Consumer Health Data Privacy Policy

Effective Date: May 7, 2025
Issued by: Up4adate Inc.
Address: 8 The Green, Ste A, Dover, DE 19901
Contact: app@up4adate.com

This Consumer Health Data Privacy Policy supplements Up4adate’s main Privacy Policy and is intended to comply with U.S. state consumer health data laws, including but not limited to:

  • Washington My Health My Data Act (MHMDA)

  • Nevada Senate Bill 370

  • Connecticut Data Privacy Act (CTDPA)

  • Oregon Consumer Privacy Act (OCPA)

  • California Consumer Privacy Act as amended by CPRA (CCPA/CPRA)

  • And other state or federal regulations governing the collection, use, and disclosure of Consumer Health Data (“CHD”)

Up4adate Inc. (“Up4adate,” “we,” “our,” or “us”) is committed to ensuring that any information subject to these laws is handled with the highest level of transparency, control, and security.

1. Scope of This Policy

This Policy applies exclusively to Consumer Health Data collected, processed, or shared by Up4adate in connection with your use of our mobile application, website, or affiliated services (collectively, the “Services”), and covers both:

  • Identifiable health-related data tied directly to you

  • Derived or inferred health signals reasonably linked to your well-being, identity, or behavior

This Policy governs data collected from residents of U.S. states that regulate CHD and applies where such data:

  • Is collected from a U.S.-based individual or device

  • Is reasonably capable of being associated with you

  • Falls under a state’s statutory definition of “Consumer Health Data”

For Purposes of this Policy, Consumer Health Data May Include:

  • Biometric identifiers (e.g., video verification data used for identity confirmation, but not stored as biometric templates)

  • Information about sexual orientation, gender identity, or relationship preferences, if voluntarily provided

  • Geolocation data, if it may indirectly reveal health-related behavior (though we do not infer health status from location)

  • User-submitted emotional feedback related to dating interactions or emotional well-being

  • Behavioral patterns or in-app signals that may be used to support safety or trust-scoring features (e.g., EchoID), if linked to emotional context

What Is Not Covered by This Policy:

This Policy does not apply to:

  • Non-health-related data governed by Up4adate’s general Privacy Policy

  • Aggregated or de-identified information that cannot reasonably be linked to an individual

  • Information collected under HIPAA-covered entities or providers (Up4adate is not a Covered Entity or Business Associate under HIPAA)

Policy Integration and Conflict

Where this Policy differs from our general Privacy Policy, this Policy controls with respect to any data classified as Consumer Health Data under applicable law. For all other information, our main Privacy Policy remains in force.

2. What Consumer Health Data We Collect

Up4adate Inc. collects only the minimum amount of Consumer Health Data (“CHD”) necessary to support legitimate user safety, personalization, and trust features. All CHD collection is:

  • Voluntary or explicitly consented to

  • Transparent in purpose and scope

  • Never used for advertising, resale, or unrelated profiling

The types of CHD we collect are limited and carefully controlled, as detailed below.

a. Biometric Verification Data

  • What We Collect: A short selfie-style video during account registration

  • Why: To confirm the user is a real person and to prevent fake or bot accounts

  • How It’s Used:

    • Used exclusively for identity verification

    • Not used to generate or store biometric identifiers or faceprints

    • Not shared, sold, or visible to other users

  • Storage Limits: Retained only while your account remains active; never stored as biometric templates

  • Legal Classification: May be classified as biometric-related CHD under certain state laws

b. Sexual Orientation and Relationship Preferences

  • What We Collect:

    • Gender identity

    • Sexual orientation or interest

    • Relationship goals (e.g., dating, serious, casual)

  • Why: To improve the quality and relevance of match suggestions

  • How It’s Used:

    • Optional input, visible only within app settings or your profile

    • Not used to infer other sensitive traits

    • Never sold or shared for advertising

  • Legal Classification: May be considered CHD where such traits relate to emotional or sexual well-being

c. Geolocation Data (When Enabled)

  • What We Collect: Approximate or precise location

  • Why: To recommend nearby venues, time-based invitations, or localized matches

  • How It’s Used:

    • Only collected with your opt-in consent

    • Never used to infer visits to healthcare facilities, clinics, or other sensitive locations

    • Not combined with any third-party location datasets

  • Legal Classification: May be considered CHD if location could infer health-related behavior under state law

d. Emotional Feedback & Interaction Data (EchoID – Experimental)

  • What We Collect:

    • Optional emotional check-ins after a real-life meeting (e.g., “How did this interaction feel?”)

