·05 — Consumer health data
Consumer
health data
policy.
Effective date · [Publication date TBD]
This stand-alone policy describes how Seshman handles "consumer health data" as defined by Washington's My Health My Data Act (RCW 19.373), Nevada's Health Data Privacy Act, and equivalent US state laws that target health-related information held by businesses outside the HIPAA perimeter. It is published separately from our general privacy policy as those laws require, and it covers only consumer health data — anything else Seshman does with personal data is in the general policy.
Who and where this policy applies to
This policy applies to anyone whose consumer health data Seshman processes who is a resident of a US state with a consumer health data privacy statute. That includes — but is not limited to — residents of Washington (RCW 19.373, My Health My Data Act) and Nevada (SB 370, Health Data Privacy Act). If your state passes equivalent legislation later, this policy will apply to you on its effective date in your state without us needing to re-publish.
If you're outside the US, the relevant document for you is our general privacy policy, which covers UK and EU residents under UK GDPR and the GDPR respectively. Those frameworks already give you equivalent or stronger rights than the US laws this policy covers.
What we mean by "consumer health data"
The Washington My Health My Data Act defines consumer health data as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. The statutory definition is broad and explicitly includes fitness and exercise data, bodily measurements, and health-related questions a consumer answers about themselves — all of which arise in the course of using Seshman.
In plain English, for the purposes of this policy that means anything we hold about you that relates to:
- Health conditions, injuries, allergies, medications, or symptoms.
- Physical measurements (height, weight, vital signs and similar) where you've shared them with your trainer through Seshman.
- Exercise activity, training history, goals, and progress.
- Health-related answers you've given on an intake form your trainer published.
- Emergency contact information, to the extent it's linked to your health context with your trainer.
Categories that Washington's statute lists but that Seshman does not collect — biometric data, genetic data, reproductive or sexual health information, gender-affirming care information, precise location indicating health-seeking behaviour — are addressed under What we do not do with consumer health data below.
Seshman's role and your trainer's role
Seshman is a platform that your personal trainer (or coach, instructor, or similar fitness provider) uses to manage their relationship with you. That arrangement creates a split that matters under the consumer health data laws this policy covers:
Your trainer decides what to ask you
Your trainer chooses which intake questions to put in front of you, what notes to record about your sessions, and what to do with your answers in the context of your training relationship. For consumer health data law, your trainer is the decision-maker — Seshman runs the infrastructure that lets them do that.
Seshman processes that data on their behalf
Seshman acts as a processor for your trainer with respect to the data you share with them through our platform. Seshman cannot use your consumer health data for purposes the trainer hasn't authorised, and we cannot share it outside the categories described in Categories of consumer health data we share below.
Where Seshman is the regulated entity in its own right
For a narrow set of consumer health data — primarily anything Seshman processes to operate the platform itself, including audit logging for security and abuse handling, deliverability state for transactional emails, and retention obligations independent of any individual trainer — Seshman is the regulated entity in its own right. This policy covers both capacities, because from your perspective the relevant question is "what does Seshman do with my health data", and the answer should be the same either way.
Categories of consumer health data we handle
The categories below are what we either currently collect or could collect under the intake-form questions trainers can publish through Seshman. Not every trainer asks every question — what's actually held about you depends on the intake form your trainer chose to publish, what you chose to answer, and what consent you gave at the time.
Health and medical category
- Self-reported health conditions (for example: cardiac conditions, asthma, diabetes, joint conditions).
- Injuries — past, current, or recurring — that may affect training.
- Allergies, medications, and other clinically relevant information you've chosen to share.
- Free-text health notes you've written in response to an intake question.
Fitness and exercise category
- Training goals (for example: weight management, marathon training, injury recovery).
- Training history and self-reported experience level.
- Records of sessions you've completed with your trainer through Seshman, including the session type, the time it took place, and any notes the trainer or you added to it.
- Session attendance, cancellations, and the reasons recorded for either.
Physical measurements category
- Height, weight, and similar bodily measurements where your trainer's intake form asks for them and you've chosen to answer.
Contextual category
- Emergency contact name and phone number, where you've added them via your trainer's intake form, because the linkage to your training context can itself be health data.
