Consumer Health Data Privacy Policy

This policy applies to you if you are a consumer in Washington, Nevada, Connecticut, or Maryland, OR if your consumer health data is collected while you are physically present in Washington (regardless of your state of residence). The general Privacy Policy applies to all users.

The Service is operated by Rhodium Ventures, LLC, a Georgia limited liability company (“we”, “us”, “our”).

We collect the following categories of consumer health data (CHD), all of which derive from your direct responses to validated screening instruments. We do not infer CHD from non-health sources, and we do not purchase CHD from data brokers.

• Mental-health status (self-reported). Responses to PHQ-9 (depression), GAD-7 (anxiety), SPI-8 (perceived stress), ACE-10 (adverse childhood experiences), ARI-6 (adaptive resilience), WBI-5 (wellbeing), BCI-8 (belonging and connection), PMI-8 (purpose and meaning).
• Sleep and circadian status (self-reported). Responses to RSI-14 (restorative sleep) and RLI-6 (rhythm and light).
• Substance-use status (self-reported). Responses to SAI-2 (substance awareness) and AUDIT-C (alcohol consumption).
• Physical-health status (self-reported). Responses to PEG-3 (pain), IPAQ-SF (physical activity), DVI-6 (daily vitality), REAP-S (eating patterns), RQI-6 (relational quality).
• Crisis-tier event codes. When your responses suggest an elevated or active-risk pattern, we record short event codes (for example, PHQ9_ITEM9_GTE_1) plus the tier that fired and the rules version active at the time. The underlying response values stay in the standard responses table; the crisis log is codes-only.
• Inferences derived from the above. Per-pillar percentage scores, an overall Flourishing Score, and the proprietary Yield Index (GYI-9). These are derived from your responses and are CHD under MHMDA’s definition of inferred health data.
• Consent records. Timestamps + document hashes of every consent you provide (age affirmation; CHD collection; ToS + general Privacy Policy; CHD sharing for delivery; optional marketing). The consent log itself is also CHD-adjacent.

We do not collect or infer the following CHD categories: precise geolocation, biometric identifiers (face scans, fingerprints, voiceprints), genetic information, reproductive-health information, gender-affirming-care information, prescription medication data beyond what you volunteer in screening responses, or laboratory test results (future paid tiers may collect these under separate consent).

We process your CHD for the following purposes only:

• Scoring your assessment and generating your personalized report and PDF.
• Delivering your results to the email address you provide.
• Surfacing crisis-line references on the results screen at the appropriate tier (see Section 15 of our general Privacy Policy for the three-tier design).
• Supporting the 90-day retake feature so you can compare your current results to earlier ones.
• Honoring your data-subject rights (access, correction, deletion, withdrawal of consent).
• Producing aggregate, de-identified statistics for service improvement and research, with no re-identification.

All CHD we collect comes from you, directly — via the responses you give in the assessment. We do not purchase CHD from data brokers, scrape it from public sources, or infer it from your activity outside the Service.

We share CHD only with the service providers we use to operate the Service, and only to the extent necessary for them to perform their services. We have or are pursuing data-processing agreements with each:

• Vercel (United States): web application hosting. Sees the entire request payload at the network layer.
• Supabase (United States): database hosting. Stores all assessment responses, consent events, and crisis events.
• Resend (United States): transactional email delivery for your results email. Sees your email address, first name, and a summary of your results in the email body.
• GoHighLevel (GHL) (United States): customer-relationship management. Currently inactive: no consumer health data is transmitted to GHL today. If this integration is re-enabled, GHL would receive only your name, email, and marketing-consent flag, never individual responses or results, and we would update this policy first.

We do not share CHD with advertisers, social networks, data brokers, or any third party for cross-context advertising, behavioral profiling, or training of general-purpose machine-learning models.

We do not sell your consumer health data, and we do not provide it to any third party in exchange for monetary or other valuable consideration. We have no plans to sell CHD. Should that ever change, you will be asked for the separate, signed authorization Washington MHMDA requires before any sale could occur.

We obtain your affirmative consent at two separate points before any CHD is collected, processed, or shared:

• Collection consent. On the “Before you begin” screen — an active confirmation that captures consent to collect and process your responses, before any questions are presented.
• Sharing consent. On the results-delivery screen — an explicit checkbox consenting to sharing your email and results summary with the email and CRM providers listed in Section 5.

Each consent is recorded as an immutable, timestamped, hashed event so the exact document version you agreed to is reproducible. You may withdraw consent at any time by contacting us; withdrawal is recorded the same way.

As a consumer covered by this policy, you have the right to:

• Confirm whether we are processing your CHD.
• Access the CHD we have collected, along with a list of the third parties with whom we have shared it.
• Withdraw consent you previously granted for collection, sharing, or processing.
• Delete your CHD. Under MHMDA, deletion is honored with no exceptions for processed data, and propagates to processors, affiliates, and third parties. Archived and backup copies are deleted within six (6) months.
• Appeal any decision we make on a rights request.

How to exercise these rights. Email jared@flourishingassessment.com with a description of your request. We will respond within 45 days of receiving a verifiable request, extendable once by another 45 days when reasonably necessary (we will tell you if we extend, and why). The first request in any 12-month period is free. We may require reasonable identity verification before processing the request.

Authorized agents. You may designate an authorized agent to submit a request on your behalf. The agent must provide written authorization signed by you, and we may contact you directly to verify the request before acting on it.

The appeal process and the exact response timelines for non-WA jurisdictions are pending review by retained counsel.

Washington residents: violations of MHMDA are deemed unfair or deceptive acts under the Washington Consumer Protection Act (RCW 19.86), which gives you a private right of action with treble damages (capped) and attorneys’ fees. We take this seriously and have built our consent, audit, and deletion infrastructure with that exposure in mind.

We do not implement geofences of any kind around healthcare facilities, mental-health-service providers, reproductive- or sexual-health facilities, substance-use treatment facilities, or any other CHD-relevant location, for any purpose. This commitment matches the geofencing ban that has been in force under MHMDA since July 23, 2023.

We protect your CHD with a written security program that satisfies a reasonable standard of care. Specific measures include: row-level security on the database with service-role access controls; server-side writes only; transport-layer encryption (HTTPS / TLS); at-rest encryption from our database host; an insert-only audit log for consent and crisis events; and a logging discipline that prohibits writing identifiable response values to server logs.

We may update this Consumer Health Data Privacy Policy from time to time. Each version is recorded with an effective date and a content hash. When a material change takes effect, the next assessment session you begin will re-prompt you for the relevant consents before any new CHD is collected. Prior versions remain available on request.

Addition of a postal address is pending business decision and counsel review.

For any questions or requests regarding your consumer health data, contact jared@flourishingassessment.com.