Privacy

Last Updated	April 28, 2026
Operator	WLLNSS sp. z o.o.
Registered Address	Aleja Solidarności 117/615, 00-140 Warsaw, Poland
Governing Law	Republic of Poland
Contact	s.atanasov@wllnss.health

At WLLNSS we process your process personal data according to the provisions of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter: GDPR).

1. Who is the Data Controller of your personal data?

Data Protection Officer (DPO)

We have appointed a Data Protection Officer to supervise compliance with data protection regulations. You may contact our DPO, Ivan Kuzmitski, at i.kuzmitski@wllnss.health.

The Data Controller of your personal data is WLLNSS spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw, address: Aleja Solidarności 117-615, 00-140 Warsaw, entered into Registry of Entrepreneurs of National Court Registry held by the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Division of National Court Registry under KRS No.: 0001013538, NIP: 5273036904, VAT EU: PL5273036904, REGON: 524184997, REGON of a medical entity: 52418499700010, share capital: PLN 63.100,00.

2. How can you contact the Data Controller?

A contact with a Data Controller is possible via:

e-mail, by sending an email to: info@wllnss.health,
traditional mail, by sending a letter to: WLLNSS sp. z o.o., Aleja Solidarności 117-615, 00-140 Warsaw

3. What are legal bases for processing your personal data?

The legal basis for processing of your personal data varies, depending on occurrence of scenarios indicated below:

