Advoca Health Ltd

Consumer Health Data Privacy Policy

Washington My Health My Data Act

Last updated: June 11, 2026

This Consumer Health Data Privacy Policy is provided in compliance with the Washington My Health My Data Act (RCW 19.373) and applies to consumers whose consumer health data is collected in Washington State. This policy applies in addition to our general Privacy Policy. In the event of a conflict between this Consumer Health Data Privacy Policy and our general Privacy Policy regarding consumer health data, this Consumer Health Data Privacy Policy shall control for Washington consumers.

1. Categories of Consumer Health Data Collected and Purpose

We collect the following categories of consumer health data and use them for the purposes specified:

Audio Recordings of Health Appointments

  • Description: Live audio recorded through the Advoca app during health-related appointments, or recorded audio from telephone appointments uploaded by the consumer.
  • Purpose: To transcribe the appointment and generate a patient-friendly summary of the appointment content for the consumer’s personal use.
  • Audio is temporarily cached for processing and immediately deleted from our servers once processed. Audio is not permanently stored on our backend servers.

Transcripts of Health Appointments

  • Description: Raw and verified text transcriptions of audio recordings from health-related appointments.
  • Purpose: To provide the consumer with a text record of their appointment and to generate AI-powered summaries. Transcripts are also used for verification and error correction to improve summary accuracy.

AI-Generated Summaries of Health Appointments

  • Description: Summaries of health-related appointments generated by large language models (LLMs) in patient-friendly language, with links to verified health information sources.
  • Purpose: To help the consumer retain and understand information from their health appointments, communicate with carers and relatives, and conduct further research into their health.

Associated Appointment Metadata

  • Description: Date, time, and other metadata associated with appointment recordings and summaries.
  • Purpose: To organise and manage appointment records within the consumer’s account.

Optional Health Profile Data

  • Description: Health conditions, ongoing investigations, and other health-related information voluntarily provided by the consumer.
  • Purpose: To understand our user base, tailor the application to the consumer, and improve our Services.\

Health Journal Entries

  • Description: Free-text entries the consumer creates in the in-app health journal. These entries are entered by the consumer and may contain consumer health data.
  • Purpose: To provide the consumer with a personal record of their health, and to understand our user base, tailor the application to the consumer, and improve our Services.

Chatbot Questions and Conversations

  • Description: The questions the consumer asks our in-app chatbot and the content of their conversations with it. These are entered by the consumer and may contain consumer health data.
  • Purpose: To answer the consumer’s health-related questions, and to understand our user base, tailor the application to the consumer, and improve our Services.

Appointment Plans

  • Description: Notes, questions, and plans the consumer prepares within the App for upcoming appointments. These are entered by the consumer and may contain consumer health data.
  • Purpose: To help the consumer prepare for upcoming appointments, and to understand our user base, tailor the application to the consumer, and improve our Services.

Consent to Collection and Sharing

The consumer’s consent to the collection of consumer health data is obtained through the App’s consent flow when the consumer agrees to our Privacy Policy and Terms and Conditions prior to using the Services. The sharing of consumer health data with the third-party processors identified in Section 4 of this policy is conducted under the strictly necessary exception (RCW 19.373 §6(2)), as such sharing is strictly necessary to provide the product or service that the consumer has requested. Without this sharing, Advoca cannot transcribe audio recordings or generate summaries, which are the core Services. The same consent flow covers the optional health profile data, health journal entries, chatbot questions and conversations, and appointment plans the consumer chooses to provide. We use these categories internally to understand our user base, tailor the application, and improve our Services. This internal use applies to all consumers, including paid-tier consumers who have opted out of anonymisation and research sharing; for those consumers, this data is used only within Advoca and is never shared outside Advoca, including in anonymised form. Where we use a processor to support this internal analysis, that sharing is limited to what is strictly necessary to provide the Services.

In-House Analysis to Identify Relevant Opportunities

  • Description: As part of providing the Services, we may analyse your consumer health data internally — including appointment data, optional health profile data, health journal entries, chatbot questions and conversations, and appointment plans — to operate and improve the App and to identify information and opportunities that may be relevant to you.
  • Purpose: To surface information and opportunities relevant to the consumer. This analysis is carried out entirely in house. We do not share your consumer health data outside Advoca for this purpose, and we do not disclose your identity to any third party as part of it. This in-house analysis is separate from, and does not depend on, your research-community consent described below.
  • Disclosure of identity requires separate, specific consent: Where this analysis identifies a specific external opportunity that would involve disclosing your identity or contact details to a third party — for example, an invitation to be considered for a clinical trial or research study run by a partner — we will not share that data on the basis of the general consent flow. Such a disclosure is not within the strictly necessary exception. In each such case, we will first obtain your separate, specific, opportunity-specific consent before sharing any identifying consumer health data with that third party, and you are free to decline without affecting your use of the Services.

