Privacy Policy
How Wellday collects, uses, shares, and protects your information — including the health information you trust us with.
The short version
We take your privacy seriously, especially because we're handling some of the most personal information you have — your health.
Here's what you should know:
- What we collect: Information you give us (name, email, address, payment details), information you share about your migraine experience (the intake questionnaire and ongoing communications), and information collected automatically when you use our website or app.
- How we use it: To connect you with licensed clinicians, build your Wellday Care Plan, coordinate your medications, support your insurance navigation, and improve our services.
- Who we share it with: Wellday Medical Affiliates, pharmacies, payment processors, and service providers who help us deliver care to you. We don't sell your information. We don't share your health information with advertisers.
- Your rights: You can access your information, correct it, ask us to delete it, and opt out of certain uses.
- How long we keep it: As long as you're a Wellday patient, plus a retention period required by medical record laws.
This summary doesn’t replace the full Privacy Policy below. If anything seems to conflict, the full policy controls.
I
Who we are and what this Privacy Policy covers
Wellday Health LLC ("Wellday," "we," "us," or "our") is a Missouri limited liability company. We operate the Wellday platform, which connects patients with licensed clinicians for migraine and neurological health care.
This Privacy Policy explains how we collect, use, share, and protect information about you when you use our website at wellday.com, our mobile applications, and our services (collectively, the "Services").
Wellday's legal status under HIPAA. Wellday operates as a technology platform. The medical care provided to you comes from licensed clinicians and clinical entities that contract with Wellday to provide medical care on the Wellday platform (collectively, "Wellday Medical Affiliates"). Wellday is not itself a HIPAA covered entity. Wellday Medical Affiliates are HIPAA covered entities, and your health information is protected under HIPAA when it is handled by them. Wellday operates as a Business Associate of Wellday Medical Affiliates under HIPAA-required Business Associate Agreements when we handle health information on their behalf.
If you are a California, Washington, Nevada, Connecticut, or other state resident with additional privacy rights under state law, see Section IX.
II
Information we collect
Personal information you provide directly: Name, email address, phone number, mailing address, date of birth, gender, emergency contact, and payment information. (Payment card numbers are processed by our payment vendors and are not stored on Wellday systems.)
Health information you provide: Information you share through the Wellday intake questionnaire and through ongoing communication with your clinical care team — your migraine frequency, severity, triggers, medical history, current and past medications, allergies, contraindications, and treatment responses. This information constitutes Protected Health Information (PHI) under HIPAA when handled by Wellday Medical Affiliates.
Information collected automatically: Device information, IP address, approximate location, usage information, and information from cookies and similar technologies (see Section VII).
Information from third parties: We may receive information from your clinical care team, pharmacies, your insurer (in connection with prior authorization or claims), identity verification services, analytics providers, and advertising platforms about how you arrived at our website.
III
How we use your information
We use your information to:
- Provide and operate the Services, including connecting you with licensed clinicians and coordinating your care
- Process payments and manage your subscription
- Coordinate with pharmacies, insurers, and Wellday Medical Affiliates to fulfill prescriptions, file prior authorizations, and arrange savings cards
- Communicate with you about your account, your care, and your billing
- Send you marketing emails (you can opt out anytime; transactional emails about your account and care continue)
- Improve our Services through analysis of how patients use our platform
- Detect, investigate, and prevent fraud, abuse, and security threats
- Comply with legal obligations
- Defend our legal rights when necessary
We do not use your health information to target advertising. Advertising platforms may use general information (like the fact that you visited our website) to show you ads, but we never share your specific health information — what condition you have, what medications you take, what your clinician told you — with advertising companies.
V
How we protect your information
While Wellday is not a HIPAA covered entity, we implement administrative, technical, and physical safeguards designed to protect your information at industry-standard levels, including:
- Encryption of data in transit (TLS) and at rest
- Access controls limiting who can view your information
- Audit logs of access to sensitive information
- Regular security assessments
- Employee training on privacy and security
- Business Associate Agreements with Wellday Medical Affiliates and other vendors who handle PHI
Despite these measures, no system is perfectly secure. If we ever experience a security incident that affects your information, we will notify you in accordance with applicable law.
VI
How long we keep your information
We retain your information for as long as your account is active and for a period thereafter as required by law:
- Medical records held by Wellday Medical Affiliates — retained for the period required by state medical record laws, typically 7–10 years for adult records
- Account information — retained while your account is active and up to 7 years after closure
- Payment information — retained per payment processing and tax law requirements
- Marketing information — if you opt out, retained only to ensure we don't email you again
After applicable retention periods, we either delete your information or de-identify it.
VIII
Your rights
You have the right to:
- Access — request a copy of your information. For health information held by Wellday Medical Affiliates, requests are processed through their medical records process; we'll route requests to the right place.
- Correct — request that we correct inaccurate information.
- Delete — request deletion of your information, subject to legal retention requirements.
- Restrict — request limits on how we use or share information.
- Portability — request a copy in portable format.
- Object — object to certain uses, including marketing.
- Withdraw consent — at any time where we rely on consent.
- Complain — to us, or to the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint.
To exercise any of these rights, email privacy@welldayhealth.com. We respond within 30 days, or longer where the law allows.
IX
State-specific privacy rights
California residents: Under the CCPA and CPRA, you have rights to know, delete, correct, and opt out of "sales" or "sharing" of personal information. Wellday does not "sell" personal information as defined under California law. Some advertising practices may constitute "sharing." You can opt out by:
- Clicking "Do Not Sell or Share My Personal Information" in our website footer
- Managing cookies through our cookie banner
- Emailing privacy@welldayhealth.com with the subject line "CCPA Opt-Out"
Washington residents: Under the My Health My Data Act, you have rights to know, withdraw consent, delete consumer health data, and appeal denials. We do not sell consumer health data.
Nevada residents: Under Nevada's Consumer Health Data Privacy Law, similar rights apply. We do not sell consumer health data.
Connecticut residents: Under the Connecticut Data Privacy Act, you have rights to access, correct, delete, and opt out of certain processing. We honor opt-out preference signals like Global Privacy Control.
As state privacy laws expand, we will update this section.
X
Children's privacy
Wellday is intended for adults 18 and over. We do not knowingly collect personal information from children under 18. If you believe a child has provided information to Wellday, contact privacy@welldayhealth.com.
XI
Changes to this Privacy Policy
When we make material changes, we'll post the updated policy with a new "Last updated" date and notify you by email or through the patient portal if changes are significant. Your continued use of the Services after a Privacy Policy update means you accept the updated terms.
XII
Contact us
For questions or to exercise your privacy rights: privacy@welldayhealth.com
For HIPAA-related complaints, you may also contact the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint or 1-877-696-6775.