Updated Date: Oct 8, 2025, 12:00 AM
Privacy Policy
1. Introduction and Scope
This Privacy Policy describes how the operators of AskSally Terminal and A1C Insights (collectively referred to as "we", "us", or "our") collect, use, disclose, and protect your personal information when you access and use our mobile and web applications, A1C Insights and AskSally Terminal (the "Apps"), and the related services, features, and content we provide (collectively, the "Services").
Our company is registered in Singapore, and our Services are designed for and offered to users worldwide. We recognize the importance of protecting your personal information, particularly health-related data, which is among the most sensitive types of personal information. This Privacy Policy has been developed to ensure compliance with a comprehensive range of international data protection and privacy regulations, including but not limited to:
Singapore's Personal Data Protection Act 2012 (PDPA) [1]
The European Union's General Data Protection Regulation (GDPR) [2]
The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) [3]
Washington State's My Health My Data Act (MHMDA) [4]
Nevada's Consumer Health Data Privacy Law [4]
The Federal Trade Commission Act (FTC Act) [5]
The FTC Health Breach Notification Rule [6]
Other applicable international, federal, state, and local privacy laws
By creating an account, accessing, or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this policy, you must not access or use our Services. Your use of our Services is also governed by our Terms and Conditions, which are incorporated by reference into this Privacy Policy.
Critical Medical Disclaimer
Our Apps are wellness and educational tools designed to help you track, understand, and manage your metabolic health based on data you provide. The Apps are not medical devices and have not been evaluated or approved by the Singapore Health Sciences Authority (HSA), the U.S. Food and Drug Administration (FDA), or any other regulatory authority. The Apps are not intended to diagnose, treat, cure, or prevent any disease or medical condition. All information, insights, and recommendations provided by the Apps are for informational and educational purposes only and must not be considered a substitute for professional medical advice, diagnosis, or treatment. You should always consult with a qualified healthcare provider regarding any medical questions, concerns, or decisions, including before making any changes to medication, diet, or exercise based on information from the Apps. In the event of a medical emergency, contact your local emergency services immediately.
2. Key Definitions
To ensure clarity and transparency throughout this Privacy Policy, the following terms are defined as they are used herein:
| Term | Definition |
|------|------------|
| Personal Data | Any information, whether true or not, about an individual who can be identified from that information, or from that information combined with other information to which we have or are likely to have access. This includes identifiers such as name, email address, and IP address. |
| Health Data | A subset of Personal Data that relates to the physical or mental health of an individual, including the provision of health care services, and which reveals information about their health status. Under GDPR, this is classified as a Special Category of Personal Data requiring heightened protection. Under CCPA/CPRA, this is Sensitive Personal Information. |
| Biomarker Data | Health-related data points you voluntarily provide to the Apps, such as blood glucose levels, heart rate, weight, blood pressure, and other metabolic or physiological indicators. |
| Lab Results | Medical laboratory test results that you manually enter or upload to the Apps, including but not limited to HbA1c levels, lipid panels, and other diagnostic test outcomes. |
| User Content | Any data, text, information, notes, feedback, or other materials you submit, upload, or otherwise provide to the Apps. |
| Processing | Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction. |
| Data Controller | The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this Privacy Policy, we are the Data Controller of your Personal Data. |
| Data Processor | A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller. Our third-party service providers act as Data Processors. |
| Explicit Consent | A freely given, specific, informed, and unambiguous indication of your wishes by which you, through a clear affirmative action, signify agreement to the Processing of Personal Data relating to you. For Health Data, this consent must be explicit and cannot be implied. |
| Breach of Security | Unauthorized acquisition, access, use, or disclosure of unsecured personal health information that compromises the security or privacy of such information. |
3. Information We Collect
We collect several categories of information from and about users of our Services. The collection of this information is essential for providing, maintaining, and improving our Services.
