Privacy is a property of the hardware.

What does not exist in the sensor

• No camera in the sensor. No lens, no imager, no CMOS or CCD element. The sensor is physically incapable of producing an image of the room. You can open it; the optical components do not exist.
• No microphone in the sensor. No mic element exists in the bill of materials. The sensor cannot capture voice or ambient sound. There is no audio path from the room into the device.
• No wearable. Nothing the cared-for person has to put on, charge, or remember. The sensor lives on the ceiling; the person does not need to interact with it.
• No voice data captured. Without a microphone, no voice data can exist anywhere in the system.
• No image data captured. Without a camera, no image or video can exist anywhere in the system.

What the sensor does see

Wellytic uses 60 GHz mmWave radar (and 5.8 GHz radar in the bathroom variant). What the radar produces:

• Presence signature. Is something with a human-scale radar cross-section in the room? Yes or no. Most of the time, this is a single bit.
• Activity signature. Is the presence moving, resting, sleeping, or in transition? Categorical, not numeric.
• Posture signature. Standing, sitting, lying, or transitioning rapidly between them. The fall classifier reads from this signal.
• Motion velocity envelopes. Used to distinguish walking from a stumble from a fall. No spatial detail beyond that.

None of these are images, recordings, or identifiers. Two different people in the same room cannot be told apart by the sensor.

How the signal is processed

• On-device classification. Raw radar IQ data is processed on the sensor itself. Only categorical event data leaves the sensor: "presence", "fall signature", "stillness threshold crossed", with timestamps.
• Gateway authenticates and signs. The household gateway collects events from each sensor and signs them via Veritize before forwarding to the cloud. This makes tampering detectable end to end.
• Cloud stores categorical events only. No radar IQ data, no waveforms, no spatial reconstructions are stored in the cloud.

Data retention posture

Two distinct postures, depending on which product you have.

Family kit (Wellytic Home)

• Categorical events: 90 days hot, then summarized into daily/weekly aggregates.
• Daily summaries: retained for the life of the subscription.
• Fall events: retained indefinitely while the subscription is active; exported as evidence bundles on request.
• Account deletion: full event purge within 30 days of cancellation.

Care home kit (Wellytic Care)

• Categorical events: 365 days hot for audit and regulatory access.
• Evidence bundles: retained for the life of the operator agreement plus the regulator-mandated minimum.
• Resident data export and erasure: within the operator's documented data-handling SLA. See /docs/data-handling.

Cloud posture

• Default deployment region. Canada (BC) for North American customers, with a US fallback for cross-border families.
• Sovereign Canadian deployment. Available on Heroa BC substrate for care homes that require all data to stay inside Canada under Canadian-entity MSA. See /docs/data-handling.
• No third-party advertising or analytics processors. Wellytic does not share event data with ad networks. Production telemetry is on a single first-party endpoint.

Independent privacy audit

Status: {{TBD-audit-status}}. We are commissioning an independent third-party privacy audit prior to GA. The auditor name and report will be published on this page when the audit completes.

What this all adds up to

You can summarize Wellytic's privacy posture in one sentence: the sensor cannot do the things you would worry a sensor in a senior's home could do, because the components that would allow it are not in the device. Privacy is not a setting you can toggle in the app, because it is not implemented in the app. It is implemented in the bill of materials.

Next

• Hardware detail: /how-it-works
• Data handling and export: /docs/data-handling
• FAQ: /faq