AXIA Consumer Health Data Privacy Policy

Specific Disclosures for the Washington My Health My Data Act (MHMDA)

Effective Date: April 6, 2026

Last Updated: April 6, 2026

This separate and distinct Consumer Health Data Privacy Policy supplements our main Privacy Policy. It applies specifically to consumers residing in the State of Washington, or whose consumer health data is collected within Washington, pursuant to the Washington My Health My Data Act (MHMDA).

AXIA collects and processes multiple categories of data that constitute regulated "Consumer Health Data" under Washington law:

  • Dietary Inferences: Because our artificial intelligence (AI) algorithms estimate caloric and nutritional intake based on user-generated food logs, the algorithmic outputs may constitute inferences regarding dietary habits, restrictions, and nutritional intake.
  • GLP-1 Medication Records: We directly collect GLP-1 medication names, dosages, injection timestamps, and injection history, which constitute health information directly related to a consumer's medical treatment.

Both categories are classified as regulated "Consumer Health Data" under Washington law and are afforded the full protections of this policy.

1. Absolute Prohibition on Selling Data

We absolutely do not sell Consumer Health Data. We will never sell your biometric data, food logs, GLP-1 medication records, injection history, or the health inferences generated by our AI to any data brokers, advertising networks, or third parties under any circumstances.

2. Separate, Unbundled Consent Mechanisms

We do not rely on a single, generalized checkbox (such as "I agree to the Terms and Privacy Policy") to obtain your consent in Washington.

  • Consent to Collect: You will be asked for an affirmative, opt-in consent specifically before we collect your consumer health data, including both dietary information and medication records.
  • Consent to Share: Because we securely transmit food log data to third-party AI processors (Firebase Vertex AI and Google Gemini) and cloud hosts to provide our core features, you must provide a separate and distinct opt-in consent to allow us to "share" that data with our processors. Note: GLP-1 medication records are not transmitted to AI processors and are stored locally within our Firebase infrastructure only.

These consent requests are never bundled together, hidden in broader agreements, or presented via pre-checked boxes.

3. Data Rights Portal

You possess a fundamental right to access and control your data. Our application settings and this website provide an easy, conspicuously available process for you to exercise your rights. You may:

  • Request access to your Consumer Health Data, including both dietary logs and medication records.
  • Request permanent deletion of your data.
  • Easily withdraw your consent for data collection and sharing.

To initiate a request, please use the in-app account management tools or email us directly at [email protected]. We are legally required to respond to these requests within forty-five (45) days.

4. The Appeals Process

If we deny a data rights request (for instance, if we cannot verify your identity or locate your account), we will provide you with a method to appeal our decision. We have forty-five (45) days to respond to an appeal in writing. If we deny the appeal, we are legally obligated to provide you with a method and link to contact the Washington State Attorney General to file a formal complaint.

5. Vendor Contracts (Data Processing Agreements)

We ensure that all contracts with our third-party processors (Google Firebase and Firebase Vertex AI / Google Gemini) explicitly and contractually bind them to process your health data only in ways that are consistent with our privacy policies. These processors act solely on our behalf and are strictly prohibited from utilizing your data for their own independent purposes, such as training public AI models. GLP-1 medication records and injection history are stored exclusively within Firebase Firestore and are never transmitted to AI inference endpoints.

6. Access Restrictions and Security Standards

We have established and maintain administrative, technical, and physical security practices that satisfy a "reasonable standard of care" within the digital health industry. This includes:

  • Robust encryption protocols (TLS) for data in transit.
  • Firebase security rules enforcing data-at-rest encryption.
  • Firebase App Check (App Attest on iOS, Play Integrity on Android) to prevent unauthorized API access from non-genuine app instances.
  • Restriction of internal access to Consumer Health Data solely to personnel who require it to maintain and operate the application's services.

7. Absolute Ban on Healthcare Geofencing

Our application never utilizes location tracking or GPS technology to establish a virtual boundary (a "geofence") around any in-person healthcare facilities, clinics, hospitals, or pharmacies. We are strictly prohibited from identifying consumers, collecting data, or sending targeted notifications or advertisements based on proximity to medical locations. This prohibition extends to GLP-1 prescription facilities, weight loss clinics, and any other healthcare or treatment locations.