Privacy Policy

Effective Date: 27 April 2026  ·  Last Updated: 27 April 2026

What changed in this version

This is a full rewrite of our previous Privacy Policy.

  • Identified the data controller as Establishment Dojo Tech (Saudi Arabia) and added registration details.
  • Added a dedicated section on the Saudi Personal Data Protection Law (PDPL) and SDAIA's role.
  • Listed every third-party service we share data with, what they receive, and why.
  • Clarified what we do not collect (no biometric data, no health-record sync, no third-party advertising).
  • Aligned account, subscription, and crash-reporting data flows with the actual platform (Apple/Google sign-in, Paddle, RevenueCat, Firebase Crashlytics, AWS).
  • Added explicit retention periods and breach-notification timelines.

The short version. We collect what we need to run DojoWell — your account, what you do in the app, and how it performs. We do not sell your personal data. We do not use it for third-party advertising. Your private journal entries and quiz responses are yours and stay private. You can export, correct, or delete your data at any time. We comply with Saudi PDPL, EU/UK GDPR, and California CCPA/CPRA.

Contents

  • Welcome
  • 1. About This Policy
  • 2. Data We Collect
  • 3. How We Use Your Data
  • 4. Who We Share Data With
  • 5. Cross-Border Transfers
  • 6. Data Security & Retention
  • 7. Your Rights
  • 8. Cookies & Tracking
  • 9. Children
  • 10. Regional Disclosures
  • 11. Changes to This Policy
  • 12. Contact & Complaints

Welcome

This Privacy Policy explains how Establishment Dojo Tech (operator of DojoWell — referred to as "DojoWell," "we," "us," and "our") collects, uses, shares, and protects your personal information when you use our website at dojowell.com, our mobile apps, and our related services.

We have written this Policy in plain language wherever possible. Each major section opens with a short summary of what it actually means. Where the legalese is unavoidable, the summary tells you the operative point first.

Your privacy matters. DojoWell is built around reflection, journaling, and habit-tracking — that is private content, and we treat it accordingly. We do not sell your personal data, we do not run third-party advertising on the platform, and we collect only what we need to run the service.

1. About This Policy

In short: This Policy applies to everyone using DojoWell. The "data controller" — the entity legally responsible for your data — is the Saudi entity Establishment Dojo Tech.

1.1 Who is the data controller

The data controller for the personal information described in this Policy is:

  • Establishment Dojo Tech — a sole-establishment registered in the Kingdom of Saudi Arabia.
  • Saudi Commercial Registration (CR): 7049724300
  • D&B D-U-N-S Number: 986461329
  • Registered Address: 13A Alshula, Dammam, Eastern Province, Kingdom of Saudi Arabia
  • Privacy contact: helpdesk@dojowell.com (subject: "Privacy")

1.2 What this Policy covers

This Policy applies to all personal information processed by DojoWell when you:

  • Visit our website at dojowell.com.
  • Create or use a DojoWell account.
  • Download or use the DojoWell mobile apps on iOS or Android.
  • Subscribe to a paid plan via Paddle (web), Apple App Store, or Google Play.
  • Contact our support team.
  • Subscribe to our newsletter or receive marketing communications.

1.3 Other policies that apply

This Policy is incorporated into our Terms & Conditions by reference. Our Refund Policy applies to payment-related matters. Where you buy a subscription, the privacy practices of the merchant of record (Paddle, Apple, or Google) also apply alongside ours.

1.4 Definitions

We use these terms throughout the Policy:

  • Personal data / personal information — any information that identifies you or could reasonably identify you, such as your email, name, IP address, device identifier, or in-app activity tied to your account.
  • Processing — any operation we perform on personal data: collecting, storing, using, sharing, or deleting it.
  • Data controller — the entity that decides why and how personal data is processed. For DojoWell, this is Establishment Dojo Tech.
  • Data processor — a third party that processes personal data on the controller's instructions (for example, AWS hosting our database).
  • De-identified / aggregated data — information from which identifying details have been removed so it can no longer be linked to you.
  • PDPL — Saudi Personal Data Protection Law (Royal Decree M/19, as amended).
  • GDPR / UK GDPR — the EU General Data Protection Regulation and the UK GDPR.
  • CCPA / CPRA — the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

2. Data We Collect

In short: We collect what you give us (account info, journal entries), what comes from your sign-in provider or payment processor, and what your device sends automatically (IP address, crash reports, usage events). We do not collect biometric data, browse outside DojoWell, or sync external health records.

