Consumer Health Data Privacy Policy
Last updated: 2026-05-26 · This policy is in force as of the date above. Read alongside our Privacy Policy and Crisis & Safety policy.
This policy supplements our main Privacy Policy with specific disclosures required for consumer health data under:
- Washington's My Health My Data Act (RCW 19.373; "MHMDA")
- Nevada SB 370 (consumer health data)
- Connecticut's CTDPA health-data carve-outs
- California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA) sensitive personal-information rules
- The U.S. FTC's Health Breach Notification Rule (16 CFR Part 318)
If you are a Washington, Nevada, or Connecticut resident — or a California resident whose health-adjacent data we hold — this policy is the controlling supplement.
1. What we consider "consumer health data"
We treat the following categories as consumer health data when you share them with Astrael in a free-text prompt, in a structured form, or via a connected third-party app:
- Health-related conditions, symptoms, diagnoses, medical interventions, surgeries, procedures, testing, or treatments.
- Mental-health states, including stress, anxiety, depression, trauma, substance-use context, or self-harm ideation.
- Reproductive-health information, including pregnancy status, fertility, contraception, abortion-related queries, gender-affirming care.
- Biometric data such as voice recordings (when you use Voice mode), facial scans (when you upload to the Vision feature), palmistry photos, and any heart-rate / breath / sleep figures passed in from connected health apps.
- Precise location data only if you opt in to a feature that requires it.
- Information that may reasonably be used to infer or derive any of the above.
Astrael is not a clinical service. We do not, and you should not, use Astrael as a substitute for medical, psychiatric, or psychological care.
2. Sources
We collect consumer health data from:
- You directly, when you type or speak to the product.
- The Astrael AI model's interpretation of inputs you provide (e.g. labeling a prompt as "mental-health adjacent" so we can apply our crisis-safety overlay).
- Third-party health apps you connect to your Astrael account (none enabled by default).
3. Purposes of processing
We use consumer health data only to:
- Provide the feature you invoked.
- Apply our crisis-detection overlay (per our Crisis & Safety policy). When a hard-intervene signal fires, we may surface crisis-hotline numbers and persist a row to our reports table for safeguarding review.
- Investigate fraud, abuse, or violations of our policies.
- Comply with legal obligations.
- Improve the Services in aggregated, de-identified form only if you have not opted out of model-training use (see our Privacy Policy).
We do not:
- Sell consumer health data.
- Share it with advertisers or for advertising purposes.
- Use it to deny insurance, employment, credit, or any other decision.
4. Sharing
We share consumer health data only with:
- Service providers (sub-processors) under written contracts that require equivalent protections (Anthropic, Supabase, Vercel, Stripe — see our published sub-processor list).
- Law enforcement or regulators when legally compelled, or when sharing is necessary to prevent imminent harm. We will push back on overbroad requests where lawful and notify you where not prohibited.
- A successor entity in the event of a merger, acquisition, or asset sale, under equivalent privacy obligations.
We require affirmative authorization in writing from you before sharing any consumer health data outside the categories above. Authorization is revocable at any time at privacy@astrael.ai.
5. Retention
| Category | Default retention |
|---|---|
| Free-form prompts containing health context | 30 days (then deleted on rolling basis, or earlier if you delete the conversation) |
| Crisis-signal rows | 12 months (safeguarding audit), then deleted |
| Voice recordings (Voice mode) | Streamed, never stored on Astrael servers unless you save explicitly |
| Vision uploads (face / palm photos) | 24 hours processing window, then deleted |
| Aggregated and de-identified statistics | Retained indefinitely (no longer "your" data) |
Backups roll off within 30 days of the corresponding primary deletion.
6. Your rights
You can, at any time:
- Confirm whether we are processing your consumer health data.
- Access the consumer health data we hold about you.
- Delete it (subject to narrow exceptions, e.g. records under a legal hold).
- Withdraw consent for any optional sharing.
- Receive a portable copy in JSON.
- Lodge a complaint with the Washington State Attorney General, the Nevada Attorney General, the Connecticut Attorney General, the California Privacy Protection Agency, or your applicable supervisory authority.
To exercise any of these: email privacy@astrael.ai from the address on your account. We respond within 15 days for Washington / Connecticut requests, 60 days for California requests, with a one-time 45-day extension permitted by law.
7. Children
We do not knowingly collect consumer health data from minors under 18. If you are under 18, do not use the product. If we discover such data, we will delete it.
8. Notification of breach
In the event of a breach affecting consumer health data, we will notify affected users without unreasonable delay (target: within 30 days of confirmed scope), and the relevant attorneys general per state law and the FTC per the Health Breach Notification Rule.
9. Contact
- Health data rights: privacy@astrael.ai
- Crisis or safety concern: usersafety@astrael.ai
- Postal: Astrael (operating-entity details in the Legal Center)
This document is platform-drafted and pending counsel review.