Decades Health Privacy Policy

Effective Date: June 25, 2026
Last Updated: June 25, 2026
Company: Decades Health Inc.
Address:
112 N Curry St
Carson City, NV 89703-4934
United States
Email: apps@decades.health
Phone: +1 424-239-9290

Table of Contents

1. Introduction

Decades Health Inc. ("Decades," "we," "us," or "our") provides the Decades mobile application, website (https://www.decades.health/), software, and related services (together, the "Services"). This Privacy Policy describes what personal information we collect, why we collect it, how we use and protect it, when we share it, and the choices and rights you have over your information.

This Policy applies to everyone who uses the Services and should be read alongside our Terms of Service, which it forms part of. When you create an account or use the Services, you confirm that you have read and understood this Policy. If you do not agree with how we handle information, please do not use the Services.

IMPORTANT - NOT MEDICAL ADVICE. DECADES IS A TOOL FOR PREVENTION, PREPAREDNESS, AND HEALTH AWARENESS. IT DOES NOT PROVIDE MEDICAL DIAGNOSIS OR TREATMENT, AND IT IS NOT A SUBSTITUTE FOR PROFESSIONAL MEDICAL, LEGAL, OR FINANCIAL ADVICE. ALWAYS CONSULT A LICENSED PROVIDER ABOUT ANY MEDICAL CONDITION OR DECISION.

2. About Decades

Decades is a multi-generational health and family patterning application built for individuals and families who want to take ownership of their health story. Most people carry their medical history in scattered places: old records in a drawer, prescriptions in a cabinet, half-remembered details about a grandparent's illness, and appointments tracked across different calendars. Decades brings all of this into one secure, private place that belongs to you.

The app helps you organize your own health information, record your medical history, store important documents such as records, prescriptions, insurance cards, and health-care proxy paperwork, and map health patterns across your family's generations. By connecting the dots between relatives, Decades helps you understand inherited risks, recognize recurring conditions, and prepare for conversations with your doctor with better information in hand.

We built Decades around a simple belief: your health data is yours. It should be private by default, protected with serious security, and used only to help you and your family. We do not run an advertising business, and we do not treat your records as a product to be sold. Everything in the app is designed to serve the person using it.

Decades Health Inc. is a Nevada C-Corporation established in 2025. The entity responsible for processing your personal information (the data controller and business) is:

Company

Decades Health Inc.

Address

112 N Curry St, Carson City, NV 89703-4934, United States

Email

apps@decades.health

Phone

+1 424-239-9290

3. Scope and Geographic Availability

The Services are intended for use within the United States and are designed for individuals physically located in the United States. By using the Services, you confirm that you are physically located in the United States.

If you access the Services from outside the United States, you do so at your own risk and remain responsible for following the laws that apply where you are. Any information you provide may be transferred to, stored in, and processed in the United States, where data-protection laws may differ from those in your country.

We do not knowingly offer the Services outside the United States, and we may restrict, suspend, or end access where we determine the Services are being used by individuals outside the United States.

4. Our Privacy Commitments

Because the Services handle sensitive health and family information, we hold ourselves to a high standard. The following commitments guide everything we do with your data:

Collect only what we need.

We ask for the information required to run the Services and the features you choose to use, and nothing more.

Use it only for the purposes you expect.

We use your information to operate the app for you, not for unrelated purposes, and not without your consent where consent is required.

Protect it by design.

Sensitive data is encrypted, access-controlled, and isolated so that, by default, only you can see your records.

Never sell or market it.

WE DO NOT SELL YOUR PERSONAL INFORMATION OR HEALTH DATA, AND WE DO NOT SHARE IT FOR ADVERTISING OR THIRD-PARTY MARKETING.

Be transparent.

We explain our AI features, the vendors we rely on, and the rights you can exercise over your information.

5. How We Use Your Information (Summary)

To be direct about it: WE USE YOUR DATA ONLY FOR THE PURPOSES DESCRIBED IN THIS POLICY. In practice, that means the following purposes and no others:

Purpose

Use

App functionality

Building and maintaining your health profile, family map, records, medications, documents, reminders, and reports.

User-side features

Generating the insights, summaries, and Health Blueprint that you ask the app to produce for your own use.