    • Micro-ratings or sentiment reflections, if submitted

  • Why: To help users reflect on dating interactions and improve platform trust

  • How It’s Used:

    • Fully anonymized before analysis

    • Not linked to medical conditions, diagnoses, or therapy models

    • Not used for AI-generated content or commercial profiling

  • Legal Classification: May be considered CHD as it reflects user emotional state or interpersonal well-being

e. Behavior-Based Safety Signals (Health-Adjacent, Not Diagnostic)

  • What We Monitor:

    • Patterns of ghosting, aggression, or suspected manipulation

    • Message tone or frequency that may indicate unsafe behavior

  • Why: To support moderation and user safety

  • How It’s Used:

    • May trigger internal reviews or moderation alerts

    • Not used to label mental health conditions or generate health scores

  • Legal Classification: May qualify as CHD where behaviors are tied to emotional state or well-being assessments

| Category | Collected | Consent Required | Used for Profiling | Shared/Sold |
|---|---|---|---|---|
| Biometric Verification Video | Yes | Yes | No | No |
| Sexual Orientation Preferences | Optional | Yes | No | No |
| Geolocation Data | Optional | Yes | No | No |
| Emotional Feedback (EchoID) | Optional | Yes | No (anonymized) | No |
| Behavior Signals (Non-medical) | Indirect | N/A (for safety) | No | No |

3. How We Use Consumer Health Data

Up4adate uses Consumer Health Data (“CHD”) solely to support legitimate, narrowly defined purposes in compliance with U.S. state laws (e.g., Washington MHMDA, Nevada SB 370). We do not use CHD for behavioral advertising, profiling unrelated to core functionality, or any form of commercial resale.

All processing is:

  • Purpose-limited

  • Consent-based or contractually required

  • Aligned with user expectations

  • Subject to strict internal governance controls

a. Identity Verification and Anti-Impersonation

  • Purpose: To ensure that users are real individuals and not bots, fake accounts, or bad actors

  • Data Used: Biometric verification video (collected during onboarding)

  • Safeguards: Not used for facial recognition databases, not retained as biometric templates, and never visible to others

b. Personalization Based on Stated Preferences

  • Purpose: To tailor matches and recommendations to your gender identity, orientation, and relationship intent

  • Data Used: Voluntarily provided orientation, identity, and interest data

  • Safeguards: Only used within the Up4adate ecosystem; not shared with advertisers or third parties

c. Location-Based Feature Enablement

  • Purpose: To suggest relevant venues, spontaneous invitations, or local date opportunities

  • Data Used: Geolocation (only with opt-in)

  • Safeguards: Never used to infer medical visits; not combined with health-related location datasets

d. Safety, Trust, and Platform Integrity

  • Purpose: To flag behavior that may indicate spam, abuse, or unsafe interactions

  • Data Used: Interaction patterns, emotional feedback (EchoID), or safety signal metadata

  • Safeguards: All moderation decisions are reviewed by trained human moderators; AI is assistive only

e. Future Trust Infrastructure Development (EchoID)

  • Purpose: To allow users to reflect on their emotional experience during real-world interactions and improve authenticity on the platform

  • Data Used: Voluntary micro-feedback or emotional reflection (e.g., "How did that meeting feel?")

  • Safeguards:

    • Data is anonymized and de-identified

    • Not used for medical analysis or therapeutic outcomes

    • Not disclosed externally or used for algorithmic scoring outside platform trust metrics

f. Compliance with Law and Legal Enforcement

  • Purpose: To comply with applicable law, respond to lawful subpoenas, or enforce our Terms of Use

  • Data Used: May include CHD only when disclosure is required by law

  • Safeguards: We evaluate each legal request for scope, legality, and necessity. Data is disclosed only with a lawful basis and minimum scope.

What We Explicitly Do Not Do:

  • We do not use CHD for behavioral advertising or retargeting

  • We do not resell or share CHD with third-party ad networks or data brokers

  • We do not use CHD to make automated decisions that produce legal or significant effects on users

  • We do not conduct any medical or therapeutic assessments using CHD

  • We do not train external AI systems using CHD

4. Data Sharing & Disclosure

Up4adate does not sell or commercially share Consumer Health Data (“CHD”) under any circumstance. We only disclose CHD in narrowly defined, legally compliant situations and always under strict contractual, technical, and purpose-specific safeguards.

