HashiMotto Privacy Policy

Last updated / Effective date: July 6, 2026

Last updated / Effective date: July 6, 2026

This Privacy Policy explains how Immunomy, Inc. ("Immunomy," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the HashiMotto mobile application, the website at hashimotto.app, and related services (together, the "Service").

HashiMotto is a wellness companion for people living with Hashimoto's thyroiditis and related thyroid conditions. Because you may choose to share health-related information with us, we treat that information with particular care and describe our practices in plain language below.

Please read this Policy together with our Terms of Service. By creating an account or using the Service, you acknowledge this Policy. Where we rely on your consent — including for the collection and use of your health information — we obtain it as described here.

HashiMotto is not a doctor and is not a substitute for professional medical care. This Policy is about your data. For what HashiMotto is and isn't as a health tool, see our Terms of Service.

1. A one-screen summary

This summary is for convenience; the full Policy controls.

2. Scope, eligibility, and our HIPAA status

Who this Policy covers. This Policy applies to the HashiMotto app and website and to information we process as the data controller.

Age. The Service is intended only for individuals 18 years of age or older. We do not knowingly collect information from anyone under 18. If we learn that we have collected information from a person under 18, we will delete it. If you believe a minor has provided us information, contact privacy@immunomy.com.

Our HIPAA status — please read. For the core HashiMotto app, Immunomy is generally not a "covered entity" or a "business associate" under the U.S. Health Insurance Portability and Accountability Act (HIPAA). This means the information you enter into the app is generally not "protected health information" (PHI) governed by HIPAA — but we nonetheless treat your health information as sensitive and protect it as described in this Policy, and other laws (including state health-privacy and consumer-protection laws) still apply.

Telehealth is different. If you choose to use HashiMotto's telehealth features, the clinical services are provided by OpenLoop Health, Inc. ("OpenLoop") and independent, licensed practitioners (which may include dietitians, nutritionists, endocrinologists, functional-medicine practitioners, and immunologists). In that telehealth context, OpenLoop and its providers act as covered entities under HIPAA, and information you share in that relationship is governed by OpenLoop's own Notice of Privacy Practices and privacy policy, not this Policy. See Section 6.

3. Information we collect

We collect information in three ways: information you provide, information collected automatically, and information from third parties and connected services.

3.1 Information you provide

3.2 Information collected automatically

3.3 Information from connected services and third parties

We do not purchase personal information about you from data brokers.

Some of the information above — including your symptoms, lab values, medications, mood, and health metrics from wearables — is sensitive health information. Under various U.S. state laws, sensitive information generally requires your consent to collect and use.

You provide this information voluntarily, and by choosing to enter health information, connect a wearable, or use health features of the Service, you consent to our collection and use of that information for the purposes described in this Policy — principally, to provide the Service to you. Where a specific feature (such as optional research contribution) requires separate, affirmative consent, we ask for it separately, and you can decline or withdraw it at any time (see Sections 8 and 12).

We use your sensitive health information only to provide, personalize, secure, and support the Service (and, separately and only with your opt-in, for de-identified research). We do not use your health information to serve you targeted advertising, and we do not sell it.

5. How we use information

We use information for the following purposes:

We describe the specific bases and your related rights for state-law purposes in Section 11.

6. Telehealth provided by OpenLoop

HashiMotto may offer access to telehealth services — one-to-one engagement with licensed practitioners such as dietitians, nutritionists, endocrinologists, functional-medicine practitioners, and immunologists.

These services are provided by OpenLoop and its independent providers, not by Immunomy. Immunomy does not provide medical care, does not employ the providers, and is not responsible for the clinical services delivered. We understand OpenLoop engages licensed providers across all 50 U.S. states.

How your data is handled in telehealth:

Please review OpenLoop's privacy notice before using telehealth features. If you do not use telehealth, no information is shared with OpenLoop for that purpose.

7. How HashiDoc (AI) uses your information

HashiDoc is HashiMotto's AI companion. It is designed to give you educational, personalized information — it does not diagnose, prescribe, or dose, and it is not a medical professional. (See our Terms for these limits.)

How it works with your data:

A note on AI limitations: AI can be wrong or incomplete. Do not rely on HashiDoc for emergencies or in place of professional judgment. See the Terms for the full disclaimer.

8. Optional research contribution

We may invite you to contribute to research aimed at improving understanding of Hashimoto's and thyroid health.

