Purpose – Privacy Policy
Last Updated: August 11, 2025
I. Introduction.
Why Not Now LLC d/b/a Purpose, its owners, affiliates, partners, and subsidiaries (collectively, “we”, “our”, “us”, “the Company,” or, “Purpose”) are committed to protecting your (“you”, “your”, or the “User”) privacy rights and personal information while you are using our products and services, and we’d like you to understand how we collect, store, use, and disclose your personal information.
This Privacy Policy, which should be read and understood in conjunction with the Company’s Terms of Service, located at heypurpose.com/terms (“Terms of Service”), applies when you interact with or use, without limitation, the Company’s websites, platforms, software, or applications (mobile or otherwise) (collectively, the “Site”), as well as the Company’s social media interactions, products, services, or otherwise (collectively, with the Site, the “Services”) in any manner, and when you interact with any Company personnel with respect to the Services. By using the Services, or by interacting with Company personnel, you agree to both the terms herein and those included in the Company’s Terms of Service (collectively, the “Agreement”).
DISCLAIMER: THE INFORMATION AND ADVICE INCLUDED OR OFFERED ON THE SITE, OR AS OTHERWISE PROVIDED AS PART OF THE SERVICES, IS NOT INTENDED TO BE USED AS MEDICAL, FINANCIAL, OR LEGAL ADVICE. NO MATERIALS OR INFORMATION HEREIN ARE INTENDED TO BE A SUBSTITUTE FOR PROFESSIONAL MEDICAL ADVICE, DIAGNOSIS, OR TREATMENT. ALWAYS SEEK THE ADVICE OF A LICENSED PHYSICIAN OR OTHER QUALIFIED HEALTHCARE PROVIDERS WITH ANY QUESTIONS YOU MAY HAVE REGARDING A MEDICAL CONDITION OR MEDICAL TREATMENT.
IF YOU DO NOT AGREE TO ABIDE BY THE DATA PRACTICES DESCRIBED IN THIS PRIVACY POLICY OR TO THE TERMS SPECIFIED IN THE TERMS OF SERVICE, THEN PLEASE CLOSE YOUR BROWSER, APP, OR DEVICE IMMEDIATELY AND DO NOT USE OR ACCESS THE SERVICES.
II. Personal Information We Collect.
When you visit the Site, we may collect certain information about your device, including your IP address, browser type, operating system, and referring pages. We also collect information about the pages you visit on the Site and the actions you take on the Site (such as clicking on links).
The way we process your personal information may also depend on the particular Services, functionalities, or experiences you use, your location, and applicable law.
For reference, your use of the Services may result in the Company directing you to third-party sites or applications. Such third parties may have their own respective privacy policies and terms, and you are highly encouraged to apprise yourself of your rights thereunder. For the avoidance of doubt, by using the Site or the Services, you acknowledge and agree that the Company, in its sole discretion, may use such third-parties and/or integrate such third-parties into the Site or Services to, e.g., assist in storing your information and providing services hereunder. Additional information may be found in the Company’s Terms of Service.
III. Information You Provide to Us.
Communications, feedback and survey data, and related data. When you create an account with us, reach out to us for support, give us feedback, participate in optional surveys, participate in product research, or otherwise interact or communicate with us, we may collect personal information, such as, e.g., your full name, email address, date of birth, and any other personal information you choose to share or that we require. Specifically, the Company’s onboarding experience includes questions about, e.g., your life satisfaction, career satisfaction, and other psychological insights that are intended to customize and improve our Services to you.
Marketing data. You may provide us with your contact information and preferences for receiving our marketing communications.
Device and contact data. If you grant permission in your device settings, certain features may have access to your device and contacts.
Financial Information. To engage in the Site and/or the Services, we may collect and store your financial information, such as, without limitation, your credit card number, debit card number, and/or bank account information.
