Washington Consumer Health Data Privacy Notice
Cykee — Washington Consumer Health Data Privacy Notice
Effective Date: [DATE]
Last Updated: [DATE]
SUMMARY
If you are a Washington State resident — or a person located in Washington when interacting with Cykee — this notice describes how we handle "consumer health data" under the My Health, My Data Act (MHMDA) (RCW 19.373), separately from our general Privacy Policy.
The MHMDA gives Washington consumers specific rights over health-related data that go beyond what GDPR, CCPA, or general state privacy laws require. This notice is how we comply.
A short summary of what matters most:
- Cykee is a dating app. We collect a small set of data that may qualify as "consumer health data" under MHMDA — primarily inferences about sexual orientation and sexual intent (drawn from your stated preferences and matching behavior), and voice characteristics from your voice intro.
- We do NOT collect genomic data, biometric identifiers such as fingerprints or gait data, fitness/wellness app data, reproductive health data, or mental-health treatment records.
- We do NOT sell consumer health data. The MHMDA's "sale" definition is broad; the Privacy Policy §11 sale-disclosure also applies here.
- You have the right to know what consumer health data we have, to delete it, to withdraw consent, and to appeal denials. This notice explains how.
1. WHO WE ARE
This notice is provided by [LEGAL_ENTITY_NAME] ("Cykee," "we," "us") for the Cykee mobile application (the "App") and the cykeeapp.com website (the "Website").
Contact for MHMDA-related questions, requests, or appeals:
- Primary: health-data@cykeeapp.com
- Privacy team: privacy@cykeeapp.com
- Mailing address: [BUSINESS_ADDRESS]
For non-MHMDA privacy questions, see Privacy Policy §1.
2. WHAT THE MHMDA COVERS
The Washington My Health, My Data Act ("MHMDA," RCW 19.373) is a 2023 Washington law that took effect for most regulated entities on March 31, 2024. It defines "consumer health data" as personal information that identifies a consumer's past, present, or future physical or mental health status. The statutory definition is broad and explicitly includes:
- Health conditions, treatment, diseases, or diagnoses.
- Social, psychological, behavioral, and medical interventions.
- Health-related surgeries or procedures.
- Use or purchase of prescribed medication.
- Bodily functions, vital signs, symptoms, or measurements.
- Diagnoses or diagnostic testing, treatment, or medication.
- Gender-affirming care.
- Reproductive or sexual health information.
- Biometric data tied to health.
- Genetic data.
- Precise location information that could reasonably indicate consumer attempts to acquire or receive health services or supplies.
- Information that identifies a consumer seeking health care services.
- Data that identifies a consumer or infers any of the above.
Of those, the categories relevant to Cykee's processing are limited to inferred reproductive/sexual health information (sexual orientation, sexual intent) and voice biometric data (the voice intro recording, used for moderation).
3. CATEGORIES OF CONSUMER HEALTH DATA WE COLLECT
We collect only the following categories of consumer health data. We do not collect any other category defined under RCW 19.373.
3.1 Inferred sexual orientation and gender of interest
When you complete onboarding, you tell us your gender and the gender(s) you're interested in. We use this to match you with compatible profiles. Under MHMDA's broad definition, these inferences may be treated as consumer health data.
- Source: Direct user input during onboarding (profiles.gender, profiles.interested_in columns).
- Purpose: Matching algorithm; never used for advertising, never shared with third parties for advertising purposes.
- Retention: For the life of your account. Deleted within 30 days of account deletion (subject to the legal hold exceptions in §7).
3.2 Voice biometric data (voice intro)
During onboarding, you record a short voice introduction (5–30 seconds). The recording is stored to play to potential matches and is also passed through automated moderation to detect prohibited content (slurs, threats, prerecorded scripts).
- Source: Direct user recording via the mobile app microphone.
- Purpose:
  - Playing back to matched users in the App ("voice intro" feature).
  - Automated moderation via OpenAI omni-moderation-latest (transcription via Whisper + classification).
- Voice biometric inference: We do not use voice prints for identity verification, fraud detection, or profiling. We transcribe the audio for moderation purposes and discard the transcription after the moderation decision is recorded.
- Retention: Voice file stored for the life of your account. Deleted within 30 days of account deletion.
3.3 What we do NOT collect
For clarity — and because the MHMDA's definition is broad — we explicitly confirm we do not collect any of the following:
| Category | Confirmed not collected |
|---|---|
| Reproductive health (period tracking, fertility, pregnancy, abortion services) | ✓ Not collected |
| Mental health treatment, prescriptions, diagnoses | ✓ Not collected |
| Medical conditions, symptoms, vital signs, body measurements | ✓ Not collected |
| Gender-affirming care data | ✓ Not collected |
| Genetic information or genomic data | ✓ Not collected |
| Biometric identifiers (fingerprints, facial-recognition templates, gait) | ✓ Not collected |
| Precise location data related to seeking health services | ✓ Not collected (our location precision is city-level for matching only) |
| Fitness/wellness app data, sleep tracking | ✓ Not collected |
| HIV status or sexually-transmitted-infection status | ✓ Not collected |
If we add a feature in the future that would collect any of these categories, we will update this notice and obtain renewed consent before processing.
4. HOW WE USE CONSUMER HEALTH DATA
We use consumer health data only for the purposes listed in this Section.
4.1 Matching algorithm
profiles.gender and profiles.interested_in are used by the matching algorithm to surface compatible profiles in the browse experience and to compute distance-ranked recommendations. They are processed exclusively on Cykee's backend (Supabase Postgres) and are not shared with any third party for matching purposes.
