Privacy Policy

How ElioHealth processes personal data in the private pilot

This Privacy Policy explains how ElioHealth ("ElioHealth", "we", "us", or "our") processes personal data in connection with the ElioHealth website, application, dashboards, wearable integrations, and related participant services.

ElioHealth is a limited, invite-only wellness pilot operated for a private Community Church participant community. Participation is voluntary and self-enrolled. Technical development, hosting, maintenance, and support may be provided by contracted service providers acting under instructions from the pilot administrator.

The Service is designed to operate on a data-minimized and pseudonymous basis wherever reasonably possible. We aim not to routinely retain names, personal email addresses, phone numbers, postal addresses, or other direct identifiers in the analytics environment. However, wearable wellness data linked to an account, device, authorization token, dashboard alias, consent record, or separately held identity mapping may still constitute personal data and, in many cases, health-related or sensitive personal data under applicable data protection law. We therefore treat the information processed through ElioHealth as protected personal data and apply heightened privacy and security measures.

ElioHealth is not described as anonymous for legal purposes. Where data can still be linked back to a participant through separately held information, it is treated as pseudonymous personal data and protected accordingly.

1. Controller and Pilot Administrator

For this private pilot, the personal data controller or responsible pilot administrator is the ElioHealth pilot administrator operating the Community Church wellness pilot.

Because the pilot is closed and not publicly available, this public Policy uses "Community Church" as a neutral public description. Invited participants receive the full legal identity of the pilot administrator during onboarding, consent, or upon request.

Contact:

ElioHealth Pilot Administrator
Community Church wellness pilot
Privacy contact: enquiry@eliohealth.app
General support: enquiry@eliohealth.app
Legal contact: enquiry@eliohealth.app
Website: https://eliohealth.app

ElioHealth has not appointed an EU or UK representative for this private pilot. If the Service is later offered in a way that requires one, this Policy will be updated.

2. Scope of this Policy

This Privacy Policy applies to:

  • the ElioHealth website;
  • the ElioHealth application and dashboards;
  • current Oura account connection and synchronization;
  • future supported wearable integrations, if and when launched;
  • participant-advisor communications conducted within ElioHealth, where enabled;
  • consent, withdrawal, and support workflows; and
  • security, audit, and operational interactions related to the Service.

This Policy does not govern processing performed independently by Oura or any other third-party service provider acting under its own privacy policy.

3. Our Privacy Model

ElioHealth is designed around the following privacy principles:

3.1 Data minimization

We request and process only the categories of data reasonably necessary for the pilot features we provide.

For the current pilot, ElioHealth is designed to avoid requesting Oura scopes that are not necessary for the Service, including direct-identifier-related scopes unless a specific operational need requires them.

3.2 Pseudonymous analytics environment

We do not intentionally store names, personal email addresses, phone numbers, postal addresses, or similar direct identifiers in the analytics database.

3.3 Alias-based account structure

Each participant is represented by a random internal identifier and a platform-generated alias wherever reasonably possible. Advisor-facing workflows are designed to use the alias rather than direct personal identifiers.

3.4 Offline-issued participant codes

During onboarding and account linking, each participant receives an offline-issued participant code. ElioHealth uses that code to connect the participant to the online service without routinely using their real name, email address, or phone number in the analytics environment. The real-world identity mapping is held separately by the authorized pilot administrator under restricted access. This supports encrypted, pseudonymous participation, but ElioHealth does not describe the Service as anonymous for legal purposes.

3.5 Separation of systems

OAuth credentials, provider account references, consent records, identity mapping, and any necessary operational contact-routing data are stored separately from the analytics database and are subject to enhanced access restrictions.

3.6 Consent-led visibility

We do not enable advisor, doctor, coach, or program-staff visibility into a participant's wearable-derived data unless that participant has provided explicit consent for such access.

3.7 Security by design

We use encryption, access controls, environment separation, security logging, and deletion workflows to reduce privacy risk.

4. Categories of Data We Process

4.1 Wearable wellness data

If you connect an approved wearable source, we may process selected categories of data that you authorize. In the current pilot, this may include data derived from Oura, such as:

  • sleep summaries and sleep stage information;
  • activity summaries;
  • readiness or recovery-related summaries;
  • heart rate and related time-series data;
  • workout or session summaries;
  • blood oxygen summaries where supported;
  • temperature, stress, resilience, or similar wellness metrics where supported and authorized; and
  • other wearable-derived wellness metrics that you expressly authorize.

