Consumer Health Data Privacy Policy
Last updated: February 2026
This Consumer Health Data Privacy Policy describes how SupaHit (“we,” “us,” or “our”) collects, uses, shares, and protects consumer health data through the SupaHit mobile app and VDojo web platform. This policy is provided in compliance with the Washington My Health My Data Act (RCW 19.373), the Connecticut Health Data Privacy requirements, and other applicable state health data laws.
This policy supplements our general Privacy Policy. In the event of a conflict between this policy and the general Privacy Policy regarding health data, this policy controls.
1. What Is Consumer Health Data?
Consumer health data means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. For SupaHit, this includes:
- Injury records — body area affected, severity level (low/medium/high), description, notes, date of injury, and recovery status
- Injury sharing preferences — whether you have opted to share injury severity with your dojo
- Training activity data that reveals health status — training frequency patterns, duration changes, and gaps in training activity that may correlate with health conditions
The following data is not classified as consumer health data under this policy: belt/rank progression, class attendance, gamification data (XP, streaks, achievements), social posts, or general profile information.
2. How We Collect Health Data
We collect consumer health data only through the following means:
- Injury logging: When you voluntarily use the “Log Injury” feature in the SupaHit app to record an injury, including selecting a body area on the body map, choosing a severity level, and optionally adding a description and notes.
- Parent-logged injuries: When a parent or legal guardian logs an injury on behalf of their child through the Parent Portal.
We do not collect health data automatically, passively, from wearable devices, from third parties, or from any source other than your direct voluntary input.
3. Consent
We collect and process your consumer health data only with your affirmative, voluntary consent. You provide consent each time you choose to use the injury logging feature. Injury tracking is entirely optional — no part of the Service requires you to log injuries.
Consent for Sharing
Sharing injury data with your dojo requires separate, additional consent via the “Share with Dojo” toggle on each individual injury record. This toggle is off by default. Enabling it shares only the severity level (low/medium/high) with your dojo’s owner and managers. Your injury description, specific body area, and personal notes are never shared.
4. How We Use Health Data
We use your consumer health data only for the following purposes:
- Display in your personal injury log: Showing your injury history, active injuries, and recovery status within the SupaHit app.
- Dojo staffing intelligence (opt-in only): When you enable sharing, your injury severity is included in your dojo’s staffing analysis to help predict class attendance and allocate instructors. Only severity level is shared — no descriptions, body areas, or notes.
- Dashboard alerts (opt-in only): Dojo owners/managers see an aggregated injury alert count on their dashboard when students have opted to share injury status. No individual details are displayed in the alert count.
- Parent visibility: Parents who have linked to their child’s student record can view their child’s full injury details through the Parent Portal.
We do not use consumer health data for:
- Advertising or marketing of any kind
- Sale to third parties
- Profiling or automated decision-making
- Employment, insurance, or credit decisions
- Any purpose not listed above
5. Who Receives Health Data
Your consumer health data may be received by the following parties:
5.1 Service Infrastructure
- Supabase, Inc. — our database hosting provider. Injury data is stored in Supabase’s PostgreSQL database with row-level security policies that restrict access to authorized users only. Data is stored in the United States.
5.2 Dojo Staff (Opt-In Only)
If you enable the “Share with Dojo” toggle, only your injury severity level is accessible to your dojo’s owner and managers through the VDojo staffing and dashboard features. Instructors do not have access to injury data. This sharing is facilitated through a database function (get_dojo_injury_report) that is specifically designed to return severity-only data — it is architecturally impossible for the function to expose descriptions, body areas, or notes.
5.3 Parents (Linked Children Only)
Parents and legal guardians linked to a child’s student record can view the child’s full injury details (including body area and description) through the Parent Portal.
We do not share consumer health data with any other third party, including advertisers, data brokers, employers, insurers, or government entities (except as required by law).
6. We Do Not Sell Health Data
We do not sell, rent, trade, or otherwise make available your consumer health data to any third party in exchange for monetary or other valuable consideration. We have never sold consumer health data and will not do so in the future without first obtaining your separate, express written authorization as required by applicable law.
7. Your Rights
You have the following rights regarding your consumer health data:
- Right to confirm: You may ask us to confirm whether we are collecting or sharing your consumer health data.
- Right to access: You may request a complete copy of all consumer health data we hold about you, provided in a machine-readable format.
- Right to withdraw consent: You may withdraw consent for collection of future health data at any time by simply not using the injury logging feature. You may withdraw consent for sharing at any time by disabling the “Share with Dojo” toggle on each injury record.
- Right to deletion: You may request deletion of any or all of your consumer health data. Individual injuries can be deleted directly in the app. For complete deletion of all injury data, contact privacy@supahit.com.
- Right to appeal: If we deny a request to exercise your rights, you may appeal the decision by contacting privacy@supahit.com with the subject line “Health Data Rights Appeal.”
We will process rights requests within 45 days. We will not discriminate against you or degrade your Service experience for exercising any of these rights.
8. Data Retention
- Active injuries: Retained for as long as your account is active or until you delete the injury record.
- Recovered injuries: Retained in your injury history for as long as your account is active, unless you choose to delete them.
- Account deletion: All consumer health data is deleted within 30 days of account deletion. Backups are purged within 90 days.
- Children’s health data: Deleted within 14 days of a parent’s deletion request.
- Shared severity data: When you disable the “Share with Dojo” toggle, the dojo’s access to your injury severity is revoked immediately. No cached copies are retained by the dojo.
9. Security of Health Data
Consumer health data receives the same security protections as all personal data on our platform, including:
- Encryption in transit (TLS/HTTPS) and at rest (AES-256 via Supabase)
- Row-level security (RLS) policies restricting database access to authorized users
- SECURITY DEFINER database functions that enforce data minimization (severity-only sharing)
- Role-based access control limiting dojo staff access by permission level
- Input validation and sanitization on all injury form fields
- Regular security audits of data access patterns
10. Geofencing
We do not use geofencing technology to collect consumer health data. We do not track your physical location in connection with health data collection or processing.
11. Changes to This Policy
We will provide at least 30 days’ advance notice before making material changes to this Consumer Health Data Privacy Policy. Notice will be provided via email to the address associated with your account. Where required by law, we will obtain your consent before applying changes that expand our collection, use, or sharing of consumer health data.
12. Contact
For questions, concerns, or requests related to your consumer health data, contact:
- Email: privacy@supahit.com
- Subject line: “Health Data Privacy Request”