WELLDIN, INC. PRIVACY POLICY

Effective Date: 1 April 2026 | Pilot / Beta Version

This Privacy Policy applies to the Welldin pilot (beta) product. Welldin is currently operating as a proof-of-concept platform. During this phase, Welldin does not share personal data with third parties for commercial or marketing purposes, does not operate a talent marketplace, and does not perform fraud detection or know-your-customer verification. This document reflects the data processing practices in effect as of the Effective Date above and will be updated prior to any material expansion of such practices.

1. Introduction and Scope

Welldin, Inc., a Delaware corporation ("Welldin," "we," "us," or "our"), operates an artificial intelligence-assisted pre-interview platform that enables businesses to screen job applicants through structured, question-based assessments (the "Platform"). The Platform is accessible at welldin.com and welldin.app. This Privacy Policy (the "Policy") sets forth the manner in which Welldin collects, processes, uses, discloses, and retains personal information in connection with the Platform and related services (collectively, the "Services"), and describes the rights and choices available to individuals whose personal information is processed.

This Policy applies to the following categories of individuals: (i) businesses and their human resources and recruitment personnel who access the Platform to create and manage interview processes ("Customers"); (ii) job applicants who are invited by a Customer to complete a pre-interview assessment through the Platform ("Candidates"); and (iii) visitors to Welldin's marketing website. Candidates are encouraged to read Section 3 of this Policy with particular care, as it describes the collection and use of personal information that most directly concerns them.

This Policy does not govern personal information that Customers collect or process independently outside the Platform, nor does it govern the employment decisions made by Customers on the basis of assessment results. Customers bear independent responsibility for compliance with applicable employment, data protection, and equal opportunity laws in their respective jurisdictions.

2. Data Controller and Processor Roles

2.1 Welldin as Controller

Welldin acts as a data controller, within the meaning of the General Data Protection Regulation ("GDPR") and analogous legislation, in respect of personal information that Welldin collects and processes for its own operational and commercial purposes. Such purposes include the administration of Customer accounts and billing relationships, the operation and security of the Platform, communications with Customers and prospective customers, and the collection of analytics relating to Welldin's marketing website.

2.2 Welldin as Processor

When a Customer deploys the Platform to conduct candidate assessments, Welldin processes Candidate personal information on behalf of and under the instructions of the Customer. In this context, the Customer is the data controller and Welldin acts as a data processor or service provider, as those terms are defined under applicable data protection law. The purposes and legal bases for the processing of Candidate data are determined by the Customer, and Candidates who wish to exercise data subject rights in respect of their application data should, in the first instance, direct their requests to the Customer that invited them to participate. Welldin will assist Customers in fulfilling such requests as required by law and by any applicable data processing agreement.

3. Personal Information Collected

3.1 Customer and User Account Information

In connection with the registration and administration of Customer accounts, Welldin collects the following categories of personal information from Customer personnel: full name; work email address; company name and job title; login credentials or, where applicable, single sign-on identifiers; billing contact details and subscription plan information. Payment card data is processed exclusively by Welldin's third-party payment processor and is not stored on Welldin's systems. Welldin also collects job and role-related content uploaded by Customers, including job descriptions, competency requirements, assessment criteria, and question sets, for the purpose of configuring interview processes on the Platform.

3.2 Candidate Personal Information

Candidate personal information is collected in stages corresponding to the Candidate's progression through the assessment process.

Stage 1: Application and Eligibility Screening

When a Candidate submits an application through a Welldin-hosted application page, Welldin collects the following information: full name; email address; telephone number; geographic location (city and country); desired salary range; and work authorisation status, where requested by the Customer. This information is used to create a Candidate account, to verify the Candidate's identity through email and, where applicable, SMS confirmation, and to conduct a rule-based eligibility check against the Customer's stated screening criteria. This eligibility check is rule-based and does not involve artificial intelligence or automated profiling. Welldin does not disclose this contact information to any third party. It is used solely for account creation, identity verification, and communications within the Platform.

Stage 2: Video and Audio Recording of Assessment Responses

Candidates who accept an invitation to complete an assessment are asked to record their responses to assessment questions by video and audio. The primary purpose of such recordings is to enable the Customer's authorised hiring personnel to watch and listen to the Candidate's responses as part of their human evaluation of the application. Recordings are additionally used for basic liveness verification to confirm that a real person is completing the assessment.