4.2 Connection and authorization data

We may process technical data required to establish and maintain the connection, including:

  • OAuth authorization codes, access tokens, refresh tokens, and token metadata;
  • provider-specific application or user references;
  • synchronization timestamps;
  • permission grants and revocations;
  • integration status and error events; and
  • diagnostic events necessary to maintain the integration securely.

4.3 Participant alias and internal account data

We may process:

  • a random internal participant identifier;
  • a platform-generated alias;
  • consent status and consent history;
  • service-status flags;
  • advisor-assignment status where applicable; and
  • the minimum separately stored identity or contact mapping needed for onboarding, support, withdrawal, and participant-requested follow-up.

4.4 Communications data

If you choose to communicate with us, receive pilot updates, or enable a communications channel, we may process:

  • the content of your messages to us;
  • support correspondence;
  • onboarding, consent, withdrawal, or follow-up requests;
  • delivery metadata; and
  • where strictly necessary, the minimum routing data required for the chosen channel.

Where a communications channel is enabled at your request, the minimum routing data necessary for that channel may be stored separately under enhanced access restrictions.

4.5 Website, dashboard, and security data

We may process limited technical and security information such as:

  • IP addresses and network metadata;
  • authentication events;
  • access logs;
  • device or browser metadata where needed for security or compatibility;
  • advisor dashboard access logs;
  • audit records relating to privileged access; and
  • security alerts or incident records.

5. Data We Do Not Routinely Retain in the Analytics Database

Unless a specific operational or legal need requires otherwise, ElioHealth does not routinely retain the following in the analytics database:

  • real names;
  • personal email addresses;
  • phone numbers;
  • postal addresses;
  • government-issued identifiers;
  • payment card data;
  • advertising identifiers; or
  • unrelated location-tracking data.

6. Purposes of Processing and Legal Bases

We process personal data only where we have an appropriate legal basis under applicable law. The pilot is intended for a closed Community Church participant community. Where the GDPR, UK GDPR, Hong Kong Personal Data (Privacy) Ordinance, or another data protection law applies, we process personal data consistently with the relevant requirements.

6.1 Service provision and dashboard operation

We process data to operate the platform, synchronize authorized data, display participant dashboards, maintain participant consent records, and provide support.

  • Typical basis: consent, performance of a participant relationship, or legitimate interests where appropriate
  • Health or sensitive data basis where required: explicit consent or another applicable legal condition

6.2 Advisor support and participant guidance

Where you explicitly consent, we process your wearable data so authorized advisors, wellness staff, or a Community Church-appointed doctor can review trends and provide limited wellness guidance.

  • Typical basis: explicit participant consent
  • Health or sensitive data basis where required: explicit consent or another applicable legal condition

6.3 Security, fraud prevention, and service integrity

We process technical and security data to secure the Service, investigate incidents, enforce access controls, maintain availability, and protect participant data.

  • Typical basis: legitimate interests, legal obligation, or consent where required

6.4 Legal compliance and claims

We may process personal data to comply with legal obligations, respond to lawful requests, establish or defend legal claims, and maintain legally required records.

  • Typical basis: legal obligation, legitimate interests, or another applicable legal condition

6.5 Aggregated or anonymized analytics

We may create aggregated or anonymized statistics to understand pilot performance, service quality, and usage trends. Where data has been rendered anonymous so that no individual is identifiable, it is no longer personal data.

  • Typical basis for preparatory processing: legitimate interests or consent where required

7. Health-Related and Sensitive Data

Wearable wellness data may constitute data concerning health, biometric-related information, or sensitive personal data under applicable law. We process such data only where we have a valid legal basis and, where required, explicit participant consent.

8. Consent

Where we rely on consent:

  • consent is requested clearly and separately where appropriate;
  • connecting a wearable source is optional;
  • advisor or doctor visibility is optional and requires explicit consent;
  • you may withdraw consent at any time;
  • withdrawal does not affect processing already carried out lawfully before withdrawal; and
  • if you revoke your wearable authorization or withdraw from the pilot, we stop collecting new data and delete or de-identify retained personal data unless we are legally required to keep it or a limited retention exception applies.

9. Recipients of Data

We may disclose personal data only to the following categories of recipients, and only where necessary:

  • hosting, infrastructure, database, logging, and security providers acting as processors or service providers;
  • technical development, maintenance, and operational support providers acting under instructions;
  • authorized advisors, wellness staff, or a Community Church-appointed doctor, but only where you have explicitly consented to such access;
  • Oura, where necessary for API authorization, API usage, account connection, revocation, support, security, or compliance with Oura developer terms;
  • professional advisers, auditors, insurers, or legal counsel where necessary; and
  • competent authorities or courts where required by law.

