Revora Consumer Health Data Privacy Notice
Version: v1.0.1 (alpha-cohort) Effective date: [TBD — slots in at alpha cohort onboarding] Last updated: 2026-05-29 Status: DRAFT — Cowork-authored (CLO + brand-guardian roles); Chris review pending; specialist healthcare-marketing counsel review per ADR-0024 §24.6 CLO Queue Item 3 routing pre-public-launch. Amends v1.0 (2026-05-06 + 2026-05-13 amendments) — see §10 changelog for amendment provenance.
Scope of this notice
This Consumer Health Data Privacy Notice describes how Revora, Inc. ("Revora," "we," "us," or "our") processes consumer health data as that term is defined under applicable US state laws. This notice applies to residents of:
- Washington, under the Washington My Health My Data Act ("MHMDA," RCW 19.373)
- Nevada, under Nevada SB-370 (the Health and Wellness Data Privacy Law)
- Connecticut, under the Connecticut Data Privacy Act ("CTDPA"), specifically with respect to consumer health data
If you are a resident of one of these states, this notice supplements our main Privacy Notice and describes the additional protections, disclosures, and rights that apply to consumer health data under your state's law. In the event of a conflict between the main Privacy Notice and this Consumer Health Data Privacy Notice, this Consumer Health Data Privacy Notice applies to the extent it is consistent with applicable US state law.
If you are a resident of a state not listed above, the disclosures and rights in this notice may not apply to you, but the rights described in our main Privacy Notice §15 and §24 do apply.
This notice is published as a separate and distinct document, linked from our website homepage and from the main Privacy Notice, in compliance with the "separate and distinct link" requirement under MHMDA RCW 19.373 and corresponding requirements under Nevada SB-370 and Connecticut CTDPA.
This notice does not apply to any consumer health data we process on behalf of an enterprise customer (for example, an employer-sponsored wellness program). Revora has no enterprise customers at v1.0; if that changes, this notice will be updated.
1. Categories of consumer health data we collect
For the purposes of this notice, "consumer health data" (CHD) means personal information that identifies your past, present, or future physical or mental health status, as defined under applicable state law. Revora collects the following categories of consumer health data:
- Bloodwork and biomarker readings. Laboratory test results — biomarker names, values, units of measurement, reference ranges — as well as the underlying lab report (PDF or image) you upload, the lab provider's name, and the date of the test.
- Health-related self-reported information. Information you provide about your health goals (energy, longevity, body composition); your training and physical activity (sport, intensity, frequency); your current medications and supplements; medical history (where relevant to protocol generation, for example, "I have Hashimoto's, my doctor monitors my TSH"); allergies; sleep, stress, alcohol, and other lifestyle context.
- Inferred and derived health-related data. Information we generate about you based on the data above — for example, a derived "responder profile" for a particular protocol class, or a derived "expected response window" for a marker change. This category includes any information derived or extrapolated from non-health information by means including algorithms or machine learning, where the derived information identifies your physical or mental health status.
- Protocol and adherence data. Your personalized supplement and lifestyle protocol (specific supplements with doses and timing, lifestyle recommendations, re-test cadence, the rationale linked to your bloodwork), and your adherence to the protocol over time (when you mark a recommendation as taken or skipped, when you start or end a cycle, how each cycle's markers move at re-test).
- Audit and event logs on protocol interpretations. Internal records when Revora's protocol engine generates a recommendation, explanation, or interpretation. For deterministic stack-assembly events, we capture the input snapshot, the active rule firings, the rationale, the output composition, the cycle context, and the rule and methodology version with a timestamp. For LLM-assisted narrative paths (such as "why this is in your protocol" explanations and outcome-cycle narratives), we capture the input hash, the prompt template version, the model identifier, the output, and the timestamp. Coverage of every recommendation-generation surface is being completed as part of our v1.x audit hardening.
- Allergies, medical conditions, and family medical history. During onboarding intake, we collect three safety-screening inputs from you: (a) any allergies you report (free-text entry, for example "no known allergies" or specific allergens), (b) any medical conditions you confirm (free-text entry, for example "thyroid disease"), and (c) family medical history if you choose to share it (chip selections, for example "parent: heart disease"). Family medical history is captured with explicit semantics: known (you confirmed a specific category), no known (you confirmed no known listed family history), and absence (you skipped the question or do not know). We never treat absence as a confirmed negative. Family medical history is a special category of personal data under UK GDPR Article 9 (it is health-status data about family members inferred from your disclosure) and is classified as Consumer Health Data under the Washington My Health My Data Act (RCW 19.373), Nevada SB-370, and the Connecticut Data Privacy Act when held by Revora. We process all three of these inputs only with your explicit affirmative consent for biological-data processing, captured during onboarding.
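The two mechanisms above, the known / no known / absence semantics for family medical history and the deterministic-path audit record, are shown together in the following added example. It is an editorial illustration, not Revora's code: the chip list, the rule table, the field names of the audit record and the sample member are all assumptions made for the example.

```python
"""Added illustration (not Revora's code): tri-state family-history semantics,
a safety-screening rule that never treats absence as a confirmed negative, and
the deterministic-path audit record such a rule firing leaves behind.
Category names, rule names, record fields and sample inputs are assumptions."""
import hashlib
import json
from datetime import datetime, timezone
from enum import Enum


class FamilyHistory(str, Enum):
    KNOWN = "known"        # member confirmed this category
    NO_KNOWN = "no_known"  # member confirmed no known listed history
    ABSENT = "absent"      # question skipped or "don't know": NOT a negative


CATEGORIES = ("heart_disease", "thyroid_disease", "diabetes")  # assumed chip list


def family_history_from_intake(answered: bool, chips: set) -> dict:
    """Map a chip-selection answer onto the three states.

    Skipping the question leaves every category ABSENT.  Choosing the
    'no_known' chip confirms NO_KNOWN for every listed category.  Selecting
    specific chips marks only those KNOWN; the rest stay ABSENT, because a
    member who ticked one box has said nothing about the others.
    """
    if not answered:
        return {c: FamilyHistory.ABSENT for c in CATEGORIES}
    if "no_known" in chips:
        return {c: FamilyHistory.NO_KNOWN for c in CATEGORIES}
    return {c: (FamilyHistory.KNOWN if c in chips else FamilyHistory.ABSENT)
            for c in CATEGORIES}


# Assumed rule table: supplement -> family-history category that triggers a caution.
FAMILY_HISTORY_CAUTIONS = {"supplement_x": "heart_disease"}


def screen(supplement: str, history: dict) -> tuple:
    """Return (decision, reason).  Only a confirmed KNOWN history withholds the
    item.  ABSENT is surfaced as 'unscreened', never as cleared."""
    category = FAMILY_HISTORY_CAUTIONS.get(supplement)
    if category is None:
        return "pass", "no family-history caution for this item"
    state = history[category]
    if state is FamilyHistory.KNOWN:
        return "withhold", f"member confirmed family history: {category}"
    if state is FamilyHistory.NO_KNOWN:
        return "pass", f"member confirmed no known family history: {category}"
    return "pass_unscreened", f"family history for {category} not provided; not treated as negative"


def canonical_hash(obj) -> str:
    """sha256 over canonical JSON so identical inputs always hash identically."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def audit_record(member_id: str, supplement: str, history: dict, cycle: int,
                 rule_version: str = "screen-rules-1.0") -> dict:
    """Deterministic-path audit event in the shape section 1 describes: input
    snapshot (plus its hash), rule firings, rationale, output, cycle context,
    rule version and timestamp."""
    snapshot = {"supplement": supplement,
                "family_history": {k: v.value for k, v in history.items()}}
    decision, reason = screen(supplement, history)
    return {
        "member_id": member_id,
        "input_snapshot": snapshot,
        "input_hash": canonical_hash(snapshot),
        "rule_firings": ["family_history_caution"] if supplement in FAMILY_HISTORY_CAUTIONS else [],
        "rationale": reason,
        "output": {"supplement": supplement, "decision": decision},
        "cycle_context": {"cycle": cycle},
        "rule_version": rule_version,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    skipped = family_history_from_intake(False, set())
    print(screen("supplement_x", skipped))        # pass_unscreened, not cleared
    known = family_history_from_intake(True, {"heart_disease"})
    print(json.dumps(audit_record("m-1", "supplement_x", known, 2), indent=2))
```

The point to check in a review is the third branch of `screen`: a skipped question must surface as "unscreened" in the rationale and the audit record, so a later reader can tell "no known history" from "never asked".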
We do not collect:
- Specific clinical diagnoses unless you self-report them as part of member context.
- Genetic data at v1.0.
- Biometric identifiers (facial recognition, fingerprint, voiceprint) at v1.0.
- Reproductive or sexual health information unless you self-report it as relevant to a protocol question.
- Gender-affirming care information unless you self-report it.
- Precise geolocation data.
If we collect any of the above categories in the future, we will update this notice and seek explicit consent where required.
2. Categories of sources of consumer health data
We collect consumer health data from the following categories of sources:
- Directly from you when you complete onboarding, upload bloodwork, log a meal or supplement, contact support, or respond to a feedback request.
- From third-party services you choose to link. If you connect a wearable or integration to your Revora account (post-MVP), the integration shares the data it provides. We do not import wearable data at v1.0.
- From inferences and derivations within Revora. As described in §1, we generate consumer health data from data you've provided or from non-health information that, when processed through the Revora protocol engine, produces information about your health status.
We do not buy consumer health data about you from data brokers, marketing data providers, or any third-party data source. We do not receive consumer health data about you from healthcare providers, laboratories (other than a lab report you yourself upload), insurance companies, or employers.
3. Purpose of consumer health data collection and use
We use consumer health data only for the purposes described below:
- Service delivery. To generate your personalized supplement and lifestyle protocol from your bloodwork; to display your data, recommendations, and explanations in the Revora app; to coordinate your re-test cadence; to provide member support when you contact us.
- Safety screening and clinical-adjacency contextualization. To use your allergies, medical conditions, and family medical history specifically to screen each protocol recommendation for safety considerations before it reaches you (for example, withholding a supplement contraindicated by a reported allergy or member-reported condition) and to contextualize the rationale for your protocol. Family medical history is treated as informational safety-screening context, never as a diagnosis or treatment target.
- Audit and event logs on protocol interpretations. To maintain internal records when Revora's protocol engine generates a recommendation, explanation, or interpretation, so that you (and Revora, on your request or for regulatory inquiries) can reconstruct what was generated and why. Coverage of every recommendation-generation surface is being completed as part of our v1.x audit hardening.
- Service improvement using aggregated and de-identified data. Once consumer health data has been aggregated and stripped of directly-identifying fields such that it does not reasonably identify any individual, we may use it to improve the Service, develop new features, and analyze population-level trends. Aggregated and de-identified data is not consumer health data within the meaning of MHMDA, Nevada SB-370, or CTDPA.
- Compliance and protection. To comply with applicable law, respond to lawful subpoenas or court orders, protect our rights and yours, investigate fraud, and enforce our Terms of Service.
We do not use consumer health data for:
- Marketing or advertising of any kind, except service-related transactional communications about your account, lab-report processing, cycle reminders, and other operational notifications.
- Cross-context behavioral advertising.
- Profiling that produces legal or similarly significant effects.
- Automated decision-making that produces legal or similarly significant effects (Revora's protocol recommendations are informational and supportive of your own decision-making — you remain in control of whether to follow a recommendation).
- Any purpose other than those listed above without your separate, explicit, opt-in consent.
4. Categories of consumer health data we share, sell, or disclose
We do not sell consumer health data. We do not share consumer health data for monetary or other valuable consideration with any third party.
We share consumer health data only with sub-processors that operate the Service on our behalf, as described in §5. We do not share consumer health data with employers, insurance companies, public databases, third-party advertisers, or any party offering insurance or benefits.
We may disclose consumer health data when:
- You direct us to. If you choose to share an export of your data with your healthcare provider, family member, or another person, the disclosure is at your direction. (Note: Revora itself does not initiate any sharing with third parties — exports are member-controlled.)
- Required by law. We will disclose consumer health data when we believe in good faith that disclosure is required to comply with applicable law, a valid court order, subpoena, search warrant, or other legally valid request, or to protect against an imminent threat to safety. Where not legally prohibited, we will provide you advance notice before disclosing your information in response to legal process.
- Business transfer. If Revora is involved in a merger, acquisition, financing, reorganization, or sale of assets, consumer health data may be transferred to the acquirer subject to the terms of this notice (or a successor notice with at least 30 days' advance notice and the option to delete your account before the change takes effect).
5. Categories of third parties and named affiliates that receive consumer health data
The third parties listed below are the sub-processors that receive consumer health data as part of operating the Revora Service. Each is bound by a signed Data Processing Agreement that requires them to process your data only as we instruct, to keep it secure, and to delete it when we ask. The full sub-processor list is in our main Privacy Notice §10; the entries below are the ones that handle consumer health data specifically.
The "Contact" column provides direct contact mechanisms for each sub-processor, as required by the Washington My Health My Data Act (RCW 19.373) and corresponding statutes — you have the right to contact each recipient regarding consumer health data they have received from us.
| Sub-processor | Role | Consumer health data received | Region | Contact |
|---|---|---|---|---|
| Supabase Inc. | Primary database | All consumer health data (bloodwork, biomarker, protocol state, member context, adherence, audit log) | United States (us-east-1) | privacy@supabase.com; https://supabase.com/privacy |
| Anthropic, PBC (via AWS Bedrock) | AI model API | Bloodwork results and member context (de-identified at API call boundary), for bloodwork parsing, free-text medication and supplement interpretation, and explanatory prose around deterministic protocol logic | United States (AWS us-east-1) | privacy@anthropic.com; https://www.anthropic.com/legal/privacy |
| Microsoft Corporation (Azure OpenAI) | AI model API | Bloodwork results and member context (de-identified at API call boundary), for bloodwork parsing, free-text medication and supplement interpretation, and explanatory prose around deterministic protocol logic | United States (Azure East US) | https://aka.ms/privacyresponse; Microsoft EU DPO, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland |
| Google LLC (Google Vertex AI) | AI model API | Bloodwork results and member context (de-identified at API call boundary), for bloodwork parsing, free-text medication and supplement interpretation, and explanatory prose around deterministic protocol logic | United States (us-central1) | https://policies.google.com/privacy; Google Cloud Data Processing Addendum (CDPA) contact via https://cloud.google.com/terms/data-processing-addendum |
| Resend Inc. (inbound bloodwork email) | Receives bloodwork PDFs attached to email and routes them to our ingestion pipeline | Bloodwork data in email attachments | United States | privacy@resend.com; https://resend.com/legal/privacy-policy; DPA at https://resend.com/legal/dpa |
| Google LLC (Google Workspace / Gmail support inbox) | Stores member inquiries sent to privacy@revora.app and other support addresses | Communications data; may contain consumer health data when members include health-related details (for example, a member emailing about their bloodwork or a privacy rights request that references their health information) | United States | https://policies.google.com/privacy; Google Workspace Data Processing Amendment at https://workspace.google.com/terms/dpa_terms.html |
Sub-processors that do NOT receive consumer health data (listed for completeness, full details in the main Privacy Notice §10):
- PostHog Inc. (product analytics + error tracking — receives event metadata and error contexts only, with clinical/PII keys and values redacted at the source; does not receive consumer health data)
- Cloudflare, Inc. (CDN and security — receives network metadata only, not consumer health data)
- Apple Inc. — APNs / push notification (Tier 2 ephemeral transport — generic notification copy only, no specific lab readings or diagnoses)
- Apple Inc. — Apple Sign-In (Tier 3 authorization — OAuth profile only, no consumer health data)
- Google LLC — Google Sign-In (Tier 3 authorization — OAuth profile only, no consumer health data)
- Resend Inc. (outbound transactional email — Tier 2 ephemeral transport; generic notification content only, no specific lab readings or diagnoses)
Affiliates. Revora has no corporate affiliates as of the effective date of this notice.
6. MHMDA-required disclosure chart
This chart provides the disclosure required by Washington's My Health My Data Act, Nevada SB-370, and Connecticut Data Privacy Act for consumer health data.
| Consumer health data we collect | Source | Purpose of collection and use | Categories of third parties with whom shared |
|---|---|---|---|
| Bloodwork and biomarker readings | Self-reported (you upload your lab report) | Service delivery (protocol generation); audit-logged interpretations; aggregated/de-identified service improvement | Sub-processors only (Supabase, AI providers — Anthropic/Microsoft/Google, Resend Inc. for inbound bloodwork email); we do not share with any other third parties |
| Health-related self-reported information (medications, conditions, goals, lifestyle) | Self-reported (during onboarding and as you use the Service) | Service delivery (protocol generation, member-context-aware recommendations); audit-logged interpretations | Sub-processors only (Supabase, AI providers — Anthropic/Microsoft/Google); we do not share with any other third parties |
| Inferred and derived health-related data (responder profiles, expected response windows) | Generated by Revora from sources above | Service delivery (improving protocol generation specificity); audit-logged interpretations | Sub-processors only (Supabase, AI providers); we do not share with any other third parties |
| Protocol and adherence data | Generated by Revora; updated based on your in-app interactions | Service delivery (cycle management, re-test coordination, adherence tracking); audit-logged interpretations; aggregated/de-identified service improvement | Sub-processors only (Supabase); we do not share with any other third parties |
| Audit and event logs on protocol interpretations | Generated by Revora protocol engine (deterministic stack-assembly events written to event_log; LLM-assisted narrative records written to audit_log) | Internal record-keeping for member transparency, advisor review, and regulatory inquiries; logs are part of your record and are exportable per main Privacy Notice §16. Coverage of every recommendation-generation surface is being completed as part of v1.x audit hardening. | Sub-processors only (Supabase); we do not share with any other third parties |
7. Your rights regarding consumer health data
If you are a resident of Washington, Nevada, or Connecticut, you have the following rights regarding consumer health data under your state's law. These rights supplement (and in some cases overlap with) the rights described in our main Privacy Notice §15.
7.1 Rights for Washington residents (My Health My Data Act, RCW 19.373)
- Right to know. You have the right to know what consumer health data we collect, share, or sell (we do not sell), including a list of all third parties and affiliates with whom we have shared your consumer health data, and the contact information of those third parties.
- Right to access. You have the right to access (receive a copy of) the consumer health data we have collected, shared, or disclosed.
- Right to withdraw consent. You have the right to withdraw your consent to our collection or sharing of your consumer health data at any time. Withdrawal of consent stops new processing; processing already done while consent was active remains valid. If you withdraw consent for the bloodwork and biomarker data that is essential to the Service, we may not be able to continue providing the Service to you, and we will notify you of this consequence at the time you withdraw consent.
- Right to delete. You have the right to request deletion of your consumer health data. Deletion requests are processed per the account closure and data deletion process described in main Privacy Notice §20.
- Right to non-discrimination. You have the right not to receive discriminatory treatment for exercising any of these rights.
- Right to appeal. If we deny a request you have made under your MHMDA rights, you have the right to appeal. We will explain the basis of any denial and the process for appeal in our response.
7.2 Rights for Nevada residents (Nevada SB-370)
Nevada residents have substantially the same rights as Washington residents under Nevada SB-370, with the following procedural notes:
- Right to know, access, withdraw consent, delete, and non-discrimination — same as Washington above.
- Appeal. Within 45 days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons. If the appeal is denied, you may contact the Nevada Office of the Attorney General at (702) 486-3132 or via the Nevada Consumer Protection Hotline.
7.3 Rights for Connecticut residents (Connecticut Data Privacy Act)
Connecticut residents have the following rights under CTDPA with respect to consumer health data:
- Right to know and access. You have the right to know what consumer health data we collect, use, disclose, sell (we do not sell), or share. You may request a portable copy of this information up to two times in a rolling twelve-month period.
- Right to delete. You have the right to request deletion of your consumer health data.
- Right to correct. You have the right to request correction of inaccurate consumer health data.
- Right to opt out. You have the right to opt out of (a) targeted advertising (we do not engage in targeted advertising using consumer health data), (b) the sale of personal data (we do not sell), and (c) profiling decisions that could produce legal or similarly significant effects (we do not engage in such profiling). This right is preserved as a matter of completeness even though Revora's practices do not currently involve any of these activities.
- Sensitive personal data. Consumer health data is sensitive personal data under CTDPA. We process consumer health data only with your affirmative consent, captured during onboarding.
- Right to non-discrimination. You have the right not to receive discriminatory treatment for exercising any of these rights.
- Appeal. Within 60 days of receipt of an appeal, we will inform you in writing of any action taken or not taken, including an explanation of our reasons. If the appeal is denied, you may contact the Connecticut Office of the Attorney General at (860) 808-5420.
8. How to exercise your rights
To exercise any right described in this notice, please contact us:
Email: privacy@revora.app
When contacting us, please include:
- Your full name
- The email address associated with your Revora account
- A description of the right you are exercising (for example, "I want to access my consumer health data" or "I am withdrawing my consent")
If you do not have a Revora account but believe we have collected consumer health data about you, please describe the basis of your request so we can verify your identity and respond appropriately.
Verification. Before processing a request, we may need to verify your identity. We will typically verify identity by confirming information already on file with us — your account email, recent activity, or similar. If you do not have an account with us, we may request additional information for verification, used only for that purpose.
Authorized agents. You may designate an authorized agent to submit a request on your behalf. We may require verification of the agent's authorization (a signed permission form or power of attorney) and may also separately verify your identity to confirm the agent's authority.
Timeline. We will confirm receipt of your request within 10 business days. We will respond to your request within 30 days of receipt; complex requests may be extended once for an additional 30 days, with notice within the original 30-day window. (Note: the statutory response window for Washington, Nevada, and Connecticut residents is up to 45 days, extendable once; we apply our 30-day window as a member-favorable standard.)
Fee. We do not charge a fee for processing requests under this notice, except where a request is excessive, repetitive, or manifestly unfounded under applicable law. If we determine a fee applies, we will tell you why and provide a cost estimate before completing the request.
Declining to provide information. Some consumer health data is essential to providing the Service (most notably, bloodwork and biomarker readings — without those, we cannot generate your protocol). If you decline to provide essential data, or if you withdraw consent for essential data, we may not be able to continue providing the Service, and we will notify you of this consequence.
9. How to appeal a denial
If we deny a request you've made under this notice, you have the right to appeal. Submit your appeal by email to privacy@revora.app with the subject line "Privacy Rights Appeal" and a description of the request that was denied and your basis for appeal.
We will respond to appeals within the following timelines:
- Connecticut residents: within 60 days of receipt of the appeal.
- Nevada residents: within 45 days of receipt of the appeal.
- Washington residents: within 45 days of receipt of the appeal (or sooner if practicable).
If your appeal is denied, you may file a complaint with your state Attorney General:
- Washington: Office of the Attorney General, (800) 551-4636 or https://www.atg.wa.gov.
- Nevada: Office of the Attorney General, (702) 486-3132 or via the Nevada Consumer Protection Hotline.
- Connecticut: Office of the Attorney General, (860) 808-5420 or https://portal.ct.gov/AG.
10. Versioning and changes
| Version | Date | Changes |
|---|---|---|
| v1.0 | [TBD — slots in at alpha cohort onboarding] | Initial Consumer Health Data Privacy Notice. Companion to main Privacy Notice v1.0. Covers Washington (MHMDA), Nevada (SB-370), and Connecticut (CTDPA). Pre-counsel-review draft per ADR-0024 §24.6 CLO Queue Item 3 routing. |
| v1.0.1 | 2026-05-29 | Three-amendment pass tracking the parallel main-notice v1.0.1 amendments. Amendment 1 — Sub-processor consolidation per ADR-0024 §24.5 amendment 2026-05-26: Sentry removed from the "do-not-receive-CHD" enumeration; PostHog now disclosed as combined product-analytics + error-tracking with clinical/PII redaction at the source. Amendment 2 — Extended-intake CHD disclosure per ADR-0040 (shipped 2026-05-28): §1 adds allergies, medical conditions, and family medical history as a new CHD category with explicit UK GDPR Article 9 special-category framing and explicit MHMDA / SB-370 / CTDPA Consumer Health Data classification. Family medical history is collected with known / no_known / absence semantics; absence is never treated as a confirmed negative. §3 adds a safety-screening + clinical-adjacency contextualization purpose. Amendment 3 — Retention precision by reference: the 30-day soft-delete + automated scheduled-purge cascade disclosed in main notice §13 + §20 applies to all CHD held by Revora (including the new extended-intake fields), including the raw lab PDF files held in our private Supabase Storage bucket per ADR-0036. See main notice §13 + §20 for the full cascade scope, cancellation window, affirmative-consent gate, and what survives the purge. |
We may update this notice from time to time. The "Last Updated" date at the top reflects when we last changed it. Material changes — for example, changes to the categories of consumer health data we collect, new third-party recipients of consumer health data, or new purposes for which we use consumer health data — will be communicated to affected members at least 30 days before the change takes effect, by email and through an in-app notification.
Past versions of this notice are available on request from privacy@revora.app.
Companion documents (member-visible)
- Main Privacy Notice — applies to all Revora members. This Consumer Health Data Privacy Notice supplements the main notice for residents of Washington, Nevada, and Connecticut.
Companion documents (internal — not member-visible)
- ADR-0024 §24.5.1 — sub-processor tier framework
- ADR-0024 §24.1 — MHMDA strict-consent architecture
- ADR-0021 §21.5.1 — vocabulary blocklist
- compliance-research-2026-04-18 §4 — Washington MHMDA + state-by-state research
Drafted by Lane C (Cowork) per CLO + brand-guardian skills, 2026-05-06. Phase 3 of privacy notice authoring per HANDOFF-privacy-notice-next-session-2026-05-05.md. Companion to PRIVACY-NOTICE-v1.0.md. DRAFT v1.0 ready for Chris review and counsel-review routing per ADR-0024 §24.6 pre-public-launch.