Privacy Policy

This Privacy Policy (“Policy”) explains how Wellness360 Technologies, Inc. (“Wellness360,” “we,” “us,” or “our”) collects, uses, shares, and protects your personal information when you use the Wellness360 Cares website and participate in wellness challenges offered through your employer or other sponsoring organization (your “Program Sponsor”).

This Policy is provided in compliance with the Health Insurance Portability and Accountability Act (HIPAA), Americans with Disabilities Act (ADA), Genetic Information Nondiscrimination Act (GINA), California Consumer Privacy Act (CCPA/CPRA), and other applicable state and federal privacy laws.

Your participation in wellness challenges is completely voluntary. You are not required to participate, and your employer will not take any adverse action against you if you choose not to participate.

1. Who We Are

2. What Information We Collect

The information we collect depends on which features you choose to use and which features your Program Sponsor has enabled.

2.1 Registration and Profile Information

Name, email address, employee or member ID, date of birth, and optional profile information such as phone number, mailing address, and profile photo.

2.2 Health and Wellness Information (Voluntary)

If you choose to participate, we may collect: Health Risk Assessment (HRA) data, biometric screening data, health coaching data, and activity and engagement data including physical activity, sleep data, nutrition logs, and participation in wellness challenges.

2.3 Device and Technology Data

If you connect fitness tracking devices or health apps, we may collect activity data synced from devices (Fitbit, Apple Health, Google Fit, Garmin, etc.), device information, and sync history. We also automatically collect IP address, browser type, pages viewed, and session data.

2.4 Information from Other Sources

We may receive eligibility data from your Program Sponsor, lab results from biometric screening providers, and claims data from your health insurance provider (if enabled and you participate).

3. How We Use Your Information

• Create and manage your wellness account
• Verify your eligibility for the program
• Track your participation and progress
• Award points and incentives for completed activities
• Generate personalized wellness recommendations
• Evaluate program effectiveness using aggregated, de-identified data
• Send program updates, reminders, and notifications (with your consent)

4. Reporting to Your Employer

We provide your Program Sponsor with aggregate, de-identified reports only (e.g., “40% of employees completed health assessments”). Your employer cannot identify you from these reports.

Your employer does NOT see:

• Your Health Risk Assessment responses
• Your biometric screening results
• Your health coaching notes or goals
• Any specific health conditions, medications, or diagnoses

5. Who Receives Your Information

We share your information only as necessary with: authorized Wellness360 employees, infrastructure providers (AWS), biometric screening and health coaching providers, communication tools (for support), and analytics platforms (de-identified data only).

All service providers sign HIPAA Business Associate Agreements (BAAs) and are contractually required to protect your information.

We do not sell your personal information. Wellness360 does not and will not sell, rent, or lease your information to third parties for monetary consideration.

6. Your Privacy Rights

You have the right to:

• Access — View and request a copy of all information we hold about you
• Correct — Update inaccurate or incomplete information
• Delete — Request permanent deletion of your information (within 60 days)
• Data Portability — Receive a copy of your information in a portable format (CSV, JSON, PDF)
• Restrict Processing — Limit how we use your information
• Object — Object to processing of your information
• Opt-Out of Sale — We do not sell your data, but you may exercise this right at any time

To exercise your rights, email privacy@wellness360.co or call +1 415 463 1515. We will respond within 30 days.

California Residents (CCPA/CPRA)

You have the right to know what Personal Information is collected, used, shared, or sold; delete Personal Information; opt out of sale; and receive non-discriminatory treatment for exercising your rights.

7. Voluntary Participation

Participation in the wellness program and sharing health information is completely voluntary. You are not required to participate, complete assessments, participate in screenings, share health information, or connect fitness tracking devices.

Your employer will not require participation as a condition of employment, take adverse employment action if you choose not to participate, or deny health insurance coverage based on your participation.

8. Data Security

Wellness360 is HITRUST r2 certified, demonstrating compliance with the highest standards for healthcare data security including HIPAA Security Rule, NIST Cybersecurity Framework, and ISO/IEC 27001.

• All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access control with multi-factor authentication
• Complete audit logging of all data access
• Regular vulnerability scanning and penetration testing
• Data stored in HITRUST-certified AWS data centers with 24/7 physical security

9. Data Retention

We retain your information for as long as your account is active. After account termination, identifiable information is permanently deleted within 60 days (30-day deactivation + 30-day deletion grace period). Information required for legal, tax, audit, or compliance purposes is retained for 7 years.

10. Genetic Information (GINA)

We do not require genetic information (including family medical history) as a condition of participation. Any optional family health history questions are used only for health risk assessment and personalized recommendations, and are never shared with your employer in identifiable form.

11. International Data Transfers

Your information is stored on servers in the United States (AWS data centers). If you access the program from outside the United States, your information will be transferred to, stored, and processed in the U.S. For EU/UK users, data transfers are covered by Standard Contractual Clauses (SCCs).

12. Data Breach Response

In the unlikely event of a data breach, we will notify you within 60 days of discovery (as required by HIPAA), provide details about affected data, advise on protective steps, and report the breach to the U.S. Department of Health & Human Services and your Program Sponsor.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or platform notification. Your continued participation after changes become effective constitutes acceptance of the updated Policy.

14. Contact Us