Privacy Policy
Health Lync LLC, Doing Business As (DBA): Wellyfy
Effective Date: July 21, 2025
1. Purpose
Health Lync LLC, doing business as Wellyfy ("Wellyfy," "we," "us," or "our"), based in Austin, Texas, is committed to protecting the privacy and security of Personal Information in compliance with applicable laws, including the Texas Data Privacy and Security Act (TDPSA), the Health Insurance Portability and Accountability Act (HIPAA), and other relevant federal and state regulations ("Applicable Law"). This Privacy Policy outlines our responsibilities regarding the collection, use, disclosure, and protection of Personal Information (PI) and Sensitive Personal Information for our telehealth services.
2. Policy Owner
Privacy Officer, Health Lync LLC
Contact: support@thehealthlync.com
3. Scope
This policy applies to Wellyfy's telehealth services ("Services") offered to eligible individuals ("Members") in Texas and, where applicable, other U.S. states. Services include connecting Members with treating physicians, psychologists, or specialists for general practitioner services, expert medical opinions, online consultations, and mental health support, including interactions with Wellyfy's AI platform powered by Gemini and Claude.
This policy covers all Wellyfy employees, contractors, and third-party service providers ("Subcontractors") who handle PI in connection with our Services.
- Personal Information (PI) is defined as information that identifies or could reasonably identify an individual, including name, address, phone number, email, or other data treated as personal under Applicable Law.
- Sensitive Personal Information includes health information, biometric or genetic data, sexual orientation, racial or ethnic origins, or other data afforded extra protection under Applicable Law, such as protected health information (PHI) under HIPAA.
4. Personal Information Collected
Wellyfy collects PI necessary to provide Services, including:
4.1 Personal Information:
- Demographic details (name, address, phone number, date of birth, email, IP address).
- Identification (e.g., driver's license, passport for identity verification).
- Insurance policy number.
- Demographic information of Members' legal representatives (if applicable).
- Payment and billing information (e.g., credit card details, billing address), processed through PCI DSS-compliant payment processors.
4.2 Sensitive Personal Information:
- Medical records (e.g., medical history, treatment records, diagnostic tests, imaging like X-rays or CT scans, pathology samples).
- Health-related data (e.g., heart and lung sounds, vital signs, sexual orientation, mental health information, if relevant to Services).
- Wearable device and health platform data (e.g., activity metrics, heart rate, sleep data, vital signs obtained through connected integrations as described in Section 6.7).
- Telehealth session data (e.g., consultation records, clinical notes, prescriptions generated during telehealth encounters).
4.3 Technical and Device Information:
- Device identifiers (e.g., device model, operating system, unique device identifiers, mobile advertising identifiers).
- Log data (e.g., access times, pages viewed, app activity, referring URLs).
- Network information (e.g., IP address, internet service provider, connection type).
- Browser type and version (for web-based access).
- App version, crash reports, and performance diagnostics.
- Location data (only when explicitly authorized by the user, for features such as locating nearby providers).
5. How Personal Information is Collected
We collect PI through the following methods:
5.1 Direct Collection
- Direct input from Members or their legal representatives during registration, onboarding, or use of Services.
- Authorized collection from treating physicians or healthcare facilities.
- Insurance providers or employers, solely to verify eligibility for Services.
- Interactions with YodocEMR during telehealth sessions.
- User-initiated connections to wearable devices and health platforms (as described in Section 6.7).
5.2 Automated Collection
When users access the Wellyfy platform (via web browser or mobile application), certain technical information is collected automatically, including:
- Device and browser information (type, version, operating system, unique identifiers).
- Log and usage data (pages visited, features used, session duration, click patterns).
- App performance data (crash logs, diagnostics, response times).
- Cookies, pixels, and similar technologies (see Section 22, Cookies and Tracking Technologies).
5.3 Third-Party Sources
- Health data from connected wearable devices and platforms (Apple Health, Google Fit, Garmin Connect, Fitbit, Samsung Health) when authorized by the user.
- Identity verification services used to confirm Member identity.
- Analytics providers that help us understand platform usage patterns (using de-identified data only).
Notice and consent are obtained before collecting PI, except where necessary to determine eligibility, in accordance with TDPSA and HIPAA requirements. Wellyfy does not collect data in the background or when the app is not actively in use, unless the user has explicitly enabled a feature that requires background data access (e.g., continuous health monitoring from a connected wearable device).
