Consumer Health Data Privacy Policy

1. Scope

This Consumer Health Data Privacy Policy sits alongside our U.S. Privacy Policy. It applies to consumer health data handled by Microbioflora Pty Limited, an Australian company trading as Progurt (“Progurt”, “we”, “us”, “our”) under laws including the Washington My Health My Data Act, Nevada consumer-health-data law and the Connecticut Data Privacy Act. “Consumer health data” can include information that identifies or is reasonably linkable to a consumer and reveals or permits an inference about health status.

Effective date: July 17, 2026

2. Categories of consumer health data we collect

  • Quiz questions and raw answers: answers you choose to provide about digestive comfort, everyday wellbeing goals, preferences and related concerns.
  • Inferences and results: interests inferred from answers, the decision path used by the quiz, and the product recommendation or result generated.
  • Identifiers: email address, customer or account identifier, session or request identifier, and other identifiers needed to generate, save or deliver the result.
  • Support and review information: health-related details you choose to include in support communications or a review, and whether a review is submitted for public display.
  • Interaction information: de-identified, PII-scrubbed events showing use of the quiz or result experience, without raw health answers, inferred health interests or an identifier that identifies you.

You do not have to provide health information to buy Progurt products or view general product information.

3. Sources

We collect consumer health data directly from you when you answer quiz questions, ask us to save or deliver a result, contact support, or submit a review. We generate inferences and recommendations from the answers you provide. Our first-party providers may return delivery, communication or processing status associated with the requested service. We do not obtain consumer health data from data brokers.

4. Purposes and manner of processing

  • To present the quiz, interpret your answers, and generate, save or deliver the recommendation you request.
  • To provide customer support and respond to a health-related question you choose to ask.
  • To display a health-related review only when you submit it for public display under the review notice.
  • To personalise first-party emails using your quiz answers only as described in section 5. We do not use consumer health data to personalise marketing for consumers in Washington, Nevada or Connecticut.
  • To secure, troubleshoot and improve the quiz and website using de-identified, PII-scrubbed analytics.
  • To meet legal obligations, investigate fraud or security events, and protect legal rights.

We do not use geofencing around a health-care facility. We do not combine health-related quiz data with third-party cross-site browsing to profile you for advertising.

5. Consent at collection

Your quiz answers stay in your browser while you take the quiz and are not linked to your identity unless you ask us to email your result. At the point you request your result, we state — next to the request button — “We’ll use your answers to create and email your recommendation, and to personalise your follow-up emails — unsubscribe anytime.” with a link to this policy. Making that request is your affirmative consent to that collection and those uses. If you do not request your result by email, your answers are not collected against your identity, and your result still appears on the page.

For consumers in Washington, Nevada and Connecticut, we do not use consumer health data to personalise marketing emails; those consumers receive general communications, and any future health-informed marketing for them would first require the separate consent their laws demand. You can withdraw consent or unsubscribe at any time using the contact path in section 9. No consent is inferred from browsing, and no separate sharing consent is bypassed by describing a disclosure in this policy.

6. Recipients and disclosures

  • Progurt personnel: authorized support, ecommerce, privacy, security and marketing personnel receive only the data needed for the requested function and any separately consented first-party marketing.
  • Klaviyo: acts as a first-party communication provider for Progurt. It may receive the email or customer identifier, quiz answers, inferred interest, recommendation and consent status needed to deliver a requested result or separately consented first-party communication. The transmitted fields are: email address, quiz answers, health concern, the recommendation produced, consent and subscription status, and quiz metadata such as the requesting page and time (verified 17 July 2026).
  • Shopify: provides ecommerce and account infrastructure and may hold identifiers or customer records linked to a quiz result where required for the requested service, as verified in the data map.
  • Recharge: provides subscription services and receives health-related information only if the verified data map shows it is necessary for a subscription function requested by the consumer.
  • Okendo: processes review content. Health-related review content is displayed publicly only when you submit it for publication under the review notice.
  • GA4 and Microsoft Clarity: receive only de-identified, PII-scrubbed quiz and site interaction information. They do not receive identifiers, raw health answers, inferred health interests or recommendations that identify or are reasonably linkable to you.
  • Security, hosting and rights-request providers: receive only information necessary to secure the service or fulfil a request; the specific provider and active recipient contact list is maintained in the verified data map.

