MHMDA · RCW 19.373
Consumer Health Data Privacy Policy
Effective Date: [SET AT DEPLOY] · Last Updated: [SET AT DEPLOY]
This Consumer Health Data Privacy Policy is provided by ExomeDNA, Inc. (“ExomeDNA,” “we,” “our,” “us”) in compliance with the Washington My Health My Data Act, Chapter 19.373 RCW (“MHMDA”). It describes our practices regarding consumer health data of Washington residents and individuals whose consumer health data is collected in Washington.
This policy applies in addition to our general Privacy Policy. Where the two address the same subject, this policy controls for consumer health data of Washington consumers.
ExomeDNA is intended for adults 18 and older and is not for anyone under 18. We do not knowingly collect consumer health data or genetic data from anyone under 18.
1. Categories of Consumer Health Data We Collect
We collect the following categories of consumer health data:
- Genetic data uploaded by the consumer in the form of a raw DNA data file previously obtained from a third-party consumer DNA testing service (such as 23andMe or AncestryDNA).
- Derived genetic trait results computed from that file, including polygenic risk scores, percentile rankings, trait categories, and confidence ratings.
- Pre-generated educational summaries describing what published research suggests about each trait.
- Identifying information linked to the above, including email address, name, and unique account identifier.
The raw DNA data file is processed transiently and discarded after scoring — never stored, logged, or retained. It is not saved to a database or shared with any third party. Derived results and identifying information are retained until the consumer requests deletion or deletes their account.
2. Sources of Consumer Health Data
We collect consumer health data from the following sources:
- Directly from the consumer (the uploaded DNA file and account registration information).
- Generated by ExomeDNA through analysis of the uploaded file (the derived trait results and educational summaries).
We do not purchase, license, or otherwise acquire consumer health data from data brokers or third-party aggregators.
3. Purposes for Which We Collect, Use, and Process Consumer Health Data
We collect, use, and process consumer health data for the following purposes:
- To analyze the uploaded DNA file against published genome-wide association studies and generate the personalized educational trait report the consumer has requested.
- To display those trait results to the consumer in their account.
- To provide responses through the AI Health Coach feature, when the consumer has separately authorized such processing.
- To enable consumer rights features, including data access, export, deletion, and consent management.
- To operate the service securely, including authentication, audit logging, and fraud prevention.
- To send product communications, only when the consumer has separately authorized such communications.
Each purpose listed above corresponds to a separate consent or service-necessity determination at the time of data collection. We do not use consumer health data for any purpose not listed above without first obtaining new consent.
4. Categories of Consumer Health Data Shared, and Categories of Third Parties
We share consumer health data only as described below. We do not sell consumer health data.
| Category of consumer health data shared | Recipient | Purpose |
|---|---|---|
| Trait-level data (trait names, scores, percentiles, confidence ratings, educational summaries) | Anthropic, PBC (AI service provider) | To generate AI Health Coach responses, only with the consumer's separate authorization |
| Account and derived results data | Supabase Inc. (database hosting) | To operate the service the consumer has requested |
| Account and derived results data | Vercel Inc. (application hosting) | To operate the service the consumer has requested |
| Account and derived results data | Render Services, Inc. (backend processing) | To operate the service the consumer has requested |
We do not share with the AI service provider any of the following: raw DNA file contents, gene names, rsID identifiers, genotype values, or personally identifying information. This restriction is enforced at the application architecture level.
5. Specific Affiliates Receiving Consumer Health Data
ExomeDNA does not currently have any affiliates as defined by the MHMDA. Consumer health data is not shared with any affiliate.
If this changes, this policy will be updated to identify each affiliate by company name before any sharing occurs, and the consumer's renewed consent will be obtained where required.
6. Specific Third Parties (Non-Affiliates) Receiving Consumer Health Data
The following specific third parties may receive consumer health data as processors or as recipients with the consumer's authorization:
- Anthropic, PBC — AI service provider (Claude language model). Receives derived trait-level data only (never raw DNA, genotype values, gene names, or rsIDs), and only when the consumer has separately authorized AI Health Coach use. Anthropic does not train on this data and retains AI request data only for a limited period (up to 30 days) for trust and safety.
