Health Privacy
Consumer Health Data Privacy Policy
Required disclosures under the Washington My Health My Data Act (RCW 19.373), Nevada SB 370, Connecticut SB 3, and California's CMIA (as extended by AB 352). Effective May 26, 2026. Last updated May 30, 2026.
Scope of this policy
This policy covers consumer health data (“CHD”) as defined by RCW 19.373 — personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status, including inferences derived from any information you provide to HealthBrew. It applies in addition to (not instead of) our general Privacy Policy.
HealthBrew is not a HIPAA-covered entity and Sophia is not a medical device. The protections below are offered voluntarily under state consumer-health-data law, not under HIPAA.
What HealthBrew holds vs. what LemonSqueezy holds
The HealthBrew database is built on a hard data-minimization rule: we never collect or store a user's legal name, mailing address, date of birth, gender, race, ethnicity, or any government identifier. The fields that exist in our schema are: email, avatar nickname, timezone, and product data (check-ins, journal text, milestones, Sophia outputs). That is the full list. The schema is public in git.
LemonSqueezy IE, an Irish company and the merchant of record for every HealthBrew subscription, holds your legal name, billing address, and tax jurisdiction. They have to — card processing, sales tax, and chargebacks require it. That data is governed by their privacy policy, not ours, and is never transmitted to HealthBrew. From LemonSqueezy we receive a webhook with subscription status only, keyed to your account email.
Practical consequence under RCW 19.373: the consumer health data we hold is genuinely de-identified from real-world identity at the database layer. A request to HealthBrew for “a person's data by legal name” cannot be fulfilled — we do not know which row that name corresponds to. Re-identification would require the consumer to tell us their account email or LemonSqueezy to disclose the email tied to a name under separate process.
1. Categories of consumer health data we collect
The only direct identifier tied to a HealthBrew CHD record is the account email and an avatar nickname the user chose. We do not collect or store legal name, mailing address, date of birth, gender, race, ethnicity, or any government ID.
From you, when you choose to enter it into the product:
- Self-reported mood, stress, mental clarity, and human-connection scores (1–10 scales, nightly).
- Self-reported physical signals: energy score, movement minutes, nutrition quality, sleep hours, sleep quality, wake time.
- Free-text journal entries, including a daily one-sentence reflection, gratitude text, forgiveness text, “best moment today,” and tomorrow's intention.
- Pain or symptom notes you choose to write into the symptoms field.
- Substance-use flag (a single boolean you toggle if a substance was a factor that day).
- Ingredients you log (named consumables — coffee, alcohol, sugar, etc.).
- Day color (green / yellow / red) — your self-assessed summary.
- Child profile data (if you choose to add one): nickname, age range, the five-item nightly ritual, and a free-text “what made you smile.” We do not collect a child's legal name, weight, BMI, calorie counts, or any biometric data.
- AI-derived inferences: Sophia generates reflections, pattern observations, and a daily plan from your check-in. These outputs are treated as CHD even though they are model-produced.
- Sophia chat is not retained as a transcript. The companion chat is never stored. Support chat keeps only Sophia's own replies, and deletes them within 24 hours for non-escalated conversations. The only lasting record is a paraphrased, consent-gated insight (max ~140 characters per field) — never your verbatim text. A message flagged as a safety crisis is the one exception we retain, for follow-up.
2. Categories of sources from which we collect
- Directly from you, through the in-product Close-the-Day form, the journal, the milestones feature, and Sophia chat.
- Operational metadata generated by your device: IP address (rotating, used for rate-limiting), browser type, the timestamps of your sessions, and your stated timezone.
- From LemonSqueezy IE, the merchant of record — subscription status only, keyed to your account email. We do not see or receive your card number, your legal name, your billing address, or your tax jurisdiction. Those fields stay with LemonSqueezy.
- From Sophia (our AI processor): model-generated inferences over data you provided. The model itself does not introduce outside data.