3.1. Information You Provide Directly to Us
The following table outlines the types of information you actively provide when you use our Services:
| Data Category | Description | Examples | Legal Classification |
|---------------|-------------|----------|----------------------|
| Account Information | Information required to create and maintain your user account. | Full name, email address, password, date of birth, country of residence. | Personal Data |
| Health & Wellness Data | Health-related information you voluntarily enter or upload to track your metabolic health. This is the core data used to provide our Services. | Biomarker Data (blood glucose, heart rate, weight, blood pressure), Lab Results (HbA1c, cholesterol levels), medication information, dietary logs, exercise data. | Sensitive Personal Data / Special Category Data / Sensitive Personal Information |
| User Content | Any additional information or content you choose to provide. | Notes about your health, feedback about the Apps, communications with our support team, survey responses. | Personal Data (may include Health Data) |
3.2. Information We Collect Automatically
When you access and use our Services, we automatically collect certain information about your device and usage patterns:
| Data Category | Description | Examples |
|---------------|-------------|----------|
| Usage Data | Information about your interaction with the Apps and Services. | Features accessed, pages viewed, time spent on pages, navigation paths, frequency of use, actions taken within the Apps. |
| Device Information | Technical information about the device you use to access our Services. | IP address, device type and model, operating system and version, browser type and version, unique device identifiers, mobile network information. |
| Log Data | Information automatically recorded by our servers when you use the Services. | Date and time of access, error logs, crash reports, performance data. |
3.3. Information from Other Sources
We do not currently collect information about you from third-party sources. If this changes in the future, we will update this Privacy Policy and notify you accordingly.
4. How We Use Your Information
We process your Personal Data only for specific, explicit, and legitimate purposes. We will not process your data in a manner that is incompatible with these purposes. The table below outlines our purposes for processing, the categories of data used, and the legal bases we rely upon under applicable data protection laws.
| Purpose of Processing | Categories of Data Used | Legal Basis (GDPR) | Legal Basis (PDPA) | Legal Basis (CCPA/CPRA) |
|-----------------------|-------------------------|--------------------|--------------------|-------------------------|
| Providing Core Services: To deliver the personalized metabolic health analysis, educational insights, and recommendations that form the core functionality of the Apps. | Account Information, Health & Wellness Data, User Content | Explicit Consent (for Health Data) and Contractual Necessity (to perform the contract with you) | Consent | Contractual Necessity and Consent |
| Service Improvement and Development: To analyze usage patterns, identify bugs, and develop new features to enhance user experience. | Usage Data, Device Information, De-identified and Aggregated Health Data | Legitimate Interests (improving our Services and user experience) | Legitimate Interests | Business Purpose |
| Communication: To send you administrative messages, service updates, security alerts, and respond to your inquiries. | Account Information, User Content | Legitimate Interests (maintaining our relationship with you) and Contractual Necessity | Legitimate Interests | Business Purpose |
| Research and Development: To conduct research to advance scientific understanding of metabolic health, improve algorithms, and contribute to public health knowledge. We use only de-identified and aggregated data for this purpose unless we obtain your separate explicit consent. | Aggregated and De-identified Data (or identifiable data with separate explicit consent) | Legitimate Interests (for de-identified data) or Explicit Consent (for identifiable data) | Legitimate Interests (for de-identified data) or Consent (for identifiable data) | Business Purpose (for de-identified data) or Consent (for identifiable data) |
| Security and Fraud Prevention: To verify accounts, detect and prevent fraud, abuse, and security incidents, and protect the rights and safety of our users and the public. | Account Information, Usage Data, Device Information | Legitimate Interests (ensuring security) and Legal Obligation | Legitimate Interests and Legal Obligation | Business Purpose and Legal Obligation |
| Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests. | Any relevant Personal Data | Legal Obligation | Legal Obligation | Legal Obligation |
5. Data Sharing and Disclosure
We understand the sensitive nature of your Health Data and are committed to maintaining your trust. We do not sell your Personal Data to third parties. We may share your information only in the following limited circumstances:
5.1. With Service Providers (Data Processors)
We engage carefully selected third-party service providers to perform functions on our behalf. These service providers may have access to your Personal Data only to the extent necessary to perform their designated functions and are contractually obligated to:
Process your data only in accordance with our documented instructions
Implement appropriate technical and organizational security measures
Not use your data for their own purposes
Maintain confidentiality
Delete or return your data upon termination of services
Examples of service providers include cloud hosting providers, data analytics services, customer support platforms, and email communication services.
