Privacy Policy
Last Updated: October 14, 2025
Introduction
xlr8well ("we," "us," or "our") is committed to protecting the privacy and security of our users' ("user," "you," "your") data. This Privacy Policy explains how we collect, use, process, disclose, and safeguard your information when you use our website, mobile application, and all related services (collectively, the "Services").
This policy has been updated to align with the laws of the United Arab Emirates, including Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (the "PDPL").
Please read this Privacy Policy carefully. By accessing or using our Services, you signify your understanding of and agreement to the terms of this Privacy Policy. If you do not agree with these terms, please do not access or use the Services.
1. Information We Collect
We collect information that is necessary to provide and improve our Services. The types of information we may collect include:
Personal Data: Personally identifiable information that you voluntarily provide to us when you register for an account or use the Services. This includes, but is not limited to:
- Identity Data: Full name, username, or similar identifier.
- Contact Data: Shipping address, email address, and telephone number.
- Demographic Data: Date of birth, gender, and city.
Sensitive Personal Data (Health and Wellness Data): Due to the nature of our Services, we collect data related to your health and wellbeing. This is classified as Sensitive Personal Data under the PDPL and is handled with the highest level of care. We will only collect and process this data with your explicit consent. This includes:
- Medical history, health conditions, and lifestyle information you provide.
- Biomarker data from blood tests and other wellness assessments.
- Health goals and preferences.
- Data from connected wearable devices (e.g., activity levels, sleep patterns, heart rate).
Derivative Data: Information our servers automatically collect when you access the Services, such as your IP address, browser type, operating system, access times, and the pages you have viewed directly before and after accessing the Services.
Financial Data: Financial information, such as data related to your payment method (e.g., valid credit card number, card brand, expiration date) required to process transactions. We store only very limited financial information. Most financial information is securely stored and processed by our third-party payment processor.
Data from AI Interactions: We collect the queries and inputs you provide to our AI-powered features (e.g., AI-Powered Provider Matching) to generate responses, personalize your experience, and improve our algorithms. We take steps to ensure that personal data used in AI model training is anonymized where possible.
2. Legal Basis and Purpose for Using Your Information
We only process your Personal Data when we have a lawful basis to do so under the UAE PDPL. Our legal basis and purposes for processing your information include:
- Consent: We process your Personal Data, and specifically your Sensitive Personal Data, based on your clear, specific, and unambiguous consent, which you provide when you sign up for and use our Services.
- Contractual Necessity: To create and manage your account, process transactions, and deliver the Services you have requested.
- Legitimate Interest: To monitor and analyze usage and trends to improve and personalize your experience with the Services.
- Legal Obligation: To comply with applicable legal and regulatory requirements within the UAE.
Specifically, we use your information to:
- Create and manage your secure account.
- Fulfill and manage purchases, orders, payments, and other transactions.
- Deliver personalized wellness summaries and AI-powered provider matching.
- Communicate with you regarding your account, orders, and service updates.
- Respond to your inquiries and provide customer support.
- Request feedback and monitor the effectiveness of our Services.
- Ensure the security of our platform and prevent fraud.
3. Disclosure of Your Information
We do not sell your Personal Data. We may share information we have collected about you in certain situations, as follows:
- By Law or to Protect Rights: If we believe the release of information is necessary to respond to a legal process, investigate potential violations of our policies, or protect the rights, property, and safety of others, we may share your information as required or permitted by any applicable UAE law.
- Service Providers: We may share your information with trusted third-party vendors, consultants, and other service providers who perform services for us or on our behalf and require access to such information to do that work (e.g., payment processing, data analysis, email delivery, hosting services).
- Healthcare Providers: With your explicit and specific consent, we will share relevant health information with healthcare providers you choose to engage with through our platform.
- Corporate Wellness Programs: If you are using our Services through your employer's corporate wellness program, we may provide aggregated and anonymized reports to your employer for ROI and engagement analysis. Your individual personal or health data will never be shared with your employer without your explicit consent.
- Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
4. Data Security and Retention
Data Security: We use robust administrative, technical, and physical security measures to help protect your Personal Data. We utilize secure infrastructure, such as Firebase by Google, and employ measures like encryption and access controls. While we have taken reasonable steps to secure the information you provide, please be aware that no security measure is perfect or impenetrable.
Data Retention: We will only retain your Personal Data for as long as it is necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. When your data is no longer needed, we will securely destroy or anonymize it.
5. Cross-Border Data Transfers
Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of the UAE where data protection laws may differ. We will only transfer Personal Data outside the UAE in compliance with the PDPL, ensuring that the destination country provides an adequate level of data protection or by implementing appropriate safeguards (such as Standard Contractual Clauses) and obtaining your explicit consent for such a transfer.
6. Your Rights as a Data Subject
Under the UAE PDPL, you have certain rights regarding your Personal Data. You have the right to:
- Access Information: Request access to a copy of the Personal Data we hold about you.
- Request Rectification: Request the correction of any inaccurate or incomplete Personal Data.
- Request Erasure (Right to be Forgotten): Request the deletion of your Personal Data when it is no longer necessary for the purposes for which it was collected.
- Restrict Processing: Request that we stop processing your Personal Data in certain circumstances.
- Data Portability: Request the transfer of your Personal Data to you or another party in a structured, machine-readable format.
- Object to Processing: Object to our processing of your Personal Data, for example, for direct marketing purposes.
- Withdraw Consent: Withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, please contact us at privacy@xlr8well.com. We will respond to your request within the timeframes stipulated by UAE law.
7. Policy for Minors
We do not knowingly solicit information from or market to individuals under the age of 18. If you are under 18, you may not use these Services without the consent and supervision of a parent or legal guardian. If we learn that we have collected Personal Data from an individual under 18 without verification of parental consent, we will take steps to delete that information as quickly as possible.
8. Data Breach Notification
In the unfortunate event of a data breach that is likely to result in a risk to your rights, we will comply with our obligations under the PDPL, which include notifying the UAE Data Office and, where required, notifying affected individuals without undue delay.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by updating the "Last Updated" date of this Privacy Policy and, where appropriate, by notifying you via email or a prominent notice on our Services.
10. Governing Law and Jurisdiction
This Privacy Policy and any disputes related thereto shall be governed by and construed in accordance with the laws of the United Arab Emirates as applied in the Emirate of Dubai.
11. Contact Us
If you have any questions, comments, or requests regarding this Privacy Policy or our data protection practices, please do not hesitate to contact us:
xlr8well
Attn: Data Privacy Officer
702 Yes Business Tower, Al Barsha 1
Dubai, UAE
Email: privacy@xlr8well.com
General Inquiries: hello@xlr8well.com