Hetki Privacy Policy

1) Our story

• Data Controller: Hetki Records
• Address: Torkkelinkatu 13, 00500 Helsinki, Finland
• Contact: team@hetki.xyz
• App: "Hetki" (iOS/Android)

2) What we collect

Account and authentication

Email, password (hashed and managed by Supabase Auth), user ID (UUID), first name, social sign-in data (Apple ID, Google ID, profile picture), session tokens stored on your device.

Profile and onboarding

Name/nickname, meditation experience level, reasons and priorities (ranked by you), free-text context and struggles, voice preference, talking speed, personalization level, personality tone, guidance level, timezone, goals, user intentions.

App usage and session data

Meditation generation requests and resulting scripts/audio; session metadata (start/end times, duration, completion); meditation rating (1-5); before/after feeling ratings; before/after mood tags; session notes; audio URLs; custom prompts; generated scripts (AI text); system prompts; meditation reason/style/duration; selected goals; AI reasoning for content selection.

Analytics and summaries

Aggregated analytics by reason/style; recent sessions; style usage counts and averages; mood improvement metrics; feedback text analysis; AI-generated summaries; practice patterns; sub-goals.

Device and technical data

Device ID (for rate limiting), app version, platform (iOS/Android), OS version, IP address, request timestamps, API endpoint access patterns. Network data (IP addresses) is temporarily stored with a 5-minute cleanup cycle for security and rate limiting.

Subscription and payment data

Subscription status and tier, dates (start/end/cancellation/trial end), product ID, purchase receipts and transaction IDs (via RevenueCat), renewal and refund events, App Store/Play Store anonymous identifiers. We do not collect payment card details; payments are processed by Apple/Google/RevenueCat.

Health and biometric data (Special Category Data under GDPR)

With your explicit consent, we may collect Apple Health (iOS) data: heart rate (incl. resting HR), heart rate variability (HRV), respiratory rate, sleep data (stages/duration/efficiency), meditation session biometrics, and mood tracking.

Important privacy protections:

• Raw biometric values are stored in secure databases and displayed only in the app.
• Anonymous aggregated insights (e.g., "sleep quality: good") may be sent to AI providers for meditation generation—never names, emails, user IDs, or exact biometric values.
• You control collection & sharing via iPhone Settings → Hetki → Health; you can withdraw consent at any time.

We do not use third-party advertising SDKs and do not perform cross-app tracking.

3) How we use your information

Provide and personalize the service

Generate meditation scripts via AI content generation services based on your inputs and profile; store your meditations and history; show summaries, analytics, and recommendations; track practice patterns and sub-goals.

Subscription management and access control

• Verify subscription status and grant/restrict feature access
• Process renewals, cancellations, refunds via App Store/Play Store
• Notify about billing issues and expirations
• Prevent subscription fraud and comply with financial/tax obligations

Health data processing and predictive insights (with consent)

• Display biometric data in the app
• Personalize recommendations (e.g., stress/sleep/HRV patterns)
• Provide predictive insights to suggest timely interventions
• Generate personalized content using anonymous aggregated insights only

Note: Raw biometric values never leave Hetki systems.

Security and integrity

Authenticate via Supabase Auth; prevent abuse via rate limiting; enforce Row Level Security (RLS); input sanitization and prompt-injection prevention.

4) Legal bases (EEA/UK)

• Contract: Provide the app features you request and process subscriptions.
• Legitimate interests: Security, fraud prevention, reliability, essential metrics.
• Legal obligation: Financial/tax record-keeping and consumer protection.
• Explicit consent: Health/biometric data under GDPR Article 9.

5) Sharing and processors

We share data with trusted service providers under Data Processing Agreements (DPAs).

We do not sell your data or share it with third parties for their own marketing purposes.

6) Retention

7) Your rights

Depending on your location, you may have the right to access, correct, delete, export, restrict or object to processing, and withdraw consent.

To exercise your rights, contact team@hetki.xyz.

Supervisory authority (EEA): You may lodge a complaint with the Office of the Data Protection Ombudsman (Finland) or your local authority.

8) Children

Hetki is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16.

9) Security

• Encryption in transit (HTTPS/TLS)
• Encryption at rest (Supabase)
• Password hashing (no plain-text passwords)
• Row Level Security (RLS)
• JWT-based authentication
• Rate limiting (user → device → IP)
• Input sanitization and prompt-injection prevention

If you suspect a security incident, notify us at team@hetki.xyz.

10) Changes

We may update this Policy from time to time. We will post the new version with the "Effective date" and, where appropriate, notify you in-app.

11) Contact

• Email: team@hetki.xyz
• Address: Torkkelinkatu 13, 00500 Helsinki, Finland
• Data Controller: Hetki Records