WellSteps

Privacy Policy

Who We Are & Scope

This Privacy Policy describes how WellSteps, LLC (“WellSteps,” “we,” “us,” or “our”) collects, uses, and protects personal information when you use our websites, mobile applications, and online wellness platform (collectively, the “Platform”). This Privacy Policy is designed to comply with applicable U.S. federal and state privacy and health-data laws, including consumer privacy, biometric, and health-information statutes.

This Policy applies to individuals and those invited who participate in a WellSteps wellness program provided by your employer, your spouse’s employer, or other sponsoring organization (the “Program Sponsor”), as well as visitors to our public website.

WellSteps will collect, store, and use your personal data to provide wellness solutions for our clients’ eligible users (“Service”). By registering and using the Service, you agree to the collection and use of your personal information in accordance with this Privacy Policy.

WellSteps is designed to comply with applicable data privacy laws and appropriate industry-standard safeguards to manage and secure your personal information by following the privacy practices below.

WellSteps may update this Privacy Policy at any time. We encourage all individuals to review this Privacy Policy periodically.
Last updated January 2026.

What Information Does WellSteps Collect?

Depending on how you use the Platform, we may collect the following categories of personal information:

  1. Identifiers such as: Name, email address, phone number, user ID, employer or program sponsor, last four digits of SSN, spouse or invited individual’s name and email, IP address, device identifiers.
  2. Contact Information, such as: Email, phone number, username, mailing address (if provided).
  3. Sensitive Personal Information, such as:
      1. Health and wellness inputs such as sex (e.g., activity, nutrition, sleep, stress levels, tobacco status)
      2. Self-reported medical risk factors
      3. Biometric screening results or lab data, when supplied by you or your Program Sponsor’s vendor.
      4. Device or wearable data you authorize us to receive
  4. Internet or Usage Data: Log-in activity, device type, browser type, app version, crash logs, performance metrics, and pages viewed.
  5. Geolocation Data: General location derived from IP address (not precise location).
  6. Shared Data: Content you share with the Platform while using the Service, such as personal avatar, uploaded files, posted comments, stories, and responses, manually entered daily metrics, etc.
  7. Sensitive Health and Biometric Information. Certain wellness programs may involve the collection of health-related, wellness-related, or biometric information (including biometric screening results or lab data) provided by you or authorized vendors acting on behalf of your Program Sponsor. Such information is collected solely for wellness program administration and reporting purposes.
  8. Biometric Notice. Where applicable, WellSteps may collect or receive biometric information, including biometric screening results, identifiers, or measurements, solely to support wellness program services. Biometric information is not sold, leased, traded, or otherwise monetized. Where required by law, biometric information is collected only with your prior written consent and is retained and destroyed in accordance with our Biometric Data Notice.

We collect only the information necessary to operate the Platform and provide wellness program services, and best interact with you as the consumer.

| Category of Personal Information | Purpose of Use | Sources | Disclosed to | Sold |
|---|---|---|---|---|
| Identifiers | Create and manage accounts; authenticate users; provide services | Directly from you; Program Sponsor-provided | Service providers | No |
| Sensitive Personal Information | Provide wellness services; personalize content; support coaching | Directly from you; Program Sponsor-provided; third-party wellness tools | Health coaches (with your permission); Service providers | No |
| Internet/Usage Data | Maintain security; improve Platform performance | Automatically collected | Service providers (analytics) | No |
| Contact Information | Communicate with you; send program updates | Directly from you | Service providers | No |
| Geolocation Data (generalized) | Personalization of content | Derived internally | Not shared externally | No |

Any information willfully entered by the individual in company-wide viewable areas on the site will be available to view by all users in the company. WellSteps does not sell your information to third parties. WellSteps does not use personal health, wellness, or biometric information to make employment, benefits, eligibility, insurance, or similarly significant decisions about individuals.

App Usage & Analytics Information

When you use the WellSteps mobile app, we may collect technical information such as app version, device type, operating system, performance data, and crash reports. This information helps us maintain security, troubleshoot issues, and improve the stability and user experience of the Platform. This data is generally not used to identify you personally.

Wearable Device & Activity Tracking Syncing

Should you choose to sync your WellSteps account with a wearable device or other activity tracking device, that information will also be protected in the ways described here.

Cookies and Tracking Technologies

“Cookies” are small text files of information sent to your browser by a website. We use cookies and similar technologies to operate the Platform, maintain security, remember your preferences, and understand how users engage with our content.

Cookies may collect identifiers such as IP address, device information, or session data. You can control cookies through your browser settings. Disabling certain cookies may affect site functionality. We do not use cookies for targeted advertising or cross-context behavioral advertising.

External Links

On occasion, the Platform may refer via link to external websites which WellSteps does not control or own. WellSteps does not share your personal information with those websites. WellSteps has no control over these websites and is not responsible for their privacy practices or content. WellSteps encourages you to learn about the privacy policies of any websites that you visit.