5.2. For Legal Reasons and Protection
We may disclose your Personal Data if we believe in good faith that such disclosure is necessary to:
Comply with applicable laws, regulations, legal processes, or enforceable governmental requests
Enforce our Terms and Conditions, including investigation of potential violations
Detect, prevent, or otherwise address fraud, security, or technical issues
Protect against harm to the rights, property, or safety of our company, our users, or the public as required or permitted by law
5.3. In Aggregated or De-identified Form
We may share aggregated statistical data or de-identified information that cannot reasonably be used to identify you. This information may be used for research, statistical analysis, business intelligence, marketing, and other legitimate business purposes. De-identified data is not considered Personal Data under most data protection laws.
5.4. Business Transfers
In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your Personal Data may be transferred to a successor entity. We will notify you via email and/or a prominent notice in the Apps before your Personal Data is transferred and becomes subject to a different privacy policy.
5.5. With Your Explicit Consent
We may share your Personal Data with other third parties when we have obtained your explicit consent to do so for a specific purpose.
6. International Data Transfers
As a Singapore-registered company offering Services to users worldwide, your Personal Data may be transferred to, stored, and processed in Singapore or other countries where we or our service providers operate. These countries may have data protection laws that differ from those in your country of residence.
When we transfer Personal Data from the European Economic Area (EEA), United Kingdom, Switzerland, or other jurisdictions with comprehensive data protection laws to countries that have not been recognized as providing an adequate level of data protection, we implement appropriate safeguards to ensure your data remains protected. These safeguards include:
Standard Contractual Clauses (SCCs): We use Standard Contractual Clauses approved by the European Commission [5] and other relevant authorities. These are standardized contractual terms that ensure the transferred data receives a level of protection consistent with EEA data protection law.
Adequacy Decisions: Where applicable, we may rely on adequacy decisions issued by the European Commission or other relevant authorities recognizing certain countries as providing adequate data protection.
Your Explicit Consent: In certain circumstances, we may seek your explicit consent for the transfer of your data to a third country.
For more information about the safeguards we use for international data transfers, please contact us using the information provided in the "Contact Us" section.
7. Your Data Protection Rights
We respect and uphold your rights concerning your Personal Data. Depending on your jurisdiction and the applicable data protection laws, you may have the following rights:
7.1. Universal Rights (Available to All Users)
| Right | Description | How to Exercise |
|-------|-------------|-----------------|
| Right to Access | You have the right to request and receive a copy of the Personal Data we hold about you. | Contact us using the information in the "Contact Us" section. We will provide the information within the timeframe required by applicable law (typically 30 days). |
| Right to Rectification (Correction) | You have the right to request that we correct any inaccurate or incomplete Personal Data. | You can update certain information directly in your account settings, or contact us for assistance. |
| Right to Erasure (Deletion) | You have the right to request the deletion of your Personal Data, subject to certain legal and contractual obligations. | You may delete your account through the Apps or contact us. We will delete your data in accordance with our retention policies and legal obligations. |
| Right to Withdraw Consent | Where we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time. | You can withdraw consent by closing your account or contacting us. Withdrawal will not affect the lawfulness of processing based on consent before withdrawal. |
7.2. Additional Rights for EEA, UK, and Swiss Residents (GDPR)
In addition to the universal rights above, if you are located in the EEA, UK, or Switzerland, you have the following additional rights under GDPR:
| Right | Description |
|-------|-------------|
| Right to Data Portability | You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit it to another data controller without hindrance. |
| Right to Object | You have the right to object to processing of your Personal Data based on legitimate interests or for direct marketing purposes. |
| Right to Restrict Processing | You have the right to request the restriction of processing of your Personal Data in certain circumstances, such as when you contest the accuracy of the data. |
| Right to Lodge a Complaint | You have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. |
7.3. Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the CCPA and CPRA:
| Right | Description |
|-------|-------------|
| Right to Know | You have the right to request information about the categories and specific pieces of Personal Information we have collected, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share Personal Information. |
| Right to Delete | You have the right to request deletion of your Personal Information, subject to certain exceptions. |
| Right to Opt-Out of Sale | You have the right to opt-out of the "sale" of your Personal Information. We do not sell your Personal Information. |
| Right to Non-Discrimination | You have the right not to receive discriminatory treatment for exercising your CCPA/CPRA rights. |
| Right to Limit Use of Sensitive Personal Information | You have the right to limit the use and disclosure of your Sensitive Personal Information (which includes Health Data) to purposes necessary to provide the Services you requested. |
7.4. Rights for Washington State Residents (MHMDA)
If you are a Washington State resident, you have specific rights under the My Health My Data Act regarding your consumer health data, including the right to confirm collection, access third-party recipients, withdraw consent, and request deletion.
