PRIVACY POLICY

Last updated: April 2026

Deuswell, a next-generation technology platform specializing in burnout prediction and prevention, optimization of mental, emotional and physical well-being, and hybrid therapeutic support (AI + humans), attaches paramount importance to the protection of the privacy and data of its users ("you").

This Privacy Policy (hereinafter the "Policy") describes and governs how the company Deuswell SAS (hereinafter "we", "us", "our" or the "Company"), Data Controller, collects, uses, retains, stores and discloses information about you when you visit our website and use our mobile application and other online services (the "Services").

Please read this Privacy Policy carefully before starting to use the Services. By accessing and/or using the Services, you agree to be bound by and comply with this Privacy Policy and our Terms and Conditions available at https://deuswell.com/terms-and-conditions (the "T&Cs") incorporated herein by reference. If you do not wish to accept this Privacy Policy and the T&Cs, you must not access or use the Services.

Our commitment is to ensure full compliance with Data Protection Laws, in particular the General Data Protection Regulation (GDPR) and the French Data Protection Act. We have implemented a rigorous data governance program, including the adoption of internal policies, the implementation of appropriate technical and organizational measures (Privacy by Design/Default) and the designation of a Data Protection Officer (DPO).

1. DATA CONTROLLER AND DPO CONTACT

IDENTIFICATION OF THE DATA CONTROLLER

The Data Controller of your Data is the company Deuswell, which defines the purposes and means of the processing.

Company Name: Deuswell

Data Protection Officer (DPO): dpo@deuswell.com

2. PERSONAL DATA WE COLLECT

WHAT DATA IS COLLECTED?

We may collect personal information from you in various ways, including the following key categories and types of personal information:

Data Category	Data Examples	Legal Basis (Art. 6 GDPR)
Identification Information	Username, first name, email address, hashed password.	Performance of the Contract (T&Cs)
Additional Profile Information	Gender, date of birth, phone number (if provided).	Performance of the Contract / Consent
Third-Party Identification Data	Third-party unique identifier (Apple ID, Google ID, Facebook ID), name, profile picture and email address associated with the third-party account.	Performance of the Contract (T&Cs)
Preference and Personalization Data	Preferred language, time zone, accessibility settings.	Performance of the Contract / Legitimate Interest
Mood/Journaling Data	Mood input, personal notes.	Performance of the Contract / Legitimate Interest
Content created or published	Comments, emotional calendar, blog notes, associated metadata.	Performance of the Contract
Health / Biometric Data	Heart rate (HRV), sleep, SpO2, respiratory rate, steps, body temperature, stress level, meditation minutes.	Explicit Consent (Art. 9 GDPR)
Financial and Subscription Data	Unique subscription reference, payment status. We do not have access to payment card numbers.	Performance of the Contract
Conversations with Annie AI	History of exchanges with the AI assistant, contextual data transmitted to generate responses.	Explicit Consent (Art. 9 GDPR)
Connection and Technical Data	IP address, connection logs, device identifiers (UUID), operating system.	Legitimate Interest / Legal Obligation
Usage and Analysis Data	Frequency of connections, pages viewed, usage events.	Legitimate Interest
Geolocation Data	General region or area from which you access our Services.	Legitimate Interest
Inferences	Deductions made from the information collected to improve your experience.	Legitimate Interest
Messages and Communications	Content of messages exchanged, communication metadata (timestamp).	Performance of the Contract
Customer Support Data	Information provided when you contact us for any other reason (via the Application or forms).	Performance of the Contract / Legitimate Interest

Note on Mandatory Fields: We indicate mandatory fields with asterisks. Failure to provide this data may compromise the inability to provide the Services.

Data collected indirectly and automatically:

Data Category	Data Examples	Origin of Collection	Legal Basis (Art. 6 GDPR)
Financial and Subscription Data	Unique subscription reference, payment status.	Third-Party Provider (RevenueCat)	Performance of the Contract
Connection and Technical Data	IP address, connection logs, device identifiers (UUID), operating system.	Automatic collection	Legitimate Interest / Legal Obligation
Usage and Analysis Data	Frequency of connections, pages viewed, usage events.	Analysis Tools (Firebase Analytics)	Legitimate Interest

3. HOW WE COLLECT YOUR PERSONAL INFORMATION

BY WHAT MEANS DO WE COLLECT YOUR DATA?

We collect personal information from the following sources:

Directly. We collect personal information directly from you. When you sign up for the Services, submit information in a form, request information or otherwise communicate with us or our support staff, you may provide us with information such as your name and email address. By providing us with this information, you consent to your information being collected, used, disclosed, processed and stored by us in accordance with this Policy.