6. Purposes for Collecting, Using, and Disclosing Personal Information
6.1 Providing Services
Wellyfy collects, uses, and discloses PI primarily to deliver telehealth Services, including:
- Verifying eligibility for Services.
- Collecting medical history and treatment information.
- Collaborating with physicians, psychologists, or specialists.
- Assessing, diagnosing, and treating Members.
- Recommending healthcare providers or facilities.
- Engaging Members with eligibility notifications or health-related updates.
6.2 Use of Anonymized Data for AI Training and Healthcare Improvement
To enhance healthcare outcomes and improve our Services, Wellyfy may use anonymized patient data to train artificial intelligence (AI) models. This data includes, but is not limited to:
- Heart and lung sounds.
- Vital signs (e.g., blood pressure, heart rate, temperature).
- Interactions with Wellyfy's AI platform (e.g., de-identified session data).
- Other de-identified health information derived from medical records.
All data used for AI training is anonymized to remove personally identifiable information, ensuring compliance with HIPAA and TDPSA. Anonymized data cannot be linked back to an individual Member. This process supports the development of more accurate diagnostic tools, personalized treatment recommendations, and improved telehealth experiences.
6.3 Disclosures to Members or Authorized Individuals
PI is disclosed to Members or their legal representatives after identity verification. Disclosures to others involved in a Member's care require written or documented verbal consent, per HIPAA.
6.4 Disclosures to Subcontractors
Wellyfy may share PI with Subcontractors (e.g., healthcare experts, IT providers, or Affiliates) to support Services or administrative functions. Subcontractors sign Business Associate Agreements (BAAs) or other contracts ensuring PI protection and compliance with Applicable Law. Wellyfy conducts due diligence to verify Subcontractors' compliance. If a Subcontractor violates privacy obligations, Wellyfy will investigate, require corrective action, or terminate the agreement if feasible. Upon termination, Subcontractors must securely destroy or return PI.
6.5 International Data Transfers
PI is primarily stored on servers in the United States. If Services involve experts or Affiliates outside the U.S. (e.g., for specialist consultations), PI may be transferred internationally with Member consent and compliance with Applicable Law, including HIPAA and TDPSA safeguards for cross-border data transfers.
6.6 Legal and Public Policy Disclosures
PI may be disclosed as required by law, including:
- Public health reporting (e.g., disease exposure, child abuse).
- Health oversight activities.
- Judicial or administrative proceedings.
- Law enforcement requests.
- Health or safety purposes (e.g., preventing harm).
Such disclosures require Privacy Officer approval and must comply with Applicable Law.
6.7 Wearable Device and Health Platform Integrations
Wellyfy may allow users to connect wearable devices and third-party health platforms to import wellness and activity data into the Wellyfy platform. These integrations are optional and only occur when a user explicitly authorizes the connection.
Supported integrations may include, but are not limited to:
- Apple Health (Apple Inc.)
- Google Fit / Health Connect (Google LLC)
- Garmin Connect (Garmin Ltd.)
- Fitbit (Google LLC)
- Samsung Health (Samsung Electronics Co., Ltd.)
When a user connects one of these services, Wellyfy may access certain wellness and activity data made available by the user through that platform's APIs.
The types of data that may be accessed include:
- Activity metrics (steps, distance, calories burned, workouts)
- Heart rate and cardiovascular metrics
- Sleep and recovery data
- Vital signs such as blood pressure or oxygen saturation (when available)
- Other wellness metrics shared by the user through the connected platform
Wellyfy collects this information solely for the purpose of:
- Providing wellness tracking and health insights
- Supporting telehealth consultations with healthcare providers
- Enabling personalized health recommendations
- Improving the functionality of the Wellyfy platform
Access to wearable data is granted only with the user's explicit authorization through the respective platform's authentication process. Wellyfy does not access wearable data without the user's consent.
Users may revoke access to any wearable integration at any time by:
- Disconnecting the integration within their Wellyfy account settings, or
- Revoking Wellyfy's access through the respective platform (e.g., Apple Health, Google Fit, Garmin Connect, Fitbit, or Samsung Health).
Wellyfy does not sell or monetize wearable device data. All data received from these integrations is treated as Sensitive Personal Information and is protected under the same safeguards described in this Privacy Policy, including compliance with HIPAA, TDPSA, and other applicable laws.
