Privacy Policy
HeartAlly — Lifestyle & Journaling Companion
Last Updated: July 8, 2026
Effective Date: July 8, 2026
1. Introduction
Welcome to HeartAlly ("we," "our," or "us"). We are committed to protecting your
privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use,
store, and protect your data when you use our AI-powered lifestyle and journaling companion application.
HeartAlly is a lifestyle and journaling app for everyday reflection, mood and sleep
tracking, voice notes, and AI companion conversations. We are not a medical or healthcare service provider, and our
app is not a substitute for professional medical advice, diagnosis, or treatment.
By using HeartAlly, you agree to the collection and use of information in accordance
with this Privacy Policy. If you do not agree with our policies and practices, please do not use our
application.
2. Information We Collect
2.1 Account Information
- Email Address: Required for account creation
and communication
- Apple ID: If you choose to sign in with
Apple
- Anonymous ID: For users who choose to use the
app without registration
2.2 Conversation Data
- Chat Messages: Text conversations with our AI
companion
- Voice Recordings: Audio messages you send
(temporarily stored for transcription)
- Memory Tags: Keywords extracted from
conversations to provide personalized responses
- Session Information: Conversation history and
context
2.3 Journal & Lifestyle Data
- Mood Check-ins: Daily energy/mood scores,
labels, and focus areas
- Journal Entries: Reflections, thoughts, and
life moments you choose to record
- Sleep Logs: Sleep duration, rest feeling,
and related notes (if provided)
- Voice Notes: Short audio reflections you
choose to save
2.4 Usage Data (Analytics)
- App Interactions (via Google Analytics for Firebase): Feature
usage, button clicks, screen views, session duration. Collected automatically by the Google Analytics for Firebase SDK after user
consent.
- Device Information (via Google Analytics for Firebase): Device
model, operating system version, app version, screen dimensions, app-instance identifier. Collected
automatically by the Google Analytics for Firebase SDK.
- User Identifier (via Google Analytics for Firebase): After login
and consent, your Supabase user UUID is shared with Google Analytics for Firebase via the
setUserId() API to associate
events with your account. Anonymous users are tracked with a random app-instance identifier.
- Regional Data: Country/region (for
localizing app content and resources)
3. How We Use Your Information
|
Data Type
|
Purpose
|
Legal Basis
|
|
Account Information
|
Authentication, account management, security
|
Contract necessity
|
|
Conversation Data
|
Provide AI responses, memory features, personalization
|
Contract necessity
|
|
Journal & Lifestyle Data
|
Journaling insights, lifestyle tracking, and personal wellness suggestions
|
Explicit consent
|
|
Usage Data
|
App improvement, bug fixing, user experience optimization
|
Legitimate interest
|
4. Data Storage and Security
4.1 Storage Locations
- Cloud Storage: All data is stored securely in
Supabase (PostgreSQL database) with AES-256 encryption
- Local Storage: App preferences and temporary
data are stored locally using Hive (encrypted)
- Voice Data: Audio recordings are processed in
real-time and not retained after transcription
4.2 Security Measures
- End-to-end encryption for all data transmission (TLS
1.3)
- AES-256 encryption for data at rest
- Regular security audits and penetration testing
- Access controls and authentication protocols
- No storage of payment information (handled by
RevenueCat)
5. Third-Party Services
We use the following third-party services to provide our application:
|
Service
|
Purpose
|
Data Shared
|
|
Supabase
|
Database, authentication, storage
|
All user data
|
|
Google AI (Gemini / Cloud Speech / Cloud TTS)
|
AI conversation processing (primary), voice transcription (Cloud
Speech-to-Text), text-to-speech (Cloud TTS)
|
Conversation content, voice recordings (temporarily for transcription only),
response text for TTS generation. Not used for model training.
|
|
OpenRouter (DeepSeek)
|
Backup AI conversation processing
|
Conversation content (only when Gemini is unavailable). Not used for model
training.
|
|
Google Analytics for Firebase
|
Product analytics, feature usage tracking, and event measurement
|
User UUID (after consent), device model, OS version, app version, screen size,
app-instance identifier, feature usage events, screen views. No conversation content.
|
|
Apple Sign-In
|
Authentication
|
Anonymous user identifier
|
|
Google Sign-In
|
Authentication
|
Email address, name, profile picture (if provided), Google user
identifier
|
|
RevenueCat
|
Subscription management
|
Subscription status, receipts
|
|
Google AdMob
|
Advertising delivery, measurement, and personalization
|
Device model, OS version, advertising ID (IDFA/AAID), IP address,
approximate location, app interactions and ad events
|
|
Unity Ads (via AdMob mediation)
|
Advertising delivery
|
Device info, advertising ID, IP address, app interactions and ad events
|
|
Pangle (via AdMob mediation)
|
Advertising delivery
|
Device info, advertising ID, IP address, app interactions and ad events
|
All third-party services are contractually obligated to protect your data and are
prohibited from using it for their own purposes.
