Legal Document

Consumer Health Data Privacy Policy

Developed and operated by Apex Development Studio LLC · Effective: April 7, 2026 · Last Updated: April 7, 2026

This Consumer Health Data Privacy Policy is provided pursuant to Washington's My Health My Data Act (RCW 19.373) and supplements our general Privacy Policy. It describes the consumer health data we collect, how we use and share it, and how you can exercise your rights.

1. Purpose and Scope

This Consumer Health Data Privacy Policy is provided pursuant to Washington's My Health My Data Act (RCW 19.373). It applies to all consumer health data collected, used, shared, or stored by Journey Tracker, an iOS application developed and operated by Apex Development Studio LLC ("we," "our," or "us").

This policy applies to any consumer who uses Journey Tracker, with particular rights afforded to residents of Washington state under the My Health My Data Act. The rights and transparency commitments described in this policy extend to all users regardless of location.

Journey Tracker is a consumer health application designed to help individuals undergoing GLP-1 therapy track their health progress, medication history, laboratory results, and related health markers. Apex Development Studio LLC is not a healthcare provider, health plan, or healthcare clearinghouse. Journey Tracker is not a medical device and does not provide medical advice.

2. Categories of Consumer Health Data Collected

Journey Tracker collects the following categories of consumer health data, each for the specific purpose described:

2.1 Body Measurements

Data collected: Weight, body fat percentage, muscle mass, BMI, and waist circumference.

Purpose: Health trend tracking, chart generation, and progress visualization against your personal goals.

2.2 Medication Information

Data collected: GLP-1 medication name, dose, injection dates, and injection site.

Purpose: Therapy adherence tracking and dose escalation timeline visualization.

2.3 Side Effect and Symptom Logs

Data collected: Symptoms, severity ratings, and associated notes.

Purpose: Symptom pattern identification and therapy correlation analysis.

2.4 Laboratory Results

Data collected: HbA1c, lipid panel values, metabolic markers, thyroid markers, and other health markers you choose to enter.

Purpose: Health marker tracking over time and, with your separate consent, optional AI-powered interpretive analysis.

2.5 Health Goals

Data collected: Target weight and hydration goals.

Purpose: Progress measurement against user-defined goals.

2.6 Body Composition from Apple HealthKit

Data collected (with your explicit permission): Body weight, blood glucose, blood pressure, and dietary water.

Purpose: Automated health data sync for trend tracking within the app.

2.7 Notes

Data collected: Free-text notes you attach to health entries.

Purpose: Personal record-keeping associated with your health data.

3. Sources of Consumer Health Data

Journey Tracker collects consumer health data from the following sources:

Direct user input: Manual entry of health measurements, medication information, side effects, lab results, goals, and notes within the app
OCR scanning: On-device optical character recognition (Apple Vision framework) used to extract lab values from photos, PDFs, or camera captures of lab reports
Apple HealthKit: Automated sync of body weight, blood glucose, blood pressure, and dietary water data — collected only with your explicit permission through Apple's native HealthKit authorization dialog
Apple Health Records: Clinical laboratory data from your connected health systems — collected only with your explicit permission through Apple's native Health Records authorization

4. Third Parties and Affiliates Receiving Consumer Health Data

The following is the exhaustive list of all third parties that receive, or may receive, consumer health data from Journey Tracker, along with each party's role and the categories of data shared:

4.1 Apple Inc.

HealthKit: Local on-device data sync between Journey Tracker and Apple Health. Health data remains on your device and in your personal iCloud account.
CloudKit: Encrypted iCloud backup of your Journey Tracker data to your personal iCloud account. This data is stored in your account, not on any server controlled by Apex Development Studio LLC.
Sign in with Apple: Authentication only. Apple provides an opaque user identifier — no health data is shared with Apple through this service.
StoreKit: Subscription management only. No health data is transmitted to Apple through StoreKit.

Apple's Privacy Policy: apple.com/privacy

4.2 Google LLC

Google receives de-identified consumer health data via the Google Gemini API for the purpose of AI-powered lab analysis. The data transmitted includes: lab values (as numbers), medication name and current dose, therapy duration (relative, not specific dates), and changes in lab values over time (relative timeframes).

This data sharing occurs only when you explicitly consent by tapping "I Understand and Agree" on the in-app AI Lab Analysis consent screen. Data is de-identified using automated on-device processing before transmission.

Journey Tracker operates on a paid Google AI billing account (Tier 1). Under Google's Gemini API Terms of Service, data submitted through paid-tier accounts is not used to train or improve Google's AI models.

Google's Privacy Policy: policies.google.com/privacy
Gemini API Terms: ai.google.dev/gemini-api/terms

4.3 Cloudflare, Inc.

Cloudflare operates as an API proxy, routing de-identified health data from the Journey Tracker app to Google's Gemini API. Consumer health data transits through Cloudflare's infrastructure during AI analysis requests.

