Privacy Policy

Legal Information
Last modified: November 2023
1. INTRODUCTION
Heartify LLC, a company registered and acting under the laws of the United States with registration number 001466554, having its registered office at 50 Milk St, 18th Floor, Boston, MA, United States (“Heartify”, “Company”, “we”, “us”, or “our”), takes your privacy seriously. This Privacy Policy (the “Policy”) explains our data protection commitment and practices and describes the types of information we may process when you use our Websites and/or install and use the Heartify Heart Rate Monitor software application for mobile devices (“the App”, “our App”).

When we refer to personal data (or personal information), we mean any information of any kind relating to a natural person who can be identified, directly or indirectly, in particular by reference to such data or to an identification number (“Personal Data”).

Our Privacy Policy applies to all users and others who access the App (“Users”), this website, and the Company’s other websites and landing pages (the “Website(s)”) and/or persons whose Personal Data we may process as a result of our business activities. We also refer to such persons as “you” in the text. The App and the Website(s) are together referred to as the “Services”.

For the purposes of the General Data Protection Regulation (EU) 2016/679 and applicable national legislation implementing the GDPR and, if applicable, the UK Data Protection Act 2018 and the UK GDPR (hereinafter collectively the “GDPR”), we are the data controller, unless otherwise stated. We compiled this Privacy Policy and adjusted our processes towards Personal Data in compliance with GDPR as the highest standard for the protection of our users’ personal data rights.

PLEASE CAREFULLY READ THE FOLLOWING PRIVACY POLICY FOR INFORMATION REGARDING THE WAYS YOUR PERSONAL INFORMATION MAY BE PROCESSED.
2. SCOPE
This Privacy Policy applies to Personal Data obtained through our Website(s), App, or when you otherwise interact with us.

The Company’s Website and App may contain links to other websites not under our control. We are not responsible for other websites' information practices or content. You should always review the policies of third-party products and services to make sure you are comfortable with how they collect and use your information.
3. INFORMATION WE PROCESS
Your privacy is a high priority for us, so we prefer, to the maximum possible extent, using instruments that disable the collection of clearly identifiable information and provide us with information in aggregated, encrypted, anonymized, and/or pseudonymized (non-identifiable) form. However, we understand that some categories of such information we use may be deemed Personal Data, in particular, for the purposes of GDPR. With regard to such Personal Data, the rules set out in this Privacy Policy are always strictly followed.

3.1. Information that you submit
You may provide personal information directly when you use our App. This information is necessary to adequately perform the contract between you and us. Without such information, it is impossible to provide the complete functionality of the App and perform the requested services. Depending on the App's functionality, the following information can be processed:

General Information. You may fill it in when you choose to track physical parameters for your convenience, and/or share by connecting the other app to our App:
  • Gender;
  • Date of birth or age;
  • Race;
  • Weight;
  • Height.

Contact Information. You may share it when you log in or create a profile in our App or Website or contact us via email:
  • Name;
  • E-mail address, and any other content included in the email;
  • Password or passcode;
  • Other information you decide to share when you log in via third-party services; it may also include technical identifiers necessary for the authentication service to run.

Health and well-being. The App may estimate various metrics such as:
  • Heart rate;
  • Heart rate variability;
  • Physical stress level;
  • Energy level;
  • Tension level;
  • Balance score;
  • Readiness score etc.
These indicators are based on RR intervals and other metrics the App collects when executing a measurement. You can always decline to save a measurement or delete a previously saved measurement through the App.

For measuring, the App technically accesses your camera required as a light sensor to estimate your heart rate. During a measurement, images from the camera feed are processed locally on your device and deleted immediately afterward. We cannot collect, store or use the data contained in your camera roll.

You may also allow us to connect to third-party services, such as Apple HealthKit, to enable us to import Personal Data about your health and activities into the App, as provided by its features. When you choose to have this data imported, you are subject to Apple Health privacy policies and practices. We may collect, once you allow us, the following data from Apple HealthKit:
  • Weight
  • Heart Rate Variability
  • Heart Rate
  • Date of Birth
  • Sleep changes
  • Height
  • Sleep
  • Gender

The health and well-being information you submit is stored locally on your device. If you have a Heartify account, we transfer your health data to the server storage to provide services, for example, to enable access to your measurements via our Website heartify.world for you. This information is never disclosed to third parties (except our authorized service providers) unless you share it yourself.

You can remove or alter your personal information at any time. Once you uninstall the App, your personal information (including Personal Data) will be stored and used for a period needed to achieve the purposes set out in Section 4 of this Policy. If you have a Heartify account, you can also delete your Personal Data by deleting your account in your account settings in the App or in your profile on the Website heartify.world. If you delete your Heartify account, your Personal Data will be removed from our storage, but some categories of your personal information may be stored for a longer period, as prescribed by this Policy and/or applicable laws (this may include, without limitation, storage of your consent log).

Other data you may submit to us. Also, we may collect other data that you submit to our Websites or App as you participate in any of their interactive features, participate in a survey, contest, promotion, sweepstakes, activity, or event, apply for a job, request customer support, communicate with us via third-party social media sites or otherwise communicate with us.