2.1 Information you provide directly

  • Account data: name, email address, password (stored only as a salted hash), date of birth, country, language preference.
  • Profile data: profile photo (optional), display name, time-zone.
  • Journal & reflection content: habit-tracking entries, journal text, quiz answers (matrix-quiz and others), and any reflections you record. This content is private to your account.
  • Subscription data: plan, start date, renewal date, channel (web, iOS, Android). We do not see or store your full payment-card details — those go to Paddle, Apple, or Google.
  • Support communications: messages you send to helpdesk@dojowell.com, including any attachments.
  • Newsletter / marketing data: email address and preferences if you opt in.

2.2 Information from third parties

  • Sign-in providers: if you sign in with Apple or Google, we receive a limited identifier and (where you authorise it) your name and email. We do not receive your social-network contacts, photos, or anything beyond the basic identity payload.
  • Payment processors: Paddle, Apple, or Google tell us which subscription you bought, when it renews, and whether it is active — but not your card number, billing address, or full transaction details.
  • Subscription manager (RevenueCat): for mobile in-app purchases, RevenueCat relays subscription status events from Apple and Google to our backend.

2.3 Information collected automatically

  • Device & technical data: device model, OS version, app version, language, time-zone, IP address, approximate location derived from IP (city/country level).
  • Usage events: screens viewed, levels completed, sessions started, audio sessions played, in-app actions tied to a pseudonymous user ID (we do not log your private journal text into analytics).
  • Crash & stability data: crash reports, error logs, and performance metrics. We hash user IDs before sending crash reports so Crashlytics receives a non-identifiable token.
  • Cookies and similar technologies on the website: see Section 8.

2.4 What we do NOT collect

We want to be explicit about this:

  • We do not access or sync data from external health platforms (Apple Health, Google Fit, Samsung Health, etc.).
  • We do not collect biometric identifiers (fingerprint, face data). Where you use Face ID or Touch ID to unlock the app, that authentication happens entirely on your device — DojoWell never sees the biometric template.
  • We do not run third-party advertising trackers on the platform. We do not use ad-network SDKs.
  • We do not buy personal data from data brokers.
  • We do not record voice or video unless you explicitly send us a voice recording (e.g., a support attachment).

2.5 Aggregated and de-identified data

We may create aggregated or de-identified datasets from the personal data we collect — for example, "average number of habit completions per week across all users in country X." Once de-identified, this data is not personal information and we may use or share it for any lawful purpose, including improving the product or research about behavioural change.

3. How We Use Your Data

In short: We use your data to run the service you signed up for, fix problems, improve the product, and (with your consent) tell you about new things. We don't use your data to retarget you with ads.

3.1 To provide and operate DojoWell

We process your data to:

  • Create and manage your account.
  • Authenticate you (including via Apple or Google sign-in).
  • Save and display your habit progress, journal entries, and journey state.
  • Process subscriptions and renewals through Paddle, Apple, or Google.
  • Send service-essential notifications (account, billing, security, policy changes).
  • Provide customer support.

3.2 To personalise your experience

We use your in-app activity to personalise content recommendations, journey suggestions, and the next-step prompts within the 7-Levels Journey. This personalisation is based on aggregated patterns and your explicit progress markers — not on inferences about your identity, beliefs, or sensitive characteristics.

3.3 For analytics, research, and product improvement

We analyse usage data — typically in aggregated or pseudonymous form — to:

  • Understand which features users find valuable.
  • Identify bugs and stability issues.
  • Measure the impact of new features and content.
  • Conduct internal research on the Meaning-Density framework.

3.4 For marketing and communications (with consent)

If you have opted in (or where local law permits us to email existing customers), we may send newsletters, product updates, and offers. You can withdraw consent at any time using the unsubscribe link in any marketing email, your account settings, or by emailing us.

3.5 For legal, safety, and compliance reasons

We process data to:

  • Comply with applicable law, court orders, and regulatory requests.
  • Detect, investigate, and prevent fraud, abuse, or violations of our Terms.
  • Protect the rights, property, and safety of DojoWell, our users, and the public.
  • Establish, exercise, or defend legal claims.

