Privacy Policy
Effective date: 7 July 2026
This Privacy Policy applies to the Tidewell mobile application (available on iOS and Android) and the Tidewell website at tidewellapp.com (collectively, the "Service"). It explains what information we collect, why we collect it, how we use and protect it, and what rights you have.
Tidewell is operated by Tara Cloud Retail, doing business as Black Belt Code Labs, owned by Rahul Bhattacharya ("we", "us", "our"). We are the data controller for all personal data processed through the Service.
1. Information We Collect
Information you provide directly
When you use Tidewell, you choose to provide:
- Account credentials (email address and password, if you create an account)
- Injection logs — date, dose, medication name, and injection site
- Daily check-in responses — mood, energy levels, hunger, nausea, and other side-effect ratings
- Body weight and measurement entries
- Personal journal notes and milestone entries (Private Journey Record, if you use that feature)
- Any information you include when contacting our support team
Health and wellness data
The health and wellness data you log directly within Tidewell — medication records, symptom scores, weight entries — constitutes special category health data under GDPR and equivalent laws. We process this data on the legal basis of your explicit consent, which you provide when you create an account and begin logging. You may withdraw consent at any time by deleting your account.
Apple Health (HealthKit) — iOS only
With your explicit permission, Tidewell may read health data from Apple Health (HealthKit), which may include steps, active energy, sleep data, and heart rate. This integration is entirely optional. HealthKit data is used only to provide contextual display within your Tidewell experience.
- HealthKit data is never uploaded to Tidewell's servers. It is read and processed locally on your device only.
- HealthKit data is never used for advertising, sold, or shared with any third party for any commercial purpose. This is an Apple requirement we strictly observe.
- You can revoke Tidewell's access to Apple Health at any time via Settings > Privacy & Security > Health > Tidewell on your iPhone.
Android Health Connect — Android only
On Android, Tidewell may request access to Android Health Connect to read health data such as steps, sleep, and heart rate. The same principles apply: Health Connect data is processed locally on your device, never uploaded to our servers, never used for advertising, and never shared with third parties. You can revoke access via Settings > Apps > Health Connect > App permissions > Tidewell.
Device and technical information
To operate and improve the Service, we automatically collect:
- Device type, model, and operating system version
- App version and installation identifier
- General app usage patterns and feature interactions (anonymised — not linked to your identity)
- Crash reports and diagnostic error logs
- IP address (used for security and fraud prevention; not used to build advertising profiles)
We do not use Apple's Advertising Identifier (IDFA) or Google's Advertising ID (GAID) for advertising purposes. We request App Tracking Transparency permission on iOS only if we adopt advertising-based tracking in the future — which we do not do today.
Permissions requested on your device
Depending on your device and the features you use, Tidewell may request the following permissions:
- Notifications — to send you optional reminders (injection reminders, check-in prompts). You can manage or disable these in your device Settings at any time.
- Apple Health / Health Connect — as described above. Optional.
- Camera or Photo Library — only if you choose to add a profile photo or attach an image to a log entry. We do not access your camera or photos without your action.
We do not request access to your contacts, location, microphone, or any other sensor not listed here.
2. How We Use Your Information
We use the information we collect to:
- Create and manage your Tidewell account
- Deliver core app features — check-in tracking, medication logs, pattern insights, and doctor visit briefings
- Display your trends, patterns, and history across sessions and devices
- Sync your data securely across your devices (where you are signed in)
- Send you push notifications you have opted into (reminders, check-in prompts)
- Respond to support requests and resolve issues
- Send important notices about the Service — such as policy updates or security alerts (not marketing emails without your consent)
- Improve app features, diagnose bugs, and fix crashes using anonymised analytics
- Comply with legal obligations
We do not use your personal data to build advertising profiles, serve targeted advertisements, or train third-party AI or machine learning models.
3. Data Storage and Security
Your Tidewell account data — including your health logs and check-in history — is stored securely using Supabase, a cloud database platform. Supabase encrypts all data at rest (AES-256) and in transit (TLS 1.2+). Supabase infrastructure is hosted on AWS and operates in accordance with relevant security and data protection standards.
We apply appropriate technical and organisational measures to protect your data against unauthorised access, loss, or misuse — including access controls, encrypted connections, and periodic security reviews.
Apple HealthKit and Android Health Connect data is processed locally on your device and is never stored on Tidewell's servers.
No method of transmission or storage over the internet is completely secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security.
4. Third-Party Services
Tidewell uses a small number of trusted third-party services to operate:
- Supabase — cloud database and authentication. Supabase processes your account data as a data processor on our behalf. Supabase Privacy Policy.
- Apple App Store — app distribution and in-app subscription billing for iOS users. Apple Privacy Policy.