Notice for employees. If you are our current, former, or prospective employee or individual subcontractor, we also ask you to provide consent for collecting education-, career-related, and other background information (“Employment information”), which we process according to this Policy and/or our notice related to processing recruitment data that is provided in your contract or as a separate document by our HR specialists.

Other persons’ Personal Data. If you are providing information (including Personal Data) about someone else, you must have the authority to act for them and to consent to the collection and use of their Personal Data as described in this Privacy Policy.

3.2. Information collected automatically
Information from the App. When you use the App, information about your device and user behavior may be collected and processed automatically. This information is generally non-personal, i.e. it does not, on its own, permit direct association with any specific individual. However, a set of this information may allow us to identify you as a separate user of our Services, therefore we treat such information as Personal Data and protect it as prescribed by law. We process Personal Data based on the contract between you and us or our legitimate interest in improving our App and giving our users the best experience. If we do not access such data, we may not be able to provide you with all the App’s features. To process your Personal Data for our marketing purposes, we rely either on legitimate interest or your consent basis, as the case may be.

Device Details. When you use a mobile device to access our App, some details about your device are reported subject to your privacy choices as provided by iOS functionality. For example, device identifiers and other metadata. Device identifiers are small data files or similar data structures stored on or associated with your mobile device, uniquely identifying your mobile device (but not your personality). Device identifier enables generalized reporting and analytics. In this regard, the following information may be collected and processed:
  • Information about the device itself: type of your device, type of operating system, and its version, model, and manufacturer.
  • Information about the internet connection: mobile carrier, IP address, timestamp, and duration of sessions.
  • Location-related information: IP address, the country code/ region/ state/ city associated with your SIM card or your device, language setting, and time zone.
  • Device identifiers and technical identifiers (e.g. IDFA).
  • Information about the App: name, API key (identifier for application), version, and App properties can be reported for automated processing and analysis.
  • Cookies and similar technologies. When you use the App, cookies and similar technologies may be used (pixels, web beacons, scripts). A cookie is a text file containing small amounts of information downloaded to your device when you access the App. The text file is sent back to the server each time you use the App. This enables us to operate the App more effectively. For example, we will know how many users access specific areas or features within our App and which links they clicked on. We use this aggregated information to understand and optimize how our App is used, improve our marketing efforts, and provide content and features that interest you. We may ask advertisers or other partners to serve ads or services to the App, which may use cookies or similar technologies.
  • Log file information. Log file information is automatically reported each time you request to access the App. It can also be provided when the App is installed on your device. When you use our App, analytics tools automatically record certain log file information, including the time and date when you start and stop using the App and how you interact with the App.
  • In-app events. When you use our App, analytics tools automatically record in-app information (tutorial steps, leveling up, payments, in-app purchases, custom events, progression events, etc.).

Please remember that some services are engaged in personal data profiling and may obtain information related to your personality and/or your device by using technologies that do not belong to our scope of responsibility. For example, when your user ID is linked to your Facebook account, Facebook may use your device information in association with categorized data already recorded in its databases (e.g. your age, gender or other demographic indication). We do not control, supervise or stand surety for how the third parties process your personal data that might be collected by their means (not through our App). Any information request regarding the disclosure of your personal information should be directed to such third parties.

Payment Information. Our e-commerce providers responsible for billing, processing, and charging for in-app purchases and web subscriptions handle your Personal Data and keep it safe and secure. We cannot access or use your credit or debit card information. Instead, we obtain only statistical data related to the payment, such as subscription price and information about payment events.

Information collected through the Website(s). When you access and use our Websites, we may, once we obtain your consent or under another legitimate basis, automatically process the following data:
  • Web Logs. As is true with most websites and services delivered over the Internet, we may gather certain information and store it in log files when you interact with our Websites. This information includes internet protocol (IP) addresses as well as browser type, internet service provider, URLs of referring/exit pages, operating system, date/time stamp, the information you search for, locale and language preferences, identification numbers associated with your device, your mobile carrier, and system configuration information.
  • Analytics information from Websites. We collect anonymized and aggregated analytics information when you use our Websites to help us improve our products and services.
  • Google Analytics. Our Services use Google Analytics, a web analytics service of Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland). The use includes the "Universal Analytics" operating mode. This facilitates the assignment of data, sessions, and interactions across several devices to a pseudonymous user ID and, thus, the analysis of a user's activities across devices. Google allows its users to opt out of Google’s personalized ads and to prevent their data from being used by Google Analytics.
  • Cookies and other tracking technologies. We use cookies to enable the Websites’ functionality, make it easier for you to navigate our site, and help us with our marketing efforts. You can decide whether to accept or reject cookies other than essential cookies. You can manage your cookie preferences by clicking on the "Cookies Settings" or the equivalent button on our cookie banner. For more general information on Cookies, please visit http://www.allaboutcookies.org/. You can also change your browser's settings to delete already set cookies and not to accept new ones. Please learn more about our cookies practices in our Cookie Policy.

