Privacy Policy

Last updated: January 30, 2026
Operator: Heartbox LLC (“we,” “our,” or “us”)
Application: Heartbox (iOS and Android)
Contact: acfrank@heartbox.life

This Privacy Policy (“Policy”) describes how Heartbox LLC collects, uses, stores, discloses, and protects your information when you use the Heartbox mobile application (“App”) and related services (collectively, the “Service”). This Policy is part of and incorporated into our Terms of Service. Please read this Policy carefully. By downloading, installing, or using the App, or by creating an account, you acknowledge that you have read, understood, and agree to this Policy. If you do not agree, do not use the App.

1. Scope and Definitions

Definitions. The following terms have the meanings set forth below whenever used in this Policy:

  • “App” means the Heartbox mobile application (iOS and Android) and any updates, revisions, or replacements we make available.

  • “Service” means the App and any related services, websites, content, or functionality we provide in connection with the App.

  • “Personal data” (or “personal information”) means information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with you or your device, including as defined under applicable law (e.g., the GDPR, CCPA, or other data protection laws).

  • “User-generated content” means data you create, upload, or submit through the Service, including check-ins, journal-style entries, goals, survey responses, workout logs, and any other content you provide within the App.

  • “Process,” “processing,” or “processed” means any operation or set of operations performed on personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.

  • “Controller” means the entity that determines the purposes and means of processing personal data. Heartbox LLC is the controller of your personal data processed in connection with the Service.

  • “Processor” means a natural or legal person that processes personal data on behalf of the controller.

  • “you” and “your” mean the individual accessing or using the Service, or the parent or guardian of a user where applicable.

Scope. This Policy applies to all users of the Heartbox App, including visitors who have not created an account, and to all personal data we collect in connection with the App and the Service. It does not apply to third-party websites, apps, or services that may be linked from or integrated with the App; those are governed by their own privacy policies. Where our Terms of Service or other policies reference this Policy, they are incorporated by reference into your agreement with us.

2. Information We Collect

2.1 Information you provide

Account and identity data. When you create an account or sign in, we collect:

  • Email address (used to create and sign in to your account)

  • Password (stored in hashed form by our authentication provider; we do not have access to your plain-text password)

  • User ID (UID), a unique identifier assigned by our authentication provider (Firebase Authentication)

  • Display name, profile emoji, and any other profile or account fields you choose to provide

2.2 User-generated content (journal and wellness data)

When you use the App, we collect and store the content you create, including:

  • Check-ins — mood, scale answers, and other responses you submit during check-ins

  • Goals — goals you create and progress you record

  • Journal-style and wellness content — notes, reflections, and health- or wellness-related data you enter in the App

  • Survey and quiz responses — answers you provide in health area surveys and quizzes

  • Workout and activity data — workouts and related data you log

  • Other content — any other data you create, upload, or store within the App (e.g., friends lists, session bookings, where applicable)

This content is stored so you can view your history, track progress, and use the App’s features. We do not use your journal or wellness content for advertising or to build profiles about you for third parties.

2.3 Information collected automatically

Usage and technical data. When you use the App, we or our service providers may automatically collect:

  • Device information (e.g., device type, operating system, app version)

  • Usage data (e.g., app opens, feature use, session duration), where we use analytics services

  • Crash and performance data (e.g., error reports, performance metrics), where we use crash-reporting or monitoring services

We may use services such as Firebase Analytics and Firebase Crashlytics (or similar). Where we do, we configure them to collect only what is necessary to operate and improve the App, and we may use anonymized or pseudonymized data where possible. You may be able to limit or opt out of certain analytics via your device or app settings; we will honor such choices where technically and legally required.

2.4 Payment and subscription data

Payments for subscriptions or in-app purchases are processed by Apple (App Store) or Google (Play Store). We do not collect or store your payment card number, billing address, or other payment details. We receive from our subscription provider (e.g., RevenueCat) information necessary to grant you access to paid features, such as your app user ID and subscription or entitlement status (e.g., active, cancelled, product identifier). For more detail, see Section 6.

3. Legal Basis for Processing (EEA/UK and similar jurisdictions)

Where required by applicable law (e.g., in the European Economic Area or the United Kingdom), we process your personal data on the following bases:

  • Contract: Processing necessary to provide the App and related services (e.g., account management, storing and syncing your content).

  • Legitimate interests: Processing necessary for our legitimate interests (e.g., improving the App, security, fraud prevention), where those interests are not overridden by your rights.

