Healthia Privacy Policy
At a glance. Healthia is an AI companion app supporting older adults with daily health and conversation. This policy explains what we collect, with whom we share it, and how you can exercise your rights. We do not sell or share your personal information for advertising.
1. Who we are
Healthia ("we", "us") provides this service and acts as the Controller of personal information described in this policy.
Contact: privacy@healthia.app
2. Information we collect
We collect the following categories (CCPA §1798.140(v)):
| Category | Examples |
|---|---|
| Identifiers | Phone, email, device IDs, push tokens |
| Personal information (Cal. Civ. Code §1798.80) | Display name, birth year |
| Internet / electronic activity | App usage logs, feature timestamps, crash reports |
| Geolocation (optional) | City / district level only — no precise coordinates |
| Audio / visual (optional) | Microphone signal (real-time only, not stored) |
| Health information | Meal / medication logs, photos (optional), self-reported symptoms and emotion |
| Inferences | Personality, interests, and mood inferred from conversation |
3. Sources
- Information you provide (signup, consent, conversation, photo upload)
- Device-generated information (device IDs, push tokens)
- Information your linked family provides via the family app
- Outputs from third-party services (e.g., Vertex AI responses)
4. Purposes of use
- AI companion conversation and memory of your context
- Text-to-speech for natural voice responses
- Daily plans, meal / medication reminders, and lifestyle support
- Family guidance (optional) — short summaries to enable family care
- Video identity verification (optional) — recover account with family if phone is lost
- Legal compliance, fraud prevention, and security auditing
5. Service providers
We share information only with the following providers under confidentiality and purpose-limited agreements.
| Recipient | Data sent | Purpose |
|---|---|---|
| Google Vertex AI (Gemini) | Display name, birth year, recent conversation, learned facts | Conversation understanding and response. Enterprise terms — not used for model training. |
| Google Vertex AI Live | Voice PCM (streaming) | Real-time voice conversation. No recordings retained. |
| Google Cloud Text-to-Speech | Response text | Voice synthesis. Your voice is not sent. |
| Zoom Video SDK | Video / audio stream | Family identity verification call. BAA in place. |
| Apple Push / Google FCM | Push tokens, notification payloads | Notification delivery. |
| Supabase (infrastructure) | Subset of the above for storage | Service operation. BAA in place. |
6. Do Not Sell or Share notice
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. No opt-out is required because the protection applies automatically. (CCPA §1798.120 / CPRA)
7. Sensitive Personal Information
SPI under CPRA includes health information, audio signals, and precise geolocation (which we do not collect). We do not use SPI beyond service delivery and the purposes you have explicitly consented to. You may restrict SPI use via the in-app Consent history screen. (CPRA §1798.121 — Right to Limit Use of SPI)
8. Retention
- Active retention while your account is in use. After 24 months of inactivity, we will notify you and deactivate the account.
- Account deletion request: all data removed within 30 days (consent ledger preserved as legal evidence for statutory periods).
- Consent withdrawal: related data removed within 30 days (WMHMDA).
- Legal hold periods take precedence where applicable.
9. Your rights
Depending on your residency, you have the rights below. We grant the same rights to all users regardless of location.
9.1 Rights granted to all users
- Right to Know. Request a copy of the information we hold about you.
- Right to Delete. Request deletion of your information.
- Right to Correct. Request correction of inaccurate information.
- Right to Portability. Receive your information in a machine-readable format (JSON / CSV).
- Right to Limit SPI. Restrict use of health / voice / location data.
- Opt-out of Sale / Share. We do not sell or share — applies automatically.
- Opt-out of Automated Decision-Making. Request exclusion from AI-based profiling (CPRA Reg 2025).
- Non-discrimination. No penalty for exercising your rights.
- Right to Appeal. Appeal denied requests within 60 days (VCDPA / CPA / CTDPA).
- Authorized Agent. A trusted family member may submit requests on your behalf (CCPA §1798.135).
9.2 How to exercise
- In-app: Settings → My information rights
- Email: privacy@healthia.app
- Processing time: within 45 days of receipt (one 45-day extension where permitted). WMHMDA-driven consent deletions: 30 days.
10. Consumer Health Data (WA MHMDA · NV SB370 · CT)
This section is the Consumer Health Data Privacy Policy required by Washington's My Health My Data Act and analogous laws. "Consumer Health Data" includes information related to physical or mental health status, medications, diagnoses, treatments, precise location, and inferences thereof.
10.1 Categories collected
- Meal and medication records and photos
- Inferred physical / emotional state from conversation
- Pill bottle and prescription photos (if uploaded)
- Voice signals (real-time processing, not stored)
10.2 Sources
- Your direct input
- Microphone input (optional consent)
- Photo uploads (optional consent)
10.3 Purposes
- Daily health support (meal / medication / mood)
- Family guidance summaries (optional)
10.4 Third parties
Same as section 5. No advertising sharing.
10.5 Withdrawal and deletion
You can withdraw consent per item in the in-app Consent history screen. Upon withdrawal, related Consumer Health Data is deleted within 30 days, including downstream processor copies.
10.6 No geofencing
We do not use geofencing around healthcare facilities for data collection or advertising. (WMHMDA RCW 19.373.030)
10.7 No sale (opt-in)
We never sell Consumer Health Data, and we do not share it without separate opt-in consent.
11. Biometric notice (Illinois BIPA)
We use voice only for speech-to-text. We do not generate, store, or use voiceprints (biometric identifiers). Raw audio is discarded immediately after conversion.
Illinois residents are protected under 740 ILCS 14 (BIPA), which includes written consent and retention policy rights. Voice features will not activate if you decline the related consent.
12. Children
The service is intended for users 18+. If an account belonging to a user under 13 is discovered, we will immediately deactivate it and delete the data (COPPA 16 CFR Part 312). We do not engage in targeted advertising to users under 16 (MD MODPA).
13. Security
We implement reasonable technical and administrative safeguards (encryption in transit and at rest, access control, audits) consistent with the NY SHIELD Act and industry standards. No system is absolutely secure.
14. International transfers
The service operates in multiple countries including the United States. Information may be transferred internationally; in such cases the higher of local law or this policy applies.
15. Changes to this policy
We give notice of material changes in-app and by email at least 7 days before the effective date. Significant scope changes require renewed consent.
16. Contact
- Privacy contact: privacy@healthia.app
- Rights requests: privacy@healthia.app (subject line: [Rights Request])
- Mail: (address to be added upon business registration)