3.3. Information received from third parties
We may also obtain information from third parties, such as:
  • Our authorized resellers, distributors, and partners if there is a lawful basis to do so. For example, we get analytic information from the Apple App Store.
  • Other third parties, such as email campaigns, marketing partners, and publicly available sources. We may use this information to enhance the information we already maintain about you, in addition to other purposes described in this Privacy Policy.
  • Social media and authentication services. We may have access to certain information from a third-party social media or authentication service if you log into our App or Website through the service or otherwise provide us with access to information from the service. Any access that we may have to such information from a third-party social or authentication service is in accordance with the authorization procedures determined by that service. By authorizing us to connect with a third-party service, you authorize us to access and store your name, email address(es), profile picture URL, and other information that the third-party service makes available to us, and to use and disclose it under this Privacy Policy. You should check your privacy settings on these third-party services to understand and change the information sent to us through these services.
4. THE LEGAL BASES AND PURPOSES OF PROCESSING YOUR PERSONAL DATA
Without first notifying you, we will not collect or use your Personal Data. We will handle your Personal Data using one or more of the following legal bases, depending on which features of our Services you use:

  1. Contract. We use your Personal Data to fulfill our contractual obligations and provide the Services to you.
  2. Consent. For example, after you install the App, we may ask you on the welcome screen to permit us to process your Personal Data.
  3. Legitimate interest. We may process your Personal Data in relation to our interests in providing the Services to you, our legitimate commercial interests, our interest in protecting the security and integrity of the Services, and wider societal benefits, as allowed under the law.
  4. Legal obligations. We may be obligated to process some of your Personal Data to comply with applicable laws and regulations.

Our mission is to improve our App and constantly provide new user experiences. As part of this mission, we may use your Personal Data for the following purposes and under the applicable legal basis:

Purpose of processing: To make our service available
Legal basis for processing: Contract
Example: We use your Personal Data (measurements data, technical and device identifiers, payment information, in-app events, other device information, IP address, App settings information etc.) to provide you with all requested Services.

Purpose of processing: To communicate with you and send you system and transactional messages
Legal basis for processing: Contract, legitimate interest
Example: We use your contact and device information to send you system notifications and reminders, let you know about our policies and terms, and send you billing information, if applicable. We may use push notifications, which you can disable anytime in your device settings or the App using the consent toggle screens, if any. We also use your contact information to respond to you when you contact us, to provide you with user support, and to respond to your comments, questions, and requests related to your use or intention to use our App.

Purpose of processing: To improve, test, and monitor the effectiveness of our App
Legal basis for processing: Consent, legitimate interest
Example: We use information that is processed automatically to understand user behavior and trends better, detect potential outages and technical issues, operate, protect, improve, and optimize our App. We also use some automatically collected data for content performance and features testing (A/B testing).

Purpose of processing: To provide you with a personalized experience within our Services
Legal basis for processing: Consent, contract
Example: We use your Personal Data from different sources to discover your preferences and interests within our Services, propose personalized content, and provide the best possible user experience.

Purpose of processing: To send promotional communications
Legal basis for processing: Consent, legitimate interest
Example: We use the contact information you provided to us to inform you about services, features, surveys, newsletters, offers, promotions, contests, and events and send updates about our App, provide other news or information about our selected partners and us that may be interesting to you, including by email, push notification or otherwise, as permitted by law. In cases when we cannot refer to the legitimate interest basis according to applicable law, we will send you marketing communications only after you give us explicit consent to do so.

Purpose of processing: To promote and market our App
Legal basis for processing: Consent
Example: We use information (including Personal Data) processed automatically, and/or obtained from (or by) our marketing service providers or partners, to build our marketing strategy and advertise our Services. The information we use and share for this purpose generally does not include personally identifiable information and never includes any health data.

Purpose of processing: To enable interest-based (behavioral) advertising or other targeted content
Legal basis for processing: Consent
Example: We or our service providers may use information processed automatically for marketing purposes (to show ads that may interest you or others based on your preferences). Service providers we use may provide personalized content and information to you, including online ads or other forms of marketing. We never share your health data for this purpose. Please refer to “How to opt-out from tracking in the App” Section below to discover the ways of ceasing this type of advertising.

Purpose of processing: For internal business purposes
Legal basis for processing: Consent, legitimate interest
Example: We use the information you submitted to us, information collected automatically, and information we obtained from third parties for data analysis, audits, conducting research, analysis, studies or surveys, and identifying usage trends solely for internal business purposes. If the results of such activities contain your Personal Data, we will anonymize or aggregate it before disclosing them.

Purpose of processing: To keep basic data to identify you and prevent further unwanted processing
Legal basis for processing: Legitimate interest
Example: If you ask us to delete your data or to be removed from our marketing lists and we are required to fulfill your request

Purpose of processing: To verify your age
Legal basis for processing: Legal obligations
Example: We may ask for your identification documents to confirm that your age complies with our age restrictions to use our Services.

Purpose of processing: To comply with legal obligations and legal processes and respond to requests from public and government authorities, including public and government authorities outside your country of residence
Legal basis for processing: Legal obligation
Example: We may share your Personal Data to comply with our legal obligations when we are lawfully requested to do so.

Purpose of processing: To enforce the Terms of Use, protect our operations, protect our rights, privacy, the safety of property, and/or that of you or others, and allow us to pursue available remedies or limit the damages that we may sustain
Legal basis for processing: Legitimate interest
Example: We may process your Personal Data according to our legitimate interest when we need to provide security and safety of data, protect our rights and fulfill our obligations before other people and entities.

