Privacy Policy

Effective June 2026 | Last updated June 2026 | CoreSignal Health

Introduction

CoreSignal, Inc. ("CoreSignal," "we," "us," or "our") operates the CoreSignal men's health optimization platform accessible at coresignal.health (the "Platform"). We are committed to protecting the privacy and security of your personal and health information. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights regarding your information.

By using the CoreSignal Platform, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please discontinue use of the Platform.

1. What Data We Collect

1.1 Health and Biometric Data

  • Self-reported symptoms and wellness data: fatigue levels, mood, sleep quality, libido, and other subjective health metrics you enter through the Platform.
  • Laboratory test results: blood panels, hormone levels (testosterone, estradiol, DHEA, etc.), metabolic markers, and other clinical lab values you upload or authorize us to receive.
  • Wearable device data: heart rate, HRV, sleep stages, activity levels, and recovery metrics synced from connected wearable devices (e.g., WHOOP, Oura, Apple Watch, Garmin).
  • AI-generated Optimization Index scores: composite health scores and trend analyses generated by our proprietary algorithm based on your submitted data.
  • Supplement and medication logs: optional data you enter about supplements, medications, or protocols you follow.

1.2 Account and Identity Data

  • Name, email address, date of birth, and biological sex (required for physiological reference ranges).
  • Account credentials (password stored in hashed, salted form — never in plaintext).
  • Profile preferences and notification settings.

1.3 Technical and Usage Data

  • IP address, device type, browser type, and operating system.
  • Pages visited, features used, and interaction events within the Platform (collected via PostHog analytics).
  • Session data and cookies (see our Cookie Policy).
  • Error logs and diagnostic data to improve Platform performance.

2. How We Use Your Data

We do not use your health data for advertising purposes. Your health data is never sold, licensed, or otherwise disclosed to advertisers, data brokers, insurance companies, or employers. We use your data for the following purposes:

  • Personalized Health Analysis: Your health data is processed by our AI algorithms to generate your Optimization Index score, trend analyses, and personalized recommendations.
  • Platform Operation: Processing transactions, managing your account, sending transactional emails (confirmation, password reset), and providing customer support.
  • Safety and Fraud Prevention: Detecting and preventing unauthorized access, abuse, or violations of our Terms.
  • Product Improvement: Aggregated, de-identified analytics to understand feature usage and improve the Platform. Individual health profiles are not used to train our AI models without explicit consent.
  • Legal Compliance: Complying with applicable laws, regulations, and responding to lawful requests.
  • Breach Notification: Notifying you in the event of a data breach affecting your information.

3. Vendors Processing Health Data

CoreSignal engages the following third-party service providers as data processors or business associates. Each has been evaluated for security and privacy compliance. Business Associate Agreements (BAAs) are executed or in progress with each vendor that processes PHI:

  • Neon — PostgreSQL database hosting; processes all health data at rest. BAA required.
  • Vercel — Application hosting and serverless functions; processes all data in transit via API. BAA required.
  • OpenAI — AI/ML analysis engine; processes health data for scoring. BAA required.
  • PostHog — Product analytics; processes behavioral analytics (no raw PHI). BAA required.
  • Postmark — Transactional email; processes no PHI — notifications only. No BAA (PHI excluded).

CoreSignal does not sell, share, or disclose your health data to any third party beyond the vendors listed above, except as required by law.

4. Data We Do Not Sell or Share

CoreSignal makes the following explicit commitments regarding your health data:

  • We never sell your health data to advertisers, data brokers, or any commercial third parties.
  • We never share your health data with health insurance companies, life insurers, or disability insurers.
  • We never share your health data with your employer, potential employers, or background check services.
  • We never use your health data for behavioral advertising or audience profiling.
  • We do not participate in data broker exchanges or people-search databases.

5. Apple HealthKit and Wearable Data

With your explicit permission, CoreSignal reads health and fitness data from Apple HealthKit and connected wearable devices (e.g., Apple Watch, WHOOP, Oura, Garmin) to calculate your Optimization Index and power the app's features. This may include heart rate, heart rate variability, sleep, activity, and recovery metrics.

  • We do not use data from Apple HealthKit for advertising or share it with third parties without explicit consent.
  • HealthKit data is used solely to provide and improve the app's health functionality for you — it is never sold and is never used for marketing or audience profiling.
  • You can revoke CoreSignal's access to HealthKit at any time from the Apple Health app or your device settings. Revoking access stops future syncing; previously synced data is handled per the retention and deletion terms in this Policy.
  • HealthKit data is stored and protected with the same encryption and access controls as all other health data described in Section 8.

