Privacy Policy
Last updated · April 29, 2026
1. Introduction
Lineage Health ("we," "us") helps young adults take charge of their own health, with optional support from a parent or other trusted person. This policy explains what we collect, how we use it, and your choices when using lineagehealth.co or our app (the "Service").
Sections 1–3 cover our general practices. Section 4 is our Consumer Health Data Privacy Policy, covering the additional protections that apply to your health information under Washington's My Health My Data Act and similar state laws. Sections 5–9 apply to both.
2. Our Regulatory Status
Lineage Health is a consumer wellness app — not a healthcare provider, health plan, or business associate — so HIPAA generally doesn't apply. We're not a medical device and don't diagnose or treat anything. Our AI provides general education only and doesn't recommend specific plans, providers, or treatments.
We follow Section 5 of the FTC Act, the FTC Health Breach Notification Rule, the Washington My Health My Data Act, the California Consumer Privacy Act and Confidentiality of Medical Information Act, Nevada SB 370, and the Connecticut Data Privacy Act.
3. General Privacy Practices
Information we collect from you
- Account info: name, current situation (college, recent grad, employed), location, and an optional invitation to a parent or child
- Verification info to confirm your identity and that you're 18 or older
- Messages to a connected parent or child, and to our support team
- AI conversations: questions, responses, and any feedback
- Privacy settings you configure
Health information is covered separately in Section 4.
Information we collect automatically
- Device type, operating system, browser
- IP address and approximate (city-level) location
- Pages viewed and features used — event names only, never the contents of your health information
- Referring website
What we don't collect
Precise location, biometric data, your contacts, your photos, or information about you from data brokers.
How we use this information
- To provide and personalize the Service
- To enable messaging between connected accounts, based on your privacy controls
- To verify your identity and age
- To improve the Service through aggregated analytics
- To keep the Service secure and prevent fraud
- To send transactional emails, plus marketing if you opt in
- To comply with legal obligations
Cookies and tracking
We use strictly necessary cookies for login, sessions, and security, plus analytics cookies that never receive health information.
We don't use advertising cookies, retargeting pixels, or trackers from ad networks like Meta Pixel, Google Ads, or TikTok Pixel. We don't let third parties track you across other sites.
4. Consumer Health Data Privacy Policy
4.1 What counts as consumer health data
Information that identifies your past, present, or future physical or mental health status. For Lineage Health, this includes:
- Insurance coverage details
- Family medical history
- Allergies
- Medications and prescriptions
- Doctors and other healthcare providers
- Medical conditions and diagnoses
- Health questions you ask our AI, and the responses you receive
4.2 How we collect it
Only when you voluntarily share it — by entering it into your health profile, asking our AI a health question, or messaging a connected parent or child. We don't collect it passively, infer it from your behavior, or buy it from data brokers.
4.3 How we use it
- To build and personalize your health profile
- To generate AI educational content and guide your healthcare journey
- To enable health information sharing between connected accounts, based on your privacy controls
- To respond to your support requests
We don't use it for advertising, marketing analytics, or model training. Our AI providers don't train on your data.
4.4 Who we share it with
We don't sell your consumer health data. We don't share it with advertisers, data brokers, insurers, or employers. We share it only:
- With a parent, child, or other person you've connected to your account — only what you authorize through your privacy controls
- With service providers (cloud hosting, identity verification, authentication, AI processing, error monitoring) under contracts limiting how they may use it
- When we believe in good faith it's necessary to comply with the law, protect our legal rights, prevent wrongdoing, or protect personal safety
- In a merger or acquisition — we'll notify you first and let you delete your information
4.5 Your consent
Before we collect any consumer health data, we ask for your separate, opt-in consent and log the date, time, and policy version you agreed to. Before sharing it with anyone outside Lineage Health (other than the service providers above), we get your separate authorization. You can withdraw consent or revoke an authorization anytime in account settings or by emailing privacy@lineagehealth.co.
4.6 Your rights regarding consumer health data
You have the right to:
- Confirm whether we're collecting, sharing, or selling your consumer health data (we don't sell it)
- Access a list of all third parties with whom we've shared it
- Withdraw consent for our collection or sharing
- Delete it — we complete deletion within 30 days, including from backups, archives, and service providers
Email privacy@lineagehealth.co. We respond within the period required by law and verify your identity first.
Washington residents: MHMDA gives you a private right of action, meaning you can sue us directly for violations.
4.7 How we protect consumer health data
- Encryption in transit and at rest, with extra encryption on sensitive health fields
- Multi-factor authentication options
- Audit logs of every access to health information
- Employee access limited to need-to-know
- Regular security reviews
- No third-party tracking scripts on pages where you enter health information
No system is 100% secure. If we discover a breach of your unsecured health information, we'll notify you and the FTC within 60 days, as required by the FTC Health Breach Notification Rule (16 CFR Part 318).
5. Your Rights (All Users)
In addition to the consumer health data rights in Section 4, you have these rights for all your information, no matter where you live:
- Access — view in account settings or request a complete copy
- Correct — update in account settings
- Delete — we complete deletion within 45 days
- Portability — download in a machine-readable format
- Opt out of marketing — unsubscribe from any marketing email or change preferences in your account
- Non-discrimination — we won't deny service or change pricing for exercising these rights
Email privacy@lineagehealth.co. We respond within the period required by law (usually 45 days) and verify your identity first.
6. How Long We Keep Your Information
We keep your information while your account is active. After deletion: general account info within 45 days, consumer health data within 30 days, except where law requires retention. Audit logs may be kept up to 12 months for security investigations. Aggregated, de-identified data may be kept indefinitely.
If your account is inactive for 24 months, we flag it for deletion and email you at least 30 days before.
7. Users 18 and Older
The Service is for users 18 and older. We verify age at signup and don't knowingly collect information from anyone under 18. If we find out we have, we'll delete it promptly. Concerns: privacy@lineagehealth.co.
8. Geographic Scope and Third-Party Links
The Service is intended for users in the United States. If you access it from elsewhere, you do so on your own initiative, and your information will be processed in the US.
The Service may link to other sites, like provider directories. We're not responsible for their privacy practices.
9. Changes to This Policy
For significant changes — including any material change to Section 4 — we'll notify you by email or through the Service at least 30 days before they take effect.
Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at: hello@lineagehealth.co.