Privacy Policy for HeartStrong

Last Updated: December 25, 2024

Overview

HeartStrong (“we”, “our”, or “the app”) is a fitness and wellness application designed specifically for heart transplant recipients. We are committed to protecting your privacy and handling your personal health information with the utmost care. This Privacy Policy explains how we collect, use, and protect your information.

Information We Collect

Health Data (via Apple HealthKit)

HeartStrong integrates with Apple HealthKit to:

• Read workout data (heart rate, calories burned, exercise minutes)
• Write completed workout sessions to your Health app

Important: All HealthKit data remains on your device and syncs only through Apple’s secure HealthKit framework. We do not have access to your HealthKit data on our servers.

Location Data

When you perform outdoor workouts (walking, running, cycling), HeartStrong may collect:

• GPS coordinates during active workout tracking
• Route data for workout history visualization

Location data is:

• Only collected during active outdoor workouts
• Stored locally on your device
• Never shared with third parties
• Optional - you can decline location permissions

Photos

If you choose to attach photos to workout achievements:

• Photos are stored locally on your device
• Photos are never uploaded to external servers
• You control which photos are associated with workouts

Profile Information

You may voluntarily provide:

• Name
• Transplant date
• Recovery stage information
• Fitness goals

This information is stored locally and used solely to personalize your workout recommendations.

Account Information

If you use Sign in with Apple:

• We receive only the information you choose to share (email or relay email)
• Authentication is handled entirely by Apple
• We do not store your Apple ID password

Data Storage

Local Storage

All your workout data, health information, profile details, and training plans are stored locally on your device using secure iOS mechanisms.

Cloud Sync (Optional)

If you enable cloud sync:

• Data is encrypted in transit and at rest
• Stored on secure servers
• Used solely for syncing your data across your devices
• Never shared with third parties

How We Use Your Information

We use your information to:

• Provide personalized workout recommendations appropriate for heart transplant recovery
• Track your fitness progress over time
• Generate training plans based on your goals
• Display your workout history and routes

We do NOT:

• Sell your personal information
• Share your health data with third parties
• Use your data for advertising purposes
• Create profiles for marketing

Third-Party Services

Apple Services

• HealthKit: For health data integration
• Sign in with Apple: For optional account authentication
• MapKit: For displaying workout routes

Backend Services

We use Supabase for optional cloud sync functionality. Supabase is SOC 2 Type II compliant and all data is encrypted.

Data Retention

• Local data remains on your device until you delete it
• Cloud sync data is retained until you delete your account
• You can export all your data at any time using the in-app export feature

Your Rights

You have the right to:

• Access: Export all your data in JSON format via the app (Profile > Privacy & Sharing > Export My Data)
• Delete: Remove all your data using the in-app deletion feature (Profile > Privacy & Sharing > Delete All My Data)
• Portability: Export your workout history and profile information in standard JSON format
• Opt-out: Decline any optional permissions (location, photos, health)

Data Deletion

To completely delete your data:

1. Local Data: Go to Profile > Privacy & Sharing > Delete All My Data. This permanently removes all workouts, profile information, and preferences from your device.

2. Account Data: If you have an account, deleting your data will also remove your authentication credentials from our systems.

3. HealthKit Data: Data written to Apple Health must be deleted separately through the iOS Health app.

4. Alternative: Uninstalling the app will remove all local data, but you should use the in-app deletion to ensure cloud account data is also removed.

Children’s Privacy

HeartStrong is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children.

Security

We implement appropriate technical and organizational measures to protect your data:

• All data transmission uses HTTPS encryption
• Local data is protected by iOS device security
• Cloud data is encrypted at rest and in transit

Special Considerations for Health Data

As a health-focused application for heart transplant recipients:

• We treat all health-related data with extra care
• We never provide medical advice
• We recommend consulting your healthcare provider for medical decisions
• RPE (Rate of Perceived Exertion) guidance is for fitness purposes only

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last Updated” date.

Contact Us

If you have any questions about this Privacy Policy or your data, please contact us at:

Email: heartstrong@diegovarela.com

Compliance

This app is designed to comply with:

• Apple App Store Guidelines
• GDPR (General Data Protection Regulation)
• CCPA (California Consumer Privacy Act)
• HIPAA considerations for personal health apps