1. Overview
Xelecta Inc. ("Xelecta," "we," "us," or "our") operates the Xelecta precision wellness platform at xelecta.com and related mobile applications and services. This Privacy Policy explains our practices regarding the collection, use, storage, sharing, and protection of personal information — including highly sensitive health, wellness, and genomic data.
This Policy applies to all users of our Platform globally and incorporates our obligations under: HIPAA (45 CFR Parts 160 and 164), the California Consumer Privacy Act (CCPA / CPRA), the EU General Data Protection Regulation (GDPR), the UK GDPR, the Genetic Information Nondiscrimination Act (GINA), the Children's Online Privacy Protection Act (COPPA), and other applicable privacy laws.
Core Commitment: We do not sell, rent, or license your personal health or genomic data to third parties. Your data exists to provide you with a better wellness experience — nothing else.
2. Data We Collect
A. Data You Provide Directly
- Account registration data: name, email address, password (hashed), date of birth, and country
- Billing and payment data: credit/debit card details (tokenized; processed by Stripe — we do not store raw card numbers)
- Shipping address for physical product orders
- Health intake data: health goals, existing conditions you choose to disclose, hardware preferences
- Genomic data: if you choose to upload a DNA file from a third-party genotyping service (e.g., 23andMe, AncestryDNA) or our at-home kit
- Communications: emails, messages, and feedback you send us
B. Health & Biometric Data Generated Through the Platform
- Continuous glucose monitoring (CGM) data: glucose readings, meal events, exercise events
- Body composition data: weight, body fat percentage, visceral fat index, skeletal muscle mass, vascular age score
- Heart-rate variability (HRV): RMSSD, SDNN, autonomic tone metrics
- Sleep architecture: sleep stages (N1, N2, N3/deep, REM), total sleep time, sleep efficiency
- Wearable device data imported via API integrations (e.g., Apple Health, Google Fit, Oura, Garmin)
- Protocol adherence data: supplement logs, activity records you enter
C. Automatically Collected Technical Data
- IP address and approximate geolocation (city/region level only)
- Browser type and version, operating system, device type
- Pages visited, features used, session duration, clickstream data
- Cookies and similar tracking technologies (see Section 7)
- Error logs and crash reports
3. Sensitive Health and Genomic Data
Special Category Data
Health, biometric, and genomic data are special category data under GDPR and sensitive personal information under CCPA. We apply heightened protections to these categories at all times.
Genomic Data Handling: Raw genomic files (e.g., VCF, 23andMe raw data format) are encrypted on your device before transmission. Processing occurs exclusively within hardware-based Trusted Execution Environments (TEEs). Xelecta's servers and employees never have access to your raw DNA sequence data. Only computed variant classifications are stored in our systems, encrypted under your user key.
CGM and Biometric Data: All sensor data is transmitted over TLS 1.3 and stored with AES-256 encryption at rest. Access is restricted to your account and (for Longevity Suite users) your assigned health architect.
Legal Basis for Processing (GDPR): We process special category health data on the basis of your explicit consent (Article 9(2)(a) GDPR). You may withdraw consent at any time (see Section 11). We also process data as necessary for the performance of our contract with you (Article 6(1)(b)) and to comply with legal obligations (Article 6(1)(c)).
4. How We Use Your Data
We use your data to:
- Provide, operate, and improve the Platform and its features
- Generate personalized wellness protocols, supplement recommendations, and insights
- Process purchases, fulfill orders, and manage billing
- Authenticate your account and protect against unauthorized access
- Enable your assigned health architect to support your wellness journey (Longevity Suite)
- Send transactional communications: order confirmations, receipts, security alerts
- Send marketing communications — only with your explicit opt-in consent, and you may unsubscribe at any time
- Comply with legal and regulatory obligations
- Investigate and prevent fraud, abuse, and security incidents
- Analyze de-identified, aggregated usage patterns to improve algorithms and platform features (data cannot be used to re-identify you)
We do not use your health or genomic data for advertising, advertising targeting, or to infer characteristics for non-wellness commercial purposes.
6. We Do Not Sell Your Data
Unambiguous Commitment
Xelecta does not sell, rent, trade, or license your personal information — including health data, genomic data, biometric data, or behavioral data — to any third party for commercial purposes. This includes data brokers, insurers, pharmaceutical companies, advertisers, and research institutions. This is an unconditional commitment, not a conditional CCPA opt-out right.
8. Data Security
We implement comprehensive technical, administrative, and physical safeguards to protect your data, including:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for all data at rest
- Hardware Security Module (HSM) based key management
- Role-based access controls with principle of least privilege
- Multi-factor authentication required for all employee access to production systems
- Continuous vulnerability scanning and annual third-party penetration testing
- 24/7 security monitoring and incident response
- Regular employee security and HIPAA training
- Physical security controls at data center facilities
Despite these measures, no security system is impenetrable. In the event of a data breach affecting your personal information, we will notify you as required by applicable law (including under the HIPAA Breach Notification Rule within 60 days of discovery, and under GDPR to supervisory authorities within 72 hours).
9. Data Retention
We retain your data for as long as your account is active and as necessary to provide services, comply with legal obligations, resolve disputes, and enforce agreements.
- Account data: Retained while account is active + 3 years after closure (for legal/audit purposes)
- Health and biometric sensor data: Retained for duration of service + 2 years, then deleted
- Genomic data (computed variants only): Deleted within 30 days of account closure upon request
- Raw genomic files: Never stored on Xelecta servers (processed in TEE and discarded)
- Transaction records: Retained 7 years for tax and audit compliance
- Audit and security logs: Retained 7 years per HIPAA requirements
- Marketing communications data: Deleted within 30 days of unsubscribe request
You may request earlier deletion of your data (see your rights below), subject to our legal retention obligations.
