This Consumer Health Data Privacy Policy applies to: (a) Washington State residents; and (b) any natural person whose Consumer Health Data is collected in Washington (“you,” “consumer”), where such Consumer Health Data is collected, processed, or shared by MEMOIZE AI LLC in connection with the MEMOIZE AI Memory-as-a-Service platform (“Services”).
MEMOIZE AI LLC is a limited liability company organized under the laws of the State of Indiana, with its registered agent at c/o Northwest Registered Agent LLC, 5534 Saint Joe Road, Fort Wayne, IN 46835, USA.
Under the Washington My Health My Data Act (RCW 19.373.010), “Consumer Health Data” means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. In the context of the MEMOIZE AI Services, this includes data collected during AI-powered chat interactions on e-commerce stores that sell supplements, wellness products, and health-adjacent goods.
MEMOIZE AI LLC may collect the following categories of Consumer Health Data through Merchant-operated e-commerce stores:
We collect Consumer Health Data solely for the following purposes:
We do NOT collect Consumer Health Data for: marketing or advertising purposes; sale to third parties; employment, insurance, or credit decisions; or any purpose unrelated to providing the Services.
Consumer Health Data is shared with the following categories of entities, solely for the purpose of delivering the Services:
| Entity | Purpose | Data Access Level |
|---|---|---|
| Google LLC (Vertex AI / Gemini) | AI inference — processing chat messages to generate recommendations | Transient (Zero Data Retention — prompts and responses not stored by Google) |
| Google LLC (Cloud SQL) | Database storage — storing chat history and vector embeddings | Persistent (encrypted at rest, AES-256) |
| Google LLC (Cloud Run) | API hosting — routing requests between widget and backend | Transient (no persistent storage) |
| Merchant | The specific store operator whose widget the consumer is using | Persistent (Merchant is the Data Controller) |
Google Vertex AI Zero Data Retention: We engage Google Vertex AI exclusively under enterprise “Zero Data Retention” settings. Prompts sent to Gemini and corresponding responses are not logged, stored, or used by Google for any purpose, including model training, beyond the immediate API request processing window. Google’s Data Processing Addendum contractually prohibits Google from using Consumer Health Data for any purpose other than providing the inference service.
Sub-Processors That Do NOT Process Consumer Health Data: The following sub-processors used by MEMOIZE AI LLC do not process, store, or have access to Consumer Health Data for AI memory, profiling, or personalization purposes: Zoho Corporation (ZeptoMail) — processes only transactional email communications (support, billing, compliance notices, and Contact Form Mode submissions); Clerk Inc. — processes only Merchant authentication data; Stripe Inc. — processes only payment and billing information; Shopify Inc. — provides platform integration for Shopify merchants only and does not receive Consumer Health Data through the MEMOIZE AI Services.
Contact Form Mode Disclosure: When the chat widget’s AI message allocation is exhausted, the widget switches to Contact Form Mode, in which shopper messages are routed as transactional email via ZeptoMail to the Merchant’s customer support team. A shopper’s Contact Form submission may incidentally contain health-related content (e.g., describing an allergy or supplement question). Such content is transmitted solely for the purpose of routing the inquiry to the Merchant and is NOT processed by MEMOIZE AI LLC as Consumer Health Data — it is not stored in the AI memory system, not used for profiling or personalization, and not retained beyond ZeptoMail’s standard transactional email retention (90 days). The Merchant’s support team responds to the shopper directly via their own email system.
All sub-processors that do process Consumer Health Data are contractually prohibited from using it for any purpose other than providing services to MEMOIZE AI LLC, and from selling, disclosing, or retaining Consumer Health Data beyond operational necessity. All sub-processors listed above will receive and honor deletion requests as described in Section 7.4.
For information about sub-processor changes, notification procedures, and your right to object, see MEMOIZE AI LLC’s Privacy Policy at memoizeai.com/privacy-policy, Section 5.1, or the sub-processor list at memoizeai.com/legal/sub-processors.
We do NOT: sell Consumer Health Data to any person or entity; share Consumer Health Data with data brokers; disclose Consumer Health Data for targeted advertising; or share Consumer Health Data with employers, insurers, or government agencies (except as required by law).
In accordance with RCW 19.373.080, MEMOIZE AI LLC does not implement, facilitate, or assist in any geofencing within two thousand (2,000) feet of any in-person health care service location for the purpose of identifying or tracking consumers, collecting Consumer Health Data, or sending notifications, messages, or advertisements to consumers related to their Consumer Health Data. We do not track your physical location, and the Services do not use location data in connection with Consumer Health Data.
This prohibition applies to MEMOIZE AI LLC as an entity conducting business in Washington and applies regardless of whether consumers are identified as Washington residents.
You have the right to confirm whether MEMOIZE AI LLC is collecting, sharing, or selling your Consumer Health Data, and to access that data.
You have the right to receive a copy of the Consumer Health Data we hold about you, in a portable and readily usable format, free of charge, once per 12-month period. Upon request, we will also provide a list of all specific third parties and affiliates with whom we have shared your Consumer Health Data, including an active email address or other online mechanism that you may use to contact each such third party.
You have the right to withdraw consent to our collection and sharing of Consumer Health Data at any time. Withdrawal of consent will not affect the lawfulness of processing that occurred prior to your withdrawal.
