Privacy Policy

Effective date: [EFFECTIVE DATE]

Your trust matters. This Privacy Policy explains what information Command Wellbeing collects, how we use and share it, and the choices you have. It applies to Command Wellbeing users in the United States, the European Economic Area, the United Kingdom, and Canada.

1. Scope of this Policy

This Privacy Policy describes how [COMPANY LEGAL NAME] (“Command Wellbeing,” “we,” “us,” or “our”) collects, uses, shares, and protects information when you use our website, mental health screeners, AI Peer Support coaching, inbox, library, and related services (the “Services”).

Important: Command Wellbeing is a consumer mental wellness platform built around anonymous accounts. We are not a HIPAA-covered entity or business associate, and the screening, assessment, and Peer Support information you provide is not treated as Protected Health Information under HIPAA. We nonetheless apply meaningful privacy and security practices to your information as described below.

By using the Services, you agree to this Policy. If you do not agree, please do not use the Services.

2. Information we collect

We collect the following categories of information:

a. Information you provide

  • Anonymous account information: a username and password of your choosing, a one-time recovery code we generate for you, an optional display name, and an optional language preference. We do not ask for or verify your real name, email address, or phone number.
  • Mental-health self-reported information: answers to validated screeners (PHQ-9, GAD-7, AUDIT, PCL-5, ACE, ASRS, MDQ, NODS, SCOFF, FTND, GSAQ, NM-ASSIST, OAS, PADIS, PQB, CBI, and others), the Quick Screen, the Full Assessment, and the contents of your AI Peer Support conversations.
  • Payment information (only if you buy a Peer Support top-up): billing details collected and processed by our payment processor (Stripe). Command Wellbeing does not store full card numbers.
  • Communications: messages you send us through the contact form.

b. Information collected automatically

  • Device and usage data: IP address, browser, operating system, device identifiers, pages and features used, and timestamps — used to operate and secure the Services.
  • Cookies and similar technologies: session cookies, preference cookies (such as your selected language), authentication cookies, and limited analytics. See Section 8 (Cookies) and Section 9 (DNT / Global Privacy Control).

c. Information from third parties

  • Payment processor (Stripe) for transaction status on any top-up purchase.

We do not use Google or other social sign-in providers, and we do not integrate with any laboratory, wearable, or advertising network.

3. How we use information

We use information to:

  • Provide, maintain, secure, and improve the Services, including generating screener scores and Peer Support responses;
  • Authenticate you and manage your anonymous account;
  • Process optional Peer Support top-up payments;
  • Monitor for safety signals (such as crisis-related language in Peer Support) and respond appropriately;
  • Detect, prevent, and respond to fraud, abuse, and security incidents;
  • Comply with legal obligations and enforce our Terms of Use.

AI processing. Peer Support messages are sent to our AI model provider (currently Anthropic, via the Claude API) on our behalf to generate responses. We instruct providers contractually not to use the content of your messages to train their public models. We do not sell Peer Support content.

Because we do not collect an email address, we do not send marketing or promotional email of any kind.

5. How we share information

We do not sell your personal information for monetary consideration, and we do not share Peer Support content for cross-context behavioral advertising. We share information only as described below:

  • Service providers (processors): hosting and infrastructure (Lovable Cloud / Supabase, Cloudflare Workers), payment processing (Stripe), and our AI model provider (Anthropic, for Peer Support) — bound by contract to protect your data and process it only on our instructions.
  • Legal and safety: to comply with law, lawful requests, court orders, or to protect the rights, safety, or property of Command Wellbeing, our users, or the public.
  • Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.

6. Data retention and member-controlled purge

We retain information for as long as your account is active and as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements.

You can purge your Peer Support history at any time from Account → Coaching privacy, choosing to delete messages only, everything, or anything older than a number of days you specify. When you delete your entire account, we will delete or de-identify your personal information within 30 days from our live systems, and from backups on their normal rotation, except where retention is required by law (for example, payment records) or necessary to defend against legal claims.

7. Security

We use technical and organizational safeguards designed to protect your information, including encryption in transit (TLS), access controls, role-based permissions, row-level security in our database, audit logging, and vendor due diligence. No method of transmission or storage is 100% secure, however, and we cannot guarantee absolute security. If we become aware of a breach affecting your personal information, we will notify affected members in-product and regulators where required by law.