From third-party applications (Health data). With your permission, our Services connect to third-party applications and services (the "Third-Party Applications"), which may include Apple HealthKit, Google Health Connect, and other providers for which you give us permission to connect our Services. We connect to these Third-Party Applications solely for the purpose of importing certain health information about you.

Collection by Third-Party Platforms (Social Login). We may obtain information via your social network profiles (Apple, Google, Facebook) or other authorized online accounts. Access to this information (name, profile picture, email address) is subject to your authorization and is strictly limited by your privacy settings defined on the third-party platform.

Automatic collection. We automatically collect certain technical and usage data through our analysis tools (Firebase Analytics) and our logging systems.

4. HEALTH DATA AND BIOMETRIC INFORMATION

WHAT HEALTH DATA DO WE COLLECT AND HOW IS IT PROCESSED?

Third-party health information

With your permission, our Services connect to third-party applications and services (the "Third-Party Applications"), which may include Apple HealthKit (iOS), Google Health Connect (Android), and other providers for which you give us permission to connect our Services. We connect to these Third-Party Applications solely for the purpose of importing certain health information about you.

This health information may include the following:

Health Data Category	Details	Source
Heart Rate	Resting heart rate, active heart rate and heart rate variability (HRV).	Apple HealthKit / Google Health Connect
Sleep	Total duration, sleep phases (light, deep, REM), sleep quality.	Apple HealthKit / Google Health Connect
Physical Activity	Step count, distance traveled, calories burned, exercise minutes.	Apple HealthKit / Google Health Connect
Blood Oxygen (SpO2)	Blood oxygen saturation level.	Apple HealthKit / Google Health Connect
Respiratory Rate	Number of breaths per minute.	Apple HealthKit / Google Health Connect
Body Temperature	Measured or estimated body temperature.	Apple HealthKit / Google Health Connect
Stress Level	Stress indicator based on biometric data.	Apple HealthKit / Google Health Connect
Environmental Sound Level	Ambient noise level measured by the device.	Apple HealthKit / Google Health Connect
Meditation	Meditation minutes and mindfulness sessions.	Apple HealthKit / Google Health Connect / Deuswell
Morphological Data	Height, weight and age.	User input / Apple HealthKit / Google Health Connect

The health information you allow us to access as part of the Services is collectively referred to as "Health Information." See "Where Your Information Is Stored" below (Section 4bis) for information on where your Health Information is stored.

Apple HealthKit (iOS)

Our application uses Apple's HealthKit framework, which centralizes health and fitness information on iPhone and Apple Watch. With your explicit consent, the application can access the data listed above stored on your device. If you allow access to HealthKit, the application can also write certain data into HealthKit, for example, the meditation minutes listened to in the application in the Awareness Time section. Any new element added by HealthKit will require your prior approval before being used by the application.

Google Health Connect (Android)

We use the Google Health Connect SDK, a platform that allows users to manage their health and fitness data on Android. With your explicit consent, the application can access the data listed above. It can also add certain information into Health Connect, for example, meditation minutes listened to in the application. Any new type of data added will require your prior agreement before use.

Important restriction: We do not use Health Information for advertising or marketing purposes.

4bis. WHERE YOUR INFORMATION IS STORED

HOW AND WHERE IS YOUR DATA STORED?

Personal information and user-generated data. Contact information (such as name, email and profile data) and non-biometric user-generated data (such as mood entries, journaling and activity history) are stored using secure third-party cloud hosting providers (Google Firebase Platform) so that this information can sync across devices and support your use of the Services.

Health information (local processing by default). Imported biometric health information (such as heart rate, sleep, blood oxygen, respiratory rate and body temperature) is, by default, stored and processed locally on your device. Unless you enable Annie AI, we do not store or access these imported biometric health information in the normal course of providing the Services.

Annie AI (optional cloud processing). If you enable the optional Annie AI feature, certain biometric health information may be transmitted through third-party cloud hosting and artificial intelligence ("AI") technology providers in order to generate AI-based responses and coaching. Only the minimum relevant information necessary to generate a response will be transmitted. Once this data is processed by these third-party providers, it is subject to their systems and safeguards.

Storage location. To provide the Services, we store and process your personal data in the European Union and the United States (via Google Firebase Platform, whose servers may be located in the United States). By using the Services or otherwise providing us with information, you understand and consent to any personal information being transferred and processed in accordance with the provisions of Section 8 (Data Transfers outside the EU).

5. LEGAL BASES AND PURPOSES OF PROCESSING

FOR WHAT REASONS DO WE COLLECT YOUR DATA AND HOW DO WE JUSTIFY THE PROCESSING?