7.5. How We Respond to Your Requests
We are committed to facilitating the exercise of your rights. When you submit a request, we will:
Verify your identity to protect your Personal Data from unauthorized access
Respond within the timeframe required by applicable law (typically 30 days, which may be extended by an additional 30 days in complex cases)
Provide the requested information or action free of charge for the first request, though we may charge a reasonable fee for subsequent repetitive or manifestly unfounded requests
Inform you if we cannot comply with your request and explain the reasons
8. Data Security
Protecting your Personal Data, particularly your sensitive Health Data, is of paramount importance to us. We have implemented and maintain appropriate technical, physical, and organizational security measures designed to protect your Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure.
8.1. Security Measures
Our security measures include, but are not limited to:
Encryption: We use industry-standard encryption protocols (such as TLS/SSL) to protect data in transit between your device and our servers. Data at rest is also encrypted using strong encryption algorithms.
Access Controls: Access to Personal Data is restricted to authorized employees, contractors, and service providers who have a legitimate need to access the data to perform their duties. Access is granted on a need-to-know basis and is protected by authentication mechanisms.
Security Monitoring: We employ monitoring systems to detect and respond to security incidents, unauthorized access attempts, and anomalous activity.
Regular Security Assessments: We conduct regular security audits, vulnerability assessments, and penetration testing to identify and remediate potential security weaknesses.
Incident Response Plan: We maintain an incident response plan to ensure prompt and effective response to any data breach or security incident.
Vendor Security: We require our service providers to implement appropriate security measures and conduct due diligence to assess their security practices.
8.2. Your Responsibility
While we implement robust security measures, the security of your Personal Data also depends on you. You are responsible for:
Maintaining the confidentiality of your account password and not sharing it with others
Using a strong, unique password for your account
Logging out of your account when you finish using the Apps, especially on shared devices
Notifying us immediately if you suspect any unauthorized access to your account
Keeping your device's operating system and security software up to date
8.3. Limitations
Despite our best efforts, no method of transmission over the Internet and no method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities in accordance with applicable law.
9. Data Retention
We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, resolve disputes, and enforce our agreements.
9.1. Retention Criteria
The criteria we use to determine retention periods include:
Service Provision: We retain your data for as long as your account is active and you continue to use our Services.
Legal Obligations: We may be required to retain certain data for specific periods to comply with legal, tax, accounting, or regulatory requirements.
Legitimate Interests: We may retain data for a reasonable period to protect our legal rights, such as in the event of disputes or litigation.
9.2. Account Closure and Data Deletion
When you close your account or request deletion of your Personal Data:
We will delete or anonymize your Personal Data within a reasonable timeframe (typically within 30 to 90 days), unless we are required or permitted by law to retain it for a longer period.
Some information may be retained in our backup systems for a limited period before being permanently deleted.
De-identified and aggregated data that cannot be used to identify you may be retained indefinitely for research and analytical purposes.
10. Breach Notification
10.1. Our Commitment
We take the security of your information seriously and have implemented measures to prevent breaches. However, in the unlikely event of a breach of security involving your Personal Data, we are committed to transparency and will comply with all applicable breach notification requirements.
10.2. Notification Under GDPR
For users in the EEA, UK, or Switzerland, if a breach is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach. We will also notify the relevant supervisory authority as required by GDPR [2].