The following purpose applies solely with regard to HR activities:


Purpose of processing: To conduct HR activities, ensure and perform our rights and obligations as an employer or a customer if you act as an individual contractor
Legal basis for processing: Consent, legitimate interest
Example: We will use the Employment information of Personal Data subjects for HR activities and, accordingly, within the business collaboration or employment relations, if such arises.


If we need to process your information for a specific purpose not clearly outlined in this Policy and not concerning our ability to provide you with all requested Services and features of the App, or a justified legitimate interest, we will ask you for consent while amending the list of purposes above.

Where required by law, we will only send you marketing communications if you consent to us doing so when you provide us with your Personal Data or if we obtain your consent to receive marketing information separately. You may opt out of receiving such emails by following the instructions in each promotional email we send you or, if this doesn’t work, by contacting us at privacy@heartify.io. We will continue to contact you via email regarding your use of our Services and to respond to your requests only.
5. SHARING OF YOUR INFORMATION
General principles and prohibitions. We will only share your information with third parties in the ways described in this Privacy Policy. Without your permission, we do not share Personal Data with third parties for their marketing purposes (including direct marketing). We do not share identifiable health data with third parties for marketing and other purposes not related to providing you access to our Services. We will not rent or sell your Personal Data to any third parties.

Personnel. We share your Personal Data only with our employees and contractors, agents, and auditors who need to know or otherwise access Personal Data according to their scope of professional responsibilities and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Data under this Privacy Policy.

Protection measures. While integrating external services, we choose service providers that can assure they apply all necessary technical and organizational measures to protect users’ personal data. However, we cannot guarantee the security of any information transmitted from us to any such processor due to technical accidents that may arise out of our reasonable control. Provided that we followed all demands of applicable personal data protection legislation, we are not responsible for any accidental loss or unauthorized access to your Personal Data through the fault of third parties.

5.1. Disclosures made by you
Certain features of our Services allow you to make some of your measurements public, in which case they will become readily accessible to anyone. We urge you to consider the sensitivity of any data you share at your discretion.

5.2. Service providers and subcontractors

Processing to make the App run
We occasionally engage outside businesses to process your Personal Data on our behalf. They are the “processors” of your Personal Data. Processors assist us in managing the Services, facilitate our communication with you, and carry out other related tasks. To complete these objectives, they may process specific Personal Data on our behalf, acting under our instructions and subject to demands of applicable data protection laws. To the degree applicable legislation requires, we will execute data processing agreements with our processors and maintain responsibility for their actions.

We may engage the following third-party service providers to provide us with the necessary infrastructure for the delivery and improvement of our services:

Processor`s name and location
Amazon Web Services EMEA SARL; EU, USA
Services
Cloud storage and integration services
Privacy statement and Data Processing Addendum
Privacy Statement
Data Processing Addendum
Personal data collected/shared
All Personal Data that you submit to us and all data contained in the App, namely, User ID, name, email, profile picture, date of profile creation, in-app events, IP address, subscription status, individual identifiers, billing information, subscription ID, measurements data, measurements data source
Purpose of sharing
Storage of all Personal Data when you use the App


Processor`s name and location
Firebase (Google LLC); EU, USA
Services
Hosting, storage, and technical management services
Privacy statement and Data Processing Addendum
Privacy Policy
Cloud Data Processing Addendum
Firebase Data Processing and Security Terms
Personal data collected/shared
All Personal Data
Purpose of sharing
Storage of all Personal Data when you use the App, cloud computing to perform the App`s functionality


Processor`s name and location
App Store Connect, App Store, Test Flight (Apple Inc.), USA
Services
Technical, payment processing, and analytics services
Privacy statement and Data Processing Addendum
App Store & Privacy
App Analytics & Privacy
Personal data collected/shared
Payment information, personal identifiers
Purpose of sharing
To collect and process payments for subscription to the App, and for analytic purpose. Note that we do not access your banking information or payment requisites when you purchase subscriptions in the App.


Processor`s name and location
OneSignal, Inc., USA, EU
Services
Push notifications and analytics service
Privacy statement and Data Processing Addendum
Privacy Policy
Data Processing Addendum - to be provided on data subject`s demand, if applicable
Personal data collected/shared
Device identifiers, external user IDs, and in-app events
Purpose of sharing
To enable reminders and push-notification as part of our App`s functionality and Services


Processor`s name and location
SendGrid (SendGrid, Inc.), USA
Services
Email notifications
Privacy statement and Data Processing Addendum
Privacy Policy
Data Processing Addendum
Personal data collected/shared
Email address
Purpose of sharing
To communicate with you regarding your purchase of our Services, send you our newsletters, surveys, and other related notifications


Processor`s name and location
Amplitude, Inc., USA
Services
Analytical tools
Privacy statement and Data Processing Addendum
Privacy Notice
Data Processing Addendum
Personal data collected/shared
App usage data (e.g., device identifiers (not Apple ID), operating system, and IP addresses)
Purpose of sharing
To understand how you use the App and the Services, engage with particular features and what you like or dislike the most to engineer product experiences