Third-party collection over time and across sites or services: No third party collects consumer health data about you over time and across different websites or online services through our services. Our analytics providers receive only de-identified, PII-scrubbed interaction events, the quiz interface is masked in session-replay tools, no advertising pixels operate on our sites, and Klaviyo processes information solely as our first-party communication provider (verified 17 July 2026).

We maintain an internal record of recipients, fields and contacts, reviewed whenever a provider or data flow changes. We may disclose information where legally required, after assessing the request and limiting disclosure as permitted.

7. No sale or cross-context advertising disclosure

We do not sell consumer health data. We do not share identifiable consumer health data, raw health answers or inferred health interests for cross-context behavioral advertising. Advertising pixels do not receive that information. De-identified, PII-scrubbed analytics are used only as described above.

8. Your consumer health data rights

Subject to applicable law, you may ask us to:

  • Confirm whether we collect, process, share or sell your consumer health data.
  • Access the consumer health data we hold and receive a portable copy where required.
  • Provide a list of the third parties or affiliates with whom your consumer health data was shared or sold, including active contact information where required.
  • Delete consumer health data held by us and direct processors, contractors and other recipients to delete it.
  • Withdraw consent and stop future collection, processing or sharing based on that consent.
  • Appeal a refusal or other decision on your request.

Review and correction of your consumer health data

You may review the consumer health data we hold by requesting access, and you may request correction of that data, using the request paths in section 9. This is the same correction right described in section 10 of our U.S. Privacy Policy. There is no separate correction mechanism beyond the paths in section 9 of this policy and section 10 of the U.S. Privacy Policy.

We do not sell consumer health data, so a request to stop a sale will be treated as confirmation of that status and an instruction not to begin such a sale.

9. How to submit a request or use an authorized agent

Email support@progurt.com with the subject “Consumer health data request”. You do not need to create a new account.

An authorized agent may use the same paths and identify the consumer, the requested action and the agent’s authority. We may request signed authorization or confirm authority directly with the consumer, but will not require more information than reasonably necessary. We will use information supplied for verification only to process and document the request.

10. Response, deletion and backups

We will acknowledge and respond without undue delay, and within the period applicable law requires — no later than 45 days where such a deadline applies — unless applicable law permits an extension. If an extension is reasonably necessary, we will notify you within the initial period, explain why and state the new deadline. Requests are free where required, subject only to lawful rules for manifestly unfounded, excessive or repetitive requests.

For a valid deletion request, we delete from active systems and instruct relevant processors, contractors and other recipients to delete. Where immediate deletion from an isolated backup is not technically feasible, the data is put beyond ordinary use and deleted when the backup expires or is securely overwritten, subject to the applicable backup-deletion deadline, unless law requires retention. Where Washington law applies, consumer health data is deleted from backups no later than six months after authenticating the deletion request, unless a longer retention is required by law. We will explain any lawful exception and the data affected.

11. Appeals and Attorney General complaints

To appeal, reply to the decision or email support@progurt.com with the subject “Health data appeal” and explain why you disagree. A person not involved in the original decision will review the appeal where practicable. We will respond within the period required by applicable law, including within 60 days where Connecticut law applies, and provide reasons.

If an appeal is denied, you may file a complaint with the relevant state Attorney General:

12. Security, retention and destruction

We use safeguards proportionate to the sensitivity of consumer health data, including access controls, authentication, provider diligence, contractual restrictions, transmission protections, monitoring and incident-response procedures. No method is completely secure.

We retain consumer health data only while needed for the disclosed and consented purpose, legal compliance, dispute resolution, security or fraud prevention. We then securely delete or irreversibly de-identify it and direct relevant processors to do the same.

13. Changes to this policy

We will post a revised policy before a material change takes effect and provide additional direct notice where reasonably practicable or legally required. If a new purpose, category, recipient or processing activity requires consent, we will obtain that consent before the change applies to the affected data.

14. Homepage link and contact

This policy is available at https://www.progurt.com/pages/consumer-health-data-privacy and is linked from the footer of every page, including the homepage.

Email: support@progurt.com
Microbioflora Pty Limited, an Australian company trading as Progurt · 16 Sunnyridge Road, Arcadia NSW 2159, Australia

Last updated: July 16, 2026