HeroTracker

Privacy Policy

Effective 1 July 2026 · Version 1.0

HeroTracker ("HeroTracker," "we," "us," "our") is a personal health and wellness app. This Privacy Policy explains what information we collect, why, who processes it, how long we keep it, and the choices and rights you have. It applies to the HeroTracker mobile app, its web version, and this website. Questions: privacy@herotracker.co.

At a glance

Information we collect, and where it comes from

Almost everything below comes directly from you (what you enter) or from your device with your permission. We don't buy personal data about you.

How we use your information, and our legal bases

We use your information only for the purposes below. For users in the EEA/UK, the GDPR legal basis for each is noted.

We do not use your health data for advertising or to build advertising profiles.

Where your data is stored

Your device holds the primary copy of your health data. A synced copy is stored with our cloud provider (Supabase) in the United States, so your data is available across devices and recoverable. Data is encrypted in transit; each account's records are isolated by row-level security so one user cannot read another's data.

Who we share data with

We share data only with the service providers ("processors") that help us run the features you use, each bound to use it only on our instructions. We disclose the following categories of data to the following categories of recipients for the following business purposes:

We may also disclose information if required by law (e.g., a valid legal request), to protect rights and safety, or in connection with a business transfer (e.g., a merger or acquisition) — in which case we will require the recipient to honor this Policy or notify you of any material change. We have no corporate affiliates that receive your data. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

AI features are opt-in. Before any health data is sent to an AI provider, you grant an explicit, per-feature consent that names the provider; you can withdraw it in Settings at any time.

Connecting your own external AI assistant (optional)

HeroTracker offers an optional feature to connect your own external AI assistant (such as Claude or ChatGPT). It is off by default, and available only to adults (18+). If you connect one, only the health categories you explicitly enable are shared with that assistant's provider, and only structured values — never your free-text notes, photos, or the specific names of symptoms or conditions. Because the assistant is operated by another company under their terms, this is a share to a third party that you direct; that provider may retain or use the data under its own policies, which we do not control. You can turn any category off, or disconnect, at any time in Settings → Connectors.

Cookies & tracking

The HeroTracker app does not use advertising cookies or third-party ad trackers. It stores sign-in tokens and your preferences on your device so the app works — these are functional, not used for tracking. This website, which hosts our legal documents, is static: it sets no cookies and runs no analytics.

International transfers

Your data is stored and processed in the United States. Where data is transferred from the EEA, UK, or Switzerland, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses) with our processors. You may request a copy of the relevant safeguards by emailing privacy@herotracker.co.

How long we keep it, and deletion

We keep your data while your account is active. You can permanently delete your account and all associated data at any time from Settings → Account → Delete Account, or from the app's public /delete-account page (reachable without signing in). Deletion propagates to our processors; residual copies in encrypted backups are purged within approximately six months. Diagnostic data (if you opted in) is retained by our diagnostics provider for a limited period (up to about 90 days) and then deleted. Support and feedback messages are kept as long as needed to handle your request and for a reasonable period afterward.

Deleting your account does not affect data you have synced to Health Connect or Apple Health — that data is owned by the platform and stays under your control. If you also want to remove it there, delete it in the Health Connect or Apple Health app (both let you delete a connected app's data by source).

Security

We design for data minimization and privacy by design: your device is the source of truth, per-user row-level security isolates each account, transport is encrypted, and optional diagnostics pass through a health-data-scrubbing filter before they leave the device. No system is perfectly secure, but we work to minimize what leaves your device and to protect what does.

Your rights and choices

Depending on where you live, you may have some or all of these rights:

Most rights are self-service in the app. For anything else, email privacy@herotracker.co. We may need to verify your identity (typically via your account email). You may use an authorized agent where the law allows. We aim to respond within the timeframes the applicable law requires (for example, 45 days under California law, one month under GDPR).

U.S. state privacy rights

California (CCPA/CPRA). In the past 12 months we have collected these categories of personal information: identifiers (email; date of birth and country; Google account identifier if you use Google sign-in), internet/device activity (diagnostics, only if you opt in), and sensitive personal information — namely health information you record. We collect it from you and your device, for the purposes described above. We do not sell or share (for cross-context behavioral advertising) personal information, and we do not use or disclose your sensitive personal information for purposes beyond providing the app you asked for — so no "Do Not Sell" or "Limit the Use of My Sensitive Personal Information" action is required, though you may still contact us. California residents have the rights to know, delete, and correct, and the right to non-discrimination, as described above.

Washington & Nevada. If you are a Washington resident (or covered by a comparable consumer-health-data law such as Nevada's), please see our Consumer Health Data Privacy Policy, which addresses those specific rights.

Other U.S. states. Residents of states with comprehensive privacy laws have comparable rights (access, deletion, correction, portability, and to opt out of sale/targeted advertising — which we do not do). Contact us to exercise them.

European & UK users (GDPR / UK GDPR)

For users in the EEA, UK, or Switzerland, HeroTracker is the data controller for the processing described here; contact privacy@herotracker.co. Our legal bases are noted above. In addition to the rights listed above, you have the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office). We do not make decisions that produce legal or similarly significant effects about you solely by automated means; our insights are informational and optional. If and when we offer the service broadly in the EEA and are required to, we will designate an EU/UK representative and update this Policy.

Canadian users (PIPEDA)

HeroTracker is operated from Ontario, Canada, and we handle personal information consistent with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). You may access and correct your personal information (through the in-app Export and by editing your data, or by contacting us) and withdraw consent to optional processing at any time. Note that your data is stored and processed in the United States by our cloud and AI providers; by using HeroTracker you understand that your information is handled in the U.S. and may be accessible to U.S. authorities under U.S. law, and we require our providers to protect it with comparable safeguards. If you have a privacy concern we haven't resolved, you may contact the Office of the Privacy Commissioner of Canada.

Children

HeroTracker is not directed to and not intended for children under 13 (or the higher digital-consent age in your country in the EEA), and the optional external-AI-assistant connector is limited to adults (18+). We do not knowingly collect data from children under 13. If you believe a child has provided us data, contact privacy@herotracker.co and we will delete it.

Automated processing

Some optional features use automated processing to generate insights (for example, patterns in the data you record). These are informational, require your opt-in, and do not by themselves make decisions with legal or similarly significant effects about you. You can view and turn them off, and export the underlying data at any time.

Not medical advice

HeroTracker is a wellness tool, not a medical device, and does not provide medical advice, diagnosis, or treatment. Always consult a qualified clinician for medical decisions. In an emergency, call your local emergency number (in the US, 911) or the 988 Suicide & Crisis Lifeline.

Changes to this Policy

We will update this Policy as the app evolves and post the new version here with a revised effective date. If changes are material, we will surface a notice in the app.

Contact us

Privacy questions or requests: privacy@herotracker.co.