Privacy & Data
Privacy Policy
What personal and health data we collect, how we use it, who we share it with, and the controls you have.
Effective date: May 6, 2026
Who we are
Veyda, LLC ("Veyda," "we," "us," or "our") is a Los Angeles–based health intelligence company. We operate the Veyda membership and the Sage AI assistant. This Privacy Policy explains how we handle the information you share with us when you use our website, mobile applications, and connected services.
Questions? Reach our privacy team at privacy@veyda.com.
Information we collect
Account information. Your name, email address, mobile phone number, and (where applicable) shipping address.
Health information. Lab results, wearable readings (HRV, sleep, activity), body composition, prescriptions, and any signals you connect or upload. This includes Protected Health Information ("PHI") under HIPAA when handled by our covered entity partners.
Payment information. Processed exclusively by Stripe. We never see or store full card numbers — only the last four digits and a tokenized payment method ID.
Usage information. Device type, app version, anonymized analytics events, and crash diagnostics. We do not sell behavioral profiles.
How we use your information
We use your information to: (1) deliver the Veyda membership you've signed up for, (2) generate Sage's reasoning across your connected signals, (3) coordinate care with our clinical partners, (4) process payments and send membership emails, (5) detect and prevent fraud, and (6) comply with legal obligations.
We do not use your health data for advertising, third-party marketing, or to train any external AI model.
Who we share with
We share data only with the partners required to deliver the service:
- Infrastructure — Supabase (database, auth), Vercel (hosting), Resend (transactional email).
- Payments — Stripe (billing) and RevenueCat (subscription state).
- Clinical — Our affiliated medical group and lab providers, under HIPAA-compliant Business Associate Agreements.
- Wearables and sources — Only the providers you explicitly connect (Apple Health, Whoop, Oura, Garmin, etc.). You can disconnect any source at any time.
We never sell your personal or health information.
Your rights
You have the right to access, correct, export, or delete your personal information at any time. California residents have additional rights under the CCPA/CPRA; EEA and UK residents have rights under GDPR; New York residents have rights under the SHIELD Act. Submit a request to privacy@veyda.com and we'll respond within 30 days.
You may also withdraw consent for any optional data processing — including disconnecting wearables, opting out of analytics, or pausing AI reasoning — from your member dashboard.
Data retention and security
We retain account and health data for as long as your membership is active, plus seven years after cancellation as required for medical record retention. After that, data is securely destroyed unless retained for a clear legal obligation.
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Our infrastructure is SOC 2 Type II audited. Health data is segmented and access-controlled per HIPAA Technical Safeguards. [LEGAL REVIEW: confirm exact retention windows with healthcare counsel.]
Children
Veyda is not intended for anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided information to us, contact privacy@veyda.com and we will delete it.
Changes to this policy
We will notify you by email at least 30 days before material changes take effect. The "Effective date" at the top of this page reflects the most recent revision.
Counsel review queue — California considerations
Not final policy text. The items below capture the California-specific regulatory considerations our counsel needs to address before we publish the production version of this Privacy Policy. Source: internal product/engineering review, May 2026.
California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
- Required notice at collection (Cal. Civ. Code § 1798.100): categories of personal information, business or commercial purposes for collection, length of retention, sale/share status. Confirm our "Information we collect" + "How we use" sections satisfy this with categorical specificity.
- Sensitive personal information (SPI) disclosure: health data is SPI. We must disclose collection, purposes, retention, and disclose that we do not use SPI for any purpose beyond delivering the service (or list those purposes).
- Consumer rights: access, deletion, correction, portability, opt-out of sale/share, limit use of SPI. Build the in-app + email mechanisms; document them in Your Rights.
- "Do Not Sell or Share My Personal Information" link required on the marketing site footer if we engage in any "sale" or "sharing" (broad definitions under CPRA — even ad pixels can qualify). Audit Meta Pixel usage on the marketing site.
- Global Privacy Control (GPC) must be honored as an opt-out signal under CPRA regulations.
Minor data — CCPA tiers + COPPA
- Under 13: opt-IN with verifiable parental consent for any sale/share of personal info. If Veyda is not directed at under-13s and does not knowingly collect their data, we should explicitly state this.
- 13–15: opt-IN required for any sale/sharing.
- 16+: opt-OUT model (default).
- Practical step: when DOB is captured during in-app onboarding, gate any sale/share rights based on the resolved age. Block the under-13 path entirely — direct those users to account deletion and a refund.
- COPPA (federal, 15 USC §§ 6501–6506): confirm Veyda is not "directed to children" under FTC criteria. Add an explicit statement.
CA Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code § 56)
- CMIA applies to "providers of health care" + "any business" that offers software/hardware "designed to maintain medical information." When Veyda's labs/clinical features go live, Veyda likely qualifies. Distinct from HIPAA — applies even if we are not a HIPAA covered entity.
- Required: written authorization for disclosure of medical info; opt-out of marketing; specific data-handling controls.
- Practical step: build a CMIA-specific section once labs/clinical features ship. Confirm BAA equivalents with downstream lab partners.
CA Genetic Information Privacy Act (SB-980, Civ. Code §§ 56.18–56.186)
- Applies if Veyda Marketplace ever surfaces direct-to-consumer genetic testing (e.g., Nucleus, Health-DNA via the catalog). Requires:
  - Express, separate consent for collection + use of genetic data.
  - Right to delete genetic data.
  - Express consent before sharing with research collaborators or third-party storage.
- Practical step: gate the marketplace genetic-product workflow behind an SB-980-compliant consent module before listing those products.
CA Age-Appropriate Design Code (AB-2273)
- Effective 2024; partially enjoined as of mid-2024 but watch for revival via 9th Circuit appeal.
- If any users could be under 18, designs must default to highest privacy settings and undergo Data Protection Impact Assessment.
- Cleanest mitigation: hard age-gate at 18 for the membership. Document the gate in this policy.
Other state notice requirements (in addition to CCPA/CPRA)
- Virginia (VCDPA): similar to CCPA; processor/controller distinction required.
- Colorado (CPA): universal opt-out signal honoring required.
- Connecticut (CTDPA) + Utah (UCPA) + Texas (TDPSA): similar consumer rights; confirm notice language covers these residents.
- New York SHIELD Act: data security program requirements + breach notification.
- Washington My Health My Data Act (HB 1155): very strict consent requirements for "consumer health data" — applies broadly to wellness apps. Sage chat content + wearable data could fall in scope.
Specific items to revise in this draft
- "Children" section: expand to address CCPA tiers (under-13 / 13–15 / 16+) and COPPA explicit statement.
- "Your rights" section: add CMIA, SB-980, and Washington MHMDA where applicable.
- "Data retention and security" section: confirm exact retention windows with healthcare counsel (already flagged inline).
- Add: "Sensitive Personal Information" disclosure subsection.
- Add: Global Privacy Control honoring statement.