Future Health AI Privacy Policy
Effective Date: April 20, 2026 · Last Updated: April 20, 2026
Version 2.0 — Health-Specific
Contents
- Overview & Scope
- Core Privacy Principles
- Information We Collect
- Protected Health Information (PHI)
- On-Device AI Processing
- How Your Data Is Stored
- Data Security
- Data Sharing & Disclosure
- Your Rights
- California Rights (CCPA/CPRA)
- Other State Rights (CO, VA, CT, UT, TX, OR)
- HIPAA Notice
- Children's Privacy (COPPA)
- Minors 13-17 (CA SB 976, State Laws)
- Family Linking & Caregiver Access
- Emergency Features
- Consent Framework
- Audit Logging
- Data Retention & Deletion
- Third-Party Services
- International Users
- Changes to This Policy
- Contact Information
1. Overview & Scope
This Privacy Policy applies exclusively to Future Health AI ("the App"), a mobile application for Android developed and operated by Future @I LLC ("we", "us", "our"), a California limited liability company. This policy supplements our general Privacy Policy for Future @I applications and, where it is more specific, supersedes it.
Future Health AI is a personal health information coordinator. It helps you organize, track, and manage your personal health records. It is not a medical device, not a licensed healthcare provider, and does not provide medical advice, diagnosis, or treatment.
By installing, accessing, or using the App, you acknowledge that you have read, understood, and agree to this Privacy Policy.
2. Core Privacy Principles
Future Health AI is designed around four non-negotiable privacy principles:
- On-Device Everything. All health data, including records, medications, AI conversations, and audit logs, is stored exclusively on your device using AES-256-GCM encryption.
- No Cloud PHI. We do not operate, maintain, or contract with cloud servers that store your health information. Our backend infrastructure ("FM") stores only encrypted recovery tokens, device fingerprints for abuse prevention, and anonymous usage counters — never your actual health records.
- No Third-Party AI. AI inference runs entirely on your device using llama.cpp. We do not send your prompts, responses, or health data to OpenAI, Anthropic, Google, Microsoft, Meta, or any other third-party AI provider.
- No Data Sales. We do not sell, rent, or monetize your personal information. We do not share your data with advertisers, data brokers, or marketing firms. Ever.
3. Information We Collect
3.1 Information Stored Only on Your Device
The following categories are stored exclusively on your device and never transmitted to us:
- Health timeline entries (appointments, events, observations, notes)
- Medication records (names, dosages, schedules, refill dates)
- Vital signs (blood pressure, heart rate, temperature, weight, glucose)
- Allergies, chronic conditions, and medical history
- Profile information (name, date of birth, blood type, emergency preferences)
- Emergency contacts (names, phone numbers, relationships)
- Family links (parent/guardian, caregiver, and dependent relationships)
- Consent records (your privacy and sharing preferences)
- Audit logs (all data access within the App)
- AI conversation history with Aria, our on-device health coordinator
- Imported documents (photos of prescriptions, lab results — if you choose to upload them)
3.2 Information We Collect on Our Servers
The following minimal data is transmitted to our backend ("FM") to enable account recovery and abuse prevention:
- Account credentials: Email address and a bcrypt-hashed password (original password never stored in plaintext)
- Anonymous install ID: A randomly generated UUID to link reinstalls of the same account
- Device fingerprint hash: A SHA-256 hash of your Android ID combined with our app signature (used to prevent trial abuse; cannot be reversed to identify you)
- Usage counters: Daily AI query count (anonymized counter, no content)
- Encrypted recovery token: A user-key-derived token that lets you restore access on a new device (we cannot decrypt this)
- Support messages: If you contact support through the App, your messages are stored to respond to you
- Diagnostic telemetry (optional): Crash reports and anonymized performance metrics, only if you opt in
3.3 Information We Do NOT Collect
- Your health records, medical history, or PHI
- Your AI conversations or prompts
- Your location (except during explicit emergency activation with per-session consent)
- Your device contacts, photos, calendar, or files (except files you explicitly import)
- Your web browsing history
- Your installed apps list
- Biometric data (fingerprint/face templates remain in Android's TEE and never leave the device)
- Advertising identifiers for marketing purposes
4. Protected Health Information (PHI)
"Protected Health Information" includes any information in the App that identifies you and relates to your past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare.
5. On-Device AI Processing
Future Health AI uses "Aria," an on-device AI assistant, to help you organize and understand your health information.
- Models: We use open-weight language models (Qwen3, SmolLM3, Phi-4) in GGUF format, running locally via llama.cpp
- Model storage: Downloaded once to your device's internal storage; verified via SHA-256 hash
- Inference: All AI reasoning happens on your device's CPU/GPU — no network calls
- Prompt privacy: Your prompts and Aria's responses never leave your device
- Training: We do NOT train, fine-tune, or improve AI models using your data
- Safety layer: Aria runs behind a verb filter enforced at the code level — she can coordinate, summarize, organize, and notify, but cannot diagnose, prescribe, or recommend treatment
6. How Your Data Is Stored
6.1 On-Device Storage
- Database: SQLite, encrypted with SQLCipher (AES-256-GCM)
- Keys: Derived via PBKDF2 (100,000 iterations) from your master password, protected by Android Keystore
- Session tokens: Rotated every 15 minutes, stored in Android Keystore
- Per-device salt: Unique cryptographic salt per installation
- Biometric keys: Hardware-backed via Android StrongBox (where available)
6.2 Server Storage (FM Backend)
- Location: Privately owned hardware in the United States
- Not in the cloud: We do not use AWS, Azure, GCP, or any third-party cloud provider for data storage
- Encryption: All server data encrypted at rest (AES-256-GCM) and in transit (TLS 1.3+)
- Access control: Multi-factor authentication required for all administrative access
7. Data Security
We implement layered security controls aligned with HIPAA Security Rule, NIST SP 800-53, and industry best practices:
- AES-256-GCM encryption at rest, TLS 1.3+ in transit
- Hardware-backed key storage (Android Keystore / StrongBox)
- Session key rotation every 15 minutes
- Complete immutable audit trail (INSERT-only enforcement)
- Biometric authentication with liveness detection
- Brute-force protection (account lockout after 5 failed attempts)
- bcrypt password hashing (cost factor 12)
- Cryptographic consent chain (SHA-256 hash-chained records)
- Network Security Config enforcing HTTPS-only (no HTTP fallback)
- Anti-tamper verification using APK signature SHA-256 pinning
- FLAG_SECURE enabled in production (blocks screenshots and screen recording, and hides App content in the recent-apps switcher)
No security system is perfect. If we become aware of a breach that compromises your personal information, we will notify you within 60 days (or sooner if required by applicable law) via email and in-app notice.
8. Data Sharing & Disclosure
We do not sell your personal information. We do not share your data with advertisers, data brokers, marketing firms, or any third parties for their own purposes.
We may disclose limited information in the following narrow circumstances:
- With your explicit consent: If you explicitly share data with a family member, caregiver, or healthcare provider through the App's consent-based sharing features
- Payment processors (future versions): Google Play Billing or Stripe handle subscription payments. We do not see or store your credit card information
- Service providers (limited): AdMob for banner ads on non-medical screens (see Third-Party Services section)
- Legal process: If required by valid legal process (court order, subpoena, warrant). We will challenge overly broad requests and, where legally permitted, notify you before disclosure
- Safety & emergencies: To prevent imminent harm to life, if we have a good-faith belief that disclosure is necessary
- Business transitions: In the event of merger, acquisition, or sale of assets, user data may transfer to the successor entity, subject to the same privacy protections
9. Your Rights
You have the following rights regarding your information, regardless of where you live:
- Access: View all data the App stores about you (via Settings → Export Data)
- Correction: Update or correct any inaccurate information at any time
- Deletion: Permanently delete your account and all associated data (via Settings → Account → Delete Account)
- Portability: Export your health records in HL7 FHIR R4 format for transfer to another provider or system
- Restriction: Limit certain processing activities (e.g., disable analytics, opt out of crash reports)
- Objection: Object to processing you believe is unlawful or inappropriate
- Withdraw consent: Revoke consent for any voluntary data sharing at any time
10. California Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights:
- Right to Know: Request disclosure of the specific categories and pieces of personal information collected about you in the preceding 12 months
- Right to Delete: Request deletion of your personal information (with limited exceptions for legal/security requirements)
- Right to Correct: Request correction of inaccurate personal information (added under CPRA)
- Right to Opt Out of Sale/Sharing: We do not sell or share your personal information, but you can still record your preference in Settings
- Right to Limit Use of Sensitive Personal Information: Health information qualifies as "Sensitive Personal Information" under CPRA. You may request that we limit our use to what is necessary to provide the service
- Right to Non-Discrimination: We will not deny service, charge different prices, or provide a different level of service because you exercised your rights
- Right to Access Automated Decision-Making Information: You may request information about how our AI produces outputs that affect you (added under recent CPRA regulations, effective 2025)
To exercise these rights, use the in-app Settings menu or email privacy@futureati.app with the subject line "CCPA Request." We will verify your identity and respond within 45 days (extensions may apply for complex requests up to 90 days total, per statute).
We will not retaliate or discriminate against you for exercising your CCPA rights. If your request is denied, you have the right to appeal by emailing privacy@futureati.app with "CCPA Appeal" in the subject.
Categories of Personal Information Collected (CCPA Disclosure)
In the preceding 12 months we have collected the following categories of personal information:
- Identifiers (email, device ID, IP address)
- Sensitive personal information (health records — stored on device only)
- Commercial information (app usage patterns, anonymized)
- Internet or network activity (app interaction logs, crash reports)
- Geolocation (ONLY during emergency activation, with explicit consent)
We have not sold or shared any category of personal information in the preceding 12 months.
11. Other State Rights (CO, VA, CT, UT, TX, OR, and Others)
Residents of Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA, effective July 2024), Oregon (OCPA, effective July 2024), Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, and Kentucky have rights similar to those described above, including access, correction, deletion, data portability, and the right to opt out of targeted advertising and sale of personal information.
We provide all these rights to all users nationwide regardless of state of residence. To exercise them, email privacy@futureati.app.
Washington My Health My Data Act: As of March 2024, Washington residents have specific rights regarding consumer health data. Our on-device architecture means we do not collect or process "consumer health data" as defined by the Act. However, if you believe this Act applies, you may exercise your rights by emailing the address above with "MHMDA Request" in the subject line.
12. HIPAA Notice
If you are a healthcare provider, clinic, or other HIPAA Covered Entity considering using Future Health AI with patients, please contact legal@futureati.app to discuss Business Associate Agreement ("BAA") availability for enterprise deployments. We expect BAA-eligible enterprise plans to be available in a future release.
If you share information about your care with a Covered Entity (e.g., by emailing a Future Health AI-generated export to your doctor), that entity's HIPAA obligations govern the use of that information on their end.
13. Children's Privacy (COPPA)
Future Health AI is not directed to, and we do not knowingly collect information from, children under 13 as independent account holders.
The App supports a parent/guardian-managed family account model for children under 13, in compliance with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6505 and 16 CFR Part 312. Under this model:
- A verified parent or legal guardian creates and controls the child's account
- The parent provides COPPA-compliant verifiable consent before any information is collected
- The parent can view, edit, or delete the child's information at any time
- We do not use the child's information for any purpose other than providing the requested service
- We do not condition the child's participation in activities on the disclosure of more information than is necessary
- The child's information is never used for behavioral advertising
If you believe we have collected information from a child under 13 without proper consent, contact us immediately at privacy@futureati.app. We will delete the information and the associated account within 30 days.
14. Minors 13-17 (Teen Privacy)
Users aged 13–17 may create accounts, with the following privacy protections, which reflect requirements tightened by 2024–2026 state laws (including California SB 976):
- Default-private account settings
- No behavioral advertising
- No "addictive" engagement features (no streaks, no infinite scroll, no push-notification engagement loops)
- Limited parental-access mode: parents see medications, appointments, and emergency contacts but NOT mental-health entries, reproductive-health entries, substance-use entries, or private chat history
- The teen may elect full privacy from their parent at age 16, subject to state law
15. Family Linking & Caregiver Access
The App supports linking family members for care coordination, with strict age-based and consent-based access controls:
- Children under 13: Parent has full access (COPPA)
- Teens 13–17: Parent has limited access (excludes sensitive categories listed above)
- Adults 18+: No access without explicit, revocable consent from the adult user
All family-link permissions are recorded in the cryptographic consent ledger and are reversible at any time. Revoking a family link immediately removes the caregiver's access, and the revocation is logged in your immutable audit trail.
16. Emergency Features
The App's emergency system NEVER activates automatically. Every emergency action requires explicit user confirmation:
- Which contacts to notify
- Whether to call 911 or local emergency services
- What health information to share with first responders
- Whether to share location (location is collected ONLY during emergency activation with per-session consent)
Emergency packets are encrypted, expire after 24 hours, and are revocable. Location data collected during an emergency is never transmitted to Future @I LLC servers — it is transmitted only to the contacts you explicitly designate and, if you activate it, to 911 services via Android's standard emergency APIs.
17. Consent Framework
Every consent event (granting, modifying, or revoking data sharing with family, caregivers, providers, or first responders) is recorded in an immutable SHA-256 hash-chained ledger on your device. This provides cryptographic proof of what you consented to and when.
18. Audit Logging
Every data access event is logged in an INSERT-only audit trail. Database triggers prevent UPDATE or DELETE operations on audit logs. You can view and export your audit history at any time through Settings → Privacy → Audit Log.
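The Consent Framework and Audit Logging sections both describe the same mechanism: an append-only ledger whose records are SHA-256 hash-chained and whose immutability is enforced by database triggers. The following Python script is an added example, not code from Future Health AI, showing how such a ledger behaves. Triggers abort any UPDATE or DELETE, each record's hash covers the previous record's hash, and a verifier recomputes the chain so that a record altered outside the App is detected. It assumes plain in-memory SQLite rather than an SQLCipher-encrypted file; the table name `consent_ledger`, its columns, the canonical JSON encoding that is hashed, and the all-zero genesis hash are choices made here, not details from the policy.

```python
"""Append-only, SHA-256 hash-chained consent ledger in SQLite (added example).

Assumed, not from the policy: table/column names, the canonical JSON encoding,
the all-zero genesis hash, and plain in-memory SQLite instead of SQLCipher.
"""
import hashlib
import json
import sqlite3

GENESIS_HASH = "0" * 64  # assumed sentinel prev_hash for the first record

SCHEMA = """
CREATE TABLE consent_ledger (
    seq       INTEGER PRIMARY KEY,
    ts        TEXT NOT NULL,
    subject   TEXT NOT NULL,   -- party being granted or denied access
    action    TEXT NOT NULL,   -- GRANT, MODIFY or REVOKE
    scope     TEXT NOT NULL,   -- JSON list of shared data categories
    prev_hash TEXT NOT NULL,
    hash      TEXT NOT NULL UNIQUE
);
-- INSERT-only enforcement: the database itself aborts UPDATE and DELETE.
CREATE TRIGGER consent_no_update BEFORE UPDATE ON consent_ledger
BEGIN SELECT RAISE(ABORT, 'consent ledger is append-only'); END;
CREATE TRIGGER consent_no_delete BEFORE DELETE ON consent_ledger
BEGIN SELECT RAISE(ABORT, 'consent ledger is append-only'); END;
"""


def open_ledger():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_hash(prev_hash, ts, subject, action, scope_json):
    """Hash the canonical encoding of a record together with its predecessor's hash."""
    payload = json.dumps(
        {"prev": prev_hash, "ts": ts, "subject": subject,
         "action": action, "scope": scope_json},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_event(conn, ts, subject, action, scope):
    """Append one consent event, chained to the latest record's hash."""
    row = conn.execute(
        "SELECT hash FROM consent_ledger ORDER BY seq DESC LIMIT 1").fetchone()
    prev = row[0] if row else GENESIS_HASH
    scope_json = json.dumps(sorted(scope))
    digest = record_hash(prev, ts, subject, action, scope_json)
    conn.execute(
        "INSERT INTO consent_ledger (ts, subject, action, scope, prev_hash, hash) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (ts, subject, action, scope_json, prev, digest))
    conn.commit()
    return digest


def verify_chain(conn):
    """Recompute every hash in order; return (ok, seq of first bad record or None)."""
    prev = GENESIS_HASH
    rows = conn.execute(
        "SELECT seq, ts, subject, action, scope, prev_hash, hash "
        "FROM consent_ledger ORDER BY seq")
    for seq, ts, subject, action, scope_json, prev_hash, digest in rows:
        if prev_hash != prev or record_hash(prev_hash, ts, subject, action, scope_json) != digest:
            return False, seq
        prev = digest
    return True, None


def statement_rejected(conn, sql, params=()):
    """True if SQLite refused the statement, i.e. the append-only trigger fired."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return False
    except sqlite3.DatabaseError:
        conn.rollback()
        return True


def demo():
    conn = open_ledger()
    # Constructed sample events, not real user data.
    append_event(conn, "2026-04-20T09:00:00Z", "caregiver:alice", "GRANT", ["medications", "appointments"])
    append_event(conn, "2026-04-21T18:30:00Z", "caregiver:alice", "REVOKE", ["appointments"])
    append_event(conn, "2026-04-22T07:15:00Z", "provider:clinic-1", "GRANT", ["vitals"])
    result = {
        "update_rejected": statement_rejected(conn, "UPDATE consent_ledger SET action = 'GRANT' WHERE seq = 2"),
        "delete_rejected": statement_rejected(conn, "DELETE FROM consent_ledger WHERE seq = 2"),
        "chain_valid_before": verify_chain(conn)[0],
    }
    # The trigger guards the App's own code paths; the hash chain additionally
    # detects a record changed outside the App (simulated by removing the
    # trigger and editing record 2 directly), so the verifier flags seq 2.
    conn.executescript("DROP TRIGGER consent_no_update; "
                       "UPDATE consent_ledger SET action = 'GRANT' WHERE seq = 2;")
    result["chain_valid_after"], result["first_bad_seq"] = verify_chain(conn)
    return result


if __name__ == "__main__":
    print(demo())
```

Run the script directly to print the result dictionary. The two controls cover different failure modes: the triggers stop the App's own database layer from rewriting or erasing history, while the hash chain lets the App (or anyone reading an exported ledger) confirm from the stored hashes alone that no record was edited with the database file opened in another tool.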
19. Data Retention & Deletion
Your data is yours. You control retention:
- On-device data: Retained until you delete it. You can delete individual records, export everything, or wipe the entire database
- Account: Retained while active. When you delete your account, all server-side records (install ID, usage counters, recovery token, support history) are permanently deleted within 30 days
- Cryptographic erasure: Deletion destroys the encryption keys, rendering any residual data cryptographically unrecoverable
- Legal hold: In the rare case of an active legal proceeding, we may retain minimal records for the duration of the hold, then purge
20. Third-Party Services
We minimize third-party dependencies. The complete list of third-party services in Future Health AI:
- Google AdMob: Displays banner ads on non-medical screens only (Home, Settings, Profile, FAQ). Never on Emergency screens, AI chat, medication safety alerts, or consent screens. See AdMob's privacy practices. You can disable personalized ads at any time via Settings → Privacy → Ads.
- Google Play Services: Required for Android distribution, push notifications, and Play Integrity attestation
- llama.cpp (on-device, open-source): AI inference engine running entirely on your device
- Hugging Face (model download only): AI model files are downloaded from Hugging Face's CDN on first use. Only the model file is downloaded; no health data is transmitted
We do NOT use: Firebase Analytics, Google Analytics, Meta/Facebook SDK, TikTok SDK, Crashlytics (we use our own FM crash infrastructure), AppsFlyer, Adjust, Branch, Sentry, or any other tracking, attribution, or analytics SDK commonly found in consumer apps.
21. International Users
Future Health AI is currently available only in the United States. If you access the App from outside the U.S., you do so at your own initiative and are responsible for compliance with local laws.
We do not currently offer GDPR-compliant data processing agreements for EU/UK users. International expansion is planned, and this policy will be updated with GDPR-specific provisions at that time.
22. Changes to This Policy
We may update this Privacy Policy periodically to reflect new features, legal requirements, or privacy improvements. Material changes will be communicated through:
- In-app notification on next launch after the change
- Email to your registered address (for account holders)
- Updated "Last Updated" date at the top of this policy
We will never reduce your rights without your explicit consent. If a change materially reduces your privacy protections, we will obtain fresh opt-in consent before applying the change to your account.
23. Contact Information
Future @I LLC
Porterville, California, USA
D-U-N-S: 144266395
Privacy inquiries: privacy@futureati.app
General support: support@futureati.app
HIPAA / BAA inquiries: legal@futureati.app
Data deletion requests: Use in-app Settings → Account → Delete Account, or email the privacy address above
Response SLA: 48 hours for general support; 45 days (extendable to 90) for formal CCPA/state rights requests, per statute.