Customer support

Responding to your questions and helping you resolve issues.

Security and fraud prevention

Protecting your account, your data, and the integrity of the Services.

Legal compliance

Meeting our obligations under applicable law and enforcing our Terms.

Service improvement

Keeping the app reliable and making it better over time.

WE DO NOT USE YOUR INFORMATION TO BUILD ADVERTISING PROFILES, TO MARKET TO YOU ON BEHALF OF THIRD PARTIES, OR TO SELL ACCESS TO YOUR DATA. The detailed version of these uses appears in Section 12 .

6. HIPAA Notice and Clarification

Many people assume that all health information is automatically covered by the federal Health Insurance Portability and Accountability Act ("HIPAA"). That is not how the law works, so we want to be clear about both how HIPAA relates to Decades and the safeguards we apply regardless.

6.1 Our HIPAA Status

DECADES IS GENERALLY NOT A HEALTHCARE PROVIDER, HEALTH PLAN, OR HEALTHCARE CLEARINGHOUSE, AND WE GENERALLY DO NOT ACT AS A HIPAA "COVERED ENTITY" OR "BUSINESS ASSOCIATE." As a result, the health information you store in the Services may not be subject to HIPAA in every case.

In most situations, the health information you enter into Decades is information you give us directly as a consumer, rather than protected health information ("PHI") that we receive from, or handle on behalf of, a covered entity. Under HIPAA, a "business associate" relationship arises specifically when an entity performs functions involving PHI for or on behalf of a covered entity, which is generally not the nature of our relationship with you. In that common case, your information is governed by this Privacy Policy and by the consumer-privacy and consumer-health-data laws described in Section 27 , rather than by HIPAA.

6.2 HIPAA-Aligned Safeguards and Vendor Protections

Even where HIPAA does not legally apply, we implement security practices inspired by HIPAA's Security Rule — including encryption, access controls, and contractual safeguards — and we keep a Business Associate Agreement ("BAA") in place with our cloud database and storage provider as a precaution. Specifically:

Area

Details

Database and file storage (cloud database and storage provider).

Your account, profile, health, family, and document data are stored with our cloud database and storage provider, in a project covered by a signed BAA with the HIPAA add-on enabled. Our provider requires both a signed BAA and the HIPAA add-on for projects handling PHI, and we maintain that configuration. Health data sits in private, encrypted storage protected by Row-Level Security ("RLS") and storage-access policies, so that by default only you can reach your records through the application (see Section 24 ).

AI processing (AI service provider).

When information is processed to generate insights, your Health Blueprint, or document summaries, it is analyzed through our AI service provider's API under that provider's standard API terms. Under those terms, your inputs are not used to train the provider's models, though the provider may retain inputs for a limited period as permitted under its standard terms. We do not send sensitive contact details such as your email address, phone number, or mailing address to our AI provider. Documents processed by AI are reached only through temporary signed links that expire after roughly 10 minutes (see Section 11 and Section 13 ).

AI provider terms.

AI processing runs under our AI provider's standard API terms. If we put a Business Associate Agreement or a Zero Data Retention ("ZDR") configuration in place for AI processing, or otherwise change our AI provider or configuration, we will update this Policy.

We apply these protections (encryption in transit and at rest, access controls, and RLS isolation) to the health information in your account, whether or not HIPAA applies to a given piece of it. Keeping these safeguards and our database-provider BAA does not, on its own, make Decades a HIPAA-covered entity or business associate.

6.3 What This Means for You

Your health information is handled with safeguards aligned with what HIPAA expects, while your legal rights over that information come from this Privacy Policy and from applicable consumer-health-data laws (see Section 27 ). Whenever we bring on a new vendor that may handle health information for us, we seek the right contractual protections, including BAAs where relevant (see Section 16 and Section 17 ).

7. Information We Collect

We collect information you give us directly, information generated as you use the Services, and a limited amount of technical information collected automatically (see Section 10 ). What we collect depends on the features you use.

7.1 Account and Authentication Information

You can create an account using Sign in with Apple or Sign in with Google. Depending on the provider and your choices, we receive:

Provider

Information Received

Apple

Your email address (which you may choose to hide behind a private relay address) and name.

