Consumer Health Data Privacy Policy
v5.0Last updated: June 1, 2026
This Consumer Health Data Privacy Policy ("Health Data Policy") describes how DrivePhase LLC ("DrivePhase," "Company," "we," "us," or "our"), an Indiana single-member limited liability company governed by its managing member, collects, uses, shares, retains, and protects "consumer health data" through the DrivePhase mobile application, website, and related services (collectively, the "Service").
This Health Data Policy is a standalone notice required by the Washington My Health My Data Act (RCW 19.373), the Nevada consumer health data law (Nevada SB 370), and the consumer health data provisions of the Connecticut Data Privacy Act, and it applies to residents of those states. It supplements, and is incorporated into, our Privacy Policy and our Terms of Service.
IF YOU DO NOT AGREE WITH THIS HEALTH DATA POLICY, DO NOT USE DRIVEPHASE.
Table of Contents
This Consumer Health Data Privacy Policy ("Health Data Policy") describes how DrivePhase LLC ("DrivePhase," "Company," "we," "us," or "our"), an Indiana single-member limited liability company governed by its managing member, collects, uses, shares, retains, and protects "consumer health data" through the DrivePhase mobile application, website, and related services (collectively, the "Service").
This Health Data Policy is a standalone notice required by the Washington My Health My Data Act (RCW 19.373), the Nevada consumer health data law (Nevada SB 370), and the consumer health data provisions of the Connecticut Data Privacy Act, and it applies to residents of those states. It supplements, and is incorporated into, our Privacy Policy and our Terms of Service. Defined terms used here ("Service," "User Content," "Pose Data," "Biometric-Derived Data," and "Consumer Health Data") have the same meaning as in our Privacy Policy. Where this Health Data Policy and the general Privacy Policy address the same subject, this Health Data Policy controls for consumer health data of covered-state residents.
IF YOU DO NOT AGREE WITH THIS HEALTH DATA POLICY, DO NOT USE DRIVEPHASE.
DrivePhase is offered only to residents of the United States. The Service is not directed to, intended for, or offered to residents of the European Economic Area (EEA), the United Kingdom, or Switzerland, and residents of those regions should not use the Service. If we identify data originating from those regions, we will handle it in accordance with applicable United States law and will delete it on request. Consumer health data is processed and stored in the United States.
"Consumer health data" means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status, including data derived or extrapolated from non-health information (such as inferences made from your videos or activity). Because DrivePhase is an athletic performance app, much of the data we collect is, or may be treated as, consumer health data under the laws referenced above.
This Health Data Policy uses the following defined terms consistently with our Privacy Policy:
- "Pose Data" / "Biometric-Derived Data" means the skeletal pose landmarks (33 body points, including joint positions), body geometry measurements, and the derived per-frame body-geometry coordinate time-series (for example, ankle and body-center pixel coordinates) generated from your sprint videos, together with the sprint metrics derived from them.
- "Consumer Health Data" means Biometric-Derived Data together with the nutrition, body, readiness, injury, and inference data described in Section 3.
We collect the following categories of consumer health data:
3.1 Biometric-Derived Data (Pose Data)
When you upload or record a sprint video, our backend (MediaPipe, OpenCV, and FFmpeg) and on-device technology (Google ML Kit) analyze the video to derive:
- Skeletal pose landmarks (33 body points, including joint positions) and joint/limb angles
- A derived per-frame body-geometry coordinate time-series (for example, ankle and body-center pixel coordinates)
- Sprint metrics such as hip angle, shin angle, torso/forward lean, ground contact time (GCT), stride and phase detection, velocity and acceleration estimates, scores, and quality and trend metrics
Important honesty note about retention. Raw, full-resolution video frames are processed transiently to perform the analysis. DrivePhase then retains both the derived sprint metrics and the derived body-geometry coordinate time-series for the duration of your account (and no longer than three (3) years after your last interaction with the Service), subject to the retention-and-destruction schedule in Section 8. This data is not used to identify you and is never sold.