10.3. Notification Under FTC Health Breach Notification Rule
As our Apps are not covered by HIPAA, we are subject to the FTC Health Breach Notification Rule [6]. In the event of a breach of security involving unsecured personally identifiable health information, we will:
Notify Affected Individuals: Provide notice to each individual whose information was breached without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The notice will include:
A description of what happened
The types of information involved
Steps we are taking to investigate and mitigate harm
What you can do to protect yourself
Contact information for questions
Notify the FTC: If the breach involves 500 or more individuals, we will notify the Federal Trade Commission at the same time we notify affected individuals.
Media Notice: If the breach involves 500 or more residents of a state or jurisdiction, we will provide notice to prominent media outlets serving that state or jurisdiction.
10.4. Notification Under Other Laws
We will also comply with breach notification requirements under PDPA, CCPA/CPRA, MHMDA, and other applicable laws, which may have different thresholds and timeframes.
10.5. What Constitutes a Breach
Under the FTC Health Breach Notification Rule, a "breach of security" means:
Unauthorized acquisition of personally identifiable health information
Unauthorized access to such information
Unauthorized use or disclosure of such information
This includes both external attacks (such as hacking) and internal incidents (such as unauthorized employee access).
11. Data Retention
We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, resolve disputes, and enforce our agreements.
11.1. Retention Criteria
The criteria we use to determine retention periods include:
Service Provision: We retain your data for as long as your account is active and you continue to use our Services.
Legal Obligations: We may be required to retain certain data for specific periods to comply with legal, tax, accounting, or regulatory requirements (typically 3-7 years depending on the jurisdiction and type of data).
Legitimate Interests: We may retain data for a reasonable period to protect our legal rights, such as in the event of disputes or litigation.
User Requests: We will delete data upon your request, subject to legal retention requirements.
11.2. Specific Retention Periods
| Data Category | Retention Period |
|---------------|------------------|
| Account Information | Duration of account plus 30 days after account closure (unless longer retention required by law) |
| Health & Wellness Data | Duration of account plus 30 days after account closure (unless longer retention required by law) |
| Usage and Log Data | 12-24 months, unless required for security investigations or legal compliance |
| De-identified/Aggregated Data | Indefinitely (as it cannot identify you) |
| Backup Data | Up to 90 days in backup systems before permanent deletion |
11.3. Account Closure and Data Deletion
When you close your account or request deletion of your Personal Data:
We will delete or anonymize your Personal Data within 30 days of your request, unless we are required or permitted by law to retain it for a longer period.
Some information may be retained in our backup systems for up to 90 days before being permanently deleted.
De-identified and aggregated data that cannot be used to identify you may be retained indefinitely for research and analytical purposes.
We may retain certain information as necessary to comply with legal obligations, resolve disputes, enforce our agreements, or as otherwise permitted by law.
12. Children's Privacy
Our Services are not intended for, marketed to, or directed at individuals under the age of 18 years. We do not knowingly collect, use, or disclose Personal Data from children under 18. By using our Services, you represent and warrant that you are at least 18 years of age or have reached the age of legal majority in your jurisdiction.
If we become aware that we have inadvertently collected Personal Data from a child under 18 without proper parental consent, we will take immediate steps to delete such information from our systems. If you believe that we may have collected information from a child under 18, please contact us immediately using the information provided in the "Contact Us" section, and we will investigate and take appropriate action.
13. Cookies and Tracking Technologies
We may use cookies, web beacons, pixels, and similar tracking technologies to collect information about your use of our Services and to enhance your user experience.
13.1. What Are Cookies?
Cookies are small text files that are placed on your device when you visit a website or use an application. They allow the application to recognize your device and remember certain information about your preferences or past actions.
13.2. Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|-------------|---------|----------|
| Essential Cookies | Necessary for the operation of the Services, such as authentication and security. Without these cookies, the Services cannot function properly. | Session or short-term |
| Functional Cookies | Enable enhanced functionality and personalization, such as remembering your preferences and settings. | Persistent (typically 1-12 months) |
| Analytics Cookies | Help us understand how users interact with the Services, allowing us to improve functionality and user experience. These cookies collect information in aggregate form. | Persistent (typically 12-24 months) |
13.3. Managing Cookies
You can manage your cookie preferences through your browser or device settings. Most browsers allow you to refuse cookies or to alert you when cookies are being sent. However, if you disable cookies, some features of the Services may not function properly.