Third-party platforms such as Apple, Google, Garmin, Fitbit, and Samsung operate independently and are not responsible for the privacy practices or operation of the Wellyfy platform. Users should review the privacy policies of these providers to understand how they manage data within their own systems.
6.7.1 Apple HealthKit Disclosure
Wellyfy integrates with Apple HealthKit to read and/or write health and fitness data on the user's device, only with the user's explicit permission. In accordance with Apple's requirements:
- Data obtained through HealthKit is not used for advertising, marketing, or sale to advertising platforms, data brokers, or information resellers.
- HealthKit data is not used to determine creditworthiness, insurance eligibility, or for any purpose other than providing health and wellness services within the Wellyfy platform.
- HealthKit data is not disclosed to third parties without the user's express consent, except where required to deliver core health services or as required by law.
- Wellyfy does not store HealthKit data in iCloud or any unsecured storage medium. All HealthKit data is encrypted in transit and at rest.
- Users may revoke Wellyfy's access to HealthKit data at any time through their device's Health app settings.
6.7.2 Google Fit / Health Connect Disclosure
Wellyfy integrates with Google Fit and Health Connect APIs to access user-authorized health and fitness data. In accordance with Google's Limited Use Requirements:
- Data retrieved through Google Fit or Health Connect APIs is used solely to provide and improve the health and wellness features within the Wellyfy platform.
- Wellyfy does not transfer Google Fit or Health Connect data to third parties except as necessary to provide or improve app features, to comply with applicable laws, or as part of a merger, acquisition, or asset sale with prior user notice.
- No human can read user data obtained from these APIs unless the user provides affirmative consent, it is necessary for security purposes, or it is required to comply with applicable law.
- All other transfers, uses, or sales of this data are prohibited, including the use of data for serving advertisements or determining creditworthiness.
- Wellyfy's use of Google Fit and Health Connect data complies with Google's API Services User Data Policy, including the Limited Use requirements.
6.7.3 Garmin Connect Data Clause
Wellyfy integrates with Garmin Connect to access wellness and activity data that users choose to share. In accordance with Garmin's developer requirements:
- Data obtained from Garmin Connect is used exclusively to provide health and wellness features within the Wellyfy platform.
- Wellyfy accesses Garmin Connect data only with the user's explicit authorization through the Garmin Connect OAuth process.
- Garmin Connect data is not sold, rented, or shared with third parties for marketing or advertising purposes.
- Users may revoke Wellyfy's access to Garmin Connect data at any time through their Garmin Connect account settings or within the Wellyfy app.
- Wellyfy stores Garmin Connect data with the same security safeguards applied to all Sensitive Personal Information, including encryption in transit and at rest.
6.7.4 Fitbit API Data Usage
Wellyfy integrates with the Fitbit Web API to access user-authorized health and fitness data. In accordance with Fitbit's developer terms and policies:
- Fitbit data accessed by Wellyfy is used solely for the limited purpose of providing health tracking, wellness insights, and telehealth-related features within the Wellyfy platform.
- Wellyfy does not use Fitbit data for advertising, marketing, or any purpose unrelated to the user's health and wellness experience.
- Fitbit data is not sold, licensed, or disclosed to third parties except as required to deliver core app functionality or as required by law.
- Users may disconnect their Fitbit account from Wellyfy at any time through their Wellyfy account settings or by revoking access in the Fitbit app.
- Wellyfy retains Fitbit data only for as long as necessary to provide the services described in this Privacy Policy, subject to the data retention periods outlined herein.
6.7.5 Samsung Health Disclosure
Wellyfy integrates with the Samsung Health SDK and platform to access wellness and health data that users choose to share. In accordance with Samsung's developer requirements:
- Samsung Health data is used exclusively to provide health tracking and wellness features within the Wellyfy platform.
- Wellyfy accesses Samsung Health data only after the user grants explicit permission through the Samsung Health authorization process.
- Samsung Health data is not shared with, sold to, or used by third parties for advertising, marketing, or profiling purposes.
- All Samsung Health data received by Wellyfy is encrypted in transit and at rest, and is treated as Sensitive Personal Information under this Privacy Policy.
- Users may revoke Wellyfy's access to Samsung Health data at any time by disconnecting the integration within their Wellyfy account settings or through the Samsung Health app.
