Rhada Consumer Health Data Notice
Version 1.0.0 · Effective 25 May 2026
This Notice applies to consumer health data that DIAN Holdings Limited ("DIAN", "we", "us", "our") collects, uses, shares or processes about you when you use Rhada (mobile app and rhada.app website), if you are a resident of:
- Washington State — under the My Health My Data Act ("MHMDA", RCW 19.373; effective 31 March 2024).
- Nevada — under Senate Bill 370 ("SB 370", NRS 603A; effective 31 March 2024).
- Connecticut — under the Connecticut Data Privacy Act ("CTDPA") as amended by Public Act No. 23-56 (effective 1 October 2023).
This Notice supplements our Privacy Policy and our Terms of Use. Where this Notice grants you a broader right than the Privacy Policy, the broader right applies.
Rhada is not a HIPAA Covered Entity. HIPAA does not apply to your data when you use Rhada. The protections in this Notice exist because state law extends HIPAA-style protections to consumer health data held by any business, not only healthcare providers. See Privacy Policy §10.
1. Categories of consumer health data we collect
For the purposes of MHMDA, SB 370 and the CTDPA consumer-health-data amendments, the following information you provide to Rhada (or that we generate about you from the information you provide) is consumer health data:
| Category | Examples | Source |
|---|---|---|
| Bodily measurements | Weight, height, body fat %, weight history, target weight | You |
| Reproductive or sexual health information | Menstrual / cycle phase, sex assigned at birth, gender identity (where you provide it) | You |
| Diet and nutrition information | Food logs, calorie intake, macro breakdowns, allergies, dietary restrictions | You, food-vision AI, OpenFoodFacts barcode lookups |
| Physical activity information | Steps, workouts, active calories, exercise routines, training plans | Apple HealthKit / Android Health Connect (with your permission), you |
| Biological status indicators | Heart rate, heart rate variability, resting heart rate | Apple HealthKit / Android Health Connect (with your permission) |
| Sleep information | Sleep duration, sleep quality | Apple HealthKit / Android Health Connect (with your permission), your daily pulse responses |
| Subjective wellness information | Mood, energy, hunger, stress, sleep-quality scores; free-text check-in narratives | You (daily pulse, weekly check-ins) |
| Coaching conversations | Your messages to the AI coach and the coach's replies, including content where you discuss your health, body, mood or behaviour | You and Anthropic Claude (via our claude-proxy edge function) |
| Inferences derived from the above | Energy-expenditure estimates, plan adjustments, pattern detections (e.g., "increased hunger correlates with reduced sleep this week") | Computed by Rhada |
| Identifiers linked to the above | Your account ID; the email address associated with your account | You (or your federated-sign-in provider) |
We do not collect: precise device location; biometric identifiers (face/fingerprint/retina); genetic data; gender-affirming-care-specific records; substance-use treatment records; reproductive-care procedure history; immigration status; mental-health treatment records from licensed providers (we are not a provider — see Privacy Policy §10).
2. How we use your consumer health data
We use consumer health data only for the purposes described in the Privacy Policy:
- To provide the Service (generate your weekly meal plan, training programme, coach replies, check-in feedback, progress tracking).
- To operate, secure and improve the Service.
- To comply with legal obligations.
We do not:
- Use consumer health data for advertising or any marketing purpose.
- Use consumer health data to build profiles of you that are used for cross-context behavioural advertising.
- Sell consumer health data to anyone, for any purpose.
- Share consumer health data with any third party except the sub-processors listed in §3 below, each of which processes the data only on our written instructions under a data-protection contract.
3. With whom we share consumer health data
We share consumer health data only with the sub-processors listed in our Subprocessors register. The ones who actually receive consumer health data (as opposed to operational metadata) are:
| Sub-processor | What they receive | Why | Their commitment |
|---|---|---|---|
| Supabase, Inc. | All consumer health data stored by Rhada | Database, authentication, storage | Acts only on our written instructions per the Supabase DPA; does not sell or share |
| Anthropic, PBC | Your coach messages + the recent context (weight summary, food summary, check-in summary) needed to generate a reply | AI coaching via Claude API | Anthropic Commercial Terms §B.5 prohibits use of inputs to train general models; does not sell |
| Google LLC (Gemini API) | Meal and nutrition-label photos | Food-photo and label vision | Gemini API Additional Terms prohibit use of paid-API inputs to train general models; does not sell |
Sub-processors that do not receive consumer health data:
- Apple (Sign in with Apple; APNs push) — pseudonymous identifier and push token only.
