Weft ← Back

Legal

Privacy Policy

Effective: May 3, 2026

Overview

Weft is a check-in and self-reflection app. You share personal data — mood, energy, stress, anxiety, written reflections, and life context — because that data is the product. This policy explains exactly what we collect, why, where it goes, and what rights you have over it.

Weft is operated by David Spedding ("we", "us"). Questions can be directed to privacy@myweft.app.

Scope

This policy covers the Weft mobile application and the website at myweft.app. By using either, you agree to the terms below.

What We Collect

Account and profile data:

• First name, last name, email address
• Phone number — used to match connections in the social layer and to enable contact photo display from your device address book
• Pronouns (optional)
• Authentication identifiers via Google OAuth or Apple Sign-In

Check-in and reflection data:

• Slider scores: Mood, Energy, Stress, Anxiety (1–5 scale)
• Custom metric scores and labels (if enabled)
• Responses to clarifying questions generated by the app
• Open-text reflections you write in response to prompts
• Timestamps of all check-ins

Life context data:

• Big Five personality scores (set by you, editable)
• Life context tags and free-text enrichment (e.g. "on parental leave", "training for a marathon")

Social layer data (Threads):

• Connection relationships with other users (mutually consented)
• Notes sent and received between connections
• Hearts given and received
• Composite thread color shared with connections — this is a single derived value, not your underlying scores

Technical data:

• Push notification tokens (for delivery of notifications you have enabled)
• Server-side request and error logs retained by our infrastructure provider for security and reliability

What We Do Not Collect

• We do not collect precise location data
• We do not read your device contacts. Phone number matching for contact photo display happens entirely on your device — no contact data is transmitted to our servers
• We do not collect HealthKit data in the current version of the app
• We do not sell, rent, or share your personal data with third parties for their marketing purposes
• We do not serve advertising, and we do not work with advertising networks
• We do not use your data to train AI models

How We Use Your Data

• To generate observations, clarifying questions, and reflections personalized to your history and life context
• To display your check-in history, patterns, and weekly summaries to you
• To power the Threads social layer — showing your connections a single composite color derived from your scores, never the scores themselves
• To send push notifications you have enabled
• To respond to support requests you initiate
• To comply with legal obligations

We do not read individual users' check-in or reflection content except when required to investigate a specific support request you initiate, in response to a verified legal request, or to address a security incident.

Third-Party Services

We use the following service providers to operate Weft. Each is bound by their own privacy policy and applicable data processing terms:

• Supabase — hosts our database, authentication, and server functions. Stores all check-in data, reflections, life context, and account data. Supabase privacy policy
• Anthropic — processes check-in data and life context to generate questions and reflections via the Claude API. Anthropic does not retain inputs for model training under the API's terms. We do not transmit your name, email, or phone number to Anthropic. Anthropic privacy policy
• Apple — handles app distribution, in-app authentication via Sign in with Apple, and push notification delivery via APNs. Apple privacy policy
• Google — provides authentication via Google Sign-In if you choose that method. Google privacy policy
• Expo — provides build infrastructure and push notification routing. Expo privacy policy
• Netlify — hosts the myweft.app website. Netlify privacy policy

International Data Transfers

Our service providers are based in the United States. If you access Weft from outside the United States, your data will be transferred to and processed in the United States. We rely on standard contractual clauses and the relevant providers' compliance frameworks where applicable.

Data Storage and Security

Data is stored on Supabase, encrypted at rest and in transit. Row-level security policies enforce that users can only access their own data. The social layer exposes only the composite thread color to your connections — never raw scores, reflection text, or notes content beyond what is explicitly sent.

We use industry-standard practices to protect your data, but no system can be guaranteed fully secure. If we become aware of a breach affecting your personal data, we will notify affected users without undue delay and as required by applicable law.

Data Retention

Your data is retained for as long as your account is active. To request deletion of your account and all associated personal data, contact us at privacy@myweft.app. We will process deletion requests within a reasonable timeframe and confirm completion by email. Data may persist in encrypted database backups for up to 90 days following deletion before being permanently purged. Anonymized or aggregated data that cannot reasonably be linked back to you may be retained indefinitely.

Your Rights

Regardless of where you are located, you have the following rights with respect to your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Update your profile, life context, and personality data directly in the app, or contact us for help
• Deletion: Request deletion of your account and personal data by emailing privacy@myweft.app
• Portability: Request an export of your check-in history in a machine-readable format
• Withdraw consent: Withdraw consent for any processing based on consent (e.g. push notifications) at any time

To exercise any of these rights, email privacy@myweft.app from the address associated with your account. We may need to verify your identity before fulfilling certain requests.

California Residents (CCPA/CPRA)

California residents have the rights described above plus the right to know what categories of personal information we collect, the right to non-discrimination for exercising privacy rights, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information as defined under the CCPA.

EU and UK Residents (GDPR/UK GDPR)

If you are in the European Economic Area or the United Kingdom, our legal basis for processing your personal data is:

• Performance of a contract — to provide the Weft service you have signed up for, including check-in storage, reflection generation, and the social layer
• Consent — for push notifications and any optional features you opt into. You can withdraw consent at any time
• Legitimate interests — to maintain security, prevent abuse, and improve the reliability of the service
• Legal obligation — where required to comply with applicable law

You have the right to lodge a complaint with your local supervisory authority.

AI Processing

Weft uses Anthropic's Claude API to generate observations, clarifying questions, and reflections. Your check-in scores, reflection text, and life context are transmitted to Anthropic's API for the purpose of generating these responses. Under Anthropic's API terms, inputs are not used to train their models. We do not transmit your name, email address, or phone number to Anthropic.

Cookies and Website Analytics

The myweft.app website uses minimal first-party cookies necessary for basic functionality. We do not use third-party analytics, advertising trackers, or behavioral tracking on the website. Hosting infrastructure may collect standard server logs (IP addresses, request timestamps) for security and reliability purposes.

Children

Weft is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal information, contact us at privacy@myweft.app and we will delete it promptly.

Changes to This Policy

We will update this policy as the product evolves. Material changes will be communicated via in-app notice and via email to active users where practical. The effective date at the top of this page reflects the most recent revision. Previous versions are available on request.