ElioHealth

Privacy-first wearable wellness insights for a closed pilot community

ElioHealth is a private, invite-only wellness pilot operated for a Community Church internal participant community. The pilot helps self-enrolled participants understand selected wearable wellness signals and, where they choose to consent, receive limited wellness support from authorized advisors.

The platform is designed to support multiple wearable integrations over time. In the current pilot phase, ElioHealth is evaluating Oura as the first supported wearable connection for a limited participant group.

ElioHealth is built around a data-minimization and pseudonymous operating model. Participant wellness data is processed under random internal identifiers and platform-generated aliases wherever reasonably possible. Names, personal email addresses, phone numbers, and other direct identifiers are not routinely stored in the analytics environment. Where a technical account reference, OAuth credential, consent record, or limited contact-routing detail is needed for the service to function, it is stored separately under enhanced access restrictions.

During onboarding and account linking, each participant receives an offline-issued participant code. ElioHealth uses that code to connect the participant to the online service without routinely using their real name, email address, or phone number in the analytics environment. The real-world identity mapping is held separately by the authorized pilot administrator under restricted access.

Because wearable wellness data can still relate to an identifiable person when combined with separately held information, ElioHealth treats such data as protected personal data and applies heightened privacy and security controls accordingly.

What ElioHealth does

With a participant's explicit authorization, ElioHealth retrieves selected wearable wellness data and presents it in a structured dashboard environment. Depending on the participant's consent settings and the pilot configuration, the platform may support:

  • a personal dashboard for the participant;
  • a role-restricted program dashboard for authorized advisors or staff;
  • limited wellness guidance for self-observation and lifestyle awareness; and
  • program-level reporting using aggregated or anonymized statistics where possible.

Where participant consent has been provided, authorized advisors may view participant data through role-restricted dashboard views. These views are designed to use platform-generated aliases rather than direct personal identifiers. A small authorized administration function may separately hold the minimum identity or contact mapping needed for consent management, support, withdrawal, and participant-requested follow-up.

What ElioHealth does not do

ElioHealth is not:

  • a medical device;
  • a medical provider;
  • an emergency response service;
  • a diagnostic tool;
  • a substitute for professional medical advice, diagnosis, or treatment; or
  • a public consumer health application.

The platform is intended to support general wellness, self-observation, and optional advisor guidance only. Participants should contact qualified healthcare professionals for medical concerns and contact emergency services in an emergency.

How the pilot works

  1. Invitation and voluntary consent: Participation is closed, voluntary, and self-enrolled. A participant decides whether to connect an approved wearable source and which permissions to grant.
  2. Pseudonymous participant setup: The platform assigns a random internal identifier and platform alias for operational use. An offline-issued participant code supports onboarding and account linking without routine use of the participant's real name in the analytics environment.
  3. Current wearable connection: In the current pilot phase, ElioHealth retrieves selected data from Oura through the authorized OAuth connection flow.
  4. Secure dashboard and optional advisor support: Data is displayed in a secured application environment. Any advisor visibility is subject to explicit participant consent, role-based restrictions, and audit logging.
  5. Withdrawal and deletion: The participant may disconnect the integration or withdraw from the pilot at any time. Following revocation or withdrawal, ElioHealth stops retrieving new data and deletes or de-identifies retained personal data unless retention is required by law or permitted under applicable integration terms.

Privacy and security posture

ElioHealth is designed with privacy by default. Core safeguards include:

  • minimization of requested integration permissions;
  • offline-issued participant codes for pseudonymous onboarding and account linking;
  • separation of identity, contact, consent, and token material from the analytics environment;
  • pseudonymous internal identifiers and alias-based advisor views;
  • encryption in transit and encryption at rest;
  • role-based access control and least-privilege administration;
  • audit logging for privileged access and advisor dashboard access;
  • deletion workflows triggered by withdrawal, revocation, or account closure;
  • no sale of personal data;
  • no disclosure of wearable health data for advertising; and
  • no use of Oura-sourced data to train general-purpose AI models.

Current pilot scope

  • Status: private proof-of-concept pilot
  • Access model: invitation only, voluntary, and self-enrolled
  • Current supported integration: Oura
  • Future architecture: designed to support additional compatible wearables over time, subject to technical, legal, and partner approval
  • Purpose: wellness tracking and optional advisor support for a small closed community
  • Public availability: not publicly available at this stage
