Consumer Health Data Privacy Policy
Effective date: April 18, 2026
Version: 2026-04-18-v1
This is a separate policy that covers consumer health data, the kind of information you share with me through the Nutritional Assessment Questionnaire, the food journal, the messaging thread, and anything else inside your private portal. It is distinct from the general Privacy Policy, because Washington's My Health My Data Act (MHMDA) and similar state laws require that separation, and because this information deserves its own careful description.
Please read this alongside the general Privacy Policy. If there is ever a conflict between the two for anything relating to your health data, this policy governs.
About me and this policy
I am Kristy of The Rooted Life, a Nutritional Therapy Practitioner (NTP, NTA-certified). I am not a licensed medical provider, and I do not bill insurance. HIPAA does not apply to the work I do, and I will never claim otherwise. What does apply is state-level consumer health data law, the FTC Health Breach Notification Rule, and my own commitment to handling what you share with care.
What "consumer health data" means here
Under MHMDA and the other state laws that shape this policy, consumer health data is any personal information that is linked or reasonably linkable to you and that identifies your past, present, or future physical or mental health status. Examples in this practice include symptom ratings, the presence of a health concern you disclose, digestive patterns, menstrual and reproductive history if you share it, sleep patterns, mood and stress indicators, and any free-text notes you write to me.
What I collect
The short answer: the minimum I need to do Nutritional Therapy work with you, and nothing more.
Specifically:
- Your name, email, and phone if you choose to provide it (kept in the account system, separated from your health responses).
- Your responses to the Nutritional Assessment Questionnaire (symptom ratings from 0 to 3, plus intake details like age range).
- Entries you make in your food journal, including photos you upload.
- Messages you send me through the portal.
- Any protocol feedback or notes you submit.
- Basic technical information needed to keep the site secure and working (session cookies, approximate IP for authentication and abuse prevention, device type).
What I do not collect
I do not ask for, and do not want, the following: Social Security numbers, dates of birth (age range is enough), insurance information, clinical diagnoses from other providers unless you volunteer them in a free-text note, laboratory results, prescription records, or data from wearables and health apps. If you paste something like that into a message to me, it becomes part of the record for the conversation, so please share only what you genuinely need to share.
I do not track you across the internet. I do not use advertising pixels, remarketing cookies, or analytics tools that profile you. I do not share your health data with advertisers, data brokers, or any third-party AI training pipeline.
How your data is protected
Your health responses are stored under a random identifier that is separate from your account identity. Inside the database, the answers you give to the NAQ do not sit next to your name. The two pieces are joined only when I, as the practitioner, view your chart.
All data is encrypted at rest using AES-256 (the standard encryption my database provider applies to every stored row) and in transit using TLS. Sensitive identity fields (name, email, phone, free-text notes) are additionally protected with column-level encryption using pgcrypto. Access to your records requires authentication, and on my side, multi-factor authentication plus audit logging.
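As an added illustration of the layout described above, and not the practice's actual schema or code, the following shows one way to keep health responses under a random identifier, hold the link in its own table, and encrypt identity columns with pgcrypto in PostgreSQL. The table names, the app.column_key session setting (the key is supplied per session and never stored in the database) and the sample UUID are assumptions.

```sql
-- Added illustration; assumes PostgreSQL with pgcrypto and a symmetric key passed in
-- per session as app.column_key (e.g. SELECT set_config('app.column_key', '...', true)).
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Identity lives here. Sensitive fields are stored only as ciphertext (bytea).
CREATE TABLE accounts (
    account_id  uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    email_enc   bytea NOT NULL,
    name_enc    bytea NOT NULL,
    phone_enc   bytea
);

-- Health responses live under their own random subject_id. There is no account
-- column here, so a row by itself says nothing about who answered.
CREATE TABLE naq_responses (
    subject_id   uuid        NOT NULL,
    question_id  integer     NOT NULL,
    rating       smallint    NOT NULL CHECK (rating BETWEEN 0 AND 3),
    recorded_at  timestamptz NOT NULL DEFAULT now(),
    PRIMARY KEY (subject_id, question_id, recorded_at)
);

-- The only link between identity and responses, kept in its own table so it can
-- be granted to the practitioner role alone.
CREATE TABLE subject_links (
    subject_id  uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    account_id  uuid NOT NULL UNIQUE REFERENCES accounts(account_id) ON DELETE CASCADE
);

-- Onboarding: encrypt identity with the session key, then mint a subject_id.
-- (Constructed sample values.)
INSERT INTO accounts (account_id, email_enc, name_enc) VALUES (
    '11111111-1111-4111-8111-111111111111',
    pgp_sym_encrypt('client@example.invalid', current_setting('app.column_key')),
    pgp_sym_encrypt('Sample Client',          current_setting('app.column_key')));
INSERT INTO subject_links (account_id)
    VALUES ('11111111-1111-4111-8111-111111111111') RETURNING subject_id;

-- Practitioner chart: the one place the join happens and plaintext appears.
CREATE VIEW practitioner_chart AS
SELECT pgp_sym_decrypt(a.name_enc, current_setting('app.column_key')) AS name,
       r.question_id, r.rating, r.recorded_at
FROM   naq_responses r
JOIN   subject_links l ON l.subject_id = r.subject_id
JOIN   accounts      a ON a.account_id = l.account_id;

-- Deletion request: removing the account cascades to the link, leaving responses
-- unlinkable; the retention job then purges them on schedule.
DELETE FROM accounts WHERE account_id = '11111111-1111-4111-8111-111111111111';
DELETE FROM naq_responses
WHERE  subject_id NOT IN (SELECT subject_id FROM subject_links)
   OR  recorded_at < now() - interval '5 years';
```

Granting SELECT on practitioner_chart and subject_links only to the practitioner's role, and not to the application role that writes questionnaire answers, is what keeps the two halves apart for everyone but the practitioner.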
How long I keep it
I keep your consumer health data for up to five (5) years from the date of our last professional engagement, and then I delete it. If you ask me to delete it sooner, I will honor that request within 30 days unless the law requires me to retain specific records (for example, a tax or legal hold on a specific piece of transactional data).
How I use your data
I use what you share to do the Nutritional Therapy work you hired me for: to prepare for our sessions, to build protocols with you, to follow up between visits, and to keep a careful record of the arc of our work together. I use de-identified aggregate patterns (never individual responses) to improve the assessment itself over time.
Anything outside those uses requires your separate, specific written permission.
What I will never do
Your consumer health data is never sold, never shared with advertisers, never used to train outside AI or machine learning models, and never handed to a third party for their own marketing or analytics. If I need to involve a service provider (for example, the company that hosts our database, or the email service that sends your session reminders), I use only providers with contractual obligations to keep your data confidential and to use it solely to deliver the service I've asked of them.
Your rights
Regardless of which state you live in, the following rights apply to your work with me:
- Access: you can see what I have.
- Export: you can download a portable copy at `/account/data-export` in your portal, or by emailing me.
- Correct: you can ask me to fix anything that's wrong.
- Delete: you can ask me to delete your data at `/account/delete-my-data`, or by emailing me.
- Withdraw consent: you can withdraw consent at any time, which stops new processing going forward.
- Appeal: if I deny a request, you can appeal and I will respond within 45 days.
I respond to these requests within 30 days. If yours is complex or covers multiple records, I may extend that by another 30 days and will tell you why.
State-specific notes
Washington (MHMDA): you have the specific rights above, plus the right to a copy of all consumer health data I've collected, and the right to confirm whether I am processing your data. Washington residents have a private right of action under MHMDA.
California (CCPA/CPRA and CMIA): you have the rights above, plus the right to limit use of sensitive personal information. I do not sell or share personal information for cross-context behavioral advertising.
Colorado, Connecticut, Virginia, Texas, and Oregon: you have access, correction, deletion, portability, and opt-out rights under your state law, and those are honored here.
If you live in a state I haven't listed, write to me anyway. The protections here apply to everyone.
Breach notification
If, despite all of this, a security incident affects your consumer health data, I will notify you within 60 days in accordance with the FTC Health Breach Notification Rule, and I will also notify the FTC and any other authorities required by law. The notice will tell you what happened, what data was involved, what I'm doing about it, and what steps you can take.
Minors
This practice is intended for adults (age 18 and over). I do not knowingly collect data from minors. If you are a parent or guardian and believe I have collected information from your child, please contact me and I will delete it.
Changes to this policy
If I change something that materially affects how your consumer health data is collected, used, shared, or protected, I will notify you by email and will ask you to re-accept the updated consent before you continue using tools that depend on it. Non-material changes (for example, a typo fix, a clarified sentence) will be updated in place with a new version number and effective date.
Prior versions of this policy are retained so you can see exactly what you agreed to and when.
How to contact me
For any privacy request, question, or concern:
- Email: hello@therootedlife.com (placeholder, update with Kristy's preferred contact email)
- Mail: address available on request
- In portal: use the message thread in your account
I read these personally. I will respond.
Policy version 2026-04-18-v1