Consumer Health Data Privacy Policy

Effective date: 23 May 2026 · Last updated: 23 May 2026

This policy is specific to consumer health data as defined by the Washington State My Health My Data Act (RCW 19.373) and applies to consumers in Washington State. It supplements (and does not replace) our general Privacy Policy.

1. Who This Policy Applies To

This policy describes how Remira Care Pty Ltd ("Remira", "we", "us", "our") collects, uses, shares and protects consumer health data of natural persons who are residents of Washington State, or whose consumer health data is collected by us in Washington State.

Under the My Health My Data Act ("MHMDA"), "consumer health data" means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present or future physical or mental health status. It includes (without limitation) symptoms, diagnoses, treatments, medications, biometric data, reproductive or sexual-health information, gender-affirming care information, and precise location information that could reveal an attempt to acquire or receive health services.

2. Categories of Consumer Health Data We Collect

  • Self-reported symptoms: daily pain levels, joint pain locations and severity, morning stiffness duration, fatigue severity, sleep quality and duration, mood and anxiety levels, body-map selections, flare events.
  • Medication and treatment information: medication names, dosages, frequency, schedule and adherence logs.
  • Lab values: marker results given to you by your treating clinician that you choose to enter (CRP, ESR, complete blood count and others).
  • Profile health context: RA type, diagnosis date.
  • Mental-health indicators: mood and anxiety entries, and any responses to validated questionnaires such as PHQ-9 and GAD-7 if you choose to complete them.
  • Voice or photo content you attach to flare events.
  • Free-text notes you write within the App.
  • Imprecise location: city and (if you choose to set them) coordinates used solely for weather correlation. We do not use precise geolocation for advertising or to infer visits to health facilities.

3. Sources of Consumer Health Data

We collect consumer health data:

  • directly from you, when you enter information into the App;
  • from you, when you upload a photo or record a voice note;
  • automatically, only as metadata about your use of the App (such as the timestamp of a check-in submission) — we do not collect consumer health data from other sources without your knowledge.

We do not buy or otherwise acquire consumer health data from third parties.

4. Purposes for Which We Collect and Use Consumer Health Data

We collect and process your consumer health data only for the following specific purposes:

  • to provide the wellness-tracking, logging, visualisation and reporting features of the App that you request;
  • to generate personal-use wellness summaries, charts, and statistical observations based on your own data;
  • to generate a clinician-readable PDF or shareable summary only when you initiate the share;
  • to deliver in-App notifications and reminders you have configured;
  • to secure your account (rate limiting, lockout, audit logging tied to your account);
  • to fulfil legal obligations and respond to lawful regulatory or judicial requests;
  • to protect the rights, property and safety of users and the public.

We do not use your consumer health data for cross-context behavioural advertising, profiling for targeted advertising, marketing to third parties, or training third-party AI/ML models.

5. Categories of Recipients

We share your consumer health data only with the following categories of recipients, and only for the specific purposes shown:

  • People you choose: a clinician you have invited as a connected provider, a caregiver you have invited, or the recipient of a share link you have created. You control these connections in Settings and can revoke them at any time.
  • Service providers (subprocessors) acting on our behalf under contractual data-protection obligations: Oracle Cloud Infrastructure (hosting + database), Oracle Cloud Email Delivery (transactional email only — no consumer health data is included in email bodies). See our Privacy Policy §6 for the full subprocessor list.
  • Stripe Payments for billing — we do not share consumer health data with Stripe; only billing data (name, email, billing address, last 4 of card).
  • Government authorities when required by valid legal process.
  • A successor entity in the event of a merger, acquisition or asset sale. Your rights under this policy will be honoured by any successor; we will notify you in advance.

We do not sell consumer health data. We do not share consumer health data with advertisers, data brokers, pharmaceutical companies, or for any cross-context behavioural advertising.

6. Sale of Consumer Health Data

We do not sell consumer health data, and we have not sold consumer health data in the preceding 12 months.

If we ever propose to sell consumer health data — which we do not currently contemplate — we would obtain your separate, prior, written and revocable "valid authorisation" as required by MHMDA before doing so, and we would publish a separate notice in advance.

7. How Long We Retain Consumer Health Data

  • Active account: retained for as long as your account is active and you continue to use the App.
  • After account deletion: 30-day grace period (which you can cancel), then permanent deletion from the primary database.
  • Backups: rolling backups are purged within 90 days of account deletion.
  • Audit logs: kept in pseudonymised form for up to 12 months, then deleted.

8. Your Rights Under the My Health My Data Act

As a Washington State consumer, you have the right to:

  • Confirm whether we are collecting, sharing or selling consumer health data about you, and to access that data.
  • Withdraw consent from our collection and sharing of your consumer health data.
  • Delete consumer health data we have collected from or about you, with limited exceptions provided by law (for example, where data is required to comply with legal obligations or to detect security incidents).
  • Appeal a refusal by us to take action on any of the above requests (see §10).

Exercising these rights is free, and we will not discriminate against you for doing so. You may also designate an authorised agent to submit a request on your behalf.

9. How to Exercise Your Rights

You can exercise most rights directly in the App:

  • Confirm / access: Settings → Export Report (full data export in CSV / PDF / JSON).
  • Withdraw consent: Settings → Consents.
  • Delete: Settings → Delete Account (30-day grace period).

For requests that cannot be completed in the App, or to send a request through an authorised agent, email privacy@remiracare.com with the subject line "MHMDA Request" and include enough information to allow us to verify your identity. We will respond within 45 days of receipt. If we need an extension, we will tell you why and when to expect a response, up to a further 45 days as permitted by law.

10. Appeals

If we decline to take action on a request you have submitted under this policy, we will tell you the reason in writing. You may appeal within a reasonable time by emailing privacy@remiracare.com with the subject line "MHMDA Appeal".

We will respond to your appeal within 45 days of receipt with a written response explaining the outcome and our reasoning. If your appeal is denied, you may contact the Washington State Attorney General to submit a complaint at atg.wa.gov/file-complaint.

11. Geofencing

Remira does not use geofences around in-person healthcare facilities, mental-health facilities, reproductive-health facilities or any other location protected by MHMDA's geofencing prohibition. We do not target advertising or messaging to consumers based on their location near such facilities.

12. Security

We protect consumer health data with technical, administrative and physical safeguards described in our general Privacy Policy §8, including TLS 1.3 in transit, encryption at rest, bcrypt password hashing, RS256-signed access tokens, refresh-token rotation, account lockout, rate limiting, audit logging, and a documented breach response plan.

13. Changes to This Policy

We may update this Consumer Health Data Privacy Policy from time to time. We will provide reasonable advance notice of material changes by email and/or in-App message and will update the "Last updated" date above. We will not retroactively materially change our practices in a way that diminishes consumer rights without obtaining your consent where required by law.

14. Contact Us

For any question or request related to consumer health data under MHMDA:

Remira Care Pty Ltd
Email: privacy@remiracare.com
Subject line: "MHMDA Request" or "MHMDA Appeal" as applicable
Website: remiracare.com