5.1 Advertising & Measurement
When advertising is enabled, we work with advertising partners to serve and measure
ads. This section describes what data may be collected and how it is used.
5.1.1 Data Collected for Advertising
- Device Information: Device model, operating
system version, screen size, language, and timezone
- Advertising Identifier: IDFA on iOS and AAID
on Android, used to deliver personalized ads and limit ad frequency
- IP Address: Used by our advertising partners
for ad delivery, fraud prevention, and measurement, including in the EEA, UK, and Switzerland as described in
Google's updated EU User Consent Policy
- App Interactions: Ad impressions, clicks,
rewards, and other ad events to measure campaign performance
5.1.2 How Advertising Data Is Used
- Ad Delivery: Showing app open, interstitial,
and rewarded video ads
- Personalization: Tailoring ads to your
interests where you have provided consent
- Measurement: Reporting ad impressions, clicks,
and conversions to advertisers
- Fraud Prevention: Detecting invalid traffic and
protecting ad inventory
5.1.3 Advertising Partners
We use Google AdMob as our primary advertising platform, and AdMob mediation to access
inventory from Unity Ads and Pangle. Each partner processes data in accordance with their own privacy policy:
5.1.4 Your Choices
- Consent: When required, we display a Google
User Messaging Platform (UMP) consent form so you can choose whether to allow personalized advertising
- Withdraw Consent: You can update your ad
privacy choices at any time in the app's Settings → Privacy & Security → Ad Privacy Options
- Reset Advertising Identifier: You can reset
your IDFA (iOS) or AAID (Android) in your device system settings
- Non-Personalized Ads: Even if you decline
personalized advertising, you may still see non-personalized ads
6. AI Data Processing & Model Training
HeartAlly uses artificial intelligence to provide conversational support. We believe in
complete transparency about how your data is processed by AI systems:
6.1 What Data Is Sent to AI Services
- Conversation Content: Your chat messages
and voice transcripts are sent to Google's Gemini API (primary) or OpenRouter's DeepSeek API (backup when
Gemini is unavailable) via our secure Edge Function to generate AI responses
- Voice Recordings: Audio files are temporarily
uploaded to Supabase Storage, then transcribed by Google Cloud Speech-to-Text API. The audio is deleted
immediately after transcription
- TTS Generation: AI response text is sent to
Google Cloud Text-to-Speech API to generate audio replies. The generated audio is stored temporarily in Supabase
Storage
- System Context: Non-personal conversation
context (turn count, session duration) is sent alongside messages to improve response quality
6.2 Data Is NOT Used for Model Training
- We configure AI service APIs with opt-out
settings enabled for model improvement (where available)
- Your conversation data is never used to train,
fine-tune, or improve any AI model
- Our AI providers retain API request logs for abuse
monitoring and compliance only, not for training
- We do not share your data with any AI model training
providers
6.3 Encryption & Transmission Security
- All data to AI services is transmitted via TLS
1.3 encrypted connections through our Supabase Edge Function
- Your messages are never sent directly from the
device to AI services — they route through our secure Edge Function with JWT authentication
- Conversation data is stored in Supabase (AES-256
encrypted at rest) and never in plain text on any third-party system
7. Your Rights and Choices
7.1 Data Control
- Access: You can request a copy of all your
data at any time
- Export: Free users can export data as JSON;
Premium users can export as PDF report
- Deletion: You can delete all your data with
one click in Settings
- Correction: You can update your account
information in the app settings
7.2 Privacy Settings
- Toggle data analytics collection
- Manage notification preferences
- Control memory feature settings
- Enable/disable personalized insights
7.3 Legal Rights (GDPR/CCPA)
If you are in the European Union or California, you have additional rights
including:
- Right to be informed about data collection
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
8. Account & Data Deletion
You have the right to delete your account and all associated data at any time. We
provide both complete account deletion and selective data deletion options to ensure you have full control over
your personal information.
