Consumer Health Data Privacy Policy

This policy explains specifically how Clarion Labs collects, uses, shares, retains, and protects consumer health data: biomarker values, uploaded lab reports, symptom check-ins, medication and supplement entries, and anything else that reveals information about your physical or mental health status.

We publish this as a standalone document because Washington's My Health My Data Act (MHMDA) — and similar laws in Nevada and Connecticut — require a separate health data privacy notice that is distinct from our main privacy policy. For everything else we do, see our general privacy policy.

Categories of health data we collect

Lab uploads. PDF or photo of your lab report. We use this to extract biomarker values. The raw file is deleted immediately after you confirm the extracted values.

Biomarker values. Individual test results (ferritin, vitamin D, etc.) and their units. We use these to score your panel and generate your protocol.

Symptom and wellness reports. Daily check-ins, energy ratings, sleep, stress, training load. Used to personalize suggestions and detect patterns over time.

Supplements and medications you log. Names, doses, and context. Used to check for conflicts and to personalize your plan.

Profile facts that imply health status. Age band, sex at birth, training focus, diet pattern, self-reported conditions you enter.

How we use your health data

We only use your health data to run Clarion for you. Specifically: extracting values from uploads, scoring biomarkers, generating your personalized interpretation, suggesting supplements, tracking trends, and sending the reminders you ask for.

We do not use your health data for advertising, lead generation, or behavioral profiling. We do not sell it. We do not use it to train machine learning models beyond what is strictly needed to process your request in the moment.

How AI is used on your health data

Clarion uses OpenAI's API to (a) read lab PDFs and images you upload and extract biomarker values, and (b) generate your personalized interpretation and supplement suggestions.

Before any file or text is sent to OpenAI, we remove direct identifiers (your name, date of birth, MRN, address, phone, and provider NPI) from the content where feasible. We have not opted in to having your data used to train OpenAI's models. Where available, Clarion operates under OpenAI's Zero Data Retention configuration so that your inputs and outputs are not retained by OpenAI beyond the duration of the API call.

Who we share health data with

We share health data only with the subprocessors required to run the product:

Supabase — database and private file storage for uploads, with row-level security scoped to your account.

OpenAI — AI extraction and interpretation as described above.

Vercel — application hosting. Vercel's first-party analytics do not receive health data.

We do not share health data with Stripe, Resend, or Amazon Associates. Payments, emails, and affiliate links do not carry biomarker values or symptoms.

We will never share health data with advertisers, data brokers, or cross-context behavioral advertising networks. There are no third-party tracking pixels on the upload, dashboard, or analysis routes.

Your consent

Before you upload a lab report, Clarion asks for three separate opt-in consents: (1) to process your lab results, (2) to use AI to extract and interpret them, and (3) to apply our default retention policy (raw files deleted after confirmation). Each checkbox is unchecked by default and recorded individually with a version number. When the underlying terms change materially, we re-request consent.

You can revoke any consent at any time in Settings. Revoking consent stops future processing tied to that consent and triggers deletion of the derived data.

Retention

Uploaded PDFs and images are deleted immediately after you confirm the extracted biomarker values. We do not retain the raw file by default.

Extracted biomarker values, symptom logs, and your stack are retained for as long as your account is active so you can see trends over time. You can delete any of it from the app, or delete your whole account.

Consent records are retained as a legal record even after revocation, so we can demonstrate the state of consent at the time of each action.

Backups. Deleted data may persist in encrypted database backups maintained by Supabase for up to about 30 days before they roll off.

Your rights

MHMDA and similar laws give you specific rights over your consumer health data. Clarion extends these rights to every user:

Access and confirm. You can see every health data element we have about you inside the app, or request an export.

Delete. You can delete individual biomarker values, lab sessions, symptom entries, or your whole account. Deletion also propagates to our subprocessors.

Withdraw consent. Any consent can be revoked at any time.

Non-discrimination. Exercising any of these rights will never change your pricing or access.

Appeal. If we deny a request, you can appeal by emailing us. You may also contact your state attorney general.

To exercise a right or ask a question, email us at support@clarionlabs.tech. We respond within 45 days (or the shorter window your state law requires).

Security

Uploads are transmitted over HTTPS and stored in a private bucket scoped to your user ID. Database tables holding health data are protected by row-level security. Access to production systems inside Clarion is limited to the people who need it to operate the service.

Not a HIPAA-covered entity

Clarion Labs is a direct-to-consumer product and is not a HIPAA-covered entity. HIPAA does not apply to this relationship. The Federal Trade Commission's Health Breach Notification Rule and state health data laws (including MHMDA) do, and we comply with them.

Children

Clarion is for adults 18 and older. We do not knowingly collect health data from anyone under 18.

Changes to this policy

We'll update this page and email you when changes are material. The version string shown in the app consent gate reflects the current revision of this policy.
