Consumer Health Privacy Notice
Calibrate treats questionnaire answers, consult answers, saved protocols, generated guidance, and related timing plans as sensitive consumer-health or health-adjacent data, even though the current website is an educational wellness product and not a HIPAA patient portal.
Last updated June 1, 2026
Scope
This notice applies to Calibrate's web product, questionnaire, consult flow, saved protocol flow, account support, transactional email, analytics limits, and related operational messages. It supplements the general Privacy Policy.
- Privacy Policy - general personal-information policy
- Health Privacy Boundary Notice - HIPAA boundary and no provider-care relationship for the current website
- Privacy Choices - access, deletion, export, correction, and consent-withdrawal requests
Consumer health data we collect
Calibrate classifies the following as consumer-health data or health-adjacent sensitive data when linked to you, your browser draft, or your account.
- Questionnaire and consult answers about wake timing, sleep timing, light access, caffeine timing, midday reset preferences, evening routine, room and screen environment, symptom-like goals, and related wellness-planning inputs.
- Generated protocols, calendar-style recommendations, saved drafts, protocol events, and similar output tied to those questionnaire inputs.
- Consent, support, security, and account records when they are connected to questionnaire or protocol activity.
Sources
Calibrate currently relies on information you enter directly, server-generated protocol logic, and operational metadata needed to run the service. We do not ingest external medical records or third-party health sources for the website.
- No HealthKit or Apple Health imports.
- No Health Connect, Google Fit, wearable, sleep-tracker, or device sync.
- No EHR, provider record, insurance, pharmacy, lab, or medical-record import.
- Any future external health-record or wearable integration requires a separate legal, security, and architecture review before it is enabled.
How we use consumer health data
We use consumer-health data only for product and operational purposes tied to the Calibrate service.
- Generate and save educational wellness guidance requested by the user.
- Authenticate accounts, recover saved work, provide support, and maintain service reliability.
- Protect against abuse, fraud, unauthorized access, security incidents, and operational failure.
- Queue user-requested protocol email without sending raw questionnaire answers to email providers beyond the summary content the user requests.
- Debug and improve the product using minimized, scrubbed, or de-identified operational signals where feasible.
No sale or advertising share
Calibrate does not sell consumer-health data and does not share questionnaire, consult, or protocol content for cross-context advertising, lookalike audiences, retargeting, behavioral advertising, or ad pixels.
- Questionnaire answers, consult answers, protocol JSON, prompt/output bodies, and health labels must not be sent to PostHog, Sentry, affiliate networks, product merchants, ad pixels, lookalike audiences, or retargeting systems.
- Affiliate redirects may use a server-generated click ID for attribution, but not questionnaire answers, protocol content, health labels, email addresses, or raw IP addresses.
- Analytics and monitoring providers are limited to event, performance, security, and error signals with sensitive content redacted or blocked.
Service providers
We use service providers to operate Calibrate, such as hosting, database, authentication, email, background-job, analytics, monitoring, anti-abuse, backup, and storage providers. They may process information for Calibrate's operational purposes and not for their own advertising use.
- Current provider categories include Vercel, Neon, Clerk, Postmark, Trigger.dev, Upstash, PostHog, Sentry, Cloudflare Turnstile/WAF/R2, and Vercel Blob or AI Gateway when enabled.
- Provider scopes, data categories, DPAs, and transfer terms are maintained as part of ongoing legal and security review.
Your consumer-health rights
Depending on where you live, you may be able to request access, deletion, export, correction, consent withdrawal, appeal, or review of a denied request. Washington consumers may have rights under the My Health My Data Act if Calibrate is in scope. California residents may have sensitive-personal-information rights if Calibrate meets CCPA/CPRA business thresholds or other applicable requirements.
Submit a privacy or consumer-health request - email-based workflow while self-serve controls are being built
Deletion and retention
When account deletion is processed, Calibrate is designed to delete saved questionnaire submissions, generated protocols, protocol events, and related email job payloads tied to the account, and to de-identify retained operational records where feasible. Narrow consent, audit, security, email-delivery, affiliate/accounting, provider, and backup records may remain where needed for legal, security, fraud-prevention, dispute, backup-rotation, or operational reasons.
Health breach handling
If Calibrate identifies an unauthorized acquisition, disclosure, or access event involving unsecured identifiable consumer-health information, we will evaluate whether federal or state health-breach notification rules apply and follow the incident runbook for affected-user, regulator, provider, and counsel escalation.
Future integrations
Calibrate must update this notice and complete legal, security, analytics, vendor, and consent review before enabling external health records, wearable sync, lab workflows, provider dashboards, insurance workflows, behavioral advertising, or any sharing of consumer-health data outside the operational providers described above.