Heartbeat Hero

Summary

• We collect minimal data: simple app usage analytics (non-PII), email addresses for student verification, and records of your Terms acceptance using a pseudonymous installation identifier.
• We do not sell personal data or use advertising SDKs or third-party analytics services.
• Apple In-App Purchase processes payments. RevenueCat is used to validate receipts and manage entitlements.

Scope: This policy covers the Heartbeat Hero iOS app. It does not describe any data that may be collected on our marketing website.

Last updated: 10 September 2025

Who controls your data

forresTech (Aiden Forrest) is the app provider and, for users in the UK and EEA, the data controller for Heartbeat Hero.

Contact: aiden@forres.tech

Postal address: Grove House, West Sleekburn, Choppington, Northumberland, England, NE62 5XE

EU representative: If we are required to appoint an EU representative, we will publish their contact details here.

You can also lodge a complaint with the UK ICO or your local supervisory authority in the EEA.

Simple analytics

We collect basic app usage analytics to help us understand how the app is used and improve its performance. This data is not personally identifiable.

What we collect

• App launches
• Simple usage counts and metrics
• The same pseudonymous installation identifier used for consent records

What we do not collect

• No personally identifiable information (PII)
• No detailed user behaviour or screen-by-screen tracking
• No integration with third-party analytics services
• No advertising identifiers or cross-app tracking

This data helps us understand general app performance and usage patterns without compromising your privacy.

Student verification

Students can gain free access to Pro features by verifying their student status. This is an optional feature.

How verification works

• You provide your email address to request student verification
• We send a one-time verification code to that email address
• Once verified, we record that your email has been verified for student access

What we store

• Your email address and verification status
• No other personal information is collected or stored
• No academic records, institution details, or other student data

Data retention

We retain student verification records for as long as needed to provide the service and prevent abuse of the student discount program.

Data we do not collect

• No account creation in the app beyond optional student verification
• No personal profile, contact details (except student emails), or precise location storage
• No third-party analytics or advertising tracking
• No advertising SDKs or IDFA collection
• No cookies in the app
• No detailed behavioural tracking or screen-by-screen analytics

Purchases handled by Apple

Payments are processed by Apple using Apple In-App Purchase. We do not receive your payment card details.

Subscription management is handled in your Apple Account settings. You can view, change, or cancel subscriptions there.

Learn more at Manage subscriptions on iPhone or iPad and Apple Privacy.

RevenueCat

We use RevenueCat to securely validate purchase receipts and determine your active entitlements. RevenueCat acts as our processor for this purpose.

What the app sends to RevenueCat

• An App User ID that the SDK creates automatically and which is anonymous unless you link it yourself.
• Purchase receipts and product identifiers needed to confirm purchases and unlock features.
• Basic app context such as platform and app version used for fraud prevention and support.
• RevenueCat determines country from IP at the time of receipt then discards the IP. We do not receive IP addresses.

Optional attributes we set

• None related to consent. We do not store your Terms acceptance in RevenueCat. Consent is recorded on our server as described below.

What we do not send to RevenueCat

• We do not enable device identifier collection via collectDeviceIdentifiers.
• We do not enable Apple Search Ads attribution collection.
• We do not send custom attributes other than those needed for purchases.
• We do not forward events to analytics or advertising integrations.

See the RevenueCat Privacy Policy and RevenueCat Data Processing Addendum for details of their processing and retention.

Location feature and What3Words

If you grant the app permission to access Location Services, we use your device's current coordinates solely to display your What3Words address and location information within the app.

How it works

• Your device obtains latitude and longitude using the platform Location Services.
• The app sends those coordinates to the What3Words API to convert them into a three word address, then shows that address to you, alongside a human-readable address (if available).
• We do not store or log your coordinates or the resulting address. There is no background or continuous location tracking by us.

Third party processing

What3Words Limited processes the coordinates to return the address. For details of their processing, retention, and international transfers, see the What3Words Privacy Policy.

Controls

• You can grant or withdraw Location permissions at any time in iOS Settings.
• If you deny permission, the location feature is unavailable and no coordinates are sent.

Consent records for Terms acceptance

When you accept the Terms in the app, we record your consent on our server using a pseudonymous installation identifier stored in your device Keychain. We store the canonical SHA-256 terms_hash of the Terms page as rendered, the UTC timestamp of acceptance, and limited technical context including app version, device model, OS version, IP address, user agent, and the screen where acceptance occurred. This lets us verify the exact text you saw and provide evidence of your agreement.

International data transfers

Where data is transferred outside the UK or EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Agreement or Addendum, together with a transfer risk assessment. You can request a copy by contacting us.

United States privacy notice

We do not sell or share personal information for cross-context behavioural advertising as those terms are used in applicable US state privacy laws.

If applicable state privacy laws grant you rights such as access, deletion, correction, portability, or the right to opt out, email aiden@forres.tech with subject: Privacy request and include your App User ID or your consent receipt from the app Settings. We will respond as required by law.

Appeals. If we deny your request, you may appeal by replying to our decision within 30 days with subject: Privacy appeal. We will respond in writing within the period required by your state law and tell you how to contact your Attorney General if you remain dissatisfied.

Do Not Track

Some browsers include a Do Not Track (DNT) setting. Our app does not track users across third-party apps and we do not use third-party advertising or analytics SDKs, so we do not respond to DNT signals. Where DNT disclosures are required by state law, this statement is our disclosure.

Legal basis

For users in the UK and EEA, we process only what is necessary to provide features you request. The primary legal basis is performance of a contract, together with our legitimate interest in preventing fraud, ensuring service reliability, and improving app performance through basic analytics.

Security

We and our processors implement reasonable technical and organisational measures to protect data, including TLS in transit and role based access to purchase information, analytics data, student verification records, and consent records.

Data retention

We retain analytics data, student verification records, and server-side consent records for the duration of your use and up to six years after to evidence consent, prevent abuse, and for record keeping. RevenueCat retains purchase records and related identifiers as needed to operate subscriptions and meet legal obligations.

Your rights

Depending on your location, you may have rights to access, correct, delete, or object to processing and to data portability. To exercise your rights, email aiden@forres.tech and include your App User ID or your consent receipt from Settings so we can locate your records.

For data handled through RevenueCat, we will coordinate appropriate requests with them. Deleting a RevenueCat customer record removes data held by RevenueCat but does not cancel an active Apple subscription. Manage subscriptions in your Apple Account settings.

You can also lodge a complaint with the UK ICO or your local supervisory authority in the EEA.

Children

Heartbeat Hero is intended for a general audience and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided personal information, contact us and we will delete it.

Changes to this policy

We may update this policy as the app evolves. We will update the date at the top of this page and include changes in app release notes where appropriate.

Contact

If you have questions or requests about this policy, contact:

Email: aiden@forres.tech
Postal address: Grove House, West Sleekburn, Choppington, Northumberland, England, NE62 5XE