PII and PHI. While we do not intend to collect any “Personally Identifiable Information” (“PII”) and/or Protected Health Information (“PHI”) that falls under the protection of the Health Insurance Portability and Accountability Act (“HIPAA”), nor do we intend to cover the role of a “covered entity” or “business associate” pursuant to HIPAA, you acknowledge and agree that, given the nature of the Services, we may directly or indirectly handle such PII and/or PHI that falls within the protections of HIPAA. Accordingly, you warrant that any such information provided to the Company is done so voluntarily, and, to the extent that we collect protected PII and/or PHI, we will safeguard it in accordance with applicable laws and this Privacy Policy. Accordingly, this Privacy Policy further serves as notice to you regarding how we use, disclose, and protect your PII and/or PHI, if applicable.
Biometric Data (Face ID/Touch ID). If you use biometric authentication features on your devices, such as Face ID or Touch ID, then you may have the option of opting-in to such biometric authentication to use the Services, and such processing would be governed by, e.g., applicable laws regarding biometric information privacy. You may opt-out of biometric processing by emailing us at privacy@heypurpose.com.
IV. Automatic Data Collection.
We may automatically log personal information about you, your computer, or mobile device, and your interaction over time with the Services, such as:
- Device information. We may collect information about your device(s), such as IP addresses, log information, error messages, device type, and unique device identifiers. For example, we may collect IP addresses from you as part of our sign in and security features.
- Usage information. We may collect information about your use of the Services, such as the pages you viewed, the services and features you used or interacted with, your browser type, and details about any links or communications with which you interacted.
- Information stored locally. Some of our web-enabled services and offerings may synchronize with the information on your computer. In doing so, we may collect information such as device information, product usage, and error reports. We may also store personal information locally on your device.
- Communication interaction data. We or our third-party service providers may collect information from email providers, communication providers, and social networks, such as your interactions with our email, text, or other communications.
- Online behavioral data. We may automatically collect certain personal information about your use and interactions with our website, mobile applications, social media websites, and marketing campaigns that we or our partners organize, including device information, page view information, and search results.
V. How We Use Your Personal Information.
We use the information we collect from you to, for example, and without limitation:
- Provide the Site, Services, and their features;
- Run and manage our business;
- Communicate with you;
- Offer you targeted advertising, and otherwise evaluate your eligibility for marketing offers, products, and services;
- Track the use of the Site;
- Improve the Site and our products and services;
- Provide you with support and resolve disputes;
- Authenticate your identity, if necessary; and
- Comply with applicable laws and regulations.
Beyond that, we may further use your information to (i) improve and develop our Services by, e.g., analyzing how they are used and interacted with, by assessing your use of and interactions with our Services and certain content you send or display through the Site, and by conducting data analytics to develop insights about you, your needs, and your preferences; and (ii) combine and de-identify information about your interactions with us to create aggregate, de-identified statistics for use in research, and for marketing, promoting, improving, and developing our Site and Services.
For example, we may log and analyze your interactions at a token level for purposes of, e.g., personalization and analytics, and these logs shall be retained for only as long as necessary to comply with our internal storage, legal, or regulatory requirements. You may opt-out of such token-level logging by contacting us at privacy@heypurpose.com.
We do not sell, share, or otherwise disclose your conversation history, personal insights, or user-generated content to third parties for their advertising purposes. We may, however, use information you provide through the Services, such as topics you’ve discussed or expressed interest in, to personalize your experience with Purpose, including sending you relevant in-app messages, text messages, or emails.
Moreover, we may use your personal information for compliance and protection issues, including, without limitation, to:
- (i) protect against misuse or abuse of our Services and ensure compliance with our Terms of Service;
- (ii) comply with legal and regulatory requirements;
- (iii) protect the rights, property, safety, or security of the Site, our customers, employees, or others, and prevent fraudulent or illegal activity;
- (iv) exercise our rights in the course of judicial, administrative, or arbitral proceedings; and
- (v) enforce, remedy, or apply our Terms of Service or other agreements.