Privacy Policy Regarding Mobile Phone Numbers

We collect mobile phone numbers from our users as part of our messaging service. These numbers are used solely to communicate information relevant to your engagement with our services. Your mobile phone number will not be shared with any third-party entities or affiliates for marketing or promotional purposes.

How Will My Information Be Used?

Your personal information is used to operate the Platform, provide direct feedback to you, deliver and administer program tools and features, personalize your experience, communicate with you, improve the Platform, fulfill requests from you or your Program Sponsor, and produce aggregated analytics reports. We also use your information to respond to user and Program Sponsor requests to provide customer support.

Use of AI Tools and Automated Processing

Our website may provide access to AI-powered tools and features that generate general wellness or health-related information. By using these tools, you acknowledge that all AI-generated content is provided for informational purposes only and does not constitute medical advice, diagnosis, or treatment. You agree not to rely on AI outputs for healthcare decisions and to consult a qualified medical professional for any personal health concerns.

WellSteps does not engage in automated decision-making that produces legal or similarly significant effects. Users may request human review of AI-assisted interactions where applicable.

You must not submit, upload, or disclose any Personal Health Information (PHI) or other sensitive data when interacting with AI features. AI inputs and outputs may be processed to operate, maintain, and improve the system, consistent with our Privacy Policy, but are not used to make decisions regarding your health, employment, eligibility, or benefits.

We make no representations or warranties regarding the accuracy, reliability, completeness, or applicability of information generated by AI tools. To the fullest extent permitted by law, you assume all risk associated with the use of AI-generated content, and we disclaim all liability for any actions taken or not taken based on such content. Your use of these tools constitutes acceptance of these terms and acknowledgment of their limitations.

WellSteps does not engage in automated decision-making producing legal or similarly significant effects, and users may request human review where applicable.

Who Has Access To My Information?

WellSteps does not share your individual Personal Health Information (“PHI”) or detailed wellness responses with your Program Sponsor, unless:

  • You give us explicit permission for a specific service (for example, connecting with a health coach), or
  • We are required to do so by law, or
  • Your wellness program is being provided on a Reseller basis (see below)

Any information provided to your Program Sponsor will be stripped of identifying information and provided in aggregate. Your Program Sponsor may receive:

  • De-identified, aggregated reports, and
  • Limited information needed to administer incentives or participation records (for example, that you completed an activity, without sharing your underlying responses).

These reports and files are designed so your Program Sponsor cannot reasonably identify you as an individual participant.

Our employees may access your information to help provide wellness services and improve our platform and products.

Program Sponsors, Administrators, and White-Label Partners

Some programs are delivered through a white-label, co-branded, or reseller-supported version of the Platform. In these cases, your Program Sponsor (such as your employer, your spouse’s employer, or a partnering health system) may designate authorized individuals to help administer the program.

Authorized individuals may access limited account or participation information when necessary to operate the wellness program, support incentives, or provide coaching or health services. In programs offered by hospitals or other HIPAA-covered entities, the Program Sponsor may also have independent legal authority to access certain PHI under its own privacy practices or employee agreements.

Resellers or partners acting on behalf of your Program Sponsor may only access your information as permitted by the Program Sponsor and applicable law.

Please review your Program Sponsor’s privacy notices to understand how they may use or access your information.

In some, but not all, instances, WellSteps is the Program Sponsor’s “Business Associate” as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Where WellSteps acts as a Business Associate, the applicable Business Associate Agreement governs and controls in the event of any conflict with this Privacy Policy.

How Do We Share Information?

We may share your personal information with the following parties, only as necessary to operate the WellSteps program and as permitted by law:

  • Service providers and vendors: We use trusted third-party companies to host our systems, provide customer support, deliver email or SMS messages, process analytics, or offer other operational services. These partners are required to:
    • Use your information only to provide services to WellSteps, and
    • protect your information with appropriate safeguards.
  • Program partners you choose to use: If you connect a device, sync a wellness service, or participate in an optional third-party offering, we may share limited information necessary to support your participation. See Device Data Privacy policy for further details.
  • Legal or safety requirements: We may disclose information to government authorities, courts, or law enforcement when required by law or when necessary to protect the rights, property, or safety of WellSteps, our users, or others.

We do not sell or rent your personal information to third parties.

Third-Party Wellness Tools & Integrations

Your Program Sponsor may offer optional wellness tools or services (such as activity trackers, coaching services, or educational resources) that integrate with the Platform. If you choose to use these tools, we may share only the minimum data necessary to enable the integration (for example, a unique identifier or participation status). Any data you provide directly to a third-party tool is governed by that company’s privacy policy.

