Consumer Health Data Privacy Policy
Last updated:
This is the Consumer Health Data Privacy Policy of Curlew Labs LLC (“Curlew Labs,” “we,” “our,” or “us”) for the eNeighbor™ mobile application (the “App”), required by Washington’s My Health My Data Act (RCW 19.373). It applies to Washington residents and to anyone whose consumer health data is collected by us in Washington.
Read alongside our main Privacy Policy, which covers the App’s data practices in full. Where the two documents speak to the same topic, the more specific statement controls.
What we treat as consumer health data
Washington defines “consumer health data” broadly to include personal information linked or reasonably linkable to a consumer that identifies the consumer’s past, present, or future physical or mental health status. The App is not a medical device and does not collect clinical health information. Out of caution, we treat the following data types as consumer health data for purposes of this policy:
- Device activity signals — timestamps indicating that a paired device has been used (for example, the App opened or the device unlocked). These can imply that a person was up and about at a given time.
- Device reachability signals — timestamps indicating that the device is powered on and on a network. We use these only to confirm reachability; they do not record location coordinates.
- Daily check records — whether a check-in was detected on a given day.
- Notification delivery records — whether the App sent a nudge or neighbor alert and whether it was received and opened.
The App does not collect biometric data, precise geolocation, the contents of communications, contacts, photos, or any clinical health record. We do not infer or record a diagnosis, condition, treatment, or medication.
Sources of consumer health data
We collect consumer health data from two sources:
- You and your paired contact, when you install the App, create an account, configure preferences, and use the App.
- Your device, which generates activity and reachability signals while the App is installed.
Purposes for collecting and using consumer health data
We use this data only to operate the App: to detect that a paired device has been used by a configurable mid-morning time and, if not, to send a notification to a paired neighbor. We use limited delivery records to diagnose when notifications fail to reach their recipient. We do not use consumer health data for advertising, profiling, training machine-learning models, or research.
Categories of third parties and affiliates that receive consumer health data
We share consumer health data only with the third parties needed to operate the App, and only to the extent each recipient needs it. Google Firebase and Cloudflare process the data on our behalf as service providers / processors under data-processing agreements with us, not for their own purposes. The other recipients have different relationships, described in their entries below:
- Google Firebase / Google LLC (United States) — authentication, push notifications, and crash reporting.
- Cloudflare, Inc. (global edge network) — cloud hosting and API delivery.
- Apple Inc. (Apple Push Notification service, United States) — delivery of user-facing push notifications to iOS devices. Notifications routed by Google Firebase Cloud Messaging are handed off to APNs for the final hop to the device, and the alert payload (which may include check-in / non-response status this policy treats as consumer health data) passes through Apple infrastructure on that hop. APNs operates under Apple’s own iOS Developer Program License Agreement and Apple Privacy Policy rather than a separate data-processing agreement with Curlew Labs.
- Your paired neighbor — the person you paired with receives whether-a-check-in-occurred status and any notification we send on your behalf. This is the core function of the App and only happens at your direction.
Curlew Labs LLC is a Seattle-based limited liability company and has no current affiliates that receive consumer health data.
We do not sell consumer health data
Curlew Labs does not sell consumer health data, and has not sold any consumer health data in the prior 12 months. RCW 19.373.040 prohibits the sale of consumer health data without a valid authorization; we do not engage in any such sale, so no authorization page exists. If we ever change this practice, we will obtain a valid authorization from you before any sale and will publish a separate authorization page.
Your rights under the My Health My Data Act
Washington consumers have the right to:
- Confirm whether we are collecting, sharing, or selling your consumer health data, and access that data.
- Receive a list of all third parties and affiliates with whom we have shared or sold your consumer health data, including each entity’s contact information.
- Withdraw consent from our collection or sharing of your consumer health data.
- Delete your consumer health data, subject to the exceptions permitted by the Act.
- Appeal a denial of any of the above; if we deny your appeal, we will tell you how to contact the Washington Attorney General to lodge a complaint.
How to exercise these rights
The fastest paths are inside the App:
- Download My Data in Settings exports a copy of everything we hold about you, including any data covered by this policy.
- Delete Account in Settings cascades a deletion of the App data we control. Residual copies may remain in our secured disaster-recovery backups for up to 90 days before they age out; we do not use backups to restore deleted data.
- Remove the pairing from the home screen withdraws your consent to share status with that neighbor. Open the neighbor’s detail page and tap Leave this neighbor to end the relationship. To stop sharing your status while keeping the connection, turn off Share your check-ins on that page instead.
You can also email support@curlewlabs.com from the address tied to your account and tell us which right you want to exercise. We will verify your request by matching the email or account identifier you give us to the one on your account, and respond within 45 days. If your request is complex or large in volume, we may extend the response window once by another 45 days and will tell you why. If we cannot verify your request, we will tell you why.
If we deny your request, you may appeal within a reasonable time by replying to our denial email. We will respond to your appeal in writing within 45 days. If we deny your appeal, we will provide instructions for filing a complaint with the Washington Attorney General’s office.
Authorized agents
You may authorize another person to make a request on your behalf. We may require the agent to provide written authorization signed by you and to verify their identity, and we may independently confirm the request with you before acting on it.
Changes to this policy
We may update this policy as the App or the My Health My Data Act evolves. When we do, we will update the “Last updated” date at the top of this page and, for material changes, notify you via the App or by email.
Contact us
Questions or concerns about this policy can be sent to:
Curlew Labs LLC
300 Lenora St. #936
Seattle, WA 98121
Email:
support@curlewlabs.com