Home » Consumer Health Data Privacy Policy
Last updated: July 9, 2026
This Consumer Health Data Privacy Policy (this “Policy”) supplements the Welltory Privacy Policy and describes how Welltory Inc. (“Welltory,” “we,” “us,” or “our”) collects, uses, and discloses personal information that qualifies as “consumer health data” under applicable state law.
Who this Policy applies to. This Policy applies to residents of Washington State and Nevada – and to any person whose consumer health data is collected in Washington State or Nevada – In connection with their use of the Welltory app, website, and related services (the “Services”).
Changes. We may update this Policy from time to time. This Policy is effective as of the "Last updated" date shown above. If we make a material change, we will revise the date above and notify you through the Welltory app or by email before the change takes effect. Non-material updates (such as clarifications or corrections) will be reflected by updating the date without separate notice.
“Consumer health data” means personal information that is linked or reasonably linkable to you and that identifies – or could be used to identify – your past, present, or future physical or mental health status. This includes information you provide directly, information we collect automatically, and health-related information we may infer from other data you share with us.
This Policy covers only personal information that qualifies as consumer health data. For a full description of all personal information we collect and process, please see our Privacy Policy.
Depending on how you use our Services and which integrations you choose to connect, we may collect the following categories of consumer health data:
Vital signs and cardiovascular data — such as heart rate, heart rate variability, blood pressure, blood oxygen saturation, ECG readings, and respiratory rate;
Heart rate zone data — such as time spent in resting, fat burn, cardio, and peak zones;
Body composition and physical measurements — such as weight, height, BMI, and body fat percentage;
Physical activity data — such as steps, workouts, distance, GPS coordinates for outdoor activities, and recovery metrics;
Sleep data — such as sleep duration, sleep stages, and sleep quality metrics;
Mental and emotional health data — such as mood, stress, energy levels, and self-assessments, including any mental health conditions you choose to disclose;
Reproductive and sexual health data — such as menstrual cycle, ovulation, pregnancy, and basal body temperature, including any related health conditions you choose to disclose. This category is only collected if you enable the relevant features;
Nutrition and hydration data — such as caloric intake, macronutrients, micronutrients, and water intake;
Self-reported medical conditions, diagnoses, symptoms, and medications — any medical information you choose to enter;
Biochemical markers — such as blood glucose, cholesterol, or HbA1c, where synced from a connected platform;
Environmental and contextual health data — such as environmental sound levels, air quality, time in daylight, and weather conditions, where these may indicate or affect your health status;
Health information in voice input transcripts — text transcripts and tags from voice entries you choose to make. Audio is not stored;
Health context data for AI features — limited wellness information (such as age group, gender, height, weight, and selected metrics) transmitted when you use Megan (AI Support Bot) or AI Coach. Strong identifiers such as your name and email are not shared;
Inferred health data — health-related inferences we derive from other data you provide, such as inferring your BMI from height and weight, or inferring wellbeing patterns from activity data.
We collect and use consumer health data for the following purposes:
To provide the Services. We process your consumer health data to deliver personalized wellness insights, visualize your health trends over time, power in-app features you have enabled, and help you understand and improve your wellbeing.
To power AI features. When you use Megan or AI Coach, we transmit limited health context to AI model providers to generate responses. This data is used solely to respond to your query and for no other purpose.
Customer support. To respond to your questions, requests, and support tickets.
Security, fraud prevention, and legal compliance. To detect, investigate, and prevent security incidents and fraudulent or illegal activity, and to comply with our legal obligations.
Analytics and product improvement. To understand how the Services are used and improve their performance, using aggregated or de-identified data. Raw health metric data is not transmitted to analytics providers.
Research and de-identification. To aggregate and anonymize data for internal research, statistics, and development.
How your data is processed. Consumer health data is stored in encrypted cloud infrastructure (Amazon Web Services). It is transmitted to our service providers via encrypted API connections. Data entered manually or synced from connected platforms is processed on our servers to generate insights and is not processed on your device beyond the initial sync. For AI-powered features, we send only the health context reasonably necessary to generate the requested response. Our AI model providers process this data as service providers/processors under contractual restrictions and are not permitted to use it to train or improve their models. Provider-side retention depends on the applicable provider, feature, and data-retention configuration, and may include limited retention for security, abuse prevention, legal compliance, or service-operation purposes.
All consumer health data processing is based on your explicit consent, except where processing is necessary to provide a service you have requested, to comply with a legal obligation, or to protect against fraud or security threats. You can withdraw your consent at any time — see the Your rights section below.