If you visit our website https://wllnss.health or use our online applications	We process your personal data for purposes of: ensuring stability, performance, and correct functioning of the website or our services, tracking website traffic, vearifying the manner in which website is used, displaying contextual advertising within our website where such advertising is served by WLLNSS without sharing Your personal data with third-party advertisers (any sharing of personal data with third-party advertising partners is conducted only on the basis of Your explicit consent, as described in Section 4 of this Privacy Policy), possible prevention of activities not compliant with applicable law. These data we save especially within cookie files and logs relating to website’s or online app’s visits. The legal basis for processing of personal data in this case is Article 6.1.f of the GDPR enabling us to process personal data when it is necessary for the purposes of legitimate interests pursued by the Data Controller or third party, where the legitimate interest in this case is connected with ensuring proper functioning of the website, maintaining statistics regarding website’s functioning, displaying ads, combating fraud and infringing provisions of applicable law.
If you use the contact form available on the website or you send us messages to the provided e-mail address, or you contact us via mail or via phone	We process your personal data for purposes of contacting you and exchanging messages. The legal basis for processing of personal data is Article 6.1.f of the GDPR enabling us to process personal data when it is necessary for the purposes of legitimate interests pursued by the Data Controller or third party, where the legitimate interest in this case is connected with processing personal data for purposes of contacting persons and responding to questions they ask.
Where we have to process your personal data for purposes of preventing infringements and fraud, as well as possible pursuing of claims or defending against claims	Processing of your personal data is carried out on basis of Article 6.1.f of the GPDR, which indicates that processing of personal data is possible where it is necessary for purposes of Data Controller’s legitimate interests. The legitimate interest in this case is defending against claims and pursuing claims.
If you contact us for purposes of establishing cooperation, or you already are our Client, Contractor, Service Provider, or you cooperate with us on basis of a civil law contract	If you contact us for purposes of beginning to use our services, then we process your personal data for the purpose of undertaking activities you request before we conclude an agreement. If you already are our Client, then we process your personal data for purposes of performing the agreement. In such cases, the legal basis for personal data processing is Article 6.1.b of the GPDR, enabling processing of personal data where it is necessary for the performance of an agreement to which the data subject is party or in order to take steps at the request of the data subject prior to entering into an agreement. Moreover, we can process your personal data for purposes of complying with our legal obligations stemming from conclusion of agreements, especially accountancy and tax obligations – on basis of Article 6.1.c. of the GDPR, which enables data processing where it is necessary for compliance with a legal obligation to which the controller is subject
Where you are a person acting on behalf of our Client, Contractor, or Service Provider (that is, the entity which concluded an agreement with us) and as such, you contact us acting as a representative of our Client, Contractor, or Service Provider (e.g., as a member of the board, employee, or associate)	We process your personal data for purposes of concluding or performing an agreement concluded between us and the Client, Contractor, or Service Provider. The legal basis for processing of personal data is Article 6.1.f of the GDPR enabling us to process personal data when it is necessary for the purposes of legitimate interests pursued by the Data Controller or third party. The legitimate interest in this case is connected with processing personal data for purposes of concluding and performing agreements concluded between us and our Client, Contractor, or Service Provider which requires contacting representatives of the Client, Contractor, or Service Provider.
If you use our medical services in regard to remote medical consultations, including those basing on your agreements with our contractor	In a scenario where you use IT tools created and operated by WLLNSS which enable you to conduct activities connected with arranging medical consultations (in various fields of medicine), and especially in order to: remotely contact doctors, manage meetings with doctors, prepare a schedule of your treatment, manage the process of providing medical services, receiving requested information from doctors, store your medical documentation, WLLNSS may process special categories of personal data, in particular data concerning health. Such data are processed on the basis of: (a) Article 9(2)(a) GDPR — your explicit consent; and (b) Article 9(2)(h) GDPR — where processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services. Disclosure regarding AI partners processing health data: Certain AI-powered features of the Service (including AI-assisted medical consultations, diagnostics and mental health support functionalities) are provided in partnership with third-party technology providers, including providers located outside the EEA. Where the provision of these features requires the transfer of Your health data (constituting special category data under Article 9 GDPR) to such providers, such transfer is conducted: (a) on the basis of Your explicit consent pursuant to Article 9(2)(a) GDPR, which You provide when activating the relevant AI feature within the Application; and (b) subject to appropriate safeguards including Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914) and Data Processing Agreements with each provider. A list of current AI feature partners and the applicable safeguards is set out in the table above. You may withdraw Your consent to the use of AI features involving transfer of health data at any time via the Privacy Settings in the Application, without affecting the lawfulness of prior processing. Where processing is based on your consent, you have the right to withdraw such consent at any time, without affecting the lawfulness of processing carried out before its withdrawal. Moreover, WLLNSS can process your personal data which does not constitute a special category of data and is related to provision of services. This data can especially be connected with verifying you as a user of WLLNSS services and platforms and creating your own user account – for example, your name, surname, e-mail address, phone number, and date of birth. In such a case, your personal data is processed on basis of Article 6.1.b of the GDPR, enabling processing of personal data where it is necessary for the performance of an agreement to which the data subject is party or in order to take steps at the request of the data subject prior to entering into an agreement. This processing takes places in order to perform our agreement with our contractor, which in turn leads to contractor performing their agreement with you. Also, in connection with provision of medical services, we are obliged to process personal data of patients in accordance with requirements arising from provisions of law. The legal basis for processing of personal data in this regard is Article 6.1.c of the GDPR enabling processing of personal data where it is necessary for compliance with a legal obligation to which the controller is subject. In this case, these obligations are connected with provisions of Act from 6th of November 2008 on rights of a patient and Patient’s Right Office (Ustawa z dnia 6 listopada 2008 r. o prawach pacjenta i Rzeczniku Praw Pacjenta) and Act from 15th of April 2011 on medical activities (Ustawa z dnia 15 kwietnia 2011 r. o działalności leczniczej), as well as other legal acts which regulate the matter in more detail.
If you subscribe to our newsletter or other mailing lists	If you subscribe to our mailing list (newsletter), the legal basis for processing personal data in this regard is our legitimate interest, that is, conducting marketing and promotional activities. We process your personal data on the basis of Article 6.1.f. of the GDPR, which states that the processing of personal data is lawful if the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller. What is more, specific legal provisions arising from the Polish Telecommunications Act require us to obtain prior consent before sending marketing messages. Therefore, we will not send any e-mails if such a consent has not been given by you.
Employer-Sponsored Access (B2B2C)	Where You access the Service through your employer, WLLNSS may process your personal data in connection with a corporate agreement concluded with your employer. In such cases: • WLLNSS may act as a data processor on behalf of the employer for certain processing activities, pursuant to a Data Processing Agreement; • your employer receives only aggregated and anonymized reports; • your employer does not have access to your individual health data, consultations, or personal wellbeing information; • your personal data remain confidential and are not shared with your employer in identifiable form. The legal basis for such processing may include Article 6(1)(b), 6(1)(f), and where applicable Article 9(2)(a) GDPR.

