AUTONOMIC HEALTH
Consumer Health Data Privacy Policy
Washington My Health My Data Act and Nevada SB370
Effective Date: November 4, 2024
Last Updated: May 1, 2026
This Consumer Health Data Privacy Policy describes how Autonomic Health, Inc. ("Autonomic Health," "we," "our," or "us") collects, uses, shares, and protects "consumer health data" as defined under the Washington My Health My Data Act, RCW 19.373 ("MHMDA"), the Nevada Consumer Health Data Privacy Law, NRS Chapter 603A as amended by SB370 ("Nevada CHDPL"), and similar state laws (collectively, "Consumer Health Data"). It applies to Consumer Health Data we collect about Washington residents, Washington consumers (including non-residents whose Consumer Health Data is collected in Washington), and Nevada consumers. This policy supplements our general Privacy Policy. To the extent there is a conflict between this policy and the general Privacy Policy with respect to Consumer Health Data, this policy controls.
- Categories of Consumer Health Data We Collect

  We collect the following categories of Consumer Health Data:

  - Biometric and physiological measurements derived from the ANS Testing Service and connected wearables, including heart rate variability, sympathetic and parasympathetic activity, respiration, and motion data.
  - Health conditions, symptoms, diagnoses, treatments, and medications you self-report to us, share with the Autonomic AI chatbot, or that a Clinician documents through the Clinician Portal.
  - Bodily functions, vital signs, and physical or mental health status.
  - Diagnoses or diagnostic testing, including ANS Test results.
  - Use, purchase, or search for health-related products or services.
  - Reproductive or sexual health information, where you choose to share it (for example, in postpartum, perimenopause, menopause, or fertility-focused programs).
  - Gender-affirming care information, where you choose to share it.
  - Any precise geolocation that could indicate an attempt to acquire or receive health services or supplies, only if you grant the App permission.
  - Any data that identifies a consumer seeking health services or supplies, derived or extrapolated from non-health information.
- Sources of Consumer Health Data

  - Directly from you when you register, place an order, complete intake forms, talk to Autonomic AI, or contact support.
  - From your devices when you connect a wearable, install the App, or visit the Site.
  - From Clinicians who interpret your ANS Test results and document care through the Clinician Portal.
  - From Partners that operate co-branded "Powered by Autonomic Health" experiences and share information with us under a written Partner Agreement and, where required, a Business Associate Agreement.
- Categories with Whom We Share Consumer Health Data

  - Clinicians on the Clinician Portal, with your direction or consent, to provide you Clinical Services.
  - Service providers and processors who perform services on our behalf under written contracts that limit their use of Consumer Health Data, including cloud hosting, analytics, communications, and payment processors.
  - Partners through which you access the Services, subject to a Partner Agreement and Business Associate Agreement where required.
  - Research collaborators, only on a de-identified or aggregated basis or with your separate opt-in consent.
  - Public authorities, where required to comply with law, respond to lawful requests, or protect rights, property, or safety.
  - Successor entities in connection with a merger, acquisition, financing, or sale of assets.

  We do not sell Consumer Health Data, and we will not sell Consumer Health Data without your separate, signed authorization that meets the requirements of RCW 19.373.040.
- Purposes for Collecting, Using, and Sharing Consumer Health Data

  We collect, use, and share Consumer Health Data only:

  - To provide a product or service that you have requested from us, including the ANS Testing Service, the App, the Site, and Clinical Services through the Clinician Portal.
  - To communicate with you about the Services, your test status, account, security, and policy changes.
  - To detect, investigate, and prevent fraud, abuse, security incidents, and other harmful or illegal activity.
  - To comply with our legal obligations and respond to lawful requests.
  - With your separate consent, for purposes beyond what is necessary to provide the Services, including marketing and identifiable research.
  - On a de-identified or aggregated basis, for research, product development, and AI model training as described in the general Privacy Policy.
- Consent

  Consistent with MHMDA, we will:

  - Obtain your opt-in consent before collecting Consumer Health Data for purposes that are not necessary to provide the product or service you have requested from us.
  - Obtain your separate opt-in consent before sharing Consumer Health Data, beyond sharing necessary to provide the product or service you have requested from us.
  - Obtain your signed, valid authorization that meets the requirements of RCW 19.373.040 before any sale of Consumer Health Data. We do not currently sell Consumer Health Data.

