Privacy Policy

Last Updated: March 30, 2026  ·  Effective: March 30, 2026

1. Introduction & Core Principles

Welcome to Qire. Wellbee App, LLC ("Qire," "we," "us," or "our") has engineered a privacy-first physiological and nutritional intelligence platform. This Privacy Policy details the aggressive technical and legal safeguards we have implemented to protect the personal, biometric, and conversational data you process through the Qire mobile application (the "App"), our website at qire.app, and our underlying services (collectively, the "Services").

At Qire, our architecture defines our privacy stance:

• We absolutely do not sell your personal data. Nor do we "share" it under the definition of the CCPA/CPRA. Qire operates on a direct-to-consumer software-as-a-service (SaaS) business model, not a data brokerage model.
• We do not use tracking pixels, ad networks, or behavioral SDKs. You will never see third-party advertisements in the App.
• Zero-Knowledge chat transit. Our AI conversations utilize envelope encryption (X25519 key agreement + AES-256-GCM), meaning we are mathematically incapable of decrypting your real-time chat transit for law enforcement or subpoena compliance.
• Your raw health data stays on-device. Integrations with Apple Health (HealthKit) and Android Health Connect ensure that raw step, respiratory, and autonomic nervous system data are processed strictly on your local hardware.

2. Data We Collect

2.1 Account & Identity Data

To provision and secure your account, we collect:

• Email address — used exclusively for authentication (OIDC, magic links, or Apple/Google SSO).
• Display name — optional.
• Authentication keys — we do not store plaintext passwords; our identity infrastructure relies on cryptographic token exchange (PKCE).

2.2 Physiological & Onboarding Data

To construct your metabolic fingerprint and personalize the AI engine, we collect:

• Date of birth, biological sex at birth, height, and current body mass.
• Activity archetypes, kinetic goals (e.g., hypertrophy, body recomposition).
• Dietary restrictions, intolerances, and preferred culinary traditions.
• Measurement taxonomies (metric/imperial) and timezone offsets securely localized to your device.

2.3 User-Generated Object Content

We persist objects you explicitly author to enable cross-device synchronization and disaster recovery. This includes:

• Food logs, absolute nutritional intake quantities, and unstructured camera-scanned meals.
• Workout logs, volume tracking inputs, and mechanical tension metadata.
• AI chat conversations (securely encrypted at rest) and derived "AI memories" (e.g., "User prefers high-protein breakfasts").
• Custom recipe taxonomies and ingredient modifications.

2.4 Systems & Diagnostic Data

We collect essential telemetry and diagnostic data to ensure application uptime and performance. This is restricted to:

• Operating system version, hardware models, and App build numbers.
• Anonymized crash diagnostics devoid of biometric overlays or chat plaintext.
• Aggregate operational metrics (e.g., LLM query volume, API latency) utilized solely for internal capacity planning and cost attribution.

3. Health, Biometric Data & HIPAA Exemption

Qire leverages native ecosystem APIs (Apple HealthKit for iOS, Health Connect for Android) to provide profound physiological intelligence. Our architectural boundaries are strict:

On-Device Computation Boundary

• Raw biometric streams (heart rate variability (HRV), continuous heart rate, blood oxygen saturation, complex sleep staging indices, body temperature differentials, and respiratory rates) are queried, parsed, and evaluated entirely on your physical device. The raw time-series data for these metrics is never exfiltrated to Qire’s backend servers.
• Local algorithms synthesize these streams into "Daily Snapshots" and "Stress Scores," which are stored in the device's encrypted sandbox.

Cloud Synchronization Boundary

• Only data required for contextual cross-device continuity (e.g., logged meals, finalized workout sessions, daily steps, and hydration totals) is synchronized over TLS 1.3 to our encrypted cloud database using user-scoped row-level security (RLS).

Regulatory Boundaries (Apple, Google & HIPAA)

We are unequivocally not a "Covered Entity" or "Business Associate" under the Health Insurance Portability and Accountability Act (HIPAA). Consumer wearable data inputted into Qire is not protected health information (PHI) under US federal law. However, we maintain strict adherence to Apple's App Store Review Guidelines regarding HealthKit and Google Play’s Health Connect policies: we will never use, sell, or rent your health data for advertising, marketing, or data mining purposes.

4. Location Data

For services requiring environmental awareness (e.g., weather-adjusted recovery recommendations or heat-index hydration warnings), the App may request approximate location telemetry via your operating system. We utilize geographic region hashing (Geohash) prior to network transmission, degrading precision to approximately a 150-kilometer radius before passing it to upstream weather providers. We do not aggregate historic location trails or sell generalized location segments.

5. AI Processing & Zero-Knowledge Architecture

Qire integrates large language models (LLMs) and advanced computer vision APIs. We strictly govern data flow to these external inference engines.

5.1 The Prompt Payload

Inference requests sent to our AI services (e.g., Google Gemini models) contain only localized contextual vectors: user goals, summarized daily stress states (e.g., "User slept poorly, HRV is depressed"), user dietary preferences, and explicit chat context. Under no circumstances do we stream raw biometric time-series data to standard LLM inference endpoints.