Cloudflare does not store, retain, or process consumer health data beyond the transit necessary to route the API request. No health data is retained by Cloudflare after the request completes.

Cloudflare's Privacy Policy: cloudflare.com/privacypolicy

4.4 RevenueCat, Inc.

RevenueCat receives subscription status information only. No consumer health data of any kind is transmitted to RevenueCat.

RevenueCat's Privacy Policy: revenuecat.com/privacy

4.5 Formspree, Inc.

Formspree processes contact form submissions on the Journey Tracker website (journeytracker.app). Formspree receives your name, email address, and message content only. No consumer health data is transmitted to Formspree.

Formspree's Privacy Policy: formspree.io/legal/privacy-policy

4.6 Affiliates

No affiliates receive consumer health data. Apex Development Studio LLC has no affiliates, subsidiaries, or parent companies. We are an independent limited liability company.

5. How to Exercise Your Rights Under MHMDA

Washington state residents and all Journey Tracker users have the following rights with respect to their consumer health data:

5.1 Right to Know

You have the right to know what consumer health data is collected about you and how it is used. This policy fulfills that right by describing every category of data collected, its purpose, and every third party that receives it.

5.2 Right to Access

You can access all of your consumer health data at any time directly within the Journey Tracker app. All data you have entered or synced is available to you through the app's dashboard, charts, and detail views.

5.3 Right to Delete

You have the right to request deletion of your consumer health data. Here is how to delete your data from each location where it may exist:

On-device data: Open Journey Tracker, navigate to Settings → Privacy & Security → Delete Account & All Data. This permanently removes all health data stored on your device.
iCloud data: Go to iOS Settings → [Your Name] → iCloud → Manage Storage → Journey Tracker → Delete Data. This removes all Journey Tracker data from your iCloud account.
Google API logs: To request deletion of any data retained in Google's temporary API logs, email support@journeytracker.app. Apex Development Studio LLC will submit a deletion request to Google on your behalf. Google's temporary log retention policies apply to the timing of deletion.
Cloudflare: Cloudflare does not retain consumer health data. No deletion action is required.
Apex server-side: Apex Development Studio LLC stores no consumer health data on any server it controls. No server-side deletion is required.

5.4 Right to Withdraw Consent

You have the right to withdraw consent to the collection or sharing of your consumer health data at any time:

HealthKit data collection: Revoke Journey Tracker's HealthKit access at any time through iOS Settings → Privacy & Security → Health → Journey Tracker. This immediately stops all HealthKit data collection.
AI Lab Analysis (sharing with Google via Cloudflare): Disable this feature at any time through Journey Tracker Settings → Features → AI Lab Analysis → Off. Withdrawal of consent applies prospectively to all future sharing. Data previously transmitted to Google is subject to Google's temporary log retention policies.

Withdrawal of consent is always prospective. Revoking HealthKit access or disabling AI Lab Analysis immediately stops future data collection and sharing. It does not retroactively delete data that was previously collected or shared with your consent.

5.5 Private Right of Action

The My Health My Data Act provides a private right of action for violations of its provisions (RCW 19.373.040). If you believe your rights under MHMDA have been violated, you may bring a claim as provided under the statute.

6. Consent

Journey Tracker collects consumer health data only with your affirmative consent. We do not collect health data passively or without your knowledge.

6.1 HealthKit Data

HealthKit data is collected only after you grant permission through Apple's native HealthKit authorization dialog. This dialog clearly describes the specific data types Journey Tracker requests access to. Granting permission through this dialog constitutes your consent to the collection of consumer health data for the purposes described in this policy.

6.2 AI Lab Analysis (Sharing with Google)

Before any consumer health data is shared with Google via the Gemini API, you are presented with a separate, dedicated in-app consent screen. This consent screen explains:

Exactly what data will be transmitted
How the data is de-identified before transmission
That Google will receive and process the data
That data transits through Cloudflare's infrastructure
That Google does not use the data for AI model training (paid-tier account)

You must tap "I Understand and Agree" before any health data is transmitted. No data is shared with Google or Cloudflare until you provide this explicit consent.

6.3 Consent Standards

All consent obtained by Journey Tracker is:

Freely given — you are not required to consent to use the core features of the app
Specific — each consent request identifies the exact data and purpose
Informed — you are told what data is collected, why, and who receives it
Opt-in — no consumer health data is collected or shared by default
Voluntary — declining consent does not prevent you from using Journey Tracker's core features
Unambiguous — consent requires an affirmative action (granting a permission or tapping a consent button)

These consent standards meet or exceed the requirements of RCW 19.373.020.

7. Contact

To exercise your rights under this policy or Washington's My Health My Data Act, or to ask questions about how your consumer health data is handled:

Email: support@journeytracker.app (subject line: "Health Data Privacy Request")
Website: journeytracker.app/support
Company: Apex Development Studio LLC

We will respond to all requests within the timeframes required by applicable law.