9. How we share information

We share information only as described here. We do not sell your personal information. We do not share your health information with advertising partners or data brokers.

We maintain a current list of key sub-processors; contact privacy@immunomy.com to request details.

10. Cookies, analytics, and advertising

10.1 On our marketing website

Our website (hashimotto.app) uses cookies and similar technologies for site functionality, analytics, and advertising/measurement. These may include tools from Google (Google Analytics / GA4, Firebase), Meta, TikTok, Microsoft Clarity, Taboola, Outbrain, and Reddit. These tools may set identifiers and collect information such as pages viewed, interactions, device and browser data, and IP-derived approximate location, and may share certain identifiers and online-activity data with those partners so we can measure and run advertising campaigns.

Health data is not part of this. We design the Service so that these advertising and measurement tools operate on our marketing pages and do not receive the health information you enter into the app.

10.2 Your controls

10.3 Marketing communications (email, push, SMS, WhatsApp)

With your consent where required, we may send marketing messages by email, push notification, SMS/text, and WhatsApp.

11. Your U.S. privacy rights

Depending on your state of residence, you may have some or all of the rights below. We honor these rights for our users as described, and we do not discriminate against you for exercising them.

11.1 Rights that may apply

Because your health information is treated as sensitive, we generally rely on your consent (given when you choose to provide it) and use it only for the purposes in this Policy. You may withdraw that consent as described in Section 12.

11.2 How to exercise your rights

Submit a request by:

We will verify your request (typically by confirming control of your account email) and respond within the timeframe required by applicable law. You may use an authorized agent to submit a request on your behalf with proper authorization and verification.

11.3 California residents (CCPA/CPRA)

If you are a California resident, you have the rights above, including the rights to know, delete, correct, opt out of sale/sharing, and limit the use of sensitive personal information.

11.4 Other states

Residents of states with comprehensive privacy laws (including, as applicable, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) have the rights described in Section 11.1. For these states, we treat health information as sensitive data requiring consent, which you provide by choosing to use the health features of the Service, and you may withdraw consent as described in Section 12. To exercise your rights or appeal a decision, contact privacy@immunomy.com.

12. Consumer Health Data — Washington & Nevada

This Section is intended to serve as a consumer health data privacy notice under the Washington My Health My Data Act ("MHMDA") and Nevada's health-data law (SB 370). It should also be surfaced as a separately linked page.

If you are a Washington or Nevada resident (or your health data is collected there), this Section applies to your consumer health data — information that is linked or reasonably linkable to you and that identifies your past, present, or future physical or mental health status (for example, your thyroid condition, symptoms, lab values, medications, and health metrics you provide).

13. Data retention

We keep personal information for as long as needed for the purposes in this Policy, then delete or de-identify it. General defaults (which we may adjust and which are subject to legal exceptions):

14. How we protect information

We use reasonable administrative, technical, and physical safeguards designed to protect personal information, including:

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a breach affecting your information, we will notify you and authorities as required by applicable law (including the FTC Health Breach Notification Rule and applicable state breach-notification laws).

15. Where your information is processed

The Service is offered to users in the United States, and we store and process information on infrastructure located in the United States (AWS us-east-1). If we later serve users outside the U.S., we will update this Policy and adopt any additional protections required.

The Service integrates with, or links to, third-party services — including wearables and health platforms you connect, OpenLoop (telehealth), Stripe (payments), and affiliate offers and other links. When you follow an affiliate link, we do not share your personal information with the merchant; we may pass a non-identifying tracking parameter so the merchant can attribute a referral, and any information you then provide to that merchant is governed by their privacy policy. We are not responsible for the privacy practices of third parties; please review their policies.

17. Children

The Service is for adults 18 and older. We do not knowingly collect information from children. See Section 2.

18. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you by reasonable means (such as in-app notice or email) and update the "Last updated" date above. Your continued use of the Service after an update means you acknowledge the revised Policy. Where required, we will obtain your consent to material changes affecting your health information.

19. Contact us

Immunomy, Inc. 2810 N Church St STE 89648, Wilmington, DE 19802, USA Privacy: privacy@immunomy.com (or privacy@hashimotto.app) Legal: legal@immunomy.com (or legal@hashimotto.app)

If you have a concern we haven't resolved, you may also have the right to contact your state attorney general.