- Supabase Inc. — database hosting and authentication infrastructure. Acts as a processor.
- Vercel Inc. — application hosting infrastructure. Acts as a processor.
- Render Services, Inc. — backend processing infrastructure. Acts as a processor.
The consumer may request the contact information for any of the above by contacting privacy@exomedna.com.
7. Consumer Health Data We Do Not Sell, Use for Advertising, or Share With Data Brokers
We do not sell consumer health data. “Sale” has the meaning given in the MHMDA. We have not sold consumer health data in the past, do not currently sell consumer health data, and have no current plans to sell consumer health data. If this changes, we will obtain a separate signed authorization from the consumer before any sale, as required by the MHMDA.
We do not use consumer health data for targeted advertising. We do not deliver any advertising — first-party or third-party — based on consumer health data.
We do not share consumer health data with data brokers, advertising networks, or aggregators. The third parties identified in Section 6 are processors providing infrastructure to operate the service, the consumer's separately authorized AI provider, and the payment processor (which receives no consumer health data).
8. Consumer Rights
If you are a Washington consumer or your consumer health data was collected in Washington, you have the following rights under the MHMDA:
- Right to confirm. You may confirm whether we are collecting, sharing, or selling your consumer health data.
- Right to access. You may access the consumer health data we have collected about you, and receive a list of all third parties and affiliates with whom we have shared your data, including a contact method for each recipient.
- Right to deletion. You may request that we delete your consumer health data. Upon a verified request, we will delete the data from our active systems without unreasonable delay and within 45 days. Where consumer health data is stored on archived or backup systems, deletion from those systems may be delayed to enable restoration of the archived or backup systems, but in no event will such delay exceed six months from authentication of the deletion request, as permitted by the MHMDA. We will also instruct any third party that received your data from us to do the same.
- Right to withdraw consent. You may withdraw any consent you have previously given for the collection, sharing, or sale of your consumer health data. Withdrawing consent is as straightforward as providing it: any consent given through Settings > Privacy can be withdrawn through Settings > Privacy. Withdrawal of consent is prospective and does not affect processing already conducted under prior valid consent.
- Right to appeal. If we deny your request, you may appeal that denial. Appeals are reviewed by a different person than the original decision-maker. We will respond to your appeal in writing.
- Right to use an authorized agent. You may designate an authorized agent to exercise any of the rights described above on your behalf. We may require the authorized agent to provide signed written permission and may require the consumer to verify their own identity directly with us before processing the request.
We do not discriminate against consumers for exercising these rights.
9. How to Exercise Your Rights
To exercise any right described above, contact us at:
- Email: privacy@exomedna.com
- Subject line: “MHMDA Rights Request — [type of request, e.g., Access, Deletion, Withdraw Consent]”
- Mailing address: ExomeDNA, Inc., 5900 Balcones Dr, Suite 100, Austin, TX 78731
We will respond to verified requests within 45 days. If reasonably necessary, we may extend this period by an additional 45 days, in which case we will inform you of the extension and the reason within the original 45-day period.
If your request is denied, our denial notice will explain how to file an appeal. If your appeal is denied, you may also contact the Washington Attorney General at https://www.atg.wa.gov/file-complaint.
10. Geofencing
ExomeDNA does not use, and does not authorize any third party to use on its behalf, a geofence around any location that provides in-person health care services to identify, track, collect data from, or send notifications, messages, or advertisements to consumers related to their consumer health data, health care services, or health care-seeking behavior.
11. Changes to This Policy
We will revise this policy if our practices regarding consumer health data change. Material changes — including new categories of consumer health data collected, new categories of recipients, or new purposes of use — will require new consent before any new processing begins. The “Effective Date” at the top of this policy will reflect any updates.
12. Contact
For any questions about this Consumer Health Data Privacy Policy, including to exercise your rights:
Email: privacy@exomedna.com
Mailing address: ExomeDNA, Inc., 5900 Balcones Dr, Suite 100, Austin, TX 78731