Legal

Health Data Privacy Notice

Last updated: Mar 3, 2026

This Health Data Privacy Notice ("Notice") explains how Bloodwork.app and its affiliates ("Bloodwork.app," "we," "us," or "our") collect, use, disclose, and protect Health Data and other personal data in connection with our website, platform, mobile applications, and any related products or services (collectively, the "Services").

This Notice is designed to meet or exceed requirements under applicable U.S. state consumer health data privacy laws and other global privacy regulations to the extent they apply to Bloodwork.app and its users. This Notice supplements, and should be read together with, the Bloodwork.app Privacy Policy.

By using the Services, you acknowledge this Notice. If you do not agree, please discontinue use of the Services.

Note on HIPAA: Bloodwork is not a HIPAA Covered Entity or Business Associate and does not provide clinical care, medical billing, or insurance-related services regulated under HIPAA. Your health data is governed by this Notice, our Privacy Policy, and applicable state and international consumer privacy laws — not by HIPAA.

1. Definitions

"Health Data" / "Sensitive Health Data"

Health Data includes any past, present, or future physical or mental health status, including but not limited to:

  • Lab test results and bloodwork values
  • Biomarkers, diagnostic values, trends, and interpretations
  • Self-reported health history, symptoms, or conditions
  • Wearable-device data (such as heart rate, activity, sleep, or biometrics)
  • Data collected through surveys, questionnaires, quizzes, or assessments
  • Inferences or derived health insights (e.g., risk scores, wellness indicators, trends inferred from raw results or wearable metrics)

"Personal Data" or "Personal Information"

Any data that identifies, relates to, describes, or can reasonably be linked to an individual, such as name, email, device identifiers, IP address, payment information, or account data.

"Processing"

Any operation performed on data, including collection, storage, retrieval, use, disclosure, sharing, analysis, deletion, or other handling.

2. Categories of Data We Collect

A. Data You Provide Directly

  • Lab results you upload
  • Health history and health-related inputs
  • Survey/quiz answers
  • Wearable data you manually add
  • Account information: name, email, login credentials
  • Billing and payment information (processed through third-party PCI-compliant providers)

B. Data Collected from Devices or Integrations (With Your Permission)

  • Wearable-device or health-app data (e.g., Apple Health, Fitbit, Oura, Garmin, Google Fit)
  • Automatically synced metrics where authorized
  • Device information, technical logs, interaction data, crash logs, IP address

C. Derived or Inferred Data

We may generate insights based on your data, such as:

  • Trend analysis
  • Highlighted biomarkers
  • Potential risk indicators
  • Condition-related wellness analysis
  • Personalized recommendations
  • Internal analytics and scoring

D. Payment & Transaction Data

Because Bloodwork.app offers one-time purchases and auto-renewing subscriptions, we collect:

  • Transaction details
  • Subscription status
  • Billing-related information (via third-party processors)

E. Aggregated & De-identified Data

We may create aggregated or de-identified datasets for:

  • Analytics
  • Service improvements
  • Research
  • Reporting

Aggregated or de-identified data does not identify any individual.

3. How We Use Health Data

We use your Health Data and Personal Data to:

A. Provide the Services

  • Display and interpret lab results
  • Sync wearable data
  • Generate personalized insights
  • Provide dashboards and health summaries
  • Enable data download/export
  • Facilitate integrations
  • Deliver customer support

B. Improve and Develop the Platform

  • Feature development
  • Algorithm improvements
  • Testing and research
  • Bug fixing
  • Performance enhancements

C. Communications

  • Service notifications
  • Account updates
  • Security alerts
  • Support messages
  • Purchase and subscription confirmations

D. Service Communications and Health-Affiliated Recommendations

As part of the Bloodwork service, and where you have agreed to receive communications during onboarding, we use your email address and health profile to send:

  • Personalized health insights and educational content based on your results
  • Results-based product recommendations relevant to your health profile (e.g., supplements that may address a specific biomarker)
  • Service updates, feature announcements, and promotional offers from Bloodwork

We do not sell, share, or disclose your Health Data or Personal Data to third parties for their own marketing or advertising purposes.

