Wellistic

Privacy Policy

Last updated: February 28, 2026

Overview

Wellistic ("we," "us," or "our") is designed with privacy as a core principle. We collect the minimum data necessary to provide the Service and we never collect patient identifying information. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our website and services (collectively, the "Service").

Information We Collect

Account Information

When you create an account, we collect your name, email address, practice type, and optional business information. This is used to provide and personalize the Service.

Session Input Data

When you generate a note, we receive the clinical details you provide (chief complaint, treatment, findings, plan). This data is de-identified by design — there are no fields for patient names, dates of birth, or other personally identifiable patient information.

Generated Notes

Notes you save to your history are stored in your account. You may delete them at any time.

Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers or bank account details on our servers. Stripe's privacy policy governs the handling of your payment data.

Usage Data

We automatically collect certain technical information when you use the Service, including IP address, browser type, device type, pages visited, and timestamps. This data is used in aggregate to improve the Service and is not linked to individual patient data.

Cookies and Similar Technologies

We use essential cookies required for authentication and session management. We may also use analytics tools to understand how the Service is used. You can control cookie preferences through your browser settings. We do not use advertising cookies or third-party tracking cookies.

How We Use Your Data

  • To provide and operate the note generation service
  • To maintain your note history
  • To process payments and manage subscriptions
  • To send transactional emails (account verification, password reset, billing)
  • To improve the Service (aggregate, anonymized usage metrics only)
  • To detect and prevent fraud, abuse, or security incidents
  • To comply with legal obligations

What We Do NOT Do

  • We do not sell or share your personal information with third parties for monetary or other valuable consideration
  • We do not use your clinical input data to train AI models
  • We do not collect patient identifying information
  • We do not share your data with advertisers
  • We do not use targeted advertising or cross-site tracking

Data Security

All data is encrypted in transit (TLS 1.2+) and at rest. We use Supabase for data storage with row-level security ensuring users can only access their own data. Access to production systems is restricted, logged, and reviewed. While no system is 100% secure, we implement commercially reasonable measures to protect your data.

Data Retention

Your account data and saved notes are retained as long as your account is active. You may delete individual notes or your entire account at any time. Upon account deletion, your data is permanently removed within 30 days. We may retain certain data as required by law or for legitimate business purposes (e.g., billing records).

Data Location

Your data is stored and processed in the United States. By using the Service, you consent to the transfer and processing of your data in the United States.

Third-Party Services

We use the following third-party services to operate the Service:

  • Supabase — Authentication and database hosting (data stored in the US)
  • Anthropic (Claude) — AI note generation (receives de-identified clinical data only; does not use API inputs for model training)
  • Stripe — Payment processing (PCI-DSS compliant)
  • Vercel — Website hosting

Each third-party service processes data in accordance with their own privacy policies. We only share the minimum data necessary for each service to function.

Your Rights

Regardless of your location, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data and account
  • Export your notes
  • Opt out of non-essential communications

To exercise any of these rights, contact us at privacy@wellistic.com. We will respond to verifiable requests within 45 days.

California Residents — Your CCPA/CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.

Categories of Personal Information Collected

  • Identifiers: Name, email address, IP address, account ID
  • Commercial information: Subscription plan, billing history
  • Internet/electronic activity: Pages visited, browser type, usage data
  • Professional information: Practice type, professional role

Your California Rights

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purpose for collecting it, and the third parties with whom we share it.
  • Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.
  • Right to Correct: You may request that we correct inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
  • Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond what is necessary to provide the Service.

How to Submit a Request

To exercise your California privacy rights, email us at privacy@wellistic.com with the subject line "California Privacy Request." We will verify your identity before processing your request and respond within 45 days. You may also designate an authorized agent to submit a request on your behalf.

Children's Privacy

The Service is intended for licensed or credentialed wellness practitioners and is not directed at children. You must be at least 13 years of age to use the Service. If you are between 13 and 18 years of age, you may only use the Service with the involvement and consent of a parent or legal guardian. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service prior to the change taking effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

Contact

Privacy questions or requests? Contact us at privacy@wellistic.com.