PRIVACY POLICY

Last Updated: 21 May 2025

  1. Introduction

Welcome to Wist (“the App”), provided by Syft Health Ltd (“we,” “us,” or “our”). We are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application.

This policy outlines our practices concerning data collection, use, and sharing, and informs you of your privacy rights under applicable data protection laws, including the General Data Protection Regulation (GDPR) in the UK and EU, and applicable US state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Please read this policy carefully. By using the App, you acknowledge you have read and understood this Privacy Policy.

Controller Information:
For the purpose of the UK and EU GDPR, the data controller is Syft Health Ltd of 27 Mortimer Street, London, England, W1T 3BL. You can contact us regarding privacy matters at privacy@wist.life.

  2. Information We Collect

Based on your interaction with the App, we collect the following types of information:

  • Information You Provide Directly:
    • Account Information (Required): When you create an account using email/password or federated login (Google/Apple), we collect your Email address and assign internal User IDs.
    • Onboarding Suitability Information (Required):
      • During our onboarding process, to help ensure Wist is a suitable tool for you, we require you to answer a question regarding your current eating disorder status (Yes/No). Your answer to this question is used solely to determine your eligibility to proceed with using the App. If you indicate a current active diagnosis of an eating disorder, you will not be able to complete onboarding at this time. If you indicate no such diagnosis, you may proceed. This specific piece of information is used only for this one-time suitability check at onboarding and is not stored against your user profile or used for any other purpose.
    • Profile & Fitness Information (Optional):
      • To enhance your experience and enable personalised features within the App, such as calculating more accurate Recommended Daily Allowances (RDAs), tracking progress towards fitness goals, and receiving tailored nutritional insights, we invite you to provide certain profile information. This may include your: first name, age, sex, gender, height, weight, target weight, dietary requirements, and your primary and secondary health goals.
      • Providing this information is entirely optional. You can choose to skip inputting any or all of these details during onboarding or leave the fields blank in your profile settings.
      • If You Provide This Data: We use the information you choose to share to enable and refine the personalised features mentioned above, providing you with more relevant calculations and insights.
      • If You Skip This Data: The core functionality of logging meals and general food information will still be available. However, features that rely on personal metrics for accurate calculation or personalisation (like specific RDA targets based on your body composition, or detailed progress tracking towards a weight goal) will either be unavailable, operate using generic estimations, or provide less accurate results. Your overall experience will be less personalised.
    • Meal/Prompt Information (Required for Core Functionality): We collect “Other in-app messages”, which includes the meal names or food items you input for nutritional analysis (“In-app search history”) and any text prompts you provide for conversational AI features.
    • Photos (Optional): You may choose to upload Photos to enable specific features, such as obtaining nutritional analysis from food images or providing visual context for conversational AI interactions. Providing photos is optional and only required if you wish to use these specific features.

 

  • Information Collected Automatically:
    • App Interactions (Required): We collect information about how you interact with the App, such as features used, buttons clicked, achievements earned, and session identifiers (like connection IDs or push tokens necessary for notifications), to provide app functionality, security, developer communications, and personalization.
    • Purchase History (Required): When you subscribe (including initiating a free trial that converts), we receive Purchase history information from the platform provider (Google Play/App Store), such as subscription status, transaction identifiers, and renewal dates, to manage your access to premium features. We do not directly collect or store your payment card details.

 

  • Data We Do NOT Collect: We do not actively collect data categories such as Last Name, Precise Location, Web browsing history, Contacts, Calendar events, SMS/MMS, Device hardware IDs, or Files and Docs unless explicitly stated otherwise for a future feature requiring separate consent.

