Privacy Policy Beta
Effective date: March 4, 2026
1. Introduction
WellnessDesk ("we," "our," or "us") operates the wellnessdesk.pro platform ("the Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service as a wellness coach or practitioner ("Provider") or as a client of a Provider ("Client").
By using the Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service.
2. Our Role: Data Processor vs. Data Controller
Understanding the distinction between data controller and data processor is important:
- For Provider account data: WellnessDesk is the data controller. We determine how and why your account information is processed.
- For Client data entered by Providers: The Provider is the data controller, and WellnessDesk acts as a data processor on the Provider's behalf. Providers are responsible for having a lawful basis to collect and process their clients' personal data, including obtaining appropriate consent.
If you are a Client and have questions about how your Provider uses your data, please contact your Provider directly.
3. Information We Collect
Information you provide directly
- Account information: Name and email address when you sign up via Google OAuth or email/password registration.
- Email verification data: Verification tokens and status for email/password accounts.
- Business information (Providers): Business name, timezone, specialties, service descriptions, pricing, availability schedules, and website/booking page content.
- Client data (entered by Providers): Client names, email addresses, session notes, engagement records, activity assignments, and shared resources.
- Messages: Communications sent between Providers and Clients through the platform's messaging feature.
- Content uploads: Images, documents, and other files uploaded for booking pages, resources, or activities.
- Payment information: Billing details are processed securely through Stripe. We do not store credit card numbers, CVVs, or full payment card data on our servers. Stripe acts as our PCI-DSS compliant payment processor.
Information collected automatically
- Usage data: Pages visited, features used, booking interactions, and platform navigation patterns.
- Device information: Browser type, operating system, screen resolution, and device identifiers.
- Log data: IP addresses, access times, referring URLs, and error logs.
- Cookies: We use strictly necessary cookies for authentication and session management (see Section 7).
Information from third-party integrations
- Google OAuth: Name, email address, and profile picture from your Google account (when you choose to sign in with Google).
- Google Calendar: Calendar event data when you connect your Google Calendar for scheduling synchronization. We access only the calendar data necessary to sync bookings.
- Stripe: Subscription status, payment confirmation, and customer identifiers. We do not receive or store your full payment card details.
4. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: Provide, operate, and maintain the platform, including scheduling, messaging, notifications, resource sharing, and the client portal
- Booking management: Process appointments, send confirmations, reminders, and facilitate rescheduling or cancellations
- Video sessions: Facilitate virtual sessions through integrated video conferencing
- Calendar sync: Synchronize bookings with your connected Google Calendar
- Payment processing: Process subscription payments, manage billing, and handle checkout through Stripe
- Communications: Send transactional emails (booking confirmations, reminders, verification emails), respond to support requests, and notify you of important account or Service changes
- Security: Detect, prevent, and address fraud, unauthorized access, and other security issues
- Improvement: Analyze usage patterns to improve platform features and user experience
- Legal compliance: Comply with applicable laws, regulations, and legal processes
We do not use your information for behavioral advertising or sell it to third-party advertisers.
5. Data Sharing and Disclosure
We do not sell your personal information. We share data only in the following circumstances:
Service providers (sub-processors)
We use the following third-party services to operate the platform:
- Google Cloud Platform: Cloud hosting, database, and storage infrastructure (United States)
- Stripe, Inc.: Payment processing and subscription management
- Google: OAuth authentication and Calendar integration
- Daily.co: Video conferencing infrastructure for virtual sessions
Each sub-processor is contractually obligated to protect your data and process it only as needed to provide their services.
Provider-Client data sharing
Certain data is shared between Providers and their Clients as part of the coaching relationship:
- Booking details, messages, shared resources, and activity assignments are visible to both the Provider and the relevant Client
- Provider-only session notes are not visible to Clients
- Provider business information (name, services, availability) is visible on public booking pages
Other disclosures
- Legal requirements: When required by law, regulation, subpoena, court order, or other legal process
- Safety: To protect the rights, safety, or property of WellnessDesk, our users, or the public
- Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, in which case your data would remain subject to this Privacy Policy
6. Data Security
We implement technical and organizational security measures to protect your data, including:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
- Tenant isolation: Each Provider's data is logically isolated using row-level security (RLS) at the database level, ensuring one Provider cannot access another Provider's data
- Access controls: Role-based access controls restrict data access to authorized personnel and functions
- Secure authentication: Passwords are hashed using BCrypt; OAuth tokens are managed securely
- Payment security: Credit card data is handled exclusively by Stripe (PCI-DSS Level 1 certified) and never touches our servers
While we implement commercially reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
7. Cookies
We use a minimal set of cookies that are strictly necessary for the Service to function:
- Session cookie: Maintains your authenticated session while using the platform
- Cookie consent: Remembers your cookie preference
- OAuth state: Temporary cookies used during the Google sign-in process for security (CSRF protection)
We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track you across other websites. Because our cookies are strictly necessary for the Service to operate, they do not require separate consent under most privacy regulations.
8. Data Retention
- Active accounts: We retain your data for as long as your account is active and as needed to provide the Service.
- After cancellation: When you cancel your subscription, your data is retained for 30 days to allow for reactivation or data export. After 30 days, your personal data is deleted or anonymized.
- Account deletion: Upon request, we will delete your personal data within 30 days, except where retention is required by law (e.g., financial records, tax obligations).
- Backups: Data may persist in encrypted backups for up to 90 days after deletion before being permanently removed.
- Legal obligations: We may retain certain data longer where required by applicable law, regulation, or legal proceedings.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request that we correct inaccurate or incomplete data
- Deletion: Request that we delete your personal data (subject to legal retention requirements)
- Portability: Request your data in a structured, commonly used, machine-readable format
- Restriction: Request that we restrict processing of your data in certain circumstances
- Objection: Object to processing of your data based on our legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw that consent at any time
To exercise any of these rights, contact us at support@wellnessdesk.pro. We will respond to your request within 30 days (or sooner where required by law). We may ask you to verify your identity before fulfilling your request.
10. European Economic Area (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply:
- Legal basis for processing: We process your data based on: (a) performance of our contract with you (providing the Service); (b) your consent (where applicable); (c) our legitimate interests (improving the Service, security, fraud prevention); and (d) legal obligations.
- International transfers: Your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards to ensure your data is protected in accordance with GDPR requirements.
- Data Protection Officer: For GDPR-related inquiries, contact us at privacy@wellnessdesk.pro.
- Supervisory authority: You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You may request details about the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of your personal information, subject to certain legal exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising.
- Non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To submit a request, email support@wellnessdesk.pro.
12. Healthcare Data Disclaimer
WellnessDesk is designed for non-licensed wellness professionals (wellness coaches, life coaches, holistic practitioners, and similar roles). The platform is not designed or intended to be used for the storage, transmission, or processing of Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).
We are not a HIPAA-covered entity and do not offer Business Associate Agreements (BAAs). If you are a healthcare provider subject to HIPAA, you should not use this platform for clinical data.
13. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us at support@wellnessdesk.pro.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance by posting the updated policy on this page, updating the effective date, and sending a notification to the email address associated with your account. Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the changes.
15. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
- WellnessDesk
- Email: support@wellnessdesk.pro
- Privacy inquiries: privacy@wellnessdesk.pro