4. Who can we share your personal data with?

For purposes of ensuring proper provision of our services, we use the help of some third parties. For that reason, personal data provided by you can be shared with:

entities providing us with server and hosting services:
Digital Ocean LLC with its seat in New York, NY, USA,
Amazon Web Services EMEA SARL with its registered office in Luxembourg and Amazon Web Services, Inc. with its seat in Seattle, Washington, USA.
entity providing us with accounting services: PVB POLSKA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (Aleja ”Solidarności” 117/615, 00-140 Warszawa, NIP: 5252947664)
various entities, being qualified medical professionals (especially doctors, nurses, psychiatrists), as well as professional laboratories conducting tests and examinations, to whom WLLNSS subcontracts provision of certain services – the goal of sharing personal data is beginning or continuing provision of medical services,
entities providing us with Google Workspace and Google Analytics services – Google Ireland Limited, Gordon House Barrow Street Dublin 4, Ireland, and Google LLC with its seat in Mountain View, California, USA.

Due to the fact that your personal data can be processed by entities such as Google, Amazon, or Digital Ocean, your personal data can be subject to transfer outside of the European Economic Area. The legal basis of transferring your personal data to the USA is EU-U.S. Data Privacy Framework, accepted by the European Commission.

These transfers are carried out only when necessary and always with appropriate safeguards, including:

Standard Contractual Clauses (SCC) approved by the European Commission, or
Participation in the EU-U.S. Data Privacy Framework, where applicable.

We have signed Data Processing Agreements (DPAs) and implemented SCCs with the following partners:

Partner	Country	Purpose	Safeguard
UAB DOBRA GPI	Lithuania, EU	Digital therapy	DPA only
iHairium Inc	USA	AI - Medical consultation & diagnostics	DPA + SCC
Elomia Health Inc	USA	Mental chatbot	DPA + SCC
Kinda Smart Inc / Kinestex	USA	AI-guided exercise platform	DPA + SCC
Skinive Holding B.V.	Netherlands, EU	AI - Medical consultation & diagnostics	DPA only
EAAS Bluefish Solutions Ltd	Cyprus	AI - Medical consultation & diagnostics	DPA only

Standard Contractual Clauses (SCC) refer to the European Commission Implementing Decision (EU) 2021/914.

Where partners are located within the European Economic Area (EEA), SCCs are not required and processing is subject to GDPR directly.

These partners are contractually required to handle your data in accordance with the same high standards of security and compliance as we do, and only for the purposes defined in our agreement.

For transfers of personal data to recipients located outside the European Economic Area (EEA) — in particular to recipients in the United States and the United Arab Emirates — WLLNSS has conducted Transfer Impact Assessments (TIA) in accordance with the recommendations of the European Data Protection Board (EDPB) issued on 18 June 2021 (Recommendations 01/2020). These assessments confirm that, taking into account the contractual, technical and organisational safeguards in place, the level of protection afforded to transferred personal data is not undermined. Copies of relevant documentation are available upon request addressed to the Data Protection Officer at i.kuzmitski@wllnss.health.

We do not share your personal data with advertisers or third-party marketing partners without your explicit, informed consent.