We intend to comply with all applicable laws, including, e.g., CAN-SPAM, and while we plan to use ‘double opt-in e-mail’, whereby you confirm your intention to receive, e.g., marketing, promotional, and Service-related correspondence from us at both the time of sign-up and through an e-mail confirmation link, if you would like to opt out of receiving such marketing and promotional materials at any time, then please use our “unsubscribe” feature, as available, and/or please notify us of your decision to opt out by e-mailing privacy@heypurpose.com.
Finally, the Company may use sub-processors to operate the Services, including, e.g., AWS, OpenAI, Anthropic, Google Cloud, Google Workspace, RevenueCat, Stripe, Postmark, Raindrop, and Mem0. For a complete list of sub-processors and our Data Processing Addendum, please visit heypurpose.com/legal/subprocessors.
VI. Sharing Your Personal Information; No Selling of Personal Information.
First and foremost, we will not sell your information or data to any third-parties. We will, however, aggregate and de-identify data from you, as well as our other users, in accordance with Section V, particularly to improve the Site and Services, and we may share such de-identified or aggregated data with third parties.
We may share your personal information with third parties to help us use your information as described in this Agreement. We may also share your personal information to comply with applicable laws and regulations, to respond to a subpoena, search warrant, or other lawful request for information we receive, or to protect our rights.
Additionally, we may use advertising networks and other providers to display advertising on our Site or to manage our advertising on other sites.
We may also use advertising networks or service providers to help us measure the performance of our own promotional campaigns. However, we do not share personally identifiable information or conversation data with third-party advertisers, nor do we allow third parties to use your data for behavioral advertising. Cookie data may be used solely to understand aggregate usage patterns or serve limited promotions for our own Services, in accordance with your preferences.
We may also share your personal information with third parties for legal reasons without your consent, including (i) when we reasonably believe disclosure is required in order to comply with a subpoena, court order, or other applicable law, regulation, or legal process; (ii) to protect the rights, property, or safety of the Company, the Services, Site, our customers, or others; (iii) to enforce, remedy, or apply our Privacy Policy, Terms of Service, or other agreements; (iv) to prevent fraud, cybersecurity attacks, or illegal activity, or to protect or defend against same; (v) with regulatory agencies, including government tax agencies, as necessary to help detect and combat fraud and/or protect our customers, users, and/or the Site, or in required institutional risk control programs.
Notwithstanding the foregoing, Purpose is not (nor does it intend to act as) a “covered entity” or “business associate” as defined under HIPAA, and HIPAA generally does not apply to your use of our Services. However, certain information you choose to share may resemble “health information” as defined by HIPAA, and we safeguard such information in accordance with applicable law and our internal security practices.
Certain mood and well-being data you provide to us may qualify as “health-related information” under the FTC’s “Health Breach Notification Rule”. In the event that such information is shared with us and then there is an authorized acquisition of such information, we will notify you in accordance with, e.g., the Health Breach Notification Rule. Moreover, in the future, we may adopt voluntary HIPAA self-attestation to further demonstrate our commitment to protecting such information.
VII. Cookies.
We may use commonly used tools, such as cookies, web beacons, pixels, local shared objects, and similar technologies (collectively, “Cookies”), to collect information about you (“Cookie Information”) so that we can provide the experiences you request, recognize your visit, track your interactions, and improve your and other customers’ experiences. You have control over some of the information we collect from Cookies and Cookie Information and how we use it, detailed further in the “Your Rights” section, below.
VIII. Do Not Track Signals.
Some browsers send a “Do Not Track” signal. We do not currently respond to Do Not Track signals.
IX. Your Rights.
You have certain rights regarding your personal information. You may, e.g.:
- Request access to your personal information;
- Request that we correct any inaccurate or incomplete personal information;
- Request that we delete your personal information;
- Object to the processing of your personal information;
- Request that we restrict the processing of your personal information; and/or
- Request that we transfer your personal information to another company.
To make any of these requests, please contact us at privacy@heypurpose.com, and we will respond to your request as soon as possible and within a reasonable time.
