California Privacy Disclosures (CCPA / CPRA) — MyHealth

Version (policy_version): 2.1
Effective: 2026-06-23

Who this is for. These disclosures supplement our Privacy Policy and apply to California residents ("consumers") whose personal information we process, as required by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the "CCPA"/"CPRA"), Cal. Civ. Code §§ 1798.100 et seq., and its implementing regulations (including the regulations on automated decisionmaking technology and risk assessments effective January 1, 2026). Where these disclosures and the general Privacy Policy differ, the more protective provision controls for California residents.

In short


1. The business and how to reach us

The "business" responsible for your personal information is:

BAS AI — BAS ARTIFICIAL INTELLIGENCE LTDA
Tax ID (CNPJ): 64.106.409/0001-70
Website: www.bas-ai.com
Address: Rua Gomes de Carvalho, 911, Vila Olímpia, São Paulo/SP, ZIP 04547-003, Brazil

Data Protection Officer (DPO): Guilherme Bastian — dpo@bas-ai.com (see Section 9 for verification and timelines).


2. Categories of personal information we collect

The table below lists, for the preceding 12 months, the categories of personal information we collect (using the categories enumerated in Cal. Civ. Code § 1798.140(v) and § 1798.81.5), the sources, the business or commercial purposes for which we use each category, and the categories of third parties to whom we disclose it. We collect only what is necessary for the app to work (data minimization, § 1798.100(c)).

| CCPA category | What we collect | Source | Purpose | Disclosed to |
|---|---|---|---|---|
| A. Identifiers | Name (or display name), contact email, phone, and a national identification document (all stored encrypted in a separate identity vault using authenticated, field-level encryption, AES-256); account identifiers; device push token (delivery only) | You; your device | Create/maintain your account; authenticate you; deliver app notices; locate an account for support and billing | Supabase (hosting); Resend (transactional email); Apple (push/distribution) |
| B. Customer records (§ 1798.80(e)) | Name, contact data, and payment/transaction records tied to subscriptions and service usage (pages and prompts) | You; Apple (receipts) | Operate the account; process and account for purchases | Supabase; Apple |
| C. Protected-class characteristics | Biological sex and age (kept in your pseudonymized profile to interpret lab reference ranges) | You | Correctly interpret your health record (e.g., reference ranges) | Supabase; Anthropic (AI), which receives sex, age, country, and year of birth without day/month — never your direct identifiers |
| D. Commercial information | Subscription status, usage/quota balance and movements, AI-usage metadata (function, token counts) — no clinical content | You; your use of the app | Operate billing; prevent abuse; provide support | Supabase; Apple |
| F. Internet / electronic activity | App stability and diagnostics (crashes, errors, performance), no health content, no third-party trackers; access/audit log metadata (action, table, source IP — never clinical content) | Your device; our systems | Keep the app secure and working; security, fraud prevention, audit | Supabase (internal only) |
| G. Geolocation | Coarse only and optional: country, state/province, city (no precise location, no GPS, no full address) | You | Adapt the experience; regionalize, educationally, emergency and vaccination-schedule guidance (only country is sent to the AI) | Supabase; Anthropic (country only) |
| K. Inferences | The AI's educational reading derived from your record (conditions, alerts, insights); AI-assisted derived organizational data (active ingredients, vaccine/allergen normalization) — you review and confirm; not a diagnosis | Derived from data you provide | Build your health-record timeline; offer an educational, confirm-with-your-doctor reading | Anthropic (AI), without your direct identifiers |
| Sensitive PI — health (see Section 3) | Lab results/markers; conditions; medications; allergies; vaccines; appointments; vital signs and bioimpedance; symptoms; physical activity; documents/reports; family history; care team; emergency-card data; menstrual-cycle/reproductive data; device events (ECG classification — never the raw waveform); declared lifestyle habits; chat/notes to the extent they contain health data | You (entered or imported, incl. Apple Health / connected wearables) | Organize your own health record; with your consent, AI extraction and educational reading | Supabase (pseudonymized; PII in encrypted vault); Anthropic (AI), receiving a redacted copy with on-device best-effort redaction of printed identifiers |

Categories we do NOT collect: SSN, driver's license/state ID, financial account number with access code, account log-in with password to another account, precise geolocation, biometric information to uniquely identify you, contents of communications to which we are not a party, your phone contacts, or microphone audio. We do not receive your payment-card number (Apple processes purchases as merchant of record).

