Qpher

Consumer Health Data Privacy Policy

Version 1.0.0Last updated: 2026-07-07
Published

1. Who We Are; Scope

This Consumer Health Data Privacy Policy is published by Qpher LLC ("Qpher", "we", "us") under the Washington My Health My Data Act and Nevada Senate Bill 370. It applies to Washington and Nevada consumers' "consumer health data" handled by Qpher Legacy and Qpher Vault. This policy supplements our Privacy Policy at qpher.ai/legal/privacy. For consumer health data of Washington and Nevada consumers, where this policy and the Privacy Policy differ, this policy governs.

2. What We Can and Cannot See

Your documents are encrypted on your device; Qpher stores only ciphertext and cannot read document contents or (for Legacy Vault documents) file names. We believe this means we do not collect readable health information from your documents. To the extent any data we hold is consumer health data, this policy governs it. For the full description of the encryption design and its trust model, see Section 6.5 of our Privacy Policy.

3. Categories of Consumer Health Data Collected

To the extent the following constitute consumer health data, we collect: (a) Encrypted documents you store, which may contain health information we cannot read; and, for Qpher Legacy Vault documents, the encrypted document and folder names (for standard, non-Legacy Qpher Vault documents, file names are stored unencrypted — see Section 3 of our Privacy Policy — so do not put health information in a standard Qpher Vault file name if this matters to you); (b) A death certificate, only if a claimant submits one in the manual claim-review lane of the Qpher Legacy claim process (a copy of a death certificate may state a cause of death); (c) Claim attestations regarding a death — the sworn statement, typed legal name, and date a claimant provides when opening a claim on a Legacy Vault. We do not collect biometric data, precise location data, health-status inferences, or any other category of consumer health data.

4. Sources

We collect the data described in Section 3 from: (a) you, when you store documents; and (b) your designated heirs and confirmers, for claim-lane submissions only (attestations and, in the manual review lane, a death certificate).

5. Purposes

We collect and use the data described in Section 3 only to: (a) provide the storage and legacy-release service you configure; (b) verify claims on a Legacy Vault; (c) maintain the security of the service; and (d) comply with legal obligations. No other purpose.

6. No Sale; No Advertising Use

We do not sell consumer health data and do not use it for advertising. No data is shared for these purposes. Because we do not sell consumer health data, we do not need — and do not ask for — the separate signed authorization Washington law requires before any sale.

7. Sharing

We share the data described in Section 3 only: (a) with recipients you designate, when your release policy completes (release is controlled by your policy — a claim, your confirmers, the delay period, and your right to veto); (b) with processors acting under binding contracts that limit processing to our documented instructions — currently Google Cloud (infrastructure and storage), Cloudflare (encrypted object storage), and Twilio SendGrid (transactional email); the current list is maintained in this section and in Section 6 of our Privacy Policy; and (c) as required by law — see the legal-process transparency provisions of our Terms of Service; law-enforcement requests are documented and never, by themselves, release documents.

8. Your Rights

If you are a Washington resident (or a Nevada resident, with equivalent rights under Nevada law), you have the right to: - **Access** the consumer health data we hold about you, including the categories of third parties and processors it has been shared with; - **Withdraw consent** you previously gave for the collection or sharing of your consumer health data; - **Delete** your consumer health data, including from backups, on the timelines the statutes set, except records we are permitted or required by law to retain — for example the append-only legacy policy ledger entry recording a claim attestation, and a death certificate held as part of a claim record, both of which we keep as evidence of the basis for a claim on the retention timelines described in our Privacy Policy. Where we retain such data, we tell you what we kept and why in our response. Deleting your Legacy Vault disarms your legacy policy. Submit a request to privacy@qpher.ai. We verify each request, respond within the statutory deadlines (for most requests, within 45 days of verification, extendable once by a further 45 days where the law allows and we notify you), and never discriminate against you for exercising your rights. **Appeals**: if we decline a request, you may appeal by replying to our decision; we will respond to the appeal within the statutory appeal deadline. If your appeal is unresolved, you may raise it with the Washington Attorney General or the Nevada Attorney General, as applicable.

9. Processors

Every processor that handles consumer health data on our behalf is bound by a contract limiting its processing to our documented instructions and requiring it to assist us in honoring the rights in Section 8. Our current processors for this data are listed in Section 7.

10. Changes to This Policy

We may update this policy as our practices or the law change. Material changes will be announced on this page before taking effect, and where the law requires renewed consent for a new collection or sharing purpose, we will ask for it — we will not apply a material change to previously collected consumer health data without the consent the law demands. Prior versions of this policy are archived and retrievable on request to privacy@qpher.ai.

11. Contact

For questions about this policy or to exercise your rights: privacy@qpher.ai. Qpher LLC, 8401 Mayland Dr Ste A, Richmond, VA 23294, USA. This Consumer Health Data Privacy Policy is effective as of July 7, 2026 (version 1.0.0).

Ask Qpher AI