Wellumix

Privacy Policy

Effective Date: January 1, 2025 • Last Updated: March 1, 2025

Wellumix, Inc. ("Wellumix," "we," "us," or "our") operates the Wellumix wellness platform accessible at wellumix.org and through our mobile applications (collectively, the "Service"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service. We reserve the right to make changes to this Privacy Policy at any time and for any reason. We will alert you about any changes by updating the "Last Updated" date of this Privacy Policy.

1. Information We Collect

We collect information you provide directly to us, information we collect automatically when you use our Service, and information from third-party sources.

1.1 Information You Provide Directly

When you register for an account, we collect your name, email address, date of birth, and password. When you use our wellness features, you may voluntarily provide health and wellness data including:

  • Physical activity data (steps, exercise sessions, activity types)
  • Sleep data (duration, quality ratings, sleep schedule)
  • Nutrition data (food logs, meal information, dietary preferences)
  • Mental wellness data (mood entries, stress levels, journal entries)
  • Health goals and wellness preferences
  • Body measurements and biometric data you choose to enter
  • Payment information for premium subscriptions

1.2 Information Collected Automatically

When you use our Service, we automatically collect certain information, including:

  • Device information (device type, operating system, unique device identifiers)
  • Log data (IP address, browser type, pages visited, time spent, referring URLs)
  • Usage data (features accessed, interactions within the app, session duration)
  • Location data (approximate location based on IP address; precise location only with your permission)
  • Cookies and similar tracking technologies (see our Cookie Policy for details)

1.3 Information from Third-Party Sources

With your authorization, we may receive health and wellness data from third-party services and wearable devices you connect to Wellumix, including Apple Health, Google Fit, Fitbit, Garmin, Oura, Whoop, and other compatible platforms. We collect only the data categories you explicitly authorize.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: Creating and maintaining your account, delivering personalized wellness recommendations, processing your health data to generate insights and coaching
  • Personalizing Your Experience: Learning your preferences, optimizing content and recommendations, and adapting our AI models to better serve your individual needs
  • Improving Our Service: Analyzing aggregate usage patterns, testing new features, debugging technical issues, and developing new wellness capabilities
  • Research (with consent): Where you have opted in, contributing anonymized and aggregated data to wellness research conducted in partnership with academic institutions
  • Communication: Sending service notifications, responding to inquiries, delivering newsletters and product updates (where permitted)
  • Safety and Security: Detecting, preventing, and addressing fraud, abuse, and security incidents
  • Legal Compliance: Meeting our legal obligations, enforcing our terms, and responding to lawful requests from authorities

3. HIPAA and Health Data

Wellumix is committed to the highest standards of health data privacy. We implement HIPAA-aligned security practices for health data stored on our platform, including end-to-end encryption of health records, role-based access controls, regular security audits, and comprehensive incident response procedures. While Wellumix may not function as a HIPAA-covered entity in all contexts, we voluntarily adopt HIPAA-equivalent safeguards for all health data in our custody.

Your health data is used exclusively to power your personal wellness experience. We do not sell your health data to third parties, including insurance companies, employers, or data brokers. We do not use your health data for advertising purposes.

4. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following limited circumstances:

  • Service Providers: We engage trusted third-party service providers to assist in operating our Service (cloud hosting, analytics, payment processing, email delivery). These providers are contractually restricted from using your data for any purpose other than providing services to Wellumix.
  • With Your Consent: We may share your information with third parties when you have explicitly consented to such sharing.
  • Business Transfers: If Wellumix is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different Privacy Policy.
  • Legal Requirements: We may disclose your information when required by law, regulation, legal process, or governmental request.
  • Safety: We may disclose information when necessary to protect the rights, property, or safety of Wellumix, our users, or the public.

5. Data Security

We implement industry-standard security measures to protect your information from unauthorized access, use, or disclosure. These measures include AES-256 encryption for data at rest, TLS 1.3 encryption for data in transit, multi-factor authentication requirements for account access, regular penetration testing and security audits, SOC 2 Type II certified infrastructure, and employee security training and access controls.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security. If you believe your security has been compromised, please contact us immediately at security@wellumix.org.

6. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information, subject to certain exceptions
  • Data Portability: Receive your data in a structured, machine-readable format
  • Opt-Out: Opt out of certain uses of your data, including marketing communications
  • Restriction: Request that we limit our processing of your data in certain circumstances

To exercise these rights, contact us at privacy@wellumix.org. We will respond to all requests within 30 days and comply with applicable law. We do not discriminate against users who exercise their privacy rights.

7. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected information from a child under 16, we will promptly delete it. If you believe we may have information from or about a child under 16, please contact us at privacy@wellumix.org.

8. International Data Transfers

Wellumix is based in the United States. If you access our Service from outside the United States, your information may be transferred to and processed in the United States and other countries where our service providers operate. We implement appropriate safeguards for international transfers, including Standard Contractual Clauses approved by the European Commission where applicable.

9. Retention of Your Information

We retain your personal information for as long as your account is active or as needed to provide our Service. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law or necessary for legitimate business purposes such as resolving disputes, preventing fraud, or complying with our legal obligations. Aggregated, anonymized data may be retained indefinitely for research and analytics purposes.

10. California Privacy Rights

California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information we collect and how we use it, the right to delete personal information, the right to opt out of sale or sharing of personal information, the right to correct inaccurate personal information, and the right to limit use and disclosure of sensitive personal information. To exercise California privacy rights, contact us at privacy@wellumix.org or call +1 415 555 0192.

11. Contact Information

For questions, concerns, or to exercise your privacy rights, please contact our Privacy Team:

  • Email: privacy@wellumix.org
  • Mail: Wellumix, Inc., 548 Market St Suite 1200, San Francisco CA 94104
  • Phone: +1 415 555 0192

For EU/EEA residents, Wellumix processes personal data under the legal bases of contract performance, legitimate interests, and consent. Our EU representative can be contacted at eu-privacy@wellumix.org.

12. GDPR Rights for EEA Residents

If you are located in the European Economic Area (EEA), European Union, or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR). Wellumix processes your personal data under the following legal bases: Contract Performance (to provide the Service), Legitimate Interests (fraud prevention, security, Service improvement), Consent (marketing, research participation), and Legal Obligation (compliance with applicable law).

EEA/UK residents have the right of access (Article 15), right to rectification (Article 16), right to erasure (Article 17), right to restrict processing (Article 18), right to data portability (Article 20), right to object (Article 21), and rights related to automated decision-making (Article 22). To exercise these rights, contact privacy@wellumix.org. You also have the right to lodge a complaint with your local supervisory authority.

13. Automated Decision-Making and Profiling

Wellumix uses automated machine learning processes to generate personalized wellness recommendations. While these are automated processes, they are designed to support rather than replace human judgment in wellness decisions. Significant health decisions should always involve qualified healthcare professionals. You may request human review of any automated wellness assessment by contacting privacy@wellumix.org.

14. Data Breach Notification

In the event of a data breach that poses a high risk to your rights and freedoms, Wellumix will notify affected users within 72 hours of becoming aware of the breach, as required by GDPR. Notifications will be sent to the email address associated with your account. We will include information about the nature of the breach, the categories of data affected, the likely consequences, and the measures taken to address the breach.

15. Privacy by Design

Wellumix integrates data protection principles into our product development and business processes from the outset. Our privacy-by-design approach includes data minimization (collecting only data necessary for each specific purpose), purpose limitation (using data only for the purposes for which it was collected), storage limitation (retaining data only as long as necessary), and accountability (maintaining records of processing activities and demonstrating compliance with applicable law).

16. Special Category Health Data

Health and wellness data constitutes "special category personal data" under GDPR and "sensitive personal information" under CCPA/CPRA, warranting heightened protection. We collect and process health data only with your explicit consent, use it solely to provide your personalized wellness experience, and never use it for advertising targeting, insurance assessment, employment decisions, or any other secondary purpose. You may withdraw consent for health data processing at any time through your account settings, which will disable personalized wellness features but not affect your ability to use basic Service functionality.

© 2025 Wellumix. All rights reserved.
