Privacy Policy
Last updated: April 4, 2026
ApproveWell (“we,” “us,” or “our”) operates the approvewell.com website and the ApproveWell platform (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our Service. Please read this policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
1. Information We Collect
We collect the following categories of information:
- Account Data. When you register for an account, we collect your name, email address, password (stored in hashed form), workspace name, and billing information. If you sign up for a paid plan, payment details are collected and processed directly by Stripe—we do not store your full credit card number on our servers.
- Usage Data. We automatically collect information about how you interact with the Service, including pages visited, features used, approval workflows created, files uploaded, comments posted, timestamps of activity, and referring URLs.
- Device and Technical Data. We collect your IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.
- Cookies. We use strictly necessary session cookies for authentication and maintaining your login state. We do not use advertising or third-party tracking cookies. See Section 9 for more details.
- Content Data. We store files, images, documents, comments, annotations, and other content you upload to or create within the Service. This content is stored solely to provide the Service to you and your collaborators.
2. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, and maintain the Service, including processing approval workflows, delivering files to reviewers, and sending notifications.
- To process transactions and manage your subscription, including billing, invoicing, and payment processing through Stripe.
- To send transactional emails such as approval requests, reminder notifications, password resets, and account confirmations via our email provider, Resend.
- To provide customer support and respond to your inquiries.
- To detect, prevent, and address security incidents, fraud, and technical issues.
- To analyze usage patterns and improve the functionality, performance, and reliability of the Service.
- To enforce our Terms of Service and comply with legal obligations.
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
- Performance of a Contract. Processing necessary to provide the Service you have requested, including account creation, file storage, approval workflows, and billing.
- Legitimate Interests. Processing necessary for our legitimate business interests, including improving the Service, ensuring security, preventing fraud, and analyzing usage patterns—provided these interests are not overridden by your data protection rights.
- Consent. Where you have given explicit consent for specific processing activities, such as receiving optional product update communications. You may withdraw consent at any time.
- Legal Obligation. Processing necessary to comply with applicable laws, regulations, or legal proceedings.
4. Information Sharing and Third Parties
We share your information only with the following third-party service providers, each of which is bound by data processing agreements:
- Stripe — Payment processing. Stripe receives your billing information (name, email, payment method details) to process subscription payments. Stripe’s privacy policy is available at stripe.com/privacy.
- Resend — Transactional email delivery. Resend receives recipient email addresses and email content to deliver approval notifications, reminders, and account-related messages.
- Cloudflare — CDN, DDoS protection, and SSL/TLS termination. Cloudflare processes request metadata (IP addresses, headers) to route traffic and protect the Service from attacks. Cloudflare’s privacy policy is available at cloudflare.com/privacypolicy.
We may also disclose your information if required by law, regulation, legal process, or governmental request, or if necessary to protect the rights, property, or safety of ApproveWell, our users, or the public.
5. Data Storage and Security
We implement industry-standard security measures to protect your data:
- Encryption in Transit. All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). Cloudflare provides an additional layer of SSL/TLS encryption at the edge.
- Encryption at Rest. All stored data, including uploaded files and database records, is encrypted at rest using AES-256 encryption.
- Access Controls. Access to production systems is restricted to authorized personnel only, protected by SSH key authentication and firewalls. Database access is limited to the application layer.
- Password Security. User passwords are hashed using industry-standard algorithms and are never stored in plaintext.
While we take reasonable precautions to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Data Retention and Deletion
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
- Active Accounts. Your data is retained for the duration of your account.
- Account Deletion. When you delete your account, your personal data and uploaded files are scheduled for permanent deletion within 30 days. During this period, your data is no longer accessible but may exist in encrypted backups.
- Backups. Encrypted backups containing your data may persist for up to 90 days after deletion, after which they are purged.
- Legal Requirements. We may retain certain data for longer periods if required by applicable law, such as billing records for tax compliance.
You may request deletion of your data at any time by contacting us at support@approvewell.com or by using the account deletion feature in your account settings.
7. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to the transfer of your information to the United States. For users in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to ensure adequate protection of your personal data when transferred internationally.
8. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
GDPR Rights (EEA, UK, Switzerland):
- Right of Access. You have the right to request a copy of the personal data we hold about you.
- Right to Rectification. You have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure. You have the right to request deletion of your personal data, subject to certain legal exceptions.
- Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to Restriction of Processing. You have the right to request that we limit the processing of your personal data under certain circumstances.
- Right to Object. You have the right to object to the processing of your personal data based on legitimate interests.
- Right to Withdraw Consent. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection supervisory authority.
CCPA Rights (California Residents):
- Right to Know. You have the right to request information about the categories and specific pieces of personal information we have collected, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete. You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale. We do not sell your personal information. However, you have the right to opt out if this practice changes.
- Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.
To exercise any of these rights, please contact us at support@approvewell.com. We will respond to verifiable requests within 30 days (or as required by applicable law).
9. Cookies and Tracking
ApproveWell uses a minimal cookie approach:
- Session Cookies. We use strictly necessary session cookies to authenticate users, maintain login state, and ensure the security of your session. These cookies are essential for the Service to function and cannot be disabled.
- No Tracking Cookies. We do not use advertising cookies, third-party tracking cookies, or analytics cookies that track you across other websites.
- No Third-Party Trackers. We do not embed social media pixels, retargeting scripts, or any other third-party tracking technologies.
10. Children’s Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@approvewell.com, and we will take steps to delete such information. We comply with the Children’s Online Privacy Protection Act (COPPA) and similar regulations worldwide.
11. Data Breach Notification
In the event of a data breach that compromises the security, confidentiality, or integrity of your personal data, we will notify affected users without undue delay and no later than 72 hours after becoming aware of the breach, as required by applicable law (including GDPR Article 33). Notification will be provided via email to the address associated with your account and, where appropriate, through a prominent notice on our website. The notification will include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. The “Last updated” date at the top of this page indicates when this policy was last revised. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.
13. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: support@approvewell.com.
ApproveWell
Email: support@approvewell.com
Website: approvewell.com