IT & Security Overview
For companies evaluating WeMove for employee step challenges
Last Updated: July 1, 2026
TL;DR
A quick summary for IT security reviewers (~5 min read)
- No employee data upload — company admin shares an invite link; employees self-register
- No IT integration required — no SSO, HRIS, MDM, or VPN setup for standard challenges
- Minimal data — daily step totals and optional weight; not raw HealthKit/Health Connect records
- US infrastructure — AWS + MongoDB Atlas (us-east-1)
- Employee-controlled — users can export or delete their data
- DPA available on request for business customers
1. What WeMove is
WeMove is a B2B wellness platform for employer-sponsored step challenges. Employees use the mobile app (or web leaderboard); company administrators use app.getwemove.com.
2. How employees join (no IT project)
- Admin creates a challenge at app.getwemove.com
- Admin shares one invite link (e.g. app.getwemove.com/members?code=XXXX)
- Each employee creates their own account (name, email, password)
- Steps sync from Apple Health (iOS) or the phone's step tracker / Health Connect (Android)
Only people with the invite link or code can register for that organization's challenge.
WeMove does not receive employee rosters from employers.
There is no CSV upload, HRIS sync, or Active Directory integration in the standard product.
3. What data is collected
From employees (self-entered or device-synced)
| Data | Purpose |
|---|---|
| Name, email, password | Account |
| Daily step counts | Challenges & leaderboard |
| Optional weight, gender, height | Personal tracking / leaderboard display |
| Workout summaries (type, duration, calories) | Activity feed (if enabled) |
From company administrators
| Data | Purpose |
|---|---|
| Name, email, company name | Admin account & billing |
| Challenge configuration | Program setup |
| Payment method (via Stripe) | Subscription |
What we do NOT store on our servers:
- Raw Apple Health / Health Connect records
- GPS routes or location tracking
- Heart rate, sleep, or stress data
- Employer-provided employee lists
4. What the employer can see
- Participation status, team assignment, leaderboard ranking
- Name and step counts on leaderboards
- Gender may appear on leaderboards if the employee provided it
Not shared with employer: weight logs, raw health data, detailed medical information.
Other challenge participants also see name and step counts on the leaderboard (not only administrators).
See also our Privacy Policy and Terms §4.
5. Security controls
- Encryption in transit: HTTPS/TLS for all API traffic
- Encryption at rest: Provider-managed (AWS, MongoDB Atlas)
- Access control: Role-based (member, club admin, platform admin)
- Authentication: JWT tokens, bcrypt password hashing, account lockout after failed logins
- Infrastructure: AWS Lambda, MongoDB Atlas, Redis — US (us-east-1)
- Providers: SOC 2–certified infrastructure providers (AWS, MongoDB Atlas, Stripe)
6. Subprocessors
| Provider | Purpose | Location |
|---|---|---|
| AWS | Hosting, file storage | US |
| MongoDB Atlas | Database | US |
| Redis Labs | Sessions / cache | US |
| Stripe | Payments | US |
| Loops / SendGrid | Email delivery | US |
| Sentry | Error monitoring | US |
| Amplitude | Product analytics | US |
| Meta (Facebook Pixel) | Marketing analytics (admin website only) | US |
| Expo | Push notifications | US |
| Google (Gemini) | Admin invite copy generation only — no employee health data | US |
| Vercel | Admin panel hosting | US |
| Gift card partners | Reward fulfillment | US / varies |
| Slack (optional) | Integration when admin connects | US |
Analytics (Amplitude, Meta Pixel) apply to the admin onboarding website, not employee health data processing.
7. Data subject rights
- Access / export: Export available on request at DPO@reaction-club.com; in-app export coming soon
- Deletion: Account drawer → Settings → Delete account; active data deleted promptly; backup copies may persist up to 90 days
- Health permissions: Revocable anytime in iOS/Android device settings
- DPA: Business customers in EEA/UK may request a Data Processing Agreement at DPO@reaction-club.com
See Privacy Policy and Terms §3.6.
8. Billing & subscriptions (for IT context)
- Organization subscriptions: Purchased by the company admin via Stripe on app.getwemove.com (not App Store). See Subscription Terms and Terms §8B
- Employee accounts: Typically free; no individual subscription required for employer-sponsored challenges
- Cancel org subscription: Admin panel (not employee app). Deleting an employee account does not cancel the organization subscription
- Money-back policy applies to direct website consumer purchases per Money-Back Policy
9. FAQ for security questionnaires
- Do you require SSO?
- Do we upload employee data?
- Is this HIPAA?
- Where is data stored?
- Do you sell employee data?
- Do you use health data to train AI?
- Can employees delete their data?
- Do you have SOC 2?
- Can we get a DPA?
10. Contact
- Privacy / DPA: DPO@reaction-club.com
- General support: hello@reaction-club.com
- Company: Reaction Wellness Ltd., Sapir 7, Herzliya, Israel
Copy for IT email
Paste this summary into an internal vendor approval or security review email:
WeMove — IT Security Summary (vendor evaluation)
Product: Employer-sponsored step challenge platform. Employees use mobile app; admins use app.getwemove.com.
Employee onboarding: No employer roster upload. Admin shares invite link; each employee self-registers (name, email, password). Only people with the invite link/code can register for that organization's challenge. No SSO, HRIS, MDM, or VPN required for standard challenges.
Data collected (employees): Name, email, password; daily step counts; optional weight, gender, height; workout summaries (type, duration, calories).
NOT stored on servers: raw Apple Health/Health Connect records, GPS, heart rate, sleep, stress, employer employee lists.
Employer visibility: Participation status, team, leaderboard ranking, name and step counts. Other challenge participants also see name and step counts on the leaderboard (not only administrators). NOT shared: weight logs, raw health data.
Infrastructure: United States (AWS us-east-1, MongoDB Atlas, Redis Labs). HTTPS/TLS in transit; provider-managed encryption at rest.
Subprocessors: AWS, MongoDB Atlas, Redis Labs, Stripe, Loops/SendGrid, Sentry, Amplitude, Meta Pixel (admin site only), Expo, Google Gemini (admin copy only), Vercel, gift card partners.
Security: Role-based access, JWT auth, bcrypt passwords, account lockout after failed logins.
Data rights: Employees can delete account in-app or contact DPO@reaction-club.com. Export available on request at DPO@reaction-club.com; in-app export coming soon. DPA available for EEA/UK business customers.
Billing: Organization subscriptions via Stripe (admin panel). Employees typically do not need individual subscriptions.
Legal docs: https://www.getwemove.com/privacy | https://www.getwemove.com/privacy/terms | https://www.getwemove.com/privacy/subscription | https://www.getwemove.com/privacy/money-back | https://www.getwemove.com/privacy/it-security
DPA requests: DPO@reaction-club.com
