Privacy Policy (GDPR) for Wellapy

Latest version: 23. September 2024

This Privacy Policy explains how Wellapy processes personal data, including special categories of data related to health, in accordance with the EU General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique et Libertés), and applicable national laws. It applies to visitors of the Wellapy website and to users of our digital therapeutics (DTx) service who access the app via our website.

1) Who we are

  • Data Controller: Lifeness AS, operating the Wellapy digital therapeutic
  • Address: Vestregata 33, 9008 Tromsø, Norway
  • Company number: 921 141 130
  • Contact (privacy): privacy@wellapy.eu
  • DPO: If we appoint a Data Protection Officer, we will update this section and provide their contact details here.

If you access Wellapy in France, Lifeness AS remains the controller. Local partners may act as joint controllers or processors per agreement. You may also contact your local supervisory authority (see Section 13).


2) What data we process

We process the following categories of personal data, depending on how you interact with us:

  • Website data (visitors)
    • Device and usage data: IP address, device type, browser, OS, referring URLs, pages viewed, time spent, clicks
    • Cookie and similar technologies data: see Cookie Notice
    • Contact form data: name, email, message content
    • Newsletter data: email, subscription preferences, consent records
  • Account and app data (DTx users)
    • Identification data: name, email, account ID, language, country
    • Treatment context data: care program enrollment, clinic or prescriber identifier
    • Health data: weight, BMI, activity, nutrition logs, medication adherence, questionnaires, symptoms, outcomes and other information you record or that your care team records
    • Technical data: device identifiers, crash logs, app version, session timestamps
  • Professional contacts (HCPs and partners)
    • Identity and contact data, organization, role, communications

Providing health data is voluntary, but it is necessary in order to receive the DTx service. If you choose not to provide it, some features will not function.


3) Why we process your data and legal bases

  • Provide and operate the DTx service, personalize content, track progress, enable care team collaboration
    • Legal bases: performance of a contract (Art. 6(1)(b)); for health data, explicit consent (Art. 9(2)(a)) or provision of health or social care by professionals under contract (Art. 9(2)(h)), as applicable in your program
  • Create and maintain your account, authenticate users, provide customer support and safety communications
    • Legal bases: contract; legitimate interests in account security and service integrity (Art. 6(1)(f))
  • Safety, quality, and improvement, including security monitoring, debugging, analytics, and clinical/real‑world evidence generation in aggregated or pseudonymized form
    • Legal bases: legitimate interests (Art. 6(1)(f)); for health data, substantial public interest or scientific research with appropriate safeguards (Art. 9(2)(i)/(j)) where applicable, or consent
  • Regulatory compliance and device vigilance (materiovigilance), incident reporting, and responding to legal obligations
    • Legal bases: legal obligation (Art. 6(1)(c)); for health data, public interest in the area of public health (Art. 9(2)(i))
  • Marketing communications (website visitors who opt in)
    • Legal bases: consent (Art. 6(1)(a)); you may withdraw at any time

Program variants: Depending on how you access Wellapy (for example via a clinic program or directly), the precise legal basis used for specific features may differ across consent, contract, legitimate interests, health or social care provision, public interest, or research bases. Where we rely on consent, you may withdraw it at any time in the app or by contacting us. Withdrawal does not affect prior processing.


4) Cookies and similar technologies

We use essential cookies to make the website work and, with your consent, analytics cookies to understand and improve performance. For detailed information, including cookie and SDK names, providers, purposes, and lifetimes, see our Cookie Notice and banner preferences.

  • Essential cookies: required for core functionality
  • Analytics cookies: audience measurement, page performance
  • Marketing cookies (if any): only with your consent

You can manage preferences via the cookie banner at any time. Refusing must be as easy as accepting. See: Cookie Notice — Wellapy (France).


5) In‑app privacy summary (mobile apps)

  • Just‑in‑time notices explain why permissions are requested and how to change them later
  • In‑app settings provide an easy way to withdraw consent, manage analytics preferences, and request account deletion
  • SDK inventory and roles are listed in the Cookie Notice and Sub‑processors list

6) Data sources

  • Data you provide directly in forms or the app
  • Data provided by your clinic, prescriber, or care team when they onboard you to the program
  • Device and service‑generated data from your use of the website or app

7) Disclosures and processors

We share personal data only as necessary and subject to data processing agreements:

  • Hosting and infrastructure providers
  • Analytics and error monitoring tools
  • Communication tools for in‑app messaging and email
  • Clinical partners and care teams involved in your treatment program
  • Regulators and public authorities where required by law
  • Professional advisors and auditors under confidentiality

Data Processing Agreements (GDPR Art. 28) are in place with our processors and require appropriate security, confidentiality, assistance with data subject rights, incident reporting, and return or deletion of data at end of service. International transfers use approved safeguards in line with GDPR Chapter V (e.g., SCCs or adequacy decisions) and our supplier onboarding procedure.