  3. How We Use Your Information and Legal Basis for Processing

We use your information for the following purposes, relying on specific legal bases under GDPR:

| Data Type(s) | Purpose(s) | Legal Basis (GDPR) |
| --- | --- | --- |
| Email address, User IDs | Account Management: Create, manage, secure your account, enable login. | Performance of a Contract |
| Email address, App Interactions (e.g., Push Tokens) | Developer Communications: Send important account/service updates, security alerts, feature information, or notifications related to app activity. | Performance of a Contract / Legitimate Interest |
| Eating Disorder Status (Yes/No) | App Functionality (Onboarding Gatekeeping and Safety): To determine immediate suitability for using the App’s core features based on your response during the onboarding process. | Legitimate interest (to ensure the app is used appropriately and to avoid providing a service that may not be suitable or could be potentially harmful to certain individuals). Your “No” response acts as the basis for proceeding. |
| User IDs, App Interactions (inc. session IDs) | App Functionality: Link your data to your account, enable core features, manage user sessions, ensure app stability. | Performance of a Contract / Legitimate Interest |
| User IDs | Analytics: Understand app usage patterns to improve functionality (using internal or pseudonymized IDs). | Legitimate Interest |
| Age, Sex, Height, Weight, Target Weight, Dietary Requirements, Gender (Optional) | Personalization: Customize your experience, tailor feedback, and enable specific features like personalized Recommended Daily Allowances (RDAs) or progress tracking if you choose to provide this data. | Consent |
| Other in-app messages (meal names/prompts), Photos (optional) | App Functionality: Process user inputs (text/optional images) via AI models to provide nutritional analysis or generate conversational responses. | Performance of a Contract (for core feature use); Consent (for optional photo use) |
| Purchase History | App Functionality: Grant access to subscribed features. | Performance of a Contract |
| Purchase History | Account Management: Link subscription status to your account. | Performance of a Contract |
| Purchase History | Fraud prevention, security and compliance: Verify transactions, comply with financial regulations. | Legal Obligation / Legitimate Interest |
| App interactions, In-app search history | Personalization: Understand preferences to potentially improve future recommendations or features. | Legitimate Interest / Consent |

Note on AI Processing: Core features of the App rely on processing your inputs (meal names, text prompts, and optionally uploaded photos) using Artificial Intelligence (AI) / Large Language Models (LLMs). We utilize third-party AI service providers accessed either directly or through our cloud infrastructure providers. These providers act as our service providers (processors or sub-processors) to generate the nutritional analysis or conversational responses you request. They process your input data solely on our behalf and according to contractual agreements designed to protect your data’s confidentiality and security.

  4. Data Sharing and Disclosure

We do not sell your personal information (as defined under CCPA/CPRA and other applicable state laws). We do not share your personal information with third parties for their own independent marketing purposes (sometimes referred to as “cross-context behavioral advertising” under certain laws). We may disclose your information in the following limited circumstances:

  • Service Providers: We share information with third-party vendors and service providers who perform services for us or on our behalf and require access to such information to do that work. Examples include:
    • Amazon Web Services (AWS): For cloud hosting, database storage, compute functions, and related infrastructure services. AWS processes data according to our instructions and their customer agreements.
    • AI/LLM Service Providers: User inputs such as text prompts (“Other in-app messages”) and optionally uploaded images (“Photos”) are processed by third-party providers of artificial intelligence models to generate requested responses. These providers act as processors/sub-processors under contractual terms with us and/or our infrastructure providers.
    • Authentication Providers: Google and Apple, if you choose to use their services for federated login.
    • Payment Processors: Google Play and Apple App Store handle subscription payments directly.
      These providers are contractually obligated to protect your data and use it only for the services we request.
    • RevenueCat: Our subscription management provider, used to manage your subscriptions, validate receipts with platform providers (Google Play/App Store), and provide us with your subscription status and purchase history. RevenueCat processes data according to our instructions and their own privacy policy and terms.

 

  • Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).
  • Protection of Rights: We may disclose information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person, or as evidence in litigation.
  • Business Transfers: In connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company, your information may be transferred.

  5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, and providing you with the App’s services while your account is active.

When you request account deletion via wist.life/support or by contacting us, we will process the deletion of your account and associated personal data in accordance with applicable law and our internal procedures, subject to any legal obligations requiring longer retention. Data provided optionally (Age, Sex, Height, Weight, Target Weight, Gender, or Photos) may be deleted sooner if you remove it via app settings where applicable.