Google

Your email address, name, and profile photo.

We use this to create and secure your account and to identify you within the Services.

7.2 Profile and Demographic Information

During onboarding and in your profile, you may provide your full name, biological sex, date of birth, height, weight, blood type, primary and other languages spoken, relationship status, and race and ethnicity.

7.3 Health and Medical Information

The heart of the Services is the health information you choose to share about yourself, including:

7.4 Sensitive Health Information

Some of what you may share is treated as sensitive under applicable law. We collect it only when you choose to provide it and use it only to power the related features. Sensitive categories may include reproductive and sexual-health information, genetic-testing information, mental-health information, substance-use information, and detailed medication and condition information. See Section 8 .

7.5 Lifestyle and Environmental Information

You may add lifestyle information across these areas:

Area

Information

Sleep

Hours slept, restfulness, how often you have trouble sleeping, snoring or stopped breathing, sleep-aid use, sleep-disorder diagnoses, nighttime wakeups, and usual bed and wake times.

Nutrition

Eating pattern, dietary restrictions, food sensitivities, processed or fast-food frequency, meals eaten out, foods you avoid, and digestive or food-related conditions.

Exercise

Active days per week, exercise type and duration, strength-training frequency, hours spent sitting, stretching or mobility practice, and any activity-limiting injuries or conditions.

Emotional health

Stress levels and coping ability, counseling or therapy, caregiving responsibilities, mental-health history, and support practices.

Substance use

Alcohol frequency and quantity, drinking to manage stress, sleep, or anxiety, attempts to cut back, treatment history, family addiction history, nicotine products and frequency, and prescription-drug-misuse information.

7.6 Family Member and Family History Information

Because Decades maps health across generations, you may add information about relatives, including grandparents' ages and living status, and detailed records for family members you add. Section 9 explains how we handle family-member and child information.

7.7 Documents and Uploaded Files

You may upload medical documents, prescriptions, supplement documents, insurance cards, government IDs, Health Care Proxy documents, signatures, notary materials, and a profile photo. Section 11 explains how uploaded files are stored and processed.

7.8 Generated and Activity Information

As you use the Services, we generate information such as AI summaries of your documents, your personalized Health Blueprint, profile-completion status, family pattern insights, and records of the calendar events and reminders you create. We also process subscription information such as plan, status, expiration, product ID, and purchase reference identifiers.

8. Sensitive Health Information

When you choose to provide it, the Services may collect categories of information that receive heightened protection under various laws, including:

We collect sensitive information only when you provide it, and we use it solely to operate the features you use, such as generating insights, your Health Blueprint, and emergency reports. WE DO NOT USE SENSITIVE HEALTH INFORMATION FOR ADVERTISING, AND WE DO NOT SELL OR SHARE IT (see Section 22 ). You may decline to provide sensitive information, though some features may be limited if you do.

9. Family Member, Child, and Third-Party Information

9.1 Information About Family Members

The Services let you add family members and record information about them, such as relationship, name, date of birth, living status (and, where applicable, death date and cause), biological sex, race and ethnicity, height, weight, biological relationship and notes, shared inherited conditions, diagnosed conditions, lifestyle factors, and other important health information. For relatives you invite, we also process the contact email and phone number you supply so we can send an invitation.

YOUR RESPONSIBILITY WHEN ADDING OTHERS. When you add information about another person, you confirm that you have the authority or consent to do so and to share that information with us for the purposes described in this Policy. You are responsible for making sure family members know about, and where required, have agreed to your use of the Services to store their information.

9.2 Invitations to Family Members

When you invite a relative, we send an invitation by email (through our email/SMTP provider) and/or SMS (through our messaging provider) to the contact details you provide. The invitation contains a unique link to an intake form where the invited person can add or correct their own information. We use the contact details only to deliver invitations and run the collaboration feature, and we do not send these contact details to our AI provider (see Section 13 ).

9.3 Children and Minors

THE SERVICES ARE INTENDED FOR ADULTS AGED 18 AND OLDER. We do not knowingly let anyone under 18 create their own account, and we do not knowingly collect personal information directly from children under 13.

