(held) (by WellSet, Inc.) Privacy Policy Effective Date: February 27, 2026

At WellSet, Inc. (“WellSet,” “we,” “our,” or “us”), your privacy matters deeply. This Privacy Policy (“Policy”) explains how we collect, use, disclose, and safeguard your information when you use the (held) mobile application (“App”), website, and related services (collectively, the “Services”). By using the Services, you agree to this Policy. If you do not agree, please discontinue use immediately.

This Policy applies to information collected through our website, mobile application, and any online service operated by WellSet that links to this Policy. The (held) App provides nervous system regulation, mindfulness exercises, emotional insights and other wellness tools designed for general educational and entertainment purposes only. We are not a covered entity under HIPAA, and our Services are not intended for medical diagnosis or treatment.

We may modify this Policy from time to time. When we do, we will update the Effective Date above and post the revised version. Material changes will be communicated through the App or by email where appropriate. Continued use of the Services after any modification constitutes acceptance of the updated Policy.

We collect personal and non-personal information directly from you, automatically through your device, and from third parties. This includes:

1. Account registration information: Name, email address, login credentials (encrypted), and optional profile information you chose to provide, such as birthday, birthplace and birth time, phone number.
2. Usage and device data: IP address, browser type, operating system, device identifiers, and app usage metrics. We may use third-party analytics providers that process data on our behalf under written data processing agreements.
3. Wellness inputs: We treat the following information as “Sensitive Personal Information” under the California Privacy Rights Act (CPRA) and as “special category data” where applicable under GDPR: emotional need states, journal entries, check in entries, subjective intensity scores, sleep quality, energy levels, mood tracking, session participation, and related inputs.
4. Payment information: Payment information is processed by PCI-compliant third-party providers. We do not store full payment card numbers.
5. Communications: responses to surveys, workshops, or feedback forms and Support inquiries
6. Health Platform Integrations (If Applicable): If you choose to connect third-party health platforms (e.g., Apple HealthKit, Google Fit), we access only the data you authorize and use it solely to provide the Services. We do not use this data for advertising.

This information is used solely to provide, personalize, and improve the Services. We do not use Sensitive Personal Information for targeted advertising, cross-context behavioral advertising, or data brokerage.

Biometric information: We may collect biometric information such as:

• Heart rate
• Breathing rate
• Heart rate variability (HRV)
• Camera- or sensor-based estimations of physiological activity

We collect biometric identifiers only after obtaining informed written consent. Biometric information is used exclusively to provide app functionality. We do not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information. Biometric data is retained only until the initial purpose for collection has been satisfied or within three (3) years of your last interaction with the Services, whichever occurs first. Biometric data is permanently destroyed in accordance with our data retention schedule. Where possible, biometric data is processed locally on your device and not stored on our servers unless necessary to provide functionality.

Use of Artificial Intelligence Services

We use third-party artificial intelligence service providers to power certain features of the App. When users submit text, reflections, prompts, or other content within the App, that content may be transmitted to Anthropic PBC (Claude API) for the purpose of generating AI-powered responses and providing personalized emotional support and app functionality.

The types of data that may be transmitted include:

• User-submitted messages

• Reflections or journal entries

• Emotional check-ins

• Other text content entered within the App

Users are presented with a clear in-app disclosure and must provide affirmative consent before any content is transmitted to Anthropic.

This information is transmitted solely to enable core App functionality, including generating responses and providing personalized support experiences. We do not use user-submitted content for advertising purposes.

Anthropic processes this data on our behalf pursuant to contractual obligations that require appropriate technical and organizational safeguards to protect personal information. We require our service providers to maintain data protection standards consistent with applicable privacy laws and to use submitted data only for the purpose of providing services to us.

We do not sell personal information to third parties.

User-submitted content may also be stored securely on our systems to provide conversation history, personalization, and service improvements. Access to such data is restricted and protected using industry-standard security measures.

Anthropic processes submitted content solely to provide services to us and does not use submitted content to train public or general foundation models. Processing occurs pursuant to contractual data protection obligations that restrict use to providing services to WellSet.

By using the App and submitting content, you acknowledge and agree that your submitted content may be transmitted to our third-party AI service provider, Anthropic PBC (Claude API), as described in this Policy.

