Washington Consumer Health Data Privacy Policy

Effective: May 16, 2026 · Last updated: May 16, 2026

This policy is provided under the Washington My Health My Data Act (RCW 19.373) and applies in addition to Runi’s general Privacy Policy.

Who this policy applies to

This policy applies to all Runi users, including (but not limited to) Washington residents. Runi (“we,” “us”) is the regulated entity for purposes of the My Health My Data Act. You can reach our privacy contact at [email protected].

Categories of consumer health data we collect

We collect the following categories of consumer health data, as defined by RCW 19.373.010, from you:

  • Reproductive and menstrual health information — cycle entries, period start/end dates, flow intensity, symptoms, contraception type and status, life stage (regular cycle, perimenopause, postpartum, trying to conceive).
  • Biometric and physiological measurements — heart rate, heart rate variability, resting heart rate, step count, active energy, sleep analysis. These come from Apple HealthKit or Oura when you connect them.
  • Conditions, symptoms, and treatments you tell us about — health conditions selected during onboarding, supplement use, medication mentions in chat, mood and energy reports, food and exercise entries.
  • Inferences derived from the above — cycle phase estimates, AI-extracted symptoms and patterns from your chat messages, and the personalized protocols Runi generates.

Sources of consumer health data

  • Directly from you — onboarding, chat messages, manual entries.
  • From Apple HealthKit, if you connect it.
  • From Oura, if you connect it.
  • From Google Calendar, if you connect it (event titles only, used to schedule recommendations around your calendar).
  • Generated by our AI provider from the inputs above.

How we use consumer health data

  • To generate your personalized daily nutrition, fitness, supplement, and sleep protocols.
  • To adapt those protocols based on your cycle phase, goals, life stage, and connected health metrics.
  • To deliver chat responses, briefings, and weekly plans tailored to your context.
  • To send notifications you have opted into.
  • To respond to your support requests and provide the Service.

We do not sell consumer health data. We do not use it for targeted advertising. We do not share it with data brokers.

Third parties with whom we share consumer health data

We share consumer health data with the following processor only, and only for the purposes described:

  • Anthropic, PBC — our AI model provider. Runi sends relevant personalization context (profile, cycle phase, recent metrics, recent extractions, chat messages) to Anthropic’s Claude API on each chat turn, briefing, and plan generation. Anthropic processes this data solely to return a model response to Runi. Per Anthropic’s API terms, data sent through the API is not used to train their models.

We use other service providers (e.g., Sentry for error reporting, PostHog for product analytics) that do not receive consumer health data. Sentry receives scrubbed diagnostic data only; PostHog receives event names and screen identifiers, not health content.

Your rights under MHMDA

You have the right to:

  • Confirm whether we are collecting, sharing, or selling your consumer health data, and access that data.
  • Withdraw consent to our collection of your consumer health data. Because providing Runi’s service requires collecting and processing this data, withdrawing consent means closing your account. You can do this through Settings → Your Data → Delete My Account inside the Runi app, or by emailing [email protected].
  • Delete your consumer health data. Use Settings → Your Data → Delete My Account inside the Runi app, or email us. We will delete the data from our active systems within 30 days of confirmation and from backups within 90 days.
  • Appeal a denial of any of the above requests by emailing [email protected]. If we deny the appeal, you may contact the Washington State Attorney General at atg.wa.gov/file-complaint.

Under MHMDA, Washington residents also have a private right of action under the Washington Consumer Protection Act.

Sale of consumer health data

Runi does not sell consumer health data and has no plans to. We will not begin selling consumer health data without first obtaining your separate, valid authorization.

How we obtain consent

By creating a Runi account, you agree to our Terms of Service and Privacy Policy, which together with this notice describe how we collect, use, and share your consumer health data. You may withdraw consent at any time as described under Your rights above.

Security and retention

Sensitive fields (cycle entries, OAuth tokens, and profile cycle information) are encrypted at the column level in our database using lockbox. Postgres is encrypted at rest. All traffic to and from the Runi API is HTTPS-only. We retain your consumer health data for the duration of your account; after deletion is requested, see the timelines under Your rights.

Changes to this policy

If we change this policy in a way that materially affects how consumer health data is collected, used, or shared, we will request your renewed consent and update the “Last updated” date above before applying the change to you.

Contact

Email [email protected] for any privacy request or question. We respond within 45 days as MHMDA requires.