5. For how long do we store your personal data?

We do our best to store your personal data only for as long as it is actually necessary, and after that we delete it. The time for which we store your personal data depends on what is the type of our interaction:

If you are a person who entered our website, we process your personal data for as long as you use the website and up to 14 months after your last visit.
If you contact us via contact form, e-mail, or mail – we process your personal data for as long as the contact between us is maintained and for 3 months after it ends.
If you are our Client (entity which concluded an agreement with us) or its representative – we process your personal data for as long as the agreement between us is binding and for the duration of limitation of claims (up to 3 years from termination or expiration of the agreement).
If you use services of WLLNSS, your personal data which is not entered into your medical documentation is processed until the end of provision of services and for the duration of limitation of claims (up to 6 years from termination or expiration of the agreement).
In a scenario where WLLNNS creates medical documentation regarding individuals using services of WLLNSS, such data within that documentation is generally stored for a period of 20 years, counted from the end of a calendar year in which the last entry to medical documentation was made, as envisioned by Polish law. There are exceptions to abovementioned period:
medical documentation in case of patient’s death as a result of bodily injury or poisoning shall be retained for period of 30 years counting from the end of the calendar year in which the death occurred,
medical documentation containing the data necessary to monitor the fate of blood and its components shall be retained for a period of 30 years, counting from the end of the calendar year in which the last entry was made,
x-rays kept outside the patient's medical records shall be retained for a period of 10 years from the end of the calendar year in which the image was taken,
referrals for examinations or doctor's orders, shall be retained for a period of:
5 years, counting from the end of the calendar year in which the health service that is the subject of the referral or physician's order was provided,
2 years, counting from the end of the calendar year in which the referral was issued - in case the health care service was not provided due to the patient's failure to appear within the established time limit, unless the patient received the referral,
medical documentation regarding children under the age of 2 shall be retained for 22 years.
Data processed for purposes of fulfilling accountancy and tax obligations shall be processed for a period of 5 years from the end of the calendar year in which the deadline for payment of tax obligation has lapsed.
If you subscribed to our mailing list (newsletter) we process your personal data until you unsubscribe to the newsletter or until we stop carrying out marketing and promotional activities connected to that specific mailing list.

6. What rights do you have when it comes to personal data processing?

Due to the fact that your personal data is processed, you have the following rights:

Request access to your personal data	You can request confirmation from us that your personal data are processed and request appropriate information in this regard, including information on what types of personal data are processed and for which purposes.
Request rectification of your personal data	You have the right to request immediate rectification of incorrect personal data and supplement incomplete personal data.
Request erasure of your personal data	You have the right to request immediate erasure of your personal data if any of the following criteria apply: personal data are no longer necessary to realize purposes for which they were collected or are otherwise processed, you have revoked consent (assuming it is the basis of processing) and there are no other legal bases for personal data processing, you have filed an objection regarding processing of your personal data and there are no other legally justified legal bases for personal data processing which override the objection, personal data have been processed illegally, personal data have to be erased in order to fulfil a legal obligation, personal data have been collected in connection with providing information society services to a child.
Request restriction of processing your personal data	You have the right to restrict the processing of your personal data if: you object the correctness of personal data, processing of personal data is illegal but you object erasure of your personal data, requesting a restriction of processing instead, we do not need your personal data for processing purposes, but you need them to establish, pursue claims or defend from claims, you have filed an objection regarding processing of your personal data.
Request transferring your personal data	You have the right to receive the personal data concerning you, which you provided, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller. Such requests can be fulfilled only where your personal data are processed on the basis of consent or an agreement and are processed by automated means. You also have the right to request from us sending of your personal data directly to another controller, assuming that it is technically possible.
Right to file a complaint to a competent authority	You have the right to file a complaint to an authority competent in matters related to personal data processing – in Poland it is the President of Data Protection Officer (Prezes Urzędu Ochrony Danych Osobowych – PUODO), address: Urząd Ochrony Danych Osobowych, Stawki 2, 00-193 Warsaw.
Right to withdraw your consent for processing	You have the right to withdraw consent for processing of your personal data in a scenario, where the consent is a legal basis of such an activity. You can also withdraw consent where a specific activity undertaken by us is based on consent in understanding of regulations on protection of personal data, especially when it comes to sending marketing messages. You may also withdraw your consent at any time via the privacy settings available within the WLLNSS application, where such functionality is provided. Withdrawing consent does not affect the legality and effectiveness of personal data processing until the consent was withdrawn.
Object to the processing of your personal data	You have the right to object to personal data processing in scenarios where the legal basis for processing is our legitimate interest.

