Privacy Policy

Welling PLLC is a Washington professional limited liability company operating a metabolic health platform that combines a free wellness app with access to optional licensed clinical care. Our principal place of business is 539 Broadway, Tacoma, WA 98402. Welling operates both as a wellness technology platform and, with respect to users who opt into clinical care, as a healthcare provider subject to applicable state and federal law. The nature of our obligations with respect to your information depends on which services you use, as described below.

Account and identity information

• Name and email address
• Password (stored in hashed form — we never store your plaintext password)
• Apple ID when you use Sign in with Apple

Health and wellness profile

• Date of birth, biological sex, height, weight, and activity level
• Health goals, dietary restrictions, and program preferences
• Clinical intake information if you opt into clinical care (health history, medications, allergies, and related information)

Daily activity and logs

• Food entries, meal photos, and nutritional data
• Weight check-ins and water intake logs
• Streak and engagement data (daily logging activity used to calculate loyalty pricing)
• Progress photos and weekly summaries

Clinical data (if you opt into clinical care)

• Health history, current medications, and allergies
• Lab results and monitoring data you share with your clinician
• Prescription and treatment records
• Clinician notes and care plan information

Device and usage data

• App activity, feature usage, and session information
• Device type, operating system, and app version
• Apple Health data if you grant permission (steps, active energy, weight)
• Error and crash reports (via Sentry, used to identify and fix bugs)

• Provide and personalize the Service
• Power your AI health coach with relevant context
• Display progress history and generate weekly summaries
• Calculate and apply loyalty pricing based on streak engagement
• Provide clinical care including sharing relevant health information with your licensed clinician
• Coordinate pharmacy fulfillment when a prescription is issued
• Generate aggregate de-identified participation reports for employer partners
• Communicate with you about your account, care, and program
• Improve the Service and AI coaching quality
• Comply with legal, regulatory, and professional obligations

The Welling app uses Anthropic's Claude AI to power your health coach. When you send a message, log a meal, or submit a photo, relevant context from your profile and recent logs is sent to Claude to generate a personalized response. This context includes your daily macro totals, goals, recent food logs, and relevant profile information. We do not share your full health history or clinical records with Anthropic. Data sent to Anthropic is subject to Anthropic's privacy policy and terms of service. We use Anthropic's API under data processing terms consistent with our privacy obligations.

If you opt into clinical care through Welling, a licensed clinician reviews your intake and, if appropriate, enters into a treatment relationship with you. In that context, information you share for clinical purposes is protected health information (“PHI”) subject to HIPAA and applicable state law. We use and disclose your PHI only as permitted or required by HIPAA — primarily for treatment, payment, and healthcare operations, and with your authorization for other purposes. Clinical services are facilitated through Bask Health, Inc., our technology and care coordination partner, which operates as our subcontractor business associate under a HIPAA-compliant Business Associate Agreement.

Patient rights

• Right to access and receive a copy of your health records
• Right to request correction of inaccurate records
• Right to request restrictions on certain uses and disclosures
• Right to an accounting of disclosures
• Right to receive a copy of this Notice of Privacy Practices

To exercise any of these rights, contact privacy@wellinghealth.com. If you believe your privacy rights have been violated, you may file a complaint with the U.S. Department of Health and Human Services at www.hhs.gov/ocr. For users who use only the App's wellness features without opting into clinical care, HIPAA does not apply. Your wellness data is treated as consumer health information as described in Section 6.

Welling is subject to the Washington My Health My Data Act (“MHMD Act”) with respect to Washington residents' consumer health data. Under the MHMD Act, you have the right to:

• Know what consumer health data we collect about you and why
• Access the consumer health data we hold about you
• Withdraw consent to our collection or sharing of your consumer health data
• Request deletion of your consumer health data

We do not sell consumer health data. We do not share consumer health data for advertising purposes. To exercise your rights under the MHMD Act, contact privacy@wellinghealth.com. We will respond within the timeframes required by law. Other states may have similar consumer health data laws. We apply comparable protections to residents of states with applicable legislation.

We do not sell your personal data. We do not share your health data with advertisers. We may share your information in the following circumstances:

Service providers

We use third-party vendors to operate the Service, including Supabase (database and storage), Anthropic (AI coaching), Bask Health (care coordination and pharmacy fulfillment), Vercel (web hosting), Expo (mobile app infrastructure), and Sentry (error tracking). These vendors access your data only as necessary to provide their services and are bound by confidentiality obligations.

Licensed clinicians

When you receive clinical care through Welling, we share relevant health information with the licensed clinicians who provide your treatment, consistent with your care relationship and applicable law.

Pharmacy partners

If you receive a prescription through Welling, we may share information necessary for dispensing, verification, fulfillment, and refill coordination with pharmacies and related vendors as permitted by law.

Employer partners

If you access Welling through an employer benefit program, we may provide your employer with aggregate, de-identified participation reports. We never share your individual health information, food logs, weight data, prescriptions, or clinical communications with your employer.

Legal and regulatory

We may disclose information when required by law, regulation, valid legal process, or professional obligations, or when we believe in good faith that disclosure is necessary to protect health, safety, or rights.

Business transfers

If Welling is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction subject to confidentiality commitments and continued protections consistent with this policy.

Your data is stored in Supabase, a SOC 2 compliant cloud database provider hosted in the United States. All data is encrypted in transit using TLS and encrypted at rest. Meal photos, progress photos, and other media are stored in a secure cloud storage bucket with access controls. We implement reasonable technical and organizational safeguards appropriate to the sensitivity of the information we process. However, no system is perfectly secure. You are responsible for maintaining the confidentiality of your login credentials and for keeping your device secure. If you believe your account has been compromised, notify us immediately at privacy@wellinghealth.com.

If you grant permission, the Welling app may read data from Apple Health, including steps, active energy burned, and body weight. This data is used to personalize your dashboard and provide context to your AI coach. We do not write data to Apple Health without your explicit action. You can revoke Apple Health permissions at any time in your iPhone Settings.

• Access the personal data we hold about you
• Correct inaccurate information via Settings in the app
• Delete your account and associated wellness data via Settings → Reset all data, or by emailing privacy@wellinghealth.com
• Export your data by contacting privacy@wellinghealth.com
• Withdraw consent to certain data processing where consent is the legal basis
• Lodge a complaint with a data protection authority or the Washington Attorney General

For clinical records, additional rights apply under HIPAA as described in Section 5. We may be required to retain certain records for minimum periods under applicable law even after you close your account.

The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, please contact us at privacy@wellinghealth.com and we will delete it promptly.

We may update this Privacy Policy from time to time. We will post the updated policy on our website and update the effective date. If we make material changes, we will notify you by email or in-app notification before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

Regulatory contacts:

• Washington Attorney General (privacy): www.atg.wa.gov
• U.S. Department of Health and Human Services (HIPAA complaints): www.hhs.gov/ocr