Privacy Policy
Last updated: June 17, 2026
| Last Updated | June 17, 2026 |
|---|---|
| Operator | WLLNSS sp. z o.o. |
| Registered Address | Aleja Solidarności 117/615, 00-140 Warsaw, Poland |
| Governing Law | Republic of Poland |
| Contact | s.atanasov@wllnss.health |
At WLLNSS we process your process personal data according to the provisions of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter: GDPR).
1. Who is the Data Controller of your personal data?
Data Protection Officer (DPO)
We have appointed a Data Protection Officer to supervise compliance with data protection regulations. You may contact our DPO, Ivan Kuzmitski, at i.kuzmitski@wllnss.health.
The Data Controller of your personal data is WLLNSS spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw, address: Aleja Solidarności 117-615, 00-140 Warsaw, entered into Registry of Entrepreneurs of National Court Registry held by the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Division of National Court Registry under KRS No.: 0001013538, NIP: 5273036904, VAT EU: PL5273036904, REGON: 524184997, REGON of a medical entity: 52418499700010, share capital: PLN 63.100,00.
2. How can you contact the Data Controller?
A contact with a Data Controller is possible via:
- e-mail, by sending an email to: info@wllnss.health,
- traditional mail, by sending a letter to: WLLNSS sp. z o.o., Aleja Solidarności 117-615, 00-140 Warsaw
3. What are legal bases for processing your personal data?
The legal basis for processing of your personal data varies, depending on occurrence of scenarios indicated below:
If you visit our website https://wllnss.health or use our online applications | We process your personal data for purposes of:
These data we save especially within cookie files and logs relating to website’s or online app’s visits. The legal basis for processing of personal data in this case is Article 6.1.f of the GDPR enabling us to process personal data when it is necessary for the purposes of legitimate interests pursued by the Data Controller or third party, where the legitimate interest in this case is connected with ensuring proper functioning of the website, maintaining statistics regarding website’s functioning, displaying ads, combating fraud and infringing provisions of applicable law. |
|---|---|
| If you use the contact form available on the website or you send us messages to the provided e-mail address, or you contact us via mail or via phone | We process your personal data for purposes of contacting you and exchanging messages. The legal basis for processing of personal data is Article 6.1.f of the GDPR enabling us to process personal data when it is necessary for the purposes of legitimate interests pursued by the Data Controller or third party, where the legitimate interest in this case is connected with processing personal data for purposes of contacting persons and responding to questions they ask. |
| Where we have to process your personal data for purposes of preventing infringements and fraud, as well as possible pursuing of claims or defending against claims | Processing of your personal data is carried out on basis of Article 6.1.f of the GPDR, which indicates that processing of personal data is possible where it is necessary for purposes of Data Controller’s legitimate interests. The legitimate interest in this case is defending against claims and pursuing claims. |
| If you contact us for purposes of establishing cooperation, or you already are our Client, Contractor, Service Provider, or you cooperate with us on basis of a civil law contract | If you contact us for purposes of beginning to use our services, then we process your personal data for the purpose of undertaking activities you request before we conclude an agreement. If you already are our Client, then we process your personal data for purposes of performing the agreement. In such cases, the legal basis for personal data processing is Article 6.1.b of the GPDR, enabling processing of personal data where it is necessary for the performance of an agreement to which the data subject is party or in order to take steps at the request of the data subject prior to entering into an agreement. Moreover, we can process your personal data for purposes of complying with our legal obligations stemming from conclusion of agreements, especially accountancy and tax obligations – on basis of Article 6.1.c. of the GDPR, which enables data processing where it is necessary for compliance with a legal obligation to which the controller is subject |
| Where you are a person acting on behalf of our Client, Contractor, or Service Provider (that is, the entity which concluded an agreement with us) and as such, you contact us acting as a representative of our Client, Contractor, or Service Provider (e.g., as a member of the board, employee, or associate) | We process your personal data for purposes of concluding or performing an agreement concluded between us and the Client, Contractor, or Service Provider. The legal basis for processing of personal data is Article 6.1.f of the GDPR enabling us to process personal data when it is necessary for the purposes of legitimate interests pursued by the Data Controller or third party. The legitimate interest in this case is connected with processing personal data for purposes of concluding and performing agreements concluded between us and our Client, Contractor, or Service Provider which requires contacting representatives of the Client, Contractor, or Service Provider. |
| If you use our medical services in regard to remote medical consultations, including those basing on your agreements with our contractor | In a scenario where you use IT tools created and operated by WLLNSS which enable you to conduct activities connected with arranging medical consultations (in various fields of medicine), and especially in order to:
WLLNSS may process special categories of personal data, in particular data concerning health. Such data are processed on the basis of: (a) Article 9(2)(a) GDPR — your explicit consent; and (b) Article 9(2)(h) GDPR — where processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services. Where processing is based on your consent, you have the right to withdraw such consent at any time, without affecting the lawfulness of processing carried out before its withdrawal. Moreover, WLLNSS can process your personal data which does not constitute a special category of data and is related to provision of services. This data can especially be connected with verifying you as a user of WLLNSS services and platforms and creating your own user account – for example, your name, surname, e-mail address, phone number, and date of birth. In such a case, your personal data is processed on basis of Article 6.1.b of the GDPR, enabling processing of personal data where it is necessary for the performance of an agreement to which the data subject is party or in order to take steps at the request of the data subject prior to entering into an agreement. This processing takes places in order to perform our agreement with our contractor, which in turn leads to contractor performing their agreement with you. Also, in connection with provision of medical services, we are obliged to process personal data of patients in accordance with requirements arising from provisions of law. The legal basis for processing of personal data in this regard is Article 6.1.c of the GDPR enabling processing of personal data where it is necessary for compliance with a legal obligation to which the controller is subject. In this case, these obligations are connected with provisions of Act from 6th of November 2008 on rights of a patient and Patient’s Right Office (Ustawa z dnia 6 listopada 2008 r. o prawach pacjenta i Rzeczniku Praw Pacjenta) and Act from 15th of April 2011 on medical activities (Ustawa z dnia 15 kwietnia 2011 r. o działalności leczniczej), as well as other legal acts which regulate the matter in more detail. |
| If you subscribe to our newsletter or other mailing lists | If you subscribe to our mailing list (newsletter), the legal basis for processing personal data in this regard is our legitimate interest, that is, conducting marketing and promotional activities. We process your personal data on the basis of Article 6.1.f. of the GDPR, which states that the processing of personal data is lawful if the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller. What is more, specific legal provisions arising from the Polish Telecommunications Act require us to obtain prior consent before sending marketing messages. Therefore, we will not send any e-mails if such a consent has not been given by you. |
| Employer-Sponsored Access (B2B2C) | Where You access the Service through your employer, WLLNSS may process your personal data in connection with a corporate agreement concluded with your employer. In such cases: • WLLNSS may act as a data processor on behalf of the employer for certain processing activities, pursuant to a Data Processing Agreement; • your employer receives only aggregated and anonymized reports; • your employer does not have access to your individual health data, consultations, or personal wellbeing information; • your personal data remain confidential and are not shared with your employer in identifiable form. The legal basis for such processing may include Article 6(1)(b), 6(1)(f), and where applicable Article 9(2)(a) GDPR. |
| Customer Support via Live Chat (Crisp) | If you use the live chat feature on our website or within the Application, we process your personal data through our chat provider, Crisp IM SAS (France, EU), including your email address and/or phone number (if provided), message content, IP address, device type, and language preference. The legal basis for this processing is Article 6(1)(b) GDPR (provision of customer support) and Article 6(1)(f) GDPR (legitimate interest in responding to inquiries). Crisp IM SAS acts as our data processor under a Data Processing Agreement. As Crisp is established in the European Union, no Standard Contractual Clauses are required for this transfer. Your chat data is stored within EU data centres (Netherlands, Germany, with encrypted backups in Ireland). |
| AI-Powered Wellness Recommendations (Google Vertex AI — Gemini) | The Application uses Google's Vertex AI (Gemini models) to generate personalised wellness recommendations and content tailored to you. This processing may involve information relating to your mood, self-reported symptoms, and wellbeing diary entries, which constitute special category data under Article 9 GDPR. Before being sent to Google, this data is pseudonymised — direct identifiers (such as your name, e-mail address, and account ID) are replaced with a token, and re-linked to your account only by WLLNSS upon receiving the response. As re-identification by WLLNSS remains possible, this data continues to be treated as personal data under GDPR. The legal basis for this specific processing is your separate, explicit, freely given, and informed consent (Article 9(2)(a) GDPR). You may withdraw this consent at any time via the privacy settings available within the WLLNSS application, without affecting your ability to use other features of the Service. Where technically available, this data is processed within Google's EU infrastructure (europe-west4, the Netherlands). Google LLC acts as our data processor under the Google Cloud Data Processing Addendum, incorporating Standard Contractual Clauses for any data transferred outside the EEA. AI-generated recommendations are informational only and do not constitute medical advice, diagnosis, or treatment. |
4. Who can we share your personal data with?
For purposes of ensuring proper provision of our services, we use the help of some third parties. For that reason, personal data provided by you can be shared with:
entities providing us with server and hosting services:
Digital Ocean LLC with its seat in New York, NY, USA,
Amazon Web Services EMEA SARL with its registered office in Luxembourg and Amazon Web Services, Inc. with its seat in Seattle, Washington, USA.