3.6 Legal bases (GDPR / UK GDPR)

Where the EU/UK GDPR applies, we rely on the following lawful bases:

  • Contract: processing necessary to provide the service you have signed up for.
  • Consent: for marketing communications, optional analytics, and any sensitive-category processing.
  • Legitimate interests: for product improvement, fraud prevention, and security — balanced against your rights and freedoms.
  • Legal obligation: where we are required by law to retain or disclose data.

You can withdraw consent or object to processing based on legitimate interests at any time (Section 7).

4. Who We Share Data With

In short: Only with the third parties we need to run the service, only to the extent each one needs, and never for their own marketing. We do not sell your personal data. We do not share data for cross-context behavioural advertising.

4.1 Service providers we share data with

We share personal data with the following categories of service providers, each of whom is contractually bound to use the data only for the purposes we specify:

| Provider | Purpose | What they receive |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, database, storage, content delivery | All app and account data, encrypted in transit and at rest |
| Paddle.com Inc. | Web payment processing; merchant of record for web subscriptions | Email, billing details, transaction records (Paddle holds card data, not us) |
| Apple Inc. | iOS app distribution, Sign in with Apple, in-app subscriptions | Subscription identifiers and payment events |
| Google LLC | Android app distribution, Sign in with Google, in-app subscriptions | Subscription identifiers and payment events |
| RevenueCat, Inc. | Subscription state management for mobile | Pseudonymous user ID, subscription status, receipt validation |
| Firebase (Google) | Push notifications, basic analytics, app configuration | Pseudonymous user ID, device token, event metadata |
| Firebase Crashlytics | Crash reporting and stability | Hashed user ID, crash stack traces, device metadata |
| Email service provider | Transactional and marketing emails | Email address, send/open events |

4.2 Affiliates and successors

If we go through a corporate change — merger, acquisition, restructuring, or sale of all or part of the business — your personal data may be transferred to the surviving or acquiring entity. We will notify you in advance and your data will continue to be protected by this Policy (or a substantially similar policy) in line with applicable law.

4.3 Legal, regulatory, and safety disclosures

We may disclose personal data when required to do so by law, when responding to a valid legal process, when complying with a regulator's lawful request, or where we believe in good faith that disclosure is necessary to: (i) protect the rights, property, or safety of DojoWell, our users, or others; (ii) enforce our Terms; or (iii) prevent or investigate fraud, abuse, or technical attacks.

4.4 Aggregated and de-identified data

We may share aggregated or de-identified data with research partners, regulators, or the public — for example, anonymised statistics about loop completion or content engagement. Such data does not identify you.

4.5 We do not sell your personal data

DojoWell does not sell personal data, and does not share personal data for cross-context behavioural advertising, as those terms are defined in California's CCPA/CPRA or similar laws.

5. Cross-Border Transfers

In short: DojoWell is operated from Saudi Arabia and uses cloud infrastructure that may store or process data in the US, the EU, or elsewhere. We rely on legally recognised safeguards for those transfers.

Because DojoWell is operated from Saudi Arabia and depends on cloud infrastructure provided by international vendors, your personal data may be transferred to and processed in countries outside your country of residence — including the United States, the European Union, and other jurisdictions where our service providers operate.

Where such transfers are restricted by law, we rely on legally recognised safeguards. Examples include:

  • For Saudi PDPL: approved transfer mechanisms permitted under the PDPL implementing regulations issued by SDAIA, including adequacy assessments and contractual safeguards.
  • For EU/UK GDPR: Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement, and supplementary measures where required.
  • For other jurisdictions: the safeguards required by applicable local law.

You can request a summary of the safeguards in place for a specific transfer by emailing helpdesk@dojowell.com.

6. Data Security & Retention

In short: Encryption in transit and at rest, hardened infrastructure, no plaintext passwords, breach notification within statutory deadlines. We keep your data only as long as we need it.

