Consumer Health Data Privacy Policy

This Consumer Health Data Privacy Policy describes how reThrive Labs LLC ("we," "us," "Freddy") collects, uses, shares, and protects "consumer health data" as that term is defined under the Washington My Health My Data Act (RCW 19.373) ("MHMDA"). It supplements our general Privacy Policy and our Terms of Service, both of which remain in effect. Where this policy and the general Privacy Policy address the same subject, the more protective provision applies to Washington consumers.

This policy is also intended to address comparable consumer health data provisions under Nevada's SB 370 and Connecticut's Senate Bill 3 for consumers in those states.

Categories of consumer health data we collect

We collect the following categories of consumer health data, all of which originate from health data sources that you elect to connect to Freddy:

• Biometric data: heart rate, heart-rate variability, blood oxygen saturation, body temperature, electrodermal activity, and other physiological measurements reported by your connected devices.
• Sleep data: sleep stages, sleep duration, sleep timing, sleep efficiency, and related metrics.
• Activity and exercise data: workouts, steps, distance, calories, training load, recovery metrics, and related physical-activity measurements.
• Body measurements: weight, body composition, height, and similar measurements where reported by a connected provider.
• Continuous glucose data: blood-glucose readings and trends from continuous glucose monitors, where you connect a CGM provider.
• Reproductive and cycle data: menstrual-cycle and related fertility data, where reported by a connected provider.
• Device-derived inferences: derived metrics computed by the connected provider (e.g., readiness scores, recovery scores, sleep scores) that we sync alongside the underlying measurements.
• Account identifiers: email address, the OAuth identifiers or API keys associated with your connected providers, and your Freddy account identifier — to the extent these are linked to the health data above and therefore constitute "consumer health data" under MHMDA's broad definition.

Sources of consumer health data

All consumer health data in Freddy is sourced from third-party providers that you connect to your Freddy account through OAuth or an API key you supply. We do not purchase consumer health data, we do not infer or derive it from non-health sources, and we do not collect it through pixels, cookies, or other passive tracking. The currently supported providers are listed in our Privacy Policy.

How we use consumer health data

We use consumer health data exclusively to operate the personal MCP endpoint you have signed up for:

• To sync data from the providers you have connected and store it under your account.
• To return that data to the AI client you have connected to your personal MCP URL, at your direction.
• To operate basic account functions such as authentication, audit logging of MCP requests, and billing for the optional PRO subscription.

We do not use consumer health data for marketing, advertising, behavioral targeting, profiling, automated decision-making, research, or model training. We do not derive consumer health data from non-health sources.

With whom we share consumer health data

We do not "sell" consumer health data, and we do not "share" consumer health data as those terms are defined under MHMDA (RCW 19.373.010(20), (22)). We will not sell or share consumer health data without first obtaining a valid authorization that complies with RCW 19.373.030.

We disclose consumer health data only to the limited set of service providers ("processors") that are strictly necessary to deliver the service, each of which is bound by contractual confidentiality obligations and processes the data only on our instructions:

• Railway — hosting and database infrastructure (United States). Stores the encrypted database.
• Stripe — payment processor for the optional PRO subscription (United States). Receives only billing-related data, not consumer health data.
• Resend — transactional email provider (United States). Receives email addresses and transactional message content; does not receive consumer health data.
• Sentry — application error monitoring (United States). Sentry receives crash stack traces and request URLs only; request bodies, breadcrumb payload data, and additional context attached to errors are filtered out before transmission. Sentry does not receive consumer health data.

We also transmit consumer health data, at your direction, to the AI client you have connected to your MCP URL. That client is acting as your agent, not as our processor or affiliate, and is governed by its own terms and privacy policy. You authorize that transmission by connecting the client and by issuing queries; you can withdraw that authorization at any time by disconnecting the client or deleting your Freddy account.

We do not share consumer health data with affiliates (we have none), advertisers, data brokers, or any third party other than as described above. If we receive a valid legal process compelling disclosure of consumer health data (such as a subpoena or court order), we will, where legally permitted and operationally feasible, notify you in advance so you can challenge the request.

Your rights under MHMDA

As a Washington consumer, you have the following rights with respect to your consumer health data:

• Right to confirm whether we are collecting, sharing, or selling your consumer health data, and to access that data.
• Right to a list of all third parties and affiliates with whom we have shared or sold your consumer health data. We do not sell or share consumer health data, so this list comprises only the processors named in the section above.
• Right to withdraw consent for the collection and sharing of your consumer health data.
• Right to deletion of your consumer health data from our records and from those of our processors.

You can exercise these rights at any time:

• Access: via your personal MCP endpoint, the dashboard data viewer, or the CSV export tool at your dashboard. You may also email privacy@freddy.coach for a formal Subject Access Request.
• Withdraw consent — per provider: disconnect the provider from your dashboard. All data synced from that provider is deleted immediately.
• Withdraw consent — account-wide: click Delete account from your dashboard. This action takes effect with one click + a confirmation prompt — the same level of effort as the consent click you made at signup — and permanently deletes your account record and all consumer health data within 30 days. We provide this as a one-action withdrawal mechanism to satisfy MHMDA's requirement (RCW 19.373.030) that consent withdrawal be at least as easy as consent.
• Subject access or other requests by email: contact privacy@freddy.coach. We respond within 45 days of receipt and may extend by an additional 45 days where reasonably necessary, with notice to you within the original 45-day window.

We will not discriminate against you for exercising any of these rights — there is no premium tier you lose access to, and no functional degradation other than the loss of data syncing from providers you have disconnected.

You can appeal a denial of any rights request by emailing privacy@freddy.coach with the subject line MHMDA appeal. We will respond to your appeal in writing, with reasons, within 45 days of receipt. If we deny your appeal, you may file a complaint with the Washington State Attorney General at atg.wa.gov/file-complaint.

How we obtain your consent

We collect consumer health data only after you have given separate, specific, freely given, unambiguous, opt-in consent — distinct from your acceptance of our general Terms of Service. At signup, you check a separate consent box authorizing Freddy to collect and process consumer health data from the providers you choose to connect. You then provide additional, specific consent by connecting each individual provider through that provider's own OAuth flow or by entering an API key. You can withdraw consent for any provider at any time by disconnecting it.

Users who created Freddy accounts before this policy's effective date gave their initial consent under our prior consent framework, which we treat as preserved here. If you would like to refresh your consent under this updated framework, please email privacy@freddy.coach.

Security and retention

Consumer health data is stored in a PostgreSQL database on infrastructure located in the United States. Provider credentials (OAuth tokens, API keys) and the contents of synced health metrics are encrypted at the application layer using AES-256-GCM before being written to the database. All connections use TLS. Your MCP endpoint is served only over HTTPS.

Consumer health data is retained for as long as the relevant provider is connected and your account is active. Disconnecting a provider deletes that provider's data immediately. Deleting your account deletes all consumer health data within 30 days.

Geofencing

Freddy does not implement, deploy, or use any geofence around any in-person healthcare facility, mental health facility, reproductive or sexual health facility, or other location where consumer health data might be inferred from a consumer's presence. We do not collect precise geolocation data of any kind.

Changes to this policy

If we materially change the categories of consumer health data we collect, the purposes for which we use it, or the categories of recipients with whom we share it, we will update this policy and notify affected consumers by email at the address associated with their account before the change takes effect.