Consumer Health Data Privacy Policy
Last updated and effective: May 27, 2026. Operated by Zeit Capital Ltda.
This Consumer Health Data Privacy Policy explains how Zeit Capital Ltda ("Phaze," "we," "us," or "our") collects, uses, shares, and protects "consumer health data" of users of the Phaze mobile application, the Apple Watch companion, and the phaze.fit website (the "Service").
This Policy is provided in addition to our Privacy Policy and Terms of Service, and is intended to satisfy the requirements of the Washington My Health My Data Act (RCW 19.373), the Nevada Consumer Health Data Privacy Law (SB 370), the Connecticut Data Privacy Act as amended for consumer health data, the California Confidentiality of Medical Information Act (CMIA) where applicable, and similar state consumer health data laws.
If you are a resident of one of these states, you have specific rights summarized in Section 8.
Important: Phaze is not a HIPAA "covered entity" or "business associate," and the Health Insurance Portability and Accountability Act (HIPAA) does not directly regulate our processing of your data. We do not claim to be HIPAA-compliant. Instead, we describe below the specific practices we apply to your consumer health data.
1. What is "Consumer Health Data"
For the purposes of this Policy, "Consumer Health Data" means personal information that identifies your past, present, or future physical or mental health status, including data that is derived or inferred from non-health information, such as:
- Body measurements (weight, height, body composition entries)
- Progress photos showing your body
- Medication information you log (including GLP-1 medications such as Wegovy, Ozempic, Mounjaro, Zepbound, or Saxenda)
- Dose schedule and side-effect entries you record
- Food, hydration, and nutrient logs
- Exercise, activity, and sleep entries
- Fasting and meal-timing windows
- Goals and progress narratives
- Data shared with Phaze via Apple HealthKit or Google Health Connect (if you authorize)
2. Categories of Consumer Health Data we collect
| Category | Source | Examples |
|---|---|---|
| Body measurements | You; HealthKit / Health Connect | Weight, body fat %, lean mass, waist |
| Progress photos | You | Front, side, back photos you save |
| Medication entries | You | Drug name, dose, schedule, side effects, injection site |
| Nutrition | You; food databases | Food logs, meal photos, voice descriptions, water |
| Activity | You; HealthKit / Health Connect | Workouts, steps, active minutes |
| Sleep and fasting | You; HealthKit / Health Connect | Sleep summaries, fasting windows |
| Inferred information | Phaze processing | Trend lines, goal progress, recommendation triggers |
| Conversational health data | You (AI chat) | Messages you send to Ember |
3. Purposes for collection and processing
We process Consumer Health Data only to:
- Provide the Service to you (display dashboards, log entries, sync, charts)
- Generate insights, summaries, and personalized recommendations for your use
- Power AI features (Ember chat, food scan) that you choose to use
- Allow you to export your data (PDF reports, sharing)
- Sync data across your devices (with your authorization)
- Back up your data to your personal cloud storage if you enable Cloud Backup
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
We do not process Consumer Health Data to: serve advertising, build advertising profiles, sell to third parties, share with data brokers, share with insurers or employers, or train AI models on your data.
4. Where your data is stored
4.1 On-device default
Consumer Health Data is stored on your device by default.
- iOS: SwiftData persistent store with iOS Data Protection. Sensitive medical fields (medication identifiers, doses, side-effect entries, injection-site notes, medical profile, dose schedule) are additionally encrypted with AES-256-GCM using a key stored in the iOS Keychain.
- Android: Room database. Sensitive medical fields are encrypted with AES-256-GCM (256-bit key, 12-byte IV, 128-bit tag) using a key stored in the Android Keystore. Preferences use Jetpack Security EncryptedSharedPreferences.
We do not operate a first-party server that stores your Consumer Health Data.
4.2 Cloud Backup (optional, off by default)
If you enable Cloud Backup, an encrypted archive is written to your personal cloud account:
- iOS: to your iCloud Drive, inside the Phaze ubiquity container (iCloud.com.zeit.phaze).
- Android: to the AppData folder of your Google Drive account (private to Phaze, application-scoped, not visible in your general Drive UI).
The archive is encrypted with AES-256-GCM before upload.