A parent or legal guardian may, however, add information about their own minor child as a family member, such as the child's health conditions, allergies, and surgery or hospitalization history. When adding a child, you must confirm that you are the child's parent or legal guardian and that you are authorized to provide the child's information. By doing so, you represent that you have that authority, and we rely on that representation to collect and use the information to provide the Services.

PARENTAL RIGHTS AND DELETION. A parent or guardian may review, correct, or request deletion of a minor child's information at any time through the app or by contacting us at apps@decades.health. If you believe a child has given us personal information without parental consent, contact us, and we will take steps to delete it. See also Section 26 .

10. Information Collected Automatically

When you use the Services, our infrastructure providers and we may automatically collect limited technical information, such as device type and operating system, app version, device identifiers, IP address, crash and diagnostic logs, and basic usage and analytics data about how the app is used. We currently use an authentication and app-infrastructure provider for authentication support, push notifications, crash reporting, and app infrastructure analytics; additional analytics or diagnostic tools, if any, will be disclosed in Section 16.

We use this information to operate, secure, troubleshoot, and improve the Services. We rely only on the analytics and infrastructure tooling needed to run a reliable app, and WE DO NOT USE THIS INFORMATION TO BUILD ADVERTISING PROFILES. Because Decades is a mobile app rather than a website, our use of cookies is limited (see Section 19 ).

11. Medical Documents and Uploaded Files

Files you upload, including medical records, prescriptions, supplement documents, insurance and ID cards, and Health Care Proxy and signature or notary materials, are stored in a private, encrypted storage bucket. Access is protected by Row-Level Security and storage-access policies, so that by default, only you, the file owner, can view or manage your files through the application. Files are not publicly accessible. This storage runs with our cloud database and storage provider under a signed BAA with the HIPAA add-on enabled (see Section 6 ).

AI DOCUMENT PROCESSING. When a feature needs to process a document with AI, for example, to pull out medication details or write a short summary, the file is accessed through a temporary signed link that expires after roughly 10 minutes and is available only for the duration of that request. Processing runs through our AI service provider's standard API terms. Under those terms, your document inputs are not used to train its models, though the provider may retain inputs for a limited period as permitted under its standard terms (see Section 13 ). The AI uses the document only to produce a summary or extract the relevant fields, which are then saved to your health profile. The original file stays protected.

EXPORT AND SHARING. You may export, download, or share your documents and related information. You are solely responsible for anything you choose to share outside the Services. Once information leaves the Services, we cannot control, monitor, or guarantee how it is handled.

12. How We Use Personal Information

We use personal information for the following purposes, and for no others:

Purpose

Details

Provide the Services.

Create and manage your account and build your health profile, family map, medical records, medications, supplements, allergies, doctors, lifestyle records, insurance and IDs, emergency report, and Health Care Proxy documents.

Generate insights and your Health Blueprint.

Analyze the information you provide to surface possible inherited risks, recurring patterns, and personalized, informational insights for your own use (see Section 13 ).

Process documents.

Extract details and create summaries from documents you upload.

Run reminders and calendar features.

Create and manage appointment and medication reminders and related notifications (see Section 21 ).

Support family collaboration.

Deliver invitations and let family members contribute information.

Communicate with you.

Send service-related messages, notifications, and responses to your requests.

Maintain security and reliability.

Protect the Services and our users, prevent fraud, and keep the app performing well.

Comply with the law.

Meet legal obligations and enforce our Terms.

Improve the Services.

Keep the app stable and make it more useful over time.

WE DO NOT USE YOUR PERSONAL INFORMATION FOR ADVERTISING, AND WE DO NOT SELL IT OR SHARE IT WITH THIRD PARTIES FOR THEIR OWN MARKETING. We rely on your consent and on the performance of our agreement with you as the main bases for processing health information, and on our legitimate interest in security and improvement, where the law permits.

13. Artificial Intelligence and Automated Processing

Several features use artificial intelligence to analyze the information you provide and generate insights, summaries, and recommendations, including the Health Blueprint, family pattern insights, and document summaries.

13.1 How AI Processing Works

To produce these features, the health information you provide may be shared with our AI service provider for analysis. We apply the following protections:

Protection

Details

AI provider terms

AI processing runs under our AI service provider's standard API terms.