We maintain an internal access log for all CHD processing activities and limit access strictly on a documented, need-to-know basis.

a. We Never Sell or Commercialize CHD

  • No sale to data brokers

  • No third-party advertising integrations using CHD

  • No monetization of emotional, sexual, biometric, or health-adjacent data

b. Permitted Disclosures (Limited and Controlled)

We may share CHD only in the following cases:

1. With Authorized Service Providers

  • Purpose: To securely host, process, or store CHD on our behalf

  • Examples: Cloud infrastructure providers, security vendors, verification platforms

  • Safeguards:

    • All vendors are bound by legally enforceable Data Processing Agreements (DPAs)

    • Prohibited from secondary use, profiling, or retention beyond contractual scope

    • Regularly audited for compliance

2. With Government Authorities or Law Enforcement (Where Legally Required)

  • Purpose: To comply with applicable legal obligations, court orders, subpoenas, or agency investigations

  • Process:

    • We conduct a legal and necessity review of each request

    • Disclose only the minimum data necessary

    • Notify the user of the request unless legally prohibited

3. With Your Explicit Consent

  • Purpose: To support a specific feature, service, or integration that you request

  • Examples: Participation in an experimental feature (e.g., EchoID beta program)

  • Safeguards:

    • Consent must be clear, specific, informed, and opt-in

    • You may withdraw consent at any time

c. Data Access Governance

  • Access to CHD is limited to trained, authorized personnel

  • All access is logged, time-stamped, and monitored

  • Internal access must be:

    • Purpose-specific

    • Documented in access control systems

    • Subject to periodic review

| Recipient Type | Purpose | Conditions | CHD Use Permitted? |
|---|---|---|---|
| Cloud Hosting Providers | Secure data storage | DPA required; zero marketing use | Limited |
| Identity Verification | Confirm user authenticity | Contractually bound; one-time use | Limited |
| Law Enforcement | Comply with lawful demand | Legal review + user notice when possible | Minimal |
| Other Third Parties | Only with explicit user consent | Documented consent required | User-controlled |
| Advertisers / Brokers | Not applicable | N/A | Never |

5. User Rights

Up4adate is committed to honoring your rights under applicable U.S. state laws that govern Consumer Health Data (CHD), including Washington’s My Health My Data Act (MHMDA), Nevada SB 370, and other emerging consumer health privacy frameworks.

Depending on your state of residence, you may have the following rights with respect to your CHD. We provide these rights without discrimination, subject to verification of your identity and compliance with legal retention or security obligations.

a. Right to Access

You have the right to request:

  • Whether we are collecting or processing any CHD about you

  • A copy of your CHD, in a portable and readily usable format

  • A list of third parties and affiliates (if any) to whom your CHD has been disclosed, including the purpose and scope of each disclosure

b. Right to Delete

You may request the deletion of any CHD that we collected from or about you. Upon verification of your request:

  • We will delete such data unless retention is required for:

    • Legal compliance

    • Security purposes

    • Fraud detection

    • Completion of a transaction you initiated

c. Right to Withdraw Consent

Where we rely on your consent to collect or use CHD (e.g., geolocation, orientation, EchoID participation), you may:

  • Withdraw that consent at any time

  • Prevent any further collection or use of the affected data

  • Request deletion of prior data collected under that consent, where allowed by law

d. Right to Correct

You may request that we update or correct inaccurate or outdated CHD associated with your account. This includes correcting preference data that was entered in error.

e. Right to Know How CHD Has Been Used

You may request:

  • A summary of how your CHD has been used in the last 12 months

  • The purposes for which it was processed

  • The categories of individuals or vendors who accessed it

f. Right to Appeal

If we deny any part of your request, you have the right to appeal the decision. We will:

  • Respond to your appeal in writing within 45 days

  • Provide a clear explanation of our reasoning

  • Inform you of how to escalate the matter to a relevant state authority, if applicable

g. How to Exercise Your Rights

To submit a request regarding your CHD, contact us at:

Email: privacy@up4adate.com
Postal Address:
Up4adate Inc.
Attn: Privacy Officer
8 The Green, Ste A
Dover, DE 19901
United States

We may request information to verify your identity, such as:

  • Your email address

  • A verification code sent to your device

  • Confirmation of recent activity on your account

We will respond within 45 days of receiving a valid, verifiable request. Extensions of an additional 45 days may apply where permitted by law, in which case you will be notified in advance.

