idicine← Back to home

Legal

Consumer Health Data Privacy Policy

Effective Date: May 17, 2026  ·  Last Updated: May 19, 2026

This Consumer Health Data Privacy Policy applies to Idicine's collection, use, and sharing of consumer health data as defined under applicable state laws, including the Washington My Health My Data Act (RCW 19.373), the Nevada Consumer Health Data Privacy Law (SB 370), and similar state consumer health data laws. This policy is a standalone notice required by these laws and should be read together with our Privacy Policy and Genetic, Biomarker and Bio-Matching Consent.

1. Categories of Consumer Health Data We Collect and the Purpose for Each

  • Blood type — used to calculate bio match scores and determine Bio Chat visibility.
  • Biomarker data extracted from uploaded lab reports and bloodwork — used to calculate bio match scores, determine Bio Chat access, and improve matching quality.
  • Genetic data extracted from uploaded DNA files (such as 23andMe or AncestryDNA raw files) — used to calculate bio match scores and determine Bio Chat access.
  • Self-reported health experiences, including supplement reactions, medication experiences, symptoms, and wellness observations — used to enable peer-support conversations in Bio Chats.
  • Match signals and embeddings derived from the above data — used to organize Bio Chats and rank content.

2. Categories of Sources

We collect consumer health data directly from you:

  • Blood type entered during onboarding.
  • Self-reported experiences entered in Bio Chats.
  • Uploaded lab reports, bloodwork PDFs, and DNA raw files.

3. Categories of Consumer Health Data Shared

  • Biomarker data, genetic data, and lab content from uploaded files: processed by Idicine's own AI infrastructure to extract match signals. No uploaded file content is transmitted to third-party AI providers. Processing occurs on Idicine-controlled servers.
  • Privacy-safe match signals (not raw data): used internally to determine Bio Chat visibility.
  • No raw genetic files, raw biomarker values, or uploaded health documents are shared with other users or sold to third parties.

4. Specific Named Service Providers and Categories of Third Parties

  • Hetzner Online GmbH — VPS hosting for AI processing infrastructure. Uploaded file content is processed on a Hetzner server located in the Nuremberg, Germany datacenter and deleted after extraction. Entity address: Industriestr. 25, 91710 Gunzenhausen, Germany.
  • Supabase Inc. — cloud database and storage hosting. Address: 970 Toa Payoh North, #07-04, Singapore 318992.
  • RevenueCat Inc. — subscription and payment management. Address: 300 Brannan Street, San Francisco, CA 94107, USA.
  • Apple Inc. — iOS app distribution and in-app purchase processing. Address: One Apple Park Way, Cupertino, CA 95014, USA.
  • Google LLC — Android app distribution via Google Play Store only. No health data is shared with Google in this capacity. Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

No consumer health data is sold to data brokers, advertisers, pharmaceutical companies, insurers, or employers.

5. How Consumers Can Exercise Their Rights

You have the right to:

  • Access the consumer health data we hold about you.
  • Withdraw consent for collection or sharing.
  • Request deletion of your consumer health data, including from backups (subject to a 6-month archival period).
  • Receive a list of all third parties with whom your data has been shared, including active contact information for each.
  • Appeal any denial of a rights request.

To exercise any of these rights, contact us at privacy@idicine.com. We will respond within 45 days. You may request a 45-day extension if needed. You are not required to create an account to submit a rights request. You may submit two free requests per year.

If we deny your request, you may appeal to us at privacy@idicine.com. If your appeal is denied, you may contact the Washington State Attorney General at www.atg.wa.gov/file-complaint.

6. De-Identification Commitment

If we create de-identified or aggregated data from consumer health data, we commit publicly not to attempt to re-identify that data. We require all recipients of de-identified data to be contractually bound to the same commitment.

