← Back to home

Privacy Policy

Last updated: June 1, 2026

1. Data Controller

Wellaryn Technologies ("Wellaryn", "we", "us") is the data controller responsible for processing your personal data.

Contact for privacy inquiries:
Email: privacy@wellaryn.com
Website: https://wellaryn.com

2. What Data We Collect

We collect the following categories of data:

Account Data:
• Name, email address, password (hashed)
• Sport, role (athlete/coach/doctor)
• Age, weight, height (optional, for algorithm calibration)
• Sleep need preference

Biometric and Health Data (sensitive personal data):
• Heart Rate Variability (HRV/rMSSD) — from connected wearable
• Resting Heart Rate (RHR) — from connected wearable
• Sleep data: total duration, sleep stages (deep, REM, light), sleep efficiency — from connected wearable
• Training load: session RPE (1-10) × duration — user-reported
• Steps and calories — from connected wearable
• Subjective stress and mood — user-reported (optional)

Derived Data (calculated by Wellaryn):
• Wellaryn Score (0-100)
• ACWR (Acute:Chronic Workload Ratio)
• Personal baselines (rolling averages of HRV, RHR, sleep)
• Qualitative risk levels
• Personalized recommendations

Technical Data:
• Device type, operating system, browser
• IP address (anonymized after 30 days)
• Usage analytics (pages visited, features used)

3. Why We Collect This Data (Purpose)

Your data is processed exclusively for the following purposes:

- Primary: To calculate your Wellaryn Score, generate personalized training recommendations, and track your wellness trends over time
Calibration: To establish your personal baselines (HRV, RHR, sleep) against which daily variations are measured — your data is NEVER compared against other users
Product improvement: To improve the accuracy of our algorithms based on aggregated, anonymized usage patterns
Communication: To send you account-related notifications and, with your separate consent, product updates
Legal compliance: To fulfill our obligations under applicable data protection laws

We do NOT:
• Sell your personal data to third parties — ever
• Use your health data for advertising or marketing profiling
• Share identifiable health data with insurers, employers, or any third party without your explicit consent
• Use your data for purposes other than those stated above

4. Legal Basis for Processing

Under Mexican law (LFPDPPP): Biometric and health data are classified as sensitive personal data (datos personales sensibles). We process this data based on your express written consent, which you provide during the onboarding flow before any health data is collected.

Under GDPR (if applicable): Health data is "special category data" under Article 9. We process it based on your explicit consent (Article 9(2)(a)).

You may withdraw your consent at any time (see Section 8 — Your Rights).

5. How We Store and Protect Your Data

Encryption:
• All data is encrypted in transit using TLS 1.3
• All data is encrypted at rest using AES-256
• Passwords are hashed using bcrypt with salt

Access control:
• Health data is isolated per user using row-level security policies
• Only authorized personnel with a legitimate need can access user data
• All access is logged and auditable

Infrastructure:
• Data is stored on secure, SOC 2 compliant cloud infrastructure
• Regular automated backups with encryption
• No health data is ever transmitted via URL parameters

Data minimization:
• We only collect data strictly necessary for the Service's functionality
• Raw wearable data is processed into daily summaries; raw sensor streams are not stored permanently

6. Data Retention

- Active accounts: Your data is retained for as long as your account is active
Account deletion: Upon account deletion, all personal and health data is permanently deleted within 30 days, except where retention is required by law
Anonymized data: Aggregated, anonymized data (which cannot identify you) may be retained indefinitely for research and product improvement
Beta program data: If you participated in the beta, anonymized research data may be retained per the informed consent you signed
Backups: Encrypted backups containing your data are automatically purged within 90 days of account deletion

7. Third-Party Services

We integrate with the following third-party services:

Wearable Providers (when you connect a device):
• Oura Ring (Oura Health Oy) — to receive HRV, sleep, and activity data
• WHOOP (WHOOP, Inc.) — to receive recovery, strain, and sleep data
• Apple HealthKit — on-device only, data read locally on your iPhone

These integrations use OAuth 2.0, meaning we never see or store your wearable account password. You can disconnect any device at any time.

Infrastructure Providers:
• Cloud hosting: data processed and stored securely
• Authentication: secure sign-in services

We require all third-party processors to maintain appropriate security measures and to process your data only on our instructions.

8. Your Rights (Derechos ARCO)

Under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) of Mexico, you have the following rights:

A — Acceso (Access):
You have the right to know what personal data we hold about you, how it was obtained, and for what purpose it is used. You may request a copy of your data at any time.

R — Rectificación (Rectification):
You have the right to request correction of your personal data if it is inaccurate or incomplete.

C — Cancelación (Cancellation/Deletion):
You have the right to request the deletion of your personal data when:
• It is no longer necessary for the purposes for which it was collected
• You withdraw your consent
• You believe it has been processed unlawfully

O — Oposición (Opposition):
You have the right to oppose the processing of your personal data for specific purposes, such as marketing communications.

How to exercise your ARCO rights:
1. Send an email to privacy@wellaryn.com with the subject line "ARCO Request"
2. Include: your full name, email associated with your account, which right(s) you wish to exercise, and a description of your request
3. Attach a copy of an official ID for identity verification
4. We will respond within 20 business days of receiving your complete request
5. If your request is granted, changes will take effect within 15 business days

Additional rights:
Withdraw consent: You may withdraw your consent for health data processing at any time via account settings or by contacting us. This will limit certain features that depend on biometric data.
Data portability: You may request an export of your data in a machine-readable format (JSON/CSV)
Complaint: If you believe your data protection rights have been violated, you may file a complaint with the Secretaría Anticorrupción y Buen Gobierno (formerly INAI), the authority currently responsible for data protection oversight in Mexico.

9. Consent for Health Data

Before we collect any biometric or health data, you will be asked to provide express consent through a dedicated consent screen during onboarding. This consent is:

- Specific: Separate from the general Terms of Service
Informed: We explain exactly what data we collect and why
Freely given: You may use limited features of Wellaryn without connecting health data
Withdrawable: You may revoke consent at any time via account settings
Documented: We maintain a record of when and how you consented

For beta program participants, an additional informed consent form is presented that covers the use of your anonymized data for product validation research.

10. International Data Transfers

Your data may be processed on servers located outside of Mexico. In such cases, we ensure that:
• Appropriate safeguards are in place (standard contractual clauses or equivalent mechanisms)
• The receiving country provides an adequate level of data protection
• Transfers comply with Chapter V of the LFPDPPP and, where applicable, Chapter V of the GDPR

11. Children

Wellaryn is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@wellaryn.com.

12. Cookies and Analytics

We use essential cookies for authentication and session management. We may use anonymized analytics to understand how the Service is used. We do not use tracking cookies for advertising. You may control cookie preferences through your browser settings.

13. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email and/or in-app notification at least 15 days before taking effect. The "Last updated" date at the top of this page indicates the most recent revision. Continued use of the Service after changes take effect constitutes acceptance.

14. Contact

For questions, ARCO requests, or data protection inquiries:

Privacy Officer
Email: privacy@wellaryn.com
Website: https://wellaryn.com

Regulatory Authority (Mexico):
Secretaría Anticorrupción y Buen Gobierno
(Authority currently responsible for personal data protection oversight)