We process your Data only when we have a valid legal basis (Article 6 of the GDPR).

Purpose of Processing	Data Concerned	Legal Basis (Art. 6 GDPR)
Service Execution and Account Management	Identification, Preferences, Contents.	Performance of a contract (T&Cs)
Subscription Management	Payment/Subscription.	Performance of a contract (T&Cs)
Provision of health features	Health / Biometric Information.	Explicit consent (Art. 9 GDPR)
AI coaching and analysis (Annie AI)	Health Information, Conversations.	Explicit consent (Art. 9 GDPR)
System Security and Fraud Prevention	Mobile Devices and Techniques (IP, Logs).	Legitimate interest (Service security) and Legal obligation
Service Improvement (Analytics)	Usage and Analysis (anonymized/aggregated).	Legitimate interest (Development and continuous improvement)
Customer Support and Assistance	Communications/Support.	Performance of a contract or Legitimate interest

6. ARTIFICIAL INTELLIGENCE ASSISTANCE (ANNIE AI)

HOW DOES OUR AI ASSISTANT WORK?

When enabled, Annie AI processes the Health Information you authorize us to access, including biometric information from Third-Party Applications (HealthKit / Health Connect). Annie AI is a generative AI feature designed to help you understand and progress towards your wellness goals, provide educational guidance and integrate with the rest of your experience using our Services.

To provide this feature, we leverage third-party cloud hosting providers and AI technology from our large language model partners. Your Health Information will be transmitted to and processed by these third parties solely for the purpose of generating responses and advice.

Measures to protect your privacy:

- We share Health Information only in a format designed to minimize direct identifiability.

- The processing of sensitive information provided is based on your explicit consent (Art. 9 GDPR).

- We have executed a Data Processing Agreement (DPA) with the AI provider, including Standard Contractual Clauses (SCC), prohibiting the use of your conversations for training their models.

Conversation history retention:

We may retain the history of your conversations with Annie AI so that you can review past exchanges and so the feature can ensure continuity and context for future interactions. Certain data used to generate conversations, which may include biometric or other sensitive information, may be retained for up to thirty (30) days for debugging and quality assurance purposes, then deleted from our servers. After this period, only the conversation history itself remains available to you, unless you request its deletion.

To access your information or request its deletion, please contact us at dpo@deuswell.com.

⚠️ Important medical disclaimer:

Please note that Annie AI generates responses based on your inputs and your Health Information, and these responses may be inaccurate, incomplete or inconsistent. Annie AI does not provide medical advice and should never be used as a substitute for professional medical care, diagnosis or treatment. You should always consult a qualified physician or other licensed healthcare professional with any questions you may have regarding your health, medical condition or wellness decisions.

7. INFORMATION ON MINORS

INFORMATION ON MINORS UNDER FIFTEEN (15) YEARS OLD

Our Services are not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13.

Validity of consent: The user must be at least fifteen (15) years old to validly consent to the processing of their Data. For any minor under fifteen (15) years old, processing is only lawful if consent is given or authorized by the holder of parental authority.

Features related to sensitive health data, financial transactions and Annie AI are only available to users aged 18 or older.

Exercise of Rights: Any holder of parental authority can exercise the minor's rights by contacting the DPO.

If we learn that we have collected information from a child under 13, we will promptly delete it. If you believe that we have mistakenly collected information from a child under 13, please contact us at dpo@deuswell.com.

8. DISCLOSURE AND DATA TRANSFERS

TO WHOM ARE WE LIKELY TO DISCLOSE YOUR PERSONAL DATA?

With service providers. We share information with vendors and subcontractors who help us provide, maintain and improve the Services, such as cloud hosting providers (Google Firebase), technology partners, customer support providers and communication services. If you choose to enable Annie AI, we may also share certain Health Information with third-party AI technology providers to generate AI-based responses. When shared, Health Information is limited to what is reasonably necessary to provide the feature and, where possible, is anonymized.

With partners for research and development. We may share your information with third-party partners who help us develop and improve the Services. Information shared for this purpose will be anonymized and the third parties with whom we share this information will be subject to non-disclosure obligations.

With third parties at your request. We may share your information with third parties with your consent or at your request, or as part of a transaction you make through the Services.

As required by law. We may share your information with the relevant authorities if we believe that their disclosure is consistent with or required by any applicable law, including legal requests from public authorities to meet national security or law enforcement requirements.

In corporate transactions. In the event of financing, reorganization, merger or sale of the Company, we may transfer your personal information to the relevant third parties involved in the transaction. These recipients will be required to protect your information under a non-disclosure agreement or comparable confidentiality obligation.

