Privacy Policy
At wellsyncy, privacy is not a setting — it's the product. This Privacy Policy explains what information wellsyncy LLC ("we", "our", "us") collects when you use our website and platform (the "Service"), how we use and protect it, and the rights you have.
1. Who we are
The data controller of personal data collected through the Service is wellsyncy LLC, 30 North Gould Street, Sheridan, WY 82801, United States. You can contact us any time at contact@wellsyncy.com.
When customers (employers) use wellsyncy to provide the Service to their employees, the employer is the controller and wellsyncy acts as a processor, under a Data Processing Agreement (DPA).
2. Data we collect
We collect only what we need to run the Service responsibly. That includes:
Account data
- Name, email, company, role, password hash, profile photo (optional).
Workspace meta-signals
- Calendar metadata (number of meetings, duration, attendee count) — not content;
- Messaging metadata (response-time windows, activity hours) — not message content;
- Task-tool metadata you choose to connect.
Voluntary wellbeing data
- Responses to optional pulse check-ins and self-reported wellbeing scores. Individual responses are visible only to the responding employee.
Technical data
- IP address, browser / device type, pages visited, and other standard log data used for security and performance.
Billing data
- Billing contact, address, and last 4 digits of the card. Full card numbers are handled by Stripe and never touch our servers.
3. How we use data
We use personal data to:
- Provide, maintain, and improve the Service;
- Generate aggregated wellbeing insights and AI recommendations;
- Authenticate users and protect against fraud, abuse, and security threats;
- Process payments and manage subscriptions (via Stripe);
- Respond to support requests and communicate important service messages;
- Comply with legal obligations.
We do not sell personal data, and we do not use Customer Data to train foundational AI models.
4. Legal bases (EEA / UK users)
If you are in the EEA or the UK, we rely on the following legal bases under the GDPR / UK GDPR:
| Purpose | Legal basis |
|---|---|
| Providing the Service | Performance of a contract |
| Payments & tax compliance | Legal obligation |
| Security, fraud prevention | Legitimate interests |
| Optional wellbeing features | Consent (you can withdraw any time) |
| Marketing (non-customers) | Consent |
5. How we share data
We only share personal data with:
- Sub-processors who help us run the Service — cloud hosting, email, error monitoring, and Stripe for payments — all bound by strict data protection agreements;
- Your employer, only as aggregated, team-level insights that do not identify individuals (minimum aggregation group size enforced);
- Authorities, where legally compelled, in which case we'll notify affected customers where allowed by law;
- Acquirers in the event of a merger or acquisition, subject to continued protection of your data.
A current list of sub-processors is available on request at contact@wellsyncy.com.
6. AI & automated processing
We use AI to produce wellbeing indexes, burnout signals, and coaching suggestions. These are decision-support tools, not automated decisions that produce legal or similarly significant effects on you. We:
- Explain the signals that contributed to any recommendation;
- Allow employees to opt out of personal coaching features at any time;
- Do not use Customer Data to train foundational models.
7. Retention
We retain account data while your account is active and for up to 30 days after deletion (to allow recovery and comply with legal holds). Workspace meta-signals are retained for up to 24 months to support trend analysis, unless a shorter period is required by contract. Billing records are kept for 7 years to comply with tax law.
8. Security
We protect data with industry-standard controls, including:
- TLS 1.2+ in transit, AES-256 at rest;
- Role-based access, least privilege, and regular access reviews;
- Continuous monitoring and independent penetration tests twice a year;
- A SOC 2 Type II–aligned control program.
No system is ever 100% secure. If we learn of a breach that affects you, we’ll notify you promptly in line with applicable law.
9. Your rights
Depending on where you live, you have rights to access, correct, delete, restrict, object to, or port your personal data, and to withdraw consent. To exercise these rights, email contact@wellsyncy.com — we will confirm your identity and respond within 30 days.
You can also lodge a complaint with your local data protection authority if you believe we've fallen short.
10. International transfers
We are based in the United States and process data there. Where we transfer personal data from the EEA or UK, we rely on Standard Contractual Clauses and equivalent safeguards. EU data residency is available on our Enterprise plan.
11. California privacy rights
California residents have specific rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of the "sale" or "sharing" of personal information. We do not sell personal information. To exercise your rights, contact contact@wellsyncy.com.
12. Children
The Service is not intended for users under 16, and we do not knowingly collect data from them. If you believe we have, please contact us and we will promptly delete it.
13. Changes
We may update this Policy from time to time. When we make material changes, we will notify you by email or in-app at least 30 days before they take effect.
14. Contact
Questions, concerns, or data requests?
wellsyncy LLC — Privacy
30 North Gould Street, Sheridan, WY 82801, United States
Email: contact@wellsyncy.com
Phone: +1 (442) 342-4185