Legal
Privacy Policy
Last updated April 23, 2026
This Privacy Policy explains what information WearLink collects, how we use it, and the rights you have over it. It covers both developer accounts (the customers who integrate with our API) and the end-users whose health data flows through the platform.
Developer accounts
When you sign up, we collect your name, email, hashed password, and operational metadata (IP address, user agent, created/updated timestamps). We use this to authenticate you, secure the account, bill you, and notify you about changes to the Service. Data is retained for as long as the account is active plus a reasonable window afterwards for dispute resolution and tax records.
End-user health data
We store only what the developer integration asks us to store, plus normalised derivatives of that data (health scores, time-series aggregations). We don't sell end-user data, we don't train models on it, and we don't share it with third parties except the subprocessors listed below.
End-users can exercise their GDPR Article 15 / 17 rights (access, erasure) via the developer's own interface, which uses our POST /v1/users/<id>/export and DELETE /v1/users/<id> endpoints.
Subprocessors
- Amazon Web Services — infrastructure hosting (data resident in the region the customer selects at provisioning time).
- Svix — outbound webhook delivery and retries.
- Razorpay — payment processing (PCI-DSS Level 1).
- Sentry — exception monitoring (error payloads are scrubbed of PII).
- Resend / Postmark — transactional email delivery.
Security
Data in transit uses TLS 1.2+. Data at rest is encrypted with AES-256. API keys and OAuth tokens are encrypted with per-tenant keys before being written to Postgres. We maintain an audit log of privileged actions; see /.well-known/security.txt for our responsible-disclosure contact.
Cookies
We use a small number of first-party cookies for authentication and session state. We don't run third-party analytics or advertising trackers on the marketing site.
Transfers
WearLink data is hosted in the region you select at signup. If your region is outside your jurisdiction, we rely on Standard Contractual Clauses for any cross-border processing required to deliver the Service.
Contact
Reach us at hello@wearlink.io. For security reports, use the address listed in /.well-known/security.txt.