For legal proceedings and protection. We may disclose your information to comply with any law, regulation, legal process, governmental request or when we believe in good faith that it is reasonably necessary to protect our rights, property or safety or those of others, in connection with claims or litigation, or to protect users from fraudulent, abusive or illegal use of our Services.

DATA PROCESSING AND TRANSFER OUTSIDE THE EUROPEAN UNION (EU/EEA)

If your data is transferred to third countries, such as the United States, we ensure that legal requirements in accordance with Art. 44 et seq. of the GDPR are met, in particular:

Guarantees: We generally use what are known as the EU Standard Contractual Clauses (SCC) that we conclude with the concerned provider. These contractual measures aim to ensure an adequate level of protection for your Data.

Impact Analysis (Post-CJEU): We proceed with an analysis of the risks and impacts on your rights and freedoms. This assessment, required after the so-called "Schrems II" ruling of the Court of Justice of the European Union (CJEU), allows us to guarantee that, even in case of transfer to a third country, your Data is processed in accordance with European standards.

Copy of Guarantees: A copy of these guarantees can be sent to you upon request to the DPO.

9. WE DO NOT SELL YOUR PERSONAL INFORMATION

We do not sell or rent your personal information. We only share your personal data with certain trusted service providers and partners so that we can provide and improve our Services and operate our business.

We do not use Health Information for advertising or marketing purposes.

10. COOKIES, TRACKERS AND SIMILAR TECHNOLOGIES

We use cookies and other trackers on our Website and in our Application.

Legal Basis: Cookies strictly necessary for the platform's technical functioning do not require your consent (Legitimate Interest). All other trackers (analytical, personalization) are subject to your prior and explicit consent (Article 6.1.a of the GDPR).

Management: You can manage your cookie preferences at any time via the consent banner on our Website or your Device settings for the mobile Application.

11. THIRD-PARTY LINKS AND SERVICES

Our Services may contain links or other content from the websites and services of our partners, vendors and other third parties (collectively, the "Third-Party Services"). We do not control the content or links that appear on these Third-Party Services and are not responsible for the practices employed by these Third-Party Services.

In addition, these Third-Party Services may have their own privacy policies and customer service policies. Your browsing and interaction on any of these Third-Party Services are subject to those Third-Party Services' own terms and policies.

Our Services may be provided or hosted on a third-party platform. Use by these third parties of any information you share is governed by the relevant third party's privacy policy.

12. YOUR CHOICES

WHAT CHOICES DO YOU HAVE ABOUT THE PROCESSING OF YOUR DATA?

You have certain choices about how we process your personal information:

Changes to personal information. You can review and request changes to your personal information by editing your profile directly in the Application or by contacting us at dpo@deuswell.com. We will make good faith efforts to make the requested changes as soon as possible.

Marketing communications. You can unsubscribe from promotional marketing communications by contacting us at hello@deuswell.com. We may still send you non-promotional communications, such as those about your account or our ongoing activity.

Annie AI. You can choose whether or not to enable and interact with Annie AI. We will only share your Health Information with our third-party cloud hosting providers / large language model partners if you enable and interact with the feature. If you no longer wish to use Annie AI, you can disable the feature entirely from the mobile Application by going to settings at any time. Please note, however, that any information you have previously shared with Annie AI may have already been transmitted and stored in these third-party systems, and disabling the feature may not delete or retract that past information.

Cookies. Most web browsers are set to accept cookies by default. You can usually configure your browser to remove or reject cookies. Please note that if you choose to reject, it could affect the availability and functionality of our Services.

Tracking technology. You can disable some or all of our tracking software by following your browser's instructions. On a mobile device, you can disable some or all of the tracking through your mobile device settings.

Not providing personal information. You can choose not to provide us with personal information. However, if you do not provide personal information, we may not be able to offer you all or part of our Services.

13. DATA RETENTION PERIOD

FOR HOW LONG DO WE RETAIN YOUR PERSONAL DATA?

We only retain your Data for the duration necessary to achieve the purposes, or to comply with our legal and regulatory obligations.

Data Category	Retention Period (Legal and practical justification)
Account Identification Data	Duration of service use + 3 years after inactivity.
Payment Data (Subscription ID)	Duration of the subscription + 13 months after termination. Legal archiving: 10 years (tax obligations).
Mobile Device Data and Logs (IP)	1 year from collection (Security and legal obligation).
Usage Data (Analytics)	13 months maximum (before full anonymization).
Health Information (on servers, if Annie AI enabled)	30 days maximum for AI processing data, then deletion. Conversation history remains available unless deletion is requested.
Annie AI Conversations	History retained as long as the account is active, unless deletion is requested by the user.