  • Consent: Where we rely on consent (e.g., for optional analytics or marketing), you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

  • Legal obligation: Processing necessary to comply with applicable law.

If you have questions about the legal basis for a specific processing activity, you may contact us at the address in Section 13.

4. How We Use Your Information

We use the information we collect to:

  • Provide and operate the App — create and manage your account, authenticate you, store and sync your data, and deliver the features you use

  • Store and display your content — save and present your check-ins, goals, journal-style content, and other user-generated data

  • Personalize your experience — where applicable, tailor content or features (e.g., themes, reminders) based on your settings and usage

  • Process subscriptions and entitlements — verify and grant access to paid features in accordance with your purchases

  • Improve the App — fix bugs, analyze usage (where we use analytics), and develop new features

  • Communicate with you — send account-related or support messages, respond to your inquiries, and, where you have agreed, send marketing or product updates

  • Enforce our terms and protect security — enforce our Terms of Service, prevent fraud and abuse, and protect the rights and safety of us and our users

  • Comply with law — comply with applicable law, regulation, or legal process

We do not sell your personal information or your journal/wellness content to third parties for marketing or advertising. We do not use your user-generated content to build profiles about you for sale to or use by third parties.

5. Third-Party Processors and Services

We use third-party service providers to operate the App. They process personal data on our behalf and under our instructions (or as independent controllers where stated). The categories of providers we use include:

5.1 Authentication and database (Firebase / Google)

We use Firebase (operated by Google LLC) for authentication (email/password sign-in) and for our cloud database (Firestore). Your account data (e.g., email, UID) and user-generated content (including check-ins and journal-style content) are stored and processed on Firebase’s infrastructure. Firebase’s privacy practices are described in the Google Privacy Policy (policies.google.com/privacy). Data may be processed in the United States or other locations where Google operates.

5.2 Subscriptions and in-app purchases

We use RevenueCat (or similar) to manage subscriptions and in-app purchases. RevenueCat may receive your app user ID and purchase/subscription status to determine your entitlements. Payment processing is performed by Apple Inc. (iOS) or Google LLC (Android); we do not receive or store your payment card details. Apple’s and Google’s respective privacy policies apply to the data they collect and process.

5.3 Analytics and crash reporting

We may use services such as Firebase Analytics and Firebase Crashlytics (or similar) to understand usage and to diagnose and fix errors. These services may collect device identifiers, usage data, and crash reports. We configure them to minimize unnecessary data collection and, where applicable, to use anonymized or pseudonymized data. Their privacy policies apply to their processing.

5.4 Other providers

We may use additional providers for hosting, email, support, or other operational purposes. We require our processors to handle your data in accordance with applicable data protection laws and, where they act as our processors, to process data only on our instructions and with appropriate security measures.

6. Storage and Security

Storage. Your account data and user-generated content are stored in Firebase (Firestore) and are associated with your user ID. Data may be stored in the United States or other countries where our service providers operate.

Encryption. Data is encrypted in transit using industry-standard protocols (e.g., TLS/HTTPS). Firebase encrypts data at rest. We do not guarantee end-to-end encryption of journal or other user-generated content; we use security measures appropriate to the nature of the service.

Access controls. Our backend and database rules are designed so that your content is accessible only to your account (and, where you have chosen to use sharing features, as described in the App, e.g., optional sharing with friends). We restrict access to personal data by our personnel to those who need it to operate the App or to fulfill legal or safety obligations.

No absolute guarantee. While we take reasonable steps to protect your data from unauthorized access, loss, or misuse, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

7. Data Sharing and Disclosure

We do not sell your personal information. We may share or disclose your data only in the following circumstances:

  • Service providers: With processors that help us operate the App (e.g., Firebase, RevenueCat, analytics), as described in Section 5, and under contracts that require them to protect your data.

  • Legal and safety: Where required by law, regulation, legal process, or governmental request; or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Heartbox LLC, our users, or the public.

  • Business transfers: In connection with a merger, acquisition, sale of assets, or bankruptcy, in which case your data may be transferred as part of that transaction, subject to the same privacy commitments.

  • With your consent: Where you have given us clear consent to share your data for a specific purpose.

We do not share your journal or wellness content with third parties for their marketing or advertising.

Do not sell or share (CCPA/CPRA). We do not sell your personal information as defined under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). We do not “share” your personal information for cross-context behavioral advertising as defined there. We do not use or disclose sensitive personal information (as defined under the CPRA) for purposes other than those permitted under applicable law.