6.1 Security measures

We use technical and organisational measures appropriate to the risk, including:

  • HTTPS/TLS in transit, AES encryption at rest for sensitive data.
  • Passwords stored only as salted hashes — we never see or store your plaintext password.
  • Access control: only authorised personnel can access production data, with audit logs.
  • Server-side enforcement of authentication tokens, session expiry, and rate limits.
  • For sensitive operations (such as profile-image upload), we use a server-side proxy with short-lived signed URLs rather than embedded credentials.
  • Regular security review of dependencies, third-party services, and code.

No system is perfectly secure. We cannot guarantee that data transmitted over the internet or stored on our systems will never be accessed by an unauthorised party. If you suspect a security issue with your account, please email helpdesk@dojowell.com immediately.

6.2 Data retention

We retain personal data only as long as we need it to deliver the service or to comply with legal obligations. Examples:

  • Account data: for the life of your account.
  • Journal & reflection content: for the life of your account, unless you delete specific entries earlier.
  • Subscription & billing records: for the period required by tax and accounting law (typically 5–10 years depending on jurisdiction; in Saudi Arabia, 10 years for VAT records).
  • Support correspondence: typically 2 years after the issue is resolved.
  • Crash and analytics events: typically 90 days at full detail, longer in aggregated form.
  • Marketing preferences: until you withdraw consent or for 3 years of inactivity, whichever is shorter.

When you delete your account, we delete or de-identify your personal data within a reasonable period (typically 30 days for most data, longer for backup retention cycles), except data we are required to keep by law.

6.3 Data breach notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify SDAIA (Saudi Data and AI Authority) without undue delay where the PDPL requires.
  • Notify the relevant EU/UK supervisory authority within 72 hours where the GDPR/UK GDPR requires.
  • Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

7. Your Rights

In short: You can access, correct, export, or delete your data. You can object to certain processing or withdraw consent. We will respond within statutory timeframes (typically 30 days).

7.1 Rights you have

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you.
  • Correct data that is inaccurate or incomplete.
  • Delete your account and associated personal data ("right to be forgotten"), subject to legal retention obligations.
  • Export your data in a portable, machine-readable format ("data portability").
  • Restrict or object to certain processing (for example, marketing or processing based on legitimate interests).
  • Withdraw consent at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Not be discriminated against for exercising your rights — we will not deny service, charge different prices, or provide a different level of service because you exercised a privacy right (subject to lawful exceptions).

7.2 How to exercise your rights

You can manage your data directly in the app:

  • Update your profile in Settings → Profile.
  • Update marketing preferences in Settings → Notifications.
  • Delete your account via Settings → Account → Delete Account.

Or email helpdesk@dojowell.com with the subject line "Privacy Request" and tell us which right you wish to exercise. We may need to verify your identity (for example, by confirming the email associated with your account) before fulfilling the request.

7.3 Response time

We will respond to verified requests within the timeframe required by applicable law — typically 30 days under PDPL and GDPR, extendable to 60 or 90 days for complex requests with notice. There is no charge for the first request in any 12-month period; we may charge a reasonable fee for clearly unfounded or excessive requests.

7.4 Right to complain

If you are not satisfied with how we have handled a privacy request, you have the right to lodge a complaint with your local data-protection authority. See Section 10 for region-specific contact details.

8. Cookies & Similar Technologies

In short: The website uses essential cookies and basic first-party analytics. We do not run third-party advertising cookies. You can disable non-essential cookies in your browser without breaking the site.

8.1 What we use

  • Essential cookies: required for the site to work (session, authentication, security tokens). These cannot be disabled without breaking the service.
  • Analytics: first-party analytics to understand site usage in aggregate.
  • Preferences: remember your language and locale.

8.2 What we don't use

We do not run third-party advertising cookies, retargeting pixels, or cross-site behavioural-advertising trackers on dojowell.com.

8.3 Mobile apps

Our mobile apps do not use cookies. Equivalent functions (session persistence, analytics) are handled via local storage and Firebase SDKs as described in Section 4.1.

8.4 Your choices

Most browsers let you block or delete cookies. Doing so may affect the functionality of the website. You can also use browser-level tracking-protection features, "Do Not Track" signals, and Global Privacy Control (GPC) — we honour GPC where required by law.

9. Children

In short: DojoWell is for users 13 and older. Under 13, please don't use it. Under the age of legal majority (typically 18), use it only with parental permission.

DojoWell is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If we learn that a user is under 13, we will delete the account and the associated personal data without delay.

