Penny Consumer Health Data Privacy Policy
Version 1.0 — Effective March 24, 2026
Washington My Health My Data Act (RCW 19.373)
This Consumer Health Data Privacy Policy is provided pursuant to the Washington My Health My Data Act (RCW Chapter 19.373) and applies to (a) Washington residents and (b) natural persons whose consumer health data is collected in Washington. This policy is separate from and in addition to Penny's general Privacy Policy.
Penny is a pelvic health wellness tracking application operated by Baig Innovations, LLC, a Florida limited liability company.
Contact Information:
- Privacy Inquiries: privacy@baig-innovations.com
- Legal Matters: legal@baig-innovations.com
- Mailing Address: Baig Innovations, LLC, Orange County, Florida
1. Categories of Consumer Health Data Collected and Purposes
Under the Washington My Health My Data Act, "consumer health data" means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. Penny collects the following categories of consumer health data:
1.1 Health & Wellness Tracking Data
| Category | Examples | Purpose |
|---|---|---|
| Bathroom event data | Frequency, timing, urgency levels, characteristics | To document bathroom patterns and generate visualizations for you and your healthcare providers |
| Pain and discomfort data | Pain levels, body locations, intensity, duration, quality, triggers | To help you document discomfort experiences and identify patterns over time |
| Wellness check-in data | Mood, energy levels, stress levels, sleep quality ratings | To track daily wellness patterns and generate trend insights |
| Episode data | Episode descriptions, start/end dates, severity, triggers, associated experiences | To create chronological records of health episodes for documentation and provider communication |
| Treatment and medication data | Treatment names, types, start dates, effectiveness ratings, notes | To help you document treatments and track their perceived effectiveness over time |
| Appointment data | Appointment dates, provider names, locations, notes, follow-up items | To help you prepare for and document healthcare appointments |
| Diet and nutrition data | Food logs, dietary observations (if entered voluntarily) | To help you document dietary patterns that may relate to your wellness experiences |
| Menstrual cycle data | Cycle-related observations (entirely optional, user-initiated) | Stored only if you voluntarily enter this information; not processed, analyzed, or used for predictions |
| Free-form health notes | Personal observations, contextual notes (up to 500 characters) | To capture in-the-moment observations that may be relevant to your health patterns |
| Milestone data | Health-related milestones and dates | To help you track progress and significant events in your health journey |
| Condition data | Diagnosed conditions (user-reported) | To provide context for your tracking data and tailor the tracking experience |
1.2 Data Derived from Consumer Health Data
| Category | Purpose |
|---|---|
| AI-generated summaries | Episode AI Summaries, Stats Narrations, and Appointment Next-Steps Extractions generated by processing your health data through Anthropic's Claude AI (optional, premium feature, requires separate consent) |
| Pattern visualizations | Charts, calendars, and statistical summaries generated from your tracked data |
| PDF reports | Provider-ready reports combining your tracked health data for sharing with healthcare providers |
1.3 Data Collected in Connection with Health Data
| Category | Purpose |
|---|---|
| Account information | Email address, display name (optional) — to create and maintain your account |
| Device and technical information | Device type, operating system, app version, IP address — for security, fraud prevention, and geographic verification |
| Geographic verification data | Country code, verification method, success/failure — to confirm compliance with geographic availability requirements |
2. Categories of Sources from Which Consumer Health Data Is Collected
Penny collects consumer health data from the following sources:
- Directly from you: All health and wellness tracking data is entered voluntarily by you through the Penny app. You decide what to track and when.
- Generated from your data: AI-generated summaries, pattern visualizations, and reports are derived from data you have entered. AI processing occurs only with your separate, explicit consent.
- Collected automatically: Device information, IP address, and geographic verification data are collected automatically when you use the app, for security, service delivery, and compliance purposes.
Penny does not collect consumer health data from data brokers, third-party data sources, or any source other than you and your direct use of the app.
3. Categories of Consumer Health Data Shared
3.1 Sharing at Your Direction
- Healthcare provider reports: When you choose to export a PDF report or share data with a healthcare provider, you initiate and control that sharing.
