Hetki Privacy Policy
This Privacy Policy describes how Hetki (“we”, “us”, “our”) collects, uses, and shares information when you use the Hetki mobile app and related API services. By using Hetki, you agree to this Policy. If you do not agree, please do not use the app.
1) Our story
- Data Controller: Vilppu Messo
- Address: Torkkelinkatu 13, 00500 Helsinki, Finland
- Contact: team@hetki.xyz
- App: “Hetki” (iOS/Android)
2) What we collect
Account and authentication
Email, password (hashed and managed by Supabase Auth), user ID (UUID), first name, social sign-in data (Apple ID, Google ID, profile picture), session tokens stored on your device.
Profile and onboarding
Name/nickname, meditation experience level, reasons and priorities (ranked by you), free-text context and struggles, voice preference, talking speed, personalization level (general/tailored/specific), personality tone (direct/neutral/warm), guidance level (lot_of_silence/balanced/heavily_guided), timezone (IANA), goals (performance/recovery/life with context), user intentions (text array).
App usage and session data
Meditation generation requests and resulting scripts/audio; session metadata (start/end times, duration, completion); meditation rating (1–5); before/after feeling ratings; before/after mood tags; session notes; audio URLs; custom prompts; generated scripts (AI text); system prompts; meditation reason/style/duration; selected goals; AI reasoning for content selection.
Analytics and summaries
Aggregated analytics by reason/style; recent sessions (15 across all reasons; 10 per specific reason); style usage counts and averages; mood improvement metrics; feedback text analysis; AI-generated summaries (general/reason/style-specific); practice patterns; sub-goals (descriptions, durations, dates, completion status).
Device and technical data
Device ID (for rate limiting), app version, platform (iOS/Android), OS version, Expo Constants data, IP address, X-Forwarded-For headers, request timestamps, API endpoint access patterns. Network data (IP addresses) is temporarily stored with a 5-minute cleanup cycle for security and rate limiting.
Error and performance monitoring
Error messages, stack traces, request duration metrics, API performance stats sent to error monitoring services (may include user IDs); background job data (job IDs, types, statuses, serialized parameters, error messages) with 24-hour TTL.
Account deletion logs
Upon account deletion, we log: user ID, email, deletion timestamp, deletion reason (if provided), metadata (name, creation date, session count). All other user data is cascade-deleted.
In-app communications
Messages you send to support or feedback forms.
Subscription and payment data
Subscription status and tier, dates (start/end/cancellation/trial end), product ID, purchase receipts and transaction IDs (via RevenueCat), renewal and refund events, App Store/Play Store anonymous identifiers. We do not collect payment card details; payments are processed by Apple/Google/RevenueCat.
Health and biometric data (Special Category Data under GDPR)
With your explicit consent, we may collect Apple Health (iOS) data: heart rate (incl. resting HR), heart rate variability (HRV), respiratory rate, sleep data (stages/duration/efficiency), meditation session biometrics (HR 30 minutes before/after, changes during sessions; sleep following sleep meditations; HRV and breathing rate during sleep), and mood tracking (feeling ratings and mood tags).
Important privacy protections:
- Raw biometric values are stored in secure databases (biometric_daily_sync, meditation_session_biometrics) and displayed only in the app.
- Anonymous aggregated insights (e.g., “sleep quality: good”, “stress: moderate”) may be sent to AI providers for meditation generation; never names, emails, user IDs, or exact biometric values.
- You control collection & sharing via iPhone Settings → Hetki → Health; you can withdraw consent at any time.
Consent and privacy settings
Your privacy choices and any consent preferences (where applicable).
We do not use third-party advertising SDKs and do not perform cross-app tracking.
3) How we use your information
Provide and personalize the service
Generate meditation scripts via AI content generation services based on your inputs and profile; store your meditations and history; show summaries, analytics, and recommendations; track practice patterns and sub-goals.
Subscription management and access control
- Verify subscription status and grant/restrict feature access (free/trial/premium tiers)
- Process renewals, cancellations, refunds via App Store/Play Store
- Notify about billing issues and expirations
- Prevent subscription fraud and comply with financial/tax obligations
Health data processing and predictive insights (with consent)
- Display biometric data in the app
- Personalize recommendations (e.g., stress/sleep/HRV patterns)
- Provide predictive insights to suggest timely interventions
- Optimize meditation timing and track progress
- Generate personalized content using anonymous aggregated insights only
Note: Raw biometric values never leave Hetki systems.
Analytics and insights
Produce aggregated practice analytics and AI-generated summaries to help you understand your journey.
Security and integrity
Authenticate via Supabase Auth; prevent abuse via rate limiting (user → device → IP); enforce Row Level Security (RLS); input sanitization and prompt-injection prevention.
Improvement and debugging
Use error monitoring services and performance metrics to improve stability and features.
Communications
Respond to support requests and send important service/subscription notices.