About the encryption key. So that you can restore the backup on a new device without managing a separate passphrase, the encryption key is generated locally and stored alongside the encrypted payload in the same backup file. This means the security of the backup file is bound to the security of your iCloud or Google account, not to a separate passphrase you hold. We do not market Cloud Backup as protected only for you or as having no key access by us. If you require true zero-knowledge encryption, do not enable Cloud Backup. We may add a user-passphrase option in a future release.
We do not retain a server-side Phaze copy of the backup outside your own iCloud or Google account.
4.3 What does leave your device
- Cloud Backup, if enabled: to your own iCloud or Google Drive AppData.
- AI features: see Section 6. Ember chat sends context fields (including weight range and current-day totals); food scan sends meal photos.
- Health platforms, if you authorize them: Apple HealthKit (iOS) or Google Health Connect (Android) read and write through the system framework.
- Analytics and crash reporting: see Section 5. Some analytics events currently transmit specific clinical fields to Mixpanel pending sanitization work.
- PDF report export, milestone share, or screenshot share: if you initiate them.
4.4 HealthKit and Health Connect
Phaze reads these platforms only with your authorization. We do not store a separate server-side copy of HealthKit or Health Connect data. We do not use this data for advertising, marketing, sale, data mining, or user identification outside Phaze.
5. Categories of third parties with whom we share Consumer Health Data
We share Consumer Health Data only with the following categories of recipients, and only as needed to operate the Service:
| Recipient | Purpose | What is sent | Where |
|---|---|---|---|
| Google (Gemini, via Cloudflare Workers edge service) | Ember chat, food image recognition, body-composition estimate from photo | Your message (with GLP-1 brand and generic names stripped), context fields (current weight, weight range, today's nutrient totals, side-effect list, goals), meal photos, body-comp photos | United States, Cloudflare global edge |
| Apple (iOS) / Google (Android) system speech APIs | Voice meal description transcription | Audio routed by SFSpeechRecognizer (iOS) or SpeechRecognizer (Android); may transit to Apple or Google services depending on device and language | Per platform |
| iCloud (iOS) / Google Drive (Android), only if Cloud Backup is enabled | User-controlled backup of your data | Encrypted archive of your data (Section 4) | Your iCloud or Google region |
| Apple HealthKit (iOS) / Google Health Connect (Android), only if authorized | Sync of authorized data categories | Reads and writes performed locally through the system framework | On your device |
| Mixpanel | Product analytics | Pseudonymized event payloads keyed to a device-generated identifier (no email, no name). Payloads include: weight value (lbs), water value (oz) and daily total, meal macro panel (protein, calories, carbs, fat, fiber, saturated fat, trans fat, sugar) with food name, lab biomarker name, exercise type, mood and energy ratings. User properties include medication administration type. These are pseudonymized, not anonymized. All events for one device link to the same identifier. | United States |
| Sentry | Crash and error monitoring | Crash reports, stack traces, navigation breadcrumbs. Medication identifiers, doses, side-effect entries, injection-site notes, and the medical profile are scrubbed from event payloads. Identifier is a device-scoped ID; administration type is attached as context. | United States |
| RevenueCat | Subscription management | Subscription identifiers, purchase events. No health values. | United States |
| Meta Aggregated Event Measurement SDK | App install and conversion attribution | Install and conversion events. No health values. | United States |
| TikTok Business SDK | App install and conversion attribution | Install and conversion events. No health values. On iOS this SDK requests App Tracking Transparency authorization. | United States |
| Apple App Store, Google Play | Distribution and IAP | Standard store telemetry, purchase confirmations | United States, Ireland |
| USDA FoodData Central, Open Food Facts, Spoonacular (Android) | Food and recipe lookups | Food name or barcode you scanned. We do not send your health values to these databases. | United States, Europe |
| Apple, Google (Sign in) | Authentication, if used | Account identifier returned by provider | United States |
| Legal and regulatory | Comply with valid legal process | As legally required | As applicable |
We do not "sell" Consumer Health Data. We do not "share" Consumer Health Data for cross-context behavioral advertising. We do not engage in geofencing within 2,000 feet of any health care facility.
