Divine

Consumer Health Data Privacy Policy

A focused notice covering the categories of data treated as “consumer health data” under U.S. state law.

Effective date: May 16, 2026

This Consumer Health Data Privacy Policy supplements our general Privacy Policy and is provided in addition to any rights you have under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the General Data Protection Regulation (GDPR), and other applicable privacy laws. It applies specifically to information about you that may be treated as “consumer health data” under:

  • The Washington My Health My Data Act (RCW 19.373) (“MHMDA”);
  • The Nevada SB370 health-data statute (NRS Chapter 603A);
  • The health-data provisions of the Connecticut Data Privacy Act (CTDPA) as amended; and
  • Comparable provisions in other state privacy laws as enacted from time to time.

Divine is a voice-first social application operated by Tiger LLC. We are not a healthcare provider, do not provide medical advice or treatment, and are not a HIPAA-regulated entity. However, because we collect some information that the laws above define broadly as “consumer health data,” this notice describes what we collect, how we use and share it, your rights, and how to exercise them.

1. What is “consumer health data”?

Under MHMDA, “consumer health data” means personal information linked or reasonably linkable to a consumer that identifies the consumer’s past, present, or future physical or mental health status, including (among other things): biometric data; reproductive or sexual health information; gender-affirming care; precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; and any non-public information derived or extrapolated from non-health information (e.g., proxy, derivative, inferred, or emergent data).

Nevada and Connecticut adopt substantially similar definitions, with slight differences in scope. For purposes of this Policy, we apply the broadest of those definitions.

2. Categories of consumer health data we may collect

From you, when you choose to provide it (or when we infer it from other information you provide):

  • Biometric data — facial geometry derived from a selfie during face verification. We use a third-party verification partner (Amazon Web Services Rekognition) to analyze the selfie server-side and perform the match. We do not retain biometric templates produced by Rekognition; we receive only the decision (match / no-match) and a confidence score. We do not collect a voiceprint or any voice biometric.
  • Gender identity and sexual orientation — if you choose to disclose your gender, your preferred pronouns, or information about who you are interested in talking to or dating. We treat this as sensitive and use it only to operate the matching and discovery features of the App.
  • Inferences derived from those fields — the matches we surface, the Spaces we recommend, and the Clans we suggest may reveal inferences about your gender identity or sexual orientation. We do not knowingly use those inferences for advertising purposes other than as described in our Privacy Policy.
  • Precise location — when you grant location permission, we collect precise device location to show you nearby people and compute distance. Precise location can reveal sensitive activity (e.g., proximity to a clinic or support center), and so we treat the underlying precise coordinates as consumer health data for the purposes of this Policy.
  • Reports about physical safety — if you report another user, or another user reports you, the contents of those reports may include health-related context (e.g., a report about a threat to harm yourself).
  • Information related to age-estimation — we may use a third-party age-estimation tool to confirm that users reasonably appear to be at least 18 years of age. Output of the estimation is an age range, which we treat as biometric- derived data subject to this Policy.

We do not collect from public records, data brokers, or other third parties consumer health data about you that you have not affirmatively given us. We do not buy lists of consumer health data.

3. Why we collect it

The only purposes for which we collect or process consumer health data are:

  • To verify you are a real human and at least 18 years old (facial geometry derived server-side during face verification).
  • To operate the App as you have asked us to — surfacing nearby people you might want to talk to (precise location), connecting you with people whose profiles fit your stated preferences (gender, gender identity, sexual orientation), and routing voice calls.
  • To protect your safety and the safety of others — investigating reports of harm, fraud prevention, and detection of platform abuse.
  • To comply with the law — including, where required, responding to lawful legal process and complying with mandatory reporting obligations such as 18 U.S.C. § 2258A.

We do not use consumer health data for behavioral advertising, ad targeting, or to sell to data brokers.

4. With whom we share consumer health data

We share consumer health data only with a small set of vendors who are contractually bound to use it solely to provide a service to us:

  • Amazon Web Services (Rekognition + S3) — runs face-verification matching. AWS acts as our service provider and is not permitted to retain or use the data for its own purposes.
  • Stream Video — routes real-time voice for matches and Spaces. Stream processes audio in real time but does not persist it.
  • Sentry and PostHog — crash reporting and product analytics. Account-scoped identifiers are used; no verification selfie, facial geometry, or other biometric data is transmitted to them.
  • Law enforcement — only in response to valid legal process or in genuine emergencies presenting a risk of death or serious physical injury, as described in our Law Enforcement Guide.

We do not sell consumer health data, share it for cross-context behavioral advertising, or disclose it to insurers, employers, or other commercial third parties without your specific, opt-in, signed authorization (described in Section 6).

5. Retention

  • Face verification: The selfie is retained for up to 30 days from completion of the verification, then deleted from active systems. Backups are overwritten on their normal rotation. We retain only the verification decision and timestamp after that.
  • Voice biometrics: not collected. Divine does not generate or process a voiceprint or any voice biometric template.
  • Precise location: Captured as needed for the active session. We do not log your precise coordinate history.
  • Gender / sexual orientation fields: retained while your account exists and deleted within 30 days of account deletion.
  • Reports involving safety/health: retained for up to 12 months in restricted-access storage for investigation and legal-obligation purposes.

6. Your rights and how to exercise them

Where you reside in a state that grants additional rights with respect to consumer health data, you have the right to:

  • Confirm whether we are collecting, sharing, or selling your consumer health data, and to receive a list of the categories of third parties with whom we share that data.
  • Withdraw consent for our collection or sharing of your consumer health data. (In practice this is done by revoking the underlying device permission for the App — camera, microphone, location — or by deleting your account.)
  • Request deletion of consumer health data we have collected about you. Deletion requests are honored within 30 days, subject to limited exceptions (e.g., we may retain a minimal record of the existence of a deletion request, or retain data we are legally required to keep).
  • Appeal a denial of any of the above.

To exercise these rights, email support@divineapp.io with the subject line “Health Data Request.” We will verify your identity using information you provide and respond within the timeframes required by applicable law. If your request is denied in whole or in part, you may appeal by replying to our response with the subject line “Health Data Appeal.”

Authorization to sell or share. Under MHMDA, the sale of consumer health data requires a written, signed, opt-in authorization that conforms to the statute’s requirements. We do not currently sell consumer health data, and we have no plans to do so. If we ever change that policy, we will obtain your signed authorization first and you will be free to refuse or revoke it at any time.

7. Non-discrimination

We will not discriminate against you for exercising any of your rights under this Policy. Exercising your rights will not result in degraded service, denial of service, different pricing, or any retaliatory action.

8. Security

Consumer health data is held under the same security controls as the rest of your account information: encryption in transit (TLS 1.2+), encryption at rest for sensitive fields, role-based access controls limiting employee access on a need-to-know basis, audit logging of administrative access, and routine review of our security posture. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security.

9. Children

Divine is for adults aged 18 and over. We do not knowingly collect consumer health data from anyone under 18. See our Child Safety policy for more.

10. Changes to this Policy

We may update this Policy as the law evolves and as Divine’s practices change. We will update the effective date at the top and, for material changes, notify you in the App or by email.

11. Contact

Tiger LLC — Privacy
California, United States
Email: support@divineapp.io (use the subject line “Health Data Request” for the fastest routing)

If you are a Washington resident and believe we have violated MHMDA, you may file a complaint with the Washington State Attorney General’s Office at atg.wa.gov/file-complaint.