10. Your HIPAA Rights
To the extent Xelecta handles Protected Health Information (PHI) under HIPAA, you have the following rights:
- Right to Access: Request a copy of your health information that we maintain. We will respond within 30 days (with one 30-day extension available).
- Right to Amend: Request corrections to inaccurate or incomplete health information.
- Right to Restriction: Request restrictions on certain uses and disclosures of your PHI, subject to limitations.
- Right to Accounting of Disclosures: Request a list of certain disclosures we have made of your PHI.
- Right to Confidential Communications: Request we communicate with you through alternative means or at alternative locations.
- Right to Receive a Notice of Privacy Practices: See our full HIPAA Notice.
- Right to File a Complaint: You may file a complaint with our Privacy Officer at privacy@xelecta.com or with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr/privacy. We will not retaliate against you for filing a complaint.
11. Your GDPR Rights (EU and UK Users)
If you are located in the European Economic Area (EEA) or United Kingdom, the GDPR and UK GDPR grant you the following rights:
- Right to Access (Art. 15 GDPR): Obtain a copy of your personal data and information about how it is processed.
- Right to Rectification (Art. 16): Correct inaccurate personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
- Right to Restriction (Art. 18): Restrict processing of your data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format and transmit it to another controller.
- Right to Object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent (including consent to process health/genomic data). Withdrawal does not affect prior lawful processing.
- Right to Lodge a Complaint: Lodge a complaint with your national data protection authority (e.g., ICO in the UK, relevant EU DPA).
Data Protection Officer (DPO): Our DPO can be reached at privacy@xelecta.com with the subject "DPO Request."
International Transfers: When we transfer your data from the EEA or UK to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK International Data Transfer Agreement (IDTA). See Section 16 for details.
12. Your CCPA/CPRA Rights (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell (we do not sell).
- Right to Delete: Request deletion of your personal information, subject to legal exceptions.
- Right to Correct: Request correction of inaccurate personal information we maintain about you.
- Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: Limit our use of your sensitive personal information (which includes health and genomic data) to purposes necessary to provide services. We already comply with this restriction as a matter of policy.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
How to Submit a CCPA Request: Email privacy@xelecta.com with the subject "CCPA Request" and include your full name, email address on file, and the specific right(s) you wish to exercise. We will verify your identity before processing the request and respond within 45 days (with one 45-day extension available with notice).
Authorized Agent: You may designate an authorized agent to exercise CCPA rights on your behalf by providing written authorization and verifying your identity directly.
Categories of Personal Information Collected in the Last 12 Months: Identifiers, commercial information, internet activity, geolocation data (city-level), health information, biometric information, and inferences drawn from health data.
13. Genetic Information and GINA
The Genetic Information Nondiscrimination Act (GINA) prohibits discrimination based on genetic information in health insurance and employment. While Xelecta is a wellness company and not an insurer or employer, we honor the spirit and protections of GINA:
- We will never share your genetic information with any insurance company, employer, or entity that could use it to discriminate against you.
- We process genetic data exclusively for wellness optimization purposes.
- We will never use genetic information to make employment decisions.
- Your genetic data is processed in isolated, encrypted environments as described in Section 3.
14. Children's Privacy (COPPA)
The Xelecta Platform is not directed to, and we do not knowingly collect personal information from, children under 13 years of age. We do not knowingly collect personal information from individuals under 18 years of age without verified parental consent.
If we learn that we have inadvertently collected personal information from a child under 13, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us at privacy@xelecta.com.
15. International Data Transfers
Xelecta is headquartered in the United States. If you access our Platform from outside the United States, your data may be transferred to and processed in the United States, where privacy laws may differ from those in your country.
For transfers from the EEA or UK to the US, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (2021 Implementing Decision)
- UK International Data Transfer Agreement (IDTA) for UK-to-US transfers
- Additional technical and organizational measures (encryption, access controls) applied to compensate for differences in legal protections
A copy of our Standard Contractual Clauses is available upon written request to privacy@xelecta.com.
16. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or for other business reasons. When we make material changes, we will notify you by email and by posting a prominent notice on the Platform at least 30 days before the changes take effect.
Your continued use of the Platform after the updated Policy takes effect constitutes acceptance. If you do not agree to the updated Policy, you must stop using the Platform and may request deletion of your data.
17. Contact, DPO, and Privacy Rights Requests
For privacy questions, requests, or complaints, contact our Privacy Officer:
Privacy Officer — Xelecta Inc.
privacy@xelecta.com
Response time: within 30 days for most requests; 45 days for CCPA requests
For GDPR requests, our Data Protection Officer (DPO) can be reached at the same address with the subject "DPO Request."
For HIPAA-related requests and complaints, contact our HIPAA Privacy Officer at privacy@xelecta.com. You may also file a complaint with the HHS Office for Civil Rights: U.S. Department of Health and Human Services, 200 Independence Avenue S.W., Washington, D.C. 20201, hhs.gov/ocr/privacy.
California residents may also contact the California Attorney General's office or the California Privacy Protection Agency (CPPA) at cppa.ca.gov.
This Privacy Policy was last reviewed and updated by Xelecta's legal and privacy teams on May 4, 2026. It has been prepared with reference to HIPAA (45 CFR Parts 160 and 164), GDPR (EU 2016/679), UK GDPR, CCPA (Cal. Civ. Code § 1798.100 et seq.) as amended by CPRA, GINA (Pub. L. 110-233), and COPPA (15 U.S.C. § 6501 et seq.). This document is not legal advice.