Health Data Privacy Policy
This policy covers health and wellness data specifically. It supplements our general Privacy Policy. Where this policy and our general Privacy Policy conflict regarding health data, this policy controls.
This policy is designed to comply with the Washington State My Health My Data Act (MHMDA), RCW 19.373, and applies to all Hestia users regardless of location.
Hestia is a meal planning and grocery shopping app. Some of the data we handle relates to your health and wellness - things like what you eat, your dietary needs, and optionally your body measurements from Apple Health. This policy explains exactly what health data we collect, why we collect it, who can see it, and how you stay in control.
1. What Health Data We Collect
We organize health data into three categories based on where it comes from.
A. Apple HealthKit Data (opt-in only)
If you choose to connect Apple Health, we may read:
- Body weight and height - to set your daily calorie and protein targets
- Active energy burned and step count - to estimate your total daily energy expenditure (TDEE)
- Resting energy (basal metabolic rate) - used alongside active energy for TDEE estimation
We also write data to Apple Health on your behalf:
- Calories, protein, fat, carbohydrates, and fiber from your meal plans - so your Apple Health nutrition log stays up to date
HealthKit integration is entirely optional. You can enable or disable it at any time in Settings > Health & Fitness, or through iOS Settings > Privacy & Security > Health > Hestia.
B. Data Derived from App Usage
As you use Hestia, we derive health-related information from your activity:
- Dietary patterns - what meals you plan and consume
- Meal plan compliance rates - how closely you follow your plan
- Grocery purchase patterns - what foods you buy
- Healthy Eating Index (HEI-2020) scores - a nutrition quality score computed from your consumption data
- Pantry inventory - foods you have on hand
These algorithmically derived insights (your Healthy Eating Index (HEI-2020) score, dietary pattern analysis, and meal plan compliance rates) are considered consumer health data under Washington law and are subject to all protections in this policy.
C. Health Data Sent to Hestia Servers
Most health data stays on your device. The only HealthKit-sourced data that leaves your phone is body weight, and it is sent only if you have enabled both the analytics consent toggle AND the health research consent toggle. When sent:
- Your weight is pseudonymized: it is associated with a SHA-256 hashed household ID, never your raw user ID or name
- HealthKit-sourced weight is tagged as such and is always excluded from partner analytics and commercial data products
2. Why We Collect Health Data
| Data | Purpose |
|---|---|
| Body weight, height, energy burned, step count, BMR | Personalize your daily calorie and macronutrient targets so your meal plan matches your body and activity level |
| Nutrition written to HealthKit | Keep your Apple Health nutrition log current with meals from your Hestia plan |
| Dietary patterns and meal compliance | Improve future meal plan suggestions and reduce food waste |
| HEI-2020 scores | Show you how your overall diet quality is trending over time |
| Grocery purchase patterns and pantry | Suggest recipes using ingredients you have, avoid buying duplicates |
| Pseudonymized weight (when both consents enabled) | Compute your Healthy Eating Index score and support wellness research at the population level |
We do not collect health data for any purpose not listed above. We do not use health data for advertising, behavioral targeting, or profiling.
3. Who We Share Health Data With
Short answer: almost nobody. We never sell health data to insurers, advertisers, or data brokers. HealthKit data is never included in commercial data products.
No third-party sharing without consent
Your health data is not shared with any third party unless you explicitly opt in. There is no default sharing.
Service providers
Our backend servers process meal plan generation and nutrition scoring. These servers are operated by Hestia and are not third-party services with independent access to your data. Crash reporting (Sentry) may capture anonymized error context but never health data values.
Wellness program analytics (future, consent-required)
If you opt into "Health & Wellness Insights," anonymized aggregate statistics - computed at the population level with a minimum cohort size of 50 people and differential privacy noise applied - may be used for wellness program analytics. This is statistical research (for example, "families who plan meals 5 days a week have 12% higher HEI scores"), never individual data. HealthKit-sourced weight is always excluded from these analytics, even with consent.
Hestia Labs LLC has no corporate parent, subsidiaries, or affiliates. If any are established in the future, they will be listed here by name before any health data sharing occurs.
