Privacy Policy
Effective Date: November 24, 2025
Last Updated: November 24, 2025
1. Introduction
Well.Inc LLC ("WELL," "we," "us," or "our") is committed to protecting the privacy and security of your personal information and protected health information (PHI). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our telehealth platform and services, including our website, mobile applications, and patient portal (collectively, the "Services").
By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.
Important: This Privacy Policy applies to information collected through our platform. Your medical information is also protected by our Notice of Privacy Practices (HIPAA Notice), which is provided separately and governs how we use and disclose your protected health information.
2. HIPAA Compliance and Covered Entity Status
WELL operates as a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and complies with all applicable HIPAA Privacy and Security Rules. We are committed to protecting your protected health information (PHI) in accordance with federal and state privacy laws.
Your PHI is subject to the protections outlined in our Notice of Privacy Practices, which is available upon request and provided during your initial enrollment. This Privacy Policy supplements our HIPAA Notice of Privacy Practices.
Your HIPAA Rights Include:
- The right to access and obtain a copy of your medical records
- The right to request corrections to your PHI
- The right to receive an accounting of disclosures of your PHI
- The right to request restrictions on certain uses and disclosures
- The right to request confidential communications
- The right to file a complaint if you believe your privacy rights have been violated
To exercise any of these rights or to request a copy of our Notice of Privacy Practices, please contact our Privacy Officer at privacy@well.inc.
3. Information We Collect
3.1 Protected Health Information (PHI)
We collect protected health information necessary to provide you with quality telehealth services, including:
- Demographic Information: Full legal name, date of birth, gender, address, phone number, email address
- Medical History: Current and past medical conditions, allergies, family medical history, surgical history
- Medication Information: Current medications, dosages, pharmacy information, medication history
- Clinical Information: Symptoms, diagnoses, treatment plans, lab results, vital signs, body measurements (height, weight, BMI)
- Treatment Records: Physician notes, consultation records, prescription records, progress notes, treatment outcomes
- Clinical Photos: Photos submitted for medical evaluation and documentation (if applicable to your treatment)
- Health Questionnaire Responses: Responses to medical intake forms and ongoing health assessments
- Insurance Information: Health insurance provider, policy numbers, coverage details (if applicable)
3.2 Personal Identification Information
We collect personal information to verify your identity, process payments, and communicate with you:
- Contact Information: Name, email address, phone number, mailing address, shipping address
- Identity Verification: Government-issued photo identification, date of birth, last four digits of Social Security Number (for identity verification purposes only)
- Payment Information: Credit card or debit card information, billing address, payment history
- Account Credentials: Username, password (encrypted), security questions and answers
3.3 Technical and Usage Information
We automatically collect certain information when you access our Services:
- Device Information: IP address, device type, operating system, browser type and version, unique device identifiers
- Usage Data: Pages viewed, time spent on pages, links clicked, features accessed, search queries
- Location Information: General geographic location based on IP address (city and state level, not precise GPS location)
- Cookies and Tracking Technologies: Session cookies, persistent cookies, web beacons, pixel tags (see Section 9 for details)
- Communication Records: Records of your communications with our support team, chat logs, email correspondence
3.4 Information from Third Parties
We may receive information about you from:
- Healthcare Providers: Medical records from your previous healthcare providers (with your authorization)
- Pharmacies: Prescription fulfillment status, medication delivery information
- Laboratory Services: Lab test results (if ordered as part of your treatment)
- Identity Verification Services: Verification of your identity to comply with legal requirements and prevent fraud
- Payment Processors: Payment confirmation and transaction details
4. How We Use Your Information
4.1 Treatment, Payment, and Healthcare Operations (TPO)
Under HIPAA, we may use and disclose your PHI without your authorization for treatment, payment, and healthcare operations:
- Treatment: Provide, coordinate, and manage your healthcare services; consult with healthcare providers; provide medical consultations; prescribe medications; monitor treatment effectiveness; coordinate care with other providers
