Health Privacy
Consumer Health Data Privacy Policy
Required disclosures under the Washington My Health My Data Act (RCW 19.373), Nevada SB 370, Connecticut SB 3, and California's CMIA (as extended by AB 352). Effective May 25, 2026. Last updated May 25, 2026.
Scope of this policy
This policy covers consumer health data (“CHD”) as defined by RCW 19.373 — personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status, including inferences derived from any information you provide to HealthBrew. It applies in addition to (not instead of) our general Privacy Policy.
HealthBrew is not a HIPAA-covered entity and Sophia is not a medical device. The protections below are offered voluntarily under state consumer-health-data law, not under HIPAA.
1. Categories of consumer health data we collect
From you, when you choose to enter it into the product:
- Self-reported mood, stress, mental clarity, and human-connection scores (1–10 scales, nightly).
- Self-reported physical signals: energy score, movement minutes, nutrition quality, sleep hours, sleep quality, wake time.
- Free-text journal entries, including a daily one-sentence reflection, gratitude text, forgiveness text, “best moment today,” and tomorrow's intention.
- Pain or symptom notes you choose to write into the symptoms field.
- Substance-use flag (a single boolean you toggle if a substance was a factor that day).
- Ingredients you log (named consumables — coffee, alcohol, sugar, etc.).
- Day color (green / yellow / red) — your self-assessed summary.
- Child profile data (if you choose to add one): nickname, age range, the five-item nightly ritual, and a free-text “what made you smile.” We do not collect a child's legal name, weight, BMI, calorie counts, or any biometric data.
- AI-derived inferences: Sophia generates reflections, pattern observations, and a daily plan from your check-in. These outputs are treated as CHD even though they are model-produced.
2. Categories of sources from which we collect
- Directly from you, through the in-product Close-the-Day form, the journal, the milestones feature, and Sophia chat.
- Operational metadata generated by your device: IP address (rotating, used for rate-limiting), browser type, the timestamps of your sessions, and your stated timezone.
- From LemonSqueezy, our payment processor — subscription status only. We do not see or receive your card number.
- From Sophia (our AI processor): model-generated inferences over data you provided. The model itself does not introduce outside data.
We do not purchase consumer health data from data brokers, ad networks, social platforms, or any third party.
3. Categories of consumer health data we share
We share consumer health data only with the processors strictly necessary to run the Service, and only in the minimum amount needed:
- With Anthropic (Claude API): your recent check-in fields and recent journal text, sent at the moment Sophia generates a reflection. We send the substance, not your name or email. Anthropic does not train models on data sent via its API per its API terms.
- With Supabase: the database of record — every row you write to HealthBrew is stored on Supabase infrastructure under our project.
- With Render: our hosting provider for the web app and the background worker that runs the Sophia pipeline. Data passes through Render only in transit.
- With Resend: when we send you a transactional email (welcome, reminder, password reset). The email body may contain a generic reminder but never contains your journal text.
- With LemonSqueezy: subscription metadata only; no health data.
We do not share, sell, lease, or rent consumer health data to advertisers, data brokers, insurers, employers, or any party not listed above. We have never received a request from law enforcement; if we do, we will require a valid subpoena or warrant and will notify the affected user unless legally prohibited.
4. List of third parties with which CHD is shared
- Anthropic, PBC — AI processing (Claude API). Purpose: generate Sophia's reflections and the daily plan.
- Supabase, Inc. — Postgres hosting and authentication. Purpose: durable storage of your account and check-ins.
- Resend, Inc. — Transactional email delivery. Purpose: account email (welcome, reminder, password reset).
- LemonSqueezy (Stripe subsidiary) — Payment processing. Purpose: subscription billing.
- Render, Inc. — Web hosting and background worker. Purpose: serve the app and run the Sophia pipeline.
5. How you can exercise your rights
You have the right, at any time, to:
- Confirm whether we are collecting, sharing, or selling your CHD (we do not sell it).
- Access the CHD we hold about you. Use Dashboard → Exports for a full machine-readable download.
- Delete your CHD. Close your account from Settings; we delete every row associated with your user_id within 30 days, cascade-deleted from check-ins, journal, milestones, Sophia conversations, child profiles, and the consent log itself.
- Withdraw consent to AI processing at any time. Open the in-product consent panel (Settings → Sophia AI processing) or send a DELETE request to /api/consent/chd. Withdrawal takes effect immediately on the next pipeline run; Sophia enters local-only mode and no journal text leaves Supabase.
- Receive a copy of every consent record we hold for your account. Available on request — email [email protected].
We do not require you to create an account, log in, or pay a fee to exercise any of these rights. We respond within 45 days, in writing, in plain English.
6. How to appeal a denied rights request
If we deny any rights request in whole or in part — for example, if we cannot verify that you are the account holder — we will tell you why in writing.
To appeal, reply to that decision email or write to [email protected] with the word “Appeal” in the subject. A human (not Sophia) will re-review the request and respond within 45 days. If we still deny the appeal, we will provide you with a written explanation and information on how to contact the Washington Attorney General's Office (or the equivalent authority in your state) to file a complaint.
Washington residents may file a complaint directly with the Washington Attorney General at atg.wa.gov/file-complaint. Nevada residents may file with the Nevada Attorney General. Connecticut residents may file with the Connecticut Attorney General.
7. Effective date and revisions
This policy is effective May 25, 2026 and was last updated May 25, 2026.
If we materially change how we collect, share, or process consumer health data, we will (a) email every active account holder at least 30 days before the change takes effect, (b) post the revised policy at this URL with a new effective date, and (c) require fresh, affirmative consent before any new processing under the revised policy begins. Prior versions remain in our public git history indefinitely so you can audit what changed and when.
Questions
Email [email protected]. A human reads it.