MyHealth — Washington Consumer Health Data Privacy Policy

Required by the Washington My Health My Data Act (MHMDA), RCW chapter 19.373 (RCW 19.373.020 / .030 / .040).

Version (policy_version): 2.1 · Effective: 2026-06-23
This is a standalone Consumer Health Data Privacy Policy. It supplements, and is read together with, our general Privacy Policy and our Subprocessors page. Where this policy and the general Privacy Policy differ for consumer health data covered by the MHMDA, this policy controls for that data.

1. Who this policy is for

This policy applies to "consumer health data" as defined by the Washington My Health My Data Act when it relates to a "consumer" under that Act — that is, a natural person who is a Washington State resident, or a natural person whose consumer health data is collected in Washington — and who is acting in an individual or household capacity (not in an employment context).

Under the MHMDA, consumer health data means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status — including health conditions, diagnoses, treatments, medications, vaccinations, bodily functions, vital signs, symptoms, diagnostic testing, reproductive or sexual health information, and any data that identifies a consumer seeking health care services.

Important position. Because MyHealth is a health application, we treat the fact that a person has a MyHealth account — and the identifiers tied to it (name and email) — as consumer health data when that person is a Washington consumer. This affects how we handle deletion (see Section 8).

This policy does not change rights you may have under our general Privacy Policy or under other laws.


2. Who we are

The entity responsible for the MyHealth app is:

BAS ARTIFICIAL INTELLIGENCE LTDA ("BAS AI", "MyHealth", "we", "us")
Tax ID (CNPJ): 64.106.409/0001-70
Address: Rua Gomes de Carvalho, 911, Vila Olímpia, São Paulo/SP, ZIP 04547-003, Brazil
Website: www.bas-ai.com

Data Protection Officer (Encarregado): Guilherme Bastian.

Privacy contact for consumer health data requests: dpo@bas-ai.com


3. The categories of consumer health data we collect

We collect only the consumer health data that you provide or authorize — there is no background or passive collection of health data. Depending on how you use MyHealth, the categories may include:

We do not collect precise geolocation, your phone contacts, or microphone data. We do not use third-party trackers or analytics SDKs that see health data.


4. How we collect consumer health data

We collect consumer health data only with your consent for a specified purpose, or as strictly necessary to provide the product or service you have requested (RCW 19.373.030). Our system only performs a given operation when the matching consent is active; this is enforced automatically on our server on every operation. You can turn a purpose off at any time.


5. Why we collect it (purposes) and how it is used

We use consumer health data to:

We do not use consumer health data for targeted advertising, and we do not use it to train AI models.


6. The categories of sources from which we collect consumer health data


7. Sharing: categories of consumer health data shared, and with whom

We do not sell consumer health data, and we do not seek any "valid authorization" to sell it (RCW 19.373.070 / .110). We do not share consumer health data for advertising, marketing, or behavioral targeting.

We share consumer health data only with a minimal set of processors ("vendors"), each under a binding data processing agreement that limits them to processing data on our documented instructions (RCW 19.373.060), and only as necessary to provide the service you requested or as you separately consent. We do not have corporate affiliates that receive your consumer health data.

Processor (third party): Supabase (Supabase, Inc.)
Role / purpose: Database, authentication, document storage, and server functions that run the app
Categories of consumer health data shared: Pseudonymized clinical data; account identifiers (name, contact email, phone, national document) held encrypted in a separate vault; uploaded documents; account metadata
Location: São Paulo, Brazil (sa-east-1)
Key safeguards: DPA in effect (signed 2026-06-18, includes EU Standard Contractual Clauses and safeguards); encryption in transit and at rest; additional authenticated field-level encryption (AES-256 via pgsodium) of vaulted identifiers; row-level isolation; daily backups (14-day retention)

Processor (third party): Anthropic, PBC (Claude API)
Role / purpose: AI analysis of your record, extraction of data from documents, and the chat assistant
Categories of consumer health data shared: Pseudonymized clinical content (values, dates, notes, lifestyle habits, cycle, wearable aggregates) plus your sex, age, country, and year of birth (without day/month); no direct identifiers and no emergency contacts. For document analysis, the redacted copy of the uploaded image/PDF, handled transiently
Location: United States (international transfer under SCC)
Key safeguards: Commercial Terms + Standard Contractual Clauses in effect (2026-06-17); contractual non-training (your data is not used to train or improve models); limited retention (as a rule ~30 days, then deleted); TLS

