Purpose – Privacy Policy

Last Updated: March 20, 2026

I. Introduction.

Why Not Now LLC d/b/a Purpose, its owners, affiliates, partners, and subsidiaries (collectively, “we”, “our”, “us”, “the Company,” or, “Purpose”) are committed to protecting your (“you”, “your”, or the “User”) privacy rights and personal information while you are using our products and services, and we’d like you to understand how we collect, store, use, and disclose your personal information.

This Privacy Policy, which should be read and understood in conjunction with the Company’s Terms of Service, located at purpose.app/terms (“Terms of Service”), applies when you interact with or use, without limitation, the Company’s websites, platforms, software, or applications (mobile or otherwise) (collectively, the “Site”), as well as the Company’s social media interactions, products, services, or otherwise (collectively, with the Site, the “Services”) in any manner, and when you interact with any Company personnel with respect to the Services. By using the Services, or by interacting with Company personnel, you agree to both the terms herein and those included in the Company’s Terms of Service (collectively, the “Agreement”).

DISCLAIMER: THE INFORMATION AND ADVICE INCLUDED OR OFFERED ON THE SITE, OR AS OTHERWISE PROVIDED AS PART OF THE SERVICES, IS NOT INTENDED TO BE USED AS MEDICAL, FINANCIAL, OR LEGAL ADVICE. NO MATERIALS OR INFORMATION HEREIN ARE INTENDED TO BE A SUBSTITUTE FOR PROFESSIONAL MEDICAL ADVICE, DIAGNOSIS, OR TREATMENT. ALWAYS SEEK THE ADVICE OF A LICENSED PHYSICIAN OR OTHER QUALIFIED HEALTHCARE PROVIDERS WITH ANY QUESTIONS YOU MAY HAVE REGARDING A MEDICAL CONDITION OR MEDICAL TREATMENT.

IF YOU DO NOT AGREE TO ABIDE BY THE DATA PRACTICES DESCRIBED IN THIS PRIVACY POLICY OR TO THE TERMS SPECIFIED IN THE TERMS OF SERVICE, THEN PLEASE CLOSE YOUR BROWSER, APP, OR DEVICE IMMEDIATELY AND DO NOT USE OR ACCESS THE SERVICES.

II. Personal Information We Collect.

When you visit the Site, we may collect certain information about your device, including your IP address, browser type, operating system, and referring pages. We also collect information about the pages you visit on the Site and the actions you take on the Site (such as clicking on links).

The way we process your personal information may also depend on the particular Services, functionalities, or experiences you use, your location, and applicable law.

For reference, your use of the Services may result in the Company directing you to third-party sites or applications. Such third parties may have their own respective privacy policies and terms, and you are highly encouraged to apprise yourself of your rights thereunder. For the avoidance of doubt, by using the Site or the Services, you acknowledge and agree that the Company, in its sole discretion, may use such third-parties and/or integrate such third-parties into the Site or Services to, e.g., assist in storing your information and providing services hereunder. Additional information may be found in the Company’s Terms of Service.

III. Information You Provide to Us.

Communications, feedback and survey data, and related data. When you create an account with us, reach out to us for support, give us feedback, participate in optional surveys, participate in product research, or otherwise interact or communicate with us, we may collect personal information, such as, e.g., your full name, email address, date of birth, and any other personal information you choose to share or that we require. Specifically, the Company’s onboarding experience includes questions about, e.g., your life satisfaction, career satisfaction, and other psychological insights that are intended to customize and improve our Services to you.

Marketing data. You may provide us with your contact information and preferences for receiving our marketing communications.

Device and contact data. If you grant permission in your device settings, certain features may have access to your device and contacts.

Financial Information. To engage in the Site and/or the Services, we may collect and store your financial information, such as, without limitation, your credit card number, debit card number, and/or bank account information.

Health-Related Information. Purpose is not a “covered entity” or “business associate” under the Health Insurance Portability and Accountability Act (“HIPAA”), and HIPAA generally does not apply to your use of the Services. While you may voluntarily share information relating to your health, well-being, or mental state through the Services, Purpose does not provide medical or healthcare services. Any such information is protected in accordance with applicable privacy laws and this Privacy Policy.

Biometric Authentication (Face ID / Touch ID). If you choose to enable biometric authentication features available on your device, such as Face ID or Touch ID, such authentication is processed entirely by your device’s operating system. Purpose does not collect, receive, store, or process biometric identifiers or biometric information. You may enable or disable biometric authentication at any time through your device settings.