4.2 Content moderation
The voice intro recording is passed through OpenAI's moderation API to detect prohibited content. The transcription is held only for the duration of the moderation decision (typically <1 second) and is not stored.
4.3 Account access and customer support
If you contact support and we need to verify your identity, we may reference your account creation data, including gender and interested-in fields. We never use this data to make eligibility decisions about support access.
4.4 Legal compliance
We may retain consumer health data as necessary to comply with legal obligations, defend against legal claims, or respond to validly served legal process. See Privacy Policy §8 and §9.
4.5 What we do NOT use consumer health data for
We do not:
- Sell consumer health data to any party.
- Share consumer health data for cross-context behavioral advertising.
- Use consumer health data to train external AI models. (We use the data inside our own matching algorithm; we do not feed it to OpenAI, Google, or any LLM provider for model improvement.)
- Disclose consumer health data to employers, insurers, or credit bureaus.
- Combine consumer health data with data from data brokers.
- Use consumer health data to make automated decisions producing legal or similarly significant effects under RCW 19.373.080.
5. WHO WE SHARE CONSUMER HEALTH DATA WITH
We share consumer health data with the following processors, all of whom are bound by written contracts requiring MHMDA-equivalent protections:
| Processor | What they receive | Purpose | Region |
|---|---|---|---|
| Supabase | All profile data including gender + interested_in | Database hosting + auth | US East |
| OpenAI | Voice intro audio passed for moderation only | Content moderation (omni-moderation-latest + Whisper) | US |
| Google (Gemini) | Profile context (name, soul cards, interests) is included in Cupido AI coaching prompts. Voice biometrics are NOT shared with Gemini. | AI coaching responses | US |
We do not share consumer health data with:
- Advertisers, data brokers, ad networks, or analytics products that resell data.
- Social media platforms (no Meta Pixel, TikTok Pixel, X Conversion API).
- Other dating apps or dating-app aggregators.
Each processor's privacy practices are documented in the Privacy Policy §6.
6. YOUR RIGHTS UNDER THE MHMDA
If you are a Washington consumer (or a person located in Washington when interacting with Cykee), you have the following rights:
6.1 Right to know
You can request a copy of all consumer health data we hold about you. We will respond within 45 days of receiving a verifiable request, in line with RCW 19.373.040(1). Each consumer may make one free request per twelve-month period.
6.2 Right to delete
You can request deletion of your consumer health data. We will delete it within 45 days, including from all backups (which complete their rotation cycle within 30 days), and notify any processors that received the data within 30 days of our deletion (RCW 19.373.040(3)).
6.3 Right to withdraw consent
For any consumer health data we collected under your consent (voice intro), you can withdraw that consent at any time. We will stop processing the data within 15 days. Voice intro can be removed via App Settings → Profile → Voice Intro → Delete, without contacting us.
6.4 Right to appeal
If we deny a request under §6.1, §6.2, or §6.3, we will inform you of the denial reason and your appeal options. You can appeal by emailing privacy-appeals@cykeeapp.com within 30 days of the denial. We will respond to the appeal within 60 days.
If you remain dissatisfied with our appeal decision, you can contact the Washington State Attorney General's Office for further review at https://www.atg.wa.gov/file-complaint.
6.5 Right to non-discrimination
We will not deny you Cykee services, charge you a different price, or provide a different level of service in retaliation for exercising any right described in this notice (RCW 19.373.040(4)).
7. HOW TO MAKE A REQUEST
7.1 Submit a request
Email health-data@cykeeapp.com with:
- The right you are exercising (know / delete / withdraw consent / appeal).
- Enough information for us to verify your identity. For account holders, this is typically the email address on your account and a recent action only the account owner would know (e.g., date of a recent date request).
- For requests on behalf of someone else (authorized agent under RCW 19.373.040(5)): proof of authorization.
7.2 Verification
We verify identity in proportion to the sensitivity of the request. For deletion requests, we may require email-link confirmation. For right-to-know requests (data export), we require email-link confirmation plus an answer to one challenge question.
7.3 Timing
| Request type | Response deadline |
|---|---|
| Know / access | 45 days from receipt |
| Deletion | 45 days from receipt |
| Withdraw consent | 15 days from receipt |
| Appeal | 60 days from receipt |
7.4 Cost
All requests are free, once per twelve-month period. If you make a second request for the same right within a 12-month window, we may charge a reasonable cost-based fee, but we will tell you the fee in advance.
8. SECURITY OF CONSUMER HEALTH DATA
We protect consumer health data with the same controls described in the Privacy Policy §8, including:
- Encryption in transit (TLS 1.3) and at rest (Supabase-managed AES-256).
- Row-level security (RLS) on every database table holding profile data, so users see only their own records by default.
- Service-role access scoped to specific edge functions; no human-direct access to production data without a documented incident-response trigger.
- Audit logs of all administrative access.
We will notify the Washington Attorney General and affected consumers within the timelines required by RCW 19.255 (breach notification) if a security incident affects consumer health data.
9. CHANGES TO THIS NOTICE
We will update this notice when our consumer health data processing changes materially. We will announce material changes (new categories of data, new processors receiving consumer health data, new uses) in-app and by email to the address on your account, with at least 30 days' notice before the change takes effect.
We will not apply changes retroactively to consumer health data collected under a prior version of this notice without renewed consent.
10. CONTACT AND APPEALS
- Consumer health data requests: health-data@cykeeapp.com
- Privacy appeals: privacy-appeals@cykeeapp.com
- General privacy questions: privacy@cykeeapp.com
- Washington AG complaints (independent escalation): https://www.atg.wa.gov/file-complaint
- Mailing address: [BUSINESS_ADDRESS]
This Notice was last reviewed on [DATE].