Users may delete their account and all associated data at any time from within the Services mobile app (Profile → Delete Account).
Unless you specifically ask us to delete your personal information, we may retain your personal information as long as it is necessary to comply with our data retention requirements and/or as required by law. Even if you submit a deletion request, we may be required to maintain your personal information for as long as necessary to:
- comply with our legal or regulatory compliance needs;
- exercise, establish, or defend legal claims; and/or
- protect against fraudulent or abusive activity on our Site.
There may be occasions where we are unable to fully delete, or de-identify your personal information due to technical, legal, regulatory compliance, or other operational reasons. Where this is the case, we will take reasonable measures to securely isolate your personal information from any further processing until such time as we are able to delete, or de-identify it.
Additionally, if you are a citizen of the State of, e.g., California, Colorado, Connecticut, Virginia, or Utah, then you may have additional privacy rights that are not listed herein, including, e.g., the right to correction and deletion; the right to access all privacy information of yours that we have collected, etc.
Under the California Consumer Privacy Act (CCPA/CPRA) and the Colorado Privacy Act (CPA), specifically, you may have:
- The right to request disclosure of the categories and specific pieces of personal information we have collected about you;
- The right to request deletion or correction of your personal information; and
- The right to opt out of the sale or sharing of your personal information.
You are encouraged to research the privacy rights and protections that may be applicable to you in your specific location or State, and to stay apprised of such rights.
If you have any explicit questions about such rights or wish to enforce any of your legal rights, please contact us at privacy@heypurpose.com with as much specificity and detail as possible, and we would be happy to assist you.
While we do not sell personal information, certain privacy laws (such as the California Consumer Privacy Act) give you the right to opt out of the sale or sharing of your personal information. You may access our “Do Not Sell or Share My Personal Information” opt-out, located at our Do Not Sell or Share My Personal Information page.
X. Data Protection Rights of International Users.
If you are accessing the Services from outside the United States, then you may have additional data protection rights not explicitly listed herein.
European Economic Area; GDPR.
If you are accessing the Services from within Europe (including, for purposes herein, the United Kingdom and the European Economic Area), then the Data Protection Act, General Data Protection Regulation, and similar statutes (collectively, for purposes herein, “GDPR”) may provide you with additional privacy protections and options regarding your PII, some of which are summarized herein for your convenience.
Specifically, the GDPR applies to PII (such as, e.g., your name, address, email address, IP address, payment details, etc.), and we, as the data collector, must have a “lawful reason” for storing or using such personal data, including, for example:
- (i) consent (you have consented to us having your data);
- (ii) contractual reasons (collection and storage of the personal data is required for contractual performance); and
- (iii) it is necessary for us to use and store such PII for its “legitimate interest”.
With the aforementioned criteria in mind, by using the Services, you explicitly grant us the ability to use, access, and store your PII in accordance with the GDPR.
Notwithstanding the foregoing, due to the nature of our Services, we also have a “legitimate interest”, as detailed in the GDPR, to collect such PII and to use and store it in accordance with applicable law, our legitimate business purposes, and/or your expectations regarding the Services.
Despite our rights under the GDPR, we endeavor to minimize the amount of PII that we actually obtain or collect in the performance of the Services.
Beyond that, as required by Article 22 of the GDPR, you have the right not to be subject to decisions based solely on automated processing for certain issues, and, consequently, you have the right to opt out of such automated decision making by emailing us at privacy@heypurpose.com.
Additionally, you may have data protection and privacy rights pursuant to your Data Subject Access Rights under the GDPR, which may permit you to, e.g., withdraw consent, request a copy of your data, or request deletion of your data.
Finally, for international data transfers from the EEA, Switzerland, and the United Kingdom to the United States, we rely on Standard Contractual Clauses (SCCs) and the UK Addendum, as approved by the European Commission and the UK Information Commissioner, respectively. Copies of the applicable transfer mechanisms may be requested by emailing us at privacy@heypurpose.com.