Anonymised (Deidentified) Data

With your separate and explicit consent, we may process certain data in a fully anonymised form for research, development, and commercial purposes.

Advoca is offered on a free tier and a paid tier, and you may choose freely between them. The paid tier is a premium product available for a subscription fee: it provides an enhanced in-app experience and additional product features, and it does not require you to join our research community. The free tier is available at no monetary charge to members of our research community, who give separate, explicit consent for us to anonymise their data and use and share it for research, development, and commercial purposes. The difference between the tiers reflects the premium features of the paid product as well as your choice of whether to join the research community. Giving research consent is never a condition of using Advoca’s core appointment features — if you do not wish to join the research community, you can subscribe to the paid tier instead. This is a free choice between two genuine alternatives. You may withdraw your research consent at any time; withdrawal does not affect the lawfulness of processing carried out beforehand. If you are a free-tier consumer and you withdraw this consent, you will need to subscribe to the paid tier to keep using the Services.

The data that may be anonymised and used for these purposes includes appointment data (transcripts and summaries), optional health profile data, health journal entries, chatbot questions and conversations, and appointment plans. Once anonymised, this data may also be used to train and improve the artificial-intelligence and machine-learning models that power Advoca’s features. Under the Washington My Health My Data Act, data that has been fully deidentified is excluded from the definition of "consumer health data." To ensure this data remains exempt, Advoca publicly commits to:

  • Take reasonable measures to ensure the data cannot be associated with any consumer;
  • Maintain and process the data only in a deidentified fashion and not attempt to re-identify it

Because this data cannot be traced back to you, its use and sharing do not constitute the collection, sharing, or sale of consumer health data.

In rare cases it may not be possible to fully deidentify data — for example, where an ultra-rare condition or other characteristic could reasonably identify you even after anonymisation. We will never share data that does, or reasonably could, identify you on the basis of your research-community consent alone. If we ever wish to share such data, we will first seek your separate, express consent to share that specific data with a specific partner for a specific purpose, and you are free to refuse without affecting your use of the Services.

2. Categories of Sources from Which Consumer Health Data Is Collected

Consumer health data is collected from the following categories of sources:

  • Directly from the consumer: Audio recordings initiated by the consumer through the App, audio uploaded by the consumer from telephone recordings, and optional health profile data entered by the consumer.
  • Generated by the Services: Transcripts and summaries generated from audio recordings by our AI processing systems.

3. Categories of Consumer Health Data That Is Shared

The following categories of consumer health data are shared with third parties for the purposes of providing the Services:

  • Audio recordings are shared with Amazon Web Services (Amazon Web Services, Inc.) and Google Cloud Platform (Google LLC) for transcription processing. Zero data retention policies are in place; audio is processed and immediately deleted by the processor.
  • Transcripts are shared with Google Cloud Platform (Google LLC) for personal data removal, verification, and summary generation. Zero data retention policies are in place; transcripts are processed and immediately deleted by the processor.
  • App interaction data is shared with PostHog (PostHog Inc.) for analytics processing to improve our services.
  • Chatbot questions and conversations are shared with Amazon Web Services (Amazon Web Services, Inc.) and Google Cloud Platform (Google LLC) to perform the large language model inference that powers the in-app chatbot. Zero data retention policies are in place; this content is processed and immediately deleted by the processor.

Health journal entries, chatbot conversations, and appointment plans are stored in our database (Supabase) and used internally to understand our user base, tailor the application, and improve our Services. We do not share these categories with third parties except the strictly necessary processing described above and, for free-tier consumers who give research consent, in fully anonymised (deidentified) form as described in Section 1. The only circumstance in which identifiable consumer health data is shared with a third party for any other purpose — such as an invitation to a clinical trial or research study run by a partner — is where you have given separate, specific, opportunity-specific consent for that disclosure, as described in Section 1.

Consumer health data is shared with these processors solely to the extent strictly necessary to provide the Services requested by the consumer. We do not sell consumer health data. We do not share consumer health data for advertising purposes.