3.2 Nutrition, Calorie, and Body Data
- Meal logs, food names, serving sizes, calories, macronutrients and micronutrients, fiber, sugar, sodium, saturated fat, hydration, meal timing, and notes
- Food photos and product images submitted for nutrition recognition or logging
- Nutrition goals, race-day fueling protocols and outcomes, and dietary preferences
- Body weight, body measurements, age, height, and weight
3.3 Readiness, Recovery, and Self-Reported Health Data
- Daily check-ins for sleep, soreness, stress, energy, readiness, and recovery
- Injury history, physical limitations, and self-reported training context
3.4 AI Inferences
- Inferences and outputs generated about your training, performance, nutrition, readiness, recovery, and technique, including sprint analysis feedback, AI form feedback, DrivePhase Intelligence responses, generated summaries, scores, trends, and recommendations
We collect consumer health data from the following sources:
- Directly from you: information, videos, photos, meal logs, check-ins, measurements, and prompts you enter or upload
- From your device, with your permission: camera, microphone, photo/media library, and similar inputs used to capture sprint videos and food photos
- Generated by the Service: Biometric-Derived Data, metrics, summaries, and inferences produced from your videos and activity
- From service providers and authentication/app-store providers that help us operate the Service and process the features you request
We collect and use consumer health data only for the following specific purposes:
- To provide sprint analysis, annotated video, sprint metrics, sprint analysis feedback, and AI form feedback you request
- To provide DrivePhase Intelligence responses, reminders, saved memories, and generated artifacts you request
- To provide nutrition logging, food photo recognition, hydration tracking, race-day fueling, and related nutrition features
- To provide readiness, recovery, training, calendar, progress, and trend features
- To personalize the features above to your account, goals, and history
- To maintain the security, reliability, and integrity of the Service, and to detect and prevent fraud, abuse, and safety risks
- To provide customer support and respond to your requests
- To comply with applicable law and legal obligations
- To operate, develop, and improve the Service
We use the phrase "operate, develop, and improve the Service" deliberately: DrivePhase does not train its own AI models on identifiable user content, and we do not use your identifiable consumer health data to train third-party AI providers' public models. Where we use data to evaluate, test, and improve the Service, we use aggregated, anonymized, or de-identified data wherever practicable.
We will not collect, use, or share consumer health data for purposes that are not described in this Health Data Policy without obtaining your affirmative consent (see Section 7).
We share consumer health data only with the specific categories of third parties listed below, and only as necessary to provide a feature you request, to operate and secure the Service, or as required by law:
| Category of Third Party | Specific Providers | What May Be Shared and Why |
|---|---|---|
| Cloud, database, and storage providers | Supabase, Google Cloud Platform | Hosting, database, authentication, and storage of your account data, videos, and Consumer Health Data so the Service can operate |
| AI providers | OpenAI API, Tavily (Pro web search) | When you use an AI feature: prompts, compact app context, derived sprint metrics, saved memory snippets, food photos, and tool inputs/outputs needed to generate a response |
| Nutrition database providers | FatSecret, USDA FoodData Central, Open Food Facts | Food search queries and barcode/product lookups to return nutrition data you request |
| Analytics and diagnostics providers | PostHog, Sentry | Product analytics (such as app opens and feature usage) and crash/error diagnostics. These providers do not receive your consumer health data: analytics events exclude health, nutrition, sprint, and biometric data, and crash diagnostics are limited to the technical error information needed to operate and debug the Service. |
| Email delivery provider | Resend | Operational, security, and support email |
| App-store and billing providers | Apple App Store, Google Play, RevenueCat | Subscription and entitlement status only; these providers do not receive your Consumer Health Data, and DrivePhase never receives your card numbers |
| Authentication providers | Supabase Auth, Sign in with Apple, Google Sign-In, phone authentication | Authentication identifiers and OAuth metadata you authorize |
| Legal, safety, and security recipients | Law enforcement, courts, regulators, and professional advisors, where applicable | Only where reasonably necessary to comply with law or legal process, enforce our Terms, or protect the rights, property, or safety of DrivePhase, users, minors, or the public |
| Acquirer or successor | A buyer or successor in a merger, acquisition, financing, reorganization, or sale of assets | Transferred only as part of such a transaction, subject to this Health Data Policy or a substantially similar policy |
6.1 We Do Not Sell or Share for Advertising
DrivePhase does not sell consumer health data. We do not exchange consumer health data for money or other valuable consideration. DrivePhase does not share consumer health data for advertising, cross-context behavioral advertising, or targeted advertising, and we do not provide consumer health data to data brokers. The providers listed above act on our behalf or to fulfill a feature you request; they are not authorized to use your consumer health data for their own independent advertising purposes.
