Consumer Health Data Privacy Policy

Last updated: June 2026

1. Scope and Purpose

This Consumer Health Data Privacy Policy describes how InvestigAItor (“we”, “us”, or “our”) handles consumer health data as defined under applicable state laws, including the Washington My Health My Data Act (MHMD), the Nevada Consumer Health Data Privacy Law, and similar legislation.

InvestigAItor is a business-to-business (B2B) AI governance platform. We provide services to employer organizations (“Customers”), not directly to individual consumers. When health data is encountered through our platform, it is processed on behalf of and under the direction of the Customer organization.

2. What Is Consumer Health Data

For purposes of this policy, “consumer health data” means personal information that is linked or reasonably linkable to an individual and that identifies the individual’s past, present, or future physical or mental health status. This may include health conditions, diagnoses, medications, treatment history, or other health-related information.

3. How Health Data May Be Encountered

InvestigAItor monitors employee interactions with AI platforms (such as ChatGPT, Claude, Gemini, and others) to help organizations enforce AI usage policies and detect sensitive data disclosures. Health data may be incidentally present in this context in the following ways:

  • PHI detection in AI prompts: Employees may submit prompts to AI platforms that contain Protected Health Information (PHI) or other health-related content. InvestigAItor’s sensitive data detection analyzes prompt content for PHI patterns (such as medical record numbers, diagnoses, or treatment details) and flags potential disclosures to authorized administrators.
  • Health-related platform usage: Metadata about which AI platforms an employee accesses is collected. If an employee uses a health-focused AI tool, the URL and platform name are logged as activity events.
  • Prompt content (when enabled): Depending on the Customer’s configuration, the full text of AI prompts may be captured. This content may contain health-related information if the employee included it in their prompt.

4. How We Use Health Data

We use health data encountered through our platform only for the following purposes:

  • To detect and flag potential PHI disclosures to AI platforms on behalf of the Customer organization
  • To enforce the Customer’s data loss prevention and AI usage policies
  • To generate activity reports and audit logs accessible only to authorized administrators within the Customer organization
  • To provide the services described in our agreement with the Customer

We do not sell consumer health data. We do not use health data for advertising or marketing purposes. We do not share health data with third parties except as required to operate the service (e.g., our infrastructure provider, Supabase) or as required by law.

5. Data Retention

Activity event logs, including any flagged PHI detections, are retained for the period configured by the Customer organization (default 12 months) or as required by applicable law. Customers may reduce their retention period or request earlier deletion through the dashboard settings.

6. Data Security

We implement industry-standard security measures to protect all data processed through our platform, including health data. These measures include encryption in transit (TLS), encryption at rest, row-level security, and strict access controls. All data is stored in Supabase-hosted infrastructure with role-based access policies.

7. Your Rights

Depending on your state of residence, you may have the following rights with respect to your consumer health data:

  • Right to know what consumer health data we have collected about you
  • Right to access a copy of your consumer health data
  • Right to deletion of your consumer health data
  • Right to withdraw consent to our collection or sharing of your health data
  • Right to appeal a denial of any of the above rights

Because InvestigAItor operates as a processor on behalf of Customer organizations, requests related to data collected under a specific organization’s deployment should first be directed to that organization. We will work cooperatively with Customers to fulfill verified consumer requests.

8. How to Exercise Your Rights

To submit a consumer health data rights request, contact us at [email protected] with the subject line “Health Data Rights Request.” Please include your name, the organization through which you interact with our platform (if applicable), and a description of your request. We will respond within 45 days of receipt. If we are unable to fulfill your request, we will provide a written explanation and information on how to appeal.

9. Authorized Representatives

You may designate an authorized agent to submit a request on your behalf. We may require verification of the authorization before processing requests submitted by agents.

10. Non-Discrimination

We will not discriminate against you for exercising any rights described in this policy. Exercising these rights will not affect the services you receive from InvestigAItor or from the organization that deployed our platform.

11. Changes to This Policy

We may update this policy from time to time to reflect changes in applicable law or our practices. We will post the revised policy on this page and update the “Last updated” date. For material changes, we will notify account administrators by email at least 14 days before the changes take effect.

12. Contact

For questions about this Consumer Health Data Privacy Policy or to submit a rights request:

InvestigAItor

Email: [email protected]