Where we collect consumer health data from
Consumer health data reaches Seshman through one of three routes. We do not buy consumer health data from data brokers or other commercial sources, and we do not derive it from open-web scraping or third-party advertising signals.
- Directly from you, when you fill in an intake form your trainer published inside the Seshman mobile app, or when you confirm or correct information through the in-app "My data and consents" surface.
- From your trainer, when they record notes against a session you've had, or — for clients who don't use the Seshman app themselves — when they enter information into their own copy of the intake form on your behalf, on your authority.
- From your device's interactions with our platform, including timestamps of session check-in and completion, which can indirectly reveal training-related activity that counts as consumer health data under the statute.
Why we collect it and how it's used
Seshman uses consumer health data only for the following purposes. Per the statute, we cannot add new purposes without first updating this policy and obtaining your affirmative consent.
- To deliver the training service you've engaged your trainer for. This includes letting your trainer see your intake answers, your goals, and your session history; letting you see and edit the same; and surfacing the right context at the right time (for example, showing your trainer your recorded injuries before a session).
- To run the platform. This covers authentication, push notifications to the device you signed in on, transactional email about your bookings and sessions, audit logging required for security and abuse handling, and routine engineering operations (backups, monitoring, debugging, where consumer health data might be incidental rather than the focus).
- To comply with our legal obligations. This includes preserving consent records under your applicable state's law for as long as the law requires us to, and handling subject access and deletion requests within the statutory deadlines.
We do not use consumer health data for any form of advertising, profiling for marketing, personalisation of marketing content, or training of machine learning models. See What we do not do with consumer health data for the explicit list.
Categories of consumer health data we share, and with whom
We share consumer health data only in the categories below. We do not share it with marketing or advertising partners, with data brokers, or with any third party for purposes other than delivering the service you've engaged with.
With the trainer whose service you've engaged
Everything in the categories we handle is, by design, visible to the trainer who asked you for it. That sharing is the whole point of the product.
With our service providers (processors)
To run the platform we use a small number of third-party services. Each is bound by a contract that limits what they can do with consumer health data to operating the platform on Seshman's behalf. Categories:
- Hosting and database infrastructure (AWS, in the UK region, including App Runner, RDS, Cognito, and CloudWatch).
- Transactional email delivery (AWS SES and AWS SNS, in the UK region) — only the minimum needed to deliver a given email; we do not include sensitive consumer health data in the body of any email.
- Push notification delivery (Apple Push Notification Service, Google Firebase Cloud Messaging, and Expo Push as the intermediary) — notification payloads contain only the minimum context needed; no sensitive consumer health data is in the payload.
- Mobile app distribution (Apple App Store, Google Play) — Apple and Google collect standard installation and crash data on their own terms; we do not pass them consumer health data.
The full current list, including each vendor, what it does, where it operates, and the legal mechanism we rely on for any data that crosses borders, is at seshman.com/sub-processors. That list is maintained as the source of truth and updated when the set of vendors changes.
With legal authorities and similar parties when required
We may disclose consumer health data when we're legally compelled to (a court order, a warrant, an enforceable subpoena), where we reasonably believe doing so is necessary to protect someone from harm, or in connection with the investigation of suspected fraud or abuse against the platform. Where the law permits, we will tell you when this happens.
In a corporate transaction (future)
If Seshman or its operating company is acquired, merged, or has its assets transferred, the consumer health data we hold could form part of that transaction. The acquiring party would take it on subject to this policy at the time of the transaction. We have no such transaction in progress.
Specific affiliates
Washington's My Health My Data Act requires that this policy list the specific affiliates with whom we share consumer health data, in addition to the categories of third party above. The single affiliate that processes any consumer health data is:
- Inca Labs Limited — the company that operates the Seshman service. A private limited company registered in England and Wales (company number 14731709, VAT GB438261686), registered office 167-169 Great Portland Street, Fifth Floor, London, W1W 5PF, United Kingdom. Inca Labs Limited has no group companies, parents, or subsidiaries that receive consumer health data.
What we do not do with consumer health data
To remove ambiguity, the following are not part of how Seshman handles consumer health data, and we will not start doing any of these without first updating this policy and obtaining your affirmative consent.