Processor`s name and location
Hotjar Ltd. (EU)
Services
Analytical tools
Privacy statement and Data Processing Addendum
Privacy Policy
Data Processing Agreement
Personal data collected/shared
Hotjar Unique User ID;
device screen resolution;
device type (unique device identifiers), operating system, and browser type;
console logs and errors;
geographic location (country only);
preferred language used to display the Hotjar-enabled site;
mouse events (movements, location and clicks);
keypresses (suppressed by default);
referring URL and domain;
pages visited;
date and time when Your website was accessed and specific event on Your website occured;
user attributes that you may choose to share with us via Identify API
Purpose of sharing
To understand how you use the App and the Services, engage with particular features and what you like or dislike the most to engineer product experiences


Processor`s name and location
Google Analytics, Google Search Console (Google Inc, USA)
Services
Analytical tools
Privacy statement and Data Processing Addendum
Google Analytics Privacy
Google Ads Data Processing Terms
Google Controller-Controller Data Protection Terms
Personal data collected/shared
Google Analytics collects first-party cookies, data related to the device/browser, IP address (when collecting data, Google Analytics 4 does not log or store IP addresses), on-site/app activities and advertising cookies. Cookies on the Websites are collected upon your separate consent for the use of cookies on your device.
Through Google Search Console we access data about our Websites traffic. This data include type and settings of your browser, unique identifiers.
Purpose of sharing
To measure and report statistics about user interactions on the Websites and in the App for further improvement of our Services


Processor`s name and location
Stripe (Stripe, Inc.), USA
Services
Payments
Privacy statement and Data Processing Addendum
Privacy Policy
Data Processing Agreement
Personal data collected/shared
Payment Account Details, bank account details, billing/shipping address, name, date/time/amount of transaction, device ID, email address, IP address/location, order ID, payment card details, tax ID/status, unique customer identifier, identity information including government issued documents (e.g., national IDs, driver’s licenses and passports) Note that Stripe does not share your payment and banking information with us; we receive only events and identifiers data about you and your purchases via Stripe payment services.
Purpose of sharing
To collect and process payments for certain web Services. Note that we do not access your banking information or payment requisites when you purchase subscriptions on the web


Processor`s name and location
PayPal, Inc. and its affiliated companies
Services
Payments
Privacy statement and Data Processing Addendum
Privacy Statement
Data Protection Addendum
Personal data collected/shared
Name, amount to be charged, date/time, bank account details, payment card details, CVC code, postcode, country code, address, email address, fax, phone, website, expiry data, shipping details, tax status, unique customer identifier, IP Address, location, and any other data received by PayPal. Note that PayPal does not share your payment and banking information with us; we only receive events and identifiers data about you and your purchases via payment services.
Purpose of sharing
To collect and process payments for certain web Services. Note that we do not access your banking information or payment requisites when you purchase subscriptions on the web.


Processor's name and location
AppsFlyer (AppsFlyer, Inc), USA
Services
App analytics services
Privacy statement and Data Processing Addendum
Services Privacy Policy
Data Processing Addendum
Personal data collected/shared
• Technical Information, such as: browser type, device type and model, CPU, system language, memory, OS version, Wi-Fi status, time stamp and zone, device motion parameters and carrier
• Technical Identifiers that generally only identify a computer, device, browser or App. For example, device or advertising identifiers such as IDFA (identifier for advertisers); Google Advertiser ID; and App IDs.
• Network Generated Data such as IP address and User agent.
Purpose of sharing
To perform analytics activities aimed at monitoring and improving our Services


Processor's name and location
Google Inc, USA
Services
User authentication services
Privacy statement and Data Processing Addendum
Privacy & Terms
Data Processing Addendum
Personal data collected/shared
When you use Sign in with Google to access our Services, Google only shares with us the following information associated with your Google Account:
• Your name
• Your email address
• Your profile picture
This data is only shared after you give permission. If you want to use Sign in with Google, you can't exclude any of these pieces of data.
Purpose of sharing
To enable Sign in with Google in our Services


Processor's name and location
Apple Inc, USA
Services
User authentication services
Privacy statement and Data Processing Addendum
Apple ID & Privacy
Sign in with Apple & Privacy
Personal data collected/shared
When you use Sign in with Apple ID to access our Services, Apple only shares with us the following Personal Data associated with your Apple Account:
• Your email address
This data is only shared after you give permission. If you decide not to share with us any of your Personal Data, we will get only a unique identifier necessary for login, which does not identify you personally.
Purpose of sharing
To enable Sign in with Apple ID in our Services


Processing for marketing and marketing analytics purposes
With your consent, we may share some of your non-health Personal Data with our marketing and promotional service providers. We do this to market our App and Services, to help new users find out about us, and to develop our business by increasing awareness about the Services.

These are processors we engage for the above purpose:

Processor's name and location
AppsFlyer (AppsFlyer, Inc), USA
Services
Marketing and marketing analytics services
Privacy statement and Data Processing Addendum
Services Privacy Policy
Data Processing Addendum
Personal data collected/shared
• Technical identifiers: IP address (which may also provide general location information), User agent, IDFA (Identifier for advertisers), Customer-issued user ID and other similar unique technical identifiers;
• Engagement Information such as: clicks on our ads, ad impressions viewed, audiences or segments to which an ad campaign is attributed, the type of ads and the webpage or application from which such ads were displayed, the webpages on our Website visited by you, the URL from the referring website, downloads and installations of the App.
• Your subscription status;
• The fact of application launch.
Purpose of sharing
To analyze and obtain reports of how to optimize our marketing campaigns; for analytical purposes. In order to discover you or users who are similar to you on other platforms, including social networking websites, AppsFlyer may provide your Personal Data to some of its integrated partners (such as Pinterest, Google Ads, Apple Search Ads, FB marketing network, and others). These partners review your Personal Data to display pertinent information about Heartify to those who might be interested in it or prompt you to use the App again if you haven't in a while.
You can withdraw your consent or opt-out from the sharing of your Personal Data with AppsFlyer for marketing and promotional purposes anytime by adjusting your device settings.