- Payment: Process payments for services; bill for services rendered; verify coverage; coordinate benefits; collect outstanding balances
- Healthcare Operations: Improve quality of care; conduct quality assessment and improvement activities; train medical staff; perform business planning and development; conduct compliance audits
4.2 With Your Consent
With your explicit consent, we may use your information to:
- Send you marketing communications about our services
- Conduct research and analysis to improve our services
- Share de-identified data for research purposes
- Use testimonials or success stories (with identifying information removed unless you specifically authorize)
4.3 Legal and Safety Purposes
We may use and disclose your information when required by law or to protect safety:
- Comply with federal, state, or local laws and regulations
- Respond to court orders, subpoenas, or legal process
- Report suspected abuse, neglect, or domestic violence as required by law
- Prevent or investigate suspected fraud or illegal activity
- Protect against threats to health or safety
- Report adverse drug reactions or product defects to the FDA
4.4 Service Delivery and Support
We use your information to:
- Create and maintain your patient account
- Verify your identity and prevent fraud
- Process your orders and deliver medications
- Provide customer support and respond to inquiries
- Send appointment reminders and follow-up communications
- Send important service updates and notifications
- Conduct satisfaction surveys to improve our services
4.5 Platform Improvement and Analytics
We use aggregated, de-identified data to:
- Analyze usage patterns and improve user experience
- Develop new features and services
- Conduct quality assurance and testing
- Monitor platform performance and troubleshoot issues
- Generate statistical reports and business intelligence
5. How We Share Your Information
We do not sell your personal information or protected health information.
5.1 Healthcare Providers
We share your PHI with licensed physicians, nurse practitioners, physician assistants, and other qualified healthcare professionals who evaluate your medical condition, prescribe treatment, and provide ongoing care. All providers are bound by HIPAA and state medical privacy laws.
5.2 Business Associates
We engage third-party service providers (Business Associates) who assist us in providing services. These parties are contractually required to protect your information and may only use it as necessary to perform services on our behalf:
- Pharmacy Partners: Licensed pharmacies that dispense and deliver your prescriptions
- Laboratory Services: Clinical laboratories that process lab work ordered by your provider (if applicable)
- Payment Processors: Secure payment processing services that handle credit card transactions
- Cloud Infrastructure Providers: Secure cloud hosting services that store and process data
- Technology Services: Software platforms for electronic health records, video consultations, and patient communications
- Customer Support Platforms: Services that help us provide customer support
- Identity Verification Services: Third-party services that verify your identity to prevent fraud
- Shipping and Logistics Partners: Couriers who deliver medications to your address
All Business Associates sign HIPAA-compliant Business Associate Agreements requiring them to safeguard your PHI.
5.3 Legal and Regulatory Requirements
We may disclose your information when required by law:
- To comply with court orders, warrants, subpoenas, or legal process
- To law enforcement agencies as required by law
- To state medical boards or licensing authorities
- To the Food and Drug Administration (FDA) for adverse event reporting
- To report suspected abuse, neglect, or domestic violence as mandated by law
- To avert a serious threat to health or safety when necessary
- For public health activities as required by law
5.4 With Your Authorization
We will obtain your written authorization before using or disclosing your PHI for purposes other than treatment, payment, healthcare operations, or as otherwise permitted by law. You may revoke your authorization at any time by contacting us at privacy@well.inc.
5.5 De-Identified Information
We may use and share de-identified health information that cannot be reasonably used to identify you for research, analytics, and business purposes. De-identified information is not subject to HIPAA restrictions.
6. Data Security and Safeguards
We implement comprehensive administrative, technical, and physical safeguards to protect your information from unauthorized access, use, or disclosure:
6.1 Technical Safeguards
- Encryption: All data transmitted between your device and our servers is encrypted using industry-standard TLS/SSL protocols. Data at rest is encrypted using AES-256 encryption.
- Access Controls: Multi-factor authentication for user accounts; role-based access controls limiting staff access to only necessary information.
