Legal · Washington

Consumer Health Data Privacy Notice.

Last updatedMay 11, 2026
EffectiveMay 11, 2026
Reading time~9 minutes
Version1.3

Required by Washington's My Health My Data Act (RCW 19.373). Provided for Washington consumers — and anyone else who wants to read it.

Washington has one of the strongest health-data privacy laws in the country. We take it seriously. If you live in Washington, this Notice is your contract with us.

This Notice satisfies the My Health My Data Act (RCW 19.373) and describes the consumer health data we handle, who receives it, and how to exercise your rights. The contact section at the bottom is the actionable part.

The short version

  • We collect health data so KaleWay can do its job — meal plans, workouts, KaleAI conversations.
  • We do not sell your health data. Ever.
  • We do not use it for advertising or share it with data brokers.
  • You can ask us what we hold, get a copy, or delete it — Section 8 lays out every right.
  • Email support@kaleway.com with the subject "Washington Health Data Request" and we'll respond within 45 days.

01Who this Notice applies to

This Notice applies to consumer health data (defined in Section 2) that is collected, processed, shared, or sold by Granviex, LLC (operating as KaleWay) about Washington consumers.

For purposes of this Notice, a Washington consumer is a natural person who is either:

  • A Washington state resident, or
  • A natural person whose consumer health data is collected in Washington

If you are a Washington consumer using KaleWay, this Notice describes the rights you have over your consumer health data and how we handle it.

If you are not a Washington consumer, our Privacy Policy describes how we handle your data, including any rights you may have under your state's or country's laws. The substance of how we handle health information is the same; the legal framework that gives you enforceable rights differs.

02What "consumer health data" means under Washington law

The Washington My Health My Data Act defines consumer health data broadly. It is not limited to traditional medical records. It includes any personal information that identifies a consumer's past, present, or future physical or mental health status — including information that we infer from non-health data.

For KaleWay specifically, consumer health data includes (but is not limited to):

  • Your weight, height, age, and biological sex when used to assess your health status
  • Your dietary restrictions when they relate to health (gluten-free for celiac, dairy-free for lactose intolerance, etc.)
  • Your health conditions (pregnancy, breastfeeding, menopause, polycystic ovary syndrome, thyroid conditions, others) that you tell us about
  • Your weight loss goals and target weight
  • Your eating patterns, mood entries, and behavioral patterns when they suggest something about your mental or emotional health
  • Your conversations with KaleAI when those conversations reveal information about your health
  • Your "Why List" entries when they reveal personal information about your physical, mental, or emotional state
  • Inferences we make about your likely state of health based on the data you provide
  • Information about your use of our app when that use suggests health status (for example, frequent use of the SOS / Help Me Now flow)

This is a broad definition. That breadth is intentional in the law. We are taking it seriously.

03Categories of consumer health data we collect

We organize the consumer health data we collect into four categories.

Health profile data — you provide directly

Data you enter into the app or tell KaleAI:

  • Weight, height, age, biological sex
  • Goal weight and weight loss timeline
  • Dietary restrictions (vegetarian, gluten-free, dairy-free, etc.)
  • Health conditions you choose to share (pregnancy, breastfeeding, menopause, polycystic ovary syndrome, thyroid conditions, others)
  • Food likes, dislikes, and preferences
  • Workout history and energy levels
  • Mood entries and stress levels
  • Personal motivation statements ("Why List")
  • Trigger profile (your responses about which moments make eating challenging)

Conversational and behavioral data — you generate as you use KaleWay

  • Your conversations with KaleAI (text)
  • Meal logs (what you ate, when, and why if you tell KaleAI)
  • Weight check-ins over time
  • App usage patterns (which features you use, which screens you visit)
  • Your engagement with crisis resources when surfaced by the app

Sensor data — Apple HealthKit, only with your permission

If you grant permission:

  • Weight readings from HealthKit
  • Daily step count and active energy

We do not access any other category of HealthKit data.

Inferred data — what we derive

Based on what you provide and how you use the app, KaleWay may infer:

  • Your likely body mass index (BMI)
  • Your likely caloric needs
  • Patterns in your relationship with food
  • Patterns in your motivation, energy, and emotional state

These inferences are also consumer health data under MHMDA and are protected the same way.

04Sources of consumer health data

  • Directly from you — when you sign up, complete onboarding, update your profile, log meals, talk to KaleAI, or otherwise interact with the app
  • From Apple HealthKit, only when you grant permission, and only the categories listed in Section 3
  • From service providers acting on our behalf — for example, RevenueCat tells us you have an active subscription so we can determine your access to features. We do not receive new health data from RevenueCat.

We do not purchase, license, or otherwise acquire consumer health data from third-party data brokers, advertisers, or marketing platforms. We do not receive your data from your employer, your insurance company, or any healthcare provider.

