Privacy Policy

‍

Anomaly Health Inc.
‍

Last Updated: February 9, 2026

This Privacy Policy explains how Anomaly Health Inc. ("Anomaly," "we," "us") collects, uses, discloses, and protects personal information when you use our websites, mobile applications, and related services (collectively, the "Services").
‍

1. Canada and United States Only
‍

Our Services are intended for individuals located in Canada or the United States. If you use the Services from outside Canada or the United States, we may suspend or terminate your access.
‍

2. Important Points Upfront
‍

No selling: We do not sell your personal information or your consumer health data.
No health-data ads: We do not share your consumer health data with advertising platforms for targeted advertising, and we do not share it with data brokers.
Security: We take security seriously and use safeguards commonly used in healthcare and financial-grade environments (encryption, access controls, monitoring, and vendor diligence).
Consumer-directed: Our Services are consumer-directed. You decide what to upload, connect, and share.
Clinician boundary: If you choose an optional session with an Independent Clinician, any clinical services are provided by that clinician. Official visit notes, if any, are kept in the clinician’s own EMR/EHR, not in Anomaly.
Government disclosure: We do not voluntarily disclose personal information to government agencies. If we receive a legally valid request, we respond as required by law and, where legally permitted, we notify you and challenge overbroad requests.
Security incidents: If we become aware of a security incident involving your personal information, we will provide notices as required by applicable law and without unreasonable delay.
‍

3. Definitions and Scope
‍

Personal information includes information that identifies or can reasonably be linked to you.
‍
Consumer health data includes health-related information you choose to upload or connect to the Services (for example, test results, records, symptoms, wearables).

Clinicians may be subject to healthcare privacy laws (including HIPAA in the United States) for information they create or store in their own systems. Anomaly’s consumer-directed Services are generally not operated as a HIPAA covered entity. We nonetheless apply strong safeguards and comply with applicable privacy laws as described here.
‍

4. What Information We Collect
‍

We collect information from three sources: (A) information you provide, (B) information from third parties you connect, and (C) information collected automatically.
‍

a. Information You Provide
‍

Account and contact information: name, email, phone number, address (if provided), login credentials, date of birth (if provided).

Wellness and health-related information you choose to provide: uploaded medical records, lab results, imaging reports, symptoms, goals, lifestyle information, medications you enter, family health history, dietary preferences, exercise routines, sleep patterns, and other health context.
‍

Communications: messages you send to support, feedback, survey responses, and any other communications with us.
‍

Payment information: if you pay for Services, payments are processed by our payment processors (for example, Stripe). We do not store your full card details, but we may receive transaction metadata (like amount, date, last four digits, and billing postal code).
‍

b. Information From Third Parties You Connect
‍

If you choose to connect third-party services (for example Apple Health, Oura, Whoop, Withings, Garmin, lab portals, genetic testing services), we receive the data you authorize those services to share.

This may include: activity data, sleep data, heart rate, heart rate variability, body temperature, blood oxygen levels, lab test results, and other biometric or health data available through the integration.
‍

c. Information Collected Automatically
‍

Device and usage data: IP address, browser type, device identifiers, operating system, app version, pages/screens viewed, timestamps, click patterns, feature usage, session duration, and interaction patterns.

Location data: approximate location derived from IP address. We do not collect precise geolocation unless you explicitly enable location services for a specific feature.

Cookies and similar technologies: used for authentication, preferences, performance, analytics, and security. You can manage cookies via your browser settings, though some features may not function properly if you disable essential cookies.
‍

5. How We Use Your Information
‍

We use personal information to:
‍

a. Provide the Services
‍

Account creation, authentication, and access control
Feature delivery (summaries, plans, checklists, coordination tools)
Customer support and troubleshooting
Processing transactions and managing subscriptions
‍

b. Enable AI-Powered Features
‍

Organizing health data into readable formats
Generating wellness-oriented summaries and planning outputs
Highlighting potential patterns or insights for your review
Improving quality and safety of AI-assisted features (using de-identified or aggregated data where feasible)
‍

c. Personalize and Improve the Services
‍

Tailoring the experience to your preferences and goals
Testing new features and analyzing usage patterns
Research and development to improve reliability, safety, and user experience
Developing new features and services
‍

d. Maintain Safety and Integrity
‍

Fraud prevention and detection
Abuse prevention and content moderation
Security monitoring and threat detection
Enforcing our Terms and policies
‍

e. Communicate With You
‍

Service notices and updates
Onboarding and educational content
Support responses
Marketing communications (you can opt out)
‍

f. Comply With Legal Obligations
‍

Responding to valid legal requests and court orders
Enforcing our rights and terms
Meeting applicable legal requirements
Protecting the rights, property, and safety of Anomaly, our users, and others
‍

