Legal · Privacy Policy

Your health data is encrypted with a key only you hold.

We are a HIPAA-covered medical corporation, and we built our product so that even our own engineers cannot read a patient's health record without that patient's device unlocking it first. The sections below explain what we collect, how it's stored, who can ever see it, and how to take it back or delete it from inside the app — every right is in your hands, not behind a support ticket.

Last updated: April 2026. Material changes get 30 days' notice in-app and by email.

1 · What we collect

Four categories. No fifth.

Identity. Name, email, KYC verification result, payment method.

Health data. Records you import (FHIR/PDF), wearable telemetry you connect, lab results sent by your clinician, the dream-journal and journal entries you write, and the CH-axis scores derived from all of the above.

User actions. Buttons you tap, screens you visit, features you turn on or off — used to make the product less confusing.

Operational telemetry. Crash logs, latency, error rates — used to keep the product running.

We do not purchase data about you from third parties. We do not maintain a "shadow profile" of you from cookies or device fingerprints. If a fifth category ever appears, it will appear here first, and it will be opt-in.

2 · How it's stored

Health data: your key. Account data: ours.

Health data is encrypted at rest with a passkey that lives on your device. We hold the encrypted blobs; we cannot decrypt them without a grant signed by your device. This means a subpoena to us produces ciphertext, not records. It also means if you lose every device and every recovery contact, the data is unrecoverable. The trade-off is intentional.

Account data — your email, your billing record, your support tickets — is encrypted with corporation-held keys, never sold, and shared only with the third parties listed in §4.

3 · How it's used

Run the product. Compute your score. Route your care. Nothing else.

Your data is used to: deliver the product to you; compute your CH score and the eight axis scores from your inputs; route care requests to the right clinician; process HCR/HCC payments; detect fraud; and meet regulatory reporting obligations (HIPAA, state licensing). De-identified, aggregated patterns may improve our internal models. We never use your data to train a third-party AI. We never use it to target advertising. We do not run an ad network.

4 · When we share

Three cases. All audited. All public.

When you grant it. A clinician you select, a research partner you opted into, a family member you authorized — each share requires a per-recipient, per-scope grant signed from your device. You can revoke from inside the app and the grant disappears from the chain at the next block.

When the law requires it. Valid subpoena, court order, or warrant. We publish anonymized aggregate counts in the quarterly Transparency Report.

With BAA-bound subcontractors. The narrow set of providers who run our infrastructure (cloud, payment processing, KYC). Each is bound by a HIPAA Business Associate Agreement. The list is published at /legal/baa-template/ and updated when it changes.

We never sell. We never share for advertising. Those aren't policy choices we could change later — they're how the product is architected.

5 · HCC research participation

Opt in. Opt out. Either way, no surprises.

HCC is earned by contributing de-identified health signal to vetted research partners — academic medical centers, independent labs, and disease registries that have passed our IRB review. Participation is opt-in from Settings → HCC Research. Revocation stops future use immediately and removes you from active studies. Past contributions that have already been published in aggregate cannot be retroactively un-contributed (that's a property of publication, not of policy), but no future signal flows after revocation.

6 · Your rights

Every one of them lives inside the app.

Access. See everything we have about you in Settings → My Data.

Export. Download your record in FHIR (clinical) or CSV (everything else) from the same screen.

Correct. Fix anything that's wrong, with the audit log keeping the prior state for clinical purposes.

Delete. Close your account and request hard deletion, subject to HIPAA retention minimums in §7.

Revoke. Pull back any share or research opt-in from Settings → Grants.

If you're in the EU or UK, you additionally have data-portability rights under GDPR and the right to file a complaint with your local Data Protection Authority. Our EU DPO can be reached at dpo@conceptualhealth.com.

7 · Retention

Active forever. Closed: HIPAA minimums.

An active account keeps its records open until you close it. When you close an account, we retain encrypted records for the minimum periods HIPAA requires (six years for adult records, longer for minors per state law), then hard-delete. Hard deletion can be accelerated by request, subject to those minimums and any active legal hold.

8 · Children's privacy

Minors register through a guardian. Keys transition at majority.

For users under 18, registration is done through a parent or legal guardian. The encryption key for the minor's record is held by the guardian until the user reaches the age of majority, at which point a published transition protocol moves the key to the now-adult user's device. No new account for a minor can be created without guardian verification.

9 · Contact

Privacy inboxes are read by humans.

Privacy questions: privacy@conceptualhealth.com

Data-subject requests (access, export, deletion): from inside the app, or by email to privacy@conceptualhealth.com from the address on file.

EU/UK Data Protection Officer: dpo@conceptualhealth.com

HIPAA Notice of Privacy Practices: /legal/hipaa/

10 · Changes

Material changes: 30-day notice. Nothing retroactive.

If we change this policy in a way that affects how we collect, store, or share your data, you'll see an in-app notice and receive an email 30 days before the change takes effect. Non-material edits (clarifications, broken links, contact-detail updates) take effect on posting. Prior versions live at /legal/privacy/archive/.