8.1 Complete Account Deletion
When you choose to delete your account, the following will occur:
- Permanent Deletion: Your account and all
personal data will be permanently deleted. This action is irreversible and cannot be undone.
- No Freeze or Deactivation Alternative: We do
not offer account freezing or deactivation as a substitute for deletion. Account deletion is the only option for
users who wish to remove their account entirely.
- Data Removed: All account information,
conversation history, mood check-ins, journal entries, sleep logs, voice notes, memory tags, and analytics data
linked to your account will be permanently erased from our systems.
- Third-Party Data: We will also initiate
deletion requests with our third-party service providers (Supabase, Google Analytics for Firebase, RevenueCat) to remove your data
from their systems within 30 days.
8.2 Partial Data Deletion (Without Deleting Account)
If you wish to delete specific types of data while keeping your account active, you can
do so through the following methods:
- Chat History: Clear all chat conversations
from Settings. Chat history older than 30 days is automatically deleted.
- Mood Check-ins: Delete individual mood
entries from the Data screen.
- Journal Entries: Remove specific journal
entries from the Tools section.
- Voice Recordings: Audio recordings are
automatically deleted after transcription and are not retained.
- Memory Tags: Reset or disable the memory
feature in Settings to clear all stored memory keywords.
- Analytics Data: Opt out of analytics
collection in Privacy Settings. Previously collected analytics data will be anonymized and cannot be linked to
you.
8.3 How to Request Deletion
You can request data deletion through the following methods:
- In-App Deletion: Go to Settings → Account →
Delete Account (for complete account deletion) or Settings → Privacy → Clear Data (for partial deletion).
- Email Request: Send a deletion request to kaiven9195@gmail.com with your registered
email address. We will process your request within 30 days.
8.4 Deletion Timeline
- Immediate: Your account will be deactivated
immediately upon deletion request.
- Within 30 Days: All personal data will be
permanently deleted from our primary systems and third-party services.
- Legal Exceptions: In limited circumstances,
we may retain certain data as required by law or for legitimate business purposes (e.g., fraud prevention, legal
compliance). Any retained data will be anonymized or pseudonymized where possible.
9. Data Retention
- Active Accounts: Data is retained while your
account is active
- Chat History: Text conversations are
automatically deleted after 30 days of creation (both locally and in the cloud). Voice recordings are deleted
immediately after transcription and are not retained.
- Deleted Accounts: All data is permanently
deleted within 30 days of account deletion
- Anonymous Users: Data is retained for 90 days
of inactivity, then deleted
- Backup Data: Encrypted backups are retained
for 30 days
- Analytics Data: Aggregated and anonymized
after 12 months
10. Children's Privacy
Important: HeartAlly is rated 12+ and is intended for users aged 12 and older.
We do not knowingly collect personal information from anyone under the age of 12. If you are under 12, please do
not use our application or provide any personal information.
If we discover that we have collected personal information from a user under 12, we
will take steps to delete that information as soon as possible. If you believe we might have any information from
or about a user under 12, please contact us at kaiven9195@gmail.com.
11. Emergency Disclaimer
HeartAlly is a lifestyle and journaling app, not a medical or emergency service. If
you or someone you know is experiencing a medical or mental health emergency, please contact your local emergency
services or a qualified professional immediately.
12. International Data Transfers
Your data may be transferred to and processed in countries other than your country of
residence, including the United States. These countries may have different data protection laws. We ensure
appropriate safeguards are in place to protect your data, including:
- Standard Contractual Clauses (SCCs)
- Data Processing Agreements (DPAs)
- Adequacy decisions where applicable
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes
by:
- Posting the new Privacy Policy on this page
- Updating the "Last Updated" date
- Notifying you via email or in-app notification for
significant changes
Your continued use of the application after changes constitutes acceptance of the
updated policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our
data practices, please contact us:
Email: kaiven9195@gmail.com
Address: HeartAlly Privacy Team
Response Time: We aim to respond within 48 hours
15. Legal Compliance
This Privacy Policy complies with:
- General Data Protection Regulation (GDPR) - European
Union
- California Consumer Privacy Act (CCPA) - California,
USA
- Apple App Store Privacy Guidelines
- Google Play Store Data Safety Requirements
- Children's Online Privacy Protection Act (COPPA) -
USA
© 2026 HeartAlly. All rights reserved.
Your personal journey is private, and we're committed to keeping it that way.