Consumer Health Data Privacy Policy.

This policy applies to Washington residents who use Leo. The Washington My Health My Data Act (MHMDA, RCW 19.373) requires us to publish a Consumer Health Data Privacy Policy distinct from our general privacy policy, covering the specific categories of consumer health data we process and the rights you have over it.

“Consumer health data” under MHMDA means personal information linked or reasonably linkable to a consumer and that identifies their past, present, or future physical or mental health status. The categories Leo collects from you are:

• Account identifiers — your email, password hash, name, date of birth.
• Medications and dose history (scheduled and as-needed).
• Vitals — heart rate, blood pressure, SpO₂, glucose, sleep, weight, temperature.
• Symptoms, flare-ups, mood, and journal entries you write into Leo.
• Conditions, allergies, and medical history you record.
• Lab results — whether you scan a printed report or import them via Apple Health Records.
• Cycle, pregnancy, and reproductive-health entries when you choose to track them.
• Care-relationship records (which caregivers, school nurses, providers, or partners you've linked).

All consumer health data comes from one of three sources, all of which require an explicit action by you:

• Direct entry inside Leo. You tap, type, or speak the information into the app.
• Apple Health & HealthKit. Only the categories you authorize through the iOS system prompt, and only what your Apple Health app has already collected.
• Apple Health Records (outside providers). Only after you tap through Apple's authorization picker for a specific provider portal (Labcorp, MyChart, etc.). For minors, an additional parental approval gate applies — see the Children's data section.

We never purchase health data, scrape it, infer it from third-party advertising signals, or receive it from a data broker.

Consumer health data is processed solely to operate Leo for you and the people you have explicitly linked: rendering your dashboards, generating local pattern descriptions, sending you reminders and notifications, surfacing the data to your caregivers / nurses / providers / partners with the permissions you set, and supporting the analytics, customer-service, and security obligations described in our general privacy policy.

None. Leo does not sell consumer health data, does not share it for cross-context behavioral advertising, and does not provide it to any third party for their own independent use. We also do not process it for any purpose that would constitute “sale” or “sharing” under MHMDA, CCPA/CPRA, or GDPR.

The only third parties that touch consumer health data are the service providers that operate the Leo platform on our behalf — listed below — each bound by a written contract (Business Associate Agreement, Data Processing Addendum, or both) that prohibits them from using the data for any purpose other than running Leo for you.

• Google / Firebase — hosting, database, authentication, push notifications, and Cloud KMS for per-user key management. All consumer health data lives inside the Google Cloud Platform tenancy. HIPAA Business Associate Agreement: currently in progress and not yet executed. We will not enable any third-party feature that exposes consumer health data outside the GCP tenancy until the BAA is in force. Until then, no consumer health data is transmitted to any service that isn't under a written contractual restriction against using it for any purpose other than operating Leo for you.
• Apple — HealthKit and Health Records integrations operate entirely on-device; no consumer health data flows to Apple servers through Leo.
• Resend — transactional and operational email (consent confirmations, parental notices, account-deletion receipts, nurse-link approval requests). Emails carry first names and operational identifiers only — never raw lab values, journal text, or vitals. Data Processing Addendum in place.
• Shopify — ambassador rewards store. Health data is never sent to Shopify; only ambassador identity and discount-code metadata. Adults only — minors cannot enroll in the ambassador program.
• Stripe — donations and subscription payments. Receives no consumer health data; only billing details required to process the charge.

• Right to confirm collection. You can ask us whether we are processing your consumer health data.
• Right to access. You can receive a complete copy of the consumer health data we hold. Inside Leo this is the “Download all data” flow in account settings; under-13 accounts are accessed via the parent surface.
• Right to withdraw consent. You can withdraw consent to collection, sharing, or sale at any time. Because Leo neither sells nor shares, withdrawing consent functionally pauses or deletes the account.
• Right to deletion. You can ask us to delete every piece of consumer health data we hold. Inside Leo this is the “Delete account” flow.
• Right to appeal. If we deny a request, you may appeal — see the contact line below.

We respond to verifiable requests within forty-five (45) days. Identity verification is typically by confirming the email address on the Leo account.

MHMDA § 19.373.030 imposes a separate, written, signed authorization standard before a regulated entity may sell or share consumer health data. Because Leo neither sells nor shares, we do not solicit such an authorization today. If we ever introduce a feature that would constitute sale or sharing, we will: (a) update this policy, (b) request a distinct, signed MHMDA-compliant authorization from you (and, for minors, from the parent who granted COPPA consent), and (c) provide a one-tap revocation path.

We do not establish a geofence of any kind around any in-person health-care facility, and we do not use location data to identify, track, or send notifications to anyone entering or leaving such a facility (RCW 19.373.040).

To exercise any right under MHMDA — or to appeal a denial — write to privacy@leomindbody.com. If you are unsatisfied with our response, you may contact the Washington State Attorney General at atg.wa.gov/file-complaint.