Processor's name and location
Facebook (Meta), USA
Services
Analytics / ad management services
Privacy statement and Data Processing Addendum
Privacy Policy
Data Processing Addendum
Personal data collected/shared
Technical identifiers and raw data, namely, event status, event revenue, and currency, event source, campaign ID, site ID, region, country, state, city, IP address, Customer User ID, Advertising ID, IDFA, IDFV; data about your device, namely, device category, platform, OS version, App version, and ID.
Purpose of sharing
To promote our Services and obtain marketing analytics data


Processor's name and location
Mintegral North America Inc., USA
Services
Marketing services
Privacy statement and Data Processing Addendum
Privacy Policy and Data Protection Addendum
Personal data collected/shared
Technical identifiers and raw data, namely, event status, event revenue and currency, event source, campaign ID, site ID, region, country, city, IP address, AppsFlyer ID (if applicable), Advertising ID, IDFA, IDFV; data about your device, namely, device category, platform, OS version, App version, and ID.
Purpose of sharing
To promote our services and place ads on the Internet


Processor's name and location
TikTok Pte. Ltd, Singapore
Services
Analytics / ad management services
Privacy statement and Data Processing Addendum
Privacy Policy
Data processing addendum
Personal data collected/shared
Personal information accessed or collected in connection with an event on TikTok inventory and properties, including a user’s non-intentional interaction with our ads, including hovering over, muting, pausing, or closing our ads; and any derivations or combinations of such personal information
Purpose of sharing
To promote our services and place ads on the TikTok platform


Processor's name and location
Unity Technologies S.F., USA
Services
Analytics / ad management services
Privacy statement and Data Processing Addendum
Privacy Policy
Data Processing Addendum
Personal data collected/shared
• End Users data including voice (if applicable), advertising identifiers or device IDs (e.g. IDFA, GAID), User IDs, IP address, gameplay, in-app purchase, and device data, including device identifiers;
• Information related to the ad content or attribution data sent by Heartify or Heartify's agent.
Purpose of sharing
To promote our services and place ads on Unity platform


Processor's name and location
Apple Search Ads platform (Apple Inc.), USA
Services
Analytics / ad management services
Privacy statement and Data Processing Addendum
Privacy Policy
General Apple Privacy Policy
Personal data collected/shared
To ensure delivering the most relevant ads, Apple Search Ads may use the following:
• Account Information. This includes the information a customer includes in their Apple ID account (this is not shared with Heartify).
• App Store Data. This includes information provided by developers to define and categorize their apps. It also includes insights derived from non-personal historical search terms, App Store downloads, App Store browsing activity, and in-app purchases made through the App Store.
• App Transaction Data. This includes historical information about users’ transactions on the App Store, including apps they’ve downloaded and in-app purchases they’ve made.
• Contextual Information. This includes a user’s device type, iOS version, time of day, device location, search query, and information about the page they’re viewing, or app they're downloading.
Purpose of sharing
To promote our Services and place ads on Apple Search Ads platform


Processor's name and location
ironSource Mobile Ltd.
Services
Analytics / ad management services
Privacy statement and Data Processing Addendum
Privacy Policy
Data Protection Addendum
Personal data collected/shared
Device ID, IP address, Online unique identifiers, User ID, if provided by us
Purpose of sharing
To promote our Services and place ads on ironSource platform


Processor's name and location
Google Ads service (Google Inc.)
Services
Analytics / ad management services
Privacy statement and Data Processing Addendum
Google Privacy & Terms
Google Ads Data Processing Terms
Personal data collected/shared
Secure Signals; names, email addresses, phone numbers, addresses, client identifiers, online identifiers, including internet protocol addresses; partner-provided identifiers; cookie identifiers, device identifiers.
Purpose of sharing
To promote our services and place ads on Google


These lists may be amended or modified from time to time according to our business needs, at our sole discretion and without giving notice to you, provided that such extension in the sharing of your Personal Data does not require your consent as the legal basis for processing. If it does require your consent, we will ask you for consent while informing you of the modifications for further processing.

How to opt-out from tracking in the App
If you don't want third-party service providers to personalize ads on the basis of your interests, please choose the "Limit Ad Tracking" option on your iOS device in Settings / Privacy / Advertising. You can find additional information here: https://support.apple.com/en-us/HT202074

You can also disable Tracking for Heartify App in the Settings of your phone.

Remember that when you opt out of certain interest-based advertising, you may still receive contextual ads based on other non-personal information, such as ads related to the content of other digital products you are using.

Our App does not track your precise location data.

5.3. Third-party websites and social media widgets
Our Services may contain links to third-party websites/services, or you may log in to the App or a Website via a third-party service. We are not responsible for the privacy practices of these third-party sites or services linked to or from our App, including the information or content contained within them. Our Services may also include social media features, such as Twitter, Facebook, and Instagram buttons. These features may collect your IP address and which page you visit on our site and may set a cookie to enable the feature to function properly. Your interactions with these features are governed by the privacy statements of the company providing them.