For more detailed information about the cookies we use and how to manage them, please refer to our separate Cookie Policy, which is available within the Apps.
13.4. Third-Party Cookies
We may use third-party analytics services (such as Google Analytics) that use cookies to collect information about your use of the Services. These third parties have their own privacy policies governing their use of information. We do not control these third-party cookies and encourage you to review the privacy policies of these third parties.
13.5. Do Not Track Signals
Some browsers have a "Do Not Track" feature that lets you tell websites that you do not want to have your online activities tracked. We currently do not respond to "Do Not Track" signals, as there is no universally accepted standard for how to respond to such signals. However, you can manage cookies and tracking through your browser settings as described above.
14. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by us. This Privacy Policy applies only to our Services. We are not responsible for the privacy practices or content of third-party services.
When you click on a link to a third-party service, you will be subject to that third party's privacy policy and terms of service. We encourage you to read the privacy policies of any third-party services you visit or use. We do not endorse, screen, or approve third-party services, and we are not responsible for their privacy practices or content.
15. Changes to This Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes, we will update the "Last Updated" date at the top of this policy.
15.1. Notification of Material Changes
If we make material changes that significantly affect your rights or how we process your Personal Data, we will provide you with prominent notice prior to the changes taking effect. This notice may be provided through:
Email notification to the address associated with your account
A prominent notice within the Apps
A notification when you next access the Services
We will provide such notice at least 30 days before the new policy takes effect, giving you the opportunity to review the changes and decide whether to continue using the Services.
15.2. Your Continued Use
Your continued use of the Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the revised policy, you must stop using the Services and may close your account. If you close your account due to a material change in the Privacy Policy, we will delete your Personal Data in accordance with Section 11 (Data Retention).
15.3. Reviewing Changes
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. You can always find the most current version of this policy on our website or within the Apps.
16. Contact Us
We are committed to addressing your questions, concerns, and requests regarding this Privacy Policy and our data practices. If you wish to exercise your data protection rights, have questions about how we process your Personal Data, or wish to file a complaint, please contact us using the following channels:
For A1C Insights Users:
Support Portal: https://a1c.canny.io/insight-user-support
For AskSally Terminal Users:
Feedback Portal: https://asksally.xyz/feedback
General Privacy Inquiries:
When contacting us about privacy matters, please include:
Your full name and email address associated with your account
A detailed description of your request or concern
Any relevant supporting documentation
We will make every effort to respond to your request within the timeframe required by applicable law (typically 30 days, which may be extended by an additional 30 days for complex requests).
17. Supervisory Authority and Dispute Resolution
17.1. For EEA, UK, and Swiss Residents
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the right to lodge a complaint with a data protection supervisory authority if you believe that our processing of your Personal Data violates applicable data protection law. You may lodge a complaint in the Member State of your habitual residence, your place of work, or the place where the alleged infringement occurred.
A list of supervisory authorities in the EEA is available at: https://edpb.europa.eu/about-edpb/board/members_en
For the UK, the supervisory authority is the Information Commissioner's Office (ICO): https://ico.org.uk/
17.2. For California Residents
California residents may contact the California Attorney General's office regarding privacy concerns or complaints:
Website: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
Phone: (916) 210-6276
17.3. For Washington State Residents
Washington State residents may contact the Washington State Attorney General's office:
Phone: (800) 551-4636
17.4. For Singapore Residents
Singapore residents may contact the Personal Data Protection Commission (PDPC):
Website: https://www.pdpc.gov.sg/
Email: [email protected]
17.5. FTC Complaints
For matters related to the FTC Act or FTC Health Breach Notification Rule, you may file a complaint with the Federal Trade Commission:
Website: https://reportfraud.ftc.gov/
Phone: 1-877-FTC-HELP (1-877-382-4357)
17.6. Dispute Resolution
For all users, we encourage you to contact us first so that we can attempt to resolve any concerns directly. If we are unable to resolve your concern, you may have the right to pursue dispute resolution through arbitration or the courts as set forth in our Terms and Conditions.
