Consumer Health Data Privacy Notice

This Consumer Health Data Privacy Notice ("CHD Notice") is a separate notice required by the Washington My Health My Data Act (RCW 19.373, "MHMDA"), Nevada SB 370 (NRS 603A.400 et seq.), and the Connecticut Data Privacy Act as amended by SB 1295 (effective July 1, 2026). It supplements, and does not replace, our Privacy Policy.

This Notice is linked directly from the footer of ophie.app, adjacent to — and distinct from — our Privacy Policy link, consistent with Washington Attorney General guidance.

• Residents of Washington, regardless of the residence we have on file.
• Consumers physically located in Washington when interacting with the Service.
• Residents of Nevada.
• Residents of Connecticut, for processing on or after July 1, 2026.

MHMDA defines "consumer health data" broadly. For users covered by this Notice, Ophie treats the following as consumer health data:

• voice audio (transient) and the text transcript derived from it;
• message content of your conversations with Ophie;
• memories and topics derived from your sessions;
• emotional snapshots, sentiment, valence/arousal, and wellness trajectory inferences;
• speech-emotion-recognition outputs (when persisted);
• crisis-detection signals (category, confidence, action taken);
• the fact of use (that you use Ophie) and derived usage facts (frequency, duration, topical focus).

We do not process CHD for targeted advertising, for sale, for training any AI model, or for profiling with significant effects.

MHMDA requires named disclosure. The following is the complete list as of the date above:

• Supabase, Inc. — managed Postgres, auth, storage (US).
• LiveKit, Inc. — WebRTC voice transport (US).
• Deepgram, Inc. — speech-to-text (US).
• Cartesia AI, Inc. — text-to-speech, default provider (US).
• ElevenLabs, Inc. — text-to-speech, alternate provider (US).
• Inworld AI, Inc. — text-to-speech, alternate provider (US).
• DigitalOcean, LLC — primary conversational LLM inference (Qwen 3.5-397B) (US).
• Groq, Inc. — background LLM, RAG summarization, and safety-classifier inference (US).
• OpenAI, L.L.C. — fallback LLM, embeddings, sentiment / summary helpers (US).
• Anthropic, PBC — Claude Haiku inference for the image OCR tool (US, accessed via OpenRouter).
• Google LLC (Google AI) — Gemini 2.5 Flash inference for the PDF reading tool (US, accessed via OpenRouter).
• OpenRouter Inc. — routing intermediary for tool-level LLM calls (US).
• Voyage AI, Inc. — text embeddings for memory retrieval (US).
• Pinecone Systems, Inc. — managed vector database (US).
• Stripe, Inc. — payment processing (subscription metadata only) (US).
• Sentry (Functional Software, Inc.) — error telemetry (PII and conversation content scrubbed) (US).
• PostHog, Inc. — product analytics (opt-in; no conversation content; user identifier sent as SHA-256 hash) (US).
• Netlify, Inc.; Render Services, Inc. — application hosting (US).
• Resend, Inc. — transactional email delivery (US).
• Kraken Technologies, S.L. (ipapi.co) — IP-based geolocation for regional access controls (EU).

Ophie has no affiliates receiving CHD at the date above. We do not sell CHD to any person or entity.

Before we collect, process, or share CHD beyond what is strictly necessary to provide the Service you have specifically requested, we obtain your affirmative, opt-in consent. That consent is freely given, specific, informed, unambiguous, and revocable at any time through Privacy Controls or by emailing health-team@ophie.app.

We separately obtain written authorization if we ever intend to sell CHD, in the form required by RCW 19.373.060. We do not currently sell CHD and have no plans to do so.

• Confirm whether we are processing your CHD.
• Access the specific CHD we hold.
• Access the list of third parties that have received your CHD, by name.
• Delete your CHD, with propagation to our processors and downstream recipients.
• Withdraw consent to further processing.

Response timing: 45 days, extendable once by 45 days when reasonably necessary. Appeal on denial; you may also complain to the Washington, Nevada, or Connecticut AG as applicable.

Submit requests at health-team@ophie.app or via in-product Privacy Controls.

We do not use geofences to identify, track, target, collect data from, or send notifications or ads to consumers in relation to their CHD. We do not operate a geofence around any in-person healthcare facility.

We protect CHD with the safeguards described in Section 10 of the Privacy Policy: transport and at-rest encryption; Postgres row-level security; scoped access; vendor due diligence; incident-response procedures. Production access to CHD is restricted and logged.

In the event of unauthorized access, acquisition, or disclosure of CHD, we will notify affected users and regulators per the FTC Health Breach Notification Rule, MHMDA, Nevada breach law, and Connecticut breach law.

Washington MHMDA is enforced by the Washington Attorney General and through the Washington Consumer Protection Act, which provides a private right of action. If you are a Washington resident and believe Ophie has violated MHMDA, you may have a claim in addition to filing with the Washington AG.

We retain CHD only as necessary for the purpose for which it was collected. Specific periods are in Section 9 of the Privacy Policy. Deletion flows propagate to our processors and, where feasible, to backups.

Regulator complaints:

• Washington AG: https://www.atg.wa.gov/file-complaint
• Nevada AG: https://ag.nv.gov/Complaints/CMPL_Main/
• Connecticut AG: https://portal.ct.gov/ag/consumer-filing-a-complaint

Material changes will be communicated by email and in-product notice at least 30 days before taking effect. If a change materially alters how we process CHD, we will solicit a refreshed opt-in consent before applying the change.