IV. Automatic Data Collection.

We may automatically log personal information about you, your computer, or mobile device, and your interaction over time with the Services, such as:

Device information. We may collect information about your device(s), such as IP addresses, log information, error messages, device type, and unique device identifiers. For example, we may collect IP addresses from you as part of our sign in and security features.
Usage information. We may collect information about your use of the Services, such as the pages you viewed, the services and features you used or interacted with, your browser type, and details about any links or communications with which you interacted.
Information stored locally. Some of our web-enabled services and offerings may synchronize with the information on your computer. In doing so, we may collect information such as device information, product usage, and error reports. We may also store personal information locally on your device.
Communication interaction data. We or our third-party service providers may collect information from email providers, communication providers, and social networks, such as your interactions with our email, text, or other communications.
Online behavioral data. We may automatically collect certain personal information about your use and interactions with our website, mobile applications, social media websites, and marketing campaigns that we or our partners organize, including device information, page view information, and search results

V. How We Use Your Personal Information.

We use the information we collect from you to, for example, and without limitation:

Provide the Site, Services, and their features;
Run and manage our business;
Communicate with you;
Offer you targeted advertising, and otherwise evaluate your eligibility for marketing offers, products, and services;
Track the use of the Site;
Improve the Site and our products and services;
Provide you with support and resolve disputes;
Authenticate your identity, if necessary; and
Comply with applicable laws and regulations.

Beyond that, we may further use your information to (i) improve and develop our Services by, e.g., analyzing how they are used and interacted with, by assessing your use of and interactions with our Services and certain content you send or display through the Site, and by conducting data analytics to develop insights about you, your needs, and your preferences; and (ii) combine and de-identified information about your interactions with us to create aggregate, de-identified statistics for use in research, and for marketing, promoting, improving, and developing our Site and Services.

We may log and analyze interactions within the Services, including conversational inputs and outputs, solely for purposes such as personalization, product improvement, security monitoring, analytics, and compliance. Such logs are retained only as long as necessary to satisfy operational, legal, or regulatory requirements. Where required by applicable law, you may submit a privacy request by contacting privacy@purpose.app.

We do not sell, share, or otherwise disclose your conversation history, personal insights, or user-generated content to third parties for their advertising purposes. We may, however, use information you provide through the Services, such as topics you’ve discussed or expressed interest in, to personalize your experience with Purpose, including sending you relevant in-app messages, text messages, or emails.

Moreover, we may use your personal information for compliance and protection issues, including, without limitation, to:

protect against misuse or abuse of our Services and ensure compliance with our Terms of Service;
(ii) comply with legal and regulatory requirements;
(iii) protect the rights, property, safety, or security of the Site, our customers, employees, or others, and prevent fraudulent or illegal activity;
(iv) exercise our rights in the course of judicial, administrative, or arbitral proceedings; and
(v) enforce, remedy, or apply our Terms of Service or other agreements.

We intend to comply with all applicable laws, including CAN-SPAM, GDPR, and similar regulations. Where required by law, we will obtain your consent before sending marketing or promotional communications. You may opt in to receive such communications during account creation or through your account settings. You may opt out at any time using the “unsubscribe” link included in our communications or by contacting privacy@purpose.app.

We may also send you service-related or product-related communications necessary to operate the Services, such as account notices, security alerts, product updates, onboarding guidance, or messages relating to your use of the platform. These communications are not marketing communications and may be sent regardless of marketing consent preferences.

If you use Voice Mode, we may process audio that you submit (and any resulting transcripts) in order to provide voice-based functionality, including transmitting audio to service providers that support real-time communications, speech-to-text processing, and voice synthesis. We use such providers solely to operate Voice Mode and do not permit them to use your data for their own advertising purposes.

Finally, the Company may use sub-processors to operate the Services (including Voice Mode), such as infrastructure providers, analytics providers, payment and subscription vendors, customer support tools, and AI processing providers. For a current list of sub-processors and our Data Processing Addendum, please refer to Schedule 1 below.

VI. Sharing Your Personal Information; No Selling of Personal Information.

First and foremost, we will not sell your information or data to any third-parties. We will, however, aggregate and de-identify data from you, as well as our other users, in accordance with Section V, particularly to improve the Site and Services, and we may share such de-identified or aggregated data with third parties.

