Effective date: [TODO: legal to set]. This Consumer Health Data Privacy Policy supplements the Winsome Privacy Policy and applies to "consumer health data" as defined under the Washington My Health My Data Act, the Nevada consumer health data law, and the Connecticut Data Privacy Act. It is a draft provided for legal review and is not the final, governing version. [TODO: legal to confirm which state laws apply and all bracketed items.]
1. Collection of consumer health data
"Consumer health data" generally means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. It does not include publicly available, de-identified, or aggregated information. Winsome does not knowingly request, require, or use health information to operate the Service; any health-related inference would arise only incidentally from read-only spending activity. [TODO: legal to confirm definition aligns with each applicable statute.]
2. Categories of consumer health data we may process
Depending on the state in which you reside and how you use the Service, the only category that could potentially qualify is:
- Inferences from spending activity — for example, a transaction at a pharmacy, clinic, or similar merchant visible through your read-only Plaid connection. Winsome treats this as ordinary transaction data and does not use it to infer health conditions. [TODO: legal to confirm whether any merchant-category or location data could be deemed consumer health data.]
Winsome does not collect diagnoses, medications, treatments, reproductive or sexual-health information, biometric data, or precise health-related location data. [TODO: legal to confirm.]
3. Categories of sources
Any data described above is collected directly from your use of the Service and from your read-only Plaid connection, which you authorize. [TODO: legal to confirm sources.]
4. Purposes for collecting and using consumer health data
We process transaction data solely to confirm active accounts, administer drawings, prevent fraud, and produce anonymized, aggregated panel insights — not to identify or target you based on health status. We do not use any potentially health-related data for advertising or sell it. [TODO: legal to confirm purposes and any consent required before processing.]
5. How we disclose consumer health data
We do not sell consumer health data. We may disclose transaction data to service providers that operate the Service (such as Plaid) under contracts limiting their use, to affiliates within our corporate family [TODO: legal to confirm affiliate entities], and as required by law. Any panel insights shared with third parties are aggregated or de-identified and do not identify you. [TODO: legal to confirm recipients and whether valid authorization is required for any disclosure.]
6. Your consumer health data rights
Depending on your state, you may have the right to: confirm whether we process your consumer health data and access it; obtain a list of third parties with whom we have shared it; withdraw consent to its collection and sharing; request deletion; and not be discriminated against for exercising these rights. You may also appeal a denied request. [TODO: legal to confirm per-state rights, response timeframes, authentication, and appeal process.]
To exercise these rights, contact us using the details below [TODO: legal to confirm request channel / webform]. We will authenticate your request before responding.
7. Contact & complaints
Questions or requests about consumer health data may be directed to Winsome [TODO: legal to confirm entity and contact email].
Winsome — Consumer Health Data[Mailing address — TODO confirm before launch]
You may also have the right to file a complaint with your state attorney general. [TODO: legal to add Washington, Nevada, and Connecticut attorney-general contact links.]