The following third parties are used to process or house your data on behalf of WellSteps:

| Sub-Processor | Purpose | Data Location | Services |
|---|---|---|---|
| Amazon Web Services | Primary hosting & storage | USA | Infrastructure, secure data storage, and email |
| Intelliticks | Customer support, chat | USA | Customer support |
| Microsoft | Email, calendaring, productivity tools | USA | Email (Office 365/Outlook), productivity |
| Google LLC | Analytics, cloud services | USA | Google Analytics, cloud |
| Twilio | SMS delivery | USA | SMS notifications |
| Biometric Screening Providers (when applicable): eHS, Circle Wellness, Life Health | Biometric data integration & SSO | USA | Receiving of biometric data & scheduling |

How Long Will We Keep Your Information?

Personal information is retained only for as long as reasonably necessary to provide wellness services, comply with legal and contractual obligations, resolve disputes, and maintain program records. Biometric and sensitive health data are retained for the minimum period required by applicable law or contract and are securely destroyed thereafter.

How Will My Information Be Kept Secure?

WellSteps safeguards the security of your information with administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, disclosure, alteration, or destruction. These safeguards include:

  • Encryption in transit and at rest
  • Role-based access controls
  • Secure cloud hosting through Amazon Web Services (AWS)
  • Real-time data redundancy and backups
  • Regular vulnerability scanning and security monitoring
  • Secure software development and change management processes

No method of transmission over the Internet or method of electronic storage is perfectly secure. However, we follow industry-standard practices to safeguard your information.

Data is stored at Amazon Web Services data centers on secure servers with real-time, redundant back-up, located in multiple sites within the United States.

WellSteps uses industry-standard Secure Sockets Layer (SSL) encryption on all web pages where personal information is required. With any transactions, you must use an SSL-enabled browser (e.g., Chrome, Firefox, Safari, and Edge).

Using an updated browser is recommended because it helps protect the confidentiality of your personal information while it is transmitted over the Internet.

Your Privacy Choices & Rights

Regardless of where you live, you may have certain rights related to your personal information. These rights may vary based on applicable law, but WellSteps allows all users to make the following requests:

  • Access: Request a copy of the personal information we maintain about you.
  • Correction: Ask us to correct inaccurate or incomplete information.
  • Deletion: Request deletion of your personal information. Please note that deleting your information will end your access to the WellSteps program and may result in loss of earned but unredeemed incentives.
  • Communication Preferences: Update your contact preferences or opt out of emails or text messages.

U.S. State Privacy Rights

Residents of California, Colorado, Connecticut, Utah, Texas, and Virginia may have additional rights, including rights to access, correct, delete, appeal decisions regarding requests, opt out of certain processing activities, and designate authorized agents. WellSteps does not sell or share personal information for cross-context behavioral advertising and does not discriminate against users for exercising privacy rights.

To exercise any of these rights, please contact us at info@wellsteps.com or use the tools available in your account where applicable. We will strive to respond within a reasonable timeframe and as required by law.

These rights may be limited in certain circumstances, for example, when we need to retain information to comply with legal obligations, maintain program integrity, or detect fraud.

Additional Rights for U.S. State Residents

Residents of certain U.S. states may have additional rights with respect to their personal information under state law. These may include rights to:

  • request access to specific categories and pieces of personal information we collect;
  • request deletion or correction of certain information;
  • opt out of certain types of “sales” or “sharing” of personal information, as those terms are defined by law, and not to be discriminated against for exercising these rights.

We do not sell or share your personal information for cross-context behavioral advertising. You can contact us at info@wellsteps.com to exercise any available state-specific rights. We will strive to respond as required by applicable state law.

International Users

If you access the Platform from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

Children’s Privacy

WellSteps does not knowingly collect, use, or disclose personal information from children under the age of 18. The Platform is intended for use by adult employees, adult dependents, and individuals who have been granted access by a participating Program Sponsor.

If we learn that we have collected personal information from a child without appropriate authorization or consent as required by law, we will take reasonable steps to delete that information as quickly as possible.

If you believe that a child under the applicable age has provided personal information to WellSteps, please contact us immediately at info@wellsteps.com so we can investigate and take appropriate action.

Changes to This Policy

We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or the services we offer. When we make material changes, we will:

  • Post the updated policy on this page with a revised “Last Updated” date; and
  • Provide additional notice where required by law (such as email or in-Platform notification)

Your continued use of the Platform after an updated Privacy Policy is posted means that you acknowledge and agree to the revised terms. If you do not agree to the updated policy, you should discontinue use of the Platform.

Translations & Official Version

Any translation of this privacy policy is intended solely to facilitate access to the information. The English version is the only official version, and any translation inaccuracies or discrepancies are not binding and have no legal effect for compliance and enforcement purposes.

Contact Information

Should you have further questions about this Privacy Policy or the security of our website, please contact info@wellsteps.com. Alternatively, you can contact WellSteps by writing to: WellSteps LLC, PO Box 26,8 Oak City, UT 84649, United States

 
