Transparency Report & Data Use Summary
Last updated: January 30, 2026
Reporting period: This report describes our data practices as of the date above. We may update it periodically.
Operator: Heartbox LLC (“we,” “us,” or “our”)
Application: Heartbox (iOS and Android)
Contact: acfrank@heartbox.life
This Transparency Report & Data Use Summary (“Report”) provides a clear, plain-language overview of how Heartbox collects, uses, stores, and protects your information when you use the Heartbox mobile application (“App”) and related services (the “Service”). This Report is not a legal document and does not replace our legally binding policies. Our Privacy Policy and Terms of Service are the authoritative legal documents. We publish this Report to build trust, support informed choices, and help you understand our practices at a glance. For full detail, definitions, and legal terms, please refer to our Privacy Policy.
1. Purpose and Scope
1.1 Purpose
We publish this Report to give you a straightforward summary of: what data we collect and store; what we do and do not do with your data; who processes your data on our behalf; how you can access, correct, or delete your data; how we protect your data; and when and how we may disclose data (e.g., to service providers or when required by law).
1.2 Scope
This Report applies to the Heartbox App and any related services we provide in connection with the App. It applies to all users of the Service, including those who have created an account and those who have not. It covers data we collect through the App (e.g., account information, check-ins, journal-style content, goals, surveys, subscription status) and how we use and protect that data. This Report does not create any legal rights or obligations beyond those set out in our Privacy Policy and Terms of Service.
2. Data We Collect and Store
We collect and store the following categories of data in connection with the Service:
2.1 Account and identity data
Email address — Used to create and sign in to your account and to communicate with you when necessary.
User ID (UID) — A unique identifier assigned by our authentication provider (Firebase) so we can associate your data with your account.
Profile information — Display name, profile emoji, and any other profile or account fields you choose to provide. We use this to personalize your experience within the App.
We do not store your password in plaintext. Passwords are hashed and managed by our authentication provider (Firebase); we do not have access to your password.
2.2 Your content (user-generated data)
Check-ins — Mood, scale answers, and other responses you submit during check-ins.
Journal-style entries and notes — Any text or reflections you enter in the App.
Goals and progress — Goals you create and progress you record.
Survey and quiz responses — Answers you provide in health area surveys and quizzes.
Workout and activity data — Workouts and related data you log.
Other content — Any other data you create, upload, or store within the App (e.g., friends lists, session bookings, where applicable).
We store this content so you can view your history, track progress, and use the App’s features. We do not use your journal or wellness content for advertising or to build profiles about you for sale to third parties.
2.3 Subscription and payment-related data
Subscription or entitlement status — Whether you have an active subscription (e.g., Heartbox Pro) and which features you can access. We receive this from our subscription provider (RevenueCat) so we can unlock paid features in the App.
We do not collect or store your payment card number, billing address, or other payment details. All payments are processed by Apple (iOS) or Google (Android); they are the merchant of record.
2.4 Usage and technical data (where applicable)
If we use analytics or crash-reporting services (e.g., Firebase Analytics, Firebase Crashlytics), we may collect anonymized or pseudonymized data such as app opens, feature use, or crash reports to improve the App. We configure these services to minimize unnecessary data collection. You may be able to limit or opt out via your device or app settings where the service allows.
3. What We Never Sell
We do not sell your personal information. We do not sell your name, email address, user ID, or any other identifier to third parties for money or other valuable consideration.
We do not sell your journal content or wellness data. Your check-ins, journal entries, goals, survey responses, and other user-generated content are not sold to third parties.
We do not use your content to build profiles about you for sale to third parties or for advertising. We do not use your journal or wellness data to target you with ads or to create profiles that we sell or share for advertising purposes.
We do not sell your data to data brokers or for marketing. Our business model does not rely on selling user data.
This commitment applies regardless of where you live. For jurisdictions that define “sale” or “sharing” broadly (e.g., California), we do not sell or share your personal information as those terms are commonly understood in that context.
4. How We Use Your Data
We use the data we collect to: provide and operate the Service (account management, authentication, storage, sync, features); store and display your content so you can view history and track progress; personalize your experience (themes, reminders) where applicable; process subscriptions and grant access to paid features; improve the Service (bugs, usage analysis, new features); communicate with you (account, support); enforce our terms and protect security; and comply with law when required. We do not use your journal or wellness content for advertising or for building profiles about you for sale to third parties.
5. Who Processes Your Data
We use third-party service providers to operate the Service. They process data on our behalf and under our instructions (or as independent controllers where stated). We do not authorize them to use your data for their own marketing or to sell your data.
5.1 Authentication and database — Firebase (Google LLC)
What they do: We use Firebase for sign-in (email/password) and for our cloud database (Firestore). Your account data (e.g., email, user ID) and your content (check-ins, journal entries, goals, etc.) are stored and processed on Firebase’s infrastructure.
What they have access to: Account identifiers and the user-generated content we store in Firestore.
What we do not share with them: We do not share your password (it is hashed by Firebase). We do not share payment card details (we do not have them).
Their privacy practices: Google Privacy Policy. Data may be processed in the United States or other locations where Google operates.
5.2 Subscriptions — RevenueCat
What they do: We use RevenueCat to manage subscriptions and in-app purchases. They help us determine whether you have access to paid features (e.g., Heartbox Pro).
What they have access to: Your app user ID and subscription or entitlement status (e.g., active, cancelled, product identifier).
What we do not receive from them: We do not receive your payment card details from RevenueCat. Payment processing is performed by Apple or Google.
5.3 Payments — Apple Inc. (iOS) and Google LLC (Android)
What they do: When you subscribe or make an in-app purchase, Apple (App Store) or Google (Play Store) processes the payment. They are the merchant of record.
