Legal documents, stated plainly.

Who controls your data

WelloWork AB, registered in Sweden (org. nr. 559472‑9997), operating from Uppsala, is the data controller for personal data collected on this website and through direct enquiries.

For data processed inside the TwentyThird platform on behalf of an organisation — a clinic, a research institution, an employer — WelloWork AB acts as processor and the customer organisation is the controller. That relationship is governed by a separate Data Processing Agreement.

What we collect

Contact and account data. Name, email address, and any information you provide when signing up or writing to us. Legal basis: performance of contract (Art. 6(1)(b) GDPR).

Session and platform data. Journal entries, responses, dream content, and linguistic patterns you share inside TwentyThird. This is the substrate of the analysis. Legal basis: explicit consent (Art. 9(2)(a) GDPR), given at onboarding and revocable at any time. We treat this data as special-category health-adjacent data and apply corresponding safeguards regardless of formal classification.

Technical data. IP address, browser type, device identifiers, and usage timestamps — collected automatically when you access the platform. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) to maintain security and diagnose errors.

We do not collect data on race, ethnicity, political opinion, or religious belief. If content you share incidentally reveals such information, it is not processed as a distinct category.

How we use it

We use your data to deliver and improve the TwentyThird service, send transactional messages you have requested, detect and prevent fraud or abuse, and comply with legal obligations.

We do not use your data for advertising profiling. We do not sell it, license it, or share it with data brokers. We do not use it to train general-purpose AI models operated by third parties.

Who sees it

Within WelloWork AB: Clinicians and engineers who need access to maintain the service. Access is role-restricted and logged.

Infrastructure providers: Supabase (database and authentication, EU region), Vercel (hosting, EU edge), and Postmark (transactional email). Each is bound by a Data Processing Agreement and processes data only on our documented instruction.

Legal obligation: We disclose data to competent authorities only when required by law, and only to the extent required.

No data is transferred outside the EU/EEA. If that changes, we will update this policy and obtain fresh consent where required.

Retention

Account and platform data is retained for as long as your account is active, plus 30 days after deletion to allow recovery. Technical logs are retained for 90 days. Contact enquiries are retained for 24 months.

After these periods, data is permanently deleted or irreversibly anonymised.

Your rights

You have the right to access the data we hold about you, correct inaccuracies, request deletion, restrict or object to processing, and receive a machine-readable copy for portability. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

To exercise any right: privacy@day-23.com. We respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with Integritetsskyddsmyndigheten (IMY), Sweden's data protection authority.

Children

TwentyThird is not directed at persons under 18. We do not knowingly collect data from minors. If we become aware that a minor has submitted data, we delete it promptly.

Changes

We update this policy when our practices change. Material changes are notified by email at least 14 days before they take effect. The version date appears at the bottom of this page.

Effective: 18 May 2026 · Governing law: Swedish law and the GDPR