No training use

Under those terms, your inputs are not used to train the provider's models, though the provider may retain inputs for a limited period as permitted under its standard terms.

No sensitive contact details

We do not send contact details such as email address, phone number, or mailing address to our AI provider.

Time-limited document access

Documents processed by AI are reached only through temporary signed links that expire after roughly 10 minutes (see Section 11 ).

If we put a Business Associate Agreement or a Zero Data Retention ("ZDR") configuration in place for AI processing, or otherwise change our AI provider or configuration, we will update this Policy.

13.2 Nature and Limitations of AI Output

AI-GENERATED CONTENT IS FOR INFORMATIONAL AND EDUCATIONAL PURPOSES ONLY. It is produced from the information you provide and may be incomplete, inaccurate, or out of date. IT IS NOT A DIAGNOSIS, A TREATMENT RECOMMENDATION, OR MEDICAL, LEGAL, OR PROFESSIONAL ADVICE. AI output can generate plausible but incorrect content, leave out relevant context, and vary between runs for the same inputs. IT MUST NOT BE THE SOLE BASIS FOR ANY HEALTH, MEDICAL, OR LEGAL DECISION. You remain responsible for your decisions and should consult a qualified professional before acting on any AI-generated insight.

13.3 No Automated Decisions With Legal Effect; Your Choices

We do not use AI to make decisions that produce legal or similarly significant effects about you. AI features support your decisions; they do not replace them. You may decline AI features by not using them, though related functionality, such as the Health Blueprint and document summaries, will then be unavailable.

14. Feature-Specific Disclaimers

14.1 Health Blueprint

The Health Blueprint is generated from the information you provide and may include insights, risk summaries, screening suggestions, and nutrition, fitness, sleep, and wellness guidance. It is informational only and is not a substitute for professional medical advice, diagnosis, or treatment.

14.2 Health Care Proxy

The Health Care Proxy feature helps you create and store a proxy document. Decades does not provide legal advice, and a generated document may need additional state-specific formalities, such as witnessing or notarization, to be valid. You are responsible for making sure any document meets the legal requirements of your state.

14.3 Emergency Report

You may generate, export, or share an emergency medical report in PDF format containing selected information from your profile. You are solely responsible for anything you choose to export, share, or distribute. Once shared, we cannot control or guarantee how it is handled.

15. How We Share Personal Information

WE DO NOT SELL YOUR PERSONAL INFORMATION (see Section 22 ). We share it only in the limited situations below:

Situation

Details

Service providers and processors

Vendors that host our infrastructure, store data, handle authentication, deliver messages, process payments, and provide AI processing, each acting for us under contract (see Section 16 ).

Family members you choose to involve

When you invite a family member, the relevant invitation and intake information is shared so they can collaborate.

At your direction

When you export, download, or share documents, reports, or your Blueprint outside the Services.

Legal and safety

To comply with applicable law, legal process, or a valid government request; to enforce our Terms; or to protect the rights, safety, and security of our users, the public, or Decades.

Business transfers

In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to this Policy and applicable law.

Where we share health information with a processor that may handle protected health information for us, we seek appropriate contractual protections, including BAAs where relevant.

16. Third-Party Service Providers

The providers below process information on our behalf. Each is contractually limited to using that information only to provide services to us (see Section 17 ).

Provider

Service

Information processed

Safeguards

Cloud database and storage provider

Database and encrypted file storage; Row-Level Security.

Account, profile, health, family, document, and subscription data.

Signed BAA with HIPAA add-on enabled for the project used by the Services; RLS; private encrypted buckets.

AI service provider

AI analysis for insights, the Health Blueprint, and document summaries.

Health and profile data submitted for analysis (no contact details).

Processed under our AI provider's standard API terms; inputs are not used to train the provider's models, though the provider may retain inputs for a limited period as permitted under its standard terms.

Authentication and app-infrastructure provider

Authentication support, push notifications, and app infrastructure.

Account identifiers, device tokens, diagnostic data.

Access controls; provider security program.

Apple / Google

Sign-in, app distribution, and in-app purchase processing.

Authentication identifiers; subscription and purchase references.

Payment card data handled by the store, not by us.

