DRAFT — FOR ATTORNEY REVIEW — NOT FOR PUBLICATION
PUBLICATION GATE — DO NOT PUBLISH UNTIL ALL OF THE FOLLOWING ARE TRUE IN THE LIFTTRACK CODE. Each item is asserted as fact below. Publishing first is a false claim in the dangerous direction.

Consumer Health Data Privacy Notice

LiftTrack · AscentApps LLC · Version 1.2

Effective date: [TO BE SET ON PUBLICATION]

Why this notice exists. Washington’s My Health My Data Act and Nevada’s SB 370 require a separate notice, apart from our general Privacy Policy, covering only consumer health data. This is that notice. Where it conflicts with our general Privacy Policy, this notice controls for consumer health data.

1. What this notice covers

“Consumer health data” means personal information linked or reasonably linkable to you that identifies your past, present, or future physical or mental health status — including bodily functions, measurements, and inferences drawn from them. This notice applies to the consumer health data that LiftTrack collects.

2. The consumer health data we collect — and why

CategoryExamplesWhy
Bodily measurementsBody weight and other metrics you enterTo track progress and inform AI coaching
Exercise dataWorkouts, exercises, sets, reps, weight lifted, volume, duration, cardio sessionsTo log and display your training history
Calorie / energy dataEstimated calories burned per workoutTo summarize training load and, if you connect it, to sync to Atisbo Health
GoalsTraining goals you setTo tailor AI coaching suggestions
AI coach conversationsQuestions you ask the AI coach about training and nutrition, and its answersTo answer your questions
InferencesAI-generated coaching, plateau flags, recovery flags, and calorie estimates derived from the aboveThese are themselves consumer health data and are treated as such

These are estimates, not clinical measurements or medical advice.

3. Where we collect it from

All of it comes from you: what you log, enter, or type into the AI coach. We do not buy consumer health data, receive it from data brokers, or obtain it from health-care providers or medical devices.

4. Who we share it with

We share consumer health data only with the service providers that operate LiftTrack on our behalf, each under contract and only to deliver the features you use:

Third partyWhat is sharedPurpose
Anthropic (AI provider)Your recent workout history, personal records, and the messages you send the AI coachTo generate the coaching suggestions, flags, estimates, and chat answers you request
Cloudflare (infrastructure)All stored data, keyed to your pseudonymous identifier, in a D1 databaseTo host, store, and process your data, primarily in the United States
Clerk (authentication)No health data — email, credentials, and the account identifier onlyTo authenticate you
Atisbo Health (our sibling app) — only if you turn on the optional connectionThe exercise and calorie data you choose to syncTo combine your training data with your nutrition and glucose data in that app, at your election

We do not share consumer health data with any other third party or affiliate.

5. What we do NOT do

6. Consent

We collect and share your consumer health data only after you give separate, affirmative consent — a distinct checkbox, separate from our general Terms and Privacy Policy, presented before you use any feature that collects it. Consent to collection and consent to sharing with the processors above are obtained together at that gate and are described there. You may withdraw consent at any time (see below).

Account eligibility is separately gated: before creating an account you complete an 18+ date-of-birth age gate (recorded as age-gate-1.0; your date of birth is checked on your device and never stored). This is distinct from the consumer-health-data consent above.

ATTORNEY: MHMDA requires separate consent for collection and for sharing. Confirm whether a single unbundled health-data checkbox covering both (as implemented) is sufficient, or whether two distinct checkboxes are required.

Your rights — and how to appeal

To exercise any right, use the controls in your profile or email [email protected]. We will confirm your identity using the email address on your account. We respond within 45 days, and may extend once by a further 45 days where reasonably necessary, telling you why.

Appeal. If we refuse a request, we will tell you why in writing and how to appeal. To appeal, reply to our decision or email [email protected] with “Appeal” in the subject line. We will decide the appeal and respond in writing within 45 days. If we deny the appeal, we will explain why and tell you how to submit a complaint to your state Attorney General.

We will not discriminate against you for exercising any of these rights.

ATTORNEY: confirm the identity-verification method, the 45-day response and appeal windows, and the Attorney-General complaint referral against the final text of WA RCW 19.373 and NV SB 370.

7. How we protect it

Data is encrypted in transit (HTTPS/TLS) and at rest by our infrastructure provider. Access requires authentication. Our stores are not publicly reachable. Our application database contains no names and no email addresses: the mapping from your pseudonymous identifier to your identity is held only by our authentication provider (Clerk). This is pseudonymization, not anonymization — see the Privacy Policy for the full description.

Washington availability. LiftTrack returns HTTP 451 and is unavailable to requests geolocated to Washington State, blocked at the API layer. This notice nonetheless applies in full to any Washington resident whose consumer health data we hold.

8. Changes and contact

If we change this notice we will update the version and effective date and obtain fresh consent where required. Questions or requests: [email protected].

Postal: AscentApps LLC, Arizona, United States.

AscentApps LLC · Incorporated in the State of Arizona · [email protected]