Consumer Health Data Privacy Policy

Effective Date: March 28, 2026.

Last Updated: March 28, 2026.

This Consumer Health Data Privacy Policy ("Notice") applies to "consumer health data" as defined under the Washington My Health My Data Act (RCW 19.373), Nevada's Senate Bill 370, and any other applicable state consumer health data privacy law (collectively, "Consumer Health Privacy Laws"). This Notice supplements our general Privacy Policy and Medical Disclaimer. In the event of a conflict between this Notice and our general Privacy Policy regarding consumer health data, this Notice controls to the extent required by applicable Consumer Health Privacy Law.

QuantumOne ("Company," "we," "us," or "our") is a technology company that provides a consumer health optimization mobile application and related services (the "Services"). We are not a healthcare provider, laboratory, or medical facility. We are not a covered entity under HIPAA. For full details about our Services, please see our Privacy Policy.

What Is Consumer Health Data?

Under the Consumer Health Privacy Laws, "consumer health data" means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. Because QuantumOne is a health optimization service, much of the data we collect could constitute consumer health data under this broad definition.

Consumer Health Data We Collect

We collect the following categories of consumer health data:

Health and biometric data from connected wearable devices. Heart rate variability (HRV), sleep score, sleep stages, sleep duration, heart rate, activity levels, step count, blood glucose (continuous glucose monitoring), blood oxygen (SpO₂), respiratory rate, body temperature, and other physiological metrics. This data is collected automatically via the Open-Wearables integration layer when you connect a device such as Oura, Apple Watch, Garmin, Fitbit, Whoop, Dexcom, EightSleep, or other compatible platforms.

Clinical data from uploaded reports. Blood test results (biomarker values, reference ranges), pathology reports, and DEXA scan results (body composition, bone density). This data is collected when you upload PDF files, which are parsed using automated text extraction tools (Amazon Textract, Amazon Comprehend, Tesseract) within the AWS environment.

Genetic data from uploaded files. Raw genetic data files from third-party genetic testing providers (such as 23andMe, AncestryDNA, or whole genome sequencing providers). This data is collected when you upload genetic files in JSON or PDF format.

Supplement, nootropic, and biohack data. Compound names, dosing schedules, timing, and self-reported effects for supplements, nootropics, and biohacking interventions you are trialing. This data is entered by you directly in the app.

Nutrition, habit, measurement, and self-reported data. Dietary intake, habits, body measurements (weight, body composition), and self-reported surveys (mood, cognition, energy). This data is entered by you directly in the app.

Environmental data tied to your location. Temperature, barometric pressure, humidity, UV index, solar radiation, air quality, atmospheric pollutants, pollen, mold risk, water quality, and moon phase. This data is collected automatically from public APIs and datasets and assigned to your account based on your approximate location (~25 km accuracy). No precise GPS coordinates are stored.

Inferred data and correlations. Cross-source correlations, quantified impact estimates, trend analyses, and personalized advice generated by the correlation engine from the data categories listed above.

How We Collect Consumer Health Data

We collect consumer health data from the following sources:

Directly from you: When you manually enter data in the app (supplements, nootropics, biohacks, habits, nutrition, measurements, surveys) or upload files (blood tests, DEXA scans, pathology reports, genetic files).
From connected devices and platforms: Automatically via the Open-Wearables integration layer when you connect a wearable device or health platform.
From public data sources: Environmental data collected from public APIs and government datasets (NWS, NSRDB, AirNow, TROPOMI Sentinel-5, weatherapi.com, EPA/state water portals) and assigned based on your approximate location.
Generated by our systems: The correlation engine analyzes your existing data to generate new inferred data, including correlations, impact estimates, and personalized advice.

How We Use Consumer Health Data

We use consumer health data for the following purposes:

Core service functionality. Powering the correlation engine, generating personalized advice with quantified impact estimates, producing the 3D hologram dashboard, delivering insights and trend analyses, and supporting self-experiment tracking.
Product improvement. Using aggregated and anonymized data to improve the correlation engine and strengthen the accuracy of advice for all users. Individual-level health data is not used for product improvement.
Communications. Sending transactional emails related to your account and, if you opt in, occasional product updates.
Safety, security, and legal compliance. Detecting and preventing unauthorized access, fraud, and abuse; complying with applicable laws.

We do not use consumer health data for advertising or ad targeting. We do not sell consumer health data.