We may share your personal information with third parties to help us use your information as described in this Agreement. We may also share your personal information to comply with applicable laws and regulations, to respond to a subpoena, search warrant, or other lawful request for information we receive, or to protect our rights.

Additionally, we may use advertising networks and other providers to display advertising on our Site or to manage our advertising on other sites.

We may also use advertising networks or service providers to help us measure the performance of our own promotional campaigns. However, we do not share personally identifiable information or conversation data with third-party advertisers, nor do we allow third parties to use your data for behavioral advertising. Cookie data may be used solely to understand aggregate usage patterns or serve limited promotions for our own Services, in accordance with your preferences.

We may also share your personal information with third parties for legal reasons without your consent, including (i) when we reasonably believe disclosure is required in order to comply with a subpoena, court order, or other applicable law, regulation, or legal process; (ii) to protect the rights, property, or safety of the Company, the Services, Site, our customers, or others; (iii) to enforce, remedy, or apply our Privacy Policy, Terms of Service, or other agreements; (iv) to prevent fraud, cybersecurity attacks, or illegal activity, or to protect or defend against same; (v) with regulatory agencies, including government tax agencies, as necessary to help detect and combat fraud and/or protect our customers, users, and/or the Site, or in required institutional risk control programs.

Certain mood and well-being data you provide to us may qualify as “health-related information” under the FTC’s “Health Breach Notification Rule”. In the event that such information is shared with us and then there is an authorized acquisition of such information, we will notify you in accordance with, e.g., the Health Breach Notification Rule. Moreover, in the future, we may adopt voluntary HIPAA self-attestation to further demonstrate our commitment to protecting such information.

VII. Cookies.

We may use commonly used tools, such as cookies, web beacons, pixels, local shared objects, and similar technologies (collectively, “Cookies”), to collect information about you (“Cookie Information”) so that we can provide the experiences you request, recognize your visit, track your interactions, and improve your and other customers’ experiences. You have control over some of the information we collect from Cookies and Cookie Information and how we use it, detailed further in the “Your Rights” section, below.

VIII. Do Not Track Signals.

Some browsers send a “Do Not Track” signal. We do not currently respond to Do Not Track signals.

IX. Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information under applicable privacy laws, which may include the right to request access to, correction of, or deletion of your personal information, as well as the ability to object to or request restriction of certain processing activities, or to request a copy of your information in a portable format.

Residents of certain U.S. states, as well as individuals located in the European Economic Area, the United Kingdom, Canada, and other jurisdictions, may have additional rights under applicable privacy laws.

To exercise any applicable privacy rights, please submit your request to privacy@purpose.app. We may require verification of your identity before fulfilling your request. We will respond within the timeframes required by applicable law.

We may retain certain information as necessary to comply with legal obligations, resolve disputes, enforce our agreements, or protect against fraudulent or abusive activity.

You may delete your account and associated data at any time within the Services (Profile → Delete Account).

Purpose does not sell personal information or share personal information for cross-context behavioral advertising.

X. Data Protection Rights of International Users.

If you are accessing the Services from outside the United States, then you may have additional data protection rights not explicitly listed herein.

European Economic Area; GDPR.

If you are accessing the Services from within Europe (including, for purposes herein, the United Kingdom and the European Economic Area), then the Data Protection Act, General Data Protection Regulation, and similar statutes (collectively, for purposes herein, “GDPR”) may provide you with additional privacy protections and options regarding your PII, some of which are summarized herein for your convenience.

Specifically, the GDPR applies to PII (such as, e.g., your name, address, email address, IP address, payment details, etc.), and we, as the data collector, must have a “lawful reason” for storing or using such personal data, including, for example:

(i) consent (you have consented to us having your data);
(ii) contractual reasons (collection and storage of the personal data is required for contractual performance); and
(iii) it is necessary for us to use and store such PII for its “legitimate interest”.

With the aforementioned criteria in mind, by using the Services, you explicitly grant us the ability to use, access, and store your PII in accordance with the GDPR.

Notwithstanding the foregoing, due to the nature of our Services, we also have a “legitimate interest”, as detailed in the GDPR, to collect such PII and to use and store it in accordance with applicable law, our legitimate business purposes, and/or your expectations regarding the Services.