Health profile information used to personalize recommendations remains internal to Bloodwork. It is never passed to advertising networks or used to build third-party advertising profiles. You may unsubscribe from these communications at any time without affecting your access to the Services.

E. Payment Processing

  • Processing one-time purchases
  • Managing auto-renewing subscriptions
  • Preventing fraud
  • Transaction notifications

F. Research and Analytical Purposes

  • Aggregated analyses
  • De-identified research
  • Trend evaluation
  • Product development

(never identifying individual users unless explicitly consented)

G. Legal, Compliance & Security

  • Detecting and preventing fraud
  • Complying with legal obligations
  • Protecting rights, safety, and property

H. AI-Based Analysis of Health Data

Bloodwork uses proprietary AI models to analyze your uploaded lab results, quiz responses, and health profile (collectively, your "Health Inputs") and generate personalized health insights, scores, and action plans ("AI Outputs").

AI Outputs are produced by comparing your biomarker values against clinically established reference thresholds from the sources listed in our Editorial Standards. No personally identifiable outputs are shared externally as part of this analysis.

AI Outputs are educational and informational only. They do not constitute a clinical assessment, diagnosis, or medical recommendation. They are based on population-level reference data and do not incorporate your full medical history, symptoms, medications, or the clinical context that a licensed physician would consider.

You consented to this AI-based processing during onboarding. You may withdraw this consent at any time by deleting your account or contacting privacy@bloodwork.app. Withdrawal does not affect the lawfulness of processing prior to withdrawal, but will prevent further AI analysis of your data.

4. How We Share or Disclose Health Data

Bloodwork.app does not sell Health Data and does not share it for cross-context behavioral advertising.

We may disclose data to:

A. Service Providers

  • Hosting & cloud infrastructure
  • Data storage
  • Analytics
  • Customer support
  • Payment processors
  • Security tools
  • Email providers

AI model providers (health data processors): The following third-party AI providers process your health data solely to generate your personalized outputs. Each is engaged under a Data Processing Addendum and does not use your data to train its models by default:

B. At Your Direction

For example:

  • When you sync with a wearable
  • When you share or export data
  • When you authorize a third party

C. Legal or Safety Requirements

We may disclose data to comply with:

  • Laws
  • Court orders
  • Law enforcement requests
  • Security investigations

D. Corporate Transactions

Data may be transferred during:

  • Mergers
  • Acquisitions
  • Financing
  • Bankruptcy
  • Sale of assets

E. Advertising and Retargeting

We may use hashed identifiers (such as a cryptographic hash of your email address) to create custom audiences on advertising platforms solely for the purpose of showing you ads about Bloodwork.

We do not share Health Data, lab results, biomarker values, symptoms, medications, diagnoses, or any health attributes with advertising networks. Retargeting is based on account or engagement status only — never on your health profile.

F. Aggregated or De-identified Data

Used for research, analytics, publications, and reporting.

5. Your Rights and Choices

You may have the following rights depending on your jurisdiction:

  • Right to Know / Access your Health Data and Personal Data
  • Right to Correct inaccurate data
  • Right to Delete your data
  • Right to Withdraw Consent (including marketing consent)
  • Right to Data Export / Portability
  • Right to Appeal — if any rights request or AI output review is denied, you may request escalation by replying to the denial notice or emailing privacy@bloodwork.app with the subject line "Appeal — [original request type]." We will respond within 45 days.

Right to object to marketing (absolute right): You may opt out of marketing communications at any time — without providing a reason — by clicking "Unsubscribe" in any email or contacting us. This will not affect your access to the Services.

California (CCPA/CPRA): California residents have the additional right to limit the use and disclosure of sensitive personal information (which includes health data) under the California Privacy Rights Act (CPRA). We use your health data solely to provide the Services and as described in this Notice — we do not use it for purposes beyond those you have consented to. To exercise this right, contact us with the subject line "Limit Sensitive PI."