5A. HIPAA Compliance

For users who connect CoreSignal through a clinic partner, CoreSignal Health acts as a Business Associate under HIPAA (45 C.F.R. §160.103). In that capacity, CoreSignal processes Protected Health Information (PHI) under the terms of a Business Associate Agreement (BAA) with each clinic partner. CoreSignal does not sell PHI, use PHI for advertising purposes, or disclose PHI except as required to provide the Services or as required by law.

5B. Wearable Device Data

Data obtained from connected wearable devices (including Oura Ring, Garmin, Apple Health, and Terra-connected devices) is ingested as pre-processed summary metrics from the respective device manufacturer's API. CoreSignal does not access raw physiological waveforms or signals from connected devices. Wearable data is stored in encrypted form and used solely to generate wellness scores and coaching insights within the Platform.

6. Your Privacy Rights

  • Right to Access: Request a complete copy of your personal and health data in a machine-readable format within 30 days.
  • Right to Correction: Request correction of inaccurate or incomplete health data.
  • Right to Deletion: Request deletion of your account and associated data. See Section 7 for retention timelines.
  • Right to Data Portability: Receive your health data in a portable format (JSON or CSV) for transfer to another provider.
  • Right to Withdraw Consent: Withdraw consent for data processing at any time. Withdrawal does not affect lawfulness of prior processing.
  • Right to Restrict Processing: Request restriction of processing while a correction or objection is pending.
  • Washington MHMDA Rights: Washington residents have additional rights under the My Health My Data Act (see Section 10).
  • California CMIA Rights: California residents have rights under the Confidentiality of Medical Information Act (see Section 11).

To exercise any of these rights, contact privacy@coresignal.health. We will respond within 30 days. We will not retaliate or discriminate for exercising privacy rights.

7. Data Retention

CoreSignal retains data for the minimum period necessary to fulfill the purposes described in this Policy:

  • Health data, lab results, wearable data: account lifetime + 3 years post-deletion (FTC Health Breach Notification Rule compliance).
  • Optimization Index scores and AI outputs: account lifetime + 3 years post-deletion (continuity and audit purposes).
  • Account / identity data: account lifetime + 90 days post-deletion (account recovery window).
  • Transactional email logs (Postmark): 90 days (operational troubleshooting).
  • Security and audit logs: 6 years (HIPAA Security Rule § 164.312 minimum).
  • Analytics events (PostHog): 2 years (product analytics, no PHI).

After applicable retention periods, data is securely deleted using DoD 5220.22-M overwrite standards or cryptographic erasure for cloud-stored data.

8. Data Security

  • All health data is encrypted at rest using AES-256 encryption in Neon PostgreSQL.
  • All data in transit is encrypted using TLS 1.2 or higher.
  • Access to production health data is restricted by role-based access controls and requires MFA.
  • We conduct periodic security risk assessments and penetration tests.
  • Employees and contractors with access to health data receive HIPAA privacy training.

9. Breach Notification

In the event of a security breach affecting your health data, CoreSignal will notify affected users within 60 days of discovering the breach, consistent with the FTC Health Breach Notification Rule (16 C.F.R. Part 318). Notification will include:

  • The nature of the breach and categories of data affected.
  • The approximate date(s) of the breach.
  • Steps we have taken to secure data and prevent future incidents.
  • Steps you can take to protect yourself.
  • Contact information for our Privacy Officer.

We will also notify the FTC as required and any applicable state regulators.

10. Washington My Health My Data Act (MHMDA)

If you are a Washington State resident, CoreSignal complies with the Washington My Health My Data Act (RCW 19.373), effective March 31, 2024:

  • We do not sell consumer health data without your valid authorization.
  • We do not collect or share consumer health data beyond what is necessary for the purposes disclosed.
  • You have the right to confirm whether we hold consumer health data about you.
  • You have the right to delete consumer health data.
  • You have the right to withdraw consent from the sale or sharing of consumer health data.
  • You may exercise these rights by contacting privacy@coresignal.health.
  • CoreSignal will not discriminate against Washington residents for exercising MHMDA rights.

11. California Confidentiality of Medical Information Act (CMIA)

CoreSignal acknowledges obligations under the California Confidentiality of Medical Information Act (Cal. Civ. Code §§ 56–56.37):

  • We will not sell, share, or otherwise use your medical information for any purpose other than those disclosed herein without your written authorization.
  • We will not disclose your medical information to employers for employment-related decisions.
  • California residents may request access to and correction of their medical information.
  • Breaches of medical information will be reported as required under CMIA.

12. Children's Privacy

The CoreSignal Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with health data, contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email and a prominent notice on the Platform at least 30 days before taking effect. Continued use after the effective date constitutes acceptance.

14. Contact Us

For privacy questions, rights requests, or to contact our Privacy Officer (Braiden), email privacy@coresignal.health or visit coresignal.health.