- We do not sell consumer health data. No exchange of consumer health data for money or other valuable consideration takes place. The Washington statute's "valid authorization" form for the sale of consumer health data is not applicable to us.
- We do not share consumer health data with marketing or advertising partners. We do not run a behavioural advertising programme; we do not seed audiences or lookalike audiences from consumer health data; we do not include consumer health data in any marketing communication.
- We do not use consumer health data to train machine learning models. Seshman has no production AI features today, and any future AI features will be designed so that consumer health data is not part of model training data without separate, affirmative consent.
- We do not collect biometric data, genetic data, reproductive or sexual health information, gender-affirming care information, or precise location information that indicates health-seeking behaviour. Our intake catalogue does not include fields for any of these and is structurally constrained so that trainers cannot add them as custom fields.
Your rights
Where the consumer health data law of your state gives you rights over consumer health data we hold about you, we will honour them. Under Washington's My Health My Data Act in particular, you have the following rights:
- The right to confirm whether Seshman is collecting, sharing, or selling your consumer health data, and to access the data we hold along with a list of third parties we've shared it with.
- The right to withdraw consent for our collection and sharing of your consumer health data, going forward.
- The right to have your consumer health data deleted on request.
- The right to appeal if we deny one of the above requests.
The statutory window for us to respond is 45 days from receiving a verified request, with one possible 45-day extension where reasonably necessary. We will tell you in writing if we extend, and why.
How to exercise your rights
You have two routes. Both reach the same internal queue and are held to the same 45-day response window.
Inside the Seshman app
Open the Seshman app, go to Settings → My data and consents. You will see the consents you've given to each of your trainers and a button to withdraw any of them. Withdrawing a consent notifies your trainer and deletes the affected information within seven days: it stops being visible to your trainer and is then permanently erased. In the limited case where your trainer has a separate legal basis to retain specific information, they must record it and tell you; otherwise everything in the withdrawn scope is deleted.
For deletion of your whole account (rather than scope-by-scope withdrawal of consent), use the in-app account deletion path in Settings.
By email
Email privacy@seshman.com with the request you'd like to make. So that we can verify the request really is yours, please send it from the email address linked to your Seshman account and include one piece of information you'd previously shared with us (for example, the full name of the trainer you've been working with, or the approximate date you signed up). We may ask for a further piece of evidence if the first round leaves us in doubt; we will not ask for or retain copies of government ID.
For requests that come in by email, we acknowledge receipt within five business days, run identity verification, action the request, and confirm completion — all within the 45-day statutory window from receipt.
Appeals and the Washington Attorney General
If we deny a request — for example, because we couldn't verify your identity, or because the data you're asking about isn't consumer health data within the statute's scope — you have the right to appeal that denial. To do so, reply to the email in which we communicated the denial, with the word "appeal" in the subject line, or send a fresh email to privacy@seshman.com with "appeal" in the subject.
We will review the appeal and give you a written decision within 45 days of receiving it. If the appeal is also denied, you may escalate to the Washington State Attorney General. The Washington Attorney General's consumer complaint process is available at atg.wa.gov/file-complaint.
If your state's law provides for escalation to a different regulator (for example, the Nevada Attorney General for Nevada residents), the equivalent route is available to you in your own state, and we will tell you where to find it when we issue an appeal decision.
Changes to this policy
We will update this policy when our practices materially change, when a new category of consumer health data comes into scope for Seshman, or when a new state law brings a population of consumers into the scope described in Who and where this policy applies to.
For material changes — new categories of consumer health data, new categories of third parties, new processing purposes, new affiliates — we will both update this page (with a new effective date) and notify affected consumers via an in-app banner and, where we have your email address, by email at least 30 days before the change takes effect. Minor changes (clarifications, typo fixes, vendor renames that don't change the underlying processing) are made silently. A running history of every change is at seshman.com/legal/changes.
Contact
Questions or concerns about this policy or anything in it: privacy@seshman.com.
Seshman is operated by Inca Labs Limited, 167-169 Great Portland Street, Fifth Floor, London, W1W 5PF, United Kingdom. Inca Labs Limited is the regulated entity (and the sole affiliate) for the purposes of Washington's My Health My Data Act and equivalent US state laws.