We collect consumer health data from the following sources:
Directly from you — information you enter manually, including measurements, notes, self-assessments, symptom logs, and voice entries;
Automatically through your use of the Services — camera-based heart rate and HRV readings (PPG measurements) that you initiate;
Health platform integrations you authorize — Apple HealthKit, Google Health Connect, Google Fit, and Samsung Health;
Wearable device integrations you authorize — Apple Watch, Fitbit, Pixel Watch, Samsung Watch, Whoop, Oura Ring, Garmin Connect, Withings Health Mate, and other compatible devices;
Third-party app integrations you authorize — Strava, AccuWeather, RescueTime, Netatmo, and other apps you choose to connect;
Inferences — health-related data we derive or extrapolate from other information you provide through the Services.
We do not sell your consumer health data. We do not share consumer health data for cross-context behavioral advertising or targeted marketing.
We disclose consumer health data only in the following circumstances:
Service providers (processors). We share consumer health data with companies that process it on our behalf under binding contracts that restrict its use to the specified purpose. These may include, where applicable: cloud infrastructure, hosting, and backend providers, such as Amazon Web Services (AWS) and Firebase Cloud Firestore (Google LLC); AI and machine-learning service providers, such as OpenAI API (OpenAI, L.L.C.) and Google ML Kit (Google LLC); analytics, attribution, observability, and crash/error reporting providers, such as Amplitude Analytics (Amplitude Inc.), AppsFlyer (AppsFlyer Ltd.), Google Analytics for Firebase (Google LLC), Kibana / Elasticsearch, Inc., Crashlytics (Google LLC), and Sentry (Functional Software, Inc.); customer support, messaging, email, push notification, and survey providers, such as Intercom (Intercom Inc.), GetResponse (GetResponse S.A.), Postmark (AC PM, LLC), ZeroBounce (Hertza L.L.C.), Firebase Notifications / Firebase Cloud Messaging (Google LLC), and Typeform (TYPEFORM S.L.); and content delivery, performance, and security providers, such as Cloudflare (Cloudflare Inc.).
Third-party platforms you connect. When you authorize an integration, we send and receive data with that platform in accordance with your instructions. Each connected platform processes your data under its own privacy policy.
Legal requirements. We may disclose consumer health data when required by law or valid legal process, or to protect the safety and security of our Services and users.
Business transactions. In connection with a merger, acquisition, or sale of assets, consumer health data may be transferred to the acquiring party under obligations consistent with this Policy.
Affiliates. Welltory Inc. is the sole data controller. We currently have no corporate affiliates with whom we share consumer health data.
Third-party collection across websites and services. We do not permit third parties to collect consumer health data through our Services for use across unrelated websites or services.
If you are a resident of Washington or Nevada, you have the following rights with respect to your consumer health data:
Right to confirm and access. You may confirm whether we collect, share, or sell your consumer health data, and request a copy of it — including a list of the third parties we have shared it with and a valid email address or equivalent online contact mechanism for each of them.
Right to withdraw consent and cease collection. You may withdraw your consent and ask us to stop collecting your consumer health data at any time. Because health data processing is core to the Welltory Services, this will result in account deletion.
Right to cease sharing. You may ask us to stop sharing your consumer health data with third parties. Where sharing is necessary to deliver a feature or integration you have enabled, you can stop it by disconnecting the relevant integration or disabling the feature. Sharing with service providers that is necessary to operate the Services cannot be stopped without deleting your account.
Right to deletion. You may request that we delete your consumer health data.
Right to review and request corrections. You may request access to your consumer health data to review it and ask us to correct information that is inaccurate.
Right not to be discriminated against. We will not treat you differently for exercising any of the rights described here.
How to submit a request. You may exercise any of the rights above by contacting us at [email protected].
We will respond to your request within 45 days of receipt (or, where identity verification is required, within 45 days of successful authentication). We may extend this period by an additional 45 days when reasonably necessary — we will notify you of any extension within the initial 45-day period, together with the reason. Responses are free of charge up to twice a year. We may charge a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive.
How to appeal. If we decline your request, you may appeal using the same channels above. We will respond in writing within 45 days. If your appeal is denied, you may contact:
Washington State Attorney General: atg.wa.gov/file-complaint
Nevada Attorney General: ag.nv.gov/complaints/
If you have questions about this Policy or your consumer health data, please contact us:
Welltory Inc.
541 Jefferson Avenue, Suite 100
Redwood City, CA 94063, USA
Email: [email protected]