U.S. State-Specific Rights: Users in Washington (My Health MY Data Act), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), California (CCPA/CPRA), and other states with consumer health data laws may have additional rights with respect to their Sensitive Health Data, including the right to consent to or opt out of certain processing. We honor all such rights upon verified request.

Response timeline: We will respond to rights requests within 30 days (extendable to 90 days for complex requests, with prior notice). CCPA requests will be addressed within 45 days (extendable to 90 days).

To exercise your rights:

Email: privacy@bloodwork.app

6. Data Retention

We retain your data:

  • As long as necessary to provide services
  • As required by law
  • As needed for security and fraud prevention

On account deletion:

  • Your account is deactivated
  • Personal and Health Data are deleted or anonymized
  • Aggregated data may be retained

7. Data Security

We apply industry-standard security measures such as:

  • Encryption at rest and in transit
  • Role-based access control
  • Secure server infrastructure
  • Monitoring and intrusion detection
  • Regular security audits

No system is 100% secure, but we follow best practices to protect your data.

8. International Users

Bloodwork.app operates from the United States. If you use the Services from outside the U.S., your Health Data and Personal Data will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, transfers are conducted under Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms under applicable data protection law. We do not rely solely on consent as the legal basis for international data transfers.

  • Your data will be transferred to and processed in the United States
  • U.S. federal and state laws govern processing, supplemented by our internal privacy standards
  • EEA/UK/Swiss transfers are protected by Standard Contractual Clauses or equivalent safeguards

GDPR Lawful Bases for Processing (EEA / UK / Switzerland)

For users in the European Economic Area, United Kingdom, or Switzerland, we process personal data under the following lawful bases under the GDPR:

  • Service delivery and account management: performance of a contract (Article 6(1)(b))
  • Security alerts, legal compliance, and mandatory notices: legitimate interests (Article 6(1)(f)) or legal obligation (Article 6(1)(c))
  • Marketing communications and personalized recommendations: your explicit consent (Article 6(1)(a)) — withdrawable at any time
  • Health data (special category data): your explicit consent (Article 9(2)(a)) — withdrawable at any time without affecting prior lawful processing
  • Research using de-identified data: scientific or statistical research purposes with appropriate safeguards (Article 9(2)(j))

You may withdraw consent at any time by deleting your account or emailing us. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

Automated processing (GDPR Article 22): Bloodwork uses AI models to process your health data and generate personalized outputs as described in Section 3H above. To the extent GDPR Article 22 applies to such processing, you have the right to request human review of any AI-generated output, to express your view, and to contest any output you believe is inaccurate or misleading. To exercise this right, email privacy@bloodwork.app with the subject line "AI Output Review Request," the date of the output, and a description of your concern. We will respond within 45 days.

9. Children's Privacy

Bloodwork.app is not intended for individuals under 18 without parental consent. We do not knowingly collect personal data or health data from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA), or under 16 where required by applicable law.

If we discover that we have inadvertently collected data from a child under 13, we will delete it promptly. Parents or guardians who believe we have collected their child's data may contact us at privacy@bloodwork.app.

10. Changes to This Notice

We may update this Notice periodically.

We will notify users of material changes via:

  • Email
  • In-app notifications

Continued use constitutes acceptance.

11. Research and De-identified Data

We may use aggregated, de-identified Health Data for research, product development, publication of population-level health insights, and to develop, train, evaluate, and improve our AI models and analytical systems. Such data will not contain any information that could reasonably identify you. We do not use individually identifiable health data to train AI models.

You may opt out of having your anonymized data included in research, published analyses, or AI model training at any time by contacting us at privacy@bloodwork.app with the subject line "Research Opt-Out" (this covers both research and AI training opt-out). This does not affect your access to the Services.

12. Contact Information

Bloodwork – Privacy Department

privacy@bloodwork.app

GDPR / EEA / UK inquiries: privacy@bloodwork.app

Washington / Nevada consumer health data rights: Contact us at privacy@bloodwork.app with the subject line "State Health Data Rights Request."