7. Additional information

Automated decision-making: WLLNSS does not make automated decisions that produce legal effects or similarly significant effects within the meaning of Article 22 GDPR.

Profiling: Certain features of the Service involve profiling within the meaning of Article 4(4) GDPR — specifically, the automated processing of Your personal data to evaluate certain personal aspects, including Your wellbeing preferences, health goals and engagement patterns. This profiling is used solely for the purpose of personalising Your experience within the Application (for example, generating AI-based wellbeing recommendations) and does not produce legal effects or similarly significant effects on You. The legal basis for such profiling is Our legitimate interest in providing a personalised service (Article 6(1)(f) GDPR), or, where the profiling involves health data, Your explicit consent (Article 9(2)(a) GDPR). You have the right to object to profiling based on legitimate interest at any time by contacting i.kuzmitski@wllnss.health.

Provision of personal data is voluntary, although in scenarios where we process your personal data in order to conclude or perform a concluded agreement, and especially to provide you with access to WLLNSS services connected with remote medical consultations, withholding from providing personal data might render provision of services impossible.

8. Data Security Measures

We implement appropriate technical and organizational measures to ensure the security of your data. These include:

Encryption of data in transit and at rest,
Pseudonymization,
Access control and role-based permissions.

While we take security seriously, no method of transmission or storage is 100% secure. Therefore, we cannot guarantee absolute protection of your data, though we follow industry standards and legal requirements.

Cookie files

Cookie files are small files which enable or facilitate usage of certain functions of the Website. They can be saved on your device directly by us or by third parties with whom we cooperate. In connection with using cookies by us, we may process your personal data, such as your IP address, history of your use of the Website, or information about the device or software you use. The cookie files we use are connected with functioning of our Website, monitoring Website’s traffic, maintaining statistics on how the website is used by the users, undertaking marketing activities, preventing errors and technical malfunctions, ensuring security, as well as preventing frauds and violations of applicable law.

There are the following types of cookies files:

Session cookies: cookies that are stored on your device during the time you use the Website (they are deleted when you close your web browser). Session cookies enable the correct use of the Website. Blocking them may result in encountering errors or prevent you from using the Website.

Persistent cookies: they are stored on your device until they are deleted or until they expire.

Consent Management: Where Your consent is required for the use of cookies (in particular, non-essential cookies such as analytics and advertising cookies), WLLNSS obtains such consent through a Consent Management Platform (CMP) presented to You upon Your first visit to the website or upon any material change to Our cookie practices. You may withdraw or modify Your cookie consent at any time by accessing the cookie settings available in the footer of Our website or by using Your browser settings. Records of consents given are stored in accordance with applicable law to allow WLLNSS to demonstrate compliance. Please note that disabling certain categories of cookies may affect the functionality of the Service.

Categories of cookies used by WLLNSS: (i) Strictly necessary cookies — required for the basic functioning of the Service; no consent required. (ii) Analytics and performance cookies — used to understand how users interact with the Service; require Your consent. (iii) Functional cookies — used to remember Your preferences; require Your consent. (iv) Advertising and targeting cookies — used, where applicable, to display relevant advertising; require Your explicit consent.

Usage of cookie files is based on your consent, expressed in accordance with Article 173 §1 of the Telecommunications Act (ustawa Prawo Telekomunikacyjne). We would like to mention that lack of such consent or subsequent deletion of cookie files may render functionalities of the website unusable.

You have the option of limiting or disabling cookies on your device. Settings regarding the use of cookies can be found in the settings of your web browser. Web browsers allow you to disable all cookies or certain groups of cookies (e.g., from third parties). If you disable cookies just partly, cookies used within the Website may be saved on your device, enabling the Website to function properly. If you limit usage of cookie files, using specific services we provide can be limited, and even impossible in some scenarios.

9. Changes to this Privacy Policy

This Privacy Policy may be updated from time to time to reflect changes in legal requirements or in the way we process personal data. The latest version is always available at https://wllnss.health/privacy. If substantial changes are made, we will notify users via the application or by email.