Despite our rights under the GDPR, we endeavor to minimize the amount of PII that we actually obtain or collect in the performance of the Services.

Beyond that, as required by Article 22 of the GDPR, you have the right not to be subject to decisions based solely on automated processing for certain issues, and, consequently, you have the right to opt out of such automated decision making by emailing us at privacy@purpose.app.

Additionally, you may have data protection and privacy rights pursuant to your Data Subject Access Rights under the GDPR, which may permit you to, e.g., withdraw consent, request a copy of your data, or request deletion of your data.

For international transfers from the European Economic Area, Switzerland, and the United Kingdom to the United States, Purpose relies on approved transfer mechanisms, including the European Commission’s Standard Contractual Clauses and the UK Addendum, where applicable. Where required by law, individuals may request additional information regarding applicable transfer safeguards by contacting privacy@purpose.app

Personal Information Protection and Electronic Documents Act (“PIPEDA”) and Quebec’s Law 25

If you are accessing the Services from within Canada, then, pursuant to PIPEDA, Quebec’s Law 25, or similar privacy regulations, you may have the right to:

(i) Request access to the personal information we have about you;
(ii) Request the correction of inaccurate or incomplete personal information about you;
(iii) Withdraw your consent to the collection, use, or disclosure of your personal information, subject to applicable restrictions; and
(iv) Request that we delete or de-identify your personal information.

You may have additional rights beyond what is explicitly listed herein, and you are encouraged to research the protections applicable to you in your jurisdiction.

If you would like to do any of the aforementioned options, please e-mail us at privacy@purpose.app and we will respond accordingly. Please note that a request to, e.g., withdraw consent or delete your data may affect your use of the Services, including potentially limiting or preventing your ability to access the Services.

We shall retain your PII for as long as we maintain a legitimate interest in or need for such data or as long as applicable law permits, whichever is longer.

If you are located outside of the aforementioned regions, then you are encouraged to research the privacy and data protection laws in your jurisdiction. If you have any questions about your personal information or your privacy rights, or if you wish to exercise your rights under applicable law, then please e-mail us at privacy@purpose.app.

XI. Security.

We take security measures to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction. These measures include, e.g.:

Access controls to limit who has access to your personal information;
Encryption of your personal information when it is stored or transmitted; and
Regularly monitoring our security systems and procedures.

Accordingly, we use reasonable physical, technical, and organizational safeguards that are designed to protect your personal information. However, despite these controls, we cannot completely ensure or warrant the security of your personal information, and we explicitly disclaim any and all liability related to damages, losses, and issues related to or arising from your use of the Site or Services.

XII. Changes to This Policy.

We reserve the right to change the terms and conditions of this Privacy Policy at any time and in our sole discretion. You are responsible for checking, and explicitly agree to periodically check, the Agreement from time to time for any changes. We will endeavor, but shall not be obligated, to provide thirty (30) days’ prior notice of any material change. Notice may be provided in writing, electronically, or via the Site. If you do not wish to be bound by such change, you may discontinue using and terminate the Services before the changes become effective. If you continue to use the Services after the changes become effective, you will be bound by the changes.

XIII. Site and Services Not Intended for Minors.

The Site and Services are not intended for or directed to people under the age of 18, and we do not knowingly collect personal information from minors. If you believe we may have information from a minor, please contact us at privacy@purpose.app .

XIV. Liability Waiver.

By using our Site or Services, you explicitly agree to the terms herein, and, accordingly, you further agree to release and forever discharge us from any claim whatsoever which arises or may hereafter arise on account of any service rendered or provided by us to you.

XV. Contact Us.

If you have any questions about this Privacy Policy or the Agreement in general, please contact us at privacy@purpose.app .

Schedule 1 – Data-Processing Addendum (DPA)

Effective Date: March 20, 2026

Parties: Why Not Now LLC d/b/a Purpose (“Processor”) and each customer (“Controller”)

Integration: This DPA is incorporated by reference into the Privacy Policy and Terms of Service. Continued use of the Services constitutes acceptance.

1 Purpose & Scope

This DPA governs Processor’s handling of Personal Data on Controller’s behalf while providing the Purpose AI-coaching platform (the “Services”) and satisfies Art. 28 GDPR, UK GDPR, CCPA/CPRA, and comparable laws.

2 Definitions

Capitalised terms have the meanings given in the GDPR unless this DPA defines them more narrowly. “Sub-processor” = any processor engaged by Purpose to help deliver the Services.