Email (SMTP) and SMS provider

Delivery of family invitations and service messages.

Recipient email address and phone number.

Used only to deliver messages; not sent to our AI provider.

Device calendar providers (Apple Calendar, Google Calendar, Outlook, and others configured on your device)

Storage and display of appointment and medication-reminder events you create in the app.

Event details you choose to save: title, date, time, location, notes, and medication details.

Governed by the calendar provider's own privacy policy; we do not control how they handle synced events.

17. Vendor Management and Data Processing

We sign written agreements with our service providers that require them to protect personal information, use it only to provide services to us, follow the principle of minimum necessary data sharing, and apply appropriate technical and organizational security. Where a provider may process health information that carries special protection, we seek to put a Business Associate Agreement or equivalent safeguard in place. We give each provider only the information it needs for the specific job it performs.

18. Payments and Subscriptions

Subscriptions are available on monthly or yearly plans. To ensure the highest level of security, all payments are handled directly by the Apple App Store or Google Play. Decades does not collect, process, or store your payment card details. We only receive basic confirmation of your subscription status to maintain your access to the Services.

19. Cookies and Tracking Technologies

As a mobile app, Decades does not rely on advertising cookies. Our infrastructure providers and we may use device identifiers, local app storage, and similar technologies needed to authenticate you, keep you signed in, maintain security, and understand basic app performance. WE DO NOT USE THESE TECHNOLOGIES FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING. Where the law requires it and our systems support it, we honor recognized opt-out signals, including Global Privacy Control ("GPC").

20. Mobile App Permissions

The Services request the permissions below. Most are optional and are requested only when you use a related feature. You can grant or revoke permissions at any time in your device settings, though revoking one may limit related functionality.

Permission

Purpose

Internet access

Connect securely to our backend, database, storage, authentication, and AI services.

Camera

Scan or capture medical documents, insurance and ID cards, and medication or supplement documents.

Photo library / Photos

Select and upload profile photos, documents, ID and insurance cards, and signature or notary files.

Files / Storage

Pick and upload documents such as PDFs, images, and health-related files from your device.

Calendar (read)

Read Decades-created events to show upcoming appointments and medication reminders in the app.

Calendar (write)

Create, update, or delete appointment and medication-reminder events in your device calendar.

Notifications

Send push and local reminders for appointments, medications, Blueprint updates, and app notices.

Background fetch / remote notifications (iOS)

Support background refresh and delivery of push notifications where enabled.

Apple / Google sign-in scopes

Authenticate your account and obtain the basic profile information you authorize.

21. Notifications and Calendar Events

You may create health-related calendar events, including medical appointments and medication reminders. These events are saved to your device calendar or chosen calendar account and, depending on your settings, may sync with third-party calendar providers such as Apple, Google, or Outlook that you have configured. Decades also schedules local notifications for selected reminders.

In the current calendar flow, appointment and medication-reminder events are managed through your device calendar and local notification system and are not stored in our database. Notification and event content may include appointment details (title, date, time, location, notes) and medication details (name, dosage, frequency, and prescribing doctor or pharmacy), and may appear on your lock screen depending on your operating system settings.

22. We Do Not Sell, Market, or Share Your Data

DECADES DOES NOT SELL, RENT, OR TRADE YOUR PERSONAL INFORMATION OR CONSUMER HEALTH DATA. DECADES DOES NOT SHARE YOUR DATA FOR ADVERTISING OR FOR ANY THIRD-PARTY MARKETING PURPOSE. WE DO NOT RUN ADS IN THE APP, AND WE DO NOT LET ANY OUTSIDE COMPANY USE YOUR INFORMATION TO MARKET TO YOU.

The only parties that ever receive your information are the service providers listed in Section 16 , who act strictly on our behalf and under contract to run the app, and any party you yourself choose to share with. Because we do not sell or share personal information for advertising, there is no advertising-related opt-out to exercise. Where required, we honor the Global Privacy Control signal as a valid opt-out request. You may also exercise the privacy rights described in Section 26 .

23. Data Retention

We keep personal information for as long as your account is active or as needed to provide the Services, and after that only as long as necessary to meet legal obligations, resolve disputes, and enforce our agreements. When information is no longer needed, we delete or de-identify it. General guidelines follow; specific periods may vary based on the data and the law.