Processor (third party): Resend
Role / purpose: Sending transactional emails (one-time access codes and account notices)
Categories of consumer health data shared: No health content — only your email address and the email's text
Location: US / global
Key safeguards: DPA in effect (2026-06-17); EU-US Data Privacy Framework + SCC; TLS

On redaction before AI processing. Before clinical content is sent to Anthropic, we replace your direct identifiers with sex, age, country, and year of birth (without day/month), used only to regionalize educational guidance. For uploaded documents, the app attempts an on-device, best-effort redaction (covering) of four of your identifiers — name, national document (CPF), email, and phone — and the redacted copy is the one sent; the original file stays intact in your record. This redaction is best-effort and is not de-identification: it is directed only at your own four identifiers, and when the redaction process runs but finds nothing to cover (for example, because your identity vault is empty), the original may proceed to the AI. We do not represent that identifiers are guaranteed to be removed.

Apple processes your subscription and in-app purchases as merchant of record; no health content is in the payment flow. Apple Health, Oura, and WHOOP are sources you connect, not recipients — they do not receive data from your health record.


8. Your rights as a Washington consumer (RCW 19.373.040)

If you are a Washington consumer, you have the right to:

How deletion works in MyHealth. You can delete your account directly in the app, in Profile › Privacy › Delete my account. On confirmation we permanently remove, in cascade, your encrypted identity vault and all clinical data (exams, conditions, medications, vaccines, documents, measurements, history, appointments, AI conversations, sleep, wearable scores, device events, lifestyle habits, medication-intake and check-in logs), your uploaded files, your wearable connection data, and your AI usage/quota metadata — including the data of any dependents you manage — and we close your account. Where you manage a minor, deletion offers you the option to transfer guardianship of that minor to an existing co-guardian (so the minor's record survives with them) instead of deleting it.

For Washington consumers, we treat the identifiers tied to your health account (name and email) as consumer health data and delete them on your request. The only data that may be retained is a minimal tax/accounting record for a consumer who actually completed a purchase, kept encrypted and dissociated from the health-account context and held solely to meet a legal accounting obligation — this is not your consumer health data and is never used to infer your health status. Consumers who never transacted, and minors, have their identity deleted with the rest of the record.

What remains after deletion is limited to: (a) a de-linked, pseudonymized record of consent events (cryptographically dissociated from your identity), kept only to evidence that consent was given and withdrawn; and (b) security/access logs kept for a short period (up to six months) that record metadata of access (time, action, source IP) and never the clinical content — used only for security and fraud detection, never to infer your health status.


9. How to exercise your rights, and how to appeal

To make a request (confirm/access, delete, or withdraw consent), use either:

We take prompt steps to authenticate your request (to protect your data we may ask you to verify your identity or your control of the account). We respond within 45 days of receiving the request; if reasonably necessary, we may extend once by an additional 45 days and will tell you why within the first 45 days.

Authorized agents. You may use an authorized agent to make a request on your behalf; we may require proof of the agent's authority and verification of your identity.

Appeals. If we decline to act on your request, we will tell you why. You may appeal by replying to our decision or writing to dpo@bas-ai.com with the subject "Washington MHMDA appeal." We will respond to the appeal within a reasonable time and explain our decision. If your appeal is denied, you may contact the Washington State Office of the Attorney General (https://www.atg.wa.gov/file-complaint).


10. No sale; no targeted advertising

We do not sell consumer health data and do not seek valid authorization to sell it. We do not use consumer health data for targeted advertising, profiling for advertising, or sharing with data brokers. If this ever changes, we will update this policy and obtain any consent or authorization the law requires before doing so.


11. Geofencing

We do not use geofences around health care facilities, and we do not use precise location to identify or track consumers seeking health services (RCW 19.373.090).


12. Security

We protect consumer health data with encryption in transit and at rest, authenticated field-level encryption (AES-256 via pgsodium) of the identifiers held in a separate vault, strict row-level isolation between accounts, server-side enforcement of consent on every operation, and access controls with security/access logging. No method of transmission or storage is perfectly secure, but we maintain technical and organizational measures appropriate to the sensitivity of health data.


13. Changes to this policy

We will not collect, use, or share categories of consumer health data not described here, or use consumer health data for purposes not described here, without first updating this policy and, where required, obtaining your affirmative consent. Material changes will be posted here with a new version and effective date. A link to this policy is published prominently on our homepage.


14. Contact