Before any recording session commences, Candidates are presented with a dedicated consent screen that describes the purpose and use of the recording in plain terms, discloses that responses will be evaluated by an automated AI system as required by Article 50 of the EU AI Act, and requires the Candidate to click a clearly labelled consent button to proceed. Receipt of an invitation to complete an assessment does not constitute consent to recording. Candidates may withdraw from the process at any time before completing the assessment by closing the session.

The following information is collected during the recording session: video and audio of the Candidate's responses to assessment questions; and session metadata including timestamps, browser and device type, and session identifier. Welldin does not analyse facial expressions, eye movements, micro-expressions, or physical gestures from recordings. Welldin does not perform paralinguistic analysis, including analysis of tone of voice, speaking pace, or other non-verbal audio signals. Welldin does not infer personality traits, psychological profiles, emotional states, or any characteristic of the Candidate other than the substance of their spoken answers.

Important notice regarding biometric data: Video recordings may capture facial imagery and voiceprints that may constitute biometric data under applicable law, including the Illinois Biometric Information Privacy Act ("BIPA") and the GDPR. Welldin collects such recordings solely for the purposes described above. Recordings are stored with appropriate security controls, access is restricted to the Customer's authorised personnel, and recordings are deleted upon account deletion or upon receipt of a valid data deletion request. Customers who operate in jurisdictions that impose specific requirements in respect of the collection of biometric data bear responsibility for ensuring compliance with those requirements prior to inviting Candidates to record.

Stage 3: Assessment Responses and Transcripts

Welldin transcribes Candidates' spoken responses into text using third-party transcription services acting as sub-processors. These transcripts constitute the primary input for Welldin's AI-assisted evaluation feature, as described in Section 4. Transcripts are stored securely and are accessible to the Customer's authorised personnel through the Platform dashboard.

4. Artificial Intelligence Features

Welldin employs artificial intelligence at two discrete points in the assessment workflow.

4.1 AI-Assisted Question Generation

Upon a Customer's configuration of a new interview process, Welldin's AI engine analyses the materials provided by the Customer, including job descriptions, required competencies, and role-specific criteria, and proposes assessment topics and questions. The Customer is responsible for reviewing and approving the final question set prior to deployment. This feature is assistive in nature; the Customer retains full editorial control over the questions presented to Candidates.

4.2 AI-Assisted Response Evaluation

Following completion of an assessment, Welldin's system applies AI analysis to the text transcripts of Candidates' responses for the purpose of evaluating response quality. This evaluation is based exclusively on the substantive content of what the Candidate said: that is, the technical accuracy and clarity of their answers. The evaluation does not draw upon video or audio recordings, paralinguistic signals, facial or behavioural data, or any characteristic of the Candidate other than the informational content of their responses. The evaluation does not produce scores attributed to individuals, nor does it generate inferences regarding personality, cognitive aptitude, confidence, cultural fit, or any characteristic beyond the subject-matter quality of the answers given.

The output of the evaluation is presented to the Customer's human resources or recruitment personnel as a shortlisting aid, indicating relative response quality on a descriptive scale. All decisions regarding which Candidates to invite for further interview, or to reject, are made by the Customer's authorised human personnel. Welldin does not make or recommend hiring decisions.

Welldin does not use Candidate answers, recordings, or transcripts for the purpose of training generalised artificial intelligence or machine learning models. Candidate data is used solely for the evaluation of that Candidate's responses within the Customer's hiring process.

4.3 Sub-Processor AI Services

To deliver its AI features, Welldin transmits Candidate transcript data to third-party AI service providers acting as sub-processors. Voice and audio data is transmitted to transcription service providers for the purpose of converting spoken responses to text. Welldin configures these providers, where technically available, to disable prompt and completion logging. Candidate data transmitted to sub-processors is not used by those providers to train their own models. A current list of sub-processors, including the identity of all AI service providers, is published at welldin.com/subprocessors. Where sub-processors are located outside the European Economic Area or the United Kingdom, Welldin relies on appropriate transfer mechanisms as described in Section 11.

5. Lawful Basis for Processing

Welldin processes Candidate personal data on the following legal bases under the GDPR:

• Consent (Article 6(1)(a)): the recording of video and audio responses and the AI-assisted evaluation of those responses. Consent is obtained through the explicit consent mechanism on the assessment preparation screen prior to any recording commencing. Candidates may withdraw consent at any time before completing the assessment.