If you are between 13 and the age of legal majority in your country (typically 18), you may use DojoWell only with the consent and supervision of a parent or legal guardian. By using DojoWell, you confirm that this consent has been given.

Parents or guardians who believe their child under 13 has provided personal information to DojoWell can email helpdesk@dojowell.com (subject: "Child privacy") and we will delete the data promptly.

10. Regional Disclosures

In short: The privacy laws in your region may give you specific rights. This section describes those rights and how to exercise them in Saudi Arabia, the EU/UK, and California.

10.1 Saudi Arabia (PDPL)

If you are a resident of the Kingdom of Saudi Arabia, the Personal Data Protection Law (Royal Decree M/19, as amended) and its implementing regulations issued by the Saudi Data and AI Authority (SDAIA) apply to our processing of your personal data.

You have the rights described in Section 7 of this Policy. In addition, you have the right to lodge a complaint with SDAIA if you believe we have processed your personal data unlawfully.

Our data controller and primary point of contact for PDPL matters is Establishment Dojo Tech (see Section 1.1). Contact us at helpdesk@dojowell.com (subject: "PDPL request").

10.2 European Economic Area, United Kingdom, and Switzerland

If you are a resident of the EEA, the UK, or Switzerland, the EU GDPR, UK GDPR, and Swiss Federal Data Protection Act apply.

You have the rights described in Section 7. You also have:

  • The right to lodge a complaint with your local supervisory authority (a list of EU authorities is at edpb.europa.eu/members; for the UK, see ico.org.uk).
  • The right to information about the legal bases we rely on (Section 3.6).
  • The right to information about international transfers and the safeguards we use (Section 5).

10.3 California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you specific rights regarding your personal information:

  • The right to know what personal information we collect, use, and disclose.
  • The right to delete personal information.
  • The right to correct inaccurate personal information.
  • The right to opt out of the sale or sharing of personal information.
  • The right to limit the use of sensitive personal information.
  • The right to non-discrimination for exercising your rights.

As stated in Section 4.5, DojoWell does not sell personal information and does not share personal information for cross-context behavioural advertising as those terms are defined in the CCPA/CPRA. We honour Global Privacy Control (GPC) signals as a "do not sell or share" preference.

To exercise your California privacy rights, email helpdesk@dojowell.com with subject "California Privacy Request."

10.4 Other jurisdictions

If your country or state has a comprehensive privacy law (for example, Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, or US state privacy laws like Virginia's VCDPA, Colorado's CPA, or others), the rights described in Section 7 of this Policy generally cover the rights granted by those laws. Contact us at helpdesk@dojowell.com to exercise any specific right we have not enumerated here.

11. Changes to This Policy

In short: We update this Policy occasionally. For material changes, we give 30 days' notice.

We may update this Privacy Policy from time to time to reflect changes in the service, in our practices, or in applicable law. When we make material changes, we will:

  • Update the "Effective Date" and "Last Updated" at the top.
  • Send notice to your registered email address and/or post a notice in the app at least 30 days before the changes take effect, where the change is material.

For non-material changes (clarifications, typo fixes), we may update the Policy without prior notice. The "Last Updated" date at the top of this page tells you when the Policy was last revised.

Your continued use of DojoWell after the Effective Date of a revised Policy means you accept the revised Policy. If you do not accept it, you must stop using DojoWell and may delete your account.

12. Contact & Complaints

Establishment Dojo Tech

Mailing & Registered Address: 13A Alshula, Dammam, Eastern Province, Kingdom of Saudi Arabia

Saudi Commercial Registration (CR): 7049724300

D&B D-U-N-S Number: 986461329

Privacy & data-protection inquiries: helpdesk@dojowell.com (subject: "Privacy")

PDPL requests (Saudi Arabia): helpdesk@dojowell.com (subject: "PDPL request")

GDPR / UK GDPR requests: helpdesk@dojowell.com (subject: "GDPR request")

California CCPA / CPRA requests: helpdesk@dojowell.com (subject: "California Privacy Request")

Child-privacy concerns: helpdesk@dojowell.com (subject: "Child privacy")

Response time: within 30 days for verified requests; faster for security and child-privacy issues.

— Establishment Dojo Tech, Dammam, Kingdom of Saudi Arabia
