Privacy Policy

This Privacy Policy describes how Excitable Robot Publishing, LLC ("we", "us", or "our") collects, uses, and protects your information when you use Wellpipe ("the Service"), including the CLI tool and cloud-hosted version.

Account Information

When you create a Wellpipe Cloud account, we collect:

• Email address (for authentication and account recovery)
• Name (if provided by your authentication provider)

Health Provider Data

When you authorize the Service to connect to your health data providers (such as WHOOP, Oura, or others), we access data through their APIs including:

• Sleep activity data (duration, stages, scores)
• Recovery and readiness data
• Workout and strain data
• Basic profile information

How We Access Your Data

We access your health data only after you explicitly authorize the connection through each provider's OAuth authentication process. You can revoke this access at any time through the provider's account settings or through Wellpipe.

Your health data is used solely to:

• Display your health and fitness metrics through AI assistant interfaces
• Provide insights and analysis when you request them
• Enable natural language queries about your health data

AI Assistant Data Sharing

Important: When you connect a health data provider to Wellpipe and use the Service with an AI assistant, your health data will be transmitted to third-party AI providers. By connecting your health data providers, you explicitly consent to this data sharing.

When you query your health data through an AI assistant (such as Claude, ChatGPT, or others), your health data is sent to that AI provider to generate responses. This includes:

• Sleep data, recovery scores, and workout information
• Physiological metrics (heart rate, HRV, etc.)
• Any other data you have authorized from your connected providers

This data transmission is governed by the respective AI provider's privacy policy and terms of service. We recommend reviewing those policies before using Wellpipe with any AI assistant. Major AI providers include:

• Anthropic (Claude): Privacy Policy
• OpenAI (ChatGPT): Privacy Policy

CLI Tool

• Local Processing: Your data is processed locally and is not stored on external servers
• Token Storage: OAuth tokens are stored securely on your local device
• No Data Sharing: We do not sell, trade, or share your personal health data with third parties
• Encryption: All communication with provider APIs uses HTTPS encryption

Cloud Service (Wellpipe Cloud)

• Encrypted Storage: OAuth tokens are encrypted at rest using AES-256-GCM
• Per-User Encryption: Each user's tokens are encrypted with a unique key
• Secure Infrastructure: Hosted on reputable cloud providers with industry-standard security
• No Data Retention: Health data is fetched on-demand and not permanently stored

We do not permanently store your health data. Data is fetched from provider APIs when requested and is not retained after your session ends. OAuth tokens are stored only to maintain your authenticated session.

We use essential cookies and session storage to:

• Maintain your authenticated session
• Remember your preferences
• Protect against cross-site request forgery

We do not use tracking cookies, advertising cookies, or any third-party analytics services.

This Service connects to health data providers including:

• WHOOP API: Subject to WHOOP's Privacy Policy
• Additional providers will be listed here as they are added

We do not integrate with any third-party analytics, advertising, or data collection services.

You have the right to:

• Access: Request information about what data we access
• Revoke: Disconnect the Service from your provider accounts at any time via their settings or through Wellpipe
• Delete: Remove locally stored tokens by uninstalling or resetting the Service, or delete your Wellpipe Cloud account

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we collect
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: We do not sell or share your personal information for cross-context behavioral advertising
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at privacy@wellpipe.io.

European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Legal Basis: We process your data based on your consent (OAuth authorization) and legitimate interest (providing the Service)
• Data Portability: Request a copy of your data in a portable format
• Erasure: Request deletion of your personal data
• Restriction: Request that we limit how we use your data
• Objection: Object to our processing of your data

To exercise these rights, contact us at privacy@wellpipe.io.

This Service is not intended for use by children under 13 years of age. We do not knowingly collect data from children.

In the event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach, as required by applicable law. We will also notify relevant regulatory authorities where required.

If you discover a security vulnerability in the Service, please report it responsibly to security@wellpipe.io. We take security issues seriously and will respond promptly.

For security vulnerabilities that may affect our integrated health data providers (such as WHOOP), we will coordinate disclosure with the affected provider within 24 hours of verification. If you believe you have discovered a vulnerability in a provider's API while using Wellpipe, please also report it directly to the provider.

We may update this Privacy Policy from time to time. We will notify users of any material changes by updating the "Last Updated" date. For significant changes, we will notify you via email.

If you have questions about this Privacy Policy, please contact us at:

• Email: privacy@wellpipe.io

Wellpipe is an independent service and is not affiliated with, endorsed by, or sponsored by any of the health data providers it integrates with.

WHOOP: WHOOP and the WHOOP logo are registered trademarks of WHOOP Inc. Wellpipe accesses WHOOP data through the official WHOOP API pursuant to the WHOOP API Terms of Use. WHOOP does not endorse Wellpipe or guarantee the accuracy of any data provided through this integration.

Other Trademarks: Oura is a registered trademark of Oura Health Oy. All other trademarks, service marks, and trade names referenced in this Service are the property of their respective owners.