5.2 Subpoena Limitation & Envelope Encryption

Between your device and our real-time streaming backend, AI chats employ advanced envelope encryption (X25519 key agreement combined with AES-256-GCM). The private keys required to decipher your real-time chat streams during transit exist exclusively on your local device. Because Wellbee App, LLC holds a Zero-Knowledge posture regarding these transit keys, we are mathematically incapable of providing plaintext chat streams to third parties or law enforcement authorities wielding subpoenas for network intercepts.

5.3 AI Training Opt-Out Status

Via our enterprise API agreements, your inputs, prompts, and images are strictly exempted from being used to train, fine-tune, or otherwise improve the foundational models managed by our AI service providers (e.g., Google or OpenAI).

6. How We Use Your Data (Internal BI)

We process your data for the exclusive purpose of honoring our software contract with you. This includes computing physiological metrics, generating meal workflows, supporting authentication, enforcing API rate limits, and communicating service updates.

Exception for Internal Business Intelligence

While we eschew third-party behavioral analytics, we do perform complex multi-dimensional aggregation of our own operational databases (e.g., via internal Metabase dashboards) to compute macro-level key performance indicators (KPIs) involving user retention, feature utilization rates, and server loads. This internal business intelligence is fully de-identified during analysis and remains securely quarantined within the Wellbee App, LLC infrastructure. This data is leveraged strictly to engineer a superior product.

7. Data Sharing & Third Parties

We restrict data transmission exclusively to indispensable sub-processors governed by strict Data Processing Agreements (DPAs):

• Cloud Infrastructure: For hosting secure databases, executing cloud functions, and routing edge API traffic.
• AI & Machine Learning APIs: Providers like Google (Gemini) strictly for stateless model inference.
• Nutritional Metadata Resolvers: Food databases (e.g., FatSecret) to query macros using anonymous text strings or barcodes.
• Operation Support: Transactional email dispatchers and anonymized application crash reporters.

8. Data Security & Encryption

Qire treats your physiological and conversational data as a high-value asset, imposing defensive depth exceeding consumer-grade standards:

• Data at Rest: Cloud data is encrypted using AES-256 algorithms. Health data synthesized locally is securely corralled in encrypted iOS Keychain or Android KeyStore environments, fundamentally tethered to the device's hardware enclave.
• Data in Transit: All HTTP/WebSockets channels require TLS 1.3 encryption.
• Row-Level Security (RLS): Cryptographic and database constraints assert that only authenticated JSON Web Tokens (JWTs) representing your specific identity can query, mutate, or access your relational data.

9. Data Retention

We subscribe to a data minimization doctrine. Account data, synced routines, encrypted chat history, and derived AI memories persist only for the temporal life of your active account. Upon executing an account deletion request through the App settings, the platform triggers a cascading deletion of your user records. Due to automated database backup cycles, archival data may take up to 30 continuous days to be irreversibly purged. Any health data siloed locally on your device is destroyed immediately upon logout or application uninstallation.

10. Regional Privacy Rights (CCPA, GDPR)

Wellbee App, LLC extends paramount privacy execution rights to all users globally; however, we specifically acknowledge statutory rights belonging to residents of defining jurisdictions.

For California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA) & Connecticut (CTDPA) Residents

Consumers possess the specific right to: know what precise categories of data we collect, mandate the deletion of personal information, correct inaccurate information, and unilaterally restrict the processing of sensitive personal information. Because Qire explicitly does not sell, trade, or share your personal data for cross-context behavioral advertising, the statutory "Do Not Sell/Share" opt-out requirements are satisfied by default architecture.

For European Economic Area (EEA), UK & Switzerland Residents (GDPR)

We process your personal data under the lawful bases of: (a) Performance of a Contract (operating the App), (b) Consent (for explicitly linking Apple HealthKit or local wearables), and (c) Legitimate Interests (ensuring application security and synthesizing internal analytics). You possess the right to object to processing, lodge a complaint with a supervisory authority, and demand complete data portability.

To execute a legal data rights request, email privacy@qire.app with the subject header "Data Subject Access Request." We authenticate requests prior to execution and fulfill them within 30 days.

11. Children's Privacy

Because the physiological baseline assumptions in our metabolic models are predicated on adult biology, the Services are strictly designed for users aged 16 and older. We do not knowingly solicit, collect, or process personal data from children under 16 without verified parental consent. To report a violation of this policy or the Children's Online Privacy Protection Act (COPPA), contact us immediately.

12. International Data Transfers

Wellbee App, LLC operates backend infrastructure geographically sovereign to the United States. Utilizing the Service entails the fundamental transmission and aggregation of data in the US. By utilizing the Services, you provide explicit consent to this cross-border transfer regimen. We secure European transmissions using Standard Contractual Clauses (SCCs) where algorithmically and legally mandated.

13. Changes to This Policy

We maintain the unilateral authority to update, revise, or restructure this Privacy Policy. Substantive or material alterations to data processing scopes will be communicated to your paramount registered email address or via mandatory in-app intercept at least 14 days prior to operational enforcement.

14. Contact Us

All legal inquiries, compliance audits, or privacy requests must be directed to:

• Privacy / Data Protection Officer: privacy@qire.app
• General Consumer Support: support@qire.app
• Corporate Headquarters: Wellbee App, LLC, 7901 4th St N, Ste 9076, Saint Petersburg, FL 33702, USA