Consumer Health Data Privacy Policy

Last updated: April 2026

Scope: This notice applies to Gudea users who are residents of Washington state (covered by the My Health My Data Act) and, by extension, users in other states with similar consumer health data laws (Nevada, Connecticut). It is in addition to our general Privacy Policy.

1. Categories of Consumer Health Data We Collect

Gudea is a consumer fitness and nutrition app. We collect the following categories of Consumer Health Data, all of which you enter or grant access to:

Biometric measurements — weight, body fat percentage, body measurements, heart rate, resting heart rate, blood oxygen, respiratory rate
Physical activity — workouts, steps, distance, active calories, flights climbed, workout history
Sleep — duration, quality, stages (REM, deep, light), bedtime and wake times
Nutrition & food intake — food entries, meals, macronutrients, micronutrients, calorie intake, serving sizes
Symptoms and bodily reactions — digestive symptoms, flares, food sensitivities, mood, energy, stress ratings
Medications and supplements — names, dosages, schedules, adherence
Reproductive or menstrual health — cycle entries (only if you use this feature)
Glucose readings — only if you manually enter them or sync from a connected CGM
Medical conditions you disclose — free-text notes about diagnoses for AI coach context
Coach chat & notes — messages you send to the AI coach and persistent preferences you save
Images — photos of supplement or nutrition labels you capture (processed, not retained)

2. Sources of the Data

Directly from you, when you log entries in the app
From Apple HealthKit or Google Health Connect, with your device-level permission
Derived on-device from other entries you made (e.g. a rolling nutrient deficiency pattern)

3. Categories of Purposes

We use Consumer Health Data only to:

Provide core app features (tracking, charts, history, alerts)
Generate AI coaching responses, daily reports, and plan suggestions (only when AI Coach Processing is enabled)
Identify patterns you’ve asked to see (nutrient deficiencies, food-symptom links, ultra-processed food trends)
Send reminders you’ve configured (medications, supplements, workouts, meals)
Sync across your own devices, if you enable Cloud Backup

We do not use Consumer Health Data for advertising, profiling for ad targeting, or any purpose unrelated to the feature you used it for.

4. Categories We Share

We share Consumer Health Data only with the following processors, each acting under contract to provide Gudea’s functionality:

Anthropic PBC (USA) — a relevant subset of your data (see Privacy Policy) is sent for AI coach features when enabled. Anthropic does not train on API inputs.
Google Firebase (USA) — Cloud Functions relay between your phone and Anthropic; optional Cloud Firestore if you enable Cloud Backup.
Google Analytics for Firebase (USA) — anonymous event counts only, no health-data payloads, only if you opt in.

We do not share or sell Consumer Health Data with any party outside this list.

5. Sale of Consumer Health Data

Gudea does not sell Consumer Health Data. We have never sold it and do not plan to.

6. Your Rights

Under Washington’s My Health My Data Act (and similar laws in other states), you have the right to:

Withdraw consent — in Settings → Privacy & Data, toggle off AI Coach Processing, Analytics, Cloud Backup, or any other processing. Effect is immediate.
Confirm whether we are collecting, sharing, or selling your data — we’ve confirmed in Section 4 that we collect and share with the listed processors, and in Section 5 that we do not sell.
Access a list of the categories of data we hold about you — this document lists every category. For an itemized export, use Settings → Export My Data.
Delete your data — use Settings → Delete All Data for a one-tap wipe of every local Hive box AND the server copies under users/{uid}/data/*, including chat history, coach notes, and all health entries. For total account erasure (Firebase Auth record, community attribution), use Settings → Delete My Account. For any additional deletion not covered in-app, email gudeasupport@gmail.com.
Appeal a denied request — we will respond within 45 days. If we deny, appeal by replying to our response. If we deny the appeal, you can contact the Washington Attorney General’s office.

7. How to Exercise Your Rights

Most rights are exercisable directly in the app at Settings → Privacy & Data. For anything not covered by in-app controls, email gudeasupport@gmail.com. We do not require account creation to exercise these rights — if you’re an anonymous user, include enough detail for us to locate the relevant server logs.

We respond within 45 days. If we need more time, we’ll notify you and extend by up to 45 additional days.

8. Security

On-device data is stored in Hive boxes in Gudea’s private app storage, which iOS and Android sandbox from other apps. API traffic uses HTTPS with certificate validation. Firebase and Anthropic encrypt data at rest and in transit. We will notify you of any confirmed breach affecting your Consumer Health Data within 72 hours.

9. Changes

We’ll update the “Last updated” date at the top and show an in-app notice for material changes.

10. Contact

Questions, requests, or appeals regarding Consumer Health Data?

Email: gudeasupport@gmail.com
Physical: VeloVault LLC, c/o Northwest Registered Agent Service, Inc., 2501 Chatham Rd Ste N, Springfield, IL 62704-4188