05Categories of consumer health data shared

When we share consumer health data with the third parties listed in Section 6, we share only the data categories necessary for that recipient's purpose. The categories shared with each recipient are described next to that recipient in Section 6.

We do not share consumer health data:

  • With advertisers, advertising networks, or marketing platforms
  • With data brokers
  • With your employer, insurance company, or healthcare provider (unless you specifically request and authorize a future integration we have not yet built)
  • With anyone outside the named recipients in Section 6

Note about advertising-measurement events. Our iOS app uses Meta's measurement tools to attribute installs and subscription starts to ads we run. The data we send to Meta is strictly limited to non-health data: a SHA-256 hashed version of your email and KaleWay user ID, your IP address, the name of the event (such as “Install” or “StartTrial”), and — for subscription events — the purchase amount. We never send Meta any consumer health data: no weight, no HealthKit data, no mood logs, no dietary restrictions, no allergies, no health conditions, no KaleAI conversations, and no behavioral patterns. See our Privacy Policy §5 for the complete list of fields and how they travel.

Note about AppsFlyer (V1.0.2+). Our iOS app also uses AppsFlyer Ltd. as a Mobile Measurement Partner that forwards the same kind of non-health advertising-measurement events to multiple ad networks (Meta, TikTok, Apple Search Ads, Google). The data we send to AppsFlyer is strictly limited to non-health data: AppsFlyer's own per-install device identifier, your KaleWay user ID (a UUID, not your email), your IP address, the event name (e.g., “Install” or “StartTrial”), event parameters (paywall variant, plan type — never health-related), and — for subscription events — the purchase amount via RevenueCat's server-to-server forwarding. We never send AppsFlyer any consumer health data: no weight, no HealthKit data, no mood logs, no dietary restrictions, no allergies, no health conditions, no KaleAI conversations, and no behavioral patterns. See our Privacy Policy §5 for the complete list of fields and how they travel.

06Third-party recipients

We name each third-party recipient explicitly. For each, we describe what they receive, why, where they are located, and how to contact them. If a recipient is missing from this list, we are not sharing your data with them.

Anthropic, PBC

AI processing
  • ReceivesYour messages to KaleAI; recent conversation context; first name; dietary restrictions, health conditions, weight loss goal, trigger profile, "Why List," today's meals, food preferences, and wake/sleep times when relevant
  • WhyTo power KaleAI's responses and AI-generated meal plans, Trap Cards, and Mind Moments
  • LocationUnited States
  • Retention~7 days under our commercial API terms; longer in trust & safety reviews
  • Contactprivacy.claude.com
  • MoreAI Privacy Notice →

Supabase, Inc.

Backend
  • ReceivesAll consumer health data on your account — Supabase operates our backend database
  • WhyTo provide the database and authentication infrastructure that the app depends on
  • LocationUnited States
  • RetentionAs long as your account is active, plus a brief deletion window after account closure
  • Contactsupabase.com/privacy

RevenueCat, Inc.

Billing
  • ReceivesAn anonymous user identifier and your subscription state. Not your health data.
  • WhyTo manage subscription billing across iOS and Android
  • LocationUnited States
  • Contactrevenuecat.com/privacy

FatSecret Platform API

Nutrition
  • ReceivesFood queries (what foods you or KaleAI search for or look up). Not your identity, weight, health conditions, or any health data tied to you.
  • WhyTo provide nutritional information about specific foods
  • LocationUnited States and Australia
  • Contactplatform.fatsecret.com/privacy

Apple Inc.

Auth · HealthKit · Store
  • ReceivesHealthKit is read-only on your device — Apple does not receive new health data through HealthKit. Sign in with Apple receives an anonymous identifier we use to authenticate you. The App Store receives subscription transaction information.
  • WhyAuthentication, payment processing, and HealthKit integration
  • Contactapple.com/legal/privacy

Google LLC

Play · Email infra
  • ReceivesSubscription transaction information for Android subscriptions. Google Workspace also processes the contents of any email you send to support@kaleway.com (which may contain health data if you choose to share it).
  • WhyAndroid subscription billing and the email infrastructure that handles your support requests
  • Contactpolicies.google.com/privacy

Meta Platforms, Inc.

Ad measurement · iOS app only
  • ReceivesNon-health advertising-measurement events from the iOS app only: SHA-256 hashed email, SHA-256 hashed user ID, IP address, event name (Install / CompleteRegistration / InitiateCheckout / StartTrial / Subscribe), purchase amount on subscription events, and — only if you granted Apple's tracking prompt — IDFA. Meta receives zero consumer health data from KaleWay.
  • WhyInstall attribution and subscription conversion measurement so we can spend our marketing budget responsibly. Not used for retargeting or behavioral ad targeting on KaleWay's side.
  • LocationUnited States
  • Your controlApple App Tracking Transparency prompt (Ask App Not to Track withholds your IDFA); revoke anytime in iOS Settings → Privacy & Security → Tracking → KaleWay; deleting your account stops all further events.
  • Contactfacebook.com/business/help
  • MorePrivacy Policy §5 (full field list + opt-out paths) →

AppsFlyer Ltd.