- Secure Infrastructure: HIPAA-compliant cloud hosting with regular security audits and penetration testing.
- Network Security: Firewalls, intrusion detection systems, and security monitoring to protect against unauthorized access.
- Automatic Logoff: Sessions automatically expire after periods of inactivity.
- Data Backups: Regular encrypted backups with secure, redundant storage.
6.2 Administrative Safeguards
- Privacy and Security Training: All workforce members receive regular training on HIPAA and data protection requirements.
- Business Associate Agreements: Written agreements with all third parties who handle PHI.
- Incident Response Plan: Documented procedures for responding to security incidents and data breaches.
- Risk Assessments: Regular evaluation of security risks and implementation of appropriate safeguards.
- Sanctions Policy: Disciplinary measures for workforce members who violate privacy policies.
6.3 Physical Safeguards
- Secure data centers with restricted physical access
- Video surveillance and access logging
- Secure disposal of physical records and devices containing PHI
6.4 Breach Notification
In the event of a breach of unsecured protected health information, we will notify affected individuals, the Secretary of the Department of Health and Human Services, and, if required, the media, in accordance with HIPAA Breach Notification requirements.
Important Security Note: While we implement robust security measures, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and should never share your password with others.
7. Your Privacy Rights
7.1 HIPAA Rights
Under HIPAA, you have the following rights regarding your protected health information:
Right to Access
You have the right to inspect and obtain a copy of your medical records and billing records. We will respond to your request within 30 days. We may charge a reasonable, cost-based fee for copying and mailing records.
Right to Amend
You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. We may deny your request in certain circumstances, and we will provide you with a written explanation of any denial.
Right to an Accounting of Disclosures
You have the right to receive a list of certain disclosures we have made of your PHI within the past six years (excluding disclosures for treatment, payment, or healthcare operations).
Right to Request Restrictions
You have the right to request restrictions on how we use or disclose your PHI. We are not required to agree to your request except in certain circumstances involving payments from health plans.
Right to Confidential Communications
You have the right to request that we communicate with you about medical matters in a certain way or at a certain location (e.g., by mail instead of phone).
Right to a Paper Copy of This Notice
You have the right to receive a paper copy of our Notice of Privacy Practices at any time, even if you agreed to receive it electronically.
7.2 General Privacy Rights
In addition to your HIPAA rights, you have the following rights:
- Right to Know: Request information about what personal information we collect, use, and share
- Right to Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of marketing communications at any time
- Right to Data Portability: Request a copy of your data in a portable format
- Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights
7.3 How to Exercise Your Rights
To exercise any of these rights, please contact us:
- Email: privacy@well.inc
- Mail: Well.Inc LLC, Attn: Privacy Officer, 30 N Gould St Ste R, Sheridan, WY 82801
- Patient Portal: Submit a request through your account settings
We will respond to your request within 30 days (or as required by applicable law). We may require verification of your identity before processing your request.
8. State-Specific Privacy Rights
8.1 California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what personal information we collect, use, disclose, and sell
- Right to delete personal information (subject to exceptions)
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information (we do not sell personal information)
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising privacy rights
Note: Medical information governed by HIPAA is exempt from certain CCPA provisions, but we extend many CCPA protections to all personal information we collect.
8.2 Virginia, Colorado, Connecticut, and Utah Residents
Residents of these states have rights including:
- Right to access personal data
- Right to correct inaccuracies in personal data
- Right to delete personal data
- Right to data portability
- Right to opt out of targeted advertising and sale of personal data (we do not engage in these activities)
8.3 Washington Residents (My Health My Data Act)
Washington residents have enhanced protections for consumer health data. Please see our Consumer Health Data Privacy Policy for details.
8.4 Nevada Residents
Nevada residents have the right to opt out of the sale of their personal information. We do not sell personal information to third parties.