  Where we rely on the necessary-to-provide exception, we collect and use only the Consumer Health Data necessary to deliver the product or service.

  Each consent we request will be a clear, affirmative, freely given, specific, informed, unambiguous, opt-in act, distinct from this policy and from your acceptance of our Terms of Service. Each consent will describe the categories of data, purposes, categories of recipients, and how to withdraw consent.
- Geofencing Restrictions

  Consistent with RCW 19.373.080, we do not implement a geofence around any in-person healthcare facility for the purpose of identifying or tracking consumers seeking healthcare services, collecting Consumer Health Data from consumers in the geofenced area, or sending notifications, messages, or advertisements to consumers based on their entry into the geofenced area.
- Your Rights

  If you are a Washington or Nevada consumer, you have the following rights with respect to your Consumer Health Data:

  - Right to confirm and access. You can confirm whether we are collecting, sharing, or selling your Consumer Health Data and obtain a list of categories of data we have collected, third parties and affiliates with whom we have shared the data, and an active email address or other online mechanism that you may use to contact those third parties.
  - Right to delete. You can request that we delete your Consumer Health Data. We will honor the request and notify all affiliates, processors, contractors, and third parties to whom we have shared the data.
  - Right to withdraw consent. You can withdraw consent for collection or sharing of Consumer Health Data at any time. Withdrawal is prospective and does not affect prior processing.
  - Right to non-discrimination. We will not deny you our Services or charge a different price because you exercised your rights under this policy.
  - Right to appeal. If we deny your request, you can appeal by replying to our denial within forty-five (45) days; we will respond within forty-five (45) days of receipt of the appeal.

  7.1 How to Exercise Your Rights

  To exercise these rights, email privacy@autonomichealth.ai with the subject line "Consumer Health Data Request" and a description of the request. We will respond within forty-five (45) days, with one possible forty-five-day extension when reasonably necessary, in which case we will notify you of the extension and the reason for the delay. We may need to verify your identity using information already associated with your account before responding.

  7.2 Authorized Agents

  You can use an authorized agent to submit a request on your behalf. The agent must provide proof that you authorized them to act for you, and we may ask you to verify your identity directly.

  7.3 Complaints

  If you are unsatisfied with our response, you can file a complaint with the Washington State Attorney General at https://www.atg.wa.gov/file-complaint or, for Nevada residents, with the Nevada Attorney General at https://ag.nv.gov.
- De-Identified Data

  MHMDA does not apply to data that has been de-identified consistent with RCW 19.373.010(8). We de-identify Consumer Health Data using methods that meet either the HIPAA Safe Harbor standard (45 C.F.R. § 164.514(b)(2)) or the HIPAA Expert Determination standard (45 C.F.R. § 164.514(b)(1)), and we publicly commit not to attempt to re-identify the data. Once de-identified, the data is no longer Consumer Health Data and may be used as described in our general Privacy Policy, including for AI model training. You may opt out of having your information used in this way as described in the general Privacy Policy.
- Retention

  We retain Consumer Health Data only for as long as reasonably necessary to provide the product or service you have requested, comply with applicable law, defend potential claims, or fulfill another purpose for which you have given consent. Specific retention periods are described in the general Privacy Policy. De-identified data may be retained indefinitely as described in Section 8.
- Security

  We protect Consumer Health Data using administrative, technical, and physical safeguards reasonably designed to protect the data, including encryption in transit and at rest, role-based access controls, multi-factor authentication, vendor security review, and an incident response plan that includes breach notification consistent with applicable state law.
- Relationship to HIPAA

  Consumer Health Data does not include Protected Health Information governed by HIPAA, information used solely as part of the provision of healthcare by a healthcare provider, information collected and used in compliance with the HIPAA Security and Privacy Rules where the regulated entity is a covered entity or business associate, or de-identified information. Where data is governed by HIPAA, our HIPAA Notice of Privacy Practices and the relevant Business Associate Agreement apply rather than this policy.
- Changes to this Policy

  We may update this Consumer Health Data Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on the Site and the App and updating the Effective Date. We will obtain renewed opt-in consent where required by law before applying material changes to existing users.
- How to Contact Us

  Autonomic Health, Inc.
  Privacy: privacy@autonomichealth.ai
  Subject line: Consumer Health Data Request
  Website: https://www.autonomichealth.ai
END OF CONSUMER HEALTH DATA PRIVACY POLICY