Retention. We do not keep personal information longer than reasonably necessary for the disclosed purpose (§ 1798.100(c)). Health record and identity vault: kept while your account exists; access/audit logs: 6 months (Marco Civil, Art. 15). By default, identity is erased on deletion; a transaction record is kept only where tax/accounting law requires it — see Section 7. Full table: Privacy Policy, Section 12.

3. Sensitive personal information (including health data)

Some of the data above is sensitive personal information under § 1798.140(ae) — most importantly, information concerning your health:


4. Sale and sharing — we do neither

Because we neither sell nor share, the law does not require a "Do Not Sell or Share" link, and we do not post one. Our processing vendors (Supabase, Anthropic, Resend) act as service providers / contractors under written agreements prohibiting them from selling/sharing your data or using it for their own purposes. Apple acts as an independent party for app distribution and as merchant of record for purchases.


5. Automated decisionmaking technology (ADMT) and AI risk assessment


6. Your California privacy rights

Subject to CCPA exceptions, you have the right to:

  1. Know / access (§§ 1798.100, .110, .115) — view/export your full record in-app (FHIR R4 / PDF).
  2. Delete (§ 1798.105) — delete account/data in-app (Profile › Privacy › Delete my account); see Section 7.
  3. Correct (§ 1798.106) — edit most data directly.
  4. Limit use/disclosure of sensitive PI (§ 1798.121) — honored on request.
  5. Opt out of sale/sharing (§ 1798.120) — nothing to opt out of; right preserved if practices change.
  6. Non-discrimination (§ 1798.125) — no denial, different price, or degraded service for exercising a right; essentials work with or without AI enabled.
  7. Portability (§ 1798.100(d)) — in-app export (FHIR R4 / PDF).

Authorized agents may submit requests on your behalf with written authorization signed by you; we may verify your identity directly and ask the agent to demonstrate authority (§ 7063).


7. Deletion and our double-track retention model

On deletion we run a permanent cascade removal of your clinical record and files, revoke wearable connections, and close your account. We also delete the data of the dependent profiles you manage; alternatively, where a minor has a co-responsible guardian, you may transfer guardianship so the minor's profile continues with that co-guardian instead of being deleted. The default is to erase identity; retention is the exception, only where a concrete law requires it:

California residents who also have Washington MHMDA rights are covered by our separate Consumer Health Data Privacy Policy, which applies the most protective deletion standard.

8. Minors

Self-registration is for 18+. We do not knowingly collect data from consumers under 16 and do not sell/share their data. A minor's data exists only as a guardian-managed profile with verifiable parental consent (COPPA where applicable); a minor's identity is never retained for a fiscal reason on deletion.


9. How to exercise your rights, and how we verify


10. "Shine the Light" (Cal. Civ. Code § 1798.83)

We do not disclose your personal information to third parties for those third parties' own direct-marketing purposes, and we offer choices through these disclosures and the Privacy Policy. We are therefore not required to maintain a Shine-the-Light process. Should this change, we will update this section and provide the required mechanism. Questions: dpo@bas-ai.com.


11. Notice of financial incentives

We do not offer financial incentives or price/service differences in exchange for collecting, selling, or retaining personal information (§ 1798.125(b)). The free usage allowance (courtesy pages and prompts) is a product feature for all users, not consideration for data.


12. Changes

We update these disclosures when practices or law change, revise the version/date, and — when material to California residents — provide notice. Published at https://www.bas-ai.com/myhealth/legal/us-california.


13. Contact


These California disclosures supplement, and should be read with, the MyHealth Privacy Policy. They describe practices in effect for California residents. Nothing here limits rights you have under other applicable law.