We require each recipient to (i) act only on our instructions, (ii) implement appropriate security, (iii) not use your Consumer Health Data for their own purposes other than aggregate statistics necessary for their service, and (iv) honor deletion requests passed through us. For the Meta and TikTok attribution SDKs specifically, we configure them to operate in aggregate-attribution mode (no personalized retargeting).
6. AI features: additional disclosures
Phaze includes AI-driven features:
- Ember (AI chat companion), routed through a Phaze edge service (Cloudflare Workers) to Google Gemini
- Food scan (image recognition for meal logging), routed through the edge service to Google Gemini Vision
- Body composition estimate from photo, routed through the edge service to Gemini Vision
- Voice meal description, transcribed by the platform speech API, then sent to Gemini for parsing
Important about AI features:
- AI responses can be inaccurate or out of date. Treat them as informational only.
- We instruct Google through the Gemini API not to use your inputs to train its models. The Cloudflare Workers edge service applies output redaction to strip dose-change suggestions, stop-medication suggestions, dose-recommendation patterns, and GLP-1 brand-name references from Gemini's responses before they reach the app. We are also working on a server-side refusal classifier to block dose Q&A, contraindication, and symptom-triage prompts at the edge layer; until that ships, the safety guidance is enforced through Gemini's own system prompt only.
- Ember will not knowingly provide dosing advice, contraindication guidance, side-effect triage, or any clinical recommendation. For any medical question, contact your prescribing healthcare provider.
- AI features can be disabled in Settings, Privacy. In-app toggles are tracked engineering work.
In accordance with the EU AI Act Article 50 transparency requirements, AI-generated outputs are labeled as AI in the interface, and you are informed when you interact with an AI system. Ember responses carry a per-output "AI-generated" label, and AI food-scan estimates are marked with an AI badge.
7. Retention
| Category | Retention |
|---|---|
| Consumer Health Data on your device | Until you delete it, or you uninstall the app |
| Consumer Health Data in your Cloud Backup | Until you disable Cloud Backup and delete the AppData contents from your Google account |
| Consumer Health Data on Phaze servers | We do not maintain a server-side copy |
| AI provider transient retention | Per provider policy; we contractually require deletion within their normal log windows; we do not retain a copy ourselves |
| Aggregated, irreversibly anonymized statistics | Indefinite (no longer Consumer Health Data) |
| Legal hold | As required by law |
8. Your rights
8.1 Washington (My Health My Data Act)
You have the right to:
- Confirm whether Phaze is processing your Consumer Health Data
- Access your Consumer Health Data
- Request deletion of your Consumer Health Data: Phaze will delete the data within 30 days and direct any service provider or processor to do the same
- Withdraw consent: you may withdraw consent to processing or sharing at any time; withdrawal does not affect prior lawful processing
- Appeal a denial of any of the above
Submit requests by email to privacy@phaze.fit. You can also submit a "Delete All Data" request in the app today at Settings, Privacy, Delete Everything, which deletes your on-device data. To also remove a Cloud Backup file, disable Cloud Backup in Settings and delete the file from your iCloud or Google Drive account. We will verify your identity (typically by matching to the email on your account) and respond within the timeframes required by law (45 days, extendable once).
If we deny a request, we will explain why and how to appeal within 45 days. If your appeal is denied, you may contact the Washington Attorney General at https://www.atg.wa.gov/file-complaint.
Geofencing. Phaze does not use geofences within 2,000 feet of any in-person health care service or facility.
8.2 Nevada (SB 370)
Nevada residents have the right to confirmation, access, deletion, opt-out of sale, and opt-out of sharing for targeted advertising. Phaze does not sell Consumer Health Data and does not engage in targeted advertising. Submit requests to privacy@phaze.fit.
8.3 Connecticut, Colorado, Virginia, Texas, Oregon, and other state laws
Residents of these states have rights including access, correction, deletion, portability, opt-out of sale, opt-out of targeted advertising, and the right to limit the use of sensitive data including consumer health data. Phaze does not sell Consumer Health Data or engage in targeted advertising, and processes sensitive data only with your opt-in consent. Submit requests to privacy@phaze.fit. Universal opt-out signals (GPC) are honored where required.
