Privacy Policy

Last updated: April 2, 2026

1. Who We Are

Early Signs (“we”, “us”, “our”) is a consumer health optimization platform that allows users to track their biomarker lab results against longevity-optimized reference ranges. We are not a healthcare provider, health plan, or clearinghouse.

2. Data We Collect

Account data: Email address, hashed password. Stored in our Identity layer, separate from health data.

Health data: Biomarker lab results you upload (values, dates, units). Stored in our Health Data layer with encryption at rest.

Usage data: Pages visited, features used. Collected via Vercel Analytics (privacy-focused, no cookies, no personal data).

Payment data: Processed entirely by Stripe. We never see or store your credit card number.

We do not collect data from third parties. All health data is self-reported by you.

3. How We Use Your Data

  • To provide the biomarker tracking and optimization service
  • To display your results against optimal and standard ranges
  • To power the AI Health Assistant (Pro plan) — your biomarker data is sent to Anthropic's API for processing, subject to their data processing terms
  • To process payments via Stripe
  • To send transactional emails (account verification, password reset)

We never: sell your health data, share it with advertisers, use it for ad targeting, share it with analytics vendors, or train AI models on your data without explicit opt-in consent.

4. Data Architecture

Your personally identifiable information (email, name) and your health data (biomarker results) are stored in separate database tables with independent encryption. This separation is by design and ensures that a compromise of one layer does not expose the other.

All data is encrypted at rest using AES-256. All connections use TLS 1.3.

5. Your Rights

Under the Washington My Health My Data Act (MHMDA), California Consumer Privacy Act (CCPA/CPRA), and applicable state laws, you have the right to:

  • Access: View all data we hold about you (available in Settings)
  • Export: Download all your data in CSV/JSON format at any time
  • Delete: Request complete deletion of your account and all associated data
  • Revoke consent: Withdraw your consent for health data processing at any time

We will honor deletion requests within 30 days.

6. Consent

We collect health data only after you provide explicit consent during account creation. This consent is recorded with a timestamp, IP address, and the exact text you agreed to, in compliance with MHMDA requirements. You can revoke this consent at any time from Settings.

7. PDF Processing

When you upload a lab report PDF, it is processed in memory to extract biomarker values. The raw PDF is never stored on our servers. Only the extracted numeric values are saved to your account.

8. Third-Party Services

  • Supabase: Database hosting and authentication (SOC 2 Type II compliant)
  • Vercel: Application hosting (SOC 2 Type II compliant)
  • Stripe: Payment processing (PCI DSS Level 1 compliant)
  • Anthropic: AI chat processing (Pro plan only, subject to user consent)

We do not use Google Analytics, Facebook Pixel, or any advertising tracking tools.

9. Breach Notification

In the event of a data breach affecting your health information, we will notify you and the FTC within 60 days of discovery, as required by the FTC Health Breach Notification Rule. If 500 or more records are affected, we will also provide public notice.

10. Children

Early Signs is not intended for use by individuals under 18 years of age. We do not knowingly collect data from minors.

11. Changes

We will notify you by email of any material changes to this policy at least 30 days before they take effect.

12. Contact

For privacy questions or data requests, contact us at privacy@earlysigns.ai.