- Data exports: When you request a data export, your health data is packaged and delivered to you. You control what happens with it after that.
3.2 Sharing with Service Providers (Necessary for Service Delivery)
The following categories of health data are shared with service providers as necessary to operate Penny:
| Data Category Shared | Service Provider | Purpose |
|---|---|---|
| All tracked health data (encrypted) | Supabase (database and backend provider) | Secure storage, synchronization, and retrieval of your data |
| De-identified health narrative text only (PII redacted before transmission) | Anthropic (AI provider — Claude AI) | Processing AI-powered features (Episode AI Summaries, Stats Narration, Appointment Next-Steps Extraction). Only activated with your separate consent. Your name, email, and account identifiers are NOT sent. |
3.3 Data NOT Shared
The following service providers do not receive any consumer health data:
- RevenueCat (subscription management) — receives only subscription status and anonymous user identifiers
- Resend (email delivery) — receives only your email address for transactional emails
- Apple / Google (payment processing) — receives only payment information, never health data
- Plausible Analytics / Fathom Analytics (privacy-preserving analytics) — do not collect personal data, do not use cookies, do not receive health data
3.4 No Sale of Consumer Health Data
Penny does not sell, rent, or trade consumer health data. Period.
3.5 Legal Requirements
We may disclose consumer health data if required by law, such as in response to a valid subpoena, court order, or other valid legal process. If legally permitted, we will notify you before any such disclosure.
4. Categories of Third Parties and Specific Affiliates with Whom Consumer Health Data Is Shared
As required by RCW 19.373.020(1)(d), the following is a complete list:
Third Parties Receiving Consumer Health Data
| Third Party | Category | Data Received | Contractual Restrictions |
|---|---|---|---|
| Supabase, Inc. | Cloud infrastructure / database provider | All tracked health data (encrypted in transit and at rest) | Binding data processor agreement in place pursuant to RCW 19.373.060, setting out processing instructions and limiting processor's activities to those necessary to provide services to Penny; processor is required to assist Penny in fulfilling its MHMD Act obligations by appropriate technical and organizational measures |
| Anthropic, PBC | AI processing provider | De-identified health narrative text only (PII redacted) | Contractually prohibited from using data to train AI models; data not retained after processing; stateless processing |
Affiliates
Baig Innovations, LLC does not have any affiliates or subsidiaries with whom consumer health data is shared.
5. Your Rights Under the Washington My Health My Data Act
As a Washington consumer, you have the following rights regarding your consumer health data:
5.1 Right to Know / Access
You have the right to confirm whether Penny is collecting, sharing, or selling your consumer health data, and to access that data. You can:
- View all data you've entered through the Penny app at any time
- Request a complete copy of your consumer health data by emailing privacy@baig-innovations.com. Our response will also include, to the extent applicable, a list of the third parties and affiliates with whom we have shared or sold your consumer health data, together with an active email address or other online mechanism you may use to contact them.
- Your access response will include a list of all third parties and affiliates with whom Penny has shared your consumer health data, including their names and contact information.
5.2 Right to Deletion
You have the right to request that Penny delete your consumer health data. You can:
- Use the "Delete My Account" feature in app settings
- Email privacy@baig-innovations.com to request deletion
Upon receiving a verified deletion request, we will:
- Delete your consumer health data from our active systems without undue delay and, in all cases, within 45 days of receipt of a verified request, unless an extension is permitted by applicable law.
- Delete consumer health data stored on archived or backup systems within the timeframe permitted by applicable law, which may be delayed as necessary to restore backup systems but will not exceed six months following authentication of your request.
- Notify all processors, affiliates, and other third parties with whom we have shared your consumer health data of your deletion request, and require them to delete your data.
- Confirm completion of deletion to you
5.3 Right to Withdraw Consent
You have the right to withdraw consent for the collection or sharing of your consumer health data at any time. You can:
- Withdraw AI consent: Disable AI features in your app settings at any time. This stops all future sharing of health data with Anthropic for AI processing. Previously generated AI content remains accessible but no new processing will occur.
- Withdraw all consent: Delete your account, which permanently removes all consumer health data as described in Section 5.2.