Personal Information Protection and Electronic Documents Act (“PIPEDA”) and Quebec’s Law 25
If you are accessing the Services from within Canada, then, pursuant to PIPEDA, Quebec’s Law 25, or similar privacy regulations, you may have the right to:
- (i) Request access to the personal information we have about you;
- (ii) Request the correction of inaccurate or incomplete personal information about you;
- (iii) Withdraw your consent to the collection, use, or disclosure of your personal information, subject to applicable restrictions; and
- (iv) Request that we delete or de-identify your personal information.
You may have additional rights beyond what is explicitly listed herein, and you are encouraged to research the protections applicable to you in your jurisdiction.
If you would like to do any of the aforementioned options, please e-mail us at privacy@heypurpose.com and we will respond accordingly. Please note that a request to, e.g., withdraw consent or delete your data may affect your use of the Services, including potentially limiting or preventing your ability to access the Services.
We shall retain your PII for as long as we maintain a legitimate interest in or need for such data or as long as applicable law permits, whichever is longer.
If you are located outside of the aforementioned regions, then you are encouraged to research the privacy and data protection laws in your jurisdiction. If you have any questions about your personal information or your privacy rights, or if you wish to exercise your rights under applicable law, then please e-mail us at privacy@heypurpose.com.
XI. Security.
We take security measures to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction. These measures include, e.g.:
- Access controls to limit who has access to your personal information;
- Encryption of your personal information when it is stored or transmitted; and
- Regularly monitoring our security systems and procedures.
Accordingly, we use reasonable physical, technical, and organizational safeguards that are designed to protect your personal information. However, despite these controls, we cannot completely ensure or warrant the security of your personal information, and we explicitly disclaim any and all liability related to damages, losses, and issues related to or arising from your use of the Site or Services.
XII. Changes to This Policy.
We reserve the right to change the terms and conditions of this Privacy Policy at any time and in our sole discretion. You are responsible for checking, and explicitly agree to periodically check, the Agreement from time to time for any changes. We will endeavor, but shall not be obligated, to provide thirty (30) days’ prior notice of any material change. Notice may be provided in writing, electronically, or via the Site. If you do not wish to be bound by such change, you may discontinue using and terminate the Services before the changes become effective. If you continue to use the Services after the changes become effective, you will be bound by the changes.
XIII. Site and Services Not Intended for Minors.
The Site and Services are not intended for or directed to people under the age of 18, and we do not knowingly collect personal information from minors. If you believe we may have information from a minor, please contact us at privacy@heypurpose.com.
XIV. Liability Waiver.
By using our Site or Services, you explicitly agree to the terms herein, and, accordingly, you further agree to release and forever discharge us from any claim whatsoever which arises or may hereafter arise on account of any service rendered or provided by us to you.
XV. Contact Us.
If you have any questions about this Privacy Policy or the Agreement in general, please contact us at privacy@heypurpose.com.
Schedule 1 – Data-Processing Addendum (DPA)
Effective Date: 22 July 2025
Parties: Why Not Now LLC d/b/a Purpose (“Processor”) and each customer (“Controller”)
Integration: This DPA is incorporated by reference into the Privacy Policy and Terms of Service. Continued use of the Services constitutes acceptance.
1 Purpose & Scope
This DPA governs Processor’s handling of Personal Data on Controller’s behalf while providing the Purpose AI-coaching platform (the “Services”) and satisfies Art. 28 GDPR, UK GDPR, CCPA/CPRA, and comparable laws.
2 Definitions
Capitalised terms have the meanings given in the GDPR unless this DPA defines them more narrowly. “Sub-processor” = any processor engaged by Purpose to help deliver the Services.
3 Details of Processing (Art. 28 §3)
Item | Description |
---|---|
Subject matter | SaaS mental-wellness coaching, LLM inference, analytics |
Duration | Term of the master agreement + 30 days for export/deletion |
Nature & purpose | Storage, transmission, analytics, conversation processing |
Data categories | Name, email, subscription ID, chat text, usage metadata, IP |
Data subjects | End-users authorised by Controller (employees, customers, consumers) |
4 Controller Instructions
Purpose processes Personal Data only on documented instructions from Controller, including this DPA, the master agreement, and in-product settings.