MMP · iOS app only, V1.0.2+
  • ReceivesNon-health advertising-measurement events from the iOS app: AppsFlyer's per-install device identifier (not Apple's IDFA), KaleWay user ID (UUID, not email), IP address, event name (e.g., af_complete_registration, af_start_trial), non-personal event parameters (paywall variant, plan type), device + OS info, IDFA (only with ATT consent), and subscription purchase amount via RevenueCat's server-to-server forwarding. AppsFlyer receives zero consumer health data from KaleWay.
  • WhyMobile Measurement Partner that attributes installs and subscriptions across Meta, TikTok, Apple Search Ads, Google, and ~5,000 other ad networks through a single integration. Not used for retargeting or behavioral ad targeting on KaleWay's side.
  • Onward sharingAppsFlyer forwards the same measurement events to the relevant ad networks for attribution. Downstream sharing is governed by AppsFlyer's services privacy policy and each ad network's own privacy practices.
  • LocationIsrael · EU (servers in multiple regions)
  • Your controlSame Apple ATT prompt as for Meta (Ask App Not to Track withholds your IDFA from AppsFlyer and all downstream networks); revoke anytime in iOS Settings → Privacy & Security → Tracking → KaleWay; EEA / UK users get AppsFlyer's "limited consent" mode by default, which blocks individual-event personalization sharing.
  • Contactappsflyer.com/legal/privacy-policy
  • MorePrivacy Policy §5 (full field list + opt-out paths) →

Government, law enforcement, or legal process

Legally required
  • ReceivesOnly what we are legally required to disclose — for example, in response to a subpoena, court order, or other valid legal request
  • NoticeWhere legally permitted, we will notify you first

Business transfers

If acquired
  • ReceivesIf KaleWay is acquired, merged, or sold, your consumer health data may transfer to the new owner along with the rest of the business
  • CommitmentThe new owner will be bound by the commitments in this Notice or will notify you of changes

07Why we collect and how we use it

We collect and use consumer health data only to provide and improve the KaleWay service:

  • To generate your personalized meal plans, workouts, and KaleAI conversations
  • To track your progress over time
  • To detect when content suggests a need for professional support and respond appropriately
  • To respond to your support requests
  • To improve the service in aggregate, with health data not tied to your identity
  • To comply with applicable laws and regulations
  • To prevent fraud, abuse, and unauthorized access

We share consumer health data only with the third parties named in Section 6, only for the purposes described there.

We do not:

  • Sell your consumer health data
  • Use your consumer health data for advertising
  • Use your consumer health data for purposes unrelated to providing the KaleWay service to you
  • Profile you for purposes outside the KaleWay service
  • Share your consumer health data with anyone we have not named in Section 6

08Your rights as a Washington consumer

Under the Washington My Health My Data Act, you have the following rights with respect to your consumer health data. Section 9 explains exactly how to exercise any of them.

8.1

Right to confirmation

You have the right to ask us whether we are collecting, using, sharing, or selling your consumer health data — and to receive details about each.

8.2

Right to access

You have the right to receive a copy of the consumer health data we have collected about you. This includes a list of all third parties and affiliates who have received your individual consumer health data, including their names and contact information.

8.3

Right to deletion

You have the right to request that we delete your consumer health data. When you exercise this right:

  • We will delete your data from our active systems
  • We will remove it from our routine backups within approximately 30 days
  • We will notify the third parties listed in Section 6 of your deletion request, and direct them to honor it to the extent they hold your individual consumer health data
  • Some data may be retained where required by law (for example, transaction records for tax and accounting purposes)
8.4

Right to withdraw consent

You have the right to withdraw consent for our collection or sharing of your consumer health data at any time:

  • For AI features: turn off the "KaleAI Features" toggle in Profile → AI Features in the app. This stops the sharing of your data with Anthropic for new requests.
  • For all KaleWay use: close your account in Profile → Delete My Account in the app, or by writing to support@kaleway.com.

Withdrawing consent for AI features may functionally disable parts of the app that depend on AI (KaleAI chat, AI-generated meal plans, AI-personalized features). The non-AI parts of the app continue to work — see our graceful degradation list.

8.5

We do not sell consumer health data

We do not sell your consumer health data, as "sale" is defined under Washington law (sharing of consumer health data for monetary or other valuable consideration). Because we do not sell, we do not need to obtain separate written authorization for sales. If we ever change this practice, we will obtain explicit written and signed authorization from you before any sale.

8.6

Right to non-discrimination

We will not discriminate against you for exercising any right under this Notice. We will not deny service, charge different prices, or reduce the quality of service because you exercised a right.

