Consumer Health Data Privacy Policy

This page is for Washington residents and for anyone who wants to understand how MESO handles the information a consumer health data statute would cover. Washington state passed the My Health My Data Act (RCW 19.373) in 2023. It applies to any business that reaches Washington consumers. MESO is a pre-launch cosmetic brand. Our waitlist collects an email address. Our optional pH page and our optional welcome fields can collect a small amount of additional information. Some of that information falls inside the statute. This page explains what, why, where it lives, who can see it, and how you can ask us to delete it.

This page is published as a standalone policy, which is what the statute asks for. It sits alongside our general Privacy Policy, not inside it. The Privacy Policy covers everything. This page covers the subset that the statute calls consumer health data. If your browser sends a Global Privacy Control (GPC) signal, we automatically stop any sharing of consumer health data, in addition to turning off analytics and marketing processing; this is described in the Privacy Policy and is the same behavior the site applies everywhere.

The statute defines consumer health data as personal information that is linked or reasonably linkable to a consumer and that identifies that consumer’s past, present, or future physical or mental health status. It lists examples. A few of them apply to MESO. Others do not.

Examples that apply to MESO:

• Bodily functions. This includes any pH reading or inference from our optional pH page.
• Reproductive or sexual health information. A waitlist signup for an intimate-care product is reasonably linkable to interest in this category.
• Data derived or inferred from other information. This includes squad position and cohort identifiers because they tie back to a consumer’s interest in an intimate-care product.

Examples that do not apply to MESO:

• Medications, prescriptions, or dosages. MESO does not collect any of these.
• Genetic data. MESO does not collect any.
• Gender-affirming care information. MESO does not collect any.
• Biometric data (fingerprint, facial image, retina scan, voice recording, gait, keystroke). MESO does not collect any.
• Precise location indicating healthcare acquisition. MESO does not collect location.

You can read the full definition at RCW 19.373.010(8) on the Washington legislature website.

This table lists every category of information MESO collects that either is consumer health data under the statute or is close enough to the line that we handle it the same way.

We do not collect your name at signup. We do not collect your phone number. We do not collect any payment information anywhere on this site. Nothing is for sale here yet.

Our servers record standard request metadata (IP address, user agent, timestamp) in short-lived logs used to detect abuse and to operate the site. Those logs are kept for 30 days. They are not consumer health data on their own and are not combined with the information above for any purpose beyond security and operations.

We collect each of the categories above for one of these purposes:

• To tell you when MESO ships. This is why we collect your email.
• To operate the squad mechanic. This is why we generate and record squad codes and cohort positions. It is also why we record the inbound squad code of the person who referred you.
• To surface your pH information back to you. If you submit the optional pH page, we show you the result and save it to your waitlist row so the welcome page can reference it.
• To understand our early community in aggregate. If you share your zip code or your referral source note, we look at them in aggregate only. We do not profile individuals with them.
• To defend the site from abuse. Our request-metadata logs catch bots and scrapers.

We do not use consumer health data for advertising. We do not run any third-party advertising pixels on this site. We do not share consumer health data with advertisers, data brokers, or any third party for marketing purposes.

Every category above comes from you. We do not buy, rent, or acquire consumer health data from any third party. We do not use any data-enrichment service. We do not pull data from social networks, data brokers, advertising identifier vendors, or any other outside source.

Three service providers operate parts of the site. Each has a signed data processing agreement with MESO. Each is listed on our main Privacy Policy with its DPA link.

These three are the only parties that receive any of the information listed above. We do not share with advertisers. We do not share with data brokers. We do not share for marketing purposes of any kind. If we ever add another service provider that would receive consumer health data, we will update this page and, where the change is material, email everyone on the waitlist 72 hours before the change takes effect.

If you are a Washington resident (or anyone else on our waitlist), you can ask us to do any of the following:

• Confirm whether we have collected, shared, or sold any of your consumer health data. We will give you a yes or no and, if yes, a copy of what we have.
• Access your consumer health data. We will send you a copy in a machine-readable format.
• Receive a list of the third parties and affiliates who have received any of your consumer health data. For MESO that list is Supabase, Vercel, and Resend, plus their addresses and contact points.
• Withdraw consent at any time. We will stop collecting and stop processing within 30 days and confirm back.
• Delete your consumer health data. We will remove your waitlist record from our live database within 30 days and from our processor systems (including archive and backup) within six months as the statute requires. We will notify Supabase, Vercel, and Resend.
• Appeal if we deny a request. We will respond to your appeal within 45 days with a written explanation. If we still deny, we will give you the information you need to file a complaint with the Washington Attorney General at https://www.atg.wa.gov/file-complaint.

You can exercise any of these rights without penalty. We will not refuse you service, raise a price, or reduce what you get from MESO because you asked.

Email privacy@meso-usa.com with the right you want to exercise and the email address you used to sign up. We reply within 30 days. Your first two requests each year are free. If you make more than two requests in a year and we find the additional requests are repetitive or unfounded, we may charge a reasonable fee or decline, as the statute allows. We have not charged a fee to date.

We do not require any account verification beyond confirming that a reply can reach the email address you used to sign up. If we cannot verify it is you, we will ask for one additional piece of information that matches our record (for example, your squad code or your cohort position number).

MESO does not sell consumer health data. If that ever changes, we will not sell any consumer health data about you until you sign a separate written authorization. The statute requires that authorization to include specific details (what data, who is buying it, for what purpose, your right to revoke, a one-year expiration, your signature, the date) and to be separate from any other consent you have given us. You would receive a copy, and we would keep a copy for six years. The statute also bars us from conditioning any goods or services on your signing. We have no current plans to sell any consumer health data.

MESO does not operate any geofence. The statute prohibits any geofence within 2,000 feet of an entity providing in-person health care services where the geofence is used to identify consumers, collect consumer health data, or send health-related notifications. We do not geofence anywhere, and we do not collect precise location at all.

We will not discriminate against you for exercising any right on this page. You will not lose your spot on the waitlist. Your squad position will not change. You will not receive a worse price, a worse experience, or a different product than anyone else because you asked us to delete, access, or correct your information.

If we change this policy in a way that adds a new category of consumer health data, a new purpose, a new processor, or a new third-party recipient, we will email everyone on the waitlist 72 hours before the change takes effect. For smaller edits (a typo, a clarifying sentence), we update the “Last reviewed” date at the top and move on.

Email privacy@meso-usa.com for any request under this policy. The entity responsible for handling your consumer health data is Meso-Sweet LLC, [MESO-RA-ADDRESS-PENDING].

Cosmetic product. Not a medical device. Not intended to diagnose, treat, cure, or prevent any disease.