Security Practices & Data Protection

Last updated: January 30, 2026
Operator: Heartbox LLC
Application: Heartbox (iOS and Android)
Contact: acfrank@heartbox.life

This document provides a high-level overview of our security practices and data protection measures for the Heartbox application (“App”). It is for transparency and user confidence; it is not a legal contract. Our Privacy Policy and Terms of Service govern your use of the App and our handling of your data.

1. Purpose of This Document

We want you to understand how we protect your data. This overview describes our approach to encryption and secure transmission, authentication and access controls, how we store and process your data, and what we do not do (e.g., plaintext passwords). This document is not exhaustive and does not create any legal obligation beyond what is set out in our Privacy Policy and Terms of Service.

2. Data Encrypted in Transit

All data transmitted between the App and our backend is encrypted in transit using industry-standard protocols (e.g., TLS/HTTPS). This helps protect your account data, journal content, check-ins, and other information from being read or modified by third parties while in transit over the internet.

3. Secure Authentication (Firebase)

We use Firebase Authentication (operated by Google LLC) for sign-in and account management. We do not store your password in plaintext. Passwords are hashed and managed by Firebase; we do not have access to your plaintext password. Account credentials are handled in accordance with Firebase’s security practices.

4. Access Controls

Your content is associated with your account. Our backend and database rules are designed so that your journal content, check-ins, goals, and other user-generated data are accessible only to your account (and, where you have chosen to use sharing features, as described in the App). We restrict access to personal data by our personnel to those who need it to operate the App, provide support, or fulfill legal or safety obligations. We use secure, access-controlled systems (e.g., Firebase/Firestore) with authentication and authorization rules that enforce per-user access.

5. Data at Rest

Data in our systems (e.g., in Firebase/Firestore) is stored in environments that use encryption at rest where provided by our service providers. We do not guarantee end-to-end encryption of journal content; we use security measures appropriate to the nature of the service. We do not store your payment card details; payments are processed by Apple (iOS) or Google (Android).

6. What We Do Not Do

We do not store your password in plaintext. We do not sell your personal information or your journal content to third parties for marketing or advertising. We do not use your journal or wellness content to build profiles about you for sale to third parties.

7. Third-Party Processors

We use third-party service providers (e.g., Firebase/Google, RevenueCat, and where applicable analytics or crash-reporting services) to operate the App. We choose providers that implement appropriate security and privacy practices. Their handling of data is subject to their respective policies and, where they act as our processors, to our instructions and agreements.

8. No Absolute Guarantee

While we take reasonable steps to protect your data from unauthorized access, loss, or misuse, no method of transmission or storage is completely secure. We cannot guarantee absolute security. You use the App at your own risk, subject to our Terms of Service and Privacy Policy.

9. Reporting Security Concerns

If you believe you have found a security vulnerability or have a concern about how we handle your data, please contact us at acfrank@heartbox.life. We will investigate and respond within a reasonable time.

10. Updates

We may update this overview from time to time. The “Last updated” date at the top indicates when this document was last revised. For legally binding commitments, see our Privacy Policy and Terms of Service.