7. Data Retention for Health and Wearable Data
Wellyfy retains personal health information and wearable device data in accordance with applicable legal requirements and the following retention practices:
- Health and medical records (including telehealth consultation records and PHI) are retained for a minimum of seven (7) years from the date of the last patient encounter, or as otherwise required by HIPAA, Texas state law, or other applicable regulations.
- Wearable and health platform data (e.g., data from Apple Health, Google Fit, Garmin Connect, Fitbit, Samsung Health) is retained for as long as the user's account is active and the integration remains connected, plus a reasonable period thereafter to support continuity of care.
- De-identified or anonymized data derived from wearable or health platform sources may be retained indefinitely for research, analytics, and platform improvement purposes, as it cannot be traced back to an individual user.
Upon account deletion or disconnection of a wearable integration, Wellyfy will delete or de-identify the associated wearable data within ninety (90) days, unless retention is required by law or necessary for legitimate healthcare purposes.
Users may request deletion of their data at any time by contacting support@thehealthlync.com. Deletion requests are honored in accordance with HIPAA, TDPSA, and other applicable regulations, which may require certain records to be retained for specified periods.
8. Third-Party API Disclosure
Wellyfy uses third-party application programming interfaces (APIs) to provide certain features and services within the platform. These integrations are subject to the data practices described in this Privacy Policy and the specific terms of each third-party provider.
The third-party APIs used by Wellyfy include, but are not limited to:
- Apple HealthKit API: for reading and writing health and fitness data on Apple devices, subject to Apple's HealthKit guidelines and the disclosures in Section 6.7.1.
- Google Fit / Health Connect API: for accessing user-authorized health and fitness data on Android devices, subject to Google's API Services User Data Policy (including Limited Use requirements) and the disclosures in Section 6.7.2.
- Garmin Connect API: for importing wellness and activity data from Garmin devices, subject to Garmin's developer terms and the disclosures in Section 6.7.3.
- Fitbit Web API: for accessing user-authorized health and fitness data from Fitbit devices, subject to Fitbit's developer terms and the disclosures in Section 6.7.4.
- Samsung Health SDK: for accessing wellness and health data from Samsung devices, subject to Samsung's developer terms and the disclosures in Section 6.7.5.
Wellyfy accesses data through these APIs only with the user's explicit consent. Data obtained from third-party APIs is used solely to provide and improve the health and wellness features of the Wellyfy platform. Wellyfy does not use data obtained from these APIs for purposes unrelated to the user's health and wellness experience, including but not limited to advertising, data brokering, or credit determination.
Wellyfy complies with each API provider's developer policies, data use restrictions, and limited use requirements. In the event of any conflict between this Privacy Policy and a third-party API provider's requirements, the more restrictive standard shall apply.
9. AI Transparency
Wellyfy uses artificial intelligence (AI) technologies, including Gemini (Google LLC) and Claude (Anthropic PBC), to enhance the quality and accessibility of its health and wellness services. Wellyfy is committed to transparency regarding how AI is used within the platform.
9.1 How AI Is Used
AI technologies within Wellyfy may be used for the following purposes:
- Analyzing health data (including wearable device data) to provide personalized wellness insights and recommendations.
- Supporting healthcare providers with clinical decision-support tools during telehealth consultations.
- Processing and interpreting health metrics such as heart rate, sleep patterns, activity levels, and vital signs.
- Facilitating conversational health interactions through Wellyfy's AI platform.
- Identifying trends and patterns in anonymized health data to improve platform features.
9.2 AI and Health Data
- AI-generated insights are intended to support, not replace, professional medical judgment. All clinical decisions remain with licensed healthcare providers.
- Health data processed by AI systems is subject to the same privacy and security protections described throughout this Privacy Policy, including HIPAA and TDPSA compliance.
- Wearable device data used by AI models is processed only with the user's consent and in accordance with the platform-specific disclosures in Section 6.7.
9.3 AI Training Data
- Wellyfy may use de-identified and anonymized data to train and improve AI models, as described in Section 6.2.
- Identifiable health data is never used for AI training without the user's explicit written authorization.
- Anonymized data used for AI training cannot be re-identified or linked back to any individual user.
10. User Consent for Health Data
Wellyfy is committed to ensuring that users maintain full control over their personal health data. The collection, use, and sharing of health data, including data from wearable devices and third-party health platforms, occurs only with the user's informed and explicit consent.
10.1 How Consent Is Obtained
- Users are presented with clear, plain-language explanations of what data will be collected, how it will be used, and with whom it may be shared before any health data is accessed.
