Consumer Health Data Privacy Policy
Plain-language summary
This page is required by Washington's My Health My Data Act (MHMDA), Nevada SB 370, and Connecticut's consumer-health-data amendment to the CTDPA. It tells you what consumer health data Mold Scanner AI collects from residents of those states, why, who we share it with, and how to exercise your rights.
If you do not use a feature that collects health-related information (a symptom-related quiz, the in-app home profile, or any tool that infers a health status), we do not collect consumer health data from you. We do not sell consumer health data. We do not use it for advertising or geofence tracking. You can withdraw consent and delete your consumer health data at any time by emailing hello@moldscanner.ai with the subject line "Health Data Request."
1. Who we are
"Mold Scanner AI", "we", "us", and "our" refer to Tested Media LLC, the operator of moldscanner.ai and the Mold Scanner AI mobile app.
Contact for health data requests: hello@moldscanner.ai · subject line "Health Data Request."
2. Categories of consumer health data we collect
Depending on which features of the Services you choose to use, we may collect the following categories of consumer health data, as defined under Washington MHMDA, Nevada SB 370, and Connecticut law:
- Self-reported symptom information — for example, free-text or multiple-choice answers about headaches, fatigue, sinus congestion, asthma, brain fog, or other physical/mental health states you choose to enter into a symptom-related quiz or the in-app home profile.
- Self-reported health conditions — for example, asthma, allergies, immunocompromise, pregnancy, or chemical sensitivities, when you choose to disclose them in the home profile.
- Self-reported household health context — for example, whether children, elderly residents, or pets live in the home, when you choose to disclose this context.
- Inferred environmental health risk — categorical risk levels (for example, "low / moderate / high environmental risk") that our software derives from the symptoms and home context you submit. Under MHMDA, derived health-status inferences are themselves consumer health data even when the source inputs were not.
- Photos that incidentally reveal health-related conditions — we do not ask for, and we do not encourage, photos of people. Where a photo you submit incidentally reveals health-adjacent conditions, we treat that photo as consumer health data only with respect to the incidental health information.
We do not collect biometric identifiers, lab results, prescription information, insurance information, or genetic data. We do not have access to medical records.
3. Sources of consumer health data
The only source of the consumer health data described above is you, when you voluntarily enter it into a feature that collects it. We do not buy consumer health data from data brokers, we do not infer health data from your browsing behavior on third-party websites, and we do not receive consumer health data from your healthcare providers.
4. Purposes for collection, use, and sharing
We collect and use consumer health data only for the following purposes, each of which is reasonably necessary to deliver the feature you requested:
- To generate the educational, environmental-screening output you asked for (for example, a symptom-context summary on a scan report).
- To tailor remediation guidance to the household context you disclosed (for example, recommending more conservative actions when the home includes someone with asthma).
- To diagnose product errors and improve the Services. We do this on aggregated and de-identified data wherever feasible.
- To meet our legal obligations and protect users from abuse of the Services.
We do not use consumer health data:
- For advertising of any kind, on or off our Services.
- For geofencing of healthcare facilities, identification of consumers near healthcare facilities, or tracking of consumers near healthcare facilities.
- To train any third-party AI foundation model. We do not opt in to provider-side training use of API inputs and outputs.
- To make eligibility, employment, insurance, or credit decisions about you.
5. Categories of third parties with whom we share consumer health data
We share consumer health data only with the service providers required to operate the Services and only to the extent needed for the purposes in Section 4. We do not sell consumer health data to anyone, ever, for any consideration. The current categories of recipients are:
| Recipient | Purpose | Health data it receives |
|---|---|---|
| Anthropic PBC | AI inference (Claude Opus 4.7) when a feature uses synthesis | Symptom-related text and home-context fields when the feature requires them; we minimize what is sent and we do not send fields outside the requested feature |
| OpenAI, L.L.C. | AI inference (fine-tuned vision classifier based on GPT-4o) when a feature uses photo classification | Photos and the prompt template; we do not send symptom-related home-profile fields to the classifier path |
| Vercel Inc. | API hosting and edge delivery | API request payload in transit (TLS); not retained beyond standard request logs |
| Supabase Inc. | Encrypted at-rest storage of report records | The report content you saved to your account, including any health-context fields you chose to include in the report |
We do not share consumer health data with advertisers, data brokers, marketing partners, social platforms, or affiliates.
If our list of recipients changes, we will update this page before the new recipient receives consumer health data, and we will obtain a new affirmative opt-in if required by applicable law.
6. Subprocessor protections
Each AI inference provider listed above processes API inputs under contracts that, at minimum, prohibit use of inputs and outputs to train the provider's foundation models absent a separate written opt-in (we do not opt in), and provide standard data-security and breach-notification commitments. We have not entered into a HIPAA Business Associate Agreement with either provider, and we do not transmit information that we identify as HIPAA Protected Health Information to either provider. The home-profile data described in this page is consumer health data under state law, but is not necessarily PHI absent a HIPAA-covered relationship.
7. Your rights
If you are a Washington, Nevada, or Connecticut resident (and even if you are not), you have the following rights with respect to your consumer health data:
- Right to know what consumer health data we have about you, the categories of recipients with whom we have shared it, and the active authorizations you have given.
- Right to withdraw consent for collection, use, or sharing at any time. Withdrawal stops future processing but does not invalidate processing that already happened lawfully.
- Right to delete your consumer health data, subject to limited exceptions where retention is required to comply with a legal obligation, defend a legal claim, or detect security incidents.
- Right to be free from discrimination for exercising any of the above rights.
To exercise these rights, email hello@moldscanner.ai with the subject line "Health Data Request" and tell us which right you want to exercise. We will verify your identity using the email address associated with your account or the email address you provided when using a tool. We will respond within the timeframe required by the applicable statute (Washington MHMDA: 45 days, extendable by 45 days where reasonably necessary, with notice to you).
You may authorize an agent to exercise your rights on your behalf. We will require the agent to provide written authorization signed by you and verification of the agent's identity.
8. Consent and revocation
We obtain unbundled, affirmative opt-in consent before collecting consumer health data from a Washington, Nevada, or Connecticut resident. We do not collect consumer health data from a hidden default, from continued use of the Services alone, or from a pre-checked box. The consent screen tells you, before you opt in, what categories of consumer health data the feature collects, the purposes for collection, and the categories of recipients (this page).
You may withdraw consent at any time at hello@moldscanner.ai. Withdrawal does not affect processing that has already happened in reliance on prior consent.
9. Security and retention
Consumer health data is transmitted over HTTPS, stored encrypted at rest in Supabase, and accessible only to a small number of personnel with operational need. Symptom and home-profile fields are retained for as long as your account is active and your report history exists, and are deleted upon your deletion request or upon account closure. Inference-API request logs that may transiently include consumer health data are retained for the standard request-log window required for security and abuse prevention (currently 30 days), then deleted.
10. No collection from children
The Services are not directed to children under 13. We do not knowingly collect consumer health data from a child under 13. If you believe a child has submitted consumer health data to us, email hello@moldscanner.ai and we will delete it.
11. Complaints to a regulator
Washington residents may file a complaint with the Washington State Office of the Attorney General at atg.wa.gov/file-complaint. Washington's MHMDA also provides a private right of action for violations.
Nevada residents may contact the Nevada Office of the Attorney General. Connecticut residents may contact the Connecticut Office of the Attorney General.
12. Changes to this policy
If we materially change this policy, we will update the "Last updated" date above and, where required by law, give you a separate notice and obtain a new opt-in before any material change in the categories of consumer health data we collect, the purposes for collection, or the categories of recipients.