1) Who we are

  • Data Controller: hetki-records
  • Address: Torkkelinkatu 13, Helsinki
  • Contact: team@hetki.xyz
  • App: “Hetki” (iOS/Android)

2) What we collect

Account and authentication

Email, password (managed by our authentication provider), user ID, session tokens stored on your device.

Profile and onboarding

Name/nickname, meditation reasons and priorities, free‑text context you provide, experience level, struggles and optional struggle context, voice preference and talking speed.

App usage and session data

Meditation generation requests and resulting scripts/audio, session metadata (e.g., mood tags before/after, optional notes, ratings), request timestamps, generated file paths/URLs.

Device and technical

IP address and basic HTTP metadata in server logs (for security and reliability).

In‑app communications

Messages you send to support or feedback forms.

Health and biometric data

With your explicit consent, we may collect and process health-related data including:

  • Heart rate variability (HRV) from compatible wearable devices
  • Sleep patterns and quality metrics from connected health apps
  • Stress indicators from wearable devices (heart rate, breathing patterns)
  • Activity levels and physical wellness metrics
  • Mood and wellbeing self-assessments you provide in the app

This health data is used exclusively to personalize your meditation experience and provide predictive wellness insights. You can withdraw consent and delete this data at any time through the app settings.

Consent and privacy settings

Your choices for privacy settings and any consent preferences (where applicable).

We do not use third‑party advertising SDKs and do not perform cross‑app tracking.

3) How we use your information

Provide and personalize the service

Generate meditation scripts via AI services based on your inputs and profile; convert text to audio; store your meditations and session history; show summaries and personalized suggestions.

Health data processing and predictive insights

When you provide consent, we use your health and biometric data to:

  • Personalize meditation recommendations based on your current stress levels, sleep quality, and HRV patterns
  • Provide predictive wellness insights by analyzing trends in your biometric data to suggest interventions before stress builds
  • Optimize meditation timing by identifying when you might benefit most from mindfulness practices
  • Track your progress by correlating meditation practice with improvements in your health metrics
  • Generate personalized content that adapts to your physical and mental state

Health data processing is based on your explicit consent and is limited to improving your personal wellbeing experience. We do not share health data with third parties for any purpose other than essential service provision (see Section 5).

Security and integrity

Authenticate users, prevent abuse, and enforce rate limits.

Improvement

Debug, monitor performance, and enhance features (using limited, non‑PII operational data where possible).

Communications

Respond to support requests and notify you about important changes.

4) Legal bases (EEA/UK)

  • Contract: To provide the app features you request (account, generation, storage).
  • Legitimate interests: Security, fraud prevention, reliability, and essential metrics.
  • Explicit consent: For processing health and biometric data, which requires your explicit, informed consent under GDPR Article 9. You can withdraw this consent at any time.
  • Consent: Only for other non‑essential purposes where required (e.g., regional consent, marketing if introduced).

5) Sharing and processors

We share data with trusted service providers that help us operate the app, such as authentication and storage providers, AI services that generate meditation content, text-to-speech providers, infrastructure providers, and error monitoring tools (where enabled). These providers only process data on our behalf and under our instructions.

6) International transfers

Your data may be processed in countries outside your country of residence. Where required, we rely on appropriate safeguards (e.g., Standard Contractual Clauses) and vendor assurances. Provider regions may vary.

7) Retention

  • Account and profile: kept while you maintain an account.
  • Generated meditations, audio files, and session history: kept until you delete them or delete your account.
  • Health and biometric data: kept only while you maintain consent and your account. Automatically deleted when you withdraw consent or delete your account.
  • Logs and security data: retained for a limited period necessary for security, debugging, or legal compliance.

We delete or anonymize data when it’s no longer needed.

8) Your rights

Depending on your location, you may have the right to:

  • Access, correct, or delete your data
  • Port your data
  • Restrict or object to certain processing
  • Withdraw consent (where processing is based on consent)
  • Lodge a complaint with your supervisory authority

Contact us at team@hetki.xyz to exercise your rights. We’ll verify your request. Some data may be required to operate the app.

9) Children

Hetki is not directed to children. Do not use the app if you are under the minimum age required by your jurisdiction (e.g., 13 in the US, 16 in parts of the EU) without appropriate consent and supervision.

10) Security

We use safeguards including:

  • Encryption in transit (HTTPS)
  • Access controls and role‑based permissions
  • Time‑limited signed URLs for private audio (where enabled)
  • Minimal logging of personal data in production

No method is 100% secure. Notify us promptly of any suspected incident.

11) Cookies and SDKs

Mobile app: We do not use web cookies. We store session tokens locally on your device.

No advertising SDKs or cross‑app identifiers.

Operational metrics and diagnostics are primarily server‑side and limited.

12) iOS App Tracking Transparency

We do not track you across other companies’ apps and websites for advertising; no ATT prompt is shown.

13) Changes

We may update this Policy. We’ll post the new version with the “Effective date” and, where appropriate, notify you in‑app.

14) Contact

  • Email: team@hetki.xyz
  • Address: Torkkelinkatu 13, Helsinki
  • Data Controller: hetki-records

Region‑specific disclosures

California (CPRA/CCPA): We do not sell or “share” personal information as defined by CPRA. You may exercise the rights described above.

EEA/UK (GDPR/UK GDPR): See legal bases and rights sections above. International transfers rely on appropriate safeguards.