Privacy Policy
Effective date: April 25, 2026 · Last updated: April 25, 2026
HEAFT ("we", "our", or "us") is committed to protecting your personal information. This policy explains what data we collect, why we collect it, how we use it, and your rights regarding it. By using the HEAFT app you agree to the practices described here.
Questions? Email us at support@heaft.app — we respond within 2 business days.
1 Information We Collect
We collect only what is necessary to deliver a personalised training experience.
| Category | Examples | Why we need it |
|---|---|---|
| Account data | Name, email address, profile photo | Create and secure your account |
| Fitness data | Body weight, workout history, exercise logs, goals, fitness level | Generate personalised plans and track progress |
| AI conversation data | Messages sent to the AI coach | Provide contextual coaching responses |
| Device data | Push notification tokens, device type, OS version | Send workout reminders and app notifications |
| Usage data | Feature interactions, session duration, app errors | Improve reliability and product quality |
We do not collect payment information directly. We do not access your contacts, microphone, camera, or location.
2 How We Use Your Information
- Generate and adapt personalised workout and nutrition plans
- Power the AI coaching feature with contextual fitness knowledge
- Authenticate your account securely via Firebase
- Send transactional emails (account verification, password reset) via Resend
- Deliver push notifications for workout reminders and milestones
- Diagnose bugs and improve app performance
- Comply with applicable laws and prevent fraud
We do not use your data for advertising or sell it to any third party, ever.
3 Third-Party Services
HEAFT relies on the following sub-processors to operate. Each is bound by its own privacy policy and data processing agreement.
| Service | Provider | Purpose |
|---|---|---|
| Firebase Authentication | Google LLC | Account sign-in (email, Google, Apple) |
| Firebase Cloud Messaging | Google LLC | Push notifications |
| Gemini API | Google LLC | AI workout generation |
| Groq API | Groq Inc. | AI coaching responses |
| Together AI | Together Computer Inc. | AI fallback inference |
| Resend | Resend Inc. | Transactional email delivery |
| DigitalOcean | DigitalOcean LLC | Cloud infrastructure and database hosting |
AI providers receive only the minimum data required to generate a response (your fitness context and the conversation message). Your name and email are never sent to AI providers.
4 Data Storage and Security
Your data is stored in a PostgreSQL database hosted on DigitalOcean infrastructure. We apply the following protections:
- All data in transit is encrypted with TLS 1.2+
- Passwords are never stored — authentication is handled by Firebase
- Sessions are managed with JWT tokens that have short expiry windows
- The database is reachable only from the internal network (no public port)
- Regular automated backups are retained for 7 days
No system is 100% secure. If you discover a security issue, please disclose it responsibly to support@heaft.app.
5 Data Retention
We retain your data for as long as your account is active. If you delete your account:
- Your profile, workout history, and AI conversation data are deleted within 30 days
- Anonymised, non-identifiable aggregate statistics may be retained indefinitely
- Backup copies are purged within 7 days of account deletion
6 Your Rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Correction — ask us to fix inaccurate or incomplete data
- Deletion — request that we delete your account and associated data
- Portability — receive your data in a machine-readable format
- Objection — opt out of any processing not strictly necessary to deliver the service
To exercise any of these rights, email support@heaft.app with the subject line "Privacy Request". We will respond within 30 days.
7 Children's Privacy
HEAFT is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal data, contact us at support@heaft.app and we will delete it promptly.
8 Changes to This Policy
We may update this policy from time to time. When we make material changes, we will notify you via in-app notification or email at least 14 days before the change takes effect. Continued use of the app after that date constitutes acceptance of the updated policy.
The current version is always available at heaft.app/privacy.
9 Contact Us
For any privacy-related questions, data requests, or concerns:
- Email: support@heaft.app
- Response time: within 2 business days