- entity providing us with accounting services: PVB POLSKA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (Aleja ”Solidarności” 117/615, 00-140 Warszawa, NIP: 5252947664)
- various entities, being qualified medical professionals (especially doctors, nurses, psychiatrists), as well as professional laboratories conducting tests and examinations, to whom WLLNSS subcontracts provision of certain services – the goal of sharing personal data is beginning or continuing provision of medical services,
- entities providing us with Google Workspace and Google Analytics services – Google Ireland Limited, Gordon House Barrow Street Dublin 4, Ireland, and Google LLC with its seat in Mountain View, California, USA.
Due to the fact that your personal data can be processed by entities
such as Google, Amazon, or Digital Ocean, your personal data can be
subject to transfer outside of the European Economic Area. The legal
basis of transferring your personal data to the USA is EU-U.S. Data
Privacy Framework, accepted by the European Commission.
These transfers are carried out only when necessary and always with
appropriate safeguards, including:
- Standard Contractual Clauses (SCC) approved by the European Commission, or
- Participation in the EU-U.S. Data Privacy Framework, where applicable.
We have signed Data Processing Agreements (DPAs) and implemented SCCs with the following partners:
| Partner | Country | Purpose | Safeguard |
|---|---|---|---|
| UAB DOBRA GPI | Lithuania, EU | Digital therapy | DPA only |
| iHairium Inc | USA | AI - Medical consultation & diagnostics | DPA + SCC |
| Elomia Health Inc | USA | Mental chatbot | DPA + SCC |
| Kinda Smart Inc / Kinestex | USA | AI-guided exercise platform | DPA + SCC |
| KSF Software Trading FZCO | UAE, Dubai | AI - Medical consultation & diagnostics | DPA + SCC |
| Skinive Holding B.V. | Netherlands, EU | AI - Medical consultation & diagnostics | DPA only |
| EAAS Bluefish Solutions Ltd | Cyprus | AI - Medical consultation & diagnostics | DPA only |
| Google LLC (Vertex AI — Gemini API) | USA / EU (europe-west4) | AI-powered wellness recommendations and content personalisation | DPA + SCC |
Standard Contractual Clauses (SCC) refer to the European Commission Implementing Decision (EU) 2021/914.
Where partners are located within the European Economic Area (EEA), SCCs are not required and processing is subject to GDPR directly.
These partners are contractually required to handle your data in accordance with the same high standards of security and compliance as we do, and only for the purposes defined in our agreement.
We do not share your personal data with advertisers or third-party marketing partners without your explicit, informed consent.
5. For how long do we store your personal data?
We do our best to store your personal data only for as long as it is actually necessary, and after that we delete it. The time for which we store your personal data depends on what is the type of our interaction:
- If you are a person who entered our website, we process your personal data for as long as you use the website and up to 14 months after your last visit.
- If you contact us via contact form, e-mail, or mail – we process your personal data for as long as the contact between us is maintained and for 3 months after it ends.
- If you are our Client (entity which concluded an agreement with us) or its representative – we process your personal data for as long as the agreement between us is binding and for the duration of limitation of claims (up to 3 years from termination or expiration of the agreement).
- If you use services of WLLNSS, your personal data which is not entered into your medical documentation is processed until the end of provision of services and for the duration of limitation of claims (up to 6 years from termination or expiration of the agreement).
In a scenario where WLLNNS creates medical documentation regarding individuals using services of WLLNSS, such data within that documentation is generally stored for a period of 20 years, counted from the end of a calendar year in which the last entry to medical documentation was made, as envisioned by Polish law. There are exceptions to abovementioned period:
medical documentation in case of patient’s death as a result of bodily injury or poisoning shall be retained for period of 30 years counting from the end of the calendar year in which the death occurred,
medical documentation containing the data necessary to monitor the fate of blood and its components shall be retained for a period of 30 years, counting from the end of the calendar year in which the last entry was made,
x-rays kept outside the patient's medical records shall be retained for a period of 10 years from the end of the calendar year in which the image was taken,
referrals for examinations or doctor's orders, shall be retained for a period of:
5 years, counting from the end of the calendar year in which the health service that is the subject of the referral or physician's order was provided,
2 years, counting from the end of the calendar year in which the referral was issued - in case the health care service was not provided due to the patient's failure to appear within the established time limit, unless the patient received the referral,
medical documentation regarding children under the age of 2 shall be retained for 22 years.
- Data processed for purposes of fulfilling accountancy and tax obligations shall be processed for a period of 5 years from the end of the calendar year in which the deadline for payment of tax obligation has lapsed.