6.2 OpenAI API Data Handling
When DrivePhase uses the OpenAI API, it sends only the content and context needed for the feature you requested. Based on OpenAI's current API data controls, API inputs and outputs are not used to train OpenAI's models, and OpenAI may retain abuse-monitoring logs for up to thirty (30) days by default unless different approved retention controls apply. Sprint video analysis may extract a small number of still images ("key moments") from your video and send those stills to OpenAI's vision API to generate visual observations; DrivePhase does not stream your full raw video to OpenAI. Nutrition photo recognition may send food photos to OpenAI.
Before we collect or share consumer health data beyond what is necessary to provide a product or service you have requested, we obtain your affirmative, voluntary, opt-in consent. Consent is:
- Specific to the categories of consumer health data, the purpose of collection, and the categories of third parties with whom it may be shared
- Separate from any other agreement or term you accept
- Freely given and revocable at any time (see Section 9)
For collection and processing that is necessary to provide a feature you actively request — for example, deriving sprint metrics from a video you choose to upload, or logging a meal you choose to enter — we rely on your voluntary act of using that feature, consistent with applicable law. We do not condition the use of unrelated features on your consent to additional health-data collection.
Consistent with biometric-privacy best practice (including the Illinois Biometric Information Privacy Act), we maintain and publicly disclose the following written retention-and-destruction schedule for Biometric-Derived Data (Pose Data). This schedule also governs the destruction of other consumer health data on account deletion.
| Data | Retention Trigger | Maximum Retention | Destruction |
|---|---|---|---|
| Raw, full-resolution video frames used for pose analysis | Processed transiently during analysis | A complete frame archive is not retained after analysis completes | Discarded after the analysis pipeline completes |
| Key-moment still images extracted from your video | Active account | Duration of account; deleted when you delete the associated video or your account | Deleted with the associated video or on account deletion, then purged from backups |
| Derived sprint metrics (hip/shin angle, lean, GCT, velocity, scores, trends) | Active account | Duration of account, and no more than three (3) years after your last interaction with the Service | Deleted on account deletion or expiry of the retention period, then purged from backups |
| Derived body-geometry coordinate time-series (e.g., ankle/body-center pixel coordinates) | Active account | Duration of account, and no more than three (3) years after your last interaction with the Service | Deleted on account deletion or expiry of the retention period, then purged from backups |
| Sprint videos and annotated output | Active account; free-tier videos | Duration of account; free-tier videos may be deleted on or after 30 days from upload | Deleted on the applicable schedule or on your request, then purged from backups |
| Nutrition, body, readiness, injury, and inference data | Active account | Duration of account, unless a longer period is required by law | Deleted on account deletion, then purged from backups |
Destruction occurs the earlier of (a) the date the initial purpose for collection has been satisfied, (b) three (3) years after your last interaction with the Service, or (c) completion of your account-deletion request. Account-deletion requests are generally processed within thirty (30) days, and backup copies are typically purged on a delayed schedule, generally within ninety (90) days, subject to legal, security, and fraud-prevention exceptions. In no event will Biometric-Derived Data be retained for more than three (3) years after your last interaction with the Service unless a valid legal requirement requires longer retention.
We do not sell, lease, trade, or otherwise profit from Biometric-Derived Data, and we do not use it to identify you, for facial recognition, or for any biometric identification purpose.
You have the right, with respect to consumer health data, to:
- Confirm whether we are collecting, sharing, or selling your consumer health data (we do not sell it)
- Access the consumer health data we have collected, including a list of the categories of third parties and (where applicable) third parties with whom we have shared it
- Withdraw consent to our collection or sharing of your consumer health data
- Delete your consumer health data
- Appeal a decision we make regarding a request
9.1 In-App Controls
Where available, you can delete individual videos, meals, and other content, and delete your entire account through Settings > Account > Delete Account. You can request to opt out of product analytics by emailing support@drivephaseai.com. Account deletion uses our delete_user process and triggers cascading deletion of your account data, including consumer health data, in accordance with Section 8.
