California Privacy Disclosures (CCPA / CPRA) — MyHealth
Version (policy_version): 2.1
Effective: 2026-06-23
Who this is for. These disclosures supplement our Privacy Policy and apply to California residents ("consumers") whose personal information we process, as required by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the "CCPA"/"CPRA"), Cal. Civ. Code §§ 1798.100 et seq., and its implementing regulations (including the regulations on automated decisionmaking technology and risk assessments effective January 1, 2026). Where these disclosures and the general Privacy Policy differ, the more protective provision controls for California residents.
In short
- We do NOT sell your personal information, and we do NOT share it for cross-context behavioral advertising. We never have. Because of this, we are not required to — and do not — provide a "Do Not Sell or Share My Personal Information" link, but you still have the rights described below.
- We do not use sensitive personal information (including your health data) beyond the purposes of providing and securing the service you asked for, so the "limit the use of my sensitive personal information" link is not required of us; we honor a limitation request regardless.
- Our AI is an educational assistant with a human in the loop. It does not make decisions about you that produce legal or similarly significant effects — it organizes information and offers an educational reading that you review and confirm. It is not automated decisionmaking technology ("ADMT") used to make a "significant decision" within the meaning of the CCPA regulations.
- To exercise any right, contact our Data Protection Officer at dpo@bas-ai.com.
1. The business and how to reach us
The "business" responsible for your personal information is:
BAS AI — BAS ARTIFICIAL INTELLIGENCE LTDA
Tax ID (CNPJ): 64.106.409/0001-70
Website: www.bas-ai.com
Address: Rua Gomes de Carvalho, 911, Vila Olímpia, São Paulo/SP, ZIP 04547-003, Brazil
Data Protection Officer (DPO): Guilherme Bastian — dpo@bas-ai.com (see Section 9 for verification and timelines).
2. Categories of personal information we collect
The table below lists, for the preceding 12 months, the categories of personal information we collect (using the categories enumerated in Cal. Civ. Code § 1798.140(v) and § 1798.81.5), the sources, the business or commercial purposes for which we use each category, and the categories of third parties to whom we disclose it. We collect only what is necessary for the app to work (data minimization, § 1798.100(c)).
| CCPA category | What we collect | Source | Purpose | Disclosed to |
|---|---|---|---|---|
| A. Identifiers | Name (or display name), contact email, phone, and a national identification document (all stored encrypted in a separate identity vault using authenticated, field-level encryption, AES-256); account identifiers; device push token (delivery only) | You; your device | Create/maintain your account; authenticate you; deliver app notices; locate an account for support and billing | Supabase (hosting); Resend (transactional email); Apple (push/distribution) |
| B. Customer records (§ 1798.80(e)) | Name, contact data, and payment/transaction records tied to subscriptions and service usage (pages and prompts) | You; Apple (receipts) | Operate the account; process and account for purchases | Supabase; Apple |
| C. Protected-class characteristics | Biological sex and age (kept in your pseudonymized profile to interpret lab reference ranges) | You | Correctly interpret your health record (e.g., reference ranges) | Supabase; Anthropic (AI), which receives sex, age, country, and year of birth without day/month — never your direct identifiers |
| D. Commercial information | Subscription status, usage/quota balance and movements, AI-usage metadata (function, token counts) — no clinical content | You; your use of the app | Operate billing; prevent abuse; provide support | Supabase; Apple |
| F. Internet / electronic activity | App stability and diagnostics (crashes, errors, performance), no health content, no third-party trackers; access/audit log metadata (action, table, source IP — never clinical content) | Your device; our systems | Keep the app secure and working; security, fraud prevention, audit | Supabase (internal only) |
| G. Geolocation | Coarse only and optional: country, state/province, city (no precise location, no GPS, no full address) | You | Adapt the experience; regionalize, educationally, emergency and vaccination-schedule guidance (only country is sent to the AI) | Supabase; Anthropic (country only) |
| K. Inferences | The AI's educational reading derived from your record (conditions, alerts, insights); AI-assisted derived organizational data (active ingredients, vaccine/allergen normalization) — you review and confirm; not a diagnosis | Derived from data you provide | Build your health-record timeline; offer an educational, confirm-with-your-doctor reading | Anthropic (AI), without your direct identifiers |
| Sensitive PI — health (see Section 3) | Lab results/markers; conditions; medications; allergies; vaccines; appointments; vital signs and bioimpedance; symptoms; physical activity; documents/reports; family history; care team; emergency-card data; menstrual-cycle/reproductive data; device events (ECG classification — never the raw waveform); declared lifestyle habits; chat/notes to the extent they contain health data | You (entered or imported, incl. Apple Health / connected wearables) | Organize your own health record; with your consent, AI extraction and educational reading | Supabase (pseudonymized; PII in encrypted vault); Anthropic (AI), receiving a redacted copy with on-device best-effort redaction of printed identifiers |
Categories we do NOT collect: SSN, driver's license/state ID, financial account number with access code, account log-in with password to another account, precise geolocation, biometric information to uniquely identify you, contents of communications to which we are not a party, your phone contacts, or microphone audio. We do not receive your payment-card number (Apple processes purchases as merchant of record).