14. PROTECTION AND SECURITY OF YOUR DATA

HOW DOES DEUSWELL PROTECT YOUR INFORMATION?

We have taken technical and organizational measures to ensure that data protection regulations are respected by both us and external service providers.

We implement appropriate technical and organizational measures (Article 32 of the GDPR) to prevent unauthorized access, disclosure, modification, or destruction of your Data, including:

- Data encryption in transit (SSL/TLS) and at rest (AES-256).

- Strict access controls (Principle of Least Privilege).

- Password hashing (secure hashing algorithms).

- Use of SSL/TLS encryption on our Website to protect the transmission of confidential content.

- Logging and monitoring of access to sensitive data.

- Regular security testing and vulnerability audits.

However, we cannot guarantee the total security of your information. It is your responsibility to keep your login credentials confidential.

15. DATA BREACH MANAGEMENT

In accordance with Articles 33 and 34 of the GDPR, in the event of a Data breach, we commit to notifying the CNIL within 72 hours and communicating the breach to the concerned Users as soon as possible if the risk is high.

16. YOUR DATA PROTECTION RIGHTS

WHAT ARE YOUR RIGHTS?

You have the following rights, in accordance with Articles 15 to 22 of the GDPR:

GDPR Right	Detailed Action Description
Right of Access	Obtain confirmation that your Data is being processed, and receive an exhaustive copy.
Right to Rectification	Correction of inaccurate Data or completion of incomplete Data.
Right to Erasure	Obtain the erasure of your Data ("Right to be Forgotten"), subject to our legal retention obligations.
Right to Restriction of Processing	Request temporary suspension of your Data processing in certain specific cases.
Right to Object	Object to the processing of your Data, in particular for commercial prospecting purposes.
Right to Portability	Receive your Data in a structured format (machine-readable) and transfer them to another controller.
Right to Withdraw Consent	Withdraw your consent at any time, when the processing is based on this legal basis.

To exercise these rights, you must send your request to the DPO at the address: dpo@deuswell.com. A response will be provided to you within the legal period of one (1) month.

You have the right to exercise the choices described above without being subject to discriminatory treatment.

17. USE AND DELETION OF PERSONAL INFORMATION

You may request what personal information we have collected, used and disclosed about you and the identity of third parties to whom we have disclosed your personal information. You may also request the deletion of your personal information.

Please note that we cannot delete all of your information if: (1) we need it to perform a service as you have requested or to execute a contract we have with you; (2) we need that information to repair any errors in our Services or detect data security breaches; or (3) we need that information to protect ourselves against fraud or illegal activities or to comply with applicable law.

Please note that if we delete your personal information, we may not be able to provide you with the Services with the same features.

To make any request for personal information or deletion, please send an email to dpo@deuswell.com.

18. INFORMATION FOR RESIDENTS OF THE EUROPEAN ECONOMIC AREA

If you are a resident of the European Economic Area ("EEA"), you have certain rights and protections under applicable law regarding the processing of your personal information.

When we process your personal information as described in this Policy, we will only do so when we have a legal basis for doing so. The legal bases for processing include consent, contractual necessity and our legitimate interests (for example, our legitimate interest in providing the Services, responding to your requests or sending you communications).

In addition to the rights described in Section 16, you may also:

- Obtain a copy of any standard contractual clauses or other international data transfer agreements we may use to transfer your personal data outside of Europe.

- File a complaint with the supervisory authority of the relevant Member State. For contact details: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.

For more information or to submit a request, please send an email to dpo@deuswell.com.

19. RIGHT OF RECOURSE

Right to Lodge a Complaint: You have the right to lodge a complaint with the competent supervisory authority.

National Commission for Information Technology and Civil Liberties (CNIL)

3 Place de Fontenoy - TSA 80715

75334 Paris CEDEX 07

Tel: 01 53 73 22 22

20. MODIFICATION OF THIS POLICY AND CONTACT

MODIFICATION OF THIS POLICY:

We have the discretion to update this Policy at any time. We encourage you to frequently check this page for any changes. You acknowledge and agree that it is your responsibility to periodically review this Policy and become aware of modifications.

In case of substantial modification, you will be informed before it comes into effect. Subject to applicable law, your continued use of our Services will be deemed acceptance of our revised Policy.

HOW TO CONTACT DEUSWELL FOR ANY QUESTION REGARDING DATA PROTECTION?

For any question or comment on this Privacy Policy or on the management of your Personal Data, you can contact:

The Data Protection Officer (DPO): dpo@deuswell.com

General Email: hello@deuswell.com

By post to the following address:

Deuswell