Washington My Health My Data Act
Last Updated: May 16, 2026
MACH Evolved Creations, Inc., a Delaware corporation, together with its affiliates, if any ("MACH," "we," "us," or "our"), provides this Consumer Health Data Privacy Policy ("CHD Policy") to describe how we collect, use, share, and protect "Consumer Health Data," as defined under Washington's My Health My Data Act ("MHMDA") and similar laws (such as Nevada's SB 370 and Connecticut's expanded health data provisions). This CHD Policy supplements our Privacy Policy and applies specifically to Consumer Health Data.
This CHD Policy applies to consumers who are residents of Washington State and to other consumers whose Consumer Health Data we process where applicable law requires equivalent disclosures.
If there is any conflict between this CHD Policy and our Privacy Policy with respect to Consumer Health Data, this CHD Policy controls.
We are committed to handling any consumer health data with care, transparency, and respect. We limit any consumer health data we collect to what is reasonably necessary to fulfill the purposes described in this CHD Policy.
1. What is Consumer Health Data?
Under MHMDA, "Consumer Health Data" means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. This includes information that, when combined with other data, may reveal health-related information.
Examples of Consumer Health Data we may process include:
- Information you voluntarily provide about physical conditions (such as neck pain, posture issues, recovery from surgery or injury, or sleep disturbances) when contacting customer service, completing surveys, or submitting product reviews;
- Information you provide about your interest in our products in connection with health-related goals (such as recovery, rest, pain relief, or post-procedure care); and
- Purchase information related to MACH products (which may, in combination with other data, suggest interest in health-related goals).
We do not use Consumer Health Data to make inferences about specific medical conditions, diagnoses, or treatments.
MACH is not a healthcare provider. We are not a covered entity or business associate under the Health Insurance Portability and Accountability Act ("HIPAA"). We do not intentionally collect or process protected health information ("PHI") as defined under HIPAA. Our products are designed for comfort and ergonomic support. Although MACH may collect certain information that could be considered Consumer Health Data under applicable law, MACH products are not medical devices. Our services and products are not intended for medical diagnosis or treatment. MACH products have not been evaluated, cleared, or approved by the U.S. Food and Drug Administration ("FDA").
2. Categories of Consumer Health Data We Collect
We may collect the following categories of Consumer Health Data, depending on how you interact with us:
| Category | Description |
| --- | --- |
| Self-reported health information | Information you voluntarily share with our customer service team or in product reviews about your physical conditions, recovery goals, pain points, sleep, posture, or related concerns. |
| Product use and purchase information | Records of MACH products you have viewed, added to cart, purchased, or returned, where such information may suggest a health-related interest or use. |
| Communications you initiate with us | The content of emails, customer support inquiries, chat messages, surveys, and similar communications where you share health-related information. |
| Inferences | Inferences we may draw from your interactions with us that could relate to your health status or interests, used to recommend products and personalize content. |
| Information from our service providers and partners | Health-related information shared with us by our service providers or processors acting on our behalf (such as customer support tools or our email marketing platform). |
We do not collect biometric data, precise geolocation data within the proximity of any health care facility, or genetic data.
3. Sources of Consumer Health Data
We collect Consumer Health Data from the following sources:
- Directly from you, including when you create an account, place an order, sign up for our waitlist, contact customer service, complete a survey, submit a product review, or otherwise communicate with us;
- Automatically through your interactions with our website, including through cookies and similar technologies, where such interactions may relate to health-related interests;
- From our service providers, when they collect information on our behalf for purposes such as customer support, fulfillment, and marketing; and
- From our partners and other third parties, where you have consented to such sharing.
4. How We Use Consumer Health Data
We use Consumer Health Data only for the following purposes, and only to the extent necessary to fulfill these purposes:
- To provide the products and services you have requested, including responding to your inquiries, fulfilling your orders, processing returns, and providing customer support.
- To improve our products, content, and customer experience, including reviewing aggregated and de-identified feedback to inform product development.
- To personalize your experience, including showing you content and product recommendations that may be relevant to your interests, where you have consented to such personalization.
- To send you communications you have opted into, including marketing emails, where you have consented.
- To comply with legal obligations and enforce our policies, including responding to lawful requests from government authorities and protecting against fraud or misuse.
We do not use Consumer Health Data to: (a) make inferences about your medical conditions or treatments; (b) sell health-related products or services that we do not offer; (c) make automated decisions that produce legal or similarly significant effects; or (d) discriminate against you in any way.
5. How We Share Consumer Health Data
We share Consumer Health Data only with the following categories of recipients, and only as necessary to fulfill the purposes described in this CHD Policy:
| Category of recipient | Description |
| --- | --- |
| Service providers and processors | Vendors who provide services on our behalf, including e-commerce hosting (Shopify), email marketing and customer relationship management, customer support, payment processing, fulfillment, shipping, analytics, and IT infrastructure. These providers are contractually bound to use Consumer Health Data only as necessary to provide their services to us. |
| Affiliates | Our corporate affiliates, who may process Consumer Health Data for the same purposes described in this CHD Policy and under the same protections. |
| Legal and regulatory authorities | Where required by law, court order, subpoena, or other lawful process, or as necessary to protect our rights, the rights of our customers, or the public. |
| Successor entities | In connection with a merger, acquisition, financing, reorganization, or sale of all or part of our business, subject to confidentiality protections. |
| Other parties with your consent | Where you have specifically consented to the sharing. |
5.1 We Do Not Sell Consumer Health Data
MACH does not sell Consumer Health Data. Under MHMDA, the sale of Consumer Health Data requires a separate, valid authorization from the consumer, and we do not engage in that practice. We do not use Consumer Health Data for targeted advertising. If our practices change in the future, we will obtain valid authorization as required by law before any such sale occurs.
