Effective Date: April 6, 2026
This Consumer Health Data Privacy Policy ("Health Data Policy") is provided in accordance with the Washington My Health My Data Act, RCW 19.373 et seq. ("MHMDA"), and applicable consumer health data privacy laws in other states, including Nevada SB 370. This Health Data Policy describes how Resilio Health LLC ("Company," "we," "us," or "our") collects, uses, shares, and retains consumer health data in connection with the Resilio Health application and related services (collectively, the "Service").
This Health Data Policy is a standalone document provided as a separate and distinct policy as required by the MHMDA. It supplements our general Privacy Policy, available at https://resiliohealth.com/privacy. If there is a conflict between this Health Data Policy and our general Privacy Policy with respect to consumer health data, this Health Data Policy shall control.
This Health Data Policy applies to all users of the Service.
In the course of providing the Service, we collect the following categories of consumer health data:
When you use the body map feature, you designate specific body regions as "focus" zones (areas you want to strengthen) or "avoid" zones (areas where you are managing discomfort or want to avoid heavy loading). These selections reflect your self-reported physical status and constitute consumer health data. We collect:
We collect data about your exercise activity as reported through the Service:
If you report symptoms during a check-in or chat with the AI Coach, or if the AI Coach determines that a safety escalation is warranted, we collect:
When you interact with the AI Coach, we collect the messages you send, which may include descriptions of physical symptoms, pain, injuries, medical history, or other health-related information you voluntarily disclose.
Our AI systems generate inferences from your data that may constitute consumer health data, including: exercise preferences, progression levels, body region resilience trends, and engagement patterns. Even where these inferences are derived from non-health inputs (such as session timing or app usage patterns), they may qualify as consumer health data under the MHMDA to the extent they are used to associate you with health-related information.
We collect consumer health data from the following sources: directly from you, through the app interface (body map selections, check-in responses, debrief responses, chat messages); from Apple Health, with your explicit permission via the HealthKit API (workout type, duration, and distance); from Strava, with your explicit permission via OAuth and webhook (activity type, duration, and distance); and generated by our AI systems (exercise routine selections, safety recommendations, progression decisions, and health-related inferences).
We collect each category of consumer health data identified above for the following specific purposes:
We do not sell consumer health data. We share consumer health data only with the following categories of processors, solely for the purposes described in Section 3:
To generate personalized routines and coaching responses, we transmit your check-in data, body region selections, exercise history, safety event context, and chat messages to Anthropic, PBC, which provides the Claude large language model. Anthropic acts as a processor on our behalf pursuant to a data processing agreement (incorporated into Anthropic's Commercial Terms of Service). Under the terms of our agreement, Anthropic is contractually prohibited from using data submitted through the API to train its models. Anthropic retains API inputs and outputs for a maximum of thirty (30) days for safety and abuse monitoring purposes, after which they are automatically deleted; Anthropic does not store your data beyond this period.
Your consumer health data is stored in a PostgreSQL database hosted by Supabase on Amazon Web Services infrastructure in the United States. Supabase acts as a processor on our behalf pursuant to a data processing agreement. All data is encrypted at rest and in transit. Row-level security policies restrict access through the client API so that your authenticated session can read and write only your own records.
If you connect Apple Health or Strava, workout activity data (type, duration, distance) from these platforms is stored in our database and used as context for AI-generated routine recommendations. When this context is included in a routine generation request, it is transmitted to Anthropic as part of the check-in data described in Section 4.1. Apple Health data is accessed via the HealthKit API on your device. When you complete a routine, we write a summary workout record (activity type and duration) back to Apple Health so your training log stays complete. Strava data is received via Strava's webhook system. Neither Apple nor Strava receives your consumer health data from Resilio. HealthKit data is not used for advertising, marketing, or data mining purposes. We do not sell HealthKit data to data brokers or any third parties. HealthKit data is not stored in iCloud.
Push notifications are delivered through Apple Push Notification service (APNs), Google Firebase Cloud Messaging (FCM), and Expo's push notification service. These services receive only your device push token and notification content. No consumer health data is transmitted through push notification channels.
We maintain contractual agreements with each processor identified above that include data processing provisions, as required by the MHMDA (RCW 19.373.060). For Anthropic and Supabase, these take the form of data processing agreements incorporated into their commercial terms of service. For Apple APNs, Google FCM, and Expo, processing is governed by their standard terms of service, which include data handling obligations. Payment processors (Stripe, RevenueCat, Apple, and Google billing) do not receive consumer health data. These agreements contractually require each processor to:
We do not share consumer health data with any other third parties, including advertisers, data brokers, analytics providers, or social media platforms. We do not use consumer health data for advertising purposes. Resilio Health LLC has no subsidiaries or affiliated entities. If this changes, we will update this Health Data Policy and name all affiliates by name as required by the MHMDA.
