5 Device and diagnostic data

Standard server logs (IP address, device type, app version, timestamps) are kept for security and abuse detection for up to 90 days. We do not use third-party analytics or advertising SDKs.

3. How we use your data

  • To run the service: calculate your health score, award coins, surface progress and goals.
  • To process redemptions: verify KYC where required by partners or regulators, transfer mobile money, issue insurance discounts.
  • To keep you safe: if your PHQ-2 score indicates elevated risk, the app may surface mental-health resources in your country.
  • To improve the product: aggregated, de-identified statistics about feature usage. Never linkable to you.
  • To meet legal obligations: fraud prevention, tax reporting on large redemptions, lawful requests from authorities.

We do not use your data for advertising. We do not sell your data. We do not share identifiable health data with employers, insurers, or partners.

4. Who we share it with

We share only what's necessary, only with vetted processors, and only under written contracts that require equivalent protection. Categories of recipients:

  • Cloud infrastructure: Fly.io (application hosting, Frankfurt region), Cloudflare (DNS, edge security).
  • Payment rails: Mobile-money providers (MTN MoMo and equivalents) when you redeem cash rewards — they receive your phone number and the payout amount only.
  • KYC verification: Identity-verification providers, when redemption rules require it. They receive only the document and check the result.
  • Redemption partners: When you redeem a reward, the partner receives a redemption code — never your health data.
  • Legal authorities: Only in response to a valid, narrowly-scoped legal request.

5. Health data and HealthKit

Lyvwell uses Apple HealthKit and Android Health Connect strictly to read the metrics listed in Section 2.2. In accordance with Apple's HealthKit policy:

  • Health data is never used for advertising or sold to third parties.
  • Health data is never shared with third parties for marketing.
  • Health data is never disclosed without explicit consent.

6. How long we keep your data

Data typeRetention
Active account profile, daily metrics, mood entries, screeningsUntil you delete your account
Server logs / diagnostics90 days
Point ledger and redemption records7 years (Ghana tax/financial-records requirements). Anonymised once your account is deleted.
Consent records7 years for legal evidence of consent

7. Security

All connections use TLS 1.2+. Sensitive fields (KYC ID, mental-health entries, mobile-money wallet) are encrypted at rest using AES-256. Access to production databases is limited to a small set of named engineers using SSO with hardware-key MFA. We log every administrative access. If we ever discover a breach affecting your data, we will notify you and the relevant authority within 72 hours.

8. International data transfers

Our primary infrastructure is hosted in Frankfurt, Germany. Some processors (e.g., Cloudflare's edge network) operate globally. Where data crosses borders we rely on Standard Contractual Clauses or equivalent safeguards.

9. Your rights

You have the right to:

  • Access the data we hold about you
  • Delete your account and personal data (in-app: Profile → Delete account; see /account-deletion for the full process)
  • Correct inaccurate data (in-app for profile fields; email us for everything else)
  • Export a machine-readable copy of your data (email us — we'll deliver within 30 days)
  • Withdraw consent for any optional scope at any time (e.g., disconnect a wearable in Profile → Connected devices)
  • Lodge a complaint with your data-protection authority — in Ghana, the Data Protection Commission (dataprotection.org.gh)

To exercise any of these rights, email privacy@lyvwell.health. We will respond within 30 days.

10. Children

Lyvwell is intended for users aged 18 and over. We do not knowingly collect data from children. If you believe a child has registered, contact us and we will delete the account.

11. Changes to this policy

We will notify you in-app and by email at least 30 days before any material change takes effect. The "Last updated" date at the top of this page always reflects the current version.

12. Contact us

Privacy questions: privacy@lyvwell.health
General support: support@lyvwell.health
Postal: [Lyvwell Health Ltd., Accra, Ghana]