Privacy Policy

Last updated: 16 June 2026

1. Who This Covers

Anxiety Pal is made by Mellow. This Privacy Policy explains what Anxiety Pal collects, why it is used, and how account, progress, Safety Plan, sharing, and analytics data are handled.

Questions or privacy requests should be sent to contact@bemlw.com.

2. Account And Auth Data

If you create an account, Anxiety Pal stores the account data needed to sign you in and protect saved account areas.

  • Email address, name, profile image, email-verification state, and account timestamps.
  • Google sign-in records when you use Google, including provider account identifiers and Auth.js account tokens.
  • Email and password records when you register directly. Passwords are stored as password hashes, not plaintext.
  • Hashed password reset tokens, expiry times, and used-at timestamps when you request a password reset.
  • Session data needed to keep you signed in, including the user id, name, email, profile image, email-verification state, and session expiry.

3. Technique And Progress Data

Core techniques can be used without an account. Anonymous technique use is not saved to a user profile.

If you are signed in, Anxiety Pal may save the technique id, start time, completion time, and optional rating you choose to give a completed technique. This is used to show your progress and recent activity. We do not save technique journal notes or free-text reflections.

4. Safety Plan Data

Your Safety Plan is private by default and is treated as sensitive. If you save one, Anxiety Pal stores the plan title, version, timestamps, and the sections you choose to fill in.

  • Warning signs.
  • Things you can try first.
  • Support options outside the app.
  • Practical next steps for your environment.
  • Trusted contacts, including contact details you add.
  • User-added support resources.
  • Reasons for living and short planning notes.

Anxiety Pal does not contact emergency services, trusted contacts, or support organisations for you. It does not monitor whether you are safe.

5. Safety Plan Share Links

If you create a Safety Plan share link, Anxiety Pal stores owner-only share metadata: the share label, expiry time, creation time, revocation time, a hashed share token, and an optional hashed share password. The raw share token appears in the link shown to you and is not stored in plaintext.

Anyone with an active share link, and the share password if you set one, can view the shared read-only page until the link expires or is revoked. The current shared view includes the plan title, updated time, warning signs, things to try first, support outside the app, and practical next steps. Trusted contacts, user-added emergency resources, reasons for living, and notes are not shown on the current shared view.

Shared Safety Plan pages are marked noindex, use no-referrer metadata where supported, and are not used for recipient tracking or open receipts.

6. Analytics, Cookies, And Tracking

We use essential cookies for account access, security, and basic functionality. We do not use tracking cookies or third-party analytics services.

Simple Analytics has been removed from the app. Shared Safety Plan pages are not tracked, and Safety Plan content, share tokens, share passwords, and technique request payloads are not sent to analytics tools.

7. How We Use Data

  • Provide account sign-in, registration, password reset, and session security.
  • Save progress, optional ratings, and Safety Plan updates for signed-in users.
  • Create, open, expire, and revoke Safety Plan share links.
  • Protect the product from misuse and investigate reliability or security issues.
  • Respond to support, export, correction, and deletion requests.

8. Third Parties

Anxiety Pal uses Google only when you choose Google sign-in. If password reset email is enabled, the configured email provider processes the reset message. Account, progress, and Safety Plan data are stored in the app's database through Prisma.

We do not sell personal data. We do not send Safety Plan content, saved technique data, or share link payloads to advertising networks or analytics providers.

9. Export, Correction, And Deletion

You can ask for a copy of your account data, correction of inaccurate account data, or deletion of your account and saved content.

Data request route: use account settings for export or deletion when signed in. You can also email contact@bemlw.com for export, correction, or deletion help.

Exports and deletion responses must not include password hashes, reset tokens, session tokens, provider secrets, raw share tokens, or share password hashes.

10. Security And Retention

We use access controls, validation, hashed credentials, hashed tokens, and owner checks to protect saved data. No internet service can promise perfect security, so Safety Plan sharing should be used carefully and shared only with people you trust.

Data is kept while your account or saved content remains active, unless deletion is requested or the data is removed through account controls. Expired or revoked share links stop opening the shared view.