09How to exercise your rights

To exercise any right described in Section 8, contact us using either method below. Use the subject line so your request routes to the right person fastest.

Email — fastest
support@kaleway.com
Subject line: "Washington Health Data Request"
Mail
Granviex, LLC
4700 NW Boca Raton Blvd #202
Boca Raton, FL 33431
United States

In your request, please tell us:

  1. Your name (so we can identify your account)
  2. The email address associated with your KaleWay account
  3. Which right you are exercising (confirmation, access, deletion, withdrawal of consent)
  4. Any specific information about what you are requesting

Verification

Before we respond, we may need to verify your identity. We do this so your data is not given to someone else. Verification may involve confirming the email associated with your KaleWay account, asking you to log in to the app, or asking you to confirm specific details about your account. We will explain what verification we need before we proceed.

Response time

We will respond to your request within 45 days of receiving it. If we need more time (for example, if your request is complex or requires us to coordinate with the third parties listed in Section 6), we will notify you within those 45 days and may extend our response time by up to an additional 45 days.

No new account required

We will not require you to create a new account in order to exercise your rights. If you currently have an account, you may use it; if not, we will work with you to verify your identity using other means.

Authorized agents

If you wish to designate someone to act as your authorized agent in submitting a request on your behalf, please include written authorization from you and identification verification for the agent. We may contact you to confirm the authorization.

10Appeals

If we deny your rights request, in whole or in part, you may appeal that decision.

To appeal

  • Email support@kaleway.com with the subject line "Appeal: Washington Health Data Request"
  • Include the original request and the reason you believe our denial was incorrect
  • We will review the appeal and respond within 45 days

If we deny your appeal

You may contact the Washington State Attorney General's office:

Washington AG · Consumer Resource Center
1-800-551-4636
Online
atg.wa.gov/consumer-issues

11Private right of action

Under the Washington My Health My Data Act, Washington consumers have a private right of action against regulated entities that violate this Act. Violations are also enforceable by the Washington Attorney General under the Washington Consumer Protection Act.

We mention this so that you know your rights are not just on paper — they are enforceable in court.

12Geofencing

The Washington My Health My Data Act prohibits geofencing around any entity that provides in-person health services for purposes of identifying or tracking consumers, collecting consumer health data, or sending messages or advertisements related to a consumer's health.

KaleWay does not engage in geofencing. We do not use precise location data, we do not target consumers based on proximity to healthcare facilities, and we have no plans to do so.

13Security

We protect your consumer health data with the same measures described in our Privacy Policy, Section 10 — encryption in transit (TLS), encryption at rest in our database, access controls, multi-factor authentication for administrative access, and vendor security diligence.

If we discover a breach affecting your consumer health data, we will notify you and the appropriate regulators in accordance with applicable law, including the Federal Trade Commission's Health Breach Notification Rule and Washington's data breach notification law.

14Children

KaleWay is rated for users 17 years and older. We do not knowingly collect consumer health data from children under that age. If we learn that a person under the applicable minimum age has created an account, we will delete the account and any associated consumer health data and notify the third parties listed in Section 6.

15Changes to this Notice

We may update this Notice from time to time as the law evolves or as KaleWay changes. When we make a material change, we will:

  • Update the "Last updated" date at the top
  • Post a notice in the app
  • For significant changes (especially to your rights or to the categories of third parties we share with), notify you by email before the change takes effect

Your continued use of KaleWay after a change becomes effective means you accept the updated Notice. If you do not agree, you may withdraw consent or close your account.

Recent updates

  • v1.3 — May 11, 2026. Added a clarifying paragraph in §5 disclosing the AppsFlyer SDK integration (V1.0.2+) with explicit confirmation that no consumer health data is shared with AppsFlyer or its downstream ad-network partners. Added an AppsFlyer entry to §6 recipients list with cross-reference to Privacy Policy §5. (Version jumped from v1.1 to v1.3 to stay in lockstep with the other docs in this batch.)
  • v1.1 — May 5, 2026. Added a clarifying paragraph in §5 and a Meta Platforms entry in §6 to confirm that consumer health data remains excluded from the iOS app's advertising-measurement events. Meta receives only non-health identifiers (hashed email, hashed user ID, IP, event name, purchase amount, and — with ATT consent — IDFA). Cross-linked Privacy Policy §5.

16Contact

For any question about this Notice or to exercise any right described above:

Email
support@kaleway.com

Subject "Washington Health Data Request" routes fastest.

Mailing address
Granviex, LLC
4700 NW Boca Raton Blvd #202
Boca Raton, FL 33431
United States

For appeals or complaints we have not resolved, the Washington State Office of the Attorney General's Consumer Resource Center is reachable at 1-800-551-4636 or at atg.wa.gov/consumer-issues.