8.4 California (CCPA / CPRA / CMIA)
California residents have all rights described in Section 13.3 of our Privacy Policy, including the right to limit use of sensitive personal information (which includes Consumer Health Data). We process your Consumer Health Data only as needed to provide the Service you requested.
For purposes of the California Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code sections 56 et seq.), to the extent Phaze qualifies as a "provider of health care" as defined in the statute, the medical information you provide is processed under the safeguards described in this Policy and disclosed only as permitted by law or with your authorization.
8.5 Brazil (LGPD)
Brazilian residents may exercise rights under LGPD Article 18 (confirmation, access, correction, anonymization or deletion, portability, sharing information, consent revocation). Submit requests to privacy@phaze.fit or to the Encarregado (Vinicius) at privacy@phaze.fit. ANPD: gov.br/anpd.
8.6 EU / UK / EEA
EU and UK residents may exercise rights under GDPR Articles 15 to 22, including access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right not to be subject to a decision based solely on automated processing with legal or similarly significant effects.
9. Security
We apply the following safeguards to Consumer Health Data:
- Encryption at rest: AES-256-GCM for sensitive medical fields on device and for Cloud Backup archives
- Encryption in transit: TLS 1.3
- Platform key storage: Apple Keychain on iOS (kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly); Android Keystore on Android (hardware-backed where available)
- Crash-report scrubbing: Sentry breadcrumbs and event payloads are scrubbed to remove medication identifiers, doses, side-effect entries, injection-site notes, and medical profile before transmission
- Vendor diligence: processors are reviewed before engagement and subject to data-processing terms
- Access controls: role-based access to internal tools
- Code review and testing: code review and automated test coverage prior to releases that affect data handling
- We do not currently hold an independent security certification or audit attestation (for example, ISO 27001). We do not claim certifications we do not hold.
- Product-analytics events transmit specific clinical fields to Mixpanel under a device-scoped pseudonymous identifier as disclosed in Section 5. This is pseudonymization, not anonymization, and remains subject to the rights and obligations described in this Policy and in our Privacy Policy.
No method of transmission or storage is perfectly secure. If we discover a security incident that compromises the confidentiality of your Consumer Health Data, we will notify you and applicable regulators in accordance with the FTC Health Breach Notification Rule (16 CFR Part 318) within 60 days of discovery, EU GDPR Articles 33 and 34 (within 72 hours for the supervisory authority), LGPD Article 48, and applicable US state breach-notification laws.
10. Consent
When you create an account and enable features that process Consumer Health Data, we obtain your consent in the relevant onboarding screens and in-product settings. You may withdraw consent at any time by:
- Disabling the relevant feature (for example, Cloud Backup, Ember, food scan) in Settings
- Deleting the relevant data
- Deleting your account from Settings, Account, Delete Account
- Emailing privacy@phaze.fit to withdraw consent for any specific processing
Withdrawal does not affect prior lawful processing.
For sale or sharing of Consumer Health Data, we obtain separate, signed valid authorization prior to any such activity. We do not currently sell or share Consumer Health Data, so no such authorization is requested.
11. Children
The Service is intended for adults aged 18 and over. We do not knowingly collect Consumer Health Data from anyone under 18. If we learn we have collected data from a person under 18, we delete it promptly.
12. Changes to this Policy
We will post material changes here with a new "Last updated" date and notify you in-app or by email at least 30 days before they take effect, unless a shorter timeframe is required by law.
13. Contact
- Email: privacy@phaze.fit
- In-app: Settings, Privacy, Consumer Health Data Requests
- Postal: Zeit Capital Ltda, SRTVS Conjunto L, Lote 38, Centro Empresarial Assis Chateaubriand, No 30, Sala 417 Parte J 07, Brasilia, DF, CEP 70340-906, Brazil
- Brazilian Encarregado: Vinicius (privacy@phaze.fit)
- EU / UK Representative: not currently appointed; will be appointed if and when our EU or UK user base reaches the threshold that requires one. Until then, contact privacy@phaze.fit.
If we deny your request, you may appeal at privacy@phaze.fit; if the appeal is denied, you may contact your state attorney general (in the United States), the Information Commissioner's Office (UK), your EU member-state supervisory authority, or the ANPD (Brazil).