- For wearable device integrations, consent is obtained through the respective platform's authorization flow (e.g., Apple Health permissions dialog, Google Fit consent screen, Garmin Connect OAuth, Fitbit authorization, Samsung Health permissions).
- Separate, specific consent is obtained before using any identifiable health data for purposes beyond direct care delivery, such as AI training or research.
10.2 Withdrawing Consent
Users may withdraw consent for health data collection at any time by:
- Disconnecting wearable integrations within their Wellyfy account settings.
- Revoking permissions through the respective health platform's settings (e.g., Apple Health, Google Fit, Garmin Connect, Fitbit, Samsung Health).
- Contacting Wellyfy at support@thehealthlync.com to request cessation of data processing.
- Deleting their Wellyfy account, which will trigger deletion of associated health data in accordance with Section 7 of this Privacy Policy.
Withdrawal of consent does not affect the lawfulness of data processing conducted prior to the withdrawal. Certain data may be retained as required by HIPAA, TDPSA, or other applicable law, as described in Section 7.
10.3 Consent for Minors
For users under the age of 18, health data consent must be provided by a parent or legal guardian. Wellyfy does not knowingly collect health data from minors without verifiable parental consent.
11. Medical Disclaimer
The information, insights, and recommendations provided through the Wellyfy platform, including those generated by artificial intelligence technologies, are intended for informational and supportive purposes only.
Wellyfy does not provide medical diagnoses, medical treatment, or emergency medical services through automated systems. Any health-related insights or wellness recommendations generated by the platform should not be considered a substitute for professional medical advice, diagnosis, or treatment.
Users should always seek the advice of a licensed physician or qualified healthcare provider regarding any medical condition or treatment decisions.
If a user believes they may be experiencing a medical emergency, they should immediately contact emergency services or visit the nearest emergency medical facility.
Healthcare decisions made through the Wellyfy platform are the responsibility of licensed healthcare providers and the patient.
11.1 Role of the Wellyfy Platform
Wellyfy provides a technology platform that enables users to connect with licensed healthcare professionals for telehealth consultations and related services.
Wellyfy itself does not provide medical care and does not replace the professional judgment of healthcare providers. Healthcare services offered through the platform are delivered by independent licensed physicians, psychologists, or other qualified healthcare professionals.
Wellyfy is not responsible for medical advice, diagnosis, or treatment provided by healthcare professionals using the platform.
11.2 Accuracy of Health Data
Health information collected through wearable devices, connected health platforms, or user-reported inputs may not always be accurate or complete.
Wellyfy does not guarantee the accuracy, reliability, or medical validity of data obtained from wearable devices, third-party health platforms, or user inputs.
Users and healthcare providers should independently verify health information before making medical decisions.
12. Authorizations
Uses or disclosures of PI beyond those outlined require written Member authorization, particularly for collecting medical records from third parties or using PI for AI training (prior to anonymization), per HIPAA.
13. Minimum Necessary Standard
Wellyfy limits PI use, disclosure, or requests to the minimum necessary to achieve the intended purpose, as required by HIPAA and TDPSA.
14. Verification
Before disclosing PI, Wellyfy verifies the identity and authority of the requestor (e.g., via questions or ID documents), unless the requestor is known to us.
15. Sale of Personal Information
Wellyfy does not sell PI or receive remuneration for PI disclosures, in compliance with TDPSA and HIPAA.
16. Security of Personal Information
Wellyfy maintains a comprehensive, enterprise-grade security program designed to protect PI and Sensitive Personal Information against unauthorized access, disclosure, alteration, and destruction. Our security practices meet or exceed the requirements of HIPAA, TDPSA, and industry best practices.
16.1 Administrative Safeguards
- Designated Security Officer and Privacy Officer responsible for oversight of the security program.
- Mandatory privacy and security training for all employees, contractors, and Subcontractors upon hire and annually thereafter.
- Role-based access controls (RBAC) ensuring personnel access only the minimum PI necessary for their job functions.
- Background checks for all personnel with access to PHI or Sensitive Personal Information.
- Documented incident response and breach notification procedures.
- Regular risk assessments and security audits conducted at least annually.
16.2 Technical Safeguards
- Encryption of all data in transit using TLS 1.2 or higher.
- Encryption of all data at rest using AES-256 or equivalent standards.
- Multi-factor authentication (MFA) required for all administrative and clinical access.