Information

Retention

Account and profile information

Kept for the life of the account; deleted after account deletion.

Health, family, and lifestyle information

Kept while the account is active; deleted on an account-deletion request.

Uploaded documents and generated summaries

Kept until you delete them or close your account.

AI requests to our AI service provider

Not used to train our AI provider's models; the provider may retain inputs for a limited period as permitted under its standard API terms.

Subscription and transaction records

Kept as required for financial, tax, and audit purposes.

Diagnostic and security logs

Kept for a limited period for security and reliability.

Backups

Encrypted backups are kept on a rolling basis and overwritten on a defined cycle.

24. Security of Your Personal Information

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include:

NO METHOD OF TRANSMISSION OR STORAGE IS COMPLETELY SECURE, AND WE CANNOT GUARANTEE ABSOLUTE SECURITY. You are responsible for safeguarding the device and credentials you use to access the Services.

25. Breach Notification

If we learn of a security incident that compromises your personal information, we will investigate and respond as the law requires. Where required, we will notify affected users and the relevant authorities within the timeframes and by the methods the law prescribes, and we will share information about the nature of the incident and the steps we are taking.

26. Your Privacy Rights and Choices

Depending on where you live, you may have some or all of the following rights over your personal information:

Right

Description

Access or know

Confirm whether we process your information and obtain a copy.

Correction

Ask us to fix inaccurate information.

Deletion

Ask us to delete your information, subject to legal exceptions.

Portability

Receive a copy of certain information in a portable format.

Withdraw consent or restrict

Withdraw consent or limit certain processing of sensitive information.

Opt out

Opt out of any sale, sharing, or targeted advertising (we do not do these; see Section 22 ).

Non-discrimination and appeal

Exercise your rights without unlawful discrimination, and appeal a decision about your request.

26.1 How to Exercise Your Rights

You may exercise your rights through the in-app controls or by contacting us at apps@decades.health. We will verify your identity before fulfilling a request and may need to confirm your relationship to any minor whose information is involved (see Section 9.3). We will respond within the timeframes the law requires. If we decline a request, we will explain why, and you may appeal by replying to our response. An authorized agent may submit a request on your behalf with proper authorization.

26.2 Account Deletion

You can delete your Decades account in the app by going to Profile/Settings → Account → Delete Account. Deleting your account deletes your profile, health records, family data, uploaded documents, and generated summaries, except information we are legally required to retain, such as transaction records. Deletion is processed after you confirm your intent within the app. Once confirmed, we complete deletion in accordance with this Policy, subject to any legal obligations to retain certain information (see Section 23).

27. State-Specific Privacy Notices

27.1 California Notice at Collection

This section provides the notice required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"). We collect the categories of personal information described in Section 7 and in the table in Section 28 , including identifiers, demographic and protected-classification information, health and medical information, sensitive personal information, internet and device activity, and inferences. We collect this information for the business purposes described in Section 12 , and we retain it as described in Section 23 . WE DO NOT SELL OR SHARE PERSONAL INFORMATION.

California residents have the right to know and access, delete, correct, and limit the use of sensitive personal information, along with the right to non-discrimination. We use sensitive personal information only to provide the Services you request and for purposes the CCPA permits, and not to infer characteristics about you for advertising. To exercise these rights, see Section 26.1.

California Confidentiality of Medical Information Act (CMIA). To the extent the CMIA applies to medical information we maintain about California residents, we handle that information in line with the CMIA, including limits on disclosing medical information without authorization.

27.2 Nevada — Consumer Health Data Privacy Law

Decades Health Inc. is headquartered in Nevada, so this section provides the notice relevant to Nevada's Consumer Health Data Privacy Law (Nevada Revised Statutes Chapter 603A) for Nevada residents and others to whom it applies.

Item

Details

Categories of consumer health data we collect

The health, medical, reproductive, sexual-health, mental-health, genetic, medication, and related information described in Section 7 and Section 8 , plus health-related identifiers and information derived from documents you upload.

How it is collected

Directly from you (and from family members you invite), and generated from your use of the Services.

