DRAFT, pending legal review. Supplementary notice for Washington consumers under the My Health My Data Act (Chapter 19.373 RCW). This notice was generated from a codebase audit and is not legal advice. Pending counsel review before publication.
Effective date: [YYYY-MM-DD, TBD before publication]
Last updated: [YYYY-MM-DD, TBD before publication]
In ordinary operation, Apoyu processes raw Apple Health readings on your device and does not transmit those raw readings to our servers. Derived values and certain account-linked metadata are synced as described below.
Apoyu reads heart rate variability, sleep, resting heart rate, respiratory rate, workouts, steps, and active energy from Apple Health on your iPhone. Those raw readings are processed locally by an algorithm that lives on your iPhone. Only a small set of derived values (your recovery score, a few summary statistics, and workout metadata) reaches our servers. Raw samples, individual readings, and timestamped sensor data stay on your device and are erased when you delete your account.
This document explains what consumer health data Apoyu collects, how we use it, who receives it, and how you can exercise your rights under Washington’s My Health My Data Act (“MHMDA”). It supplements our general Privacy Policy. Where the two documents overlap, this one controls for consumer health data covered by MHMDA.
This notice is written in plain language, as required by RCW 19.373.020(2). If anything below is unclear, contact us at support@apoyu.app and we will explain it.
This policy applies to anyone who uses Apoyu. We publish it to comply with the Washington My Health My Data Act, which protects Washington residents.
Apoyu is operated by Daryll Cheng, a sole proprietor doing business as Apoyu (“Apoyu,” “we,” “our,” or “us”).
Apoyu is a general wellness product, not a medical device. Recovery scores and coaching content are not medical advice.
“Consumer health data” under MHMDA means personal information linked or reasonably linkable to a consumer that identifies the consumer’s past, present, or future physical or mental health status. We describe our collection in two buckets: data that stays on your device, and data that we receive on our servers.
The following categories are read from Apple HealthKit, processed locally by the Apoyu algorithm, and stored only in encrypted local storage on your iPhone. In ordinary operation, we do not receive them.
This data is encrypted at rest on your device, not transmitted to us in ordinary operation, and is cleared when you delete your account.
The following derived categories are computed on your device and synced to our servers so the app can give you a daily card, briefing, dare, and collection history.
The recovery score and component z-scores are derived values. They are wellness indicators, not clinical measurements. We declare them as health data here out of caution because Washington’s definition of consumer health data is broad.
The following identifiers and operational data are linked to your consumer health data on our servers:
We do not collect:
If we ever start collecting any of these categories, we will update this policy and obtain fresh consent before doing so.
Apoyu collects consumer health data from two sources, both initiated by you.
Apple HealthKit. With your explicit permission granted through the iOS HealthKit consent sheet, Apoyu reads the categories listed in Section 2.1 from Apple Health. We do not collect health data from any other source. We do not import data from third-party fitness platforms, wearables that are not connected through Apple Health, scales, glucose monitors, or any other device.
You, directly. Daily intentions, journal tags, personality quiz choices, dare completions, and display name come from selections and entries you make inside the app.
We do not buy consumer health data from data brokers. We do not infer consumer health data from public records, social media, or third-party analytics. We do not receive consumer health data from advertising networks or marketing partners.
We share the limited derived data described in Section 5 with service providers only to the extent necessary to provide the briefing, dare, and card features you request. We do not share consumer health data for any purpose beyond service provision.
We collect and use consumer health data only for the following purposes.
We do not use consumer health data for any of the following:
This section is the part Washington’s MHMDA specifically requires us to make clear. We share the categories below with the third parties listed in Section 6. We share these categories with service providers only to the extent necessary to provide the briefing, dare, and card features you request.
| Category we share | Recipients | Purpose |
|---|---|---|
| Derived recovery score (integer 0 to 100) | OpenAI, Anthropic, Supabase | Generate wellness content; store account data |
| Summary biometric values (HRV in milliseconds, resting heart rate in beats per minute, sleep duration in hours) | OpenAI, Anthropic, Supabase | Generate wellness content; store derived metrics |
| Component z-scores, archetype, comfort type, confidence level | OpenAI, Anthropic, Supabase | Personalize wellness content; store derived metrics |
| Workout metadata (type, duration, start/end time, HealthKit source name) | Supabase | Display recent training context; not sent to LLM providers |
| Daily training intention (categorical) | OpenAI (briefings and dares only), Supabase | Personalize briefings and dares; store history |
| Journal tags, dare completions, badges, streaks | Supabase | Persist your collection and progress |
| Display name (pseudonym) | OpenAI, Anthropic, Supabase | Address you by name in generated content |
| Subscription status and event payload | RevenueCat, Supabase | Manage entitlements and billing events |
| Crash and error events (PII scrubbed, no health data) | Sentry | Diagnose and fix problems |
What we do not share with any third party:
Each recipient below is a service provider we use to operate the app. None of them is permitted to use your data for their own advertising or to sell it.