- Automatic session timeouts and secure session management.
- Intrusion detection and prevention systems (IDS/IPS).
- Continuous monitoring and logging of all access to PI and PHI, with audit trails retained for a minimum of six (6) years.
- Secure software development lifecycle (SDLC) practices, including code reviews and vulnerability testing.
- Regular penetration testing and vulnerability scanning.
16.3 Physical Safeguards
- Data hosted in SOC 2 Type II-certified and HIPAA-compliant data centers within the United States.
- Physical access controls, surveillance, and environmental protections at all data center facilities.
- Secure disposal and destruction of physical and electronic media containing PI.
16.4 Business Continuity
- Disaster recovery and business continuity plans tested at least annually.
- Geographically redundant data backups with encryption.
- Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical systems.
Wellyfy retains PI for the minimum period required by law (e.g., 7 years for HIPAA-covered records in Texas, or as required by other applicable regulations). Upon expiration of required retention periods, PI is securely destroyed using NIST-approved methods.
17. Member Rights
Wellyfy respects the rights of all Members under HIPAA, TDPSA, and other Applicable Law. Members may exercise the following rights by contacting the Privacy Officer at support@thehealthlync.com.
17.1 Right of Access
Members have the right to request access to their PI, including PHI, in a designated record set. Wellyfy will respond to access requests within thirty (30) days, as required by HIPAA. Members may request their records in electronic format where available.
17.2 Right to Amendment
Members may request amendments to their PI if they believe the information is inaccurate or incomplete. Requests must be submitted in writing. Wellyfy will respond within sixty (60) days and will provide a written explanation if the request is denied.
17.3 Right to an Accounting of Disclosures
Members have the right to request an accounting of certain disclosures of their PHI made by Wellyfy during the six (6) years prior to the request, as required by HIPAA. This accounting includes disclosures made for purposes other than treatment, payment, or healthcare operations.
17.4 Right to Request Restrictions
Members may request restrictions on the use or disclosure of their PHI for treatment, payment, or healthcare operations. While Wellyfy is not required to agree to all requested restrictions, we will honor any restriction agreed upon. Wellyfy is required to comply with a request to restrict disclosure to a health plan when the disclosure relates to services for which the Member has paid out of pocket in full.
17.5 Right to Confidential Communications
Members may request that Wellyfy communicate with them about their health information through alternative means or at alternative locations (e.g., sending correspondence to a specific address or using a specific phone number). Wellyfy will accommodate reasonable requests.
17.6 Right to Data Portability
Members have the right to receive a copy of their PI in a commonly used, machine-readable format, and to request that Wellyfy transmit that data directly to another entity where technically feasible. This right applies to data collected with consent or through the performance of Services, in accordance with TDPSA and HIPAA requirements.
17.7 Opt-Out and Data Deletion
Under TDPSA, Members may opt out of targeted advertising, data sales, or profiling. Deletion requests are honored unless retention is required by law (e.g., HIPAA record retention). Wellyfy will respond to deletion requests within forty-five (45) days. Wellyfy does not discriminate against Members who exercise their privacy rights.
17.8 Right to Revoke Authorization
Members may revoke any previously granted authorization for the use or disclosure of their PHI at any time by submitting a written request. Revocation does not apply to uses or disclosures made in reliance on the authorization before it was revoked.
17.9 Right to a Copy of This Notice
Members have the right to obtain a paper or electronic copy of this Privacy Policy at any time by contacting Wellyfy or visiting the Wellyfy platform.
17.10 Complaints and Questions
Members may submit privacy-related complaints or questions to:
Email: support@thehealthlync.com
Mail: Health Lync LLC, 9817 Llano Estacado Ln, Austin, TX 78759
Members may also file a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights if they believe their privacy rights have been violated. Wellyfy will not retaliate against any Member who files a complaint.
Complaints are reviewed by the Privacy Officer, with anonymized cases forwarded to privacy-incident@thehealthlync.com for investigation.
18. Incident Response and Breach Notification
Employees must report potential unauthorized PI uses or disclosures ("Privacy Incidents") to support@thehealthlync.com. Reports must be anonymized by removing identifiers (e.g., name, ID, DOB). The Privacy Officer will investigate, document, and determine if notification to Members or regulators is required.
18.1 Breach Notification to Members
In the event of a breach of unsecured PHI, Wellyfy will notify affected Members without unreasonable delay and no later than sixty (60) days following discovery of the breach, as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414). Notification will include:
- A description of the breach, including the date(s) of the breach and date of discovery.