18. Compliance Summary
This Privacy Policy is designed to comply with the following major data protection frameworks and regulations:
Jurisdiction/Law and Key Compliance Elements:
Singapore PDPA: Consent, purpose limitation, notification, access and correction, protection, retention limitation, transfer limitation, accountability
EU GDPR: Lawfulness of processing, special category data protections, data subject rights, data protection by design and by default, international transfers with safeguards, breach notification within 72 hours
California CCPA/CPRA: Consumer rights (know, delete, opt-out), sensitive personal information protections, non-discrimination, privacy policy disclosures, right to limit use of sensitive personal information
Washington MHMDA: Consumer health data consent requirements, authorization for sale, geofencing prohibition (not applicable to our apps), consumer rights (confirm, access, withdraw, delete)
Nevada Health Data Law: Consent, privacy notice, restricted access, authorization for sale/sharing, security measures, geofencing restriction (not applicable to our apps)
FTC Act: Reasonable privacy and security practices, truthful representations, protection against unfair or deceptive practices
FTC Health Breach Notification Rule: Notification to affected individuals within 60 days, notification to FTC (if 500+ affected), media notification (if 500+ in a state), breach definition includes unauthorized acquisition, access, use, or disclosure
18.1. Why HIPAA Does Not Apply
Important Notice: Our Apps are NOT covered by HIPAA because:
We are not a health plan, healthcare provider, or healthcare clearinghouse (i.e., not a HIPAA "covered entity")
We do not receive health information directly from HIPAA covered entities
We do not provide services to HIPAA covered entities that would make us a "business associate"
Our Apps are offered directly to consumers who voluntarily enter their own health information
The Apps are wellness tools, not medical devices
As stated by the U.S. Department of Health and Human Services (HHS): "The HIPAA Rules do not apply to health information maintained by anyone who isn't a covered entity or business associate. For example, the HIPAA Rules likely wouldn't apply to consumer health information maintained in an app that isn't offered by a HIPAA covered entity or its business associate, even if the health information originated from a covered entity or business associate." [7]
Our Apps are offered directly to consumers who voluntarily enter their own health information, and we do not receive health information from or provide services to HIPAA covered entities.
18.2. Applicable Laws Provide Comprehensive Protection
While HIPAA does not apply, the combination of PDPA, GDPR, CCPA/CPRA, MHMDA, Nevada Health Data Law, FTC Act, and FTC Health Breach Notification Rule provides comprehensive protection for your personal and health information that is equal to or exceeds HIPAA protections in many respects.
19. Acknowledgment and Consent
By creating an account and using our Services, you acknowledge that:
You have read and understood this Privacy Policy
You consent to the collection, use, and disclosure of your Personal Data as described in this Privacy Policy
For users providing Health Data, you provide explicit consent for the processing of your Health Data for the purposes described in this Privacy Policy
You understand that you can withdraw your consent at any time by closing your account or contacting us
You understand that HIPAA does not apply to our Apps, but that your information is protected by other comprehensive privacy laws
You are at least 18 years of age or have reached the age of legal majority in your jurisdiction
You have the authority to provide the Personal Data you submit to the Apps
References
[1] Personal Data Protection Commission Singapore. (2023). Advisory Guidelines for the Healthcare Sector. Retrieved from https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/advisory-guidelines-for-the-healthcare-sector-sep-2023.pdf
[2] European Parliament and Council of the European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). Retrieved from https://gdpr-info.eu/
[3] State of California Department of Justice. California Consumer Privacy Act (CCPA). Retrieved from https://oag.ca.gov/privacy/ccpa
[4] Securiti. (2023). Healthcare Privacy Laws & Regulations Around the World. Retrieved from https://securiti.ai/healthcare-privacy-laws/
[5] Federal Trade Commission. Federal Trade Commission Act. Retrieved from https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act
[6] Federal Trade Commission. (2024). Health Breach Notification Rule. Retrieved from https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule
[7] U.S. Department of Health and Human Services. (2022). HIPAA & Health Apps. Retrieved from https://www.hhs.gov/hipaa/for-professionals/special-topics/health-apps/index.html