- If you subscribed to our mailing list (newsletter) we process your personal data until you unsubscribe to the newsletter or until we stop carrying out marketing and promotional activities connected to that specific mailing list.
6. What rights do you have when it comes to personal data processing?
Due to the fact that your personal data is processed, you have the following rights:
| Request access to your personal data | You can request confirmation from us that your personal data are processed and request appropriate information in this regard, including information on what types of personal data are processed and for which purposes. |
|---|---|
| Request rectification of your personal data | You have the right to request immediate rectification of incorrect personal data and supplement incomplete personal data. |
| Request erasure of your personal data | You have the right to request immediate erasure of your personal data if any of the following criteria apply:
|
| Request restriction of processing your personal data | You have the right to restrict the processing of your personal data if:
|
| Request transferring your personal data | You have the right to receive the personal data concerning you, which you provided, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller. Such requests can be fulfilled only where your personal data are processed on the basis of consent or an agreement and are processed by automated means. You also have the right to request from us sending of your personal data directly to another controller, assuming that it is technically possible. |
| Right to file a complaint to a competent authority | You have the right to file a complaint to an authority competent in matters related to personal data processing – in Poland it is the President of Data Protection Officer (Prezes Urzędu Ochrony Danych Osobowych – PUODO), address: Urząd Ochrony Danych Osobowych, Stawki 2, 00-193 Warsaw. |
| Right to withdraw your consent for processing | You have the right to withdraw consent for processing of your personal data in a scenario, where the consent is a legal basis of such an activity. You can also withdraw consent where a specific activity undertaken by us is based on consent in understanding of regulations on protection of personal data, especially when it comes to sending marketing messages. You may also withdraw your consent at any time via the privacy settings available within the WLLNSS application, where such functionality is provided. Withdrawing consent does not affect the legality and effectiveness of personal data processing until the consent was withdrawn. |
| Object to the processing of your personal data | You have the right to object to personal data processing in scenarios where the legal basis for processing is our legitimate interest. |
7. Additional information
WLLNSS does not carry out automated decision-making producing legal effects or similarly significant effects within the meaning of Article 22 GDPR.
However, certain features of the Service may involve limited profiling or personalization (for example, AI-based wellbeing recommendations). Such processing does not produce legal or similarly significant effects and is used solely for informational and user experience purposes.
Provision of personal data is voluntary, although in scenarios where we process your personal data in order to conclude or perform a concluded agreement, and especially to provide you with access to WLLNSS services connected with remote medical consultations, withholding from providing personal data might render provision of services impossible.
8. Data Security Measures
We implement appropriate technical and organizational measures to
ensure the security of your data. These include:
- Encryption of data in transit and at rest,
- Pseudonymization,
- Access control and role-based permissions.
While we take security seriously, no method of transmission or storage
is 100% secure. Therefore, we cannot guarantee absolute protection of
your data, though we follow industry standards and legal
requirements.
Cookie files
Cookie files are small files which enable or facilitate usage of certain functions of the Website. They can be saved on your device directly by us or by third parties with whom we cooperate. In connection with using cookies by us, we may process your personal data, such as your IP address, history of your use of the Website, or information about the device or software you use. The cookie files we use are connected with functioning of our Website, monitoring Website’s traffic, maintaining statistics on how the website is used by the users, undertaking marketing activities, preventing errors and technical malfunctions, ensuring security, as well as preventing frauds and violations of applicable law.
There are the following types of cookies files:
Session cookies: cookies that are stored on your device
during the time you use the Website (they are deleted when you close
your web browser). Session cookies enable the correct use of the
Website. Blocking them may result in encountering errors or prevent you
from using the Website.
Persistent cookies: they are stored on your device
until they are deleted or until they expire.
Usage of cookie files is based on your consent, expressed in accordance with Article 173 §1 of the Telecommunications Act (ustawa Prawo Telekomunikacyjne). We would like to mention that lack of such consent or subsequent deletion of cookie files may render functionalities of the website unusable.
You have the option of limiting or disabling cookies on your device. Settings regarding the use of cookies can be found in the settings of your web browser. Web browsers allow you to disable all cookies or certain groups of cookies (e.g., from third parties). If you disable cookies just partly, cookies used within the Website may be saved on your device, enabling the Website to function properly. If you limit usage of cookie files, using specific services we provide can be limited, and even impossible in some scenarios.
9. Changes to this Privacy Policy
This Privacy Policy may be updated from time to time to reflect changes in legal requirements or in the way we process personal data. The latest version is always available at https://wllnss.health/privacy. If substantial changes are made, we will notify users via the application or by email.