5 Confidentiality
All Purpose personnel with access to Personal Data are bound by written confidentiality obligations.
6 Security
Purpose implements the technical and organizational measures listed in Annex A and will not materially diminish them during the term.
7 Sub-processors
- Authorized Sub-processors appear in Annex B.
- Purpose will give 30 days’ email notice before adding or replacing a Sub-processor.
- Controller may object on reasonable, data-protection grounds within 15 days. If unresolved, Controller may suspend the affected Service.
8 Data-Subject Assistance
Purpose will assist Controller in fulfilling requests for access, rectification, erasure, restriction, portability, or objection within 30 days.
9 Breach Notification
Purpose will notify Controller without undue delay, and in any event within 72 hours, after confirming a Personal-Data Breach and will provide the information required by Art. 33 §3 GDPR.
10 DPIAs & Audits
- Purpose will supply the information needed for Data-Protection Impact Assessments.
- Controller may audit once per contract year with 30 days’ notice. Remote review of SOC 2 / ISO 27001 reports or equivalents satisfies this right unless a material incident justifies on-site access.
11 International Transfers
Cross-border transfers rely on (i) the EU 2021 Standard Contractual Clauses (Modules 2 & 3), (ii) the UK Addendum, and (iii) any adequacy decisions. Purpose applies supplementary measures (encryption, pseudonymization) as recommended by the EDPB.
12 Return or Deletion
Within 30 days after termination, Controller may export data via self-service tools. Thereafter Purpose deletes remaining Personal Data unless legal retention applies.
13 Liability
Liability caps mirror those in the master agreement. Each party indemnifies the other for fines or claims arising from its breach of this DPA.
14 Precedence
If conflicts arise: SCCs → DPA → Master Agreement / Terms of Service.
15 Governing Law
Same as the master agreement, except the SCCs follow the law specified therein.
Annex A — Technical & Organizational Measures (summary)
# | Measure | Key controls |
---|---|---|
1 | Encryption | TLS 1.2+ in transit; AES-256 at rest |
2 | Access control | SSO + MFA; least privilege; quarterly reviews |
3 | Network security | VPC isolation, firewall rules, IDS/IPS (planned) |
4 | App security | CI/CD with SAST/DAST (planned); OWASP Top-10 mitigations (planned) |
5 | Monitoring & logging | 24 × 7 alerting; 90-day log retention |
6 | Pen-testing | Independent annual penetration test (planned); critical issues fixed ≤ 30 days |
7 | BC/DR | Daily encrypted backups; RPO 24 h; RTO 8 h |
8 | Incident response | Formal IR plan; breach communications within 72 h |
Full control list available on request.
Annex B — Authorized Sub-processors
- A live version is maintained at https://heypurpose.com/legal/subprocessors
# | Vendor | Purpose | Location | Transfer mechanism |
---|---|---|---|---|
1 | Amazon Web Services | Hosting & storage | US / selected region | SCC + AWS DPA |
2 | PostHog | Product analytics | US | SCC + PostHog DPA |
3 | RevenueCat | Subscription management | US | SCC + RevCat DPA |
4 | Superwall | Payment testing | US | SCC + Superwall DPA |
5 | Stripe | Web checkout | US | SCC + Stripe DPA |
6 | OpenAI | LLM inference | US | SCC + OpenAI DPA |
7 | Anthropic | LLM inference | US | SCC + Anthropic DPA |
8 | Groq | LLM inference | US | SCC + Groq DPA |
9 | Mem0 | Memory storage | US | SCC + Mem0 DPA |
10 | Google Workspace | Internal email/docs | US/EU | SCC + Google DPA |
11 | Zendesk | Customer support | US/EU | SCC + Zendesk DPA |
12 | Raindrop | Conversation Analytics | US | SCC |