Last updated: 2026-05-16
Washington My Health My Data Act — Notice and Statement
This page is the dedicated notice and statement Gila publishes for Washington State residents under the My Health My Data Act, codified at chapter 19.373 of the Revised Code of Washington (RCW). It supplements — and does not replace — Gila's main Privacy Policy and Health Data Notice. Where MHMDA imposes a stricter standard than other privacy laws covering you, the MHMDA standard applies.
If anything here is unclear, email dpo@gila.coach and we will explain it. The authoritative text of the statute is at https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.
1. Why this notice exists
The Washington legislature passed the My Health My Data Act in 2023 to extend strong privacy protections to consumer health data that has historically fallen outside HIPAA — including data collected by mobile applications, websites, and connected devices that track weight, calories, food intake, medication use, exercise, sleep, mood, biometric measurements, and other indicators of past, present, or future physical or mental health.
Gila is exactly the type of service the legislature had in mind: a behaviour-change companion for people on GLP-1 medications that records body weight, GLP-1 medication name and dose, injection zone, side effects, mood, dietary intake (including calories and macronutrients), and synced fitness signals from Apple Health or Health Connect. Every one of those data points is consumer health data within the meaning of RCW 19.373.020.
We treat MHMDA as a meaningful obligation rather than a checkbox. Globally — not just for Washington residents — we run our health-data flows on the MHMDA standard: explicit affirmative opt-in consent before collection, a separate explicit authorisation before any sale (which we do not engage in), no geofencing, and a documented consumer-rights pathway. This decision is recorded in our internal decision log (decision #6).
2. What MHMDA covers — "consumer health data"
RCW 19.373.020(8) defines consumer health data as "personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status." The statute lists, without limitation:
- Individual health conditions, treatment, diseases, or diagnoses
- Social, psychological, behavioral, and medical interventions
- Health-related surgeries or procedures
- Use or purchase of prescribed medication
- Bodily functions, vital signs, symptoms, or measurements
- Diagnoses or diagnostic testing, treatment, or medication
- Gender-affirming care information
- Reproductive or sexual health information
- Biometric data
- Genetic data
- Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies
- Data that identifies a consumer seeking health care services
- Any information that a regulated entity (or its processor) processes to associate or identify a consumer with the data above, derived or extrapolated from non-health information
Applied to Gila, the following categories we collect are unambiguously consumer health data:
| Gila data category | MHMDA classification |
|---|---|
| Body weight (manual or HealthKit / Health Connect synced) | Bodily measurement → consumer health data |
| GLP-1 medication name, dose, injection zone, injection date, pain level | Use of prescribed medication → consumer health data |
| Side-effect log (description, severity, date, notes) | Symptoms → consumer health data |
| Mood entries (label, emoji, description, notes) | Mental-health status → consumer health data |
| Meal logs, calorie counts, macronutrient totals, food photographs | Bodily measurements + medical/behavioural intervention → consumer health data |
| Apple Health / Health Connect signals (steps, sleep, heart rate, active minutes, calories in) | Vital signs and bodily measurements → consumer health data |
| Journal entries and free-text notes that reveal physical or mental state | Health condition, mental-health status → consumer health data |
| AI-derived health insights, weekly briefings, activity-goal AI output | Information derived or extrapolated to identify a consumer with health data → consumer health data |
| Habit evidence photos that reveal body image or environment | Information that may reveal physical health condition → potentially consumer health data |
We do not collect gender-affirming care information, reproductive-health surgery records, genetic data, or precise geolocation that could be used to infer health-care visits. If you submit free-text journal content that incidentally reveals any of those categories, it is protected by the same MHMDA controls described below.
3. Consent — RCW 19.373.030
3.1 What MHMDA requires
RCW 19.373.030 requires a regulated entity to obtain a consumer's consent before collecting consumer health data beyond what is strictly necessary to provide a product or service the consumer has requested. Separate, additional consent is required for sharing consumer health data (RCW 19.373.030(2)), and a separate signed valid authorization is required for any sale (RCW 19.373.110 — see §6 below).
Under RCW 19.373.020(7), "consent" means a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement. Consent must be obtained through an interaction that:
- Is freely given — not bundled with a different purpose, not coerced
- Is specific — separately requested for each purpose, not a generic blanket acceptance
- Is informed — the consumer is told the categories of data, purposes, categories of recipients, the right to withdraw, and how to withdraw
- Is opt-in — pre-ticked boxes, inactivity, or silence do not count
- Is a clear affirmative action — a deliberate, conscious tap or click
- Is unambiguous
The statute expressly invalidates consent obtained through dark patterns. A user interface designed to subvert or impair user autonomy, decision-making, or choice — for example, hiding the "decline" option, requiring more steps to decline than to accept, or repeatedly nagging until the user accepts — does not produce valid consent under MHMDA.
3.2 How Gila collects MHMDA-grade consent
Before any field listed in §2 is written to our database, we present an in-app consent gate (LegalConsentGate in lib/widgets/legal/) with the following properties:
- Health-data consent is a separate checkbox, granular by purpose (health tracking, AI features, community sharing each have their own affirmative action)
- The "Accept" and "Decline" controls are visually equivalent — no dark-pattern weighting
- The screen states the categories of consumer health data we collect, the purposes, the recipients (Supabase US, Google Gemini US for AI features, Apple Health or Health Connect on-device only, and the on-device store)
- A link to this MHMDA notice and to the Health Data Notice is rendered above the consent control
- A "Withdraw consent" affordance is available at any time through our self-service rights form or by emailing dpo@gila.coach
A consent receipt is persisted in the public.consent_log table on a per-acceptance basis. The receipt records policy version, accepted categories, jurisdiction (if known), timestamp, source surface (app_onboarding, app_settings, web_signup, etc.), and the device user-agent. The receipt is append-only and survives account deletion as audit evidence, so we can demonstrate the affirmative-action standard to the Washington Attorney General on request.
3.3 Withdrawing consent
You can withdraw consent at any time. Withdrawal is as easy to perform as giving consent: visit our self-service rights form or email dpo@gila.coach to withdraw any consent. We action withdrawal as soon as the verified request lands and typically complete it within 24 hours. Withdrawal stops future collection of the affected category immediately. It does not retroactively invalidate processing that was lawful when performed. Per RCW 19.373.090(1)(c), you may also request deletion of consumer health data that was previously collected — see §8.
4. What we collect, what we use it for
For every consumer-health-data category in §2, the sole purpose of processing is to provide the Gila service to you. Specifically:
- Show you your own weight, medication adherence, side effects, mood, food, and habit trends over time
- Personalise habit suggestions and AI coaching (only if you have separately consented to AI features)
- Send you the in-app insights, weekly briefings, and progress recaps you have asked for
- Back up your data so that signing in on a new device restores your history
- Allow you to share a specific habit or stack to the Community Library, if you choose, in which case the published content becomes visible to other Gila users (this is gated by a separate affirmative submission action and is the only context in which any consumer-health-data-derived content becomes visible outside your account)
The full per-feature breakdown lives in our Privacy Policy §3 and in the Health Data Notice. The internal Records of Processing Activities lists each processing activity with categories, purposes, recipients, and retention.
5. Recipients of consumer health data
We list every processor that can possibly receive consumer health data on the subprocessor list. The current set:
| Processor | Role | Location | Consumer-health-data scope |
|---|---|---|---|
| Supabase (PostgreSQL + auth + storage + edge runtime) | Primary data store | United States (us-east-2, Ohio) | All consumer health data |
| Google Gemini API | AI features (food vision, AI coaching, report narrative, weekly briefing) | United States | Per-request curated context only when an AI feature is invoked AND you have separately consented to AI features. Google's API terms state prompts are not used to train Gemini, and the "no training" flag is set on each request. |
| Apple HealthKit (iOS) / Health Connect (Android) | On-device health data source | On your device | We receive a synced summary into Supabase only if you grant the OS-level read permission; the underlying detailed data stays on your device. |
| Firebase Cloud Messaging | Push delivery | United States | Push payloads are deliberately written to be non-revealing of health content (for example, "time for a check-in" rather than "time for your Wegovy shot"). |
| Sentry | Error tracking | United States | Pseudonymised user ID and error breadcrumbs only. Per our engineering guidelines, no consumer-health-data values are attached to error events; if a leak is discovered we treat it as a privacy incident under our 72-hour notification commitment. |
| PostHog | Product analytics | United States | Pseudonymised user ID and event names only. Per our engineering guidelines, no consumer-health-data values are emitted to analytics; same incident-treatment commitment applies. |
Each processor is bound by a written contract (GDPR Article 28-equivalent processor terms or a HIPAA-style business-associate obligation) that prohibits the processor from selling consumer health data, from using it for the processor's own purposes, and from re-disclosing it outside our direction. Processors are required to delete or return consumer health data upon termination of the processing relationship.
We do not disclose consumer health data to data brokers, advertising networks, ad-tech vendors, or insurance carriers. We do not allow any third-party advertising pixel or cross-context behavioural-advertising tag on the gila.coach website. Gila does not run advertising.
6. Sale of consumer health data — RCW 19.373.110
Gila does not sell consumer health data, and we have no plan or intention to do so.
RCW 19.373.110 prohibits a regulated entity or small business from selling, or offering for sale, consumer health data without first obtaining the consumer's valid authorization. A "valid authorization" under RCW 19.373.110(1) is a separate, written document signed by the consumer that contains:
- The specific consumer health data concerning the consumer that the person intends to sell
- The name and contact information of the person collecting and selling the consumer health data
- The name and contact information of the person purchasing the consumer health data from the seller
- A description of the purpose for the sale, including how the consumer health data will be gathered and how it will be used by the purchaser when sold
- A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization
- A statement that the consumer has a right to revoke the valid authorization at any time and a description of how to submit a revocation
- A statement that the consumer health data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected by RCW 19.373
- An expiration date for the valid authorization that expires one year from when the consumer signs the valid authorization
- The signature of the consumer and the date
Because we do not sell consumer health data, we do not issue, request, or rely on any such authorisation. If our business model were ever to change to include a transaction that would constitute a sale within the meaning of RCW 19.373.020(28) ("the exchange of consumer health data for monetary or other valuable consideration"), we would:
- Update this notice and our Privacy Policy 30 days before the change takes effect
- Build a separate, MHMDA-compliant signed authorisation flow per RCW 19.373.110
- Make participation entirely optional — service would remain fully available to consumers who decline
For clarity: routine processor relationships in which we direct a processor to handle consumer health data on our behalf, with no monetary or valuable consideration flowing in either direction for the consumer health data itself, are not "sales" under RCW 19.373.020(28). Disclosures to fulfil a service you requested, or disclosures with your direction, are also not sales.
7. Geofencing — RCW 19.373.100
RCW 19.373.100 makes it unlawful for any person to implement a geofence around an entity that provides in-person health-care services where such geofence is used to (a) identify or track consumers seeking health-care services, (b) collect consumer health data from consumers, or (c) send notifications, messages, or advertisements to consumers related to their consumer health data or health-care services.
A geofence under RCW 19.373.020(11) is technology that uses GPS coordinates, cell-tower connectivity, cellular data, radio-frequency identification, Wi-Fi data, or any other form of spatial or location detection to establish a virtual boundary that is 2,000 feet or less from the perimeter of a physical location.
Gila does not implement any geofence — around health-care facilities or anywhere else. We do not collect precise device geolocation, we do not condition collection or messaging on the consumer being within a defined geographic radius of any place, and we do not infer health-care visits from device location. Our mobile app does not request location permissions at all. Apple Health and Health Connect data syncs we ingest are health and fitness measurements, not location coordinates.
8. Consumer rights — RCW 19.373.090
Washington residents whose consumer health data Gila holds have the following rights, exercisable free of charge:
| Right | Statute | What it means at Gila |
|---|---|---|
| Right to confirm | RCW 19.373.090(1)(a) | Confirm whether we are collecting, sharing, or selling your consumer health data, and access that data |
| Right to a list of recipients | RCW 19.373.090(1)(a)(ii) | Receive a list of all third parties and affiliates with whom we have shared or sold your consumer health data, plus an active email or other contact for each |
| Right to withdraw consent | RCW 19.373.090(1)(b) | Withdraw consent from our collection and sharing of consumer health data at any time |
| Right to deletion | RCW 19.373.090(1)(c) | Have your consumer health data deleted — including a directive to all processors and third parties with whom the data has been shared |
| Right to non-discrimination | RCW 19.373.040(2)(d) | We may not deny you the Gila service for exercising any of the above rights |
8.1 How to exercise these rights
Two channels, both free, both designed to be the easiest available:
- Self-service web form — visit `/dsar`, select Washington (MHMDA) as your jurisdiction, and tell us which right you are exercising. We will email you a verification link to confirm the request is yours.
- Email — write to dpo@gila.coach stating your right and a contact email associated with your Gila account. We may ask for a small additional data point (an in-app event identifier or the email on file) to verify you, but we will not require you to create an account or to provide additional personal information beyond what is reasonably necessary to authenticate you.
8.2 How we respond — RCW 19.373.090(2)–(3)
- We acknowledge the request within 10 days of receipt
- We complete the request within 45 days of receipt
- For complex requests, we may extend by an additional 45 days (90 days total) and will notify you of the extension and the reason within the initial 45-day window
- We provide the response in a portable, readily usable format that allows you to transmit the data to another controller
- You may exercise each right free of charge up to twice in any 12-month period; for requests beyond that which are manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee covering administrative costs, per RCW 19.373.090(4)
8.3 Authorised agents
You may designate an authorised agent to exercise these rights on your behalf. We will accept the request if:
- The agent provides written, signed authorisation from you (a power of attorney is also accepted), and
- We can verify the agent's identity by a reasonable method, and
- We can independently verify your identity (we may ask you to confirm the request directly)
8.4 Appeals
If we deny your request, we will tell you why in writing within the response window and explain how you can appeal. To appeal, reply to our denial email or write to dpo@gila.coach with subject line "MHMDA appeal". We will decide the appeal within 45 days of receipt and respond with our written reasoning. If we still deny your request, we will tell you how to file a complaint with the Washington State Attorney General (see §10).
9. Private right of action — RCW 19.373.140
This section is required by RCW 19.373.140 and is the single most important paragraph in this notice from a litigation-risk perspective. We highlight it for you so there is no ambiguity:
A violation of RCW 19.373 by Gila is an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of the Washington Consumer Protection Act, chapter 19.86 RCW. Per RCW 19.86.090, any person injured in their business or property by a violation of chapter 19.86 RCW may bring a civil action in a court of competent jurisdiction to enjoin further violations and to recover actual damages, together with the costs of the suit, including a reasonable attorney's fee. The court may, in its discretion, increase the damages award up to three times the actual damages sustained, with that increased award capped at $25,000.
In plain language: if Gila were to violate MHMDA in a way that injured you, you would have a direct right to sue us in Washington state court. You do not need to file an Attorney-General complaint first, and you do not need to wait for any agency action.
We take this exposure seriously. Our compliance posture — explicit affirmative consent before any consumer-health-data collection, no sale, no geofencing, no advertising, processor contracts with deletion and audit obligations, encryption in transit and at rest, RLS on every Supabase table, consent receipts in public.consent_log — is built around minimising the likelihood of a litigable MHMDA breach. We document our practices in the internal Records of Processing Activities, Data Inventory, DPIA, and TIA so that, if a question is ever raised, we have the contemporaneous evidence to answer it.
10. Washington Attorney General complaint
In addition to (or instead of) a private civil action, you may file a complaint with the Washington State Attorney General. The Attorney General has independent authority to enforce MHMDA under RCW 19.373.140 and the Consumer Protection Act.
- Online complaint form: https://www.atg.wa.gov/file-complaint
- Attorney General consumer protection page: https://www.atg.wa.gov
- Telephone: 1-800-551-4636 (Consumer Resource Center)
Filing a complaint with the Attorney General does not waive your private right of action.
11. Security — RCW 19.373.080
We maintain administrative, technical, and physical safeguards that reasonably protect the security of consumer health data appropriate to the volume and nature of the consumer health data we hold:
- TLS 1.3 for all data in transit between the Gila app and our backend, and between our backend and processors
- AES-256 at-rest encryption for the Supabase Postgres database (managed by AWS RDS in the `us-east-2` region) and for `storage.objects` (photo bucket)
- Row-level security (RLS) on every Supabase table that holds consumer health data, scoped to `auth.uid() = user_id`, so that even an authenticated session cannot read another user's rows
- OAuth state + PKCE for Google and Apple sign-in flows
- Session JWTs expire after 1 hour, after which the session must be refreshed
- Telemetry boundary discipline — PostHog and Sentry receive a hashed identifier rather than your email. Per our engineering guidelines, no consumer-health-data values (`weight_kg`, `dose_mg`, `total_calories`, `medication_name`, journal text, etc.) are attached to analytics or error events; a best-effort denylist scrubber strips known-bad keys as defence-in-depth, and any leak is treated as a privacy incident under our 72-hour notification commitment
- Push payload minimisation — notification text is deliberately non-revealing of health context
- Pooler-backed database access from edge functions for consistent rate-limiting and authentication
- Sub-processor written contracts require equivalent safeguards
- Sole-operator access — Gila is operated by a single person, and elevated database access is logged in the Supabase audit log
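The denylist scrubber mentioned under telemetry boundary discipline, as an added example in TypeScript that is not Gila's own code: it has the shape of a Sentry `beforeSend` hook, redacts consumer-health keys whatever their spelling (snake_case, camelCase, kebab-case, with or without a prefix such as `user_`), survives cyclic objects, and returns the redacted paths so the caller can raise the leak as an incident. The key names `weight_kg`, `dose_mg`, `total_calories` and `medication_name` come from the list above; every other key name, the event layout and the sample values are assumptions for the example.

```typescript
// Added example, not Gila's code: a defence-in-depth telemetry scrubber in
// the shape of a Sentry beforeSend / PostHog sanitize hook. Event layout and
// sample values are assumptions; the first four denylist names are the ones
// quoted in the notice, the rest are assumed field names.

type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

// Key names that must never leave the app in an analytics or error event.
const DENYLIST_KEYS: string[] = [
  "weight_kg", "dose_mg", "total_calories", "medication_name",
  "injection_zone", "pain_level", "side_effect", "mood", "journal", "notes",
  "email", // PII rather than health data, but only a hashed id may be sent
];

// weightKg, weight-kg, "weight kg" and weight_kg all normalise to weight_kg.
function normaliseKey(key: string): string {
  return key
    .replace(/([a-z0-9])([A-Z])/g, "$1_$2")
    .replace(/[-\s.]+/g, "_")
    .toLowerCase();
}

const DENY: string[] = DENYLIST_KEYS.map(normaliseKey);

// Token-boundary match: "user_weight_kg" and "weight_kg_delta" are denied,
// "weightless" is not. Padding with underscores turns equality, prefix,
// suffix and infix matches into one indexOf check.
function isDenied(key: string): boolean {
  const padded = "_" + normaliseKey(key) + "_";
  return DENY.some((d) => padded.indexOf("_" + d + "_") !== -1);
}

function scrubNode(value: Json, path: string, leaked: string[], ancestors: object[]): Json {
  if (value === null || typeof value !== "object") return value;
  // Ancestor check rather than a global "seen" set: a sub-object referenced
  // twice is scrubbed twice, while a genuine cycle terminates.
  if (ancestors.indexOf(value) !== -1) return "[circular]";
  ancestors.push(value);
  let result: Json;
  if (Array.isArray(value)) {
    result = value.map((item, i) => scrubNode(item, path + "[" + i + "]", leaked, ancestors));
  } else {
    const out: { [key: string]: Json } = {};
    for (const k of Object.keys(value)) {
      const p = path ? path + "." + k : k;
      if (isDenied(k)) {
        leaked.push(p);
        out[k] = "[redacted]"; // keep the key so the redaction is visible in the event
      } else {
        out[k] = scrubNode(value[k], p, leaked, ancestors);
      }
    }
    result = out;
  }
  ancestors.pop();
  return result;
}

interface ScrubResult { event: Json; leaked: string[]; }

// Pure function: a scrubbed copy of the event plus the dotted paths redacted.
function scrubTelemetry(event: Json): ScrubResult {
  const leaked: string[] = [];
  const cleaned = scrubNode(event, "", leaked, []);
  return { event: cleaned, leaked: leaked };
}

// Hook shape used by Sentry's beforeSend (event in, event out). The scrubbed
// event is still sent so the underlying error stays diagnosable; onLeak is
// the caller's incident path and receives key paths only, never values.
function beforeSend(event: Json, onLeak: (paths: string[]) => void): Json {
  const r = scrubTelemetry(event);
  if (r.leaked.length > 0) onLeak(r.leaked);
  return r.event;
}

// Constructed sample (not real telemetry): an error event where a state
// breadcrumb and an "extra" blob carried values that must not be attached.
const SAMPLE_EVENT: Json = {
  event_id: "c0ffee01",
  message: "weight sync failed",
  user: { id: "sha256:3f7a9c", email: "alice@example.com" },
  breadcrumbs: [
    { category: "http", data: { url: "/rest/v1/weights", status: 500 } },
    { category: "state", data: { weightKg: 81.2, totalCalories: 1830 } },
  ],
  extra: {
    medication: { medicationName: "constructed-drug", dose_mg: 0.5, injectionZone: "abdomen" },
    retries: 3,
  },
};

const demo = beforeSend(SAMPLE_EVENT, (paths) =>
  console.log("privacy incident, redacted: " + paths.join(", ")));
console.log(JSON.stringify(demo));
```

Returning the scrubbed event rather than dropping it keeps the error diagnosable, and reporting paths instead of values means the incident record does not itself become a second copy of the leaked data.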
If a breach affecting Washington residents occurred, we would notify affected consumers and the Washington Attorney General consistent with our Breach Response Playbook and applicable Washington law including RCW 19.255 (Washington's data-breach notification statute).
12. Children
Gila has a 16-and-over self-attested age gate (see Privacy Policy §11). MHMDA itself does not impose a separate age threshold for consumer-health-data collection, but federal COPPA applies to under-13 users and we do not knowingly serve or collect data from anyone under 16. If we learn that we have collected consumer health data from a person under 16, we will delete it promptly under our standard right-to-delete workflow.
13. Updates to this notice
We will update this MHMDA notice whenever:
- The text of RCW 19.373 or its implementing rules changes
- The Washington Attorney General issues guidance that materially affects our practices
- Our processing of consumer health data materially changes (for example, a new AI provider or a new feature category)
- A material processor change affects how consumer health data flows
We will give you at least 30 days' notice before any change that reduces our consumer-health-data protections takes effect, by email (if you have an account) and by an in-app banner.
The "Last updated" date at the top of this page is the current version date.
14. Contact
For any MHMDA question or request:
- Email: dpo@gila.coach
- Self-service: `/dsar` (select Washington (MHMDA))
- Mailing address: Karya Evleri 3/18, Ataşehir Mahallesi, Çiğli, İzmir, Türkiye
For the avoidance of doubt, our Data Protection Officer (Sezen Soykut) is also the privacy contact for MHMDA matters. We acknowledge MHMDA inquiries within 10 days and respond substantively within 45 days as required by RCW 19.373.090.