5.2 Specific Third Parties That May Receive Consumer Health Data
To the extent the following third parties receive any information that may constitute Consumer Health Data, they do so as our service providers or processors and are bound by contractual obligations to protect that data:
- Shopify (e-commerce platform);
- Klaviyo (CRM provider);
- Google Analytics, Shopify Analytics;
- UPS, USPS, FedEx (shipping carriers);
- Shopify Payments (payment provider).
A current list of our service providers is available upon request via the contact information at the end of this CHD Policy.
6. Your Consent
Where required by applicable law, we obtain your explicit, affirmative consent before collecting or processing Consumer Health Data beyond what is necessary to provide a product or service you have requested. Providing information alone does not constitute consent where additional consent is required by law.
We obtain separate consent where required for (i) collection of Consumer Health Data, (ii) sharing of Consumer Health Data with third parties, and (iii) any sale of Consumer Health Data (which would require valid authorization under applicable law).
By voluntarily providing Consumer Health Data to us (for example, by sharing health-related information in a customer service inquiry, product review, or survey), you consent to our collection and use of that information for the purposes described in this CHD Policy, subject to applicable consent requirements.
You may withdraw your consent at any time by contacting us at the email address listed at the end of this CHD Policy. Withdrawing consent will not affect any processing that occurred before we received your withdrawal request, but we will stop processing your Consumer Health Data going forward (except where we are permitted or required to retain it under applicable law).
7. Your Rights
If you are a Washington resident, you have the following rights under MHMDA with respect to your Consumer Health Data:
- Right to confirm and access. You have the right to confirm whether we are processing your Consumer Health Data and to access that data, including a list of the third parties and affiliates with whom we have shared it.
- Right to withdraw consent. You may withdraw your consent for our collection or sharing of your Consumer Health Data at any time.
- Right to delete. You may request that we delete your Consumer Health Data. We will honor verified deletion requests by deleting the data from our records and instructing our service providers and affiliates that received the data to do the same, subject to limited exceptions permitted by law.
- Right to non-discrimination. We will not discriminate against you for exercising any of these rights.
7.1 How to Exercise Your Rights
To exercise any of these rights, please email us at legal@mani.co with the subject line "Consumer Health Data Request" and a description of the right you wish to exercise.
We may need to verify your identity before responding to your request. Verification will generally involve matching information you provide to information we already have on file. We do not require you to create an account in order to exercise your rights, and we will only use information you provide for the purpose of verifying your identity and processing your request.
We will respond to verified requests within 45 days. We may extend this period by an additional 45 days when reasonably necessary and will notify you of any such extension.
7.2 Authorized Agents
You may designate an authorized agent to submit a request on your behalf. We will require the agent to provide written, signed authorization from you, and we may ask you to verify your identity directly with us before processing the request.
7.3 Appeals
If we deny your request, you may appeal our decision by replying to our written response or by emailing legal@mani.co with the subject line "Consumer Health Data Appeal." We will respond to your appeal within 45 days. If your appeal is denied, you may contact the Washington State Attorney General's Office at atg.wa.gov/file-complaint.
8. Retention of Consumer Health Data
We retain Consumer Health Data only for as long as reasonably necessary to fulfill the purposes for which it was collected, to provide the products and services you have requested, and to comply with our legal obligations. We maintain and use de-identified data in a manner that does not attempt to re-identify individuals. We do not attempt to re-identify de-identified Consumer Health Data. When Consumer Health Data is no longer needed, we delete or de-identify it in accordance with our data retention procedures. You may request deletion of your Consumer Health Data at any time as described in Section 7.
9. Security
We maintain administrative, technical, and physical safeguards designed to protect Consumer Health Data against loss, theft, and unauthorized access, disclosure, alteration, or destruction. These safeguards include encryption in transit, access controls, and contractual protections with our service providers. No security measure is perfect, but we work continuously to maintain and improve the protection of Consumer Health Data.
Access to Consumer Health Data within our organization is limited to personnel who need it to perform the purposes described in this CHD Policy.
10. No Geofencing of Health Care Facilities
Consistent with MHMDA, MACH does not implement geofences within 2,000 feet of any in-person health care facility for the purpose of:
- Identifying or tracking consumers seeking health care services;
- Collecting Consumer Health Data from those consumers; or
- Sending notifications, messages, or advertisements to those consumers based on their Consumer Health Data or proximity to a health care facility.
We do not collect precise location data for the purpose of inferring health status.
11. Changes to This CHD Policy
We may update this CHD Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this CHD Policy and, where required by law, provide additional notice. We encourage you to review this CHD Policy periodically.
12. Contact Us
If you have questions about this CHD Policy or about how we handle Consumer Health Data, please contact us at: legal@mani.co