We do not purchase consumer health data from data brokers, ad networks, social platforms, or any third party.
3. Categories of consumer health data we share
We share consumer health data only with the processors strictly necessary to run the Service, and only in the minimum amount needed:
- With Anthropic (Claude API): your recent check-in fields and recent journal text, sent at the moment Sophia generates a reflection. We send the substance, not your name or email. Anthropic does not train models on data sent via its API per its API terms.
- With Supabase: the database of record. Your check-ins, journal, milestones, and paraphrased Sophia insights are stored on Supabase under our project. Raw Sophia chat is not retained there.
- With Render: our hosting provider for the web app and the background worker that runs the Sophia pipeline. Data passes through Render only in transit.
- With Resend: when we send you a transactional email (welcome, reminder, password reset). The email body may contain a generic reminder but never contains your journal text.
- With LemonSqueezy IE: account email and subscription event only (start, cancel, renewal). No consumer health data is transmitted to LemonSqueezy. They never see check-ins, journal text, scores, or Sophia outputs.
We do not share, sell, lease, or rent consumer health data to advertisers, data brokers, insurers, employers, or any party not listed above. We have never received a request from law enforcement; if we do, we will require a valid subpoena or warrant and will notify the affected user unless legally prohibited.
4. List of third parties with which CHD is shared
- Anthropic, PBC — AI processing (Claude API). Purpose: generate Sophia's reflections and the daily plan.
- Supabase, Inc. — Postgres hosting and authentication. Purpose: durable storage of your account and check-ins.
- Resend, Inc. — Transactional email delivery. Purpose: account email (welcome, reminder, password reset).
- LemonSqueezy IE (Irish company; Stripe-owned) — Merchant of record. Purpose: card processing, sales tax, chargebacks. Receives email + subscription event; receives no consumer health data.
- Render, Inc. — Web hosting and background worker. Purpose: serve the app and run the Sophia pipeline.
5. How you can exercise your rights
You have the right, at any time, to:
- Confirm whether we are collecting, sharing, or selling your CHD (we do not sell it).
- Access the CHD we hold about you. Use Dashboard → Exports for a full machine-readable download.
- Delete your CHD. Close your account from Settings; we delete every row tied to your user_id within 30 days, across check-ins, journal, milestones, your paraphrased Sophia insights, child profiles, and the consent log itself. (Raw Sophia chat is not stored, so there is no transcript to delete.)
- Withdraw consent to AI processing at any time. Open the in-product consent panel (Settings → Sophia AI processing) or POST a DELETE to
/api/consent/chd. Withdrawal takes effect immediately on the next pipeline run; Sophia enters local-only mode and no journal text leaves Supabase. - Receive a copy of every consent record we hold for your account. Available on request — email [email protected].
We do not require you to create an account, log in, or pay a fee to exercise any of these rights. We respond within 45 days, in writing, in plain English.
6. How to appeal a denied rights request
If we deny any rights request in whole or in part — for example, if we cannot verify that you are the account holder — we will tell you why in writing.
To appeal, reply to that decision email or write to [email protected] with the word “Appeal” in the subject. A human (not Sophia) will re-review the request and respond within 45 days. If we still deny the appeal, we will provide you with a written explanation and information on how to contact the Washington Attorney General's Office (or the equivalent authority in your state) to file a complaint.
Washington residents may file a complaint directly with the Washington Attorney General at atg.wa.gov/file-complaint. Nevada residents may file with the Nevada Attorney General. Connecticut residents may file with the Connecticut Attorney General.
7. Effective date and revisions
This policy is effective May 26, 2026 and was last updated May 30, 2026.
If we materially change how we collect, share, or process consumer health data, we will (a) email every active account holder at least 30 days before the change takes effect, (b) post the revised policy at this URL with a new effective date, and (c) require fresh, affirmative consent before any new processing under the revised policy begins. Prior versions remain in our public git history indefinitely so you can audit what changed and when.
Questions
Email [email protected]. A human reads it.