- The types of PI or PHI involved.
- Steps Members should take to protect themselves.
- A description of actions Wellyfy is taking to investigate, mitigate harm, and prevent future breaches.
- Contact information for Members to ask questions or obtain additional information.
18.2 Regulatory Notification
- Breaches affecting 500 or more individuals will be reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights and to prominent media outlets serving the affected area, as required by HIPAA.
- Breaches affecting fewer than 500 individuals will be logged and reported to HHS annually.
- Breaches involving Texas residents will be reported to the Texas Attorney General as required under TDPSA and the Texas Identity Theft Enforcement and Protection Act.
18.3 Subcontractor Breach Obligations
Subcontractors and Business Associates are contractually required to report any suspected or confirmed breach of PI or PHI to Wellyfy within twenty-four (24) hours of discovery. Failure to comply may result in termination of the business relationship.
19. Policy Exceptions
Exceptions are reviewed case-by-case by the Privacy Officer in consultation with legal counsel.
20. Enforcement
Non-compliance by employees or Subcontractors may result in disciplinary action, up to and including termination.
21. Telehealth Session Privacy
Wellyfy provides telehealth services that enable Members to consult with licensed healthcare providers remotely. The following practices apply to the privacy of telehealth sessions:
- Telehealth consultations are conducted over encrypted communication channels using TLS 1.2 or higher.
- Video, audio, and text communications during telehealth sessions are not recorded by Wellyfy unless the Member provides explicit consent prior to recording. If recording occurs, Members are notified and may opt out.
- Clinical notes, prescriptions, and consultation summaries generated during telehealth encounters are treated as PHI and are subject to all protections described in this Privacy Policy.
- Telehealth session data is stored in HIPAA-compliant systems and is accessible only to the treating healthcare provider, the Member, and authorized Wellyfy personnel with a legitimate need for access.
- Members are advised to conduct telehealth sessions in a private setting to protect the confidentiality of their health information.
22. Cookies and Tracking Technologies
Wellyfy uses cookies and similar technologies to operate, secure, and improve the platform. This section describes how these technologies are used.
22.1 Types of Cookies and Technologies Used
- Strictly Necessary Cookies: Required for platform functionality, including authentication, session management, and security. These cannot be disabled.
- Performance and Analytics Cookies: Help us understand how users interact with the platform, which pages are visited most frequently, and how the platform can be improved. Analytics data is aggregated and de-identified.
- Functional Cookies: Enable enhanced features such as language preferences, accessibility settings, and remembered user choices.
22.2 Technologies Not Used
- Wellyfy does not use advertising or retargeting cookies.
- Wellyfy does not use tracking pixels or web beacons for advertising purposes.
- Wellyfy does not share cookie data with advertising networks or data brokers.
22.3 Mobile Application
The Wellyfy mobile application uses mobile analytics SDKs (e.g., Firebase Analytics, Crashlytics) solely for app performance monitoring and crash reporting. These SDKs collect de-identified device and usage data. No health data or PHI is transmitted to analytics providers.
22.4 Managing Cookies
Users may control cookies through their browser or device settings. Disabling certain cookies may affect platform functionality. For the mobile application, users may control data collection through device-level privacy settings (e.g., "Limit Ad Tracking" on iOS, "Opt out of Ads Personalization" on Android).
22.5 Do Not Track
Wellyfy honors Do Not Track (DNT) signals sent by web browsers. When a DNT signal is detected, Wellyfy will not engage in tracking activity beyond what is strictly necessary for platform functionality.
23. Children's Privacy
Wellyfy's Services are not directed to children under the age of thirteen (13). Wellyfy does not knowingly collect Personal Information from children under 13 without verifiable parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA).
For users between the ages of 13 and 17, health data consent must be provided by a parent or legal guardian, as described in Section 10.3. Telehealth services for minors require the involvement of a parent or legal guardian in accordance with applicable state law.
If Wellyfy becomes aware that it has inadvertently collected PI from a child under 13 without verifiable parental consent, Wellyfy will take immediate steps to delete that information from its systems. Parents or guardians who believe their child's information has been collected without consent should contact Wellyfy at support@thehealthlync.com.