• Legitimate interests (Article 6(1)(f)): the operation and security of the Platform, prevention of fraud and abuse, and improvement of the Services through anonymised and aggregated analysis, where such interests are not overridden by the interests or fundamental rights of the Candidate.

• Performance of a contract (Article 6(1)(b)): the creation and administration of Customer accounts and the delivery of the Services to Customers.

Customers are independently responsible for identifying and documenting their own lawful basis for processing Candidate data in connection with their hiring decisions.

6. Processing Practices Not Currently in Effect

In the interest of transparency regarding the current pilot stage of the Platform, Welldin confirms that the following data processing activities are not active and will not be activated without prior amendment of this Policy and advance notification to affected Customers and Candidates: sharing of Candidate or Customer personal data with third parties for commercial, marketing, or recruitment marketplace purposes; the operation of any talent marketplace or profile-sharing feature; know-your-customer or third-party identity verification processing; biometric identification, including facial recognition or voiceprint matching against external databases; behavioural or psychological profiling of Candidates; and fully automated hiring decisions made without human review.

7. Disclosure of Personal Information

Welldin discloses personal information only in the circumstances described in this Section. Welldin does not sell personal information, and does not disclose personal information for cross-context behavioural advertising purposes.

7.1 Disclosure to Customers

Candidate profiles, application data, recordings, transcripts, and AI-assisted evaluation outputs are made available through the Platform to the Customer that initiated the relevant assessment process, and to that Customer's authorised personnel exclusively. No Candidate data is accessible to any other Customer or employer through the Platform.

7.2 Disclosure to Sub-Processors

Welldin engages third-party sub-processors, including providers of cloud hosting and storage, AI language model services used for question generation and response evaluation, transcription services used to convert voice responses to text, transactional email and SMS delivery, and application performance monitoring. These sub-processors process personal data solely for the purpose of delivering services to Welldin and are contractually prohibited from processing such data for their own purposes, including model training. A full and current list of sub-processors is published at welldin.com/subprocessors.

7.3 Disclosure Required by Law

Welldin may disclose personal information where required to do so by applicable law, regulation, court order, or other legal process, or where Welldin reasonably determines that such disclosure is necessary to protect the rights, safety, or property of Welldin, its Customers, Candidates, or other parties.

7.4 Business Transfers

In the event that Welldin is a party to a merger, acquisition, asset sale, financing, reorganisation, or insolvency proceeding, personal information may be transferred as part of such transaction. Welldin will use reasonable efforts to ensure that any successor entity is bound by obligations substantially similar to those set forth in this Policy.

8. Retention of Personal Information

Welldin retains personal information for no longer than is necessary for the purposes for which it was collected, or as required by applicable law or contractual obligation.

Candidate recordings, transcripts, and associated personal data are retained for the duration of the Customer's active hiring process and for a period of up to twelve (12) months following the close of that process, after which they are deleted from Welldin's systems including from cloud storage. Candidate account data is retained until the Candidate requests deletion of their account. Customer account data is retained for the duration of the Customer's subscription and for a reasonable period thereafter to support billing reconciliation and compliance obligations. Website analytics data and security logs are retained for a period of up to twelve (12) months.

Candidates may request deletion of their data at any time in accordance with Section 10.

9. Security

Welldin implements and maintains appropriate technical and organisational measures designed to protect personal information against unauthorised access, disclosure, alteration, or destruction. Such measures include encrypted storage and transmission of all personal data, including recordings and transcripts; role-based access controls ensuring that only the specific Customer's authorised personnel may access their Candidates' data; logical separation of Candidate data between Customers; and security event monitoring and logging. No information security system is impenetrable, and Welldin does not warrant the absolute security of personal information. In the event of a personal data breach likely to result in a risk to the rights and freedoms of affected individuals, Welldin will notify the relevant supervisory authorities and, where required, affected individuals, within the timeframes prescribed by applicable law.

10. Cookies and Similar Technologies

Welldin's website employs cookies and similar tracking technologies for the following purposes: the operation of essential website functionality, including session management and security; and the collection of aggregated analytics data for the purpose of understanding website usage patterns. Welldin does not currently use cookies or similar technologies for advertising, retargeting, or cross-site behavioural tracking. In jurisdictions where applicable law requires prior consent for the use of non-essential cookies, Welldin will obtain such consent through an appropriate consent mechanism presented upon the user's first visit to the website.