8. Your privacy rights

Depending on where you live, you may have the right to:

  • Access the information we hold about you;
  • Correct inaccurate information;
  • Delete your account and information;
  • Restrict or object to certain processing;
  • Receive a portable copy of your information;
  • Opt out of targeted advertising, “sale” or “sharing” of personal information (we do not engage in these activities), and certain profiling;
  • Withdraw consent where processing is based on consent;
  • Lodge a complaint with your local data protection authority.

You can exercise most of these rights directly in-product from Account, which includes a data export and a delete-my-account control. For other requests, reach us through /contact. We will respond within the time required by applicable law and we will not discriminate against you for exercising your rights.

U.S. state-specific rights

Residents of California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah, and other states with comprehensive privacy laws have the rights listed above. We do not sell personal information or share it for cross-context behavioral advertising.

EU/UK (GDPR)

EU/UK users may contact us through /contact. The lead supervisory authority for your jurisdiction is also available to receive complaints.

9. Cookies and tracking

We use cookies and similar technologies to keep you signed in, remember your language and preferences, secure the Services, and understand usage in aggregate. Command Wellbeing uses a hard-block cookie consent approach: non-essential cookies and any analytics or advertising trackers are off by default and only load if you explicitly opt in through the cookie banner or Account → Cookie settings. We never load advertising pixels on screener, Peer Support, inbox, account, or other health-data pages, regardless of consent.

10. Do Not Track and Global Privacy Control

We currently do not respond to browser “Do Not Track” signals. We do honor recognized opt-out preference signals such as the Global Privacy Control (GPC) where required by applicable state law, treating them as an opt-out of “sale” or “sharing” of personal information.

11. International data transfers

Command Wellbeing operates from the United States, and our service providers may process your data in the U.S. or other countries that may have different data protection laws than your home country. Where required (for example, transfers from the EU/UK), we rely on lawful transfer mechanisms such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented with appropriate technical and organizational safeguards.

12. Children

The Services are not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, please contact us through /contact and we will take appropriate steps to delete it.

13. Consumer Health Data Rights (Washington, Nevada, Connecticut)

This section provides additional disclosures required by the Washington My Health My Data Act (RCW 19.373), the Nevada Consumer Health Data Privacy law (NRS 603A.400–.450), and the Connecticut Data Privacy Act (CTDPA) as amended for consumer health data. It supplements — and does not replace — the rest of this Policy.

Consumer health data we collect

When you use Command Wellbeing, we may collect the following categories of consumer health data that you choose to enter: self-reported mental and behavioral health screener responses (including PHQ-9, GAD-7, AUDIT, PCL-5 and other validated instruments), substance-use information, sleep, stress, mood, and the contents of your AI Peer Support conversations.

How we use it

We use this data only to (i) generate your personal screening results and assessment report, (ii) power your AI Peer Support coach, (iii) operate and secure your account, and (iv) deliver in-product communications you have requested. We do not sell consumer health data, and we do not share it with advertising networks, data brokers, or social media pixels.

Your rights

  • Right to know what consumer health data we hold about you.
  • Right to access and download your data — available in-product from your Account page as a JSON export.
  • Right to delete your consumer health data — available in-product via the Delete my account button on your Account page, which permanently removes your screener results, assessments, Peer Support history, action plans, and inbox messages from our live systems within 30 days, and from backups on their normal rotation. You can also surgically purge Peer Support history from Account → Coaching privacy.
  • Right to withdraw consent at any time by deleting your account.
  • Right to appeal a denied request by replying to our response.

To exercise any of these rights manually, reach us through /contact. We respond within 45 days. Washington residents may also file a complaint with the Washington Attorney General; the Act provides a private right of action.

No sale, no targeted advertising

We do not sell your consumer health data and do not use it for cross-context behavioral advertising. We honor recognized opt-out signals, including the Global Privacy Control (GPC), where applicable.

14. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will provide reasonable in-product notice before the changes take effect. The “Effective date” at the top of this page indicates when this Policy was last updated.

15. Contact us

For questions, concerns, or requests about this Policy or your information, reach us through /contact.

Questions? Contact us at [CONTACT EMAIL].