If the consumer uses the in-app sharing feature, the consumer may choose to share specific transcripts and summaries with other Advoca users (e.g., carers, relatives). This sharing is initiated solely by the consumer and occurs only at the consumer’s direction.

4. Third Parties and Affiliates with Whom Consumer Health Data Is Shared

The following is a complete list of the categories of third parties and specific affiliates with whom we share consumer health data:

Amazon Web Services, Inc. (Amazon Web Services)

  • Category: Cloud infrastructure, transcription, summary generation, and chatbot LLM inference service provider
  • Data shared: Audio recordings, transcripts, and chatbot questions and conversations (temporarily, for transcription, summary generation, and chatbot LLM inference)
  • Location of processing: European Union
  • Data retention: Zero data retention — data is processed and immediately deleted
  • Contact: https://aws.amazon.com/privacy/ or via https://aws.amazon.com/contact-us/

Google LLC (Google Cloud Platform)

  • Category: Cloud infrastructure and AI processing service provider
  • Data shared: Audio Recordings and Transcripts (temporarily, for transcription, personal data removal, verification, and summary generation), and chatbot questions and conversations (temporarily, for chatbot LLM inference)
  • Location of processing: European Union
  • Data retention: Zero data retention — data is processed and immediately deleted
  • Contact: https://policies.google.com/privacy or via https://support.google.com/

Supabase Inc.

  • Category: Database hosting provider
  • Data shared: Summaries, verified transcripts, appointment metadata, and optional health profile data, health journal entries, chatbot conversations, and appointment plans (for permanent storage)
  • Location of processing and storage**:** United Kingdom.
  • Contact: https://supabase.com/privacy or [email protected]

PostHog Inc.

  • Category: Analytics processor
  • Data shared: App interaction data and device information
  • Location of processing and storage: European Union
  • Contact: https://posthog.com/privacy or [email protected]

Advoca Health Ltd does not have any affiliates with whom consumer health data is shared.

5. How to Exercise Your Rights

Under the Washington My Health My Data Act, you have the following rights regarding your consumer health data:

Right to Confirm and Access

You have the right to confirm whether we are collecting, sharing, or selling your consumer health data, and to access that data. You may exercise this right through the data access features within the Advoca App or by contacting us at [email protected].

Right to Withdraw Consent

You have the right to withdraw your consent to the collection and sharing of your consumer health data at any time. You may withdraw consent by:

  • Deleting your account through the App (which will delete all associated data)
  • Contacting us at [email protected] to request withdrawal of consent

Please note that if you withdraw consent to the collection and sharing of your consumer health data, we will no longer be able to provide the Services to you, as processing your health data is necessary to deliver the core functionality of Advoca.

Your consent to anonymisation and research sharing (Section 1) is separate from your consent to the collection and sharing of consumer health data, and you may withdraw it on its own at any time through the App. If you are a paid-tier consumer, withdrawing it does not affect your use of the Services. If you are a free-tier consumer, you may keep using the Services by subscribing to the paid tier.

Right to Delete

You have the right to request deletion of your consumer health data. You may exercise this right by:

  • Deleting specific appointment data (summaries, transcripts, and associated metadata) within the App
  • Deleting all data associated with your account within the App
  • Contacting us at [email protected] to request deletion

Upon receiving a verified deletion request, we will delete your consumer health data and direct our processors to delete any consumer health data in their possession. Given that our processors operate under zero data retention policies, there is no consumer health data retained by processors to delete.

Appeals Process

If we refuse or are unable to act on a request you have made regarding your consumer health data, you may appeal our decision. To submit an appeal:

  • Email [email protected] with the subject line “MHMDA Appeal.”
  • Include a description of your original request and the reason for your appeal.
  • We will review your appeal and inform you in writing of our decision within forty-five (45) calendar days of receiving your appeal.
  • Our response will include a written explanation of the reasons for our decision.
  • If we deny your appeal, we will provide you with information on how to submit a complaint to the Washington State Attorney General, including the online complaint form available at: https://www.atg.wa.gov/file-complaint

Authorised Agents

You may designate an authorised agent to exercise your rights on your behalf. To do so, please provide the authorised agent with written permission signed by you, and contact us at [email protected] so that we can verify your identity and the agent’s authority.

This Consumer Health Data Privacy Policy contains only the information required under the Washington My Health My Data Act. For complete information about our data practices, please refer to our general Privacy Policy.