Legal Docs Changelog
Tracks material changes to public-facing legal documents. New entries at the top.
Per HOSTING.md §"Version control discipline": every material change here should be paired with a 30-day-notice flow to users, a bump in Effective Date and Last Updated on the affected document, and an immutable PDF snapshot at deploy time.
2026-05-28 — Privacy Policy v3: reproductive-health protections
File: PRIVACY_POLICY.md
Changes:
- Added §4a.6 Reproductive Health Data with heightened protections for menstrual cycle and pregnancy data sourced via the Garmin Women's Health API (and equivalent streams from other wearables in the future):
  - Separate explicit opt-in, default OFF
  - Excluded from aggregate research unless separately opted in (second opt-in)
  - Dedicated 24-hour deletion path (vs standard 30-day cascade)
  - Documented stance on law-enforcement requests: will not voluntarily disclose; will challenge overbroad legal process; will notify the user before responding where law permits
  - Cross-state hardening: where state laws conflict, the most user-protective rule applies
- Added row to §4a.1 (What We Collect) for the new Reproductive health category, flagged "separate opt-in".
- Bumped Effective Date and Last Updated to 2026-05-28.
Material change? Yes — adds a new sensitive data category. Per §12 ("we will give reasonable advance notice for material changes... at least 30 days"), would normally require user notification. No notice obligation triggered in practice because no users exist yet (private/family beta with manual FIT-file ingestion, no live OAuth users). If you have OAuth-connected users on future iterations, this kind of change requires the 30-day flow.
Driver: decision to include Women's Health API in the Garmin Developer Program application (2026-05-28). Reproductive data carries elevated legal sensitivity post-Dobbs and under WA MHMD / CA Reproductive Privacy Act; the §4a.6 protections are designed to be defensible against state-law scrutiny and to give users meaningful control before the data crosses our boundary.
2026-05-27 — Privacy Policy v2; Terms of Service v1 (initial)
Files: PRIVACY_POLICY.md, TERMS_OF_SERVICE.md
Changes:
- Privacy Policy: Added §4a (Wearable Health Data) covering Garmin Connect, Terra, and similar — scopes collected, two-purpose usage (personal analytics + opt-in aggregate research), Garmin license compliance (no raw redistribution), retention/deletion mechanics, and explicit "what we never do" list. Added Washington My Health My Data Act section to §14 — separate consent, withdrawal, deletion, no geofencing, private right of action. Added CPRA additions to California section (Sensitive PI use limit, right to correct, Do-Not-Sell-or-Share statement). Updated entity name from "OmniSciences" to "OmniSciences LLC, a Wyoming limited liability company" in introduction. Marked physical address as TODO pending pull from Wyoming formation paperwork. Bumped Effective Date and Last Updated.
- Terms of Service: Initial publication. Master ToS for OmniSciences with product-specific sections for OmniHealth, OmniPoll, OmniFi, OmniResearch. Includes binding individual arbitration (JAMS, Wyoming) with 30-day opt-out, class-action waiver with WA MHMD carve-out, no-medical-advice / no-financial-advice disclaimers, $100-or-12-months-fees liability cap.
Material change? Yes — first-ever publication of ToS is by definition material. Privacy Policy additions (WA MHMD, CPRA, Garmin-specific scopes) expand user rights and clarify wearable data handling; should ship with a one-time notice to existing users on next deploy.
Open prerequisites before public deploy:
- Counsel review (Wyoming-admitted at minimum)
- Registered agent address filled in
- Mailboxes (privacy@, legal@, security@, billing@, dmca@) live and monitored