Who We Share Consumer Health Data With

We share consumer health data only with the following categories of recipients, and only as necessary to provide the Services:

Recipient	What Is Shared	Why	Relationship
Amazon Web Services (AWS)	All consumer health data (the Services run entirely on AWS)	Cloud infrastructure, storage, compute, data processing, document parsing (Textract, Comprehend)	Service provider / processor
Open-Wearables	Authentication credentials and data sync metadata for connected wearables	Integration layer enabling connections to wearable devices and health platforms	Service provider / processor
Sentry	App navigation data, crash logs, page timing only. No consumer health data is shared with Sentry.	Error monitoring and crash reporting	Service provider / processor
Stripe	Payment tokens, subscription status, email address	Payment and subscription processing	Service provider / processor
Apple	Subscription and payment data for iOS	In-App Purchase processing	Service provider / processor

We may also disclose consumer health data if required by law, subpoena, court order, or valid legal process, or in connection with a business transfer (merger, acquisition, or asset sale) — in which case we will notify you in advance and give you the opportunity to delete your account.

We do NOT sell consumer health data. We do not share consumer health data for advertising, marketing, or any purpose unrelated to providing the Services. We do not provide consumer health data to employers, insurance companies, or public databases.

How We Protect Consumer Health Data

Encryption at rest (AES-256) and in transit (TLS 1.2 or higher)
Access controls restricting employee and contractor access to a need-to-know basis
Access logging and audit trails
All data processed and stored within the AWS infrastructure in the United States
Data processing agreements in place with all service providers

QuantumOne deliberately does not collect or store your full name, physical address, or phone number. Your consumer health data is associated only with your email address — the only personal identifier we hold.

How Long We Keep Consumer Health Data

Consumer health data is retained for the duration of your active account. If you request account deletion:

Your email address (the only personal identifier we hold) is permanently deleted within 30 days.
All other consumer health data is anonymized (email association permanently removed) within 30 days. Because QuantumOne does not collect names, physical addresses, or phone numbers, removing the email renders the data anonymous — it cannot be linked back to any individual.
Anonymized data is retained indefinitely for aggregate research and correlation engine improvement. Anonymized data is not consumer health data because it is no longer linked or reasonably linkable to any consumer.
Backup copies are processed (email deleted, data anonymized) within 90 days.

Your Rights

Under the Consumer Health Privacy Laws, you have the following rights with respect to your consumer health data:

Right to confirm and access. You may request confirmation of whether we are collecting, sharing, or selling your consumer health data, and request access to the specific consumer health data we hold about you.

Right to delete. You may request deletion of your consumer health data. Upon a verified request, we will permanently delete your email address and anonymize all other data as described above. We will respond to deletion requests within 30 calendar days.

Right to withdraw consent. You may withdraw your consent to the collection and processing of consumer health data at any time. Withdrawing consent does not affect the lawfulness of processing performed before withdrawal. To withdraw consent, disconnect any connected devices or platforms through Settings in the app and submit a deletion request.

Right to know about sharing. You may request a list of all third parties and affiliates with whom we have shared your consumer health data during the preceding 12 months.

Non-discrimination. We will not discriminate against you for exercising any right under the Consumer Health Privacy Laws.

How to Exercise Your Rights

You may submit a consumer health data privacy request by:

Email: privacy@quantumone.app
In-app: Through Settings > Privacy in the app

We will verify your identity before processing any request. For email requests, we will verify ownership of the email address associated with your account. For in-app requests, authentication through the app constitutes verification.

We will respond to requests within 30 calendar days. If we deny a request, we will explain the reason and provide instructions for how to appeal. You may appeal by emailing privacy@quantumone.app with the subject line "Consumer Health Data Appeal."

Consent

We obtain your consent before collecting consumer health data:

For wearable and health platform data, consent is obtained when you initiate the device connection.
For uploaded clinical and genetic data, consent is obtained when you upload the file.
For location-based environmental data, consent is obtained during onboarding.
For supplement, nootropic, biohack, nutrition, habit, measurement, and survey data, consent is obtained when you enter the data.

You may withdraw consent at any time as described above.

We do not sell consumer health data, and we do not share consumer health data without your consent except as described in this Notice.

Geofencing Prohibition

We do not use geofencing technology to identify or track consumers seeking healthcare services at or in proximity to any healthcare facility. We do not collect consumer health data through geofencing around healthcare facilities.

Children

The Services are not intended for anyone under 18 years of age. We do not knowingly collect consumer health data from anyone under 18.

Changes to This Notice

We may update this Notice from time to time. If we make material changes, we will notify you by email and in-app notice at least 30 days before the changes take effect.

Version history. This Notice is maintained in a public, open-source repository alongside our Privacy Policy. A complete version history — including every change, its date, and its content — is transparently available through the repository's commit history.

Contact Us

For questions about this Notice or to exercise your consumer health data rights:

Email: privacy@quantumone.app

Mail: QuantumOne, Inc., Attn: Privacy Officer, 251 Little Falls Drive, Wilmington, DE 19808

You may also file a complaint with the Attorney General of your state if you believe your consumer health data rights have been violated. You will not be retaliated against for filing a complaint.