- RevenueCat — subscription state only.
- Expo Push Service — push token only.
- Resend — transactional email (no health data in message body).
- Sentry — crash reports (PII scrubbed; see Privacy Policy §4.7 and §9).
- OpenFoodFacts — barcode string only; no user identifier attached.
4. Your rights
4.1 Washington — MHMDA rights
If you are a Washington resident, you have the right to:
- Confirm whether we are collecting, sharing, or selling consumer health data concerning you, and to access such data.
- Obtain a list of all third parties (including affiliates) with whom we have shared or to whom we have sold your consumer health data, including each third party's contact information.
- Withdraw consent from our collection and sharing of your consumer health data.
- Delete your consumer health data, and to require us to notify our processors to do the same.
You also have the right not to have your consumer health data sold without your separate written authorisation. We do not sell consumer health data, so this right is satisfied automatically, but we record it explicitly for clarity. We do not use geofencing technology around in-person healthcare facilities, which would be contrary to MHMDA §1.06.
How to exercise: email support@rhada.app from the email associated with your Rhada account, or use Settings → Account → Privacy → MHMDA rights request in the app. We respond within forty-five (45) days (with a single forty-five-day extension where reasonably necessary, with notice to you).
Appeal: if we deny your request, you can appeal by replying to our denial; we will provide a final response within 45 days, including a written explanation if we maintain the denial. You may also file a complaint with the Washington State Attorney General — https://www.atg.wa.gov/file-complaint.
4.2 Nevada — SB 370 rights
If you are a Nevada resident, you have the right to:
- Confirm and access the consumer health data we collect, share or sell.
- Withdraw consent to our collection or sharing.
- Delete your consumer health data, and require us to notify our processors.
- Not have your consumer health data sold without your separate written authorisation (we do not sell it).
How to exercise: email support@rhada.app. We respond within 60 days (extendable once by 60 days with notice).
Complaint route: Nevada Attorney General Bureau of Consumer Protection — https://ag.nv.gov/.
4.3 Connecticut — CTDPA consumer-health-data rights
If you are a Connecticut resident, in addition to the general CTDPA rights described in Privacy Policy Schedule D.2, you have specific protections for consumer health data:
- We obtain opt-in consent before processing consumer health data (we obtain this at onboarding when you set up your profile, and re-obtain it on material changes).
- We do not sell consumer health data and would obtain your separate opt-in consent before doing so (we have no plans to sell).
- We restrict employee or contractor access to consumer health data to those with confidentiality obligations and a need to access.
- We maintain a secure environment for consumer health data processing (see Privacy Policy §9).
How to exercise: email support@rhada.app. We respond within 45 days (extendable once by 45 days).
Complaint route: Connecticut Attorney General — https://portal.ct.gov/AG.
5. How we authenticate rights requests
To prevent unauthorised disclosure or deletion, we authenticate consumer health data rights requests by:
- Verifying that the request email matches the email on the Rhada account.
- For deletion requests, sending a confirmation email with a confirmation link that must be clicked within 7 days.
- For access requests where you ask us to send the data to a different address from your account email, asking you to verify ownership of the account email first.
- For all requests, refusing to comply if we are unable to authenticate the requester after a reasonable effort.
We do not require you to create a new account to make a rights request.
6. Authorised agents
You may designate an authorised agent to submit a request on your behalf. We require:
- Written, signed authorisation from you to the agent (a power of attorney is sufficient but not required).
- Direct verification from you that the agent is authorised to act on your behalf (we will contact you).
7. Changes to this Notice
We will update this Notice when our practices, our sub-processors, or applicable law change. Changes are recorded in CHANGELOG.md. Material changes trigger an in-app re-prompt for acceptance and a notice email to the registered email address.
8. Contact
For questions about this Notice or to exercise the rights described above:
- Email: support@rhada.app
- In-app: Settings → Account → Privacy
- By mail: address available on request via support@rhada.app
End of Consumer Health Data Notice v1.0.0.