What we receive: We do not receive your payment card number, billing address, or other payment details from Apple or Google. We receive subscription or entitlement status through RevenueCat so we can unlock features in the App. Their privacy practices apply to the data they collect and process.
5.4 Analytics and crash reporting (where applicable)
If we use services such as Firebase Analytics or Firebase Crashlytics, they may collect device identifiers, usage data, or crash reports. We configure them to minimize unnecessary data collection and to use anonymized or pseudonymized data where possible. Their privacy policies apply.
6. When We Share or Disclose Data
We do not sell your personal information or your journal/wellness content. We may share or disclose data only in the following circumstances:
Service providers — With providers that help us operate the Service (e.g., Firebase, RevenueCat, analytics or crash-reporting services), as described in Section 5, and under contracts that require them to protect your data and use it only for the purposes we specify.
Legal and safety — When required by applicable law, regulation, legal process, or governmental or regulatory request; or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Heartbox LLC, our users, or the public.
Business transfers — In connection with a merger, acquisition, sale of assets, or bankruptcy, in which case your data may be transferred as part of that transaction, subject to the same privacy commitments.
With your consent — When you have given us clear consent to share your data for a specific purpose.
We do not share your journal or wellness content with third parties for their marketing or advertising.
6.1 Government and law enforcement requests
If we receive a request from a government agency or law enforcement for user data, we will:
Review the request to ensure it is legally valid (e.g., subpoena, court order, or other lawful process).
Disclose only what is legally required and only to the extent required by law.
Notify users where permitted by law and where we are not prohibited from doing so (e.g., by a court order or applicable law).
Object or push back where we believe a request is overly broad, not legally required, or inconsistent with our values and applicable law, to the extent permitted.
We do not provide governments or third parties with “backdoor” or unfettered access to your data. We do not sell your data to governments or to any third party.
7. How You Stay in Control
7.1 Access and correction
You can view and update much of your data inside the App, including your profile (e.g., display name, profile emoji) and many of your goals and settings. If you need access to or correction of data that you cannot update in the App, contact us at acfrank@heartbox.life.
7.2 Deletion
You can request deletion of your account and all associated data (including your journal content, check-ins, goals, and other user-generated data). We process valid deletion requests within 30 days of verifying your identity. For how to submit a request (in-app or by email) and what we delete, see our Data Deletion Policy. After deletion, we do not use your data for any purpose other than as permitted by law (e.g., backup purge, legal compliance).
7.3 Subscriptions
You can cancel your subscription at any time through your Apple ID (iOS) or Google account (Android). Cancellation stops future charges; you keep access to paid features until the end of your current billing period. For step-by-step instructions, see our Subscription & Billing Terms. We do not process payments or issue refunds directly; Apple or Google handle both.
7.4 Other rights
Depending on where you live, you may have additional rights (e.g., data portability, restriction of processing, objection, withdrawal of consent). Our Privacy Policy describes these rights and how to exercise them. Contact us at acfrank@heartbox.life to submit a request.
8. Data Retention
Active accounts: We retain your account data and your content for as long as your account is active and for a reasonable period thereafter if you stop using the Service without requesting deletion.
After deletion: When you request account deletion, we delete or anonymize your data as described in our Data Deletion Policy, typically within 30 days of verifying your request. Some data may be retained for a limited period where required by law (e.g., tax, legal claims) or for legitimate operational purposes (e.g., security, fraud prevention); we delete or anonymize such data when it is no longer needed.
9. Security
We take reasonable steps to protect your data:
Data in transit — Data sent between your device and our systems is encrypted using industry-standard protocols (e.g., TLS/HTTPS).
Authentication — We use Firebase for sign-in. We do not store your password in plaintext; passwords are hashed and managed by Firebase.
Access controls — Your content is tied to your account. Our backend and database rules are designed so that only you (and, where you have chosen to use sharing features, people you share with) can access your data. We restrict access to personal data by our personnel to those who need it to operate the Service or to fulfill legal or safety obligations.
Data at rest — Data stored in our systems (e.g., Firebase/Firestore) is stored in environments that use encryption at rest where provided by our service providers. We do not guarantee end-to-end encryption of journal content; we use security measures appropriate to the nature of the Service.
No method of transmission or storage is completely secure. We cannot guarantee absolute security. For more detail, see our Security Practices Overview.
10. International Transfers
Your data may be stored and processed in the United States or other countries where our service providers (including Google/Firebase) operate. If you are located outside the United States, your data may be transferred to and processed in a country that has different data protection laws. Where required by law (e.g., for transfers from the European Economic Area or the United Kingdom), we implement appropriate safeguards, such as standard contractual clauses approved by the relevant authorities, to ensure your data receives an adequate level of protection. For more detail, see our Privacy Policy.
11. Children
The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe we have collected information from a child under 13, please contact us at acfrank@heartbox.life. We will take steps to delete that information in accordance with our Privacy Policy and Child Safety & Age Restriction Policy.
12. Updates to This Report
We may update this Report from time to time to reflect our current practices. We will post the revised Report in the App and/or at our website and update the “Last updated” date at the top. For material changes, we may provide additional notice (e.g., in-app or by email) where appropriate. This Report is for transparency only; it does not create legal rights or obligations. The legally binding terms are in our Privacy Policy and Terms of Service.
13. Contact
For questions about your data, this Report, or our privacy practices:
Email: acfrank@heartbox.life
Privacy Policy: Privacy Policy
Data Deletion: Data Deletion Policy
Terms of Service: Terms of Service
We will respond to inquiries in accordance with our internal procedures and applicable law.