Status: DRAFT. This is a working draft. Final text must be reviewed and approved by counsel familiar with Washington's My Health My Data Act (MHMDA), California's CMIA, and the FTC Health Breach Notification Rule before public launch.
Last updated: 2026-05-13
This Consumer Health Data Privacy Policy is provided in addition to our general Privacy Policy. It applies specifically to "consumer health data" as that term is defined under Washington's My Health My Data Act (MHMDA) and similar state laws. The Testicular Cancer Foundation ("TCF," "we") is not a HIPAA-covered entity, but we choose to honor consumer-health-data protections as a matter of trust and as a baseline of compliance with state-level law.
What we consider consumer health data
For the purposes of this policy, we treat the following as consumer health data:
- Your role in the community where it implies a health status (e.g., "survivor" or "current patient")
- Your eligibility attestation that you've been diagnosed with testicular cancer
- Your diagnosis date and treatment path, if you choose to disclose them (coming in a future release; not currently collected)
- Your "my story" free-text field, if you write one (coming in a future release; not currently collected)
- Survivor-since date (coming in a future release; not currently collected)
How we collect it
We collect consumer health data only when you affirmatively provide it inside the App. We do not infer health data from other sources. We do not buy consumer health data from data brokers.
How we use it
- To run the App's core features (the directory, future support matching, etc.)
- To provide aggregate statistics about the community (e.g., "members across N states") — never tied back to individuals
- To respond to your direct questions or requests
Categories of third parties with whom we may share
We share consumer health data only as follows:
- With Supabase, our database and authentication provider, who stores the data on our behalf. Supabase signs a Data Processing Addendum and applies industry-standard security controls.
- With Vercel, our hosting provider. Vercel processes only what's needed to deliver the App to your browser; the consumer health data itself sits in Supabase, not Vercel.
- With Twilio SendGrid, when we send you an account email (e.g., a sign-in magic link). The email itself doesn't contain consumer health data.
- With Sentry, when an error occurs on a page that touches your data, for the limited purpose of debugging. Sentry's Session Replay is disabled on any page that surfaces sensitive fields.
We do not share consumer health data with advertisers, analytics platforms, or data brokers.
Your rights under MHMDA
You have the right to:
- Confirm whether we hold consumer health data about you
- Request a copy of that data
- Request deletion of that data (planned UI in a future release; available today by emailing info@tcancer.org)
- Withdraw consent for any specific use we've described, at any time
- Appeal any denial of these requests by writing to info@tcancer.org
We respond to requests within 45 days. There is no fee.
Our security commitments
- Encryption in transit (TLS 1.2+) on every page
- Encryption at rest in our database
- Row-Level Security on every database table
- Append-only audit log of every administrative read of consumer health data
- Annual privacy self-assessment
Breach notification
In the unlikely event of a security incident involving your consumer health data, we will notify you and the relevant regulator (FTC, state Attorney General, etc.) within 60 days of discovery, in line with the FTC Health Breach Notification Rule.
Contact and complaints
- Direct contact: info@tcancer.org
- Washington State Office of the Attorney General: consumer protection division
- FTC: ftc.gov/complaint
This policy will be reviewed annually and updated as our practices evolve. We will notify you in the App when material changes are made.
Testicular Cancer Foundation · 501(c)(3) · EIN 27-1348551