We process your information to operate, improve, and personalize our Services. This includes:

• Providing access to the App’s content and sessions;
• Personalizing exercises and recommendations;
• Processing payments and managing subscriptions;
• Communicating updates, promotions, and offers;
• Conducting analytics to improve user experience;
• Ensuring compliance with applicable laws and safety requirements;
• Preventing fraud, abuse, and unauthorized access;
• Creating aggregated or de-identified insights for research and service improvement;
• Complying with legal obligations.

We use automated systems to personalize exercises and recommendations based on your inputs. These systems do not produce legal effects or similarly significant effects. You may request human review of significant decisions by contacting us.

If you reside in the European Economic Area, the United Kingdom, or Switzerland, we rely on one or more of the following lawful bases for processing:

• Consent (for marketing, analytics, and biometric features);
• Contractual necessity (to deliver the Services you request);
• Legitimate interest (to operate, secure, and enhance our platform);
• Legal obligation (where required by applicable law).
• Where we process wellness or biometric data that qualifies as special category data under Article 9 of the GDPR, we rely on:

• Explicit consent (Article 9(2)(a)), or
• Processing necessary for provision of a service requested by you.
• You may withdraw consent at any time.

We collect only the personal information reasonably necessary to provide the Services. We do not collect health or biometric data for advertising purposes. We do not retain personal data longer than necessary for the purposes described in this Policy.

We retain your personal information only as long as necessary for the purposes described herein. Biometric and session data are deleted or anonymized after the functional purpose has been achieved or within three years of your last interaction. We use reasonable administrative, technical, and physical safeguards, but no online system is fully secure. You are responsible for maintaining the confidentiality of your login credentials. Payment records: retained as required by tax and accounting laws.

We do not sell personal information. We do not share Sensitive Personal Information for cross-context behavioral advertising. We may share personal information with:

• With Service Providers: for hosting, cloud infrastructure, artificial intelligence processing (including Anthropic PBC), analytics, customer support, and payment processing;
  
• Cloud Hosting providers
• With Affiliates and Partners: to improve or co-offer products and services;
• In Business Transfers: such as mergers, acquisitions, or asset sales;
• For Legal Compliance: to comply with applicable law or protect rights and safety;
• With Your Consent: when you voluntarily share or authorize such disclosure. We do not sell or rent your personal data.

We use cookies, web beacons, and similar technologies to collect usage data and understand engagement. These help us personalize content and measure performance. You can manage cookies through your browser settings. Third-party analytics providers such as Mixpanel may also collect aggregated usage data subject to their own privacy policies.

California residents may request that we limit the use and disclosure of Sensitive Personal Information to what is necessary to provide the Services.

Depending on your jurisdiction, you may have the right to:

• Access or request a copy of your personal information;
• Request correction or deletion;
• Withdraw consent to processing;
• Object to certain uses or restrict processing;
• Data portability (where applicable);
• Lodge a complaint with a regulatory authority. You may exercise these rights by contacting support@held.app.

The Services are not directed toward children under 13, and we do not knowingly collect personal information from them. If we learn that a child has provided us with personal data, we will delete it immediately. Parents or guardians who believe their child’s data has been improperly collected may contact us for removal.

Your information may be transferred to, stored, and processed in the United States or other jurisdictions where data protection laws may differ. When transferring data from the EEA/UK/Switzerland, we rely on approved mechanisms such as the EU Standard Contractual Clauses or other adequate safeguards.

If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

• Right to know what personal information we collect and how it is used;
• Right to request deletion of personal data;
• Right to correct inaccurate data;
• Right to opt out of the sale or sharing of personal data (we do not sell personal data);
• Right to non-discrimination for exercising your rights. To submit a request, email support@held.app with “California Privacy Request” in the subject line. We will verify your identity before processing your request.

We implement reasonable measures to protect your data against accidental loss, unauthorized access, or misuse. This includes encryption, access controls, and secure storage. However, no system can be completely secure; we cannot guarantee absolute protection. You acknowledge and accept this risk when using our Services.

By creating an account, you may receive service-related communications (e.g., transactional or security notices). You may also opt-in to receive promotional content. You can unsubscribe from marketing emails at any time through the “unsubscribe” link or by contacting support@held.app.

Our Services may include links to third-party websites or applications. We are not responsible for the privacy practices or content of such external sites. We encourage users to review the privacy policies of all third-party sites they visit.

For questions, data access requests, or privacy-related concerns, please contact us at:

Wellset, Inc. (held App)
Email: support@held.app
Address:
811 Wilshire Blvd
17th Floor, Unit 525
Los Angeles, CA 90017