WellerU Privacy Policy

WellerU (“WellerU,” “we,” “us,” or “our”) provides wellness-driven solutions to help improve medical insurance risk profiles. As part of securing user accounts, we offer SMS-based multifactor authentication (MFA) to verify identity during login.

This Privacy Policy describes how we collect, use, disclose, and protect personal information related to SMS-based MFA and related account security communications sent via our toll-free number through our service provider Twilio. This policy supplements our general privacy policy and applies specifically to SMS/MFA communications.

When you opt in to SMS MFA, we collect and process:

• Identifiers: mobile phone number, account identifier (e.g., email/username), and device/OS metadata associated with authentication events.

• Authentication Events: timestamps, delivery status, verification outcomes, and associated system logs.

• Communications Metadata: content limited to verification codes and required program notices; STOP/HELP responses; consent records (time, method, source).

• Security & Fraud Signals: rate limiting data, carrier responses, IP/time anomalies.

We do not ask you to send health or other sensitive information by SMS, and we do not use SMS to collect health data.

We use your information solely to:

• Send one-time verification codes for login and account protection.

• Confirm your opt-in and provide HELP/STOP support.

• Maintain audit trails for compliance (e.g., opt-in records).

• Detect and prevent fraud and abuse of our authentication systems.

• Meet legal and regulatory obligations (e.g., TCPA, CTIA, carrier rules).

We do not use SMS MFA data for marketing or profiling.

Where GDPR applies, our processing is based on:

• Consent (Article 6(1)(a)) for receipt of SMS MFA messages; and

• Legitimate Interests (Article 6(1)(f)) in securing accounts and preventing fraud.
  We rely on contractual necessity (Article 6(1)(b)) where MFA is required to access services.

We share your information with:

• Service Providers/Subprocessors: Twilio (SMS delivery and compliance), hosting, logging, security vendors—all bound by contractual confidentiality and security obligations.

• Legal/Compliance: If required by law, regulation, or court order; or to protect rights, safety, and integrity of the service.

We do not sell or share SMS MFA personal information for cross-context behavioral advertising.

• Verification codes: ephemeral; stored only in logs as necessary for delivery/validation and security troubleshooting.

• Opt-in records & SMS logs (STOP/HELP, delivery status): retained for 24 months or longer if required by law or to resolve disputes and ensure compliance.

• Account security logs: retained per our security and audit policy for 24 months or longer if required by law or to resolve disputes and ensure compliance.

• If you are outside the United States, personal information may be transferred to and processed in the U.S. and other jurisdictions with different data protection laws. Where applicable, we use appropriate safeguards (e.g., Standard Contractual Clauses) with our vendors.

• We implement administrative, technical, and physical safeguards designed to protect personal information, including access controls, audit logging, encryption in transit, rate limiting, and fraud detection. No method of transmission or storage is 100% secure; you are responsible for protecting your account credentials.

• Opt-In: You must provide explicit consent to receive SMS MFA messages (e.g., checking a box or replying to an opt-in message).

• Opt-Out: Reply STOP at any time to stop receiving SMS MFA messages. You can also disable SMS MFA in account settings.

• HELP: Reply HELP for assistance or contact us via the methods below.

• Costs: Message and data rates may apply.

• Frequency: Messages are sent only during login or security events (e.g., recovery).

Note: If you opt out, you may need to set up an alternative MFA method to retain account access.

• Depending on your location, you may have rights to:

• Access, correct, or delete personal information;

• Object to or restrict certain processing;

• Withdraw consent (does not affect processing before withdrawal);

• Port data, where applicable.

• California Residents (CPRA/CCPA): You have rights to know, correct, delete, opt out of sale/share (not applicable to SMS MFA data), and to non-discrimination. See our general privacy policy for how to exercise these rights.

• You can make requests via email to info@welleru.com. We will verify your identity and respond within the time required by law.

• WellerU does not knowingly offer SMS MFA to children under 13 (or applicable age of consent). If you believe a child provided a phone number, contact us to remove it.

• Program Name: WellerU SMS MFA

• Purpose: One-time passcodes and account security notifications.

• Sender: WellerU (toll-free number via Twilio)

• Frequency: Message frequency varies, typically only during login or security events.

• Opt-Out: Reply STOP to cancel.

• Help: Reply HELP or contact info@welleru.com

• Costs: Message & data rates may apply.

• Privacy: This page and our general privacy policy govern SMS MFA processing.

• We may update this policy from time to time. We will post updates with a new “Last Updated” date and, where required, provide notice and seek consent for material changes.

• Email: info@welleru.com

• Phone (toll-free SMS): 1-833-953-1723 (SMS only; reply HELP for assistance)

• Mailing Address: 6360 Heathfield Drive, East Lansing, MI, 48823

• Data Protection Officer/Privacy Contact (if applicable):  Bill Eger, bill@welleru.com