7. Nevada-Specific Disclosures (NV SB 370)

  • Categories of consumer health data collected: blood type, biomarkers, genetic data, self-reported health experiences.
  • Sources: directly from consumers via app input and file upload.
  • Third-party recipients: Hetzner Online GmbH (VPS processor hosting Idicine's AI infrastructure), Supabase Inc. (database processor).
  • Purposes: bio-matching for peer-support conversation access.
  • Consumer rights procedure: email privacy@idicine.com.
  • How we notify consumers of changes: updated effective date on this page; in-app notification for material changes.
  • Third-party cross-site tracking: we do not use cross-site tracking technologies on consumer health data.
  • Effective date: May 17, 2026; last updated May 19, 2026.

8. Research and Pattern Discovery (Opt-In)

Idicine operates an internal research program — the Bio-Outcome Intelligence Engine — that identifies statistical associations between bio-signatures (combinations of blood type, biomarker, and genetic features) and self-reported outcomes shared in Bio Chats. Participation is strictly opt-in via in-app Settings and is independent of the consents listed in Section 1.

  • Categories of consumer health data used. When research participation is enabled, the same categories listed in Section 1 may be included, in pseudonymized form, in pattern-discovery pipelines. No additional categories of consumer health data are collected solely for research.
  • Sources. The data used in the research program comes exclusively from data you have provided directly through the Service.
  • Recipients. Internal pattern-discovery compute occurs on Idicine-controlled infrastructure (see Section 4). When the separate research partner sharing consent is enabled, fully de-identified aggregate outputs may additionally be transferred to contractually bound research partners under a written Data Processing Agreement available at idicine.com/data-processing-agreement. Aggregates that are shared with partners are de-identified to the HIPAA Safe Harbor standard, informed by the principles of the Expert Determination standard under 45 C.F.R. § 164.514(b), and all rows or cells describing fewer than ten distinct users are suppressed (k-anonymity ≥ 10) — a stricter threshold than the k-anonymity ≥ 5 floor applied to Idicine-internal research.
  • Purposes. Hypothesis generation about associations between bio-signatures and self-reported outcomes; improvement of internal ranking quality for peer-support conversation surfacing; preparation of de-identified cohort statistics for academic publication or partner research.
  • Not returned to consumers. No prediction, score, or interpretation produced by the research program is returned to the individual user through the Service. The program is a backend-only intelligence asset. It is not a clinical decision support tool, and it is not a software-as-a-medical-device.
  • De-identification commitment. Idicine commits publicly not to attempt to re-identify de-identified data. Every research partner is contractually bound to the same commitment by Data Processing Agreement, including prohibitions on combining data, fingerprinting, or any other technique that could result in re-identification.
  • No sale. Aggregate research insights are not sold to data brokers, advertisers, insurers, employers, or any other third party. Where a research partnership involves commercial consideration, that consideration is for the production of insights for a specific research purpose under a DPA and is not a sale of personal information.
  • Withdrawal. Research consent can be withdrawn at any time from Settings or by emailing privacy@idicine.com. Withdrawal stops all future inclusion of your data in research processing. Aggregates already computed under the de-identification standard above are retained, consistent with MHMDA and NV SB 370.

Operational details, model lifecycle, audit logging, and the contractual terms applicable to research partners are described in our Privacy Policy §32 and the Data Processing Agreement.

Your Privacy Choices

This section consolidates the opt-out rights available to California residents under the CCPA/CPRA. The two rights below are accessible from anywhere on the site via the “Your Privacy Choices” link in the footer.

Limit the Use of My Sensitive Personal Information

California residents may request that we limit the use and disclosure of sensitive personal information — including health data, genetic data, and biomarker data — to purposes necessary to provide the Service. To submit this request, email privacy@idicine.com.

Do Not Sell or Share My Personal Information

Idicine does not sell consumer health data. We do not share consumer health data with third parties for cross-context behavioral advertising. If this changes, we will update this policy and provide required opt-out mechanisms.

Contact

Idicine
5214F Diamond Hts Blvd
San Francisco, CA 94131
privacy@idicine.com