Privacy Policy

Well — Privacy Policy

Effective date: June 24, 2026

Introduction

Well is a health application operated by BairWise LLC ("Well," "we," "us"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our mobile application (iOS and Android) and our web portal. We follow the CARIN Code of Conduct for Consumer-Facing Applications, and we apply this Policy whether or not a given activity is covered by HIPAA. We developed this Policy using the ONC Model Privacy Notice and the CARIN questionnaire as resources.

Information we collect

  • Account information — name, email, phone, password, and profile details you provide.

  • Identity-verification information — when you verify your identity to retrieve or share records, our verification partner (Fasten, which uses CLEAR or ID.me) checks your identity to NIST IAL2. We receive a verified result; we do not store the underlying proofing documents.

  • Health information — records you choose to retrieve from your providers/networks (conditions, medications, allergies, lab results, immunizations, visit summaries) and information you add yourself (notes, uploaded documents, device/wearable data you choose to provide).

  • Usage and device information — app interactions, log data, and a push-notification token (notification contents are generic and contain no health details).

We explain, for each type, whether information is collected once or on an ongoing basis, and you can change these choices at any time in the app's privacy settings.

How we use your information

  • To provide and maintain the service (store your records, let you view and share them, support messaging with your care team).

  • To personalize AI guidance that you opt into (see "AI assistant").

  • To keep the service secure (fraud prevention, abuse detection, protecting your account).

  • To communicate service and account messages. Marketing messages are optional and sent only with your separate opt-in consent.

Some uses are required to provide the service; others are optional and only happen with your consent. You can decline optional uses without losing access to core features.

AI assistant

Our AI assistant gives you personalized education and guidance and helps summarize information for your provider. It is off by default — you turn it on with an in-app consent toggle. AI responses are clearly labeled as AI-generated and are not a substitute for professional medical advice; the assistant does not make automated decisions that produce legal or similarly significant effects. AI processing is performed by our cloud provider (AWS, using Anthropic via AWS Bedrock) under a business-associate agreement. We do not use your data to train AI models, and your data is not retained by the AI provider for training.

Session data and tracking

We use session data only as needed for the app to function and to keep it secure. We do not use tracking pixels or third-party advertising/analytics trackers, we do not sell your personal data, and we do not use or track your personal or health data for targeted advertising.

How we share your information

We share information only:

  • With service providers / sub-processors that process data on our behalf under contracts that bind them to commitments similar to those in this Policy. Our principal sub-processors are Fasten (identity verification via CLEAR/ID.me and health-records connectivity over the TEFCA network) and our cloud provider (hosting, authentication, and AI processing). In-app messaging is handled within the application. Each sub-processor that handles your data is engaged under a data-processing / business-associate agreement.

  • With recipients you direct — when you share a health summary (for example, with your provider after an AI symptom summary), we disclose only what you choose, to the recipient you choose.

  • As required by law.

Effect on others: some health information (e.g., genetic or family-history information) may reveal information about your relatives — please consider this before sharing.

Your choices and consent

  • No default sharing — we obtain your informed, proactive opt-in before disclosing your personal data.

  • Granular controls — you turn specific uses (AI, notifications, etc.) on or off in the app's privacy settings; everything is off until you choose.

  • Withdraw consent easily at any time in the app.

  • Direct your sharing — you choose recipients and what to include.

Your rights — access, correction, deletion

  • Access / export — view the personal data we hold about you and download your data from the app.

  • Correction — report inaccurate or incomplete data in the app; where an error came from another source (e.g., a provider), we will tell you and explain your HIPAA right to request a correction from that source.

  • Deletion ("right to be forgotten") — delete your account in the app; we securely and permanently delete your personal data (cascading across our database and records store), except where we are legally required to retain it.

Data retention and inactive accounts

We keep your information only as long as needed to provide the service or as required by law. If your account becomes inactive, we notify you at 12 months and again at 13 months, lock it at 14–15 months, and delete the data at 24 months of inactivity. Deleted data is purged from backups within 90 days and is not archived — you would need to re-establish it.

How we protect your information

We use administrative, physical, and technical safeguards, including encryption in transit and at rest, access controls and audit logging, and contractual protections on our vendors. No method of transmission or storage is 100% secure, but we work to responsibly protect your data.

Data provenance

Where possible, we maintain the source of your data and, when it changes, a record of what changed — so you and your authorized recipients understand its origin.

Children's privacy

Well is intended for adults, including parents/guardians acting on behalf of a child. We collect date of birth at sign-up and comply with the Children's Online Privacy Protection Act (COPPA): individuals under 13 cannot create a self-managed account and are routed to a verified parent/guardian who manages the account and provides consent. If we learn we have inadvertently collected information from a child under 13 outside this flow, we will delete it. Parents/guardians can review, delete, or refuse further collection by contacting us at privacy@bairwise.com.

SMS program

By opting into our SMS program, you agree to receive text messages from us about app development, beta testing, and related service information. We do not share your phone number or personal information with third parties for their marketing. You can opt out anytime by replying STOP; reply HELP for assistance. Message frequency varies; message and data rates may apply.

Changes to this Policy

We may update this Policy. We will proactively notify you of material changes — including, where required, prompting you to re-affirm your consent before continued use — and we will post the updated Policy here with a new effective date.

Contact us

Our responsible executive for these data commitments is Dr. Michael Hecht, MD, Founder & Chief Medical Officer. For questions, requests, or complaints, contact us at privacy@bairwise.com or by mail at 875 E 12th St, Brooklyn, NY 11230. We will acknowledge and respond promptly. You may also contact the Federal Trade Commission or your State Attorney General.

When Well receives a certification or accreditation (such as DirectTrust / CARIN), we will note it here, including its timing and duration.