8. Data Retention

We retain your account data and user-generated content for as long as your account is active and for a reasonable period thereafter if you stop using the App without requesting deletion. When you request account deletion, we delete or anonymize your data as described in our Data Deletion Policy, typically within 30 days of verifying your request.

We may retain certain data for longer where required by law (e.g., tax, legal claims, regulatory compliance) or for legitimate operational purposes (e.g., security, fraud prevention) for limited periods. When retention is no longer necessary, we delete or anonymize the data.

9. Your Rights and Choices

Depending on where you live, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.

  • Correction: Request correction of inaccurate or incomplete data. You can update much of your profile and account information within the App.

  • Deletion: Request deletion of your account and associated data. For how to submit a request and what we delete, see our Data Deletion Policy. We process valid requests within the timeframe stated there (e.g., within 30 days).

  • Restriction or objection: In some jurisdictions, request restriction of processing or object to certain processing (e.g., profiling or direct marketing).

  • Portability: In some jurisdictions, request a copy of your data in a structured, machine-readable format or request transfer to another provider where technically feasible.

  • Opt-out of analytics or marketing: Where our analytics or marketing tools allow it, you may limit or opt out via device or app settings; we will honor such choices where technically and legally required.

  • Withdraw consent: Where we rely on consent, you may withdraw consent at any time.

To exercise any of these rights, contact us at acfrank@heartbox.life. We will respond within the time required by applicable law. If you are in the EEA or UK, you may also have the right to lodge a complaint with a supervisory authority in your country of residence.

California residents. We do not sell personal information as defined under the California Consumer Privacy Act (CCPA), as amended. You may have the right to: know what personal information we collect and how it is used; delete your personal information; correct inaccurate personal information; opt out of “sales” or “sharing” of personal information (we do not sell or share as defined there); limit use of sensitive personal information; and non-discrimination for exercising your rights. To submit a request, contact us at acfrank@heartbox.life. We will verify your identity as required by law and respond within the timeframes prescribed by the CCPA/CPRA.

Nevada residents. You may have the right to opt out of the “sale” of certain covered information under Nevada law. We do not currently sell covered information as defined under Nevada law.

Automated decision-making. We do not use your personal data for automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.

10. Children

The App and the Service are not directed at children under 13 (or the equivalent minimum age in your jurisdiction, such as 16 in certain countries). We do not knowingly collect personal information from children under 13. If you are under 13, do not use the App or provide any personal information to us. If you are a parent or guardian and believe we have collected information from a child under 13 without your consent, please contact us at acfrank@heartbox.life, and we will take steps to delete that information promptly. Our Child Safety & Age Restriction Policy (incorporated into our Terms of Service) contains additional information.

11. International Transfers

Your personal data may be stored and processed in the United States or other countries where our service providers (including Google/Firebase) operate. If you are located outside the United States, including in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, your data may be transferred to and processed in a country that has different data protection laws. Where required by applicable law (e.g., for transfers from the EEA or UK), we implement appropriate safeguards to ensure your data receives an adequate level of protection, which may include: (a) standard contractual clauses (SCCs) approved by the European Commission, UK authorities, or other relevant bodies; (b) adequacy decisions where the destination country is recognized as providing adequate protection; or (c) other mechanisms permitted under applicable law. You may request details of the safeguards we use for a specific transfer by contacting us at the address in Section 13.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised policy in the App and/or at our designated URL and update the “Last updated” date at the top. Your continued use of the App after the effective date of changes constitutes your acceptance of the updated Policy. For material changes that affect how we use your personal data, we may provide additional notice (e.g., in-app notification or email) where required by law or as a matter of good practice. We encourage you to review this Policy periodically. If you do not agree to the updated Policy, you must stop using the Service and may request deletion of your account and data as set out in our Data Deletion Policy.

13. Contact Us

Heartbox LLC is the data controller for personal data processed in connection with the Service. For privacy-related questions, requests to access or delete your data, or to report a concern:

  • Email: acfrank@heartbox.life

  • Data deletion: See our Data Deletion Policy for how to request account and data deletion. We process valid deletion requests as described there, typically within 30 days of verification.

  • Operator: Heartbox LLC

If you are in the EEA or UK and believe our processing of your personal data infringes applicable law, you have the right to lodge a complaint with a supervisory authority in your country of residence. We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority; please contact us first at the email above.