3 Details of Processing (Art. 28 §3)

Item	Description
Subject matter	SaaS mental-wellness coaching, LLM inference, analytics
Duration	Term of the master agreement ＋ 30 days for export/deletion
Nature & purpose	Storage, transmission, analytics, conversation processing
Data categories	Name, email, subscription ID, chat text, usage metadata, IP
Data subjects	End-users authorised by Controller (employees, customers, consumers)

4 Controller Instructions

Purpose processes Personal Data only on documented instructions from Controller, including this DPA, the master agreement, and in-product settings.

5 Confidentiality

All Purpose personnel with access to Personal Data are bound by written confidentiality obligations.

6 Security

Purpose implements the technical and organizational measures listed in Annex A and will not materially diminish them during the term.

7 Sub-processors

Authorized Sub-processors appear in Annex B.
Purpose will give 30 days’ email ＋notice before adding or replacing a Sub-processor.
Controller may object on reasonable, data-protection grounds within 15 days. If unresolved, Controller may suspend the affected Service.

8 Data-Subject Assistance

Purpose will assist Controller in fulfilling requests for access, rectification, erasure, restriction, portability, or objection within 30 days.

9 Breach Notification

Purpose will notify Controller without undue delay—and in any event within 72 hours— after confirming a Personal-Data Breach and will provide the information required by Art. 33 §3 GDPR.

10 DPIAs & Audits

Purpose will supply the information needed for Data-Protection Impact Assessments.
Controller may audit once per contract year with 30 days’ notice. Remote review of SOC 2 / ISO 27001 reports or equivalents satisfies this right unless a material incident justifies on-site access.

11 International Transfers

Cross-border transfers rely on (i) the EU 2021 Standard Contractual Clauses (Modules 2 & 3), (ii) the UK Addendum, and (iii) any adequacy decisions. Purpose applies supplementary measures (encryption, pseudonymization) as recommended by the EDPB.

12 Return or Deletion

Within 30 days after termination, Controller may export data via self-service tools. Thereafter Purpose deletes remaining Personal Data unless legal retention applies.

13 Liability

Liability caps mirror those in the master agreement. Each party indemnifies the other for fines or claims arising from its breach of this DPA.

14 Precedence

If conflicts arise: SCCs → DPA → Master Agreement / Terms of Service.

15 Governing Law

Same as the master agreement, except the SCCs follow the law specified therein.

Annex A — Technical & Organizational Measures (summary)

#	Measure	Key controls
1	Encryption	TLS 1.2+ in transit; AES-256 at rest
2	Access control	SSO ＋ MFA; least privilege; quarterly reviews
3	Network security	VPC isolation, firewall rules, IDS/IPS (planned)
4	App security	CI/CD with SAST/DAST (planned); OWASP Top-10 mitigations (planned)
5	Monitoring & logging	24 × 7 alerting; 90-day log retention
6	Pen-testing	Independent annual penetration test (planned); critical issues fixed ≤ 30 days
7	BC/DR	Daily encrypted backups; RPO 24 h; RTO 8 h
8	Incident response	Formal IR plan; breach communications within 72 h

Full control list available on request.

Annex B — Authorized Sub-processors

A live version is maintained at https://purpose.app/legal/subprocessors

#	Vendor	Purpose	Location	Transfer mechanism
1	Amazon Web Services	Hosting & storage	US / selected region	SCC ＋ AWS DPA
2	PostHog	Product analytics	US	SCC ＋ PostHog DPA
3	RevenueCat	Subscription management	US	SCC ＋ RevCat DPA
4	Superwall	Payment testing	US	SCC ＋ Superwall DPA
5	Stripe	Web checkout	US	SCC ＋ Stripe DPA
6	OpenAI	LLM inference	US	SCC ＋ OpenAI DPA
7	Anthropic	LLM inference	US	SCC ＋ Anthropic DPA
8	Groq	LLM inference	US	SCC ＋ Groq DPA
9	Mem0	Memory storage	US	SCC ＋ Mem0 DPA
10	Google Workspace	Internal email/docs	US/EU	SCC ＋ Google DPA
11	Zendesk	Customer support	US/EU	SCC ＋ Zendesk DPA
12	Raindrop	Conversation Analytics	US	SCC
13	LiveKit	Voice Mode	US	SCC + LiveKit DPA