Privacy and Security at Human Health

We’re fully committed to safeguarding and maintaining the privacy and security of your personal information and your health data. This has been true since day 1, and is a core pillar of how we operate as a business and ingrained into our app.

Privacy is top of mind for our users, and we accordingly put it front and centre in our app onboarding. Here’s a shot from our sign up flow:

In this blog post I’ll talk about how we use (and importantly: don’t use!) your data, and the various ways we keep your data safe. While you’ll find the full details in our Privacy Policy, this summarised version will help you get up to speed fast.

Keeping your data private

  • We will never sell your health data. We also won’t share it in a ‘not technically selling, but sharing in some ethically questionable way for our own benefit’ manner!
  • We will never send Personally-Identifiable Information (PII) and Private Health Information (PHI) to any third party without your explicit consent.
  • We collect anonymised metrics about the things you do in the app, and we use this data internally only, to figure out which features are working well, which flows need tweaking, and which areas to invest in next. It’s what enables our rapid iteration and helps us make our app the best it can be.
  • We also use anonymised data to power certain AI and data-science backed features, like our Community Insights feature, where you can see top symptoms and treatments tracked by people like you on the Human platform. This is done in aggregate, and isn’t linked in an identifiable way to your PII or PHI.

Research studies with Human

  • We currently use fully anonymised and aggregated health data from the app for research purposes, to help us and our research partners answer questions about human health. For example: are users more likely to rate their anxiety as ‘major’ during summer or winter? Do daylight saving changes affect how people rate their sleep?
  • We have future plans to allow users to opt-in (only with explicit consent) to specific research studies on our platform, and to have their health data shared with carefully selected and vetted research organisations to advance research and care for people with similar conditions and symptoms. We think it’d be a really neat way to do science at scale.
  • We have not yet launched research studies in our app. When we get to it we’ll make it opt-in, and it’ll be super clear what each research study is for, who your data will be shared with, exactly what data will be shared & how it will be used, how your data will be deleted after the study ends, etc.
  • Read more about our research intentions in the blog post from Kelly, our Chief Researcher, and stay tuned for our next white paper.

Compliance and ethics at Human

  • We are fully GDPR and HIPAA compliant. This provides a number of safeguards in how we process and store your data and how we operate as a business, including storing sensitive data only for as long as strictly needed, enabling you to request copies of your data, making it easy to delete your data, and so on.
  • We view GDPR and HIPAA as the minimum bar for compliance. Just because something is legal doesn’t mean it’s the best we can do ethically. When designing our system, and for each new product feature we launch, we carefully consider best practices and how we might go beyond these.
  • Our staff undertake training in how to handle data and IT systems in accordance with GDPR, HIPAA, and security best-practices relevant to their role.

Security at Human

  • We store your PII and PHI encrypted at rest in Google Cloud Platform (GCP), using industry best-practices.
  • We consider “Privacy by Design” and “Security by Design” when developing new features, and think hard about how our data is collected, where it goes, and how it’s used.
    • An example of Privacy by Design: we use PostHog for the internal app metrics and analytics mentioned above. Instead of taking the easy route and adding a ‘tracking pixel’ to our app that’ll hoover up everything you click on, we explicitly opt in each individual action we want to record, and send it to PostHog via our own servers, to strictly limit what gets tracked.
    • An example of Security by Design: we don’t store passwords — since launching Sign In With Apple & Google we have found over 90% of our users take this route. For people that do decide to sign up with an email + password combination, we outsource password storage to Google (Firebase) so that we can never leak your password.
  • We engage a third party to undertake security penetration testing on a yearly basis, and passed our first one with no major findings.
  • We undertake a yearly HIPAA compliance audit, and are proud that we passed our first audit this year with flying colours.
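To make the Privacy by Design example above concrete, here is an added illustration (not Human’s own code) of the kind of server-side relay it describes: only events on an explicit allowlist are forwarded, only allowlisted properties survive, and the account id is replaced by a salted hash before anything reaches an analytics provider such as PostHog. The event names, property names and salt are constructed for this example.

```python
import hashlib
from typing import Any, Dict, List, Optional

# Hypothetical opt-in allowlist: an event is forwarded only if its name is
# listed here, and only the listed properties are kept. Anything else is dropped.
ALLOWED_EVENTS: Dict[str, set] = {
    "symptom_logged": {"category", "platform"},
    "treatment_logged": {"category", "platform"},
    "onboarding_completed": {"platform"},
}


def pseudonymise(user_id: str, salt: str) -> str:
    """Replace the real account id with a salted hash so the analytics
    provider can count distinct users without learning who they are."""
    return hashlib.sha256((salt + user_id).encode("utf-8")).hexdigest()[:32]


def filter_event(raw: Dict[str, Any], salt: str) -> Optional[Dict[str, Any]]:
    """Return an analytics-ready payload, or None if the event is not opted in."""
    allowed_props = ALLOWED_EVENTS.get(raw.get("event", ""))
    if allowed_props is None:
        return None  # not explicitly opted in: never forwarded
    props = {k: v for k, v in raw.get("properties", {}).items() if k in allowed_props}
    return {
        "event": raw["event"],
        "distinct_id": pseudonymise(str(raw["user_id"]), salt),
        "properties": props,
    }


def relay(batch: List[Dict[str, Any]], salt: str) -> List[Dict[str, Any]]:
    """Filter a batch of app events down to what may leave our servers."""
    return [e for e in (filter_event(raw, salt) for raw in batch) if e is not None]


# Constructed sample batch: one allowed event carrying stray PII, one event that
# was never opted in, and one allowed event with an extra property.
SAMPLE_BATCH = [
    {"event": "symptom_logged", "user_id": "u-123",
     "properties": {"category": "mood", "platform": "ios",
                    "symptom_name": "anxiety", "email": "someone@example.com"}},
    {"event": "screen_viewed", "user_id": "u-123", "properties": {"screen": "home"}},
    {"event": "onboarding_completed", "user_id": "u-456",
     "properties": {"platform": "android", "name": "Bob"}},
]

if __name__ == "__main__":
    for event in relay(SAMPLE_BATCH, salt="example-salt"):
        print(event)
```

The salt should live only on the relay server; rotating it breaks the link to earlier pseudonyms, which is a deliberate property, not a bug.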

If you have questions about the above, or any related questions about data privacy, security or compliance, please drop us a line at support@human.health and we’ll share more information.

Happy tracking,

The Human Health Team

Contributors
Alex Treppass
Head of Engineering