W
WellOps
Terms of ServiceProvider AgreementCorporate Client TermsPrivacy PolicyTrust & SecurityInsurance Disclaimer

Legal

Trust & Security

Last updated: July 5, 2026Effective: July 5, 2026

WellOps is owned and operated by WellOps, LLC, an Arizona limited liability company. This page describes, in plain language, how we protect the data on our platform and how we operate securely. It is written for providers, corporate clients, and their security and procurement teams evaluating WellOps. Everything below reflects how the platform actually works today — we do not claim certifications or audits we have not completed.

1. HIPAA is not applicable to WellOps

WellOps is operational and booking software for wellness services — not a medical, clinical, or health-records system. We are not a HIPAA covered entity and not a business associate, and WellOps does not create, receive, maintain, or transmit Protected Health Information (PHI).

  • WellOps handles business logistics: corporate requests, quotes, event schedules, booking slots, invoices, and provider account data.
  • We do not ask for, and we ask employees not to submit, medical histories, diagnoses, medications, or treatment records. Free-text fields on our booking pages are limited to general session preferences (for example, pressure preference or mobility notes).
  • Where a provider offers a licensed-healthcare service (such as acupuncture or IV hydration), that provider — not WellOps — owns any patient health information directly, in their own systems. Our request and booking pages for those services deliberately skip health and medical questions.

Because WellOps does not touch PHI, HIPAA and Business Associate Agreements (BAAs) do not apply to our platform. If a provider believes their use case involves PHI, that data must not be entered into WellOps.

2. What data we collect

We collect only the business data needed to operate the platform. This is summarized here and covered in full in our Privacy Policy.

  • Providers: business and contact details, brand preferences, insurance certificates and other uploaded documents, account credentials, and a payment method (stored by Stripe, not by us).
  • Corporate clients: company and contact details and event preferences submitted with a wellness request.
  • Employees: name, work email, and chosen appointment time, plus optional non-medical session preferences. No account is required.
  • Usage & analytics: aggregate product-usage data (pages and features used) and general device/location signals, used to improve the product — not for advertising.

We do not sell, rent, or trade personal data for marketing purposes.

3. Encryption in transit and at rest

  • In transit: all connections to WellOps are encrypted with TLS (HTTPS). Traffic is served only over HTTPS.
  • At rest: the database and uploaded files are encrypted at rest by our infrastructure providers (Supabase, hosted on AWS). Payment card data is encrypted and stored by Stripe — WellOps never stores full card numbers.

4. Tenant isolation & access control

Each provider is a separate tenant, and one tenant can never read or change another tenant’s data. We enforce this in multiple layers:

  • Row-Level Security (RLS): our database enforces per-tenant row-level security policies, so data access is scoped to the owning account at the database layer — not just in application code. Public (unauthenticated) reads of sensitive tables return no rows.
  • Role-based access control (RBAC): within a provider account, teammates have roles (Owner, Admin, User, Viewer). Sensitive areas such as Documents, revenue totals, and billing are restricted to Owners and Admins.
  • Token-scoped public flows: corporate quote review, quote approval, employee booking, and invoice payment happen through opaque, unguessable capability tokens tied to a single record. These tokens are generated with cryptographically secure randomness, are never exposed in our public API responses, and grant access only to the one record they belong to.
  • Least privilege: privileged operations run only in server-side code, never in the browser.

5. Sub-processors

We rely on a small set of established sub-processors to run the platform. Each processes only the data needed for its function:

  • Supabase (hosted on AWS, US region) — database, authentication, and encrypted file storage.
  • Stripe — payment processing and payouts. Stores provider payment methods; WellOps does not store card numbers.
  • Resend — transactional email delivery (quotes, confirmations, notifications).
  • PostHog — product analytics.
  • Google Analytics 4 — web analytics.
  • Replit — application hosting and deployment infrastructure.
  • Coverdash — optional insurance partner. WellOps does not transmit personal data to Coverdash; a provider only reaches Coverdash by clicking through to Coverdash’s own site.

6. Data retention

We keep data only as long as needed to operate the platform and meet legal obligations:

  • Provider accounts: for the life of the account, plus 12 months after termination.
  • Uploaded documents (COI, service agreements): for the life of the account, plus 24 months, to support compliance and dispute resolution.
  • Corporate client data: 24 months from last interaction.
  • Employee booking data: 12 months from the event date, then deleted or anonymized.
  • Analytics data: retained by PostHog and Google Analytics per their own policies (typically ~24 months for GA4).

7. Backups & disaster recovery

  • Automated daily database backups with 7-day retention.
  • Point-in-time recovery covering the most recent 7 days for fine-grained restores.
  • Periodic full data exports kept as an additional independent copy.

These layers let us restore service and data after an incident, hardware failure, or accidental change.

8. Breach notification

If we become aware of a security breach affecting your data, we will notify affected users without undue delay and in accordance with applicable law. Our notice will describe, to the extent known, what happened, what data was involved, and the steps we and you can take in response.

9. Your data rights (access, export & deletion)

Providers can export all of their account data at any time from Settings (a downloadable archive of their records). You can also request access to, correction of, or deletion of your data by emailing us; we respond within 30 days, subject to legal retention requirements. Employees may request deletion of their booking data the same way. Full details are in our Privacy Policy.

10. Reporting a vulnerability & security contact

We welcome reports from security researchers and customers. If you believe you’ve found a vulnerability or have a security question, email hello@wellopsapp.com. Please give us reasonable time to investigate and remediate before any public disclosure. Our machine-readable security contact is published at /.well-known/security.txt.

11. What we do not claim

In the interest of honesty for due-diligence reviews: WellOps has not completed a SOC 2, ISO 27001, or comparable third-party audit, and does not claim one. We do not perform routine external penetration testing at this time. This page describes the real, currently-implemented controls above — nothing more. We will update it as our program matures.


Also see: Privacy Policy · Terms of Service

Terms of ServiceProvider AgreementCorporate Client TermsPrivacy PolicyTrust & SecurityInsurance Disclaimer

© 2026 WellOps, LLC. Questions? hello@wellopsapp.com