Categories of third parties
| Category | What They Receive | Your Consent Required? |
|---|---|---|
| Hestia backend servers | Pseudonymized weight (if both consents enabled), meal plan data | Yes (two separate toggles) |
| Wellness researchers (future) | Aggregate population statistics only, never individual data | Yes |
| Commercial data partners | Nothing from HealthKit, ever. Grocery pricing data only (covered in general Privacy Policy) | N/A - HealthKit data excluded |
| Insurers, advertisers, data brokers | Nothing. Never. | N/A |
4. Your Consent and How It Works
Separate, granular consent
Hestia uses 6 independent consent toggles. You can enable or disable each one separately:
- Analytics - usage data to improve the app
- Personalization - tailored meal plans and recommendations
- Data sharing - aggregated grocery data in commercial products
- Health research - pseudonymized health data for wellness analytics
- Swap targeting - product substitution suggestions
- Price contributions - your price observations in market intelligence
Health data sent to our servers requires both the analytics toggle AND the health research toggle to be enabled. Turning off either one stops the transmission.
Consent expires
All health data consents expire after 1 year. We will ask you to renew before the expiration date. If you do not renew, collection stops automatically.
The app works without health data
You do not need to connect Apple Health or enable any health consent toggles to use Hestia. Meal planning, grocery shopping, pantry tracking, and all core features work fully without health data.
5. Your Rights
You have the following rights over your health data. These rights apply to all Hestia users, not just Washington State residents.
Right to know
You can request a list of all health data we have collected about you, the purposes it was used for, and any third parties it was shared with, including active contact information for each third party. We will respond within 30 days.
Right to access
You can request a copy of your health data in a machine-readable format. Go to Settings > Account > My Data in the app, or email us. You may request access to your health data up to twice per year free of charge.
Right to delete
You can request deletion of some or all of your health data at any time:
- Disconnect HealthKit in Settings > Health & Fitness. This deletes all HealthKit-sourced data from our backend servers.
- Delete your account in Settings > Account > Delete Account. This removes all data, including pseudonymized records, from our systems.
- Request targeted deletion by emailing us. For example, you can ask us to delete only your weight history while keeping other data.
We will delete your health data within 30 days of your request. Data stored on archived backup systems may take up to 6 months to be fully purged, after which it will be permanently removed. We will confirm deletion in writing.
Right to withdraw consent
You can turn off any consent toggle at any time in Settings > Privacy. We will honor your withdrawal promptly - withdrawing consent stops future collection immediately. It does not affect data already collected under your prior consent, but you can separately request deletion of that data.
Right to appeal
If we deny a request related to your health data rights, we will explain why in writing. You may appeal within 45 days of the denial by emailing us with the subject line "Health Data Appeal." We will respond to appeals within 45 days.
No retaliation
We will never degrade your service, increase your price, or penalize you in any way for exercising your health data rights.
6. How We Protect Health Data
- On your device: HealthKit data is protected by iOS file protection (complete protection class). The Hestia app database is encrypted at rest.
- In transit: All data sent to our servers uses TLS 1.2+ with certificate pinning.
- On our servers: Health data is stored separately from account identifiers. Weight data uses pseudonymized household IDs (SHA-256 hashed). Access is restricted to essential personnel only.
- Retention: HealthKit-sourced data on our servers is retained only while your consent is active. When consent expires or is withdrawn, server-side health data is deleted within 30 days.
7. What We Will Never Do
To be absolutely clear:
- We will never sell your health data to insurers, employers, advertisers, or data brokers
- We will never use health data for advertising or behavioral targeting
- We will never include HealthKit data in any commercial data product
- We will never share health data with third parties without your explicit opt-in consent
- We will never deny you service for refusing to share health data
- We will never collect health data from children under 13
8. Geofencing Disclosure
Hestia does not use geofencing technology around healthcare facilities, mental health providers, pharmacies, or any other health-related locations. We do not track your proximity to healthcare providers or use location data to infer health conditions.
9. Changes to This Policy
If we make material changes to how we handle health data, we will notify you at least 30 days before the changes take effect. Notification will be sent via email and in-app notification. Your continued use after the effective date of changes constitutes acceptance, but we will re-request consent for any new categories of health data collection.
10. Contact Us
Questions about your health data?
Email: support at hestiaember.com
Subject line: "Health Data Privacy Request"
We will respond within 30 days for all health data requests.
This policy also applies to requests made under the Washington State My Health My Data Act (RCW 19.373), the California Consumer Privacy Act (CCPA/CPRA), and the EU General Data Protection Regulation (GDPR). For rights under those laws, see our general Privacy Policy.
Last updated: March 28, 2026. This Health Data Privacy Policy supplements Hestia's general Privacy Policy.