Wellapy ("we", "us") is a CE‑marked digital therapeutics (DTx) software that will be registered with CNEDiMTS in France. This Privacy Policy explains how we collect, use, share, and protect personal data of our users in France, in compliance with GDPR, the French Data Protection Act, the French Public Health Code (HDS), and relevant HAS/CNIL guidelines.

1. Data Controller

• Controller: Lifeness AS, established in Vestregata 33, 9008 Tromso, Norway.
• HDS‑certified health data host: all health data is hosted under Hébergeur de Données de Santé standards
• DPO Contact: Lifeness AS, Aimée Bruheim contact@wellapy.eu, Vestregata 33, 9008 Tromso, Norway

‍

2. Legal Basis & Concent

• We process health data only with explicit informed consent, in line with GDPR (Art. 9) and French law .
• Consent is obtained via clear opt-in dialogs explaining data use.
• You may withdraw consent at any time; this will not affect data processed prior to withdrawal.

4. Data Collected

• Health & wellness data: vitals, treatment adherence, mental well‑being.
• Identity & contact: name, email, phone (for password and identificaton for prescription)
• Technical & usage data: device info, app interactions, logs, IP.
• Optional: location data for features like activity tracking—only collected with consent .

Data collection follows minimization—only necessary data are collected .

5. Purposes of Processing

• Therapeutic delivery: clinical recommendations, self‑management support, telemonitoring alerts.
• Quality & safety: system logs, bug fixes, health incident monitoring (HAS CNEDiMTS obligation).
• Research (optional): anonymized data aggregated for scientific insights—with separate consent.
• Compliance: legal obligations (e.g. medical billing), fraud prevention, responding to official requests.

6. Data Retention

• User data retained only as long as necessary to provide the service or fulfill statutory obligations.

7. Data Security

• We use end‑to‑end encryption in transit and at rest.
• Strong authentication (2FA)
• Full logging of access, with periodic audit.

8. Privacy by Design & Default

• Built-in privacy safeguards: minimal data collection, anonymization (where possible), and default‑on protections
• By-default settings favor maximum user privacy.

9. Rights of Data Subjects

Under GDPR and French law, users have the right to:

• Access, correct, or delete personal data
• Restrict or object to processing
• Data portability
• Withdraw consent
• Be informed in case of data breach
• Requests can be submitted to our DPO at mailto:contact@wellapy.eucontact@wellapy.eu

10. International Transfers

All data storage occurs within the EEA on HDS‑certified servers.

11. Third‑Party Processors

We engage only GDPR‑compliant, HDS‑certified subprocessors.

Data Processing Agreements are in place per Art. 28 GDPR.

12. Telehealth & Telemonitoring

We support telemonitoring under French Public Health Code and HAS/CNIL telemedicine rules, including patient free & informed consent, professional authentication, and clinical record‑keeping.

13. Clinical Validation & MDR

As a CE‑marked medical device under EU MDR 2017/745, we continuously maintain clinical evidence and post‑market surveillance.

14. Children & Minors

For users under 15 years, parental consent is required. Children’s data are subject to stricter protections.

15. Updates to This Policy

We will notify users of material changes. The latest version is always available in the app and on our website.

16. Contact & Complaints

Questions? Contact our DPO at e-mail: contact@wellapy.eu. You have the right to lodge a complaint with the CNIL.

Compliance Highlights

• GDPR‑ and CNIL‑aligned data subject rights, breach notification, lawful basis.
• HDS‑certified hosting—secure handling of health data.
• Privacy by Design (minimization, default-on, transparency).
• CNIL‑prescribed cybersecurity and telemedicine-specific safeguards.
• EU MDR CE marking and post-market obligations.
• Health incident reporting & retention frameworks .

‍

‍