Privacy Policy
Effective date: April 25, 2026 · Last updated: June 14, 2026
HEAFT ("we", "our", or "us") is committed to protecting your personal information. This policy explains what data we collect, why we collect it, how we use it, and your rights regarding it. By using the HEAFT app you agree to the practices described here.
Questions? Email us at support@heaft.app — we respond within 2 business days.
1 Information We Collect
We collect only what is necessary to deliver a personalised training experience.
| Category | Examples | Why we need it |
|---|---|---|
| Account data | Name, email address, profile photo | Create and secure your account |
| Fitness & health data | Body weight & measurements, workout & nutrition logs, injuries or physical limitations you enter, optional progress photos, goals, fitness level | Generate personalised plans, adapt them safely around your limitations, and track progress |
| AI conversation data | Messages sent to the AI coach | Provide contextual coaching responses |
| Device data | Push notification tokens, device type, OS version | Send workout reminders and app notifications |
| Usage data | Feature interactions, session duration, app errors | Improve reliability and product quality |
We do not collect payment information directly. We do not access your contacts, microphone, camera, or location.
2 How We Use Your Information
- Generate and adapt personalised workout and nutrition plans
- Power the AI coaching feature with contextual fitness knowledge
- Authenticate your account securely via Firebase
- Send transactional emails (account verification, password reset) via Resend
- Deliver push notifications for workout reminders and milestones
- Diagnose bugs and improve app performance
- Comply with applicable laws and prevent fraud
We do not use your data for advertising or sell it to any third party, ever.
3 Third-Party Services
HEAFT relies on the following sub-processors to operate. Each is bound by their own privacy policy and data processing agreements.
| Service | Provider | Purpose |
|---|---|---|
| Firebase Authentication | Google LLC | Account sign-in (email, Google, Apple) |
| Firebase Cloud Messaging | Google LLC | Push notifications |
| Gemini API | Google LLC | AI image & plan (photo/PDF) analysis |
| Cerebras | Cerebras Systems Inc. | AI coaching & plan generation |
| Together AI | Together Computer Inc. | AI inference & embeddings (fallback) |
| Deepgram | Deepgram Inc. | Voice-note transcription |
| Resend | Resend Inc. | Transactional email delivery |
| DigitalOcean | DigitalOcean LLC | Cloud infrastructure and database hosting |
AI providers act as our processors: they receive only the data needed to generate your result — your fitness and training context, which can include health-related details such as injuries and body metrics, plus your message. On the paid tiers we use, they process it solely to return your result and do not use it to train their models. This processing may take place on servers in the United States. We minimise what we send, and strip incidental contact details (such as emails or phone numbers) from free-text notes before sending.
Your consent. AI features run only after you agree to this processing in the app. You can withdraw consent anytime in Settings → Privacy & AI — your core, non-AI features keep working.
4 Data Storage and Security
Your data is stored in a PostgreSQL database hosted on DigitalOcean infrastructure. We apply the following protections:
- All data in transit encrypted with TLS 1.2+
- Passwords are never stored — authentication is handled by Firebase
- JWT tokens for session management with short expiry windows
- Database accessible only from internal network (no public port)
- Regular automated backups retained for 7 days
No system is 100% secure. If you discover a security issue, please disclose it responsibly to support@heaft.app.
5 Data Retention
We retain your data for as long as your account is active. If you delete your account:
- Your profile, workout history, and AI conversation data are deleted within 30 days
- Anonymised, non-identifiable aggregate statistics may be retained indefinitely
- Backup copies are purged within 7 days of account deletion
6 Your Rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Correction — ask us to fix inaccurate or incomplete data
- Deletion — request that we delete your account and associated data
- Portability — receive your data in a machine-readable format
- Objection — opt out of any processing not strictly necessary to deliver the service
- Withdraw consent — turn AI features off anytime in the app (Settings → Privacy & AI); your core, non-AI features keep working
To exercise any of these rights, email support@heaft.app with the subject line "Privacy Request". We will respond within 30 days.
7 Children's Privacy
HEAFT is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal data, contact us at support@heaft.app and we will delete it promptly.
8 Changes to This Policy
We may update this policy from time to time. When we make material changes, we will notify you via in-app notification or email at least 14 days before the change takes effect. Continued use of the app after that date constitutes acceptance of the updated policy.
The current version is always available at heaft.app/privacy.
9 Contact Us
For any privacy-related questions, data requests, or concerns:
- Email: support@heaft.app
- Response time: within 2 business days