Purpose

To provide the Services, generate insights and your Health Blueprint, and operate the features you choose.

Sharing and sale

We share consumer health data only with the processors listed in Section 16 that help us run the Services. WE DO NOT SELL YOUR CONSUMER HEALTH DATA, AND WE WILL NOT DO SO WITHOUT YOUR VALID AUTHORIZATION AS REQUIRED BY NEVADA LAW.

Your rights

You may access, correct, and request deletion of your consumer health data, and withdraw any consent you have given for its collection or sharing, by contacting apps@decades.health. We will confirm and honor valid requests as required by law.

27.3 Washington - My Health My Data Act (MHMDA)

This section provides the Consumer Health Data Notice required by Washington's My Health My Data Act for Washington residents and others to whom it applies.

Item

Details

Categories of consumer health data we collect

The health, medical, reproductive, sexual-health, mental-health, genetic, medication, and related information described in Section 7 and Section 8 , plus health-related identifiers and information derived from documents you upload.

How it is collected

Directly from you (and from family members you invite), and generated from your use of the Services.

Purpose

To provide the Services, generate insights and your Health Blueprint, and operate the features you choose.

Sharing

We share consumer health data only with the processors listed in Section 16 that help us run the Services; we do not sell consumer health data and will not without your separate, valid authorization.

Your rights

You may access, withdraw consent to the collection and sharing of, and request deletion of your consumer health data by contacting apps@decades.health. We will confirm and honor deletion requests as required by law, including by directing our processors to delete the data.

WE DO NOT AND WILL NOT SELL YOUR CONSUMER HEALTH DATA, WHICH WOULD REQUIRE YOUR SEPARATE, SIGNED, VALID AUTHORIZATION UNDER THE MHMDA.

27.4 Other U.S. State Privacy Laws

Residents of other U.S. states with comprehensive privacy laws may have rights similar to those in Section 26 , including the rights to access, correct, delete, and obtain a portable copy of their information, and to appeal our decisions. Because the Services are intended only for users in the United States (see Section 3 ), this Policy does not provide GDPR, UK, Canadian, or Australian disclosures; if our availability changes, we will update this Policy. To exercise any available rights, contact apps@decades.health.

28. Categories of Personal Information Collected

The categories below summarize what we collect, with examples, purposes, and retention. Recipients are the service providers listed in Section 16 .

Category

Examples

Purpose

Retention

Identifiers

Name, email, account ID, device identifiers, IP address.

Account creation, security, communications.

Life of account.

Protected classifications

Age, sex, race/ethnicity, relationship status.

Profile, insights, demographic context.

Life of account.

Health and medical information

Conditions, medications, allergies, history, documents.

Provide core Services and insights.

Life of account.

Sensitive personal information

Reproductive, sexual, genetic, mental-health, substance-use data.

Provide requested features only.

Life of account.

Family information

Relatives' health and relationship data, contact details.

Family mapping and collaboration.

Life of account.

Commercial information

Subscription plan, status, purchase references.

Provision and manage subscriptions.

As legally required.

Internet / device activity

App usage, diagnostics, crash logs.

Security, reliability, improvement.

Limited period.

Inferences

AI-generated insights, patterns, Blueprint.

Personalized informational insights.

Life of account.

29. How We Review New Features for Privacy Risks

We follow a privacy-by-design approach. Before launching new features that involve personal information, especially health or sensitive data, we assess the data involved, apply data-minimization and security controls, review vendor and AI processing arrangements, and consider the privacy impact on users and the family members they add. We update this Policy when new features materially change how we handle personal information.

30. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top and, for material changes, provide additional notice through the Services or by other appropriate means. Your continued use of the Services after an update takes effect means you accept the revised Policy.

31. Privacy Contact and Data Rights Requests

If you have questions about this Privacy Policy, want to exercise your privacy rights (see Section 26 ), or need to make a request relating to a family member or minor, please contact our privacy point of contact:

Point of Contact: Amy Samuel
Company: Decades Health Inc.
Address: 112 N Curry St,
Carson City, NV 89703-4934,
United States
Email: apps@decades.health
Phone: +1 424-239-9290

We will respond to privacy inquiries and verified rights requests within the timeframes required by applicable law.