9.2 By Email
To withdraw consent, request access, or request deletion of your consumer health data, email support@drivephaseai.com with the subject line "Washington Health Data Request" (this subject line is used for all covered-state consumer health data requests, including Nevada and Connecticut). Please include the email address associated with your account and a description of your request. We may take reasonable steps to verify your identity before completing a request.
We will respond to verifiable requests within the timeframe required by applicable law. If we deny a request, you may appeal by emailing the same address; if your appeal is denied, you may contact the attorney general of your state.
Withdrawing consent or deleting consumer health data may make some features unavailable, because much of the Service depends on that data to function.
DrivePhase does not use geofences. We do not implement, operate, or use any geofence around any location to identify, track, collect data from, or send notifications, messages, or advertisements to consumers related to their consumer health data based on their proximity to or presence at any location, including health-care facilities, gyms, pharmacies, or any other location.
DrivePhase does not access your device's GPS or precise location; any city and state in your profile is information you type in yourself. DrivePhase does not use geofencing of any kind, including around health-care facilities.
DrivePhase is intended only for users who are at least 13 years old. Users between 13 and 17 require parental or guardian consent before using the Service, and we require a 13-or-older self-attestation (with parental or guardian approval if under 18). All accounts are private — DrivePhase has no public profiles, social, or discovery features. Nutrition deficit and weight-loss features are not intended for minors. Parents or guardians may exercise the rights in Section 9 on behalf of a minor by emailing support@drivephaseai.com with the subject "Washington Health Data Request." Nutrition, training, and sprint analysis feedback for minors should be supervised by a parent, guardian, coach, or qualified healthcare professional.
If you or someone you know is struggling with disordered eating, self-harm, or thoughts of suicide, please contact the 988 Suicide & Crisis Lifeline by calling or texting 988 and consult a qualified healthcare professional. DrivePhase is not a crisis or treatment service.
We use technical, administrative, and organizational safeguards designed to protect consumer health data, including TLS encryption in transit, provider-managed encryption at rest, row-level security and access controls for user-owned data, private storage buckets, locally encrypted SQLite/SQLCipher caches, restricted access to production systems and service-role credentials, and logging, monitoring, and abuse-prevention controls. No system is perfectly secure, and you are responsible for protecting your credentials and devices.
We may update this Health Data Policy from time to time. Material changes will be communicated by email, in-app notice, or another legally required method, and the change will be reflected in the Version History below. We will obtain renewed affirmative consent before collecting or sharing consumer health data for a materially new purpose where required by law.
Version History
- Version 5.0 (June 1, 2026): Initial standalone Consumer Health Data Privacy Policy issued as part of the coordinated 5.0 legal release. Discloses the categories of consumer health data collected (including the persisted body-geometry coordinate time-series), sources, specific purposes, specific categories of third parties, no-sale and no-advertising statements, affirmative opt-in consent, a BIPA-style retention-and-destruction schedule for Biometric-Derived Data, a no-geofencing statement, withdrawal-and-deletion instructions, and a United-States-only geographic scope. Satisfies the Washington My Health My Data Act (RCW 19.373), Nevada SB 370, and the Connecticut Data Privacy Act consumer health data provisions.
Email: support@drivephaseai.com
Washington / Consumer Health Data Requests: support@drivephaseai.com with subject "Washington Health Data Request"
Privacy Requests: support@drivephaseai.com with subject "Privacy Request"
Security Issues: support@drivephaseai.com with subject "Security"
Mailing Address:
DrivePhase LLC
65 East Garner Road, Suite 300
Brownsburg, IN 46112
United States
Website: https://drivephaseai.com
DrivePhase is a single-member limited liability company governed by its managing member. We do not maintain a separate legal department or phone support.
BY USING DRIVEPHASE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THIS CONSUMER HEALTH DATA PRIVACY POLICY.
DrivePhase LLC. All rights reserved.