  6. Data Security

We implement technical and organizational measures to protect the security of your personal information. This includes:

  • Encrypting all user data collected by the app in transit using protocols like TLS/SSL.
  • Using reputable cloud infrastructure providers.
  • Implementing access controls within our systems.

However, please be aware that no security measures are perfect or impenetrable. While we strive to protect your personal information, we cannot guarantee its absolute security against interception or misuse.

  7. Your Data Protection Rights (UK, EU, and U.S. States)

Depending on your location and applicable law, you may have the following rights regarding your personal data:

  • Rights under UK and EU GDPR:
    • Right to Access: Request copies of your personal data.
    • Right to Rectification: Request correction of inaccurate personal data.
    • Right to Erasure (Deletion): Request deletion of your personal data (“right to be forgotten”).
    • Right to Restrict Processing: Request restriction of the processing of your personal data.
    • Right to Object to Processing: Object to our processing of your personal data where we rely on legitimate interests.
    • Right to Data Portability: Request transfer of the data we have collected to another organization, or directly to you.
    • Right to Withdraw Consent: Where we rely on consent for processing (e.g., for optional data you choose to provide like Age, Sex, Height, Weight, Target Weight, Gender, or Photos), you have the right to withdraw that consent at any time.
    • Right to Lodge a Complaint: You have the right to lodge a complaint with a relevant supervisory authority (like the Information Commissioner’s Office (ICO) in the UK or your local EU data protection authority).
  • Rights under U.S. State Privacy Laws:
    • Depending on your state of residence, you may have additional rights. For example, residents of California (under the CCPA/CPRA) have specific rights including the right to know what personal information is collected, used, disclosed, and sold/shared; the right to delete personal information; the right to correct inaccurate personal information; and the right to opt-out of the “sale” or “sharing” of personal information (note: we do not “sell” or “share” your personal information as defined by CCPA/CPRA). California residents also have the right to limit the use and disclosure of sensitive personal information (SPI). We recognize that certain optional profile information you may choose to provide — such as age, sex, height, weight, or dietary requirements — can be considered SPI under CCPA/CPRA. If you choose to provide this optional SPI, we limit its use and disclosure solely to providing the specific personalized features you have requested and enabled within the App (such as calculating personalized RDAs or tracking fitness goals) and for no other purpose.
    • Other states such as Virginia, Colorado, Connecticut, and Utah have also enacted comprehensive privacy laws granting their residents similar rights, including rights to access, correct, delete, obtain a copy of personal data, and opt-out of processing for targeted advertising, sale of personal data, or certain profiling.
    • As privacy laws evolve, residents of additional states may gain comparable rights.
    • You have the right not to receive discriminatory treatment for exercising your applicable privacy rights under state law.

Exercising Your Rights:
To exercise your right to request deletion of your account and associated data, please use the link: wist.life/support
For other requests regarding your rights under GDPR, CCPA/CPRA, or other applicable laws, or if you have questions about which rights apply to you based on your location, please contact us at: privacy@wist.life.
We will respond to verifiable requests in accordance with applicable law. We may need to verify your identity before processing your request.

  8. Children’s Privacy

The App is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under this age. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly.

  9. International Data Transfers

Your information, including personal data, may be transferred to, stored, and processed by us and our third-party service providers (as listed in Section 4) in countries outside of your country of residence, including the United States, where data protection laws may differ from those in your jurisdiction. We rely on appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission/UK authorities or adequacy decisions, where applicable, for transfers of personal data from the UK/EU to third countries like the United States. By using the App, you understand that your information may be transferred to our facilities and those third parties with whom we share it as described in this Privacy Policy.

  10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by a “Last Updated” date. We encourage you to review this policy periodically to stay informed about how we are protecting your information. Significant changes may be communicated through the App or via email.

  11. Contact Us

If you have any questions, comments, or concerns about this Privacy Policy or our data practices, please contact us at:

Syft Health Ltd.
privacy@wist.life
27 Mortimer Street,
London,
England,
W1T 3BL