6. Data Security

Up4adate Inc. applies a multi-layered security framework to protect Consumer Health Data (“CHD”) from unauthorized access, use, disclosure, alteration, or destruction. We align our security posture with industry standards, state privacy laws, and best practices for sensitive data, including biometric, emotional, and health-adjacent signals.

We treat CHD as a high-risk data category and apply stricter controls accordingly.

a. Technical Safeguards

  • End-to-End Encryption
    All CHD is encrypted:

    • In transit using TLS 1.2 or higher

    • At rest using AES-256 or equivalent cryptographic protocols

  • Data Segmentation
    CHD is logically and/or physically isolated from other data types, reducing attack surface and risk of accidental exposure.

  • Secure Authentication

    • Role-based access control (RBAC) for internal personnel

    • Multi-factor authentication (MFA) for systems handling CHD

    • Automatic session timeouts for sensitive data views

  • No Biometric Template Storage
    Biometric videos (used for verification) are stored as raw files for human review only.

    • We do not extract or store faceprints, hashes, or biometric identifiers

    • Videos are deleted when the account is closed or after a retention limit is reached

b. Organizational & Operational Safeguards

  • Internal Governance
    Access to CHD is limited to pre-authorized personnel with defined job roles and tracked through access logs and change audits

  • Data Minimization by Design
    We collect only what is necessary for specific, disclosed purposes. No unnecessary retention of emotional, sexual, or biometric data occurs.

  • Security Training & Confidentiality
    All employees with access to CHD undergo specialized security and privacy training and are bound by confidentiality agreements

  • Vendor Management
    Any service provider with access to CHD must:

    • Sign a Data Processing Agreement (DPA)

    • Pass security due diligence

    • Be monitored for compliance with security obligations

c. Testing, Auditing & Incident Response

  • Vulnerability Assessments
    Regular internal testing and third-party penetration testing are conducted, with CHD systems included in scope.

  • Automated Threat Detection
    Security event monitoring systems detect unauthorized access attempts or suspicious behavior in real time.

  • Incident Response Plan (IRP)
    In the event of a suspected breach involving CHD:

    • Users and regulators will be notified without undue delay, where required by law

    • Root cause analysis and remediation are initiated immediately

    • Full post-incident review and reporting is conducted

Security Certifications (via Infrastructure Providers)

Our hosting infrastructure providers maintain the following certifications (or equivalent):

  • ISO/IEC 27001 – Information Security Management

  • SOC 2 Type II – Trust Service Criteria

  • PCI-DSS – For any systems involving payment data

7. Retention

Up4adate retains Consumer Health Data (“CHD”) only for as long as necessary to fulfill the specific, disclosed purposes for which it was collected — or as required by applicable law, contractual obligation, or internal risk management policy. We follow the principle of data minimization, and apply purpose-based retention schedules to all CHD.

a. General Retention Principles

We retain CHD:

  • Only while your account is active, or for a short period after closure (e.g., for fraud prevention or dispute resolution)

  • Only for the purpose it was collected (e.g., identity verification, safety monitoring)

  • Only when retention is required by law, or for legitimate legal defense, audit, or compliance needs

Once data is no longer necessary, it is securely deleted, anonymized, or segregated for archival based on applicable data destruction protocols.

b. Retention by Data Type

| CHD Category | Retention Period |
|---|---|
| Biometric Verification Video | Retained only while account remains active; deleted within 90 days of account closure |
| Sexual Orientation or Preferences | Retained until account deletion or user manually removes it |
| Geolocation Data | Retained temporarily for session-level feature use; not stored long-term unless required for security logging |
| Emotional Feedback (EchoID) | Retained in anonymized form only; user-linked data deleted upon request or account closure |
| Behavioral Safety Signals | Retained up to 24 months for safety audits, moderation integrity, and legal defense |
| Legal Compliance Logs | Retained up to 7 years, where required for audit, taxation, or regulatory inquiry |

c. Deletion Protocols

  • Data is permanently deleted from active databases and caches

  • Encrypted backups containing CHD are rotated and purged on a defined lifecycle (typically ≤90 days)

  • Requests for deletion under Section 5 (User Rights) are processed promptly and confirmed upon completion

  • Deletion events are audited and logged for accountability

d. Exceptions to Immediate Deletion

In limited cases, CHD may be retained for longer periods if:

  • Required to resolve an active legal dispute or enforce our Terms of Use

  • Needed to investigate potential violations (e.g., fraud, impersonation)

  • Necessary to comply with financial or regulatory retention mandates

8. How We Use Health-Adjacent Signals

Up4adate may process certain behavioral and emotional data points that, while not classified as medical or diagnostic data, could be interpreted as reflecting a user’s emotional or relational state. These are referred to as “health-adjacent signals.”