- Google Play Store — app distribution and in-app subscription billing for Android users. Google Privacy Policy.
- Crash and diagnostics reporting — we may use a third-party crash reporting service to receive anonymised error reports. These reports do not include identifiable health data.
We do not use Facebook SDKs, Google Analytics, or any advertising SDKs.
5. Data We Do Not Sell or Share
We do not sell, rent, trade, or otherwise disclose your personal data to any third party for their independent marketing or commercial purposes.
We do not share identifiable personal data with:
- Advertising networks or ad-tech companies
- Data brokers or data aggregators
- Social media platforms for targeting or retargeting purposes
- Insurance companies, employers, or any organisation that could use it adversely
We may disclose information if required by law, regulation, legal process, or governmental request — and only to the extent strictly required. We will make reasonable efforts to notify you unless prohibited.
6. Push Notifications
Tidewell may send push notifications to your device for purposes such as injection reminders, check-in prompts, and important service updates. You will be asked for permission before we send any notifications.
You can opt out of push notifications at any time:
- iOS: Settings > Notifications > Tidewell
- Android: Settings > Apps > Tidewell > Notifications
Disabling notifications does not affect your ability to use the app.
7. Subscriptions and Payments
Tidewell Plus subscriptions are managed and billed exclusively by Apple (via the App Store) or Google (via Google Play). We do not collect, process, or store your payment card information at any point.
Subscription purchases, renewals, and refunds are governed by Apple's or Google's respective terms and privacy policies. To manage or cancel your subscription:
- iOS: Settings > [Your Name] > Subscriptions > Tidewell
- Android: Google Play app > Subscriptions > Tidewell
8. Account Deletion
You have the right to delete your Tidewell account and all associated personal data at any time. You can request account deletion:
- In-app: via Settings > Account > Delete Account within the Tidewell app
- By email: contact us at support@blackbeltcodelabs.com with the subject line "Account Deletion Request"
We will permanently delete your account and all associated health data within 30 days of receiving your request. Anonymised, non-identifiable aggregated data may be retained. Deletion requests submitted through the app are processed immediately for account access revocation, with full data purge completed within 30 days.
9. Data Retention
We retain your personal data for as long as your account remains active. If you delete your account, we will delete your personal data within 30 days as described above.
We may retain certain information for a limited period where required by applicable law (for example, transaction records for tax compliance), or where it is necessary to resolve a dispute or enforce our agreements.
10. Your Rights
Rights for all users
Regardless of your location, you may:
- Request access to the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request deletion of your account and data
- Opt out of push notifications at any time via your device settings
- Revoke Apple Health or Health Connect permissions at any time via your device settings
Rights under GDPR and UK GDPR (EU and UK residents)
If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR:
- Right of access — obtain a copy of the personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your personal data ("right to be forgotten")
- Right to restriction — ask us to pause processing your data in certain circumstances
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing
Our lawful bases for processing are: consent (for health and wellness data, and for marketing communications); contract (to provide the Service you have signed up for); and legitimate interests (for security, fraud prevention, and anonymised analytics — balanced against your rights).
You have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, contact the supervisory authority in your member state.
Rights under CCPA / CPRA (California residents)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to know — what personal information we collect, use, and disclose
- Right to delete — request deletion of your personal information
- Right to correct — request correction of inaccurate personal information
- Right to opt out of sale or sharing — we do not sell or share your personal information, so this right is already satisfied. You may still submit a request to confirm.
- Right to non-discrimination — we will not treat you differently for exercising any of these rights
To exercise your California rights, contact us at support@blackbeltcodelabs.com. We will respond within 45 days.
11. Children's Privacy
Tidewell is not directed to children. You must be at least 13 years of age (or 16 in certain EU/EEA jurisdictions) to use the Service. We do not knowingly collect personal information from anyone under these age thresholds.
If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at support@blackbeltcodelabs.com and we will delete that information promptly.
12. International Data Transfers
Tidewell is based outside the European Economic Area. If you use the Service from within the EEA or UK, your personal data may be transferred to and processed in countries that may not provide the same level of data protection as your home country.
Where we transfer personal data outside the EEA or UK, we rely on appropriate safeguards — including Standard Contractual Clauses (SCCs) where applicable — to ensure your data is protected in accordance with GDPR and UK GDPR.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will provide notice of material changes through the app or by email at least 14 days before they take effect.
The "Effective date" at the top of this page indicates when this version was last revised. We encourage you to review this policy periodically. Continued use of Tidewell after changes take effect constitutes your acceptance of the updated policy.
14. Contact
Questions, requests, or concerns about this Privacy Policy? Contact us:
Tara Cloud Retail, doing business as Black Belt Code Labs
Attention: Privacy
Email: support@blackbeltcodelabs.com
We aim to respond to all privacy-related enquiries within 5 business days.