You have the right to request deletion of your Consumer Health Data from our active systems and to require us to instruct our sub-processors to delete your data. Upon receiving a verified deletion request, we will:
In addition to your right to request deletion at any time, MEMOIZE AI LLC automatically deletes Consumer Health Data based on inactivity:
All plans: Consumer Health Data associated with your memory profile is retained for 365 days from your last interaction with the chat widget. After 365 days of inactivity (no chat session, contact form submission, or AI-assisted browsing session), your memory profile — including all Consumer Health Data, vector embeddings, and chat logs — is flagged for deletion and permanently purged within 30 days.
“Last interaction” means the most recent chat session, contact form submission, or AI-assisted browsing session initiated by you through the MEMOIZE AI widget.
This automatic deletion aligns with the data minimization principles underlying the Washington My Health My Data Act and ensures that Consumer Health Data is not retained beyond its useful purpose.
Backup System Deletion: Backup systems will be purged within ninety (90) calendar days following active system deletion. This delay is permitted under the statute to accommodate standard backup rotation cycles. During the backup retention period, Consumer Health Data in backup systems is encrypted (AES-256) and is not accessible for any operational purpose.
To exercise any of your rights under this policy, contact us at:
We will verify your identity before processing any rights request. Verification may include confirming the email address associated with your chat interactions and providing additional identifying information.
We will respond to your request within forty-five (45) calendar days of receipt. If we require additional time (up to an additional 45 days), we will notify you of the extension and the reasons for the extension within the initial forty-five (45) day period, as required by RCW 19.373.040(1)(g). The identity verification process does not extend or pause the response deadline. We will not charge a fee to process your rights requests.
If we decline to take action on your Consumer Health Data rights request, you have the right to appeal that decision. To appeal:
| Field | Details |
|---|---|
| Agency | Washington State Office of the Attorney General — Consumer Protection Division |
| Online Complaint Portal | https://fortress.wa.gov/atg/formhandler/ago/ContactATGForm.aspx |
| Address | 800 5th Ave., Suite 2000, Seattle, WA 98104 |
| ATGConsumerServices@atg.wa.gov | |
| Phone | 1-800-551-4636 |
The Washington My Health My Data Act establishes two consent categories relevant to the MEMOIZE AI Services: consent to collect (RCW 19.373.030(1)(a)) and authorization to sell (RCW 19.373.070). MEMOIZE AI LLC requires Merchants to implement all applicable tiers as described below.
Before MEMOIZE AI LLC collects your Consumer Health Data, the Merchant through whose store you are interacting must present you with the following consent notice in a clear, standalone disclosure — NOT bundled with Terms of Service or pre-checked:
MEMOIZE AI LLC operates as a data processor on behalf of the Merchant (the data controller). Transfers of Consumer Health Data to operational sub-processors (such as Google LLC via Vertex AI under Zero Data Retention) for service delivery are part of the collection and processing purpose authorized under Tier 1 and do not constitute independent “sharing” requiring separate consent under RCW 19.373.030(1)(b). No Consumer Health Data is shared with third parties for their own independent purposes.
MEMOIZE AI LLC does not sell Consumer Health Data. Because no sale of Consumer Health Data occurs, no authorization to sell is sought from consumers. If MEMOIZE AI LLC were ever to sell Consumer Health Data in the future (which it has no intention of doing), it would be required to obtain a valid authorization to sell that meets all nine requirements of RCW 19.373.070, including: a signed document, plain language description, specific data categories, identity of the purchaser, purpose of sale, one-year expiration, prominent right to revoke, and six-year retention. This authorization would be separate and distinct from the collection and sharing consents above.
Consent (Tier 1) may not be: pre-checked; bundled with acceptance of Terms of Service; required as a condition of using non-health-related features; or obtained through a “deemed consent,” dark pattern, or countdown-timer mechanism. Consent must be freely given, specific, informed, opt-in, voluntary, and unambiguous as defined by RCW 19.373.010(6).
Merchants are contractually responsible for implementing Tier 1 consent in their store interfaces before enabling Consumer Health Data processing.
The Washington My Health My Data Act does not provide a small business revenue exemption. The Act applies to any entity that conducts business in Washington or targets Washington residents and processes Consumer Health Data, regardless of revenue size or employee count. Accordingly, MEMOIZE AI LLC is subject to the MHMD Act to the extent it processes Consumer Health Data of Washington residents through Merchant stores that serve Washington customers, irrespective of MEMOIZE AI LLC’s revenue or size as an Indiana-based company.
Consumer Health Data is protected by the same technical and organizational safeguards described in our general Privacy Policy, including AES-256 encryption at rest, TLS 1.3 encryption in transit, and strict sub-processor contractual controls. Given the sensitivity of Consumer Health Data, access is further restricted on a need-to-know basis and logged for audit purposes.
We will provide reasonable advance notice of any material changes to this Consumer Health Data Privacy Policy via email to affected Merchants and by posting a notice on this page. The “Last Updated” date at the top reflects the most recent revision.
| Field | Details |
|---|---|
| Company | MEMOIZE AI LLC |
| Privacy Team Email | privacy@memoizeai.com — Subject: “Washington MHMD Inquiry” |
| Legal Email | legal@memoizeai.com |
| Security Email | security@memoizeai.com |
| Mailing Address | c/o Northwest Registered Agent LLC, 5534 Saint Joe Road, Fort Wayne, IN 46835, USA |
Homepage Link Notice (Required by RCW 19.373.020): The following prominent link must appear on the MEMOIZE AI LLC homepage and on every page where Consumer Health Data may be collected (per the statutory definition of “homepage” in RCW 19.373.010(16)), linking to memoizeai.com/consumer-health-data-privacy-policy: “Consumer Health Data Privacy Policy — Your rights under the Washington My Health My Data Act”