Consumer Health Data Privacy

This Consumer Health Data Privacy Policy explains how Daylogue LLC collects, uses, shares, and protects consumer health data under the Washington My Health My Data Act (RCW 19.373), Nevada SB 370 (NRS Chapter 629), and Connecticut SB 3. It is published separately from our general Privacy Policy as required by those laws. To the extent there is any conflict between this policy and our Privacy Policy, this policy controls for consumer health data.

• Check-in entries (text and voice transcripts)
• Mood, energy, and stress self-ratings
• AI-generated wellness narratives, summaries, and pattern outputs
• Sleep data and other voluntarily connected health signals
• Inferences derived from any of the above

We collect consumer health data only when you provide it directly through a check-in, journal entry, voice session, or connected integration you authorize. We do not buy, license, or otherwise acquire consumer health data from data brokers.

• To provide check-ins, narratives, and pattern features.
• To run AI inference on AWS Bedrock under a zero-retention contract.
• To transcribe voice through Deepgram under a zero-retention contract. We do not retain audio.
• To generate de-identified, aggregated participation and theme metrics for organization-context dashboards (administrators never see individual entries, transcripts, or numeric mood scores).

We do not use consumer health data for advertising, profiling for advertising, or to train any AI model.

• We do not sell consumer health data.
• We do not share it with data brokers.
• We do not use geofencing around any in-person health-care facility, mental-health-care facility, or reproductive- or sexual-health facility for any purpose, including advertising, identification, or notification.

Only sub-processors that are bound by written confidentiality and security obligations and process data on our instructions: Supabase (database), AWS Bedrock (AI inference, zero retention), Deepgram (voice-to-text, zero retention), Resend (transactional email), Stripe (payments), and Vercel (hosting). The full list is at /trust#subprocessors.

• Access — request a copy of the consumer health data we hold about you.
• Deletion — request deletion of your consumer health data, including from any subprocessor.
• Withdraw consent — revoke any consent you gave to collection, processing, or sharing, at any time, with effect for the future.
• Appeal — if we decline a request, you may appeal in writing; we will respond within 45 days.
• Authorized agent — Washington residents may designate an authorized agent to make a request on their behalf.

To exercise these rights, email privacy@daylogue.io or use the in-app data request flow at Settings → Data & Privacy.

Consumer health data is retained for as long as your account is active. On account deletion, active records are removed immediately and backups are purged within 30 days. Voice audio is never persisted; transcripts are encrypted at rest until you delete them or the account.

AES-256 at rest, TLS 1.3 in transit, AES-256-GCM client-side encryption for journal vault entries, role-based access control, audit logging, and encryption-key management aligned to NIST SP 800-57. Full detail at /trust.

Daylogue LLC, Privacy Officer
privacy@daylogue.io

Washington residents may also contact the Washington State Attorney General. Nevada residents may contact the Nevada Attorney General. Connecticut residents may contact the Connecticut Attorney General.

Daylogue is not therapy and is not a replacement for professional mental health care.