6. How We Disclose Your Information
‍

We disclose personal information only as needed to operate the Services, protect our rights, or as required by law.
‍

a. Service Providers (Subprocessors)
‍

We use vendors for hosting, storage, databases, analytics, monitoring, customer support, communications, payment processing, and AI processing. Examples may include:

Cloud hosting and infrastructure: AWS, Google Cloud Platform, or similar providers
AI and machine learning: OpenAI, Anthropic, or similar providers for AI-powered features (using enterprise or health-grade offerings where available)
Security and monitoring: providers for logging, threat detection, and security operations
Payment processing: Stripe or similar payment processors
Communications: email service providers, SMS providers, and customer support platforms
Analytics: providers for usage analytics and performance monitoring
‍

Our subprocessor management:

We use written agreements requiring appropriate data protection measures
We perform vendor due diligence before engagement
We limit vendor access to only what is necessary to provide their service
We periodically review vendor security practices
‍

Current subprocessor list: Available upon request at privacy@anomaly.health. We will update this list as vendors are added or changed.
‍

Important note: While we choose reputable vendors and contract for protections, no vendor is risk-free. To the maximum extent permitted by law, Anomaly is not responsible for security incidents caused solely by a third-party service provider outside our reasonable control.
‍

b. Independent Clinicians (If You Request a Session)
‍

If you request an optional virtual session with an Independent Clinician, you may choose to share relevant information with them through the Services.

Clinicians are independent third parties, not Anomaly employees
Clinicians may have their own privacy practices for information you share with them or that they create as part of clinical services
Official visit notes, if any, are maintained by the Independent Clinician in their own EMR/EHR or record keeping system, not by Anomaly
‍

c. Legal Process and Protection
‍

We do not voluntarily disclose personal information to government agencies. We may disclose information if:

Required by applicable law or valid legal process (for example, court order, subpoena)
Necessary to protect the rights, property, or safety of Anomaly, our users, or others
Necessary to detect, prevent, or address fraud, security, or technical issues
Necessary to enforce our Terms or investigate potential violations
‍

Where legally permitted, we will:

Limit disclosures to what is legally required
Notify you of requests for your information (unless prohibited by law or court order)
Challenge overbroad or inappropriate requests
‍

d. Business Transactions
‍

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be:

Disclosed during due diligence (under confidentiality agreements)
Transferred as part of the transaction
‍

We will notify affected users where required and require the acquiring party to honor the commitments in this Privacy Policy (or obtain consent for material changes, as required).
‍

e. With Your Consent
‍

We may disclose information for other purposes with your explicit consent.
‍

7. No Sale, No Targeted Ads Using Consumer Health Data
‍

No sale: We do not sell your personal information or consumer health data.
No targeted advertising using consumer health data: We do not share consumer health data with ad platforms (for example, Facebook, Google Ads) for targeted advertising, and we do not build advertising profiles using your health data.
No data brokers: We do not share consumer health data with data brokers, information resellers, or list sellers.
‍

Marketing our own Services: We may send you marketing emails about Anomaly features, updates, or educational content. You can opt out using the unsubscribe link in any marketing email.
‍

De-identified data: We may create de-identified or aggregated data (where individual users cannot reasonably be identified) and use it for analytics, research, and improving our Services. This is not a sale of personal information.
‍

8. AI and Automated Processing
‍

Some features use AI and automated tools to help organize information and generate summaries, insights, and wellness-oriented outputs.
‍

What AI Does
‍

Analyzes uploaded records and connected data to identify and organize key information
Generates plain-language summaries and wellness planning outputs
Suggests priorities or next steps in a wellness context
Helps coordinate information for optional clinician sessions
‍

AI Limitations and Safeguards
‍

AI outputs can be incomplete, incorrect, or inappropriate
You should not use AI outputs as medical advice, diagnosis, or treatment
We use monitoring, content filtering, and safety controls designed to reduce harmful outputs
We limit AI use to wellness and organizational functions, not diagnosis or treatment recommendations
We use AI models under enterprise agreements with appropriate data protections where available
‍

How We Improve AI
‍

We may use usage data and interactions to improve quality and safety of our AI-assisted features
Where feasible, we use de-identified or aggregated data for evaluation and improvement
We do not allow AI vendors to use your identifiable health data for their own advertising purposes
‍

9. Security Practices
‍

We apply administrative, technical, and physical safeguards designed to protect personal information.
‍

Technical Safeguards
‍

Encryption in transit: TLS 1.2 or higher for data transmitted over networks
Encryption at rest: AES-256 or equivalent for stored data
Access controls: role-based access with least-privilege principles and multi-factor authentication for team members
Network security: firewalls, intrusion detection, and network segmentation
Secure development: security testing, code review, and vulnerability scanning
‍

Organizational Safeguards
‍

Staff training: regular training on data handling, privacy, and security
Background checks: for team members with access to sensitive data (where lawful and appropriate)
Policies and procedures: written policies for data handling, incident response, and vendor management
Vendor oversight: due diligence, contractual protections, and periodic review of Service Providers
‍

