Heartbeat Hero

Summary

• We do not collect, store, or sell personal data within the app beyond what is strictly necessary to operate purchases and evidence your agreement to the Terms.
• No analytics SDKs, no crash reporting, no advertising SDKs.
• Apple In-App Purchase processes payments. RevenueCat is used to validate receipts and manage entitlements. We record your acceptance of the Terms on our server using a pseudonymous installation identifier.

Scope: This policy covers the Heartbeat Hero iOS app. It does not describe any data that may be collected on our marketing website.

Last updated: 31 August 2025

Who controls your data

forresTech (Aiden Forrest) is the app provider and, for users in the UK and EEA, the data controller for Heartbeat Hero.

Contact: aiden@forres.tech

Postal address: Grove House, West Sleekburn, Choppington, Northumberland, England, NE62 5XE

EU representative: If we are required to appoint an EU representative, we will publish their contact details here.

You can also lodge a complaint with the UK ICO or your local supervisory authority in the EEA.

Data we do not collect

• No account creation in the app.
• No personal profile, contact details, or precise location data collected by us.
• No analytics or advertising tracking implemented by us.
• No advertising SDKs. No IDFA collection by us.
• No cookies in the app.

Purchases handled by Apple

Payments are processed by Apple using Apple In-App Purchase. We do not receive your payment card details.

Subscription management is handled in your Apple Account settings. You can view, change, or cancel subscriptions there.

Learn more at Manage subscriptions on iPhone or iPad and Apple Privacy.

RevenueCat

We use RevenueCat to securely validate purchase receipts and determine your active entitlements. RevenueCat acts as our processor for this purpose.

What the app sends to RevenueCat

• An App User ID that the SDK creates automatically and which is anonymous unless you link it yourself.
• Purchase receipts and product identifiers needed to confirm purchases and unlock features.
• Basic app context such as platform and app version used for fraud prevention and support.
• RevenueCat determines country from IP at the time of receipt then discards the IP. We do not receive IP addresses.

Optional attributes we set

• None related to consent. We do not store your Terms acceptance in RevenueCat. Consent is recorded on our server as described below.

What we do not send to RevenueCat

• We do not enable device identifier collection via collectDeviceIdentifiers.
• We do not enable Apple Search Ads attribution collection.
• We do not send custom attributes other than those needed for purchases.
• We do not forward events to analytics or advertising integrations.

See the RevenueCat Privacy Policy and RevenueCat Data Processing Addendum for details of their processing and retention.

Location feature and What3Words

If you grant the app permission to access Location Services, we use your device’s current coordinates solely to display your What3Words address and location information within the app.

How it works

• Your device obtains latitude and longitude using the platform Location Services.
• The app sends those coordinates to the What3Words API to convert them into a three word address, then shows that address to you, alongside a human-readable address (if available).
• We do not store or log your coordinates or the resulting address. There is no background or continuous location tracking by us.

Third party processing

What3Words Limited processes the coordinates to return the address. For details of their processing, retention, and international transfers, see the What3Words Privacy Policy.

Controls

• You can grant or withdraw Location permissions at any time in iOS Settings.
• If you deny permission, the location feature is unavailable and no coordinates are sent.

Consent records for Terms acceptance

When you accept the Terms in the app, we record your consent on our server using a pseudonymous installation identifier stored in your device Keychain. We store the canonical SHA-256 terms_hash of the Terms page as rendered, the UTC timestamp of acceptance, and limited technical context including app version, device model, OS version, IP address, user agent, and the screen where acceptance occurred. This lets us verify the exact text you saw and provide evidence of your agreement.

International data transfers

Where data is transferred outside the UK or EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Agreement or Addendum, together with a transfer risk assessment. You can request a copy by contacting us.

United States privacy notice

We do not sell or share personal information for cross-context behavioural advertising as those terms are used in applicable US state privacy laws.

If applicable state privacy laws grant you rights such as access, deletion, correction, portability, or the right to opt out, email aiden@forres.tech with subject: Privacy request and include your App User ID or your consent receipt from the app Settings. We will respond as required by law.

Appeals. If we deny your request, you may appeal by replying to our decision within 30 days with subject: Privacy appeal. We will respond in writing within the period required by your state law and tell you how to contact your Attorney General if you remain dissatisfied.

Do Not Track

Some browsers include a Do Not Track (DNT) setting. Our app does not track users across third-party apps and we do not use advertising or analytics SDKs, so we do not respond to DNT signals. Where DNT disclosures are required by state law, this statement is our disclosure.

Legal basis

For users in the UK and EEA, we process only what is necessary to provide features you request. The primary legal basis is performance of a contract, together with our legitimate interest in preventing fraud and ensuring service reliability.

Security

We and our processors implement reasonable technical and organisational measures to protect data, including TLS in transit and role based access to purchase information and consent records.

Data retention

We do not retain personal data ourselves within the app. RevenueCat retains purchase records and related identifiers as needed to operate subscriptions and meet legal obligations. We retain server-side consent records for the duration of your use and up to six years after to evidence consent and for record keeping.

Your rights

Depending on your location, you may have rights to access, correct, delete, or object to processing and to data portability. To exercise your rights, email aiden@forres.tech and include your App User ID or your consent receipt from Settings so we can locate your records.

For data handled through RevenueCat, we will coordinate appropriate requests with them. Deleting a RevenueCat customer record removes data held by RevenueCat but does not cancel an active Apple subscription. Manage subscriptions in your Apple Account settings.

You can also lodge a complaint with the UK ICO or your local supervisory authority in the EEA.

Children

Heartbeat Hero is intended for a general audience and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided personal information, contact us and we will delete it.

Changes to this policy

We may update this policy as the app evolves. We will update the date at the top of this page and include changes in app release notes where appropriate.

Contact

If you have questions or requests about this policy, contact:

Email: aiden@forres.tech
Postal address: Grove House, West Sleekburn, Choppington, Northumberland, England, NE62 5XE