We retain your consumer health data for as long as your account is active. If you cancel your subscription but do not delete your account, your data is retained in read-only form so that you can continue to access your history.
Per-category retention periods:
You have the right to request deletion of all consumer health data we have collected from you. You may exercise this right by:
Upon receiving a valid deletion request:
We will complete the deletion process and respond to your request within forty-five (45) days. If we require additional time, we will notify you of the extension (not to exceed an additional forty-five (45) days) and the reason for the delay.
We may retain limited data beyond the periods described above where necessary to comply with legal obligations, resolve disputes, enforce our agreements, or protect against fraud. In particular, safety event records (which document instances where the Service recommended that you stop an exercise or consult a healthcare provider) may be retained for up to three (3) years after account deletion to defend against potential claims. Any such retention will be limited to the minimum data necessary. After the three-year period, all retained safety event records will be permanently deleted.
Once deletion from active production systems is executed, it cannot be reversed. All exercise history, body region data, progression data, safety event records (except as noted in Section 5.4), chat history, streak data, and notification records will be permanently removed. We are unable to recover this data after deletion.
During account creation, we present a dedicated, unbundled consent screen. This screen is separate from and independent of the general Terms of Service acceptance. It:
Your consent to the collection and processing of consumer health data is separate and distinct from your acceptance of the Terms of Service. Neither consent mechanism is pre-checked. You may not use the health-data features of the Service without providing this consent.
Additionally, connection to Apple Health or Strava requires separate, explicit authorization through each platform's own permission flow before any data is accessed.
We will obtain your affirmative consent before:
You may withdraw your consent to the collection and processing of consumer health data at any time by deleting your account through the Service's settings or by contacting us at privacy@resiliohealth.com. Withdrawal of consent will result in the deletion of all consumer health data as described in Section 5. Because consumer health data processing is integral to the Service's core functionality (generating personalized routines based on your physical status), full withdrawal of consent requires account deletion; it is not possible to use the Service without the collection described in this Health Data Policy. However, you may partially withdraw consent by disconnecting Apple Health or Strava integrations at any time through the Service's settings, which will stop the collection of third-party activity data without affecting the rest of your account.
We maintain administrative, technical, and physical safeguards designed to protect consumer health data, including:
For information about our data breach notification procedures as they apply to consumer health data, please see Section 6 of our general Privacy Policy at https://resiliohealth.com/privacy. In the event of a breach affecting consumer health data, we will notify affected consumers without unreasonable delay and no later than thirty (30) calendar days after discovering the breach, in compliance with the Washington data breach notification statute (RCW 19.255.010) and, where applicable, the FTC Health Breach Notification Rule (16 CFR Part 318).
We do not use geofencing technology to identify or track consumers for the purpose of collecting consumer health data. We do not collect location data in connection with the Service. The Service does not use GPS, Wi-Fi triangulation, Bluetooth beacons, or any other geolocation technology. In particular, we do not use geofencing within 2,000 feet of any entity providing in-person health care services, as prohibited by RCW 19.373.080, or within 1,750 feet of such an entity, the distance prohibited by Nevada SB 370, where applicable. If we introduce any location-based features in the future, we will update this Health Data Policy and obtain your consent before collecting any location data.
Under the MHMDA and other applicable laws, you have the right to:
To exercise any rights under this Health Data Policy, you may:
We will respond to verified requests within forty-five (45) days of receipt. If we require additional time, we will notify you of the extension (not to exceed an additional forty-five (45) days) and the reason for the delay. We will not discriminate against you for exercising your rights under the MHMDA or any other applicable law.
If we decline to take action on your request, we will inform you of the reason for our decision. You may appeal our decision by contacting us at privacy@resiliohealth.com with the subject line "Privacy Rights Appeal." We will respond to your appeal within forty-five (45) days. If we deny your appeal, we will provide you with information on how to contact the Washington State Attorney General to submit a complaint: https://www.atg.wa.gov/file-complaint.
We may update this Health Data Policy from time to time. If we make material changes to how we collect, use, or share consumer health data, we will notify you through the Service or by email at least thirty (30) days before the changes take effect and, where required by law, will obtain your consent to the changes.
If you have any questions about this Health Data Policy or wish to exercise your rights, please contact us at:
Resilio Health LLC
Email: privacy@resiliohealth.com
Legal inquiries: legal@resiliohealth.com
Support: support@resiliohealth.com
Website: https://resiliohealth.com