Operational Safeguards
‍

Audit logging: logs of access and changes to sensitive data
Monitoring and alerts: detection of unusual access patterns or security threats
Incident response: procedures to investigate, contain, and remediate incidents
Regular review: periodic security assessments and updates to safeguards
‍

No method of transmission or storage is 100% secure. While we work diligently to protect your information, we cannot guarantee absolute security.
‍

10. How We Respond to Security Incidents
‍

If we become aware of a security incident involving unauthorized access to personal information:

Investigation and containment: we investigate to understand scope and impact and take steps to stop and remediate
User notification: we provide notices as required by applicable law and without unreasonable delay
Guidance: we provide practical steps you can take (for example, password reset)
Regulatory notification: we notify regulators where required
‍

Report security concerns to: security@anomaly.health
‍

11. Data Retention
‍

We retain personal information as long as necessary to:

Provide the Services and maintain your account
Meet legal, accounting, tax, and regulatory requirements
Resolve disputes and enforce agreements
Maintain security and prevent fraud
‍

Typical Retention Periods (May Vary by Context and Legal Requirements)
‍

Account data: while your account is active and for up to 30 days after closure (to allow recovery), subject to lawful retention
Health-related data you store in Anomaly: while your account is active and for up to 30 days after closure, unless you request earlier deletion or retention is required by law
Support communications: typically up to 2 years
Transaction records: typically up to 7 years for tax and accounting
Logs and security data: typically up to 12 months or longer if needed for investigations
‍

After retention periods expire, we delete or de-identify data where feasible. Backup systems may take additional time to cycle out.
‍

12. Your Choices and Rights
‍

Depending on where you live (Canada and applicable U.S. state laws), you may have rights to:

Access: request a copy of personal information we hold about you
Correction: request correction of inaccurate information
Deletion: request deletion of personal information (subject to legal, security, and transactional exceptions)
Portability: receive certain information in a portable format (where feasible)
Withdraw consent: where processing is based on consent, you may withdraw it
Opt out of marketing: unsubscribe from marketing emails
‍

How to Exercise Your Rights
‍

Email: privacy@anomaly.health
Include: your name, email, and a description of your request
Verification: we may verify your identity before fulfilling requests
Timing: we respond within timelines required by applicable law (typically 30-45 days)
‍

Marketing Opt-Out
‍

Use the unsubscribe link in any marketing email.
‍

Cookies
‍

Adjust browser settings to block or delete cookies. Some features may not work without essential cookies.
‍

13. Children
‍

The Services are not intended for individuals under 18, and we do not knowingly collect personal information from children under 18. If we learn we have collected such information, we will delete it.
‍

14. Cross-Border Processing
‍

We may process and store information in Canada and the United States and may use Service Providers located in those countries (and, in limited cases, other jurisdictions). Information may be subject to lawful access by authorities in the jurisdiction where it is processed. We use measures designed to protect information during cross-border processing.
‍

15. Changes to This Privacy Policy
‍

We may update this Privacy Policy to reflect changes in our practices, Services, or legal requirements.

We will revise the "Last Updated" date
For material changes, we will provide notice through the Services, via email, or other reasonable means at least 30 days before changes take effect
We will not materially reduce your rights under this Privacy Policy without your consent where required by law
‍

16. Contact Us
‍

Privacy questions and rights requests: privacy@anomaly.health
Security concerns: security@anomaly.health
General support: hello@anomaly.health

‍

Privacy Policy

Anomaly Health Inc.‍

1. Canada and United States Only‍

2. Important Points Upfront‍

3. Definitions and Scope‍

4. What Information We Collect‍

a. Information You Provide‍

b. Information From Third Parties You Connect‍

c. Information Collected Automatically‍

5. How We Use Your Information‍

a. Provide the Services‍

b. Enable AI-Powered Features‍

c. Personalize and Improve the Services‍

d. Maintain Safety and Integrity‍

e. Communicate With You‍

f. Comply With Legal Obligations‍

6. How We Disclose Your Information‍

a. Service Providers (Subprocessors)‍

b. Independent Clinicians (If You Request a Session)‍

c. Legal Process and Protection‍

d. Business Transactions‍

e. With Your Consent‍

7. No Sale, No Targeted Ads Using Consumer Health Data‍

8. AI and Automated Processing‍

What AI Does‍

AI Limitations and Safeguards‍

How We Improve AI‍

9. Security Practices‍

Technical Safeguards‍

Organizational Safeguards‍

Operational Safeguards‍

10. How We Respond to Security Incidents‍

11. Data Retention‍

Typical Retention Periods (May Vary by Context and Legal Requirements)‍

12. Your Choices and Rights‍

How to Exercise Your Rights‍

Marketing Opt-Out‍

Cookies‍

13. Children‍

14. Cross-Border Processing‍

15. Changes to This Privacy Policy‍

16. Contact Us‍