5.4. Business transfers, legal requirements, and protection of our rights
We may disclose your personal information if it is needed for objective reasons, due to the public interest, or in other unforeseen circumstances:
  • to the extent permitted and as restricted by law, in response to subpoenas, court orders, or legal processes, including to meet national security or law enforcement requirements;
  • when we believe, in good faith, that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or enforce our agreements, policies, and terms of service;
  • if we are involved in a merger, acquisition, or sale of all or a portion of our assets, you will be notified via prominent notice in our App of any change in ownership or your personal information usage, as well as any choices you may have regarding your personal information.
Depending on the circumstances, we may rely on legitimate interest or legal obligation as a legal basis for the above processing activities.

5.5. Aggregated or anonymized data
We may share aggregated or anonymized information that does not directly identify you with other third parties, not mentioned above, such as our partners and research entities, for statistical, analytic, and scientific purposes. Anonymization and further use of anonymized information are done under our legitimate interest and aimed at contributing scientific value in our activities to increase awareness about heart health and general well-being across society worldwide.
6. YOUR PRIVACY RIGHTS
We are committed to giving you extensive privacy rights in relation to your Personal Data, regardless of the nation or region you are from. This includes all individuals in the EEA, the UK and/or Switzerland.

Please refer to Section 4 of this Policy to discover legal bases and specific purposes for processing of your Personal Data.

Your rights under the GDPR:
  • the right of access. If you ask us, we will confirm whether we are processing your Personal Data and, if so, provide you with a copy of the personal data along with certain other details.
  • the right to rectification. If your Personal Data is inaccurate or incomplete, you are entitled to ask that we correct or complete it. If we shared your Personal Data with others, we will tell them about the correction where possible.
  • the right to erasure. You may ask us to erase your Personal Data in some circumstances, such as when we no longer need it, or you withdraw your consent. If we share your Personal Data with others, we will alert them to the need for erasure where possible.
  • the right to restriction of processing. You may ask us to restrict or ‘block’ the processing of your Personal Data in certain circumstances, such as where you contest the accuracy of the data or object to us processing it (please read below for information on your right to object). We will tell you before we lift any restrictions on processing. If we share your Personal Data with others, we will tell them about the restriction where possible.
  • the right to data portability. You have the right to obtain your Personal Data from us that you consented to give us or that was provided to us as necessary in connection with our contract with you, and that we processed with automated means. We will give you your Personal Data in a structured, commonly used, machine-readable format. You may reuse it elsewhere.
  • the right to object. You may ask us at any time to stop processing your Personal Data, and we will do so:
— if we are relying on a legitimate interest to process your Personal Data – unless we demonstrate compelling legitimate grounds for the processing, or your Personal Data is needed to establish, exercise, or defend legal claims; or
— in certain circumstances, if we are processing your Personal Data for direct marketing purposes.
  • the right to withdraw consent. If we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time, but this will not affect any processing of your data that has already taken place.
  • the right to make a complaint with the data protection authority. If you have a concern about our privacy practices, including the way we handled your Personal Data, you can report it to the data protection authority that is authorized to hear those concerns.
Your rights under California Consumer Privacy Act of 2018 (CCPA):
  • The CCPA provides California residents with the right to know what categories of personal information we have collected about them and whether we disclosed that personal information for a business purpose (e.g., to a service provider) in the preceding twelve months. California residents can find this information in Section 5 of this Policy.
  • “Sales” of Personal Information under the CCPA. Without limiting our ability to disclose information as described in the section of our Privacy Policy entitled “Business transfers”, for purposes of the California Consumer Privacy Act we do not and will not sell your Personal Data, nor do we have actual knowledge of any “sale” of personal information of minors under 16 years of age.
  • Non-Discrimination. California residents have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the CCPA.
  • Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. To designate an authorized agent, please contact us as set forth below.
  • Verification. When you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include confirming the email address associated with any personal information we have about you.

Your rights under Virginia Consumer Data Privacy Act (VCDPA):
  • Opt out of the Processing of your Personal Data for Targeted Advertising. Please note that we do not process personal data for purposes of (1) the sale of personal data, as defined by the VCDPA, or (2) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Confirm whether your Personal Data is being Processed. You may confirm whether your personal data is being processed by emailing us.
  • Appeal a Case with regard to your Request. In the case where we declined to take action on your data rights request or have rejected your request, you may contact us to initiate an appeal of this decision. Once we receive your appeal, we will notify you in writing within 60 days of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.
If your appeal is denied, you may contact the Office of the Virginia Attorney General by these means:
Office of the Attorney General | Virginia.gov
www.virginia.gov/agencies/office-of-the-attorney-general/#vagov
202 North Ninth Street
Richmond, VA 23219

Notice for Nevada residents:
If you are a resident of Nevada, you have the right to opt-out of the sale of certain personal information to third parties who intend to license or sell that personal information. Please note that we do not currently sell your personal information as sales are defined in Nevada Revised Statutes Chapter 603A.

