Privacy & Data
Your Member Rights
Your rights to access, export, correct, and delete your data — and how to exercise them.
Effective date: May 6, 2026
What you can ask for
As a Veyda member you have the right to:
- Access a copy of every piece of personal and health data we hold on you, in a portable format.
- Correct inaccurate information in your account or health record.
- Delete your account and the personal data tied to it, subject to medical-record retention obligations.
- Export your data to a format you can hand to another provider (HL7 FHIR for clinical records where supported).
- Restrict certain processing — including disconnecting individual wearables, pausing Sage's reasoning, or opting out of optional analytics.
- Withdraw consent for any optional data processing at any time.
How to make a request
Most requests can be filed directly from the Privacy section of your member dashboard. For requests that need our team — including deletion, data export, or correction of clinical records — email privacy@veyda.com from the email address tied to your account.
We verify your identity before fulfilling sensitive requests. We respond within 30 days; complex requests may take up to 90 days, in which case we'll let you know.
California residents (CCPA / CPRA)
In addition to the rights above, California residents may request the categories of personal information we collected, the business or commercial purpose for collecting it, and the categories of third parties we shared it with. We do not sell personal information and do not use sensitive personal information for any purpose beyond what is reasonably necessary to deliver the service. You may designate an authorized agent to make a request on your behalf.
EEA / UK residents (GDPR / UK GDPR)
If you are in the European Economic Area or the United Kingdom, you have the rights described above plus the right to lodge a complaint with your local data protection authority. Veyda does not currently operate in the EEA or UK; if you become a member while traveling, please be aware that data may be processed in the United States.
Other states
Members in Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive consumer-privacy laws have substantially the rights described above. Reach privacy@veyda.com to exercise them. [LEGAL REVIEW: confirm state-specific notice requirements.]
Appeals
If you disagree with how we handled a request, you may appeal by replying to the response email. Appeals are reviewed by a senior member of our privacy team and answered within 60 days.
Counsel review queue — California considerations
Not final policy text. The items below capture the California-specific regulatory considerations our counsel needs to address before we publish the production version of this Member Rights document. Source: internal product/engineering review, May 2026.
CCPA / CPRA — required disclosures
The current draft mentions CCPA at a high level. Counsel should expand to fully satisfy the statute:
- Categories of personal information collected (last 12 months): identifiers, financial, internet activity, geolocation, sensory (e.g., wearable signals), professional/employment, education, inferences, sensitive personal information (health, biometric, geolocation, etc.).
- Categories of sources: directly from member, from connected wearables/labs, from clinical partners, from analytics providers.
- Business or commercial purposes for each category.
- Categories of third parties the data is disclosed to.
- Categories sold or shared: explicit "We do not sell or share personal information" statement IF that's true. Audit Meta Pixel usage on marketing site — pixel placements may legally count as "sharing" under CPRA's broad definition.
- Limit Use of Sensitive Personal Information right disclosure.
- Authorized agent process: how members designate an agent (CCPA permits this), verification requirements.
Verification requirements
- For deletion requests of medical/sensitive data: heightened verification (CCPA regulations require "reasonable degree of certainty"). Document the verification flow.
- Authorized agent: written permission from consumer + agent verification by Veyda.
Right to limit use of SPI
- CCPA allows consumers to limit Veyda's use of sensitive personal information to what's necessary to provide the service. Health data is SPI. Build the in-portal toggle + email path.
State-by-state
- The catch-all line at the bottom is fine for soft launch but counsel should confirm we satisfy each state's notice + verification + appeal requirements (already flagged inline as *[LEGAL REVIEW]*):
  - VA (VCDPA): 45-day response, appeal within 60 days
  - CO (CPA): 45-day response, universal opt-out signal honoring
  - CT (CTDPA): similar to CO
  - UT (UCPA): opt-out only (no opt-in for SPI)
  - TX (TDPSA): opt-out for sensitive data
  - WA (My Health My Data Act): separate consent for "consumer health data" — applies broadly; very strict
  - NY (SHIELD Act): data security program
Children's data (CCPA tiers)
- Add age-tier disclosures from the Privacy Policy here too:
  - Under 13: parental consent required for sale/share
  - 13–15: opt-IN required for sale/share
  - 16+: opt-OUT default
Specific items to revise in this draft
- Add: full CCPA categories disclosure subsection.
- Add: "Right to limit SPI use" as its own bullet.
- Add: Authorized agent verification process detail.
- Confirm: state-specific notice requirements (already flagged inline).