Consumer Health Data Privacy Policy

Last updated: November 10, 2025

This Consumer Health Data Privacy Policy ("Health Data Policy") supplements our Privacy Policy and provides additional information about how Revly collects, uses, discloses, and protects your consumer health data in accordance with applicable state privacy laws, including the Washington My Health My Data Act and similar legislation.

What is Consumer Health Data?

"Consumer health data" means personal information that we collect that is used to identify or be reasonably linkable to a consumer and that relates to:

• The past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of a consumer;
• The past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment;
• Social, psychological, behavioral, and medical interventions;
• Health-related surgeries or procedures;
• Use or purchase of prescribed medication;
• Bodily functions, vital signs, symptoms, or measurements of the information described above;
• Diagnoses or diagnostic testing, treatment, or medication;
• Gender-affirming care information, reproductive or sexual health information, biometric data, genetic data, precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies, or any information that a regulated entity or a small business processes to associate or identify a consumer with any data described in this list that is derived or extrapolated from non-health information.

Consumer Health Data We Collect

In connection with our Services, we collect the following categories of consumer health data:

Blood Test and Biomarker Data

• Blood test results and biomarker values (e.g., glucose, cholesterol, hormones, vitamins, minerals)
• Laboratory test reports and diagnostic information
• Historical biomarker trends and changes over time

Fitness and Wearable Device Data

• Heart rate, heart rate variability (HRV), and resting heart rate
• VO2 max and cardiovascular fitness metrics
• Sleep data (duration, quality, stages)
• Activity and exercise data (steps, distance, active minutes, workouts)
• Body measurements (weight, body fat percentage, BMI)
• Recovery metrics and readiness scores
• Respiratory rate and SpO2 (blood oxygen levels)
• Body temperature and skin temperature

Health Experiments and Interventions

• Information about health protocols and experiments you are testing
• Supplement regimens and dosages
• Dietary interventions and nutritional changes
• Exercise and training protocols
• Lifestyle modifications and behavioral interventions
• Check-in data and self-reported outcomes from experiments

Health Goals and Preferences

• Your health optimization goals and objectives
• Areas of health focus and concerns
• Personal health context you provide

How We Collect Consumer Health Data

We collect consumer health data through the following methods:

• Direct uploads: When you upload blood test results, lab reports, or other health documents
• Device integrations: When you connect and authorize third-party health services and wearable devices (Apple Health, Google Fit, Oura, Whoop, etc.)
• Manual entry: When you manually input health data, experiment details, or check-in information
• AI analysis: When we process your uploaded documents using AI to extract biomarker data

How We Use Consumer Health Data

We use your consumer health data solely to provide and improve the Services to you. Specifically, we use your consumer health data to:

• Display your health metrics and biomarkers in your personal dashboard
• Track and visualize changes in your health data over time
• Analyze correlations between your experiments and health outcomes
• Provide personalized health insights and recommendations
• Enable you to share your health dashboard publicly if you choose
• Generate aggregate, de-identified data for research and product improvement
• Provide customer support when you contact us with questions about your health data
• Comply with legal obligations and protect against fraudulent or illegal activity

We will NEVER use your consumer health data for advertising purposes. We will NEVER sell or share your consumer health data to advertising platforms, data brokers, or information resellers.

How We Share Consumer Health Data

We share your consumer health data only in the following limited circumstances:

With Your Consent

• Public dashboards: If you choose to make your dashboard publicly accessible, the health data you select to share will be visible to anyone with the link
• Third-party integrations: When you authorize us to sync data with third-party health services

With Service Providers

We share consumer health data with service providers who assist us in providing the Services, subject to strict confidentiality and data protection obligations:

• Cloud infrastructure providers (Amazon Web Services, Vercel) that host and store your data securely
• Database providers (Neon) that provide secure database services
• AI service providers (OpenAI, Anthropic, Google) that help process and analyze your health data to provide insights and recommendations
• Authentication providers (Clerk) that manage secure user authentication

These service providers are contractually required to use your consumer health data only for the specific purposes we authorize and to maintain appropriate security measures.

For Legal Compliance

We may disclose consumer health data when required by law, such as in response to a valid subpoena, court order, or other legal process, or to protect our rights or the rights of others.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your consumer health data may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy.

Your Rights Regarding Consumer Health Data

You have specific rights regarding your consumer health data under applicable state laws, including:

Right to Access

You have the right to confirm whether we are processing your consumer health data and to access that data. You can access most of your consumer health data directly through your account dashboard.

Right to Delete

You have the right to request deletion of your consumer health data. You can delete individual data points through your account, or request complete deletion of your account and all associated data by contacting us at privacy@revly.health

Right to Withdraw Consent

Where we collect and process your consumer health data based on your consent, you have the right to withdraw that consent at any time. You can:

• Disconnect third-party device integrations through your account settings
• Stop uploading new health data
• Delete existing health data
• Close your account entirely

Right to Appeal

If we deny your request to exercise any of these rights, you have the right to appeal that decision. To appeal, please contact us at privacy@revly.health with the subject line "Privacy Rights Appeal."

No Discrimination

We will not discriminate against you for exercising any of your privacy rights, including by denying services, charging different prices, or providing a different level of service quality.

Data Security and Protection

We implement comprehensive security measures to protect your consumer health data:

• Encryption: All consumer health data is encrypted in transit (using TLS) and at rest
• Access controls: We implement role-based access controls to limit who can access your data
• Secure infrastructure: We use enterprise-grade cloud infrastructure with robust security practices
• Regular audits: We regularly review and update our security practices
• Employee training: Our team receives training on privacy and data security
• Incident response: We have procedures in place to respond to any security incidents

Data Retention

We retain your consumer health data for as long as you maintain an active account and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements. When you delete your account or request deletion of specific data, we will permanently delete that data from our systems within 30 days, except where we are required to retain it by law.

De-identified and aggregated data that cannot be linked back to you may be retained indefinitely for research and product improvement purposes.

Geofencing and Sensitive Locations

If we collect precise location data, we will not use geofencing or similar technology to establish virtual boundaries around sensitive healthcare facilities (such as mental health clinics, reproductive health facilities, or other medical facilities) to identify, track, or collect consumer health data.

Children's Health Data

We do not knowingly collect consumer health data from individuals under the age of 18. Our Services are not directed to children. If we learn that we have collected consumer health data from a child under 18, we will delete that information immediately.

Changes to This Health Data Policy

We may update this Consumer Health Data Privacy Policy from time to time. If we make material changes to how we collect, use, or share consumer health data, we will notify you by email (if you have provided an email address) and/or by posting a prominent notice on our website and within the Services.

Contact Us

If you have questions about this Consumer Health Data Privacy Policy or wish to exercise your rights regarding your consumer health data, please contact us at:

Email: privacy@revly.health

State-Specific Rights

Washington Residents

If you are a Washington resident, you have rights under the Washington My Health My Data Act (MHMDA). This includes the rights to access, delete, and withdraw consent for the collection of your consumer health data, as described above.

California Residents

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). For information about your California privacy rights, please see our Privacy Policy.

Other States

Residents of other states may have rights under applicable state privacy laws. We extend the rights described in this Health Data Policy to all users of our Services, regardless of location.