9. Cookies and Tracking Technologies
9.1 Types of Cookies We Use
- Essential Cookies: Necessary for the website to function properly (e.g., authentication, security)
- Performance Cookies: Help us understand how visitors use our site (e.g., Google Analytics)
- Functional Cookies: Remember your preferences and personalize your experience
- Targeting/Advertising Cookies: Used to deliver relevant advertising (only with your consent)
9.2 Third-Party Analytics
We use third-party analytics services (e.g., Google Analytics) to understand how users interact with our Services. These services may use cookies and similar technologies to collect information about your use of our Services. This information is aggregated and does not identify you personally.
9.3 Your Cookie Choices
Most web browsers automatically accept cookies, but you can modify your browser settings to decline cookies. However, disabling cookies may affect your ability to use certain features of our Services. You can also opt out of targeted advertising through industry opt-out tools:
- Digital Advertising Alliance: optout.aboutads.info
- Network Advertising Initiative: optout.networkadvertising.org
10. Data Retention
We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy and to comply with legal and regulatory requirements:
- Medical Records: Retained for a minimum of 7 years from the date of last treatment, or as required by state law (whichever is longer). Some states require longer retention periods.
- Prescription Records: Retained in accordance with DEA and state pharmacy regulations (typically 2-7 years)
- Billing Records: Retained for 7 years as required by IRS regulations
- Account Information: Retained while your account is active and for a reasonable period thereafter
- Marketing Data: Retained until you opt out or request deletion
After the retention period expires, we securely delete or de-identify your information. You may request early deletion of certain information (subject to legal retention requirements) by contacting privacy@well.inc.
11. Children's Privacy
Our Services are intended for adults aged 18 and older. We do not knowingly collect, use, or disclose personal information from individuals under 18 years of age. If you are under 18, please do not use our Services or provide any information to us.
If we learn that we have collected personal information from a child under 18 without verification of parental consent, we will delete that information as quickly as possible. If you believe we have collected information from a child under 18, please contact us immediately at privacy@well.inc.
12. International Users and Data Transfers
Our Services are provided from the United States and are intended for users located in the United States. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located and our service providers operate.
The data protection laws in the United States may differ from those in your country of residence. By using our Services, you consent to the transfer of your information to the United States and its processing in accordance with this Privacy Policy and applicable U.S. laws.
13. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by WELL. This Privacy Policy does not apply to third-party websites or services. We are not responsible for the privacy practices of third parties.
We encourage you to review the privacy policies of any third-party websites or services before providing them with your personal information.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Privacy Policy on our website with a new "Last Updated" date
- Sending you an email notification (if you have an account)
- Displaying a prominent notice on our website or in our patient portal
Your continued use of our Services after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated Privacy Policy, you must stop using our Services.
We will not make material changes to how we use your PHI without first obtaining your authorization, as required by HIPAA.
15. How to Contact Us
If you have questions, concerns, or complaints about this Privacy Policy, our privacy practices, or your privacy rights, please contact us:
Well.Inc LLC
Attn: Privacy Officer
30 N Gould St Ste R, Sheridan, WY 82801
Email: privacy@well.inc
Support Email: support@well.inc
We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of PHI in accordance with this Privacy Policy and applicable law.
16. Filing a Complaint
If you believe your privacy rights have been violated, you have the right to file a complaint with:
WELL:
Well.Inc LLC
Attn: Privacy Officer
30 N Gould St Ste R, Sheridan, WY 82801
Email: privacy@well.inc
U.S. Department of Health and Human Services:
Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy/hipaa/complaints/
You will not be retaliated against or penalized for filing a complaint.
17. Acknowledgment and Consent
By using our Services, you acknowledge that you have read and understood this Privacy Policy and our Notice of Privacy Practices. You consent to the collection, use, and disclosure of your information as described in this Privacy Policy.
If you do not agree with this Privacy Policy, you must not access or use our Services.
Last Updated: November 24, 2025
This Privacy Policy is effective as of the date listed above and applies to all information collected by Well.Inc LLC on or after this date.