Retention. We do not keep personal information longer than reasonably necessary for the disclosed purpose (§ 1798.100(c)). Health record and identity vault: kept while your account exists; access/audit logs: 6 months (Marco Civil, Art. 15). By default, identity is erased on deletion; a transaction record is kept only where tax/accounting law requires it — see Section 7. Full table: Privacy Policy, Section 12.
3. Sensitive personal information (including health data)
Some of the data above is sensitive personal information under § 1798.140(ae) — most importantly, information concerning your health:
- Why we collect it: solely to provide the service you requested — organize your own health record and, only with your consent, run AI extraction and an educational reading.
- How we limit its use: only for the purposes permitted under § 1798.121 and § 7027 of the regulations — performing the requested service, security/integrity, short-term operational uses — and not to infer characteristics for any other purpose. We do not sell, share, or use it for advertising/profiling.
- Right to limit: because we already confine sensitive PI to permitted purposes, we are not required to post a "Limit the Use of My Sensitive Personal Information" link; we honor a limitation request anyway.
- Identity separation and on-device redaction before AI: AI runs only if you enable it. Your direct identifiers (name, national ID, contact email, phone) are held encrypted in a separate identity vault and are not sent to the AI as structured fields. When you ask the AI to read a document, the app applies, on your device, a best-effort redaction directed at those four identifiers of the account holder before sending; the redacted copy is what goes to the AI. This is best-effort, not de-identification — where the redaction runs and finds no match, or the vault is empty, the original document may be sent. The AI provider (Anthropic) operates under contract with Standard Contractual Clauses, does not train on your data, and retains it for a limited period (about 30 days).
4. Sale and sharing — we do neither
- We do NOT sell your personal information for money or other valuable consideration.
- We do NOT share it for cross-context behavioral advertising.
- We have not sold or shared personal information, including that of consumers under 16, in the preceding 12 months.
- We use no third-party advertising trackers or analytics SDKs. Diagnostics are internal and contain no health content.
Because we neither sell nor share, the law does not require a "Do Not Sell or Share" link, and we do not post one. Our processing vendors (Supabase, Anthropic, Resend) act as service providers / contractors under written agreements prohibiting them from selling/sharing your data or using it for their own purposes. Apple acts as an independent party for app distribution and as merchant of record for purchases.
5. Automated decisionmaking technology (ADMT) and AI risk assessment
- What our AI does. With your consent, it reads documents to extract and pre-fill records (which you confirm before saving) and produces an educational reading (conditions, alerts, insights).
- Human in the loop; no significant decision. You review and confirm output. The AI does not diagnose, prescribe, or decide anything about you; it has a non-significant effect — it does not determine access to or denial of health care, employment, credit, lending, housing, education, insurance, or any other "significant decision" (Cal. Code Regs. tit. 11, § 7001). It is therefore not ADMT used to make a significant decision. The AI also does not check drug interactions or contraindications, and does not cross-reference allergies against medications.
- Your right anyway. You may ask about the logic of the educational reading and request human review of any output you think is wrong — and you can correct it yourself in the app. Contact dpo@bas-ai.com.
- Risk assessment. We maintain a privacy risk assessment for sensitive (health) data processing and AI use, consistent with the CCPA risk-assessment regulations. It weighs benefits, risks, and safeguards (identity/clinical separation, encryption, on-device redaction, no-training contract, consent gates, human review). A summary is available from the DPO on request.
6. Your California privacy rights
Subject to CCPA exceptions, you have the right to:
- Know / access (§§ 1798.100, .110, .115) — view/export your full record in-app (FHIR R4 / PDF).