11. Rights of Data Subjects

11.1 Rights of Candidates

Subject to applicable law, Candidates may have the right to: (i) request confirmation of whether Welldin or the Customer holds personal data relating to them and to obtain a copy of such data; (ii) request correction of inaccurate or incomplete personal data; (iii) request erasure of their personal data, including recordings and transcripts, in accordance with Article 17 of the GDPR and applicable law; (iv) receive their personal data in a structured, commonly used, and machine-readable format for the purpose of transmitting it to another controller; (v) object to or request restriction of certain processing activities; and (vi) withdraw consent to the recording of their assessment responses at any time prior to completion of the assessment session.

Because the Customer is, in most circumstances, the data controller in respect of Candidate data processed through the Platform, Candidates are advised to direct requests to exercise the above rights to the Customer in the first instance. Where a Candidate is unable to contact the Customer, or where the request concerns processing for which Welldin is the controller, requests may be submitted to info@welldin.com. Welldin will respond within thirty (30) days.

Requests for account deletion and the associated erasure of personal data, including recordings and transcripts, may be submitted to info@welldin.com. Welldin will process such requests within thirty (30) days, subject to any applicable legal obligation to retain specific records for a longer period.

11.2 Rights of Customers

Customers may request access to, correction of, export of, or deletion of their account data and Customer-uploaded content through the account settings interface or by contacting info@welldin.com.

11.3 Marketing Opt-Out

Recipients of marketing communications from Welldin may opt out at any time by using the unsubscribe mechanism included in each communication, or by submitting a request to info@welldin.com.

12. International Transfers of Personal Data

Welldin is incorporated and headquartered in the United States of America. Personal data processed through the Platform may be transferred to and stored in the United States and in such other countries in which Welldin's sub-processors operate. Where personal data is transferred from the European Economic Area or the United Kingdom, Welldin relies on appropriate transfer mechanisms, including where applicable the Standard Contractual Clauses adopted by the European Commission or the UK International Data Transfer Agreement, to ensure an adequate level of protection. Further information regarding the transfer mechanisms relied upon for any particular transfer, including in respect of sub-processors, is available on request by contacting info@welldin.com.

13. EEA and UK Supplemental Notice (GDPR)

This Section applies to individuals located in the European Economic Area or the United Kingdom whose personal information is processed by Welldin in its capacity as a data controller. The legal bases upon which Welldin relies for such processing are set out in Section 5 of this Policy.

Data subjects located in the EEA or the UK have the right to lodge a complaint with the competent data protection supervisory authority in their jurisdiction. A list of EEA supervisory authorities is available at edpb.europa.eu. The supervisory authority for the United Kingdom is the Information Commissioner's Office, accessible at ico.org.uk.

14. California Supplemental Notice (CCPA/CPRA)

This Section applies to residents of the State of California to the extent that Welldin acts as a "business" within the meaning of the California Consumer Privacy Act, as amended by the California Privacy Rights Act. Welldin collects the categories of personal information described in Section 3 of this Policy for the purposes described in Section 4. The categories of personal information collected include identifiers; internet and network activity information; professional or employment-related information; visual and audio information; and the contents of communications.

Welldin does not sell personal information within the meaning of the CCPA/CPRA. Welldin does not share personal information for the purpose of cross-context behavioural advertising. California residents have the right to know, access, delete, and correct personal information held about them. Requests may be submitted to info@welldin.com.

15. Minors

The Services are not directed to individuals under the age of eighteen (18). Customers are prohibited from inviting individuals under the age of eighteen (18) to complete assessments through the Platform without a lawful basis and, where required by applicable law, the consent of a parent or legal guardian. If Welldin becomes aware that it has collected personal information from a minor without appropriate authorisation, it will take prompt steps to delete such information. Enquiries may be directed to info@welldin.com.

16. Amendments to This Policy

Welldin reserves the right to amend this Policy from time to time. The "Effective Date" at the head of this document will be updated upon each revision. In the event of material changes to this Policy, including any changes that expand the purposes for which Candidate personal data is processed or that add new sub-processors, Welldin will provide advance notice to affected Customers and Candidates by email or through a prominent notice within the Platform, prior to such changes taking effect.

17. Contact Information

Entity: Welldin, Inc.
Address: 1111B S Governors Ave STE 39725, Dover, DE 19904, United States
Email: info@welldin.com
Website: welldin.com

© 2026 Welldin, Inc. All rights reserved.