Privacy Policy

Medwell Engage is a community-health volunteering platform operated by Medwell Solutions(“Medwell Engage,” “we,” “us,” or “our”). This policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over it.

If you have questions, email us at privacy@medwellsolutions.com.

We collect only the information needed to run the platform.

• Account information — your name, email address, and (for password sign-ups) a one-way bcrypt hash of your chosen password. Plaintext passwords are never stored or logged.
• Google OAuth profile data — when you sign in with Google, we receive your name, email, and (if you consent) your Google profile photo. We request the userinfo.profile and userinfo.email scopes only.
• Optional profile data — phone number, school, major, organization affiliation, and a profile photo, all entered voluntarily on your profile page.
• Activity data — the activities you register for, attend, or cancel; the points you earn; any volunteer role you take; submission of past activity for review.
• Email preferences — your opt-in / opt-out state for reminders and organizer updates.
• Technical data — your IP address (used only for rate-limiting abuse-prone endpoints), and the user-agent string from your browser when you submit an error report through our crash-reporting flow.
• Local browser storage— we store a small dismissal flag in your browser's localStorage so the first-time welcome banner doesn't reappear after you close it. We do not use cookies for advertising or cross-site tracking.

We do not collect: payment information (Medwell Engage is free), location data beyond the user-supplied activity location, browsing history outside our site, or biometric data.

• Provide the service — let you sign in, register for activities, earn points, see the leaderboard.
• Send transactional emails — registration confirmations, day-before reminders, cancellation notices, password resets, and email-verification links.
• Operate the platform — protect against abuse (rate-limiting), debug errors, and improve reliability.
• Communicate about your account — security notices, terms changes, and answers to questions you send us.

We do not use your information for targeted advertising, behavioral profiling, or training third-party AI models. We do not sell your information.

Medwell Engage's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In plain terms: we use Google account data only to sign you in and display your Google profile photo on your profile. We do not sell, share, or transfer Google user data for any purpose unrelated to providing the service you signed up for, and we do not use it to train AI models.

We share information with the following processors strictly to operate the service. Each is contractually limited to using the data only on our instructions.

• Vercel — hosting (web traffic, server logs).
• Neon — Postgres database (account + activity data).
• Resend — transactional email delivery (your email address and the message contents we send to it).
• Cloudflare R2 — image storage (profile and activity cover photos).
• Google— OAuth sign-in (the OAuth flow itself; we don't share back).

We do not share your information with advertisers, data brokers, or analytics platforms.

You can exercise the following rights at any time by emailing privacy@medwellsolutions.com or by using the in-app tools described below. We respond within 45 days.

• Access — request a copy of the data we hold about you.
• Correction — fix inaccurate data via your profile editor or by emailing us.
• Deletion — request that we delete your account and personal information.
• Opt out of communications — use the unsubscribe page to manage email preferences for reminders and organizer updates. Transactional emails (registration confirmations, cancellations, password reset, email verification) are response-to-action and not subject to opt-out.
• Non-discrimination — we will not deny service, charge a different price, or provide a different level of service because you exercised any of these rights.

California residents (CCPA/CPRA) and Texas residents (TDPA) have the same rights listed above, including the right to request the categories and specific pieces of information we have collected, disclosed, or (if applicable) sold or shared. We do not sell personal information and do not share it for cross-context behavioral advertising.

We keep your information for as long as your account is active. When you delete your account, we delete or anonymize your personal information within 30 days, except where retention is required by law (e.g. accounting records) or where the data has been aggregated such that it can no longer identify you.

Medwell Engage is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us information, email us and we will delete it.

We protect your information with industry-standard practices: passwords are bcrypt-hashed; transport is HTTPS-only; OAuth tokens are stored server-side; image uploads route through signed presigned URLs. No system is perfectly secure, so we cannot guarantee absolute security — if we ever experience a breach affecting your information, we will notify you consistent with applicable law.

Our service providers may process data on servers located in the United States and other countries. By using Medwell Engage you consent to your information being transferred to and processed in those locations.

We may update this policy over time. We'll update the “Last updated” date at the top, and for material changes we'll notify you by email or via an in-app notice. Continued use of the service after a change means you accept the revised policy.

Questions, requests, or concerns: privacy@medwellsolutions.com.