Such signals are handled with heightened care due to their potential sensitivity, and are never used to infer or diagnose mental or physical health conditions.

a. What Are Health-Adjacent Signals?

Health-adjacent signals include:

  • In-app behavioral patterns (e.g., ghosting frequency, responsiveness, sentiment trajectory)

  • Optional post-interaction emotional feedback (e.g., how a date felt)

  • Message rhythm, tone shifts, or turn-taking balance

  • Anomalies or escalations flagged for safety moderation (e.g., suspected harassment)

These signals are used only in the context of platform safety, trust building, and product improvement, not for health profiling or treatment analysis.

b. Use of AI Tools

We may use AI-assisted tools to support the analysis of health-adjacent signals. These tools:

  • Detect suspicious or unsafe behaviors (e.g., bot-like activity, emotional manipulation patterns)

  • Flag potential violations of our Terms of Use for human moderator review

  • Identify opportunities to improve emotional safety features (e.g., EchoID insights)

Important: These systems are not diagnostic, and are not used for psychological profiling, health assessments, or automated content decisions with significant user impact.

c. Human Oversight & Limitations

  • All decisions involving emotional data, safety flags, or user reputation are reviewed by trained human moderators.

  • AI outputs are used for support, not enforcement — no user is banned, restricted, or profiled by AI alone.

  • Users are not labeled, scored, or sorted based on emotional or psychological assumptions.

d. Disclosure and Consent

  • Participation in features like EchoID is explicitly opt-in

  • No emotional or behavioral data is used for advertising, personalization, or third-party sharing

  • These signals are not connected to medical records or external health databases

e. Disclaimer

Health-adjacent signals are intended to support trust and safety on the platform. They:

  • Do not constitute health data under HIPAA or similar medical frameworks

  • Are processed in accordance with state privacy laws governing inferred emotional or relational well-being

  • Are not a substitute for professional psychological or medical advice

9. Changes to This Policy

We may update this Consumer Health Data Privacy Policy to reflect changes in legal requirements, regulatory guidance, product features, or internal data governance practices. When we make material changes to the way we collect, use, or disclose Consumer Health Data (“CHD”), we are committed to notifying you clearly and in a timely manner.

a. Notification of Changes

If we make material changes, we will notify you by:

  • Posting an updated version of this Policy within the app and/or on our website

  • Updating the “Effective Date” and clearly marking the most recent changes

  • Providing in-app alerts or email notices where the law requires, especially if new CHD uses or processing purposes are introduced

Where required by law, we will obtain your affirmative consent before applying changes to how we collect or use CHD.

b. Material vs. Non-Material Changes

  • Material changes include:

    • Introducing new categories of CHD

    • Changing how CHD is shared, processed, or retained

    • Adding new uses of AI involving health-adjacent signals

    • Expanding disclosures to third parties (even service providers)

  • Non-material changes may include formatting, clarification, or legal citation updates that do not alter your rights or our practices

c. Your Continued Use Constitutes Acceptance

By continuing to use the Services after any update to this Policy becomes effective, you acknowledge and agree to the revised terms. If you do not agree, you have the right to stop using the Services and request deletion of your CHD at any time (see Section 5: User Rights).

10. Contact

If you have any questions, concerns, or requests regarding this Consumer Health Data Privacy Policy or the handling of your Consumer Health Data (“CHD”), you may contact us using the information below.

We are committed to responding promptly, transparently, and in accordance with all applicable U.S. state laws.

Contact Information

Data Protection Officer
Up4adate Inc.
8 The Green, Suite A
Dover, DE 19901
United States

Email: app@up4adate.com

Additional Contact Notes

  • For requests related to access, deletion, correction, or consent withdrawal, please clearly specify the nature of your request in the subject line (e.g., “CHD Deletion Request”).

  • We may require additional verification steps to confirm your identity before fulfilling your request, as outlined in Section 5: User Rights.

  • If you are a resident of a state with a CHD law in effect and believe your rights under that law have been violated, we encourage you to contact us first. You also have the right to contact your state’s Attorney General or Consumer Protection Authority.