Held (by Wellset, Inc.) Privacy Policy Effective Date: December 16, 2025

At Wellset, Inc. (“Wellset,” “we,” “our,” or “us”), your privacy matters deeply. This Privacy Policy (“Policy”) explains how we collect, use, disclose, and safeguard your information when you use the Held mobile application (“App”), website, and related services (collectively, the “Services”). By using the Services, you agree to this Policy. If you do not agree, please discontinue use immediately.

1. Overview and Scope

This Policy applies to information collected through our website, mobile application, and any online service operated by Wellset that links to this Policy. The Held App provides nervous system regulation, mindfulness exercises, and other wellness tools designed for general educational and entertainment purposes only. We are not a covered entity under HIPAA, and our Services are not intended for medical diagnosis or treatment.

1. Changes to this Privacy Policy

We may modify this Policy from time to time. When we do, we will update the Effective Date above and post the revised version. Material changes will be communicated through the App or by email where appropriate. Continued use of the Services after any modification constitutes acceptance of the updated Policy.

1. Information We Collect

We collect personal and non-personal information directly from you, automatically through your device, and from third parties. This includes:

• Account information: name, email address, login credentials, and profile details.
• Usage and device data: IP address, browser type, operating system, device identifiers, and app usage metrics.
• Wellness inputs: stress levels, sleep quality, energy levels, mood tracking, breathwork participation, and related inputs.
• Biometric information: sensor or camera-based data (such as heart rate or breathing estimations). This data is processed for functionality only and not used for identification.
• Payment information: processed through third-party providers for subscription fees or in-app purchases.
• Communications: responses to surveys, workshops, or feedback forms.

This has to be expanded.

1. How We Use Your Information

We process your information to operate, improve, and personalize our Services. This includes:

• Providing access to the App’s content and sessions;
• Personalizing exercises and recommendations;
• Processing payments and managing subscriptions;
• Communicating updates, promotions, and offers;
• Conducting analytics to improve user experience;
• Ensuring compliance with applicable laws and safety requirements;
• Preventing fraud, abuse, and unauthorized access;
• Creating aggregated or de-identified insights for research and service improvement.

1. Legal Basis for Processing (EEA/UK Users)

If you reside in the European Economic Area, the United Kingdom, or Switzerland, we rely on one or more of the following lawful bases for processing:

• Consent (for marketing, analytics, and biometric features);
• Contractual necessity (to deliver the Services you request);
• Legitimate interest (to operate, secure, and enhance our platform);
• Legal obligation (where required by applicable law).

1. Retention and Security

We retain your personal information only as long as necessary for the purposes described herein. Biometric and session data are deleted or anonymized after the functional purpose has been achieved or within three years of your last interaction. We use reasonable administrative, technical, and physical safeguards, but no online system is fully secure. You are responsible for maintaining the confidentiality of your login credentials.

1. How We Share Information

We may share personal information in limited circumstances:

• With Service Providers: for hosting, analytics, customer support, and payment processing;
• With Affiliates and Partners: to improve or co-offer products and services;
• In Business Transfers: such as mergers, acquisitions, or asset sales;
• For Legal Compliance: to comply with applicable law or protect rights and safety;
• With Your Consent: when you voluntarily share or authorize such disclosure. We do not sell or rent your personal data.

1. Cookies and Tracking Technologies

We use cookies, web beacons, and similar technologies to collect usage data and understand engagement. These help us personalize content and measure performance. You can manage cookies through your browser settings. Third-party analytics providers such as Mixpanel may also collect aggregated usage data subject to their own privacy policies.

1. Your Rights and Choices

Depending on your jurisdiction, you may have the right to:

• Access or request a copy of your personal information;
• Request correction or deletion;
• Withdraw consent to processing;
• Object to certain uses or restrict processing;
• Data portability (where applicable);
• Lodge a complaint with a regulatory authority. You may exercise these rights by contacting privacy@wellset.co.

1. Children’s Privacy

The Services are not directed toward children under 13, and we do not knowingly collect personal information from them. If we learn that a child has provided us with personal data, we will delete it immediately. Parents or guardians who believe their child’s data has been improperly collected may contact us for removal.

1. International Data Transfers

Your information may be transferred to, stored, and processed in the United States or other jurisdictions where data protection laws may differ. When transferring data from the EEA/UK/Switzerland, we rely on approved mechanisms such as the EU Standard Contractual Clauses or other adequate safeguards.

1. Biometric Information Policy

Biometric information (e.g., heart rate, breathing rate, or HRV) is collected only for functional use within the App and not for identification. We securely destroy or de-identify biometric data after use or within three years of last activity. We use commercially reasonable measures to protect biometric information from unauthorized access or disclosure.

1. California Consumer Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

• Right to know what personal information we collect and how it is used;
• Right to request deletion of personal data;
• Right to correct inaccurate data;
• Right to opt out of the sale or sharing of personal data (we do not sell personal data);
• Right to non-discrimination for exercising your rights. To submit a request, email info@held.app
  with “California Privacy Request” in the subject line. We will verify your identity before processing your request.

1. Data Security Practices

We implement reasonable measures to protect your data against accidental loss, unauthorized access, or misuse. This includes encryption, access controls, and secure storage. However, no system can be completely secure; we cannot guarantee absolute protection. You acknowledge and accept this risk when using our Services.

1. Communications and Marketing

By creating an account, you may receive service-related communications (e.g., transactional or security notices). You may also opt-in to receive promotional content. You can unsubscribe from marketing emails at any time through the “unsubscribe” link or by contacting info@held.app.

1. Third-Party Links and Services

Our Services may include links to third-party websites or applications. We are not responsible for the privacy practices or content of such external sites. We encourage users to review the privacy policies of all third-party sites they visit.

1. Contact Information

For questions, data access requests, or privacy-related concerns, please contact us at:

Wellset, Inc. (Held App)
Email: info@held.app
Address:
811 Wilshire Blvd
17th Floor, Unit 525
Los Angeles, CA90017