- Withdraw consent for specific tracking: Disable individual tracking categories (bathroom events, wellness checks, etc.) in your app settings at any time.
5.4 Right to Appeal
If we deny or are unable to fulfill your request, you have the right to appeal. To appeal:
- Email legal@baig-innovations.com with "MHMDA Appeal" in the subject line
- Include a description of your original request and the reason for appeal
- We will respond to your appeal within 45 days
- If your appeal is denied, we will provide you with an online mechanism or other method through which you may contact the Washington Attorney General to submit a complaint.
5.5 How to Exercise Your Rights
- Email: privacy@baig-innovations.com
- In-App: Settings → Privacy & Data (for data export, account deletion, and consent management)
- Response Time: We will acknowledge your request within 5 business days and fulfill verified requests within 45 days. Where reasonably necessary given the complexity or number of your requests, we may extend this period by an additional 45 days and will notify you within the initial 45-day period of the extension and the reason for it.
- No Charge: We will fulfill requests free of charge up to twice per calendar year. We reserve the right to charge a reasonable fee to cover administrative costs for requests that are manifestly unfounded, excessive, or repetitive beyond that limit.
- No New Account Required: We will not require you to create a new account in order to exercise any of your rights under this policy.
We will not discriminate against you for exercising any of these rights.
6. Consent Practices
6.1 Consent for Collection
Before collecting your consumer health data, Penny obtains your affirmative consent during account creation. You are presented with a clear description of the following, and you must affirmatively agree before your account is created: (1) the categories of consumer health data to be collected; (2) the purposes for collection and the specific ways Penny will use it; (3) the categories of third parties with whom Penny may share your consumer health data; and (4) how you may withdraw your consent at any time.
6.2 Consent for AI Data Sharing
Before sharing your consumer health data with our AI provider (Anthropic), Penny obtains separate, explicit consent through a dedicated AI consent screen during onboarding. This consent:
- Is separate and distinct from your general data collection consent
- Clearly identifies Anthropic as the third party receiving your data
- Explains what data is shared (health narrative text with direct identifiers removed or redacted, rather than data represented as "deidentified" for all legal purposes)
- Explains the purpose (generating summaries, narrations, and next-step extractions)
- Can be declined without affecting access to Penny's core features
- Can be revoked at any time through app settings
6.3 No Additional Collection or Sharing Without Consent
Penny will not collect additional categories of consumer health data, or use or share consumer health data for additional purposes, beyond what is disclosed in this policy without first updating this policy and obtaining your affirmative consent where required by applicable law.
7. Data Security
Penny implements the following security measures to protect your consumer health data:
- Encryption in transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
- Encryption at rest: Your data is encrypted when stored on our servers
- Access controls: Strict internal access controls; only authorized personnel can access systems containing consumer health data
- PII redaction: Before any health data is sent to our AI provider, personally identifiable information (email addresses, account identifiers) is redacted
- Data minimization: Only the specific data needed for each AI feature is sent for processing; full account data is never transmitted
- Regular security reviews: Ongoing security assessments and updates
- Privacy-preserving analytics: We use only Plausible Analytics and Fathom Analytics, which do not collect personal data or use cookies
- No prohibited geofencing: Penny does not use geofencing around healthcare facilities to identify or track consumers, collect consumer health data, or send health-related notifications, messages, or advertisements.
8. Changes to This Policy
We will notify you of material changes to this Consumer Health Data Privacy Policy by email and in-app notification. We will not collect, use, or share additional categories of consumer health data, or collect, use, or share consumer health data for additional purposes not disclosed in this policy, without first updating this policy and obtaining your affirmative consent.
9. Related Policies
- General Privacy Policy: penny.baig-innovations.com/privacy
- Terms of Service: penny.baig-innovations.com/terms
- Accessibility Statement: penny.baig-innovations.com/accessibility
This Consumer Health Data Privacy Policy is published pursuant to the Washington My Health My Data Act (RCW Chapter 19.373). For questions, contact privacy@baig-innovations.com.
© 2026 Baig Innovations, LLC. All rights reserved.