Data Privacy Policy

Effective Date: June 5, 2025

This Data Privacy Policy supplements our Privacy Policy and provides specific details about how Heudia Health LLC (“we,” “us,” or “our”) handles consumer health data in compliance with Nevada’s Consumer Health Data Privacy Law (SB 370), federal regulations (e.g., HIPAA, FTC guidelines), and general privacy considerations in Oklahoma. This policy applies to our digital health platform, including our website, mobile applications, and related services (collectively, the “Services”).

1. Scope and Applicability

This policy applies to “regulated entities” as defined by Nevada’s SB 370, meaning any entity that:

  • Conducts business in Nevada or targets products/services to Nevada consumers.

  • Determines the purpose and means of processing, sharing, or selling consumer health data.

The policy also aligns with federal HIPAA requirements for protected health information (PHI) and Oklahoma’s general consumer protection laws, which emphasize transparency and security for personal data.

2. Categories of Consumer Health Data Collected

We collect the following categories of consumer health data:

  • Personal health information (e.g., medical history, symptoms, fitness data).

  • Biometric data (e.g., heart rate, sleep patterns, if applicable).

  • Data inferred from non-health data that indicates past, present, or future health status.

  • Other data linked or reasonably linkable to your physical or mental health.

3. Sources of Consumer Health Data

We collect consumer health data from:

  • You, when you provide information through forms, account creation, or direct input.

  • Devices or apps integrated with the Services (e.g., fitness trackers, with your consent).

  • Third parties, such as healthcare providers or partners, with your explicit consent.

4. Purposes of Collecting, Using, and Sharing Consumer Health Data

We collect, use, and share consumer health data to:

  • Provide requested Services, such as health tracking or personalized recommendations.

  • Improve the functionality and user experience of the Services.

  • Comply with legal obligations, including HIPAA and Nevada’s SB 370.

  • Conduct research or analytics using deidentified data, where permitted.

5. Third Parties with Whom Data Is Shared

We may share consumer health data with:

  • Processors or service providers under strict data processing agreements.

  • Healthcare providers or partners, with your explicit consent.

  • Regulatory authorities, as required by law.

We maintain a list of third parties with whom data is shared, available upon request as required by Nevada’s SB 370.

6. Consent Requirements

  • Collection Consent: We obtain your prior, express opt-in consent before collecting consumer health data, unless it is necessary to provide a requested Service.

  • Sharing Consent: We obtain separate, express opt-in consent before sharing consumer health data with third parties, unless required by law.

  • Sale Authorization: We do not sell consumer health data without your written authorization, as required by Nevada’s SB 370. Authorization forms will specify the data, purpose, and recipient, and you may revoke consent at any time.

7. Consumer Health Data Rights

Under Nevada’s SB 370, you have the right to:

  • Confirm whether we collect, share, or sell your consumer health data.

  • Access a list of third parties with whom your data has been shared or sold.

  • Request cessation of collection, sharing, or sale of your consumer health data.

  • Request deletion of your consumer health data, subject to exemptions (e.g., archived data).

To exercise these rights, submit a request via [Your Contact Email] or our secure online form. We will respond within 45 days, with a possible 45-day extension for complex requests. Oklahoma residents have similar rights under general consumer protection laws, and we extend these protections uniformly.

8. Security and Access Controls

We implement the following safeguards, in compliance with HIPAA and Nevada’s SB 370:

  • Limit access to consumer health data to authorized employees and processors.

  • Use encryption, access controls, and other technical measures to protect data.

  • Maintain policies for administrative, technical, and physical security to ensure confidentiality, integrity, and accessibility.

9. Geofencing Prohibition

We do not implement geofencing within 1,750 feet of healthcare facilities for the purpose of identifying, tracking, collecting, or sending notifications related to consumer health data, as prohibited by Nevada’s SB 370.

10. Third-Party Data Collection

We disclose whether third parties collect consumer health data over time or across websites/services when you use the Services. Our consent management platform allows you to manage tracking preferences, including opting out of non-essential data collection.

11. Data Processing Agreements

All processors handling consumer health data are bound by contracts that:

  • Limit processing to the purposes specified in our agreement.

  • Require compliance with Nevada’s SB 370, HIPAA, and other applicable laws.

  • Mandate reasonable security measures to protect consumer health data.

12. Compliance with Federal and State Laws

  • HIPAA: We comply with HIPAA for protected health information (PHI), ensuring safeguards for data security and patient rights.

  • FTC Guidelines: We adhere to Federal Trade Commission guidelines for transparent data practices and consumer protection.

  • Nevada SB 370: We meet all requirements, including consent, privacy policies, and consumer rights, effective March 31, 2024.

  • Oklahoma: While Oklahoma lacks a specific consumer health data law, we apply general consumer protection principles, including transparency and the right to opt out of data sales.

13. Contact Information

For questions about this Data Privacy Policy, please contact us at:

Email: support@heudia.com

Phone: 1-800-XXX-XXXX

14. Updates to This Policy

We will notify you of material changes to this Data Privacy Policy by posting the updated policy on our website or through other reasonable means. The effective date will be updated accordingly.

By using the Services, you acknowledge that you have read and understood this Data Privacy Policy.