A current list of sub‑processors is available here: Sub‑processors — Wellapy and in the app settings.


8) International data transfers

Your data may be processed outside your country, including outside the EEA/UK. Where we transfer data internationally, we implement safeguards such as adequacy decisions or the European Commission’s Standard Contractual Clauses, plus supplementary technical and organizational measures where needed. You may request a copy of applicable safeguards.


9) Security measures

We apply appropriate technical and organizational measures aligned with the risk of processing health data, including encryption in transit and at rest, access controls, audit logging, secure software development, vulnerability management, and business continuity. Access to health data is role‑based and limited to authorized personnel.


10) Data breaches and notifications

If a personal data breach occurs, we will assess the impact and respond in line with our internal Incident Response & Nonconformity Policy and Procedure. Where required by law, we will notify the competent supervisory authority within 72 hours and inform affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms. This includes documenting the incident, root cause, actions taken, and lessons learned. See our internal procedures for details.[1][2]


11) HDS health data hosting (France)

For users in France, health data are hosted with an HDS‑certified provider in the EEA (for example, AWS in Frankfurt) in accordance with Article L.1111‑8 of the French Public Health Code. Hosting includes administration and operation services delivered by certified providers. See our declaration of conformity for details and scope: Déclaration de conformité HDS (link available on request). We comply with the updated HDS framework and will maintain certification in line with the latest version and applicable transition timelines.[3]


12) Data retention

We keep personal data only as long as necessary for the purposes described above and as required by law, standards, and our internal control framework:

  • Website analytics: typically 13–26 months, or as configured per tool
  • Support and communications: up to 3 years after last interaction
  • DTx account and treatment records: for the duration of your program and for the applicable medical device and healthcare record retention periods required by law or clinical governance
  • Incident and safety records: per legal obligations

Retention rules are defined and reviewed under our GDPR Internal Control and template mappings, and are reflected in our records of processing. Program‑specific retention schedules may apply and will be communicated in the app or program materials. We will delete or anonymize data once retention periods end.[4][5][6][7]


13) Your rights (including France‑specific)

Subject to conditions and exceptions under GDPR, you have the right to:

  • Access your data and receive a copy
  • Rectify inaccurate or incomplete data
  • Erase data in certain circumstances
  • Restrict processing in certain circumstances
  • Object to processing based on legitimate interests
  • Data portability for data you provided under consent or contract
  • Withdraw consent at any time for consent‑based processing
  • Not be subject to decisions based solely on automated processing where they produce legal or similarly significant effects, unless permitted by law with safeguards

In France, you may also leave post‑mortem directives regarding the fate of your personal data and how your rights should be exercised after death. To exercise your rights, contact privacy@wellapy.eu. We will respond without undue delay and within one month, extendable by two months where necessary due to complexity or number of requests.


14) Children

Wellapy is intended for use as part of a clinically supervised program for adults, unless explicitly authorized by a healthcare professional and as permitted by local law. We do not knowingly collect data from children without appropriate authorization and consent.


15) Joint controllers and partners

In some programs, your clinic or healthcare provider may be a joint controller for certain processing activities, for example onboarding and clinical follow‑up. In such cases, key responsibilities are allocated by agreement under Article 26 GDPR, and you may exercise your rights with either party. The essence of the arrangement is available on request, and program‑specific notices may also apply within the patient portal.


16) France‑specific information and supervisory authority

For users in France, you may contact the Commission Nationale de l’Informatique et des Libertés (CNIL) at cnil.fr or by mail at 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07. If Wellapy is provided via an approved scheme or platform, program‑specific notices may also apply within the patient portal.


17) How to contact us

  • Email: privacy@wellapy.eu
  • Postal address: Lifeness AS, Vestregata 33, 9008 Tromsø, Norway

You also have the right to lodge a complaint with your local supervisory authority. A list of EU authorities is available at ec.europa.eu.


18) Profiling and automated decisions

If we use profiling or automated decision‑making features, they will not produce legal or similarly significant effects without appropriate safeguards. Where such features exist, we will provide information on the logic involved, as well as the significance and the envisaged consequences for you, and you can obtain human review and contest a decision.


19) Changes to this Policy

We may update this Policy to reflect changes in our practices or legal requirements. We will post the updated version on this page and indicate the effective date. For material changes, we will provide a prominent notice or seek consent where required.


20) Effective date

Effective date: 2025-09-23


Appendices

  • Appendix A: Cookie Notice — Wellapy (France)
  • Appendix B: Sub-contractors
  • Appendix C: Data Protection Impact Assessment — Lifeness conducts DPIAs for health‑data processing and maintains records of processing; a high‑level summary is available on request.

Still have questions?

To get in touch with us, send us an e-mail: contact@lifeness.no