Legal compliance
Maintain deletion logs for 3 years; retain subscription records for 7 years for financial record-keeping and taxation.
4) Legal bases (EEA/UK)
- Contract: Provide the app features you request and process subscriptions.
- Legitimate interests: Security, fraud prevention, reliability, essential metrics.
- Legal obligation: Financial/tax record-keeping and consumer protection.
- Explicit consent: Health/biometric data under GDPR Article 9 (withdraw at any time).
- Consent: Other non-essential purposes where required (e.g., marketing if introduced).
5) Sharing and processors
We share data with trusted service providers under Data Processing Agreements (DPAs). They process data only on our behalf and per our instructions.
| Service Provider | Data Shared | Purpose | Location |
|---|---|---|---|
| Supabase | All account, meditation, and health data | Database hosting & authentication | US (EU option available) |
| AI content generation services | Anonymous aggregated health insights & practice patterns (no PII, no user IDs, no exact biometric values) | AI meditation content generation | US |
| RevenueCat | User ID, subscription status, purchase history | Subscription management | US |
| Apple / Google | Sign-in credentials, payment information | Authentication & payments | Platform-handled |
| Error monitoring services | Error reports (may include user IDs) | Error monitoring & debugging | US |
| Apple Health | Data pulled into app only (not shared externally) | Display & analysis of health metrics | On-device |
Critical privacy safeguards:
- No PII to AI providers: Names, emails, and user IDs are never sent to AI content generation services.
- No raw health data to AI providers: Only anonymous aggregated categories (e.g., "sleep quality: good") are sent—never exact biometric values.
- DPAs & SCCs: All processors have valid DPAs; Standard Contractual Clauses (SCCs) are applied for international transfers where required.
We do not sell your data or share it with third parties for their own marketing purposes.
6) International transfers
Your data may be processed outside your country of residence. Where required, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs), plus vendor commitments and technical/organizational measures.
7) Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, profile, preferences) | Until account deletion |
| Meditation sessions (scripts, audio, history) | Until account deletion |
| Health data (HR/HRV/sleep/mood) | Until deletion or consent withdrawal |
| Error logs | 90 days |
| Rate limiting data (IP/device) | 5 minutes (auto cleanup) |
| Background jobs | 24 hours |
| Account deletion logs | 3 years (legal compliance) |
| Subscription records | 7 years after end (financial/legal) |
When you delete your account:
- All meditations (scripts/audio/history) and health data are permanently deleted
- Your profile, preferences, goals are permanently deleted
- A minimal deletion log is kept for 3 years (legal compliance)
- Subscription records are retained for 7 years (financial/legal)
8) Your rights
Depending on your location, you may have the right to access, correct, delete, export, restrict or object to processing, and withdraw consent where processing relies on consent.
To exercise your rights, contact team@hetki.xyz. We may request information to verify your identity before acting on your request.
Supervisory authority (EEA): You may lodge a complaint with the Office of the Data Protection Ombudsman (Finland) or your local authority.
9) Children
Hetki is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we learn we have collected data from a child under 16 without parental consent, we will delete it promptly. Parents/guardians may contact team@hetki.xyz.
10) Security
- Encryption in transit (HTTPS/TLS)
- Encryption at rest (Supabase)
- Password hashing (Supabase Auth; no plain-text passwords)
- Row Level Security (RLS)
- JWT-based authentication
- Rate limiting (user → device → IP)
- Input sanitization and prompt-injection prevention
- Role-based access controls & least privilege
- Time-limited signed URLs for private audio files
- Minimal logging (network data auto-deleted after 5 minutes)
- Regular security audits
If you suspect a security incident, notify us immediately at team@hetki.xyz.
11) Cookies and SDKs
Mobile app: No web cookies. Session tokens are stored on your device. No advertising SDKs or cross-app identifiers. Operational metrics are primarily server-side and limited.
12) iOS App Tracking Transparency
We do not track you across other companies’ apps and websites for advertising; no ATT prompt is shown.
13) Changes
We may update this Policy from time to time. We will post the new version with the “Effective date” and, where appropriate, notify you in-app.
14) Contact
- Email: team@hetki.xyz
- Address: Torkkelinkatu 13, 00500 Helsinki, Finland
- Data Controller: Vilppu Messo
15) Data Protection Impact Assessment (DPIA)
We have conducted a DPIA due to processing special category health data, AI-powered content generation, systematic monitoring of meditation practices, and large-scale processing. Safeguards include explicit consent, data minimization, anonymization of insights sent to AI providers, encryption, RLS, user controls over collection/sharing, right to withdraw consent and delete data, DPAs with processors, and regular security audits.
16) Region-specific disclosures
California (CPRA/CCPA): We do not sell or “share” personal information as defined by CPRA. You may exercise the rights described above.
EEA/UK (GDPR/UK GDPR): See legal bases and rights sections above. International transfers rely on appropriate safeguards including SCCs. Health data is processed on the basis of your explicit consent (GDPR Art. 9).