- Delete (§ 1798.105) — delete account/data in-app (Profile › Privacy › Delete my account); see Section 7.
- Correct (§ 1798.106) — edit most data directly.
- Limit use/disclosure of sensitive PI (§ 1798.121) — honored on request.
- Opt out of sale/sharing (§ 1798.120) — nothing to opt out of; right preserved if practices change.
- Non-discrimination (§ 1798.125) — no denial, different price, or degraded service for exercising a right; essentials work with or without AI enabled.
- Portability (§ 1798.100(d)) — in-app export (FHIR R4 / PDF).
Authorized agents may submit requests on your behalf with written authorization signed by you; we may verify your identity directly and ask the agent to demonstrate authority (§ 7063).
7. Deletion and our double-track retention model
On deletion we run a permanent cascade removal of your clinical record and files, revoke wearable connections, and close your account. We also delete the data of the dependent profiles you manage; alternatively, where a minor has a co-responsible guardian, you may transfer guardianship so the minor's profile continues with that co-guardian instead of being deleted. The default is to erase identity; retention is the exception, only where a concrete law requires it:
- Never transacted: we also erase name and contact email; no identity record survives. Minors' identity is always erased on deletion.
- Made a purchase: tax/accounting law may require a minimum transaction record; where indispensable, name/email are kept encrypted and isolated, and deleted at the end of the legally required period (in the United States, approximately 5 years; other jurisdictions differ). This is the legal-obligation exception under § 1798.105(d)(8), applied only to consumers who transacted.
- Always remains: access logs for their 6-month security window (released only on lawful request), and de-linked, pseudonymized consent records as proof of lawfulness (identity replaced via an HMAC keyed outside the database) — these are pseudonymized, not anonymous (cf. § 1798.140(m)).
- Backups are overwritten in the processor's normal cycle and in any event within 6 months.
California residents who also have Washington MHMDA rights are covered by our separate Consumer Health Data Privacy Policy, which applies the most protective deletion standard.
8. Minors
Self-registration is for 18+. We do not knowingly collect data from consumers under 16 and do not sell/share their data. A minor's data exists only as a guardian-managed profile with verifiable parental consent (COPPA where applicable); a minor's identity is never retained for a fiscal reason on deletion.
9. How to exercise your rights, and how we verify
- Submit to dpo@bas-ai.com; many rights are exercisable directly in-app.
- Verification: we verify identity by matching information you provide (to a reasonable-to-high degree for sensitive data); we will not require a new account to make a request.
- Timing: confirm receipt within 10 business days; respond within 45 calendar days (extendable +45 with notice) (§§ 7020–7021).
- No fee for most requests; manifestly unfounded/excessive requests may be charged or declined with explanation.
- Complaint: California Privacy Protection Agency (cppa.ca.gov) or California Attorney General (oag.ca.gov/privacy/ccpa).
10. "Shine the Light" (Cal. Civ. Code § 1798.83)
We do not disclose your personal information to third parties for those third parties' own direct-marketing purposes, and we offer choices through these disclosures and the Privacy Policy. We are therefore not required to maintain a Shine-the-Light process. Should this change, we will update this section and provide the required mechanism. Questions: dpo@bas-ai.com.
11. Notice of financial incentives
We do not offer financial incentives or price/service differences in exchange for collecting, selling, or retaining personal information (§ 1798.125(b)). The free usage allowance (courtesy pages and prompts) is a product feature for all users, not consideration for data.
12. Changes
We update these disclosures when practices or law change, revise the version/date, and — when material to California residents — provide notice. Published at https://www.bas-ai.com/myhealth/legal/us-california.
13. Contact
- Data Protection Officer (DPO): Guilherme Bastian — dpo@bas-ai.com
- Business: BAS ARTIFICIAL INTELLIGENCE LTDA (CNPJ 64.106.409/0001-70) — www.bas-ai.com — Rua Gomes de Carvalho, 911, Vila Olímpia, São Paulo/SP, ZIP 04547-003, Brazil
- General Privacy Policy: https://www.bas-ai.com/myhealth/legal/privacidade
- Subprocessors: https://www.bas-ai.com/myhealth/legal/subprocessadores
These California disclosures supplement, and should be read with, the MyHealth Privacy Policy. They describe practices in effect for California residents. Nothing here limits rights you have under other applicable law.