We do not sell personal data and do not disclose wearable health data for advertising purposes. We do not use Oura-sourced data to train general-purpose AI models.

10. Oura API Usage and Independent Oura Processing

The current pilot phase uses Oura as the first supported wearable integration. Oura may collect certain usage data and information relating to use of the Oura API, Oura Platform, and connected developer applications, and may process such information under Oura's own terms and privacy policy.

Your use of Oura and any related Oura services is governed by Oura's own terms and privacy policy.

ElioHealth is an independent service and is not responsible for the independent acts, omissions, availability, membership requirements, account decisions, or policies of Oura or any other third party.

11. International Transfers

Your personal data may be processed in jurisdictions outside your country of residence. Where required by law, we implement appropriate safeguards for international transfers, which may include:

  • adequacy decisions;
  • standard contractual clauses;
  • contractual confidentiality and security obligations; or
  • other lawful transfer mechanisms.

You may contact us to request more information about relevant safeguards.

12. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Policy and only where retention is permitted by applicable law, participant consent, and relevant wearable-provider terms.

For Oura-sourced data, ElioHealth follows applicable Oura developer terms. Under the currently published Oura API Agreement, Oura data must not remain in cache longer than 60 days, and Oura-sourced personal data must be deleted after user revocation or termination unless a lawful and permitted exception applies. If Oura grants different written permission or updates its developer terms, ElioHealth will apply the applicable permitted retention period.

Unless a shorter period is required by law, participant request, or wearable-provider terms, our general retention approach is:

  • active pilot participation: retained only as needed for the pilot and within applicable wearable-provider retention limits;
  • after wearable revocation or pilot withdrawal: deletion or irreversible de-identification within 30 days, unless a shorter period is required by the provider terms or law;
  • OAuth tokens and connection credentials: deleted or disabled promptly after revocation, withdrawal, or account closure, unless needed temporarily for security or legal reasons;
  • security and audit logs: retained for a limited period reasonably necessary for security, accountability, incident response, and legal compliance;
  • consent and withdrawal records: retained as needed to demonstrate consent status, withdrawal, and compliance; and
  • anonymous aggregates: may be retained for pilot evaluation, service quality, or research purposes where they no longer identify any individual.

13. Access, Portability, and Deletion Requests

Subject to applicable law and verification, you may request:

  • access to personal data held about you;
  • a copy of Oura-sourced data collected through the Service, where technically available;
  • correction of inaccurate information;
  • deletion of personal data;
  • withdrawal of advisor-access consent;
  • disconnection of a wearable integration; or
  • withdrawal from the pilot.

To make a request, contact enquiry@eliohealth.app.

14. Security Measures

We implement appropriate technical and organizational measures designed to protect personal data, including:

  • encryption in transit;
  • encryption at rest;
  • offline-issued participant codes for pseudonymous onboarding and account linking;
  • environment separation and access segmentation;
  • separation of analytics data from identity, contact, consent, and token material;
  • role-based access control and least-privilege administration;
  • privileged access logging and audit trails;
  • advisor dashboard access logging where technically supported;
  • key and secret management controls;
  • deletion and revocation workflows; and
  • regular review of security practices.

No system can be guaranteed to be completely secure. Participants should also protect their own devices, accounts, passwords, and wearable-provider credentials.

15. Data Breach Response

If a personal data breach occurs, we will assess the incident promptly and, where required by applicable law or wearable-provider terms:

  • notify the relevant supervisory authority without undue delay;
  • notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms;
  • notify Oura where an incident involves Oura data or the Oura integration and notification is required; and
  • take appropriate steps to contain, investigate, and remediate the incident.

16. Your Rights

Subject to applicable law, you may have the right to:

  • request access to your personal data;
  • request rectification of inaccurate data;
  • request erasure of your personal data;
  • request restriction of processing;
  • object to certain processing;
  • request data portability where applicable;
  • withdraw consent at any time where processing is based on consent; and
  • lodge a complaint with your local data protection authority.

For Hong Kong matters, this may include the Office of the Privacy Commissioner for Personal Data.

To exercise your rights, contact us at enquiry@eliohealth.app.

17. Children

ElioHealth is not intended for individuals under 18 years of age, and we do not knowingly collect personal data from children.

18. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice appropriate to the nature of the change and update this page accordingly.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

ElioHealth Pilot Administrator
Community Church wellness pilot
Privacy contact: enquiry@eliohealth.app
General support: enquiry@eliohealth.app
Legal contact: enquiry@eliohealth.app

The full legal identity and postal contact of the pilot administrator are provided to invited participants during onboarding, consent, or upon request.


Effective date: April 27, 2026