DRAFT — REQUIRES ATTORNEY REVIEW BEFORE PUBLICATION. This document is required by Washington's My Health My Data Act (RCW 19.373) ("MHMDA") and must be a separate, dedicated policy distinct from our general Privacy Policy. A Washington-licensed privacy attorney should review it before publication.
Why this policy exists
The Washington My Health My Data Act (RCW 19.373) requires regulated entities that collect "consumer health data" of Washington consumers to publish a dedicated privacy policy describing their consumer health data practices. This is that policy.
Our general Privacy Policy is available at https://caredraft.app/privacy. This document supplements that policy with specific information required by Washington law. If anything in this document conflicts with the general Privacy Policy, this document governs with respect to Washington consumer health data.
How CareDraft works (important context)
CareDraft is a clinical productivity application that runs entirely on the device of the clinician who installs it. The App is intended for clinician-dictated, post-encounter, de-identified note drafting. It is not intended to record patient interactions or to capture patient identifiers. The App does not transmit clinical content, audio, transcripts, summaries, notes, or any patient information to [CareDraft LLC]'s servers, to cloud services, or to any third party. Everything you create stays on your device. [CareDraft LLC] does not have, and cannot obtain, access to your clinical content.
This architectural decision shapes everything below. Because we do not collect or process consumer health data, our MHMDA obligations are substantially narrower than those of cloud-based health applications. We have nonetheless prepared this policy to be transparent about our practices and to provide a clear mechanism for Washington consumers to exercise their rights under MHMDA.
1. Categories of consumer health data we collect
We do not collect, receive, process, or store consumer health data on our servers or in any system we control.
When you use the App, the following types of information are created and stored exclusively on your device, encrypted at rest:
- Audio recordings of dictations
- Text transcriptions
- AI-generated summaries and templates
- Notes, including any patient information you input
- Diagnoses, treatment plans, medication information, or other clinical content you enter
While this information may meet MHMDA's definition of "consumer health data" with respect to patients whose information a clinician dictates, [CareDraft LLC] does not collect, receive, or process any of it. It never leaves the device of the clinician who entered it.
2. Categories of sources from which consumer health data is collected
Not applicable. [CareDraft LLC] does not collect consumer health data from any source.
3. Categories of consumer health data shared
Not applicable. [CareDraft LLC] does not collect, and therefore cannot share, consumer health data.
We do not sell consumer health data, and we will not sell consumer health data in the future without first obtaining a separate, written, signed Valid Authorization from the consumer as required by RCW 19.373.040.
4. Categories of third parties and affiliates with whom consumer health data is shared
Not applicable. [CareDraft LLC] does not share consumer health data with any third party, affiliate, processor, or service provider, because we do not collect it.
5. How a consumer can exercise their MHMDA rights
Even though we do not collect consumer health data, we provide the following process so that Washington consumers can confirm this and exercise the rights MHMDA provides:
5.1 Rights
Washington consumers have the right to:
- Confirm whether [CareDraft LLC] is collecting, sharing, or selling consumer health data about them, and to access that data.
- Withdraw consent from [CareDraft LLC]'s collection and sharing of consumer health data.
- Delete consumer health data [CareDraft LLC] has collected.
5.2 How to exercise these rights
Email [email protected] with the subject line "Washington MHMDA Request" and include:
- Your name (and, if you are a patient submitting a request about your own data, the name of the clinician who may have used the App with respect to your care, if known);
- The specific right you wish to exercise (confirm/access, withdraw consent, or delete);
- A description sufficient for us to verify your identity (we will request additional verification information if needed);
- Your preferred contact method for our response.
5.3 Our response
We will respond within 45 days of receiving a verifiable request, as required by RCW 19.373.050. We may extend that period by an additional 45 days if reasonably necessary, in which case we will notify you of the extension and the reason for it.
Because we do not collect consumer health data on our servers, the substance of our response to confirm/access, withdraw consent, and delete requests will typically be: "[CareDraft LLC] does not collect, receive, store, or process any consumer health data about you on our systems. Any clinical information about you created in the CareDraft App resides exclusively on the device of the clinician who installed the App; we have no access to it and cannot retrieve, modify, or delete it. To address consumer health data residing on a specific clinician's device, please contact that clinician directly or their healthcare practice."
5.4 Appeals
If we deny your request and you wish to appeal, reply to our denial within 30 days. We will respond to your appeal within 60 days. If we deny your appeal, you may submit a complaint to the Washington State Attorney General at https://www.atg.wa.gov/file-complaint.
6. Processors
[CareDraft LLC] does not engage processors to handle consumer health data, because we do not collect consumer health data.
7. Consent and authorization
Because [CareDraft LLC] does not collect, share, or sell consumer health data, no consumer consent or authorization is required for those activities. The App, however, displays a privacy notice at first launch that summarizes its on-device architecture and confirms the user has read this policy and the general Privacy Policy.
If our architecture or practices ever change such that [CareDraft LLC] would collect, process, share, or sell consumer health data of Washington consumers, we will:
- Update this policy before any such change takes effect;
- Obtain affirmative opt-in consent under RCW 19.373.030 before any collection;
- Obtain a separate written, signed Valid Authorization under RCW 19.373.040 before any sale.
8. Geofencing
[CareDraft LLC] does not operate a geofence around any in-person healthcare facility, as those terms are defined in RCW 19.373.005, and does not use any geofencing technology to identify, track, or collect information from Washington consumers near healthcare facilities.
9. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last Updated" date at the top of the policy. If we make material changes that expand the scope of consumer health data we collect, share, or sell, we will obtain any consents required by MHMDA before those changes apply to existing users.
10. Contact us
[CareDraft LLC]
[Insert Postal Address]
Email: [email protected]
*This policy was prepared with assistance from an AI legal-workflow tool and reviewed by qualified counsel before publication. It is not a substitute for individualized legal advice.*