24. Biometric Data
Wellyfy may collect or process biometric data in connection with certain features of the platform. Biometric data is afforded heightened protection under this Privacy Policy and applicable law, including the Texas Capture or Use of Biometric Identifier Act (Texas Bus. & Com. Code § 503.001).
24.1 Types of Biometric Data
- Voice patterns used during telehealth consultations (if voice recognition features are enabled).
- Facial geometry used for identity verification (if facial recognition features are enabled).
- Fingerprint data used for device-level authentication (processed locally on the user's device; not transmitted to Wellyfy servers).
- Physiological biometrics obtained through wearable devices (e.g., heart rate variability, blood oxygen levels) as described in Section 6.7.
24.2 Consent and Use
- Wellyfy obtains informed consent before collecting biometric data, and provides notice of the specific purpose and duration of collection.
- Biometric data is used solely for the purposes disclosed at the time of collection (e.g., identity verification, health monitoring).
- Biometric data is not sold, leased, or otherwise disclosed to third parties except as required to provide Services or as required by law.
24.3 Retention and Destruction
Biometric data is retained only for as long as necessary to fulfill the purpose for which it was collected, or for a maximum of three (3) years from the last interaction with the user, whichever is shorter. Upon expiration of the retention period, biometric data is permanently destroyed using secure methods.
25. Communications and Notifications
Wellyfy may communicate with Members through the following channels:
25.1 Transactional Communications
These are necessary for the operation of Services and cannot be opted out of. They include:
- Account verification and security alerts.
- Appointment confirmations and reminders.
- Prescription and care-related notifications.
- Privacy Policy and Terms of Service updates.
- Breach notification communications.
25.2 Health and Wellness Communications
With the user's consent, Wellyfy may send:
- Personalized health insights and wellness recommendations.
- Eligibility notifications for Services.
- Health-related educational content.
25.3 Push Notifications
The Wellyfy mobile application may send push notifications for appointment reminders, health alerts, and wellness updates. Users may enable or disable push notifications at any time through their device settings. Disabling push notifications does not affect the delivery of transactional communications via email or in-app messaging.
25.4 Opting Out
Members may opt out of non-essential communications at any time by adjusting their notification preferences within their Wellyfy account settings, using the unsubscribe mechanism in email communications, or contacting support@thehealthlync.com.
26. California Privacy Rights
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), to the extent they apply to information not otherwise governed by HIPAA. These rights include:
- The right to know what PI is collected, used, shared, or sold.
- The right to delete PI held by Wellyfy, subject to certain exceptions.
- The right to opt out of the sale or sharing of PI. Wellyfy does not sell PI.
- The right to non-discrimination for exercising privacy rights.
- The right to correct inaccurate PI.
- The right to limit the use and disclosure of Sensitive Personal Information to purposes necessary to provide Services.
To exercise these rights, California residents may contact Wellyfy at support@thehealthlync.com. Wellyfy will verify the identity of the requestor before processing the request and will respond within forty-five (45) days.
Note: Health information collected and maintained as part of a HIPAA-covered transaction is exempt from CCPA/CPRA. This section applies only to PI that is not otherwise protected under HIPAA.
27. Changes to This Privacy Policy
Wellyfy reserves the right to update or modify this Privacy Policy at any time to reflect changes in our practices, Services, legal requirements, or regulatory guidance.
- Material changes to this Privacy Policy will be communicated to Members via email, in-app notification, or a prominent notice on the Wellyfy platform at least thirty (30) days prior to the changes taking effect.
- The "Effective Date" at the top of this Privacy Policy will be updated to reflect the date of the most recent revision.
- Continued use of the Wellyfy platform after the effective date of changes constitutes acceptance of the updated Privacy Policy.
- Members who do not agree with the updated Privacy Policy may discontinue use of the Services and request deletion of their data in accordance with Section 17.7.
Previous versions of this Privacy Policy are available upon request by contacting support@thehealthlync.com.
28. Governing Law and Jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of the State of Texas and applicable federal laws of the United States, including HIPAA, TDPSA, COPPA, and other relevant regulations.
Any disputes arising from or related to this Privacy Policy or Wellyfy's data practices shall be subject to the exclusive jurisdiction of the state and federal courts located in Travis County, Texas.
If any provision of this Privacy Policy is found to be unenforceable or invalid by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect.
29. Contact Information
For questions, complaints, or to exercise rights:
Email: support@thehealthlync.com
Mail: Health Lync LLC, 1605 Dungan Ln, A11, Austin, TX 78754