How to exercise your rights:
You may contact us at privacy@heartify.io to exercise your rights. Please be as accurate as possible in defining the subject line and filling in the body of your request email; otherwise, we may not be able to respond to it properly. Heartify LLC will be responsible for responding to your requests, including under the GDPR and the local state data protection laws. Please bear in mind that we ensure the above-mentioned rights only with respect to the information that we physically access and store or if we have a technical opportunity to ensure your rights.
7. INTERNATIONAL TRANSFERS OF PERSONAL DATA
We operate across borders and provide our App and Services to our users around the world.

We and third-party organizations that provide data processing technologies for the Services or our third-party advertising partners may transfer the processed information across borders and from your country or jurisdiction to other countries or jurisdictions worldwide.

If you are located in the European Union or other regions with laws governing data processing that may differ from U.S. law, please note that we may transfer information, including personal information, to a country and jurisdiction that does not have the same data protection laws as in your jurisdiction. This means that your personal information can be transferred to a third country, a territory, or one or more specified sectors within that third country or to an international organization where data protection and confidentiality regulations may not provide the same level of personal data protection as your country does.

We try to ensure that the recipient of any personal data provides proper protection of the personal data received, in accordance with the current legislation on protecting such information. By agreeing with this Policy, you agree that we may transfer your personal data to any third country, a territory, or one or more specified sectors within that third country or to an international organization.

For the purposes of data processing, we use third-party services or hosting organizations. We take your privacy seriously and, therefore, encrypt your personal data - if possible - before sending it to our service providers. Please note that we cooperate only with those service providers that have passed our security and reliability check. If applicable, we are party to data transfer agreements/data processing addendums or equivalent legal instruments with each of our service providers, and we will (i) keep each document up to date with current law and (ii) only engage in personally identifiable information transfers from a safeguards area to outside that safeguards area in accordance with such an agreement or an alternative means of transfer in compliance with data protection legislation. Where we transfer your Personal Data as described above, we will take steps to ensure that your Personal Data receives adequate security protection where it is processed, and your rights continue to be protected pursuant to the applicable data protection law, including through the use of Standard Contractual Clauses approved by the European Commission.
8. RETENTION
We generally retain your personal information for as long as is necessary for performing the functional service of the App and to comply with our legal obligations. If you no longer want us to use your Personal Data that we physically access and store, you can either:
  • if you don't have a Heartify account, you can uninstall the App;
  • if you have a Heartify account, you can delete your data by deleting your account on the profile page (on the Website heartify.world) or in account settings in the App; or
  • request that we erase your personal information and close your account.
Unless you instruct us otherwise, if you have a Heartify account and don't delete it before uninstalling the App from your mobile device, we will retain your Personal Data for a period of 1 year in case you decide to re-activate the Services or re-install the App.

Even if you requested the erasure or deleted your account or the App, some data may still be stored for a certain time period (but no longer than the storage purpose requires) if the information is necessary to comply with legal obligations (taxation, accounting, audit), or in order to maintain safety and data backup settings, prevent fraud or other malicious acts, or keep your choices about privacy, for example, if you unsubscribed from our marketing communications.
9. SECURITY
The security of your personal information is highly important to us. Services we use to maintain the App follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. Please note that our App is available for download via the authorized app store (Apple App Store) only; if you download a copy of our App via other sources, we cannot guarantee the availability, security and proper functioning of such a product. Your access to our Services via unauthorized means will be deemed improper and entitles us to act accordingly to stop the unauthorized use.

We take reasonable and appropriate measures to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal information.

We implement appropriate technical and organizational measures, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing. We seek to have your Personal Data encrypted with proper and strong encryption algorithms, including hashing where possible.

Please note that by choosing and keeping your password carefully, not disclosing your password, and avoiding unauthorized access to your mobile device, you can help keep your information secure. Unfortunately, no method of transmission over the Internet or method of electronic storage is 100% secure. We do our best to protect your personal data, but we cannot guarantee its absolute security. In the event that your personal information is compromised as a result of a breach of security, we will promptly notify you in compliance with applicable law. We will also take specific steps to address the breach as necessary in the given situation. These steps may include logging you out of all devices, resetting a password (sending you a temporary password to use), and carrying out other activities and actions that are deemed to be reasonably necessary.

If you suspect or become aware of any security incident within the Services, please let us know at support@heartify.io.
10. CHILDREN'S PRIVACY
General limitation. The Services are not intended for children and we do not knowingly collect or solicit any personal information from children under 12. If we learn that we have collected personal information from a child under age 12 without verification of parental consent, we will erase that information as quickly as possible. If you believe that we might have any information from or about a child under 12, please contact us at support@heartify.io.

Limitations for users from the European Economic Area and the United Kingdom. The use of the Services by residents of EEA or the UK younger than 16 years old is prohibited. If you know that a person under 16 is using the Services, please contact us at support@heartify.io and we will take measures to delete such information and/or delete the child’s account.
11. CHANGES TO THE PRIVACY POLICY
This Privacy Policy is updated regularly.

Whenever we change this Privacy Policy, we will post those changes to this Privacy Policy and other places that we consider appropriate. Additional forms of notice of modifications or updates as appropriate under the circumstances may be provided to you.
12. HOW TO CONTACT US
If you have any questions about this Privacy Policy, please feel free to contact us via email at privacy@heartify.io.