Consumer Health Data Privacy Policy

Last updated: February 6, 2026

This policy is provided in compliance with the Washington My Health My Data Act (RCW 19.373), California Consumer Privacy Act (CCPA/CPRA), and other applicable state consumer health data laws.

1. Consumer health data we collect

With your explicit, opt-in consent, Eva may collect:

  • Menstrual cycle start and end dates
  • Cycle length and predictions
  • Physical symptoms (cramps, headaches, skin changes, etc.)
  • Mood and emotional state
  • Energy levels and sleep quality
  • Biometric data from wearable devices (temperature, heart rate variability, blood oxygen, sleep scores)
  • Fertility-related data (fertile window estimates, ovulation predictions)

2. Purpose of collection

Your consumer health data is collected solely to:

  • Provide cycle tracking and prediction services
  • Display health insights and trend analysis
  • Enable voluntary sharing with your chosen healthcare provider
  • Personalize content recommendations (with separate consent)

3. Consent

We obtain separate, opt-in consent before collecting each category of health data. You can withdraw consent for any category at any time through Settings > Privacy & Consent. Withdrawal of consent does not affect the lawfulness of prior processing.

4. Sharing of consumer health data

We do not sell consumer health data. We do not share consumer health data except:

  • Doctor Portal: When you create a share link and explicitly select data categories to share with a healthcare provider. You control what is shared and can revoke access at any time.
  • Service providers: Our infrastructure providers (Supabase, Vercel) process data on our behalf under strict data processing agreements. They cannot use your data for their own purposes.

5. Your rights

  • Right to know: Request what health data we hold about you
  • Right to withdraw consent: Opt out of any data category at any time
  • Right to delete: Request deletion of all consumer health data
  • Right to export: Download all your health data
  • Non-discrimination: We will not discriminate against you for exercising your rights

6. Data security

Consumer health data is encrypted at rest and in transit. Access is enforced via database-level row security policies. We maintain audit logs of all data access, which you can review in your account settings.

7. How to exercise your rights

You can exercise all rights directly within Eva under Settings, or contact us at privacy@evahealth.me. We will respond within 15 days.