| Third party | Role | Jurisdiction | What they receive | Contact |
|---|---|---|---|---|
| Supabase, Inc. | Database, authentication, and Edge Function compute | United States | All server-synced data: derived recovery scores, component z-scores, workout metadata, daily intentions, dare records, badges, journal tags, subscription state, display name, app open timestamps, notification logs, push token | privacy@supabase.com (https://supabase.com/privacy) |
| OpenAI, L.L.C. | Large language model inference for daily briefings, dares, and common/uncommon trading card commentary | United States | Recovery score, HRV summary in milliseconds, sleep duration in hours, resting heart rate in beats per minute, display name if provided, archetype, intensity level, and daily intention (briefings and dares only) | privacy@openai.com (https://openai.com/policies/privacy-policy) |
| Anthropic, PBC | Large language model inference for rare and legendary trading card commentary | United States | Recovery score, HRV summary in milliseconds, sleep duration in hours, resting heart rate in beats per minute, display name if provided, archetype, and intensity level | privacy@anthropic.com (https://www.anthropic.com/privacy) |
| RevenueCat, Inc. | Subscription processing, entitlement management | United States | Subscription product identifier, transaction events, the Apoyu user identifier (used only as appUserID), and event metadata fields such as currency, country code, environment, and original purchase identifiers. No biometric or recovery data | privacy@revenuecat.com (https://www.revenuecat.com/privacy) |
| Functional Software, Inc. (Sentry) | Crash reporting and diagnostics | United States | Crash and error event payloads. PII fields (email, IP address, identities, user metadata, refresh and access tokens, Apple identifiers, Apple identity tokens, authorization codes, provider strings) are scrubbed before transmission. No biometric, recovery score, or coaching content data | privacy@sentry.io (https://sentry.io/privacy) |
About provider-side training and retention:
store: false).
Provider terms may permit limited retention for abuse prevention; refer to each provider’s privacy policy at the links above for details.
Apple Sign in with Apple and Apple Push Notification service are operated by Apple and are not separately listed here because they are part of the iOS platform. Apple receives only what its own platform documentation describes.
We do not use any advertising SDK. We do not use Google Analytics, Mixpanel, Amplitude, Firebase Analytics, Segment, AppsFlyer, Adjust, Branch, or any similar third-party analytics or attribution provider.
Washington’s MHMDA gives you the following rights regarding consumer health data we hold about you. Apoyu honors these rights for anyone who asks, not only Washington residents.
You may ask us to confirm whether we are collecting, sharing, or selling your consumer health data (we do not sell), and to provide you with a list of all third parties and affiliates with whom we have shared your consumer health data, together with an active email address or other online mechanism you can use to contact them, where required by law. The third-party recipients and their contact mechanisms appear in the table in Section 6.
How to exercise: Email us at support@apoyu.app with the subject line “MHMDA access request.” Include the email address linked to your account so we can verify you. We will respond within 45 days of receipt of your request.
You may withdraw consent at any time for our collection and sharing of your consumer health data.
How to exercise:
Withdrawing consent does not undo processing that already happened.
You may ask us to delete the consumer health data we hold about you. Account deletion is the primary way to do this.
How to exercise: Open the app, go to Settings > Account > Delete Account, and confirm. The app will:
You may also email us at support@apoyu.app with the subject line “MHMDA deletion request.”
We delete consumer health data from our active systems without undue delay and handle archived or backup-system deletion as permitted by applicable law (up to six months for backup systems). We also direct relevant processors and recipients to honor verified deletion requests where the law requires.
A small audit trail of the deletion (the timestamp and the fact that a deletion occurred, with the user identifier removed or anonymized) is retained for compliance purposes. The audit record does not contain consumer health data. See Section 9.
We will not unlawfully discriminate against you for exercising your rights under this policy. However, if you ask us to stop collecting or sharing data needed to provide specific features, those features may no longer function.
To protect your data, we may ask you to verify a deletion or access request by signing in to the app or by confirming control of the email address linked to your account. We will not ask for additional sensitive information.
If we deny a rights request, we will tell you why in writing. You may appeal that decision by emailing support@apoyu.app with the subject line “MHMDA appeal” within 60 days of our denial.
We will respond to your appeal within 45 days of receipt of your appeal. If we maintain our denial, our response will tell you how to contact the Washington State Attorney General’s Office. The Attorney General’s consumer protection page is at https://www.atg.wa.gov/file-complaint.
You may contact the WA Attorney General directly at any time; you are not required to exhaust our internal appeal process first.
You also have the right to bring a private cause of action under RCW 19.373.060 through the Washington Consumer Protection Act.
While your account is active, we retain your consumer health data for as long as you continue to use Apoyu. Daily records (recovery scores, cards, dares, intentions) build your history and collection over time.
When you delete your account, all consumer health data tied to your user identifier is deleted from our active database in a single cascading transaction across every user-keyed table. On-device storage is cleared by the app: rolling baselines, recovery history, card state, settings, and any cached values. Locally stored authentication tokens are cleared from iOS Keychain. Your Sign in with Apple authorization is revoked with Apple before deletion proceeds.
Deleted data may persist in Supabase’s automated database backups for up to 7 days (the standard Supabase backup window for our plan tier), after which it is overwritten. We do not access or restore from these backups except to recover from a service-wide incident.
Two narrow exceptions, neither of which contains consumer health data, are retained after account deletion:
consent_records table that an account deletion occurred, with the user identifier removed or anonymized. Retained for legal compliance under GDPR Article 17(3) and equivalent record-keeping obligations.
For any question about this policy or to exercise any right described above:
Email: support@apoyu.app
Subject lines we monitor: “MHMDA access request,” “MHMDA deletion request,” “MHMDA appeal,” or simply “Privacy question”
App: apoyu.app
General Privacy Policy: https://apoyu.app/privacy
Terms of Service: https://apoyu.app/terms
You may also contact the Washington State Attorney General’s Office if you believe your rights have been violated: https://www.atg.wa.gov/file-complaint.
This document is a draft generated from a codebase audit on 2026-04-29 and revised against second-pass AI review on 2